In Part 1 of iTnews’ Concise Guide to Choosing a Data Centre, we looked at considerations around size, location, power, price, network links and weight limits.
We also encountered a significant problem: how do you find out the operational history of a given facility in order to accurately judge its availability record? How do you, in short, assess the risk of failure?
In this section -- Part 2 of iTnews’ concise guide -- we dive into the due diligence and contract negotiations required before you finalise the selection, sign on the dotted line and move on in.
This section is best navigated via a series of questions about the scenarios you are hoping to avoid:
-
Who am I dealing with? How can I do due diligence on the operational history of a data centre?
-
What happens if my data centre provider goes broke? How can I be assured of my provider’s financial stability? (Page two)
-
What happens if the data centre business is sold, or if the landlord sells the land out from under it? (Page two)
-
What is my exit strategy? (Page three)
-
Whose laws are we subject to? (Page four)
-
Who is liable for downtime? Should I push for the data centre to be liable for consequential loss? (Page four)
-
Who are my neighbours? How can I mitigate the risk of sharing infrastructure with undesirable tenants? (Page five)
Who am I dealing with?
Assessing the operational performance of a facility before you have kit operating inside it is a significant challenge. Market reputation will only get you so far.
A facility's insurance history may provide some clues into its quality and that of its processes. There, at least, you might determine if the data centre has experienced fire, flooding or legal incidents in the past.
“The claims history and profile of a facility is important – it tells you what your insurance costs as a customer are likely to be going forward,” notes James Halliday, a partner with law firm Baker and Mackenzie.
“Whenever a business makes claims, its premiums tend to go up.
“More generally, a claims history might point to some operational and business issues you would want to avoid. I would seek to avoid any business that has made huge claims over short period of time.”
Generally, IT outages tend to be attributed to:
But a great deal of data centre outages also appear to be the result of fire and flood incidents.
Disaster Recovery expert Tim Cousins has generated a list of several organisations suffering from fire and flood incidents – a frightening number being the largest brand names in Australia.
Organisations as large as ANZ Bank, Fosters, Macquarie Bank, Monash University, Racing Victoria and Vodafone have suffered data centre floods in the last five years.
Almost as many have been subject to data centre fires (including The Commonwealth Bank, Ergas, Telstra, Ticketmaster) and accidental discharge of fire suppression systems.
Mike Andrea, director at data centre consultancy Strategic Directions, says Australian organisations are “apathetic” when it comes to flood risks.
"The [2010/11] Brisbane floods seem to have been forgotten already, and it’s only been 18 months," he notes.
Andrea advises buyers to “not listen to what data centre providers say about flood risk” and instead seek floodplains data from relevant local or State Government departments.
There are also specialist organisations that specifically deal with this data for a fee.
“When you are thinking about flood risk – remember that whether the data centre floor or the IT infrastructure gets wet is only one issue,” Andrea says
“The other is about access - whether the owner/operator can continue to get diesel to the facility to manage and maintain operations. If the power is out and all the roads are shut, trucks can’t get diesel to it."
A quick straw poll of five of Australia’s largest data centres – all of whom spoke anonymously – suggests that most customers don’t bother to ask for claims profile and history.
Data centre operators are on occasion prepared to offer this information to a potential customer, but that depends largely on whether the customer is a big enough fish to land. Government agencies, for example, tend to get what they are after.
Read on to page two to find out how a data centre operator's financial situation might affect you.
Could my provider go broke?
Customers might also be wise to seek access to the financial history of the data centre provider.
Building and maintaining a data centre is a capital-extensive exercise. Despite increased demand, data centre businesses are still very risky ventures.
“The economics of building a data centre can be challenging. To establish a data centre, you need to make a significant capital investment, take out a lease over the premises, and pay for infrastructure, power supply and comms into the building,” notes Halliday.
“So the financial history of your data centre provider should be assessed as part of your due diligence."
Customers should seek information on the provider's expansion plans, and whether those plans are broadly in line with the future needs of your business.
It’s also important to consider whether the your IT infrastructure might be at risk should the provider go bust.
receivers be called in to the data centre business.
Halliday highlights a January 2012 change to Australia's Personal Property and Securities Act (PPSA) that allows a bank or other third party with a security interest in a company to sell off assets the company was in possession of should it become insolvent.
The PPSA was originally designated for land titles, but now applies to non-land assets, so IT infrastructure could conceivably be caught.
Similar laws in New Zealand (see Graham v Portacom [2004] 2 NZLR 528) have led to a bank taking ownership of demountable buildings one company leased to another when the latter became insolvent.
Halliday says a similar scenario could well play out in the data centre industry.
If a data centre operator sought a mortgage or raised funds for expansion by offering a security interest to a bank and later became insolvent, the receiver of the centre operator would look to see what interests were registered under the PPSA.
Unregistered customer equipment in the facility could technically be sold by a receiver to help cover debts, even if the operator does not own the kit.
“I would advise that you register IT assets held in a third party facility in your name,” Halliday says.
“If you haven’t registered ownership of assets within the facility, you could end up losing title to your asset. A security asset that has been registered takes priority over unregistered interests.”
What if the data centre business is sold?
It’s less common that a cash-strapped data centre business becomes insolvent in today’s market. It’s far more likely that an operator struggling to meet its debts will opt to sell the business and its assets before such a scenario can play out.
Halliday expects the data centre industry to be ripe for consolidation in the coming years, as it is "an industry in which you achieve profitability through scale".
Several of the mid-tier data centre operators interviewed for this feature said they were entertaining multiple offers.
Unfortunately there is little a customer can do about the business being sold. The only real risk evaluation comes down to the size of the business you’re contracted with.
It is also worth considering that many data centre operators don’t own the land their asset sits on.
In such a scenario, Halliday said, due diligence should involve a search of the lands and titles office in the relevant State or Territory to ensure there is a “registered lease over the premises”.
“When a lease is registered, even if the underlying land is sold, the lease goes with the land,” he said.
Andrea recommends that the lawyers of data centre customers seek a head lease on the premises during the due diligence process.
He notes several examples of where a third party had rights over a facility that caused a problem for its ongoing operation.
One common issue is that data centres located within a larger multi-story premises may over time prove unattractive to the landlord, owing to the increasing price of energy.
“I know of one situation in Brisbane where a data centre operated within a commercial office tower," Andrea says.
"The data centre basically was using up all the power and cooling, and the streets around the building were constrained – the building simply couldn’t access any more power or water. The data centre operators were told to leave at the end of their lease period.”
The situation gets particularly messy when a direct competitor of the data centre operator purchases the land/premises, as the ‘Eagle St’ incident so colourfully demonstrates.
Read on to page three for some vital tips on formulating an exit strategy.
What is my exit strategy?
For all the complexity of most data centre contracts, Andrea believes one of the most overlooked is the exit strategy.
“If things don’t work out and something happens to the business – if for example your growth is larger than expected or if you are acquired - you need to consider what ability you would have to exit the agreement,” he said.
A common cause of conflict between data centre operators and tenants is whether the contract allows for “termination of convenience".
“Its a tricky issue,” Andrea says. “In some large contracts, a customer might sign a lease for 1MW of power and cooling.
"The data centre provider has then gone and committed 1MW of redundant power and cooling for the customer’s area or fit-out, as they have been told the customer needs to use that capacity.
“But then that same customer might also negotiate for a termination clause. They might desire that at any point in time, they can pull out of the facility without penalty."
There is thus a major disconnect between client expectations (the ability to walk away with no penalty) with the data centre provider’s expectations around the capital they are investing on behalf of that customer.
There is a scale above which a data centre provider can’t afford to invest in a facility unless there is a client readily available to take up that power.
Should a bank or Government department terminate a large agreement on a whim, with no client ready to take up such a substantial amount of power, the facility might run at a loss.
One solution might be an agreement under which the customer pays a penalty that reflects part of the rent the owner/operator might miss out on while it re-leases the capacity, Andrea suggests.
“But I would suggest a more sensible option is that if the customer wants termination for convenience they simply pay a higher rent to start with,” he says. “It’s a lot cleaner.
“There has to be a trade-off there. Organisations can’t expect its reasonable for their landlord to invest in infrastructure but have the customer pull the plug on them at any time.”
It’s for this reason many new data centres – Adelaide’s Tier5 and Melbourne’s Metronode data centre among them – are being built in a modular fashion so as to be financially efficient for the owner/operator.
Once a tenant signs a contract, the owner/operator can buy, order and install new plant relatively quickly.
Read on to page four for considerations around legal jurisdiction and responsibilities.
Whose laws are we subject to?
As more US-based providers of data centre services enter the market, Australian organisations might also wish to check that their contracts clearly state that the agreement is subject to the laws of the actual location of the data centre.
In general, data and applications stored at a data centre are subject to the laws of that local jurisdiction. Data stored in Australia, for example, is subject to Australian copyright and privacy law.
But customers and operators could also agree for their services contract to be subject to the laws of a different place. The data centre provider may – for whatever reason – wish to have any dispute settled according to the laws of the jurisdiction where its head office is located.
Australian Government organisations, in particular, favour settling any dispute with their local service provider on home soil. There may be a reason a customer wishes to be subject to the laws of another jurisdiction, but otherwise its best to check the contract applies to more familiar territory.
Who is liable for downtime?
Another common sticking point in negotiations is whether data centre providers will agree to be liable for consequential loss arising from system downtime.
The default position for most data centre operators is to offer a contract that excludes liability, but for a select few scenarios.
The first is for server downtime or interruption, which as mentioned in Part 1 of our guide is usually only covered by a credit reimbursement regime under the SLA, depending on the duration of the outage.
The second is that the data centre operator might accept liability for causing any physical damage to a customer’s equipment.
“Beyond that – data centre operators will generally exclude liability for consequential loss – and by that I mean a business interruption loss,” Halliday notes.
“If you had a revenue-generating web site hosted on a virtualised server, the contract would most likely exclude liability for lost revenue or profit caused by a failure of that server.
“The reason why it’s done this way is simple economics. Data centre operators see themselves as offering a simple service.
"Their equation is lease, power and equipment costs versus revenues from customers. They are not growth businesses but utility services – so they have a low risk threshold. The returns are stable but low - with low returns you must have low risk.
“For a customer the risk is very high. You would suffer significant losses if your mission-critical platform goes down. It is the customer that needs to take out business interruption insurance.”
Some larger customers – particularly government departments – have sought to include liability in their contracts, but have met stiff resistance from the data centre industry.
Of the large data centre operators we spoke to for this guide, none said they would be prepared to sign a contract that made them liable for business interruption.
“The data centre should be only one component of the customer’s business continuity plan which should cater for any disruption of services,” one said on the condition of anonymity.
Andrea agrees, adding that he would worry about the viability of any data centre business that did absorb consequential loss.
“No data centre is rated to 100 percent uptime ... That’s because data centre operators know that nothing can be designed to prevent an act of God.
“[Or] you might well be in a Tier IIII data centre, but if the Australian Federal Police turns up and shuts a facility down, they shut it down. You can’t insure against that.
“If they get sued, they go out the back door. That doesn’t help anyone. None of their customers.
“As a customer you might negotiate consequential loss in, and the board thinks you’ve got this great deal. But in the meantime, you forget about the business continuity or disaster recovery plans you should have put together.
“It is important a customer takes DR into account for themselves.”
Read on to page five to find out how your data centre neighbours may affect your service.
Who are my neighbours?
Enterprise use of shared IT resources under “cloud computing” contracts has reared a new issue for the due diligence process worthy of consideration.
Having your business’ applications hosted on the same physical server or data on the same storage array as another organisation raises questions about what risk that customer might pose to you.
What if that organisation used their share of the capacity in an irresponsible way? Or worse yet, what if your neighbour on shared infrastructure was the subject of a cyber-attack that affected the performance or availability of your own applications?
Hosting your own servers under a co-location agreement, rather than subscribing to a shared ‘cloud service’, mitigates this risk to some degree.
But as an attack on hosting provider NetRegistry in late 2010 illustrated, if those servers are nonetheless connected to the same communications infrastructure, load balancer or firewall as a customer under attack, it can still impact performance.
So a customer needs to consider: would you be comfortable with hosting a transactional system within a facility that also hosts highly controversial entities? Consider:
“So again as part of your due diligence of the facility, you should be asking questions,” Halliday advises.
“What processes does the data centre operator have in place to ensure no copyright infringing activity going on in centre?
"What do they do if they find infringing activity going on? Is there any history or pattern of this conduct in the past?”
All Australian data centre providers surveyed for this study said they had no way of knowing what conduct their customers were engaged in with regards to copyright. Halliday wonders whether that position will be tenable in the future.
“In the MegaUpload case, the data centre operators were left in a limbo legal state,” he notes. “Would deleting the data in question be in contempt of court?
"But leaving it sitting there in the facility also comes at tremendous cost, that capacity could be used for other revenue generating activity. That would have to be concerning for any other customer using that facility, as again it impacts the financial viability of the facility.”
Theoretically, Halliday can see a strong market for insurance against sustained losses caused by cyber attack to help mitigate this risk.
But what rights do you as a customer have to seek information on which other organisations share the same infrastructure within a data centre?
Whether you manage to get any answers on these questions again depends on your bargaining position: i.e., how large and profitable you might be to a potential data centre supplier.
Is your IT infrastructure and spend a big enough prize to warrant the data centre provider to agree to such a demand?
Halliday believes it “all comes back to due diligence”.
“There is no substitute for looking at the operational and business history of the facility. That’s the bottom line.”
