[ISN] Data centers: Buyers beware of over-hyped facilities

From: InfoSec News (alerts@private)
Date: Tue Feb 20 2007 - 22:29:21 PST


By James Carlini

A couple of weeks ago, I spoke about being disappointed by not being 
able to visit a PEAK 10 data center in Tampa to get a first-hand view of 
their services after an executive scheduled a meeting with me. This 
article brought in more feedback than I ever thought I would get. 
Several calls came in within 15 minutes of publication, including one 
from an IBM executive. People had a lot to say about watching claims 
made within the data center services arena.

The prior article was about being frustrated at not being able to walk 
through a facility that I first had a positive impression of. Some 
respondents said that most companies will have some type of data center 
brag-path that you can walk through just to get an overview of services. 
PEAK 10 did not offer that.

Due diligence

From others involved in data center services, I got the impression that 
you had better make sure you do some due diligence before selecting a 
third party and turning over your mission-critical applications. There 
is a lot of hype out there with claims of reliability and redundancy 
without real resources.

As more corporate organizations look for outsourced facilities, they 
had better make sure they are getting what they are paying for.

Here is a portion of a long letter from a local reader that really 
highlighted what I thought were some of the issues:

 "Your instincts were right on - there is most definitely a wide 
 variation in the caliber of the data center from one company to 
 another, and often in between data centers of the same company 
 It is a highly recommended best practice to go and see your specific 
 data center as part of contracting due diligence. You learn a lot 
 within the first five minutes you are there about how well they run 
 their shop and how secure/safe your assets really are.

 Different data centers have different regulations regarding visitors. 
 The better (more secure) ones are often legitimately quite strict about 
 who has access to the facility. For example, I had to be approved by my 
 client contact and sign a Non-Disclosure Agreement prior to gaining 
 access to the data center and I was never allowed out on the floor 
 without an Exodus employee being with me at all times. They were very 
 sensitive about cameras (none were allowed). That being said

 Most data centers have a "brag path" through the facility that allows 
 visitors (once they have signed a Non-Disclosure Agreement) to get a 
 feel for the size and caliber of the operation without getting too 
 close to anything. Typically, you are not on the floor but rather get a 
 chance to see things from hallways through windows and such. This is 
 SOP if someone has a nice data center and has nothing to hide. That 
 they didn't do this for you should indeed raise red flags."

A Colorado reader, who has several decades of IT experience, wrote:

 "That will be the last time they string you along without giving it 
 some thought.

 I agree with you, most companies are always trying to parade their 
 facilities to people; it makes for free advertising.

 Trite phrases like "customer privacy" are put-offs. The data center, 
 by its very nature, ensures privacy unless you are showing up with a 
 laptop and planning to do some major downloads and hacking in their 
 presence. So what are they hiding? Hmmm?

 Would be real surprised if you don't get something from them, 
 conciliatory or nasty. Either way, PEAK may be more NADIR; they 
 certainly are in their primal business and customer services skills."

Another industry veteran, who has decades of facilities planning for 
mission critical infrastructure, including several major hospitals and 
airports in the United States and abroad, simply wrote:

 "Impressive ink and unfortunately deserved. Too bad for them."

I'm not Rain Man

Without belaboring the points raised by the readers, I did not get a 
good impression of what PEAK 10 claimed they had in terms of facilities, 
and I would be very suspect of what they list in their marketing 
materials and what is actually out on the floor. As another industry 
veteran put it, "Give me a better answer. I didn't fall down in 
yesterday's rain."

With the need to really understand what you are getting in data centers, 
if you cannot walk through it, walk past it.

CARLINI-ISM: If you can't walk through it, walk past it. 


James Carlini is an adjunct professor at Northwestern University, and is 
president of Carlini & Associates. He can be reached at james.carlini 
(at) sbcglobal.net or 773-370-1888. Check out his blog at 

Copyright 2002-2007 Wisconsin Technology Network LLC. 
All Rights Reserved
