Few people get excited about auditing or regulatory requirements. However, given the rapid pace of change within the regulatory and compliance landscape in recent years, there is reason to get excited about data center auditing. The auditing rules that data centers need to meet are changing in some ways, and stakeholders must track and respond to the changes if they want to remain in compliance with the various regulatory and industry auditing standards they need to meet.
Data center auditing overview
Data center auditing procedures fall into two main categories:
- Audits that data center operators voluntarily perform to help optimize cost, performance, security, and other priorities.
- Audits that are required by regulations or industry standards.
The first category consists of audits that are subjective and vary widely from one data center to another. Given this, it's hard to identify any central trends involving voluntary audits.
Trends in data center auditing
The second type of data center audit – audits that are formally required by regulations – has seen a lot of change in recent years.
Perhaps the most notable shift was the replacement of SAS 70 and SSAE 16, which are auditing standards that play a key role in SOC 2 compliance, with SSAE 18, which is an updated version of the standard. This change doesn't fundamentally alter the reporting requirements for data centers that need to achieve SOC compliance, but it does update some of the reporting details.
Another major compliance change still being rolled out is the introduction of PCI DSS 4.0, which took effect in March 2022. PCI DSS is a set of compliance standards maintained by the payment processing industry. The rules aren't designed for data centers in particular – indeed, data centers are not an explicit focus of PCI DSS – but they are a consideration for data centers that want to host workloads that process payments in some way.
For that reason, data center operators may need to update their auditing strategies to reflect the new rules introduced by PCI DSS 4.0 – which, among other enhancements, imposes much stricter requirements related to security and authentication. Those requirements could affect the physical and virtual security protections that data centers need to implement if they want to achieve PCI DSS compliance.
Beyond auditing: Other data center compliance changes
Beyond PCI DSS, there are a host of other compliance regulations and standards that some data centers may need to meet, especially if they cater to certain industries or operate in certain regions.
For example, data centers that host healthcare-related workloads may need to comply with HIPAA, the major healthcare data privacy protection regulation in the United States. The GDPR, CPRA, and CCPA data privacy regulations also impact data centers that are based in – or, in some cases, merely serve users based in – particular jurisdictions.
These compliance frameworks haven't seen major updates in recent years, so auditing strategies that data centers already have in place to help comply with HIPAA, GDPR, CCPA and similar regulations should continue to work for the foreseeable future.
However, some changes may be in the works over the course of 2023, at least for HIPAA, so data center operators should monitor the compliance landscape closely to make sure they remain compliant with whichever auditing or other mandates the regulations impose.
The auditing requirements that data centers must heed haven't been totally upended, but they are changing in notable ways. If you're not paying attention – and if your data center auditing strategy is stuck in the 2010s – now's the time to figure out how to meet new and emerging auditing mandates.