Cybersecurity Gets Physical: Tips for Selecting the Best Datacenter Partner

Andrew Davidson

As more and more organizations look to reduce their overhead costs, they are turning to co-location datacenters as an answer to their challenges.  However, if you don’t do the right research, you could find itself stuck in a long-term contract with a site that doesn’t meet your needs.

First, What’s a Colocation Datacenter

A colocation (“colo”) datacenter is any provider that rents out rack space, servers, networking, equipment, utilities etc. to other organizations to use for their own purposes.

Some colos just rent rack space and cages, with renters responsible for installing their own servers and getting hooked up. Others reach full cloud Infrastructure-as-a-Service (IaaS) level, managing all aspects of datacenter operation.

What type of colocation provider you choose depends on your goals. Do you want to get hands-on with your servers in a dedicated rack? Are you just looking to rent server space for basic tasks? Or do you need massive quantities of floor space where you have total control? Answers to these basic questions will drive initial requirements.

Selecting the Best Colocation Partner

Once you’ve determined what level of service you need from your colo provider, there are additional things you need to consider before you lock in with a long-term colo contract.

Compliance Requirements and Support

Prior to selecting a colocation datacenter, you should understand your long-term compliance roadmap. Determine the high-water mark of compliance frameworks for your Cloud Service Offerings (CSO) (ex. SOC II Type II, ISO 270001, FISMA, CMMC, FedRAMP, Protected B, etc.). Research potential datacenter partners to determine if they meet or are in the process of meeting those requirements.

Additionally, make sure the contract language with the colocation datacenter includes compliance assessment support, to include onsite assessment reviews and assessment artifact collection.  Some colocation datacenters claim to support assessments, but then make it very difficult for the assessor to gain the artifacts required. Ensure the contract language is in place to protect your organization’s interests.

Resilient, Redundant Datacenter Design

It would be difficult to find a colocation datacenter these days that doesn’t support redundancy efforts for its clients. This is usually communicated by specifying datacenter “tiers,” with higher number tiers indicating greater reliability.

However, there are contractual items beyond the tier level that you should consider when researching a new datacenter for your CSO.  You should request information on how many physical backup generators are located within the primary CSO site.  In addition, how much fuel is maintained onsite and how long “at full capacity” would the site be able to perform during a loss of power?  These questions are answered based on the overall criticality of your CSO to stay in operation if the colo partner is unable to be resupplied quickly by a fuel company.

Along with the primary site, most compliance frameworks require you to have a failover site to support redundancy.  With this type of requirement, you should ensure that the failover site location is at least 50 physical miles away from the primary site to limit the potential impact from residing in the same geographic location.

Perhaps Don’t Build Your Datacenter in a Flood Plane, Under a Tornado

Pay close attention to the physical location of each colocation datacenter.  Where are the primary and secondary datacenters physically located and what natural disasters could impact them?  If they are close to the coastal waters of the United States, were they built to sustain Hurricane category levels (Level 1-5)?  In this scenario, you would want to ensure your datacenter can sustain up to a category 5 hurricane that can reach above 157 mph.

If the datacenter is located in the midwest, how susceptible to flooding from the Mississippi River is it?  Is the datacenter physically located within Tornado Alley?  If so, is it built to withstand a tornado up to Fujita Scale F5 at 261 mph?

These are questions that each organization should be asking to make sure your CSO is protected against physical disasters that could interrupt service.

Advanced Datacenter Security

If you’re trying to sell your CSO to an audience with more stringent requirements (e.g., Department of Defense), further analysis of the proposed datacenter will be required.  An example is the requirement for intrusion detection alarms at the entrance of your physical components, like the door to the cage where the components are stored. You may also need access to automated mechanisms for reviewing/maintaining visitor access records to the colo.

Additionally, your customer requirements may even include support for National Security requirements for classified materials.  In this scenario, you will need to ensure that the datacenter supports classified security controls up to the appropriate classification level.  In some cases, the datacenter will need to support enough onsite space to hold classified briefings.

Contact 38North to Get Physical

As an elite cloud security advisory firm, 38North specializes in all aspects of colo and cybersecurity – including the physical element. Contact us today so we can help you select, manage and maintain effective colo security.

Frequently Asked Questions:

1. How do colocation datacenters typically handle the installation and setup of servers for their clients?

Colocation datacenters typically provide rack space, power, cooling, and network connectivity for their clients’ servers. However, the installation and setup of servers themselves are usually the responsibility of the clients. Clients can physically install their servers into the racks provided by the datacenter and configure them according to their requirements. Some datacenters may offer additional services or support for server installation and setup for an extra fee, but in general, clients retain control over their server hardware and its configuration within the colocation facility.

2. Are there any specific considerations for organizations looking to collocate their datacenter operations for compliance with multiple regulatory frameworks simultaneously?

Yes, there are several specific considerations for organizations seeking to collocate their datacenter operations while maintaining compliance with multiple regulatory frameworks simultaneously:

  1. Compatibility of Compliance Requirements: Organizations need to ensure that the colocation datacenter can accommodate the various compliance requirements they must adhere to. This might involve assessing whether the datacenter already complies with specific standards or if it has plans in place to meet them.
  2. Contractual Obligations: Contracts with the colocation provider should clearly outline how compliance with different regulatory frameworks will be addressed. This includes specifying the responsibilities of both parties regarding audits, reporting, and ongoing compliance efforts.
  3. Data Segregation and Isolation: Organizations may need to ensure that their data and systems are segregated and isolated from other tenants within the colocation facility to maintain compliance with certain regulations, such as those related to data privacy and security.
  4. Access Controls and Monitoring: Implementing robust access controls and monitoring mechanisms is crucial for maintaining compliance with various regulatory frameworks. Organizations should assess the datacenter’s security measures, including physical security, access control systems, and surveillance capabilities.
  5. Auditing and Reporting Capabilities: The colocation provider should have mechanisms in place to support auditing and reporting requirements associated with different regulatory frameworks. This includes providing access to relevant documentation, logs, and evidence of compliance efforts.
  6. Scalability and Flexibility: As regulatory requirements evolve, organizations need assurance that the colocation facility can adapt to meet new compliance obligations. This might involve assessing the provider’s ability to scale services, update security measures, and implement changes as needed to remain compliant with changing regulations.

3. What are some common contractual pitfalls related to compliance assessment support with colocation datacenters, and how can organizations safeguard against them?

Common contractual pitfalls related to compliance assessment support with colocation datacenters include:

  1. Vague Language: Contracts may contain vague or ambiguous language regarding the scope of compliance assessment support, leading to misunderstandings about the responsibilities of the datacenter and the client.
  2. Limited Assistance: Some datacenters may claim to provide compliance assessment support but offer minimal assistance or guidance during audits or assessments, leaving the client to handle most of the compliance work independently.
  3. Hidden Fees: Additional fees may be hidden in the contract for compliance assessment support services that were not clearly outlined during negotiations, leading to unexpected costs for the client.
  4. Lack of Documentation: The datacenter may fail to provide sufficient documentation or evidence of compliance efforts, making it challenging for the client to demonstrate compliance to regulatory authorities or auditors.
  5. Inadequate Response Times: Delays in responding to compliance-related inquiries or requests for documentation can hinder the client’s ability to meet regulatory deadlines or address audit findings promptly.

To safeguard against these pitfalls, organizations should:

  1. Thoroughly Review Contracts: Carefully review contracts to ensure that language regarding compliance assessment support is clear, specific, and aligns with the organization’s needs and expectations.
  2. Request Detailed Service Level Agreements (SLAs): Negotiate SLAs that outline the datacenter’s commitments regarding compliance assessment support, including response times, documentation requirements, and the scope of assistance provided.
  3. Clarify Responsibilities: Clearly define each party’s responsibilities regarding compliance assessments, audits, and reporting obligations within the contract to avoid misunderstandings or disputes later on.
  4. Request References and Case Studies: Ask the datacenter for references from other clients who have utilized their compliance assessment support services and inquire about their experiences. Additionally, request case studies or examples of successful compliance engagements to gauge the datacenter’s track record in this area.
  5. Include Penalties for Non-Compliance: Consider including penalties or financial incentives in the contract to incentivize the datacenter to meet its obligations regarding compliance assessment support and to provide recourse for the client if these obligations are not met.
About the Author
Andrew Davidson