Data centre doesn't like your face? That's a good thing

Your company has decided, quite sensibly, that it wants to move its application infrastructure to a data centre rather than living with the risk of an on-premise approach. So how do you choose the data centre you should move to? Location Location is a compromise of locality versus suitability, but in my mind you should lean …

  1. Disko

    Helpful considerations

    May I suggest building up your kit in the comfort of your own location, with staff, tools and coffee on hand, to only install it at the datacenter once it's all set up, complete and known to be in good working order - at least the hardware, OS and basic stack you are going to be running. I get that this isn't always an option (e.g. when replacing burnt out kit on the fly) but for regular installations I think it's a lot more practical - it prevents this kind of potentially painful scenario where you're stuck at the DC build bench because some part or cable is wrong or missing.

    Also, I'd personally prefer to set up a separate (from the rest of the rack) maintenance connection on the rack, or bring my own Internet connection in the form of a mobile Wifi hotspot (a phone with a data plan will do just fine for downloading some docs or patches). Local Wifi availability is not something I would want to have to rely on when troubleshooting. Having my own uplink also allows me to check things like loopbacks and what a system looks like to the outside world - and that I can make sure that whatever the server is supposed to be doing, actually amounts to anything at HQ without having to call in and ask someone to check if system X is now visible on the network, or having to wait and see what happens - fingers crossed - when users connect.

    1. Anonymous Coward

      Re: Helpful considerations

      Be careful on assumptions about being able to use phones/wi-fi/laptops in the server room. Most secure server rooms are faraday cages (for good reason - think rogue wireless access points), and wouldn't allow you to take a phone in anyway. Taking your own laptop into the room may also not be an option (or if it is, then you may find it can never come back out again without being wiped first!).

      Bottom line - check first. And remember that if you are allowed to take phones/laptops and set up wifi access points in the room, then so can the other clients - are you happy with that?

      1. Disko

        @ AC Re: Helpful considerations

        ...connection on the rack would be a UTP port, and stepping outside would usually get me a signal on my phone so I can download that patch or doc or do a test or whatever. Did I really need to mention you would probably like to secure your (Wifi) connection? Sorry for that, I guess it doesn't go without saying these days. Not familiar with general datacenter policy regarding storage devices or laptops etc. not being allowed in or out - it seems kind of moot given there's already a whole stack of hardware there ("mine") for me to peruse as I see fit, and with only authorized and registered access to locked cabinets, it's easy enough to know who makes a mess.

    2. Anonymous Coward

      Re: Helpful considerations

      "May I suggest building up your kit in the comfort of your own location, with staff, tools and coffee on hand, to only install it at the datacenter once it's all set up, complete and known to be in good working order - at least the hardware, OS and basic stack you are going to be running."

      May I suggest getting the vendor supplying the hardware to do that - ideally on their own premises. Assembling servers is not a value add service for an IT department to need to be involved with...

      Although these days, it's far more economical in the vast majority of cases to buy private cloud server resources from a resident vendor than installing any of your own server hardware - except where the processing power required in a single OS image is so large that it makes more sense to buy your own tin....

      1. Disko

        @ AC Re: Helpful considerations

        Right, but not all of us buy off the shelf/BTO stuff or there would be little to assemble

    3. NoneSuch Silver badge

      With respect you missed the BIG one.

      Ensure the company you are entrusting your data to is fiscally viable and monitor that they remain so for the duration of your stay in their data center. If they ever go under, your assets and your access to them may be restricted for a long time.

      Ensure your backups are made frequently and stored on your infrastructure. Have a transition plan to other resources using only those backups.

      Lots of companies offer data centers today. Not all of them should be in that business.

      1. Anonymous Coward

        "Ensure the company you are entrusting your data to is fiscally viable and monitor that they remain so for the duration of your stay in their data center"

        That's why most companies use 2 datacentres with different providers. Although these days, one Datacentre, and real time replication to options like Azure Site Recovery are also viable alternatives.

  2. This post has been deleted by its author

    1. oldcoder

      Caution on roof top installations of antennas

      The problem with antennas is that you will likely need local installation staff - if nothing else than to CYA over damaging the capability of some other facility (not necessarily on the same roof).

      I say that from previous work with a company that tested microwave ranging and GPS systems. The company frequently got accused of blocking the cable companies' links with satellites - and they were over a mile away. Any antenna put up COULD do that, or interfere with a different customer at the same site.

      Very likely you wouldn't expect to be able to install your own stuff as you would not be familiar with the other communication links that may be present.

  3. The Crow From Below

    "And yes, formal certifications do demonstrate that a provider has a certain level of process and procedure and has given due consideration to security and data protection."

    Just because they can pass an accreditation and audits doesn't mean much in my eyes:

    Back in the early part of this century I worked for a company based on the south coast that gained both ISO 27001 and ISO 9001 whilst I was working there. The processes for staff to follow were written down/made up about a week before the accreditation, and were never followed post that (each time an audit was due, the paperwork was fudged and lies were given as answers to the auditors' questions, which they believed). The server rack was installed in a non-air-conditioned, ground floor store room with large windows on 2 walls, it was also close to a fairly large town, but far enough away from other buildings that everyone knew it was there but no one could actually see it, meaning anyone breaking in would have had plenty of time to do so (not that it would be needed as the windows were not even double glazed and led directly out to the car park to make thievery all the easier).

    Oh and the door was never locked (except when the auditors were in), everyone used the admin account for every machine, server and RDP session and generally I couldn't trust that setup to securely store my mother's recipe for serving corn flakes, let alone the corporate banking and chemical production companies that entrusted their employee data to that shocker of a setup.

    The kicker...the reason for not choosing a professional, secure and reliable data center was that the customers wanted to know that their data was held securely and not by a 3rd party...(I face palmed so hard when I was told this that I think I did some permanent damage)

    1. Anonymous Coward

      "each time an audit was due, the paperwork was fudged and lies were given as answers to the auditors' questions, which they believed"

      Then there was something very wrong with the audit. If you get someone like Bureau Veritas in, there is little chance that this sort of thing would not show up as they will check all documentation, and logs and match it to camera footage and security access system records, stated governance and control systems, etc. etc. and also things like glass windows will also be noted as not ideal (both for security and for heat management).

      Also as a customer - when visiting such things would be always logged and reported.

      1. This post has been deleted by its author

    2. Anonymous Coward

      Just because they can pass an accreditation and audits doesn't mean much in my eyes:

      True. I once worked for a company that was very proud of its ISO 9000 certification, and genuinely did try to follow the processes. During one of the regular "surprise" audits I was asked for a project spec, but on attempting to retrieve it from the doc repository I realised that it didn't exist. Either never written, or never stored.

      To buy time I gave the auditors a similarly-named document from a related project, assuming that by the time they noticed that the content was incorrect I could have written and backdated the first document which I could just produce with an apology for the "mistake".

      The auditors never noticed, suggesting that they just ticked the boxes based on the document titles.

      1. Anonymous Coward

        "assuming that by the time they noticed that the content was incorrect I could have written and backdated the first document"

        No! You'd honestly consider undertaking fraud (for which you'd be personally liable in most jurisdictions) to benefit the reputation of your employer (for which you get little if any credit) and for the sole reason of hiding their organisational incompetence of neither having the spec, nor the process to realise and correct this omission in the first place?

        If I might offer some advice, having worked in a number of situations of institutional fraud, never, ever cover things up for the business. Unless you're a shareholding director, fraudulent practice won't benefit you, but the risk you're taking is your entire future career, and possibly your liberty. Might sound extreme for "mere paperwork", but if you were falsifying ISO9000 compliance, that compliance is presumably relied upon by customers, and the fraud will be deemed to have been done for financial advantage. And potentially the business would have been embarrassed by a blot on the audit scorecard, but that's retrievable. If they were found to be cheating the audits, then the customers simply won't renew - will your employers thank you for that?

        Very few corporate frauds start off as vast and wilful attempts to steal - the vast majority are some attempt to put right a missed ambition - sales targets not met one quarter, earnings below expectations, operational KPIs below the bonus threshold. And the perpetrators usually plan to make things good next quarter or next month, conceal the evidence, and nobody will be the wiser or worse off.

        And whilst your intention was to cover your tracks well enough to avoid detection, that's what people like all the jailed, sacked and unemployed fraudsters thought. Remember Enron, and Arthur Andersen? The demise of the $100bn a year Enron empire, and the 85,000 employee Andersen's business came simply because the board wanted to hide a few underperforming projects, planning to make things right in subsequent quarters. The Satyam fraud reported elsewhere on the Reg today is another example.

        If you're prepared to do fraudulent things, at least make sure that you personally benefit from the risks you take - but even then I'd say don't do it. I've worked in an IT firm with people currently doing time for a fraud they hoped they could hide, but that benefited them.

  4. Velv Silver badge

    Critical Business

    "Check out the Goods Inwards area too. If you purchase equipment for the data centre it's likely to be bulky, so you'll have it delivered straight to the data centre"

    Depending on how critical your business is, you might want to consider the delivery arrangements. All deliveries should be pre-registered, and unexpected deliveries should be rejected by the data centre. Because who knows what else could be delivered if they'll just accept anything. Some may even only permit deliveries in the presence of one of your named people and the packages must be unpacked immediately.

    And while there may be confidentiality agreements preventing you, try to find out who the other tenants are. You might not be a target for terrorists, anarchists, animal rights groups, etc, but are your co-tenants?

    1. J P

      Re: Critical Business

      My brother did some work auditing (in the financial accountant sense) a rather well known large financial sector outfit with its own datacentre(s) - all 3 UK sites were below the water table & in flood risk areas (London, South Coast and another; I forget where). Access to the racks was through a secure airlock (vertical glass tube affair) with scales in the floor - if you weighed more on the way out than the way in it triggered an alarm. [Yes, I know, carry a bag of sand in under your jacket etc]

      Unfortunately, the colleague accompanying my brother was quite large - so large in fact that he didn't fit in the tube. "No worries" said 'Security', and they opened up the delivery shutter at the other end of the room - which was quite literally big enough to drive a truck through.

      (Of course, the actual audit/stocktake was laughable - all the units' ID stickers/serial numbers were either round the back, or obscured by the locks & cages everything was secured in; they just had to take the client's word for it that this row of identical black plates with flashing LEDs on it corresponded to that set of entries on the ledger)

  5. Steve Davies 3 Silver badge

    don't forget the....

    winter clothing. Some of the data centres I've been in have been as cold as a Norfolk Beach (Hunstanton or Cromer) in Mid Summer.

  6. jake Silver badge

    "Your company has decided, quite sensibly, that it wants to move its application infrastructure to a data centre rather than living with the risk of an on-premise approach."

    Out of curiosity, how does adding one or more levels of abstraction make for a more sensible approach to corporate security?

    Not trying to needle anybody, I'm truly curious where this mind-set comes from. Can anyone explain the concept in a way that makes sense to this jaded old sysadmin?

    1. Gavin Park Weir

      Because very few companies can afford to invest in the types of physical security and redundancy/resiliency a good data centre provides.

      1. jake Silver badge

        @Gavin Park Weir

        So you've drunk the Kool-Aid.

        One good in-house sysadmin costs far less than out-house hosting. With far fewer levels of potential problems.

  7. Paul Hovnanian Silver badge

    Location

    Some years ago, I supported a system located in my company's data center that satisfied practically all of this article's 'should have' checklist. Except that it was built within a few hundred yards of the Seattle Fault.

    Sadly, the system had originally been designed to be redundant and distributed. So that one clod tripping over a power cable would result in functions failing over to another site in the Puget Sound region. But the PHBs in IT management figured that all the redundant servers should be relocated to the one central site.

  8. Anonymous Coward

    As opposed to home-grown...

    Horror stories from the days before you could buy a data centre from someone else (and pay them to do the same things in secret...).

    A colleague set up his data centre with diverse routing from separate comms providers, until he found that all of the incoming cables had to cross the same railway bridge to reach his site.

    The data centre that had a separate printing area for output. Until someone dropped a laser toner refill, when we found that the underfloor voids were connected and part of the same air-con system.

    The diesel generators up on the roof of a city tower block. Worked perfectly when we had a power cut. Until we discovered after 20 minutes that the diesel header tanks were supplied from a main tank at ground level, with a mains-powered lift pump.

    The diesel generator that was wired so that the mains sensor was on its output side. When the incoming mains failed the generator fired-up, saw its own output and shut down; fired-up; shut down; etc.

    The data centre air con that had its cooling condensers out in the car park. During the summer they took full sunshine during the day and got too hot to work.

    The data centre that had an unguarded main power cut-off button right next to the exit door. Just next to the unlabelled door release button.

    We're so much better now.

  9. Stoneshop Silver badge

    Although you should have a torch to hand to see into the darker recesses of your cabinets,

    In my trouser pocket: flashlight (currently one powered by an 18650 Li-Ion, should get one that runs on penlites because you then can get spares at any corner shop); in my backpack a Petzl Tikka headlamp. There have been several cases where you'd otherwise have had to have three hands.


Biting the hand that feeds IT © 1998–2019