BreachExchange mailing list archives

Data centers play fast and loose with reliability credentials


From: Lee J <lee () riskbasedsecurity com>
Date: Thu, 21 Nov 2013 01:47:19 +1100

http://www.infoworld.com/d/data-center/data-centers-play-fast-and-loose-reliability-credentials-231268

How reliable is your data center service provider? Perhaps not as reliable
as you think.

The Uptime Institute says some data centers are playing fast and loose with
its "tiering" system for rating data center reliability, making false
claims or at best being economical with the truth about how resilient their
facilities are.

The upshot, the Institute says, is that some companies may be running
important applications in data centers that are more susceptible to failure
than is advertised, and they may get a rude awakening the next time a
hurricane strikes or a transformer blows out in the local power grid.

"At a time when more enterprises are moving at scale to an outsourcing
option, the stakes couldn't be higher," said Julian Kudritzki, Uptime
Institute's chief operating officer, who along with a few data center
operators is trying to raise awareness of the issue.

The Institute's tiering system is only one way of indicating data center
resiliency, but it has become well known in the industry. It gives four
tiers of certification, with Tier III the most common type awarded. A Tier
III data center has multiple delivery paths for power and cooling, and
redundant critical components, so that downtime is minimized and
maintenance can be performed without taking the computing services offline.

Customers can be misled in a variety of ways. Some data centers imply
they're Uptime certified when they're not, while others advertise their
Uptime "design" certification, which shows only that the plans for a
facility met certain criteria. Vendors are expected to follow that up with
a "constructed facility" certification to verify the data center was built
to spec, but many never do.

Complicating matters is that Uptime's "tier" language has become part of
the industry vernacular. Some operators say they use it as a shorthand to
convey a certain level of reliability, and that they're not trying to
intentionally mislead customers.

Not surprisingly, data centers that have made the investment to get
certified don't buy that argument.

"It's a bit of sleight of hand," said Chris Crosby, founder of Compass
Datacenters.

Two of Compass' data centers are Tier III constructed facilities, and
Crosby wants the system better policed so that the credentials remain
meaningful. In the long run, he argues, better policing is good for the
rest of the industry, too. More and more customers are outsourcing their
computer operations, and if enterprises start to think they can't trust
their service provider, the commercial data center industry as a whole will
suffer, he says.

Users need to educate themselves about the various certifications and press
commercial data centers to verify their credentials, Kudritzki said. "The
counsel is 'buyers beware.'"

Some data centers certainly appear to make questionable claims. Arsalon
Technologies of Lenexa, Kansas, says on its website that its hosting
facilities "comply with Uptime Institute data center standards." A page
headed "Data Center Certifications" refers several times to "tier III"
standards.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/