Data Centres: Protecting Your Investment
Data Centres: Protecting Your Investment
Outsourcing your ICT requirements, whether that’s the simple stuff like web hosting or the critical aspects of your storage requirements, is an option many organisations are taking. So what do you need to know?
Data centres come in four basic service flavours: web hosting, managed application (for the most part Microsoft Exchange Server), collocation of servers, and business continuity (also bracketed as disaster recovery).Removing the ICT overheads from your organisation means removing a great deal of the headaches that go with it. Virtual security is a base option to start with.
But as important is physical security for your data. There is no point having rigorous compliance policies in place if all your servers are physically protected by plastic fans and untested battery-based power supplies.In terms of staffing as well, the shortage of skilled (and certified) IT staff with real-world experience that has been widely reported in the previous six months means that many IT departments are either understaffed or are staffed by university-fresh greenhorns. Staffing also becomes a major issue if your organisation has branch offices or needs to work globally. Staffing an IT department 24 hours a day, everyday is an enormous overhead.“War on Terror” smokescreens aside, environmental issues such as 40-degree plus days forcing power outages even in the most robust of big city locations should also factor in your thinking. Flooding, communication systems downtime (Backhoes have been known to slice through main teleco pipes), are good reasons to ensure that your services have third-party support.
Being able to afford and implement the kind of accessible terabyte-level (which as we watch is growing to petabyte) storage that email is enforcing on us is a hard ask. Renting space in a well-featured data centre that has good relationships with storage vendors enables them to worry about the scaling while you concentrate on matters in hand – growing your core processes.
The Expert Overview
David Blumanis, Data Centre Advisor for APC, Asia Pacific, has made a career of setting up data centres. Over the years he has worked with the likes of Telstra, Optus, Vodafone, Ingram Micro and now American Power Conversion Corporation (APC). He has built and operated 15 data centres in his career, including the largest in the southern hemisphere. David Breaks up the challenges relating to data centres into six categories:
Corporate Outlook
On a corporate level, things are changing so fast. With acquisitions and mergers, a lot of information is being held very close to the chest and CIO’s often don’t find out something is happening until is has happened. So one thing I tell them, is that they have to be more involved at the executive level to get that trust built and gain that executive knowledge. This puts the CIO in the executive loop, and gives them enough warning to changes plans when the unexpected happens. CIOs need to be proactive about this because the corporate outlook as far as the execs are concerned the data centre just have to be right and does what they need. This leads into the second point, Strategy.Strategic Approach
Whether its insourced, outsourced, BPO (Business Process Outsourcing) or whether it’s a mix or the architecture and standards that they deploying, there are a lot of different options out there and you have to evaluate what you need. A company might have its prime data centre in-house, whereas disaster recovery might be outsourced and now even remote sites for organisations, particularly large ones, are becoming business critical overnight and need to be managed like the data centre.
When strategising what you need from an outsourced data centre you can do it the traditional way, you can do it the pay-as-you-grow way, you can use virtualisation… there are so many options picking the right strategy can be a challenge.
The view I’m getting at the moment, that is, all the CIOs I’ve spoken to are sceptical about it. It just another fad or is it going to work? Is it just the early adopters talking about it, are the vendors themselves trying to create the market?
When I talk to the CIO’s they are talking about what are the security issues. What’s performance going to look like? What happens if someone installs something on their part and it crashes the whole? There are more questions being raised, so it’s more of a wait and see situation at the moment.
So with strategic approaches, it’s about risk mitigation. Whether you’re a bank or a Telco, risk mitigation is high on the agenda. Then you go to some of the small to medium business risk management is not that high as far as their strategic approaches.
Financial Considerations
Financial considerations is, naturally, one of the biggest issues driving data centres. Whether it be saving costs outsourcing your information, or keeping your in house data centre ticking along, cost is always an important factor.
One of the things we are seeing at the moment is the change PCO dynamics. With all the high density stuff that is occurring, the power and the cooling, the electricity and maintenance bills are actually starting to increase dramatically and influence the TCO dynamics of data centres, as well as the lifecycle costs.
A lot of people look at the day one costs, versus what it’s going to cost running it for the next ten years. Then, like most corporations, they say ‘lets not fix that old data centre, let’s just band aid it for a few more years.’ We’ve just brought a lot of high density stuff in, can’t we just increase the cooling? Even though the floor is falling apart and they have a massive cable mess. They are continually spending a few bucks here and there instead of overhauling it.
Technology Considerations
Data centres are all about security, continuity and if the worst should happen, disaster recovery. To be able to offer this reliability, a data centre itself has to almost paradoxically rely on frequently fickle, and relentlessly changing technology.
The data centre is designed to house all the technology, for today and into the future for the next 10 to 15 years. And if anyone can tell me what is going to happen in the next 10 to 15 years, then I’ll hire them and we’ll start buying shares.
But that’s the biggest challenger. It has to control and manage and support all the technology of the future. It has to be future proof, and that’s a massive challenge.
Do I have legacy gear that I still want to look after?Do I take advantage of the new stuff?Then there is technology integration requirements, and the realisation of what the real requirements are. When I speak to CIOs they are normally going out to vendors and signing NDAs with them around what their future is going to look like. They will also tend to go to guys like Gartner and IDC - and, of course, IDM - to find out what’s happening in the industry. And, of course, they will consult internally, they will go to their own technical workgroups and workgroup leaders in order to find out what they think is happening. What it comes down to once again, is analysis and strategy to determine what is best for your particular business.Operational Considerations
Every Data centre I know looked fantastic when it was built, and fulfilled all of the business requirements. Then if you go back and have a look at a lot of these data centres after they have been operating for 10 years, they normally start looking like they have major issues. This is mainly due to how they have been managed. When management and staff turnover occurs, often the standards and views of how the data centre should operate changes. Human errors need to be reduced, which means more automation and technology, and capacity management. Organisations are continually changing which demands more and more technology to be put into the data centre. How do you capacity plan that? How do you capacity manage that?
Normally people throw more storage and servers into a data centre and improve the networks, but often they forget to speak to facilities about capacity in the UPS, the cooling etc. So there can be a disconnect there.Upgrading capacity in a data centre is more than just throwing in some extra servers. Often it means the whole setup including cooling, power supply, cabling and much more. This takes time. To look at all the different options for the data centre, the technologies, takes time. Everyone I speak to, and I pose this question: ‘Do you have the time to do this?’ When they are actually just trying to manage the day to day. They don’t have time to evaluate what’s best for the business.
External Factors
A lot of people around their data centre don’t understand the external factors, if you look at business compliance for example, at Sarbanes-Oxley. All of a sudden the standardisation of the data centre and accounting for everything that goes in an out, whether its taxation, or compliance for Telco’s to make sure the emergency phone numbers are always active. I know APRA is flexing its muscles in Australia right now reviewing all the financial institutions on their disaster recovery setups and their ability to recover. There’s even simple things like disaster recovery. For example today in Sydney, how many people are planning for an earthquake disaster like the one that happened in Newcastle 20 years ago? Another external factor than I’m seeing, is the overdevelopment, or the speed of development that is happening in industrial parks and cities. We’re now seeing even Melbourne this summer doing brownouts, Shanghai actually switches off the city’s neon lights after 9pm to conserve power. As a result of all the development and the demands for power now the infrastructure is actually struggling in a lot of the countries I visit.
When you consider all those six things, how comfortable is the CIO in making a decision? When I speak to CIOs about this, they have usually passed on that responsibility to a third party.
Macquarie Telecom
Macquarie Telecom’s multi-million dollar investment in its central Sydney ‘Intellicentre’ is an impressive operation. IDM talked with Group Executive for Hosting and Security, Greg Thomson about what it has to offer.
IDM: What kind of client base have you got?GT: The whole Macquarie business model is about corporate and government Australia in that medium to large space. Specifically we have people like AusJet – all of their equipment is in here; GraysOnline the auctioneers, for example. Where it’s really highly critical, uptime 24/7 365 days a year – people like Prime Minister and Cabinet, Government agencies – we can leaverage off the DSD Gateway accreditations (Defence Signals Directorate Gateway Certification). We’re a very highly accredited data centre, with DSD, with AS(Australian Standard) 7799 (Information Security Management Systems). We have Microsoft, RedHat, Solaris, Symantec, Lucent Certifications certifications.
IDM: Does this work as a good sell for you?GT: Yes, but our biggest competitor in this marketplace is the internal CIO who wants to bring you in and show you their computer room and their bright lights and talk about how they have 20 people in their computer area and they go home at 6 o’clock and isn’t that great. As opposed how can I work 24/7 because the business is open 24/7. Just because you’re shut in Australia doesn’t mean you don’t have people working online in America or in Europe. How you manage security, firewalls and patches and those sort of complexities, well, we’ve got people doing that stuff at 2am. If I’m a 20 person IT shop out at Smithfield that’s not going to happen.
IDM: Where was your revenue coming from?If you look at it over the journey, we’ve broken our business into two streams. There’s Co-Lo (collocation), and we also do managed services. Both have continued to grow at a good rate. In 2000 everyone was building data centres and customers were going to come running. That didn’t happen. The reality is you have to work really hard to build the value proposition. The market is really in fully managed servers now.
IDM: So Co-Lo is a big part of the business?Its horses for courses, we’ve seen a lot of people come into Co-Lo then move into a hosted environment. Then there are some people that just get it and want to move straight into the managed services environment. A lot of it comes about from the trigger events that the customer has gone through – it’s about where they’re at in their journey? Is it because they’re having power outages? Is it because they’re having storage issues, back-up issues, security breaches? Whatever it might – whichever of those trigger events - can cause them to make a different choice. The real challenge for us is getting them to understand the value we can give to customers. And one of the things I always remind people is, there was an Auscert survey done earlier in 2005 that found 85% of Australian business sites were vulnerable to attack. If you went back and drew the old analogy and said everyone has an alarm system in their business, and said 85% of those alarm systems are vulnerable to attack, you’d go and get a security guard to sit at your reception desk. If they can get access through your website, what else are they going to have access to?However, if you look at the IDC figures, the dedicated servers market will actually grow three times the rate of collocation in the next three years. Really the market is in fully managed servers.
IDM: Aren’t people becoming savvier about security?GT: I don’t think so. But I’d say the next level is access to the staff 24-by-7. Access to the staff 24/7 is a huge benefit for the sell. There is a shortage of skilled staff. If you’re trying to have one person 24/7, you actually need five. If one of those people leaves, you have to retrain. Then there is reliability. We have a whole suite of engineers, servicing all of this 24/7. We’re just the infrastructure provider that makes it all work. We allow the company to focus on its competitive advantage. Because the reality is, what we do is never going to give a company a competitive advantage. Its not like, Bank A uses our data centre and increases revenue 5%. But it’s not going to go down. Therefore if I’ve got an IT department and IT resources, I can now focus on the applications that are going to make a difference to my business. Because I now don’t have to focus on that infrastructure component and the security component and the Sarbanes-Oxleys or the accounting standards and all those pull-pressures. Our view is we become selective outsourcing. We do this part, we do it really well. Whilst that happens can now take your IT resources and focus on important things, to drive down cost or increase your revenue. But you have to be sure that your outsourcer is fully certified.
You don’t want to find out that your tape back-up doesn’t work, by the fact that it doesn’t work.
IDM: Learn-by-you-mistakes just makes no business sense?GT: That’s why the compliance angle is so important in this industry. But you’ve got to make sure that your selected outsourcer has all the standards to make it work. You have to make sure that they have gone through a regimented structure and discipline to make sure things work in the event of a failure. For example, with the (Sydney CBD) power-outage that occurred a few weeks ago – as a customer, you don’t want to find out that Macquarie hasn’t tested and certified its UPSs. You want to be sure that they’re going to fire up. You have to know that as a certainty.
IDM: Why do people come to you for managed storage?GT: There’s two angles: the production/data storage angle and the disaster recovery. The production angle data storage can become expensive, you’re storing more data, there’s archiving – people have a lot more email. It’s not just about where do I store my files now, it’s about how do I archive it, how long do I archive it for, so it comes back to a model that is an on-demand model. How can I buy the storage space now, but as my business grows and my requirements grow, can I just tap into more storage?
IDM: You must have strong relationships with storage vendors.GT: Our relationships are domestic and international to allow escalation. If something does go wrong, you need to be able to tap into the right resources in the US.
IDM: On compliance, you already mentioned Sarbanes which is not technically over here yet.GT: But it is for the US multinationals. Twelve months ago, no one in Australia really knew what it was. But it is relevant for the US multinationals, Johnson and Johnson, an Ingram Micros then Sarbanes is equally important as accounting standards 7 and 9 are for an Australian-listed public company like ourselves. Over the last two years it has become much more top of mind.
There is also a better understand today of access into your systems and what does that mean to your corporate compliance?
You look now, one of the challenges is viruses getting back on the network via mobile phones. You will get data going out via personal devices. How do you make sure your data is protected against this? People have become a lot more aware. Only two years ago, for example, used to do a lot of Internet caching, for example. That was great for us, it took a lot of cost out of our business. But now everything is in such real time now, we don’t do any caching anymore. We’ve got these great caching boxes that two years ago we used to cache 20% of our internet traffic. Now we do maybe 5%. Now they will just be part of our museum piece from time to time. That’s another one of the challenges with data centres. We spent $30-million building this in 2000, and you have to continue to invest in it each year. You invest in people, process and systems each year.
IDM: How much education of the market are you having to do?GT: We continue to evangelise and get that message out about what are the important things. What I was saying before about the AusCert survey and 85% of businesses being vulnerable, those kinds of things worry me. And I think they need to worry more people. You have to build systems around that. How do I know my IT manager has done all the ticks and crosses?
Hewlett Packard Business Continuity
Steve Cartland is Hewlett Packard’s Manager of Business Continuity Services. We spoke to him about the business-critical options offered by this global organisation in the ANZ region.
The first thing to point out about HP’s Business Continuity centre is that, when we visited it was, in Steve Cartland’s words: “like the head office of the Marie Celeste Insurance Company”. It was huge and it was empty. Now, in most data centre environments this would have been a huge worry for the manager. No clients means no revenue. However, in the case of Business Continuity, the fact that your clients are not sitting in front of you does not have to be a bad thing. After all, they are all paying retainers and they are all working successfully.
IDM: How do you sell your service?SC: To begin with we talk about critical business processes (CBP). I have to make that clear. This is first and foremost in what we do. Hewlett Packard has been in IT Recovery, Business Continuity globally for 20 years, in the Australia for 15 – and we know that CBP needs to come top of the priority list. We approach this primarily as a business not a technology discussion. A major element of this is what we call ‘Recovery Time Objectives’ (RTO) – how fast do you want your CBPs back up. There are various levels of RTO and these range from two minutes to 24 hours. We can typically get everything back up and running within 24 hours, and that’s everything.
IDM: Don’t businesses want all their services covered?SC: When thinking about getting your organisation back up and running in the most efficient and effective manner, you have to work through which ones absolutely have to come up first. For example, it’s got to be more in your interest to have accounts receivable up before your accounts payable. It’s all about what is most critical to any particular business. So what we do first is to help the businesses understand and agree on what the CBPs are. I did some research as few years ago, and the time that an incident happens to the time that a client declares “a disaster” is on average ten hours. Now this is even people who say that the maximum time they can be down is two hours! Because what many organisations don’t have are good internal processes to decide whether they have a disaster.
IDM: Each department head will always protect their territory.SC: Absolutely true. So we go and we sit down with them because it is crucial to get company-wide agreement on the processes before talking about before embarking on detailed hardware and software conversations.
IDM: How long does this process usually take?SC: That’s highly dependent on individual organisations. It can take any where up to six weeks to get the entire service agreed. However, that also involves agreeing things like the rehearsal times and processes as well as the CBPs.
IDM: Rehearsals? Do you rehearse disasters? SC: We prefer to call disasters “denials of access” because the requirements for business continuity services don’t always derive from power outages or floods or the kinds of the things most commonly associated with ‘disaster recovery’. Some denials of access are caused by bad change management systems and implementations. A rehearsal – or a regime of rehearsals, maybe once or twice a year – is an important part of the whole BC setup. One of the major elements of this sort of recovery is the human resources one. There’s no point in having your systems in place and ready to get going again in two hours if the staff going to be traumatised and are not able to function because they are thrown into a new environment.
IDM: Are the review processes pushed to you? SC: Yes. Well mainly push with a bit of pull. We’ve got client management people who go and talk to customers to see what changes there have been. For example, someone might have subscribed for four terabytes and we find out at the critical moment that they are now actually using four and half terabytes but they forgot to tell us. We suggest the customers alter their change management processes – IT and business processes should work together – so that their continuity contact is included. You don’t want your production systems to outpace your back-ups; we are obviously part of that back-up.
IDM: Aside from rehersal, what does a client get?SC: One of the main things we have stored here for the client is the COE (Common Operating Environment). Your environment is replicated here. So, we will have used something like OpenView to replicate the data across using asynchronous communication. The replication from your site to our site can happen on a minute-by-minute basis. But there are a number of ways of doing this – customers have choice. For example, it can happen on a SAN level using our EVA (Enterprise Virtual Array) with a solution called Continuous Access which means that the replication is happening at bit level. From a cost level, you might want to look at OpenView storage mirroring that replicates on a file level.
IDM: Do you arrange the bandwidth?SC: We typicall suggest that customers extend their network onto our site. They need to have a tail circuit coming into our site from whatever cloud one chooses to use. If we were to put that line into your open relay circuits, it would mean that during a denial of access, 95% of your site would be managed by you and the other 5% by us – not a good idea. It makes more sense to extend it here. You’d have that running the whole time with a dedicated router or switch to the equipment here. Your IT people, would then come in here and – because we would have rehearsed this, and get everything running.
IDM: Do you offer SLAs?SC: In this case, you don’t outsource all of your recovery to HP; you work with HP to get your systems back up and running. You look at the responsibilities; for example it’s the customers responsibility to make sure that their sure that their back-ups have been done or that your technology. For example you have to ensure that your tape drive mechanisms are working properly. It’s all about working closely with each other.
IDM: So, you don’t offer SLAs?SC: The way it works is that we provide customers Service Level Agreements on how quickly they can access the site and how quickly we can get all the equipment together – take all the bits of Meccano and build a layout that’s exactly like their layout. We can do that. Then they do the restore – we work with them closely on that. Then from their perspective, the service levels to the business units should be exactly the same. It’s a professionally run data centre their connected to a network, why should anything be different? We are here to make sure that that kind of thing can happen after a denial of access. And remember, it’s up to the customer to tell us what that is. It’s not up to us to tell the customer what their idea of a disaster is. The important thing to get out there is that most disaster declarations are not caused by the headline-grabbing stuff they’re caused by insidious stuff – like the bad change management – but it can happen from a whole range of things.
Related Article: