As more companies outsource information management to the Cloud or colocation services, focus on data protection increases.
The rise in colocation centers has coincided with the rise of IT in general, as businesses move more and more of their information technology infrastructure outside the corporate firewall to ease the burden that the requirements for speed, efficiency and processing power put on internal IT systems.
Fears that the Cloud might dent the rise in colocation gloss over the need for Cloud services to be hosted somewhere. According to a study by Orbis Research, the North American data-center colocation market is expected to more than double by the end of 2022, while the latest report from 451 Research projects that the sector will be worth $33.2 billion worldwide by 2018.
Simon West, chief marketing officer at Cyxtera Technologies, which provides secure data-center infrastructure, says over the last two decades IT has transitioned from a largely on-premises, static cost center within an enterprise to one that is connected to the entire ecosystem of vendors and stakeholders, with 24/7 applications running all over the world. “Now we have massive interdependencies and systems that are consuming each other’s data,” he says. “You need reliable places to run these applications, where you’ve got access to high-quality, high-speed, pervasive connectivity to the rest of the world.”
The vast interconnections affect both colocation and security requirements. Colocation centers have good physical security and employ specialist staff and technologies to secure data and applications. They invest more heavily in dedicated security infrastructure; companies that store data in their offices typically do not have biometric locks on the server rooms, for example.
On the other hand, the lack of end-to-end control and visibility is also a significant security issue when paying a third party for data-center services. “It is not in their interest to tell you that they experienced a breach or other security issue, and it is unlikely this will happen unless the third party knows you have a way of discovering this yourselves,” warns Scott Bancroft, a cybersecurity specialist at financial services consultancy Capco. “In many cases, the right to audit is denied you, as the provider claims the inability to separate your data from that of other companies (if using hybrid or multitenant services).”
Not only is a client reliant on the provider’s standards of security and screening of staff, Bancroft says, but unless the company is using dedicated infrastructure, processing and storage, there is always a risk of cross-contamination of data or human error in disseminating information—with potential legal repercussions. “In the future, under GDPR [Europe’s pending General Data Protection Regulation], you will be responsible for the actions of your partners and third parties from data privacy and protection,” Bancroft says. “Are you sure they can and will comply with GDPR? How will you know?”
Multi-client infrastructure also raises risks. “If you think about a data center,” adds Cyxtera’s West, “the main door is not the front door, the back door or the loading dock. It’s the network itself, where you have these very large aggregations and networks. In most of our data centers there are more than eight different telecommunications providers all coming into the facility.”
Cybersecurity was part of the rationale behind Cyxtera, formed in May as a five-part acquisition, involving 57 data centers around the world and associated colocation portfolio from CenturyLink, and four software companies all working in the field of networking-infrastructure security or analytics. “We think the time is long overdue inside the field of cybersecurity for more-integrated solutions,” says West. “We’re looking to integrate some of our network-security capabilities into a core colocation product.”
“Over the last 20 years,” he continues, “we’ve seen great revolutions in IT—the rise of the Cloud, running things globally—that are more available, more agile and scalable. But security hasn’t really evolved along the way, and we think that security has to get modernized. We have to do a better job at protecting these infrastructures and systems; because, as [the ransomware virus] WannaCry recently showed, the stakes are just too high.”
Gemalto cybersecurity expert Paul Hampton argues that data breaches happen all of the time, regardless of whether companies have colocation, Cloud, virtual data centers or their own physical data centers. “IT systems are attacked, and they can all lose sensitive data. From a Gemalto perspective—we spent years talking about ‘secure the breach’—you are going to be breached; it doesn’t really matter what controls you have in place. So you need to know your data is secured in some way, shape or form; and the Cloud doesn’t particularly change that.”
Given the resources required for data storage and protection, outsourcing to a colocation provider makes sense for smaller companies. “It’s the economies-of-scale argument. You can gain access to best practices and good resources as a result of doing so,” Hampton says. “Although your data is no longer under your direct control, the IT infrastructure within which your data is operating would be much more robust. You can rent a much more sophisticated solution from a third party.” The evolution of affordable enterprise Cloud services has made them particularly attractive to smaller or more tech-specific businesses, which may well end up running nearly all of their systems in third-party Cloud environments.
Still, risks abound. “Cloud data centers seem easy, quick and relatively cheap. However, you need to do all the due diligence up front and they are limited in customizations and flexibility, which all cost additional amounts,” says Capco’s Bancroft. “There is also the question of portability of data and applications, should your vendor increase prices significantly after the initial contract. How much will it cost you to move to a different supplier? Proprietary APIs may also mean significant redesign requirements. The infrastructure cost is only part of the potential TCO [total cost of ownership] here. How much will it cost you if your most sensitive data is made public or sold on the data black market?”
Regardless of where institutions house their data—be it in a locked rack or cage within a data center or something more like the Amazon model, where a client shares computers with many others; whether it’s in-house or in a hybrid model using all of these alternatives—it is naive to think no intruder is ever going to attempt a hack. “Whether it’ll be successful is another matter,” says Cyxtera’s West. “We advise that you can’t think of security just as something you simply bolt on after the fact. You have to think about cybersecurity as an integral part of what you are building, from the ground up. It becomes incumbent to work out what is high priority stuff that you need to protect and how you protect that—and to make sure you understand, from a business operations and technical partner’s perspective, how it will work.”
WHAT’S THE DIFFERENCE?
• A colocation (colo) is a data center where businesses rent space for servers and other computing hardware. Typically, a colo provides the building, cooling, power, bandwidth and physical security, while the customer provides servers and storage. Space is usually leased by the rack, cabinet, cage or room.
• Cloud services are similar to colocation, in that organizations realize cost savings through the use of a shared facility. With Cloud services, however, the Cloud service provider supplies and manages the customer’s full hardware infrastructure, including servers, storage and network elements.
• Hybrid data centers are a technology strategy, offering a flexible approach to housing data that includes on-site legacy IT infrastructure, keeping more critical services on an internal Cloud or data center, and third-party off-premise infrastructures such as managed services, hosting and Cloud providers, which includes colocation.