http://www.linuxinsider.com/story/it-management/61485.html

By Scott Whitney
TechNewsWorld
02/04/08

After a bad experience, I vowed to myself that I wouldn't get fooled again. I put on my Due Diligence Hat and sat down to determine how to choose a data center. Following are the major points which you absolutely cannot ignore if you hope to be successful. I wish I had this article when I was going about my business. Here, I hope to provide, in no particular order, a definitive list of investigation points.

In 2005, notebook computers accounted for 50.1 percent of all computer sales. In 2006, shelf space for notebooks increased 44 percent while desktop shelf space (and sales) went down by 23 percent.

What does this have to do with a data center? Everything.

At Journyx, where I manage IT, we presently have about 25 employees. Of those, 11 have laptops issued to them as their primary machine. One employee works remotely in another state. Therefore, half of our employees need constant remote access to our business. Well, it's possible they don't need it, but they sure do whine about it an awful lot when they don't have it. So for me, in my little fiefdom known as "IT," that pretty much amounts to the same thing.

As with most companies, we store the bulk of our data internally on our network here at the corporate headquarters, but we also store a fair bit of it at our data center. We have Software as a Service (SaaS) applications which we host for our customers as well as for ourselves. We have our Web site, of course, which must be up and running 24/7 or my CEO calls me up in a panic. We have an FTP (file transfer protocol) server for support, as well as one for the public, etc. You get the picture.

We've got resources that are needed by our remote employees as well as our customers. In essence, we need a reliable, 24/7, redundant, fast way for our people and the world to access our data. If this sounds familiar to you, you might be in the same boat that we were in. We needed a data center.

Take On the Challenge

I'm oversimplifying our needs a bit, since we are a hosted service provider for literally hundreds of organizations around the world. You see, with the software that Journyx creates, you can either host it locally on one of your own servers, or you can ask us to do it for you, taking away that overhead.

Since we host our customers' data in addition to our own, in different time zones around the world, I was in the joyful, enviable position of evaluating data centers (again). It was either that or get a root canal, and that was the excuse I used last time, so I decided to man up and take on the challenge.

I say "again" because my previous data center experience was a true fiasco. You see, this company -- we'll call them "Evil" -- had bought up my existing provider and, in an effort to either cause the 100 or so customers significant pain for no reason whatsoever or to cut costs without evaluating the actual opportunity cost of the move, they decided to close the facility in which we were housed and move us across town to their "better" data center.

Well, Evil and Evil's minions had no idea how to run a data center. Without going much into their inexperience, let's just say that we knew we needed to move when at 5:30 p.m. on a Friday, one of the minions shut down all physical and logical access into and out of the data center because several of the collocated customers had a virus. We were unable to get back up and running until Monday morning. This was one indication that perhaps there were better choices available to us out there in the world.

Vowing to myself, in my best Roger Daltrey voice, that I wouldn't get fooled again, I put on my Due Diligence Hat (my boss makes me wear it from time to time to avoid situations like the above) and sat down to determine how to choose a data center. Following are the major points which you absolutely cannot ignore if you hope to be successful.

I wish I had this article when I was going about my business. Here, I hope to provide, in no particular order, a definitive list of investigation points that should lead you to the best collocation provider for your needs in your area.

Halt! Who Goes There?

With the Sarbanes-Oxley Act of 2002, a lot of attention became focused on fraud and fraud prevention. Part of this particular Enron-created hell is the wonderful and invigorating SAS 70 audit, which, in the simplest terms, is a proctologic exam where the external auditors and your internal management poke and prod and search around until they can pull sufficient controls out to ensure that customer data is kept relatively safe.

As I mentioned above, we host our own application for our use plus that of paying customers. It collects time, expense and travel data for users, and that data gets billed to projects, among other things. For many of our customers, it would be a catastrophe if any of that information was readily available to their competitors.

While logical security is, of course, my purview, physical security at a data center can play a huge role in satisfying SAS 70 requirements as well as letting you sleep at night.

Some things that you might consider for security in your quest for the perfect data center:

* How many cameras does the data center have and where are they placed? How is the data recorded and how long is it kept?
* Is everyone who goes into and out of the data center required to sign in and sign out?
* Are there two or more specific stop-points on the way into the data center?
* Is the data center staffed 24 hours a day? Is it staffed with security personnel, and if not, what are the procedures for the onsite staff to deal with security threats?
* Who has access to the logs and videos and what is the procedure to get them?
* Is the data center insured against loss due to theft or vandalism or must you carry your own?

[...]
This archive was generated by hypermail 2.1.3 : Mon Feb 04 2008 - 23:20:45 PST