I am working on a data center project for a client. Evaluating data centers is kind of funny, especially the certifications. SAS70, ISO, LEEDS and PCI Compliance.I don't think people even understand that SAS70 means that a CPA has audited the procedures and processes to ensure that there are indeed written processes in place and that at least some of them are followed. Now some of you will argue you with me about this, but the reality is, my evaluation is pretty accurate. It's a goofy deal to spend between $15k and $35K for the cert. Why?
Well, most of the regulations - like HIPAA, SOX, and PCI Compliance - are based around Data Security, not transport security. Let me give you an example: HIPAA doesn't distinguish between a paper file that is left on a desk and gets misplaced or read by the wrong eyes and the electronic file on a server in a data center. PCI Compliance has to do with stored data - much like how merchants have to protect against employees stealing carbon copies and properly disposing of credit card imprints. We just concern ourselves more with the electronic theft. Why? Probably because it is more intangible.
That being said, why is SAS70 so important? I think it is about appearnace more than anything. If there is a data breach, and your servers were at a non-certified facility, the executive that made that decision would look like an idiot. It's about appearance. And to some extent Marketing.
It's kind of the same with LEEDS. How energy efficient is a data center? It's sole purpose is to provide space, ping and power. Any data center wants to be energy efficient, because it drives the bottom line. Now it is also a marketing bit.
Physical security is important, of course. A locked cabinet at the minimum, but that won't stop someone from throwing coffee in the cabinet and burning out your server. There's always a loophole.
Think about how important Internet Access and Data Backup are to businesses. The lessons of Katrina and other disatsers have prominently demonstrated that water damage will destroy all your files and you will be out of business.
Internet Access is a utility - and the cost to some businesses to be out of Internet Access is tens of thousands of dollars. Some businesses have even experienced that but still refuse to buy redundancy.
I guess that redundancy, security, encryption, and backup are seen as unnecessary - until it happens to you - and more like insurance - good to have if you want to pay for it, but if it isn't a legal requirement (like email archiving is for financial planning firms), then most companies forego it.
So why would the data centers need to worry about the certs then? Marketing for sure; but also because it is a check box on many RFP's. But the story they have to start telling is about process and security instead.
Even uptime as a check box is funny. Most consumers are used to TDM uptime of five nines (99.999%) and with line powered POTS service for voice. Even today, most consumers have not come to grips with the fact that VoIP and cell service are NOT five nines. The tower is not a central office. At four nines that means about 1 hour of downtime per year. At three nines that's almost 9 hours per year of downtime. Advertised 100% uptime is great, but we have seen many outages in the last year from even the big names like Rackspace, Amazon and Google. (Not to mention Facebook and twitter).
As we move to Cloud services, outages will increase. Why? More vendors in it means more competition, which means commodity pricing will drive down margin and providers will cut costs in staff, equipment and redundancy. As one CEO put it, Resiliency and redundancy are nice, but very expensive. Even security is an expensive deal. I don't know what kind of security Epsilon had, but all that data was hacked -- just like TJ Maxx and many others. So what it was a SAS70 data center? If you don't secure the data properly (and back it up), the server might as well have been in the hallway.
This was just food for thought as I diligently research for my project.
