Data Centers

MISSION CRITICAL FACILITIES

As the demand for computing power, data storage, and general business continuity accelerates, so does the importance of an organization’s mission critical facilities. Digital Realty and Infrastructure Advisors provides real estate services and strategies for the technology intensive, 24/7 facilities that businesses and governments rely on to support and protect their people, equipment, services, and data.

DRI provides the industry’s most experienced advisors within this highly specialized sector and asset class. Concentrating on data centers, telecom switches, network providers, disaster recovery sites, and critical operations centers. DRI supports key markets throughout North America, EMEA, and APAC.

Engage DRI and leverage a knowledge base from dozens of client engagements surrounding mission critical requirements. Our understanding of the mechanical systems, complex power and HVAC requirements, regulatory issues, and sensitive security considerations of these facilities is informed through practical and expansive experience. Whether an owner or user, acquiring an asset, looking to increase efficiency or expand operations, DRI will help you align your real estate assets with the short- and long-term goals of your organization.

Data center - 1

We deliver a comprehensive overview for Mission Critical Facilities that extend from planning through ongoing operational efficiency providing the Enterprise options.
Data Center Services Colocation Solutions Remote Hands / Smart Hands
• Space • Cabinets •Troubleshooting
• Power • Cages • Maintenance Tasks
• Cooling • Suites • On-site technical personnel
• Network • Custom Solutions
• Security • Burstable Colocation
• Disaster Recovery • Prepackaged Bundles
• Uptime SLA
• Support & Monitoring

Prepare and recommend a detailed review of potential data centers, including facility assessments complete with critical systems qualifications, property pictures, site plans, market observations, and information on 30+ significant features, including:
• Collocation market conditions, pricing models, installation costs, PUE, and SLA terms
• Provider history, financial condition, and managed services capabilities
• Tiering Standards and Energy Efficiency: Uptime, TIA, LEEDS
• Compliance and Data Center certifications for PCI, HIPPA, SSAE 16, SAS70, FISMA
• Size and condition of raised floor or slabe area and electrical/mechanical support space
• Electrical system specifications, including switch gear, generators, UPS and PDUs
• Mechanical system specifications, including chillers, cooling towers, CRACs and economizers
• Fire protection system, including VESDA and BMS monitoring
• Fiber providers (lit and dark) in and near building
• Roof description including penetrations, drainage, and wind rating
• Hazards/Risks including flood, seismic, railroads, highways, airports, pipelines, hazardous materials, surrounding uses, and building setbacks
• Electricity feed capacity, redundancy, and upgrade capable
• Electricity tariffs, property taxes, and available economic incentives

 

Uptime Institute

Uptime Institute Data Center Tier Levels

Tier Level

Requirements

1
  • Single non-redundant distribution path serving the IT equipment
  • Non-redundant capacity components
  • Basic site infrastructure with expected availability of 99.671%
2
  • Meets or exceeds all Tier 1 requirements
  • Redundant site infrastructure capacity components with expected availability of 99.741%
3
  • Meets or exceeds all Tier 1 and Tier 2 requirements
  • Multiple independent distribution paths serving the IT equipment
  • All IT equipment must be dual-powered and fully compatible with the topology of a site’s architecture
  • Concurrently maintainable site infrastructure with expected availability of 99.982%
4
  • Meets or exceeds all Tier 1, Tier 2 and Tier 3 requirements
  • All cooling equipment is independently dual-powered, including chillers and heating, ventilating and air-conditioning (HVAC) systems
  • Fault-tolerant site infrastructure with electrical power storage and distribution facilities with expected availability of 99.995%

 

Energy efficiency

The most commonly used metric to determine the energy efficiency of a data center is power usage effectiveness, or PUE. This simple ratio is the total power entering the data center divided by the power used by the IT equipment.

PUE logo

Power used by support equipment, often referred to as overhead load, mainly consists of cooling systems, power delivery, and other facility infrastructure like lighting. The average data center in the US has a PUE of 2.0, meaning that the facility uses one watt of overhead power for every watt delivered to IT equipment. State-of-the-art data center energy efficiency is estimated to be roughly 1.2.

 

Power and cooling analysis

Power is the largest recurring cost to the user of a data center. A power and cooling analysis, also referred to as a thermal assessment, measures the relative temperatures in specific areas of a data center, as well as the ability of a data center to tolerate specific temperatures. Among other things, a power and cooling analysis can help to identify hot spots, over-cooled areas that can handle greater power use density, the breakpoint of equipment loading, the effectiveness of a raised-floor strategy, and optimal equipment positioning (such as AC units) to balance temperatures across the data center. Power cooling density is a measure of how much square footage the center can cool at maximum capacity.

 

Computational fluid dynamics (CFD) analysis

cfd

Uses sophisticated tools and techniques to understand the unique thermal conditions present in each data center—predicting the temperature, airflow, and pressure behavior of a data center to assess performance and energy consumption, using numerical modeling. By predicting the effects of these environmental conditions, CFD analysis in the data center can be used to predict the impact of high-density racks mixed with low-density racks and the onward impact on cooling resources, poor infrastructure management practices and AC failure of AC shutdown for scheduled maintenance.

 

Thermal zone mapping

Thermal zone mapping uses sensors and computer modeling to create a three-dimensional image of the hot and cool zones in a data center.  This information can help to identify optimal positioning of data center equipment. For example, critical servers might be placed in a cool zone that is serviced by redundant AC units.

 

The SSAE 16 audit supersedes the prior SAS 70 Type 2 audit.

What is SSAE 16?

Effective for audit periods ending June 15, 2011 or thereafter, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a new standard created by the American Institute of Certified Public Accountants (AICPA). The replacement of SAS 70 with SSAE 16 represents the first significant modification to the AICPA standards for reporting on controls at a service organization since SAS 70 was issued in 1992. As organizations became increasingly concerned about risks beyond financial reporting, SAS 70 often was misused as a means to obtain assurance regarding compliance and operations. SSAE 16 and its international counterpart, ISAE 3402, were drafted to correct these misuses.

How are SSAE 16 and SAS 70 different?

The SSAE 16 SOC 1 report and the SAS 70 Type 1 report are similarly focused in content, but the SSAE 16 SOC 1 report includes an assertion by management for the system description and related control objectives.

 

What is the difference between PCI Compliance, PCI DSS and the PCI Data Security Standard?

PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize points of risk to fraud or compromise of sensitive information. PCI Compliance is an adherence of the way your business handles information to the PCI DSS standard.

What does it mean for a service provider or merchant to be PCI Compliant?

There is a group of principles and requirements which organize the elements of the PCI DSS. To be PCI Compliant means to restrict your information handling procedures to the PCI DSS requirements, and to have an attestation of compliance.

These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.

The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which SAQ is appropriate for your
company.

What are the PCI Compliance responsibilities for merchants and companies located in a data center?

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software of programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for employees and contractors

Additional PCI DSS Requirements for Shared Hosting Providers

  • Shared hosting providers must protect cardholder data environment

What does it mean for a data center colocation provider to be PCI Compliant?

A data center provides the facility for companies and merchants to conduct their business. In that capacity, the data center provider has specific responsibilities that have to be PCI Compliant. A merchant or company that is located within a PCI Compliant data center is not then PCI Compliant, each merchant or company claiming PCI Compliance must have and be able to provide their own attestation of compliance.

Data centers are only required to fill out the portions of the SAQ self-assessment that apply, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ.

In addition, as per the SAQ Validation Type 5, SAQ: v1.2 D:

“The questions for Requirements 9.1-9.4 only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”

The following questions are the specific listed Requirements 9.1-9.4 for data centers:
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
9.1.1(a) Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
9.1.1(b) Is data collected from video cameras reviewed and correlated with other entries?
9.1.1(c) Is data from video cameras stored for at least three months, unless otherwise restricted by law?
9.1.2 Is physical access to publicly accessible network jacks restricted?
9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
9.3 Are all visitors handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
9.4(a) Is a visitor log in use to maintain a physical audit trail of visitor activity?
9.4(b) Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
9.4(c) Is visitor log retained for a minimum of three months, unless otherwise restricted by law?

 

 

What does it mean for a service provider to be HIPAA Compliant?

A “Covered Entity” is an individual, organization or agency that must comply with the requirements to protect the privacy and security of health information and which falls into one of the three categories:

A Health Care Provider
A health care provider includes those such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies. A health care provider as such is a covered entity if they transmit any information in an electronic form in connection with a transaction for which the Health and Human Services (HHS) has adopted a standard.

A Health Plan
A health plan includes health insurance companies, HMOs, company health plans, government programs that pay for health care (such as Medicare, Medicaid, and the military and veterans health care programs).

A Health Care Clearinghouse
A health care clearinghouse includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Here is a PDF to determine whether an individual or company or organization is a covered entity under the Administrative Simplification provisions of HIPAA.

What are the HIPAA Compliance responsibilities for companies located in a data center?

Any company located within a data center that qualifies as a covered entity must adhere to the privacy rules as set forth in the HIPAA Privacy Rule.

What does it mean for a data center colocation provider to be HIPAA Compliant?

In the broad definition of a health care clearinghouse, a data center facility could be interpreted to “facilitate the processing of” health information by providing the infrastructure to do so. This may include backup storage devices, connectivity to network providers or virtual servers. However, as per the data centers SSAE 16 control standards, user organizations (customers that use the data center’s services) are responsible for:

1. Informing the data center provider of any regulatory issues that may affect the services provided by the data center.

2. Ensuring that adequate mechanisms are in place to monitor and protect content of any information passing through their network.

3. Implementing their own access control systems on their infrastructure.

The customer is responsible to meet the requirements of HIPAA compliance. And a data center, under the SSAE 16 controls, is already HIPAA compliant for the storage and processing of data using its managed services and data center infrastructure.

© DRI Advisors