I was delighted to be invited to speak on security and compliance during the Colocation Tutorial at Data Center World last week in Las Vegas, Nevada. The tutorial was an all-day session for enterprise data center operations executives – mostly data center operators from large corporations that currently outsource to a colocation facility. I had the privilege of joining a panel comprising executives from RagingWire, Equinix, Schneider Electric, Dominion Virginia Power, Transitional Data Center Services, and Neustar.
I wanted to give the readers who were not able to attend the conference or tutorial session some of my key takeaways from the event:
Not all colos are created equal – Fundamentally, most individuals think that a colo facility just provides power and space. However, those of us familiar with the business know that there can be embedded service providers and data centers within data centers. Then add the further layer of complexity introduced by the increased prominence of real estate companies, such as Digital Realty Trust, that specialize in data center property management. Lee Tamassia from Equinix provided an excellent overview of the different models from wholesale to retail up to and including cloud services. Mr. Tamassia then discussed how these models integrate with different data center standards. I was then able to build on these comments to discuss how compliance responsibility is shared between a data center and its tenants.
Data center operators may not think compliance is the #1 priority – Imagine that! When Jim Leach from RagingWire asked the audience who either managed or was exposed to compliance initiatives on a frequent basis, very few raised their hands. Make no mistake – everyone expects the environment to be secure and, more importantly, reliable. A few participants stated that compliance was often mandated by legal, IT security, or external auditors. However, the day-to-day activities of these operations executives typically revolve only around topics such as power consumption, utilization, and resources – the things that affect the bottom line.
Security and compliance should be a topic of focus early on (during the selection and procurement process) – Steve Gunderson from Transitional Data Center Services and Jim Weber from Neustar walked through a template and evaluation process that included looking at security and availability features as well as available audits. One participant from a manufacturing company stated that “I don’t handle credit card information, but the fact that the data center has gone through PCI, in my mind puts them at a higher level.”
The different compliance and certification acronyms can be confusing – I believe I was able to provide insight on this topic. At a minimum, the participants walked away understanding that “SSAE 16 certified” is technically incorrect and could be an indication of misleading marketing. We also discussed HIPAA, FISMA, and the role a data center plays when its tenants (or the tenants’ customers) are the ones mandated to comply.
In summary, we auditors, just like those in security, can get so ingrained in the details of SOC reporting standards, PCI compliance requirements, FedRAMP authorizations, etc., that we often need reminding of the end user’s perspective. This conference brought a lot of insight to the auditor in me, and I hope the attendees took away some tangible recommendations and action points from the Colocation Tutorial.
On May 15th, I get another opportunity to speak – this time at the Uptime Institute conference in Santa Clara, CA. Hope to see you there!