A quick question for IT security professionals

I just read this paragraph in the Evernote security and privacy information page. Does this point to a good data security infrastructure?

Operational security is equally important, and physical infrastructure and operations procedures reflect that. The data center where the Evernote service operates is SAS 70 (Type II) and SSAE16 SOC–1 (Type 2) certified and requires two-factor authentication for admittance. All access to the data center is limited in scope of personnel and regular audit reviews are conducted.

As I understand it, their recent move to 2048 bit SSL keys is really good and exponentially strengthens the encryption used to secure data transmission to and from their servers but what about the rest?





  1. Nathan Jeffery avatar

    I’ve been to a DC and the entry criteria was appointment only and finger print scanning.
    Plus supervise access, not ‘free roam’.

    To me two-factor authentication sounds good and if they’re having security audits then that’s even better.

    I’m not sure about those specific certifications though, that is perhaps a little out of my depth of knowledge.

  2. Allen Baranov avatar

    I dug quite deeply into SAS 70. It is an auditing Standard and sounds very impressive but you have to be aware what you are actually looking at.

    The scope is very important.

    If I write a document that says “We have no security controls. Our servers are hosted in the middle of a busy shopping centre and anyone has full console access to them. There is however a plastic cordon tape around the area where the servers are and people need to open it and close it after they are done. We also have a mat.”

    We can pass the SAS 70 audit if all the above is true. Forget good security principals, is what we have stated a true reflection of reality. (Actually, does the auditor think that it is.)

    SAS 70 type 2 is a little more interesting… do the controls as stated above work. Is there a mat? Check. Is there cordon tape. Do people open and close it? Check.

    Having passed the SAS 70 audit, I can now add that to my site – “Our security controls have passed a full SAS 70 type 2 audit and users need to abide by our access controls.”

    The other things that companies can do is have SAS 70 audits of some of their infrastructure. So, your “Level 1” server sits under the technician’s desk next to his skateboard and comic collection but “Level 5” servers are in the data centre. The website states “All data centres are SAS 70 audited” but in the Standard document it states “Scope: Level 5 Servers”.

    Basically, a SAS 70 Audit is the company saying “we have independent auditors that can verify we haven’t lied to you about security controls”. You have to read further to see what these controls actually are.

    1. Paul avatar

      Hi Allen

      Thanks for your comment. I just saw it now (WordPress thought it was spam). So the SAS 70 certification basically means little as an assurance that the quality of the security measures is particularly good, just that there are procedures in place and they are enforced?

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: