Tips For Picking a Data Center Facility Part 4: Security, Add-ons, and Negotiating the Contract

Tips For Picking a Data Center Facility Part 4: Security, Add-ons, and Negotiating the Contract

Welcome back, This is part 4 and the final episode of my series on picking a data center. If you haven’t seen part 1 through 3, please check them out.

Last time we talked about cooling delivery systems, Fire Suppression systems and network. So let’s jump in and start with Security then we’ll talk about add-ons and finally, negotiating a contract.

Security

When you are picking a facility, it is important to know what your security requirements are. Do you have Top Secret information that you are working with that will need a SCIF, a Sensitive Compartmented Information Facility. You don’t have to sell weapons to fall under ITAR requirements, International Traffic in Arms Regulations, where you may need a facility that restricts access for foreign nationals. There are facilities that specialize in dealing with sensitive and high security Regulatory and compliance environments.

Regardless of whether you have more complex requirements, security is a key component of a data center facility, from both a physical and cyber security perspective. When you look at the security of a facility, the goal is really to delay and detect. Given enough time, any facility can be breached. The goal with physical security is to delay an intruder enough to detect and stop them. Facilities generally take a layered, perimeter approach.

A typical scenario could be, gates to the parking lot, barriers between the parking lot and the facility to prevent vehicular attacks, Multifactor authentication to get in the front door, Man trap and security guard to pass into the lobby. Another, point of authentication and probably a man trap to get into the data center. Another point of authentication to get into your cage, cabinet or room. Take a look at how many layers their security architecture has.

Sometimes you will get steel-lined walls to protect the facility. Doors often have specialized locking systems and zero torque handles to prevent people from forcing entry (my favorites were the Medeco locks). Doors are typically hardened and secured with multiple locking systems and alarms as well as covered by cameras.

Check out the man traps and how they allow access into the facility, There should be no tailgating (following another person in). Every Person should be required to badge in and to badge out. Typically if someone tailgates and doesn’t badge every checkpoint, their access should be turned off.

One thing to note. If you remember from the fire suppression section, Fire safety trumps everything. This means that with all the security measures you put in place, when the fire alarms go off, the doors open up. There are requirements to provide safe egress. The fire department doesn’t want to get their people killed going into a dangerous burning building to rescue tech workers, so they take this stuff very seriously. So that means that every path from the inside to the outside can be opened, this is why all the doors must be alarmed.

So much of security is about the policies and procedures. Check that the staff is checking IDs, requiring approvals to let vendors in, Validating users before responding to requests. When I was in the data center business we would have customers that would hire security firms to try to social engineer the security desk for access to the facility. They should not be susceptible to these attacks. They should also have a process to rapidly remove access if needed and a clear process and approval chain for adding access. Access should only be granted to areas of the facility that are required. They should also perform a regular access audit and remove individuals who should no longer have access.

Some facilities have armed guards, but that is less frequent, although I have seen facilities that have guards with automatic weapons on catwalks patrolling. You should see if they have staff that regularly patrols the building. Sometimes walking the facility is the best way to secure it. This is not just for security, sometimes you can smell a fan burning out before the smoke hits the detectors or before a water leak hits the sensors.

There should also be a robust camera system. They should have cameras outside the facility that cover the entire area around the facility. They should have complete coverage inside the facilities well, and make sure there is a person dedicated to monitoring the cameras. Ideally you should be able to get access to the camera feeds for your equipment as well. Check what their retention is for storing camera footage. Often times you don’t notice a breach right away and you need to go back in time to find the relevant footage. This is also true of all access logs. You should have access to any logs relevant to your equipment, and they need to store those records for a sufficient period of time.

Security can be frustrating, especially when you are used to managing your own. Security is always a balance between security and flexibility. If done right, you have a reasonable amount of flexibility without sacrificing security, but it is important to understand the rules so you don’t run into problems.

Add-Ons

Before I get into negotiating your contract, I want to talk about some add on services you will find at many facilities. Most will offer a managed hands service. This is staff that will enter your area and perform basic tasks at your direction. They are usually not highly skilled professionals, but they can power cycle devices, rack and un-rack equipment for you. Some facilities will offer different tiers of managed hands at different price points.

Check the shipping policies. Many facilities charge fees for handling shipments and storing shipments. Find out what their secured storage pricing and policies are. Most facilities have shared build rooms where you can unbox and set up gear before taking it into your area. The policies around how you use these rooms varies, so know what rules there are.

Most facilities offer access to their monitoring systems, this can include security logs and camera feeds to information about electrical and cooling systems. Some offer different levels of service, from backup services, storage services, network services to move migration services. 

Negotiating the Contract

It is good to know all of the services they offer, because many facilities will be willing to add these things in to sweeten the deal. So let’s talk about some of the things to look for when you put a contract together.

Most facilities will push you to take on longer contracts, and they will put heavier discounts on longer terms. This is almost always a bad deal. I would look at doing a three year deal with options for extensions. This way you get the best of both worlds. The reality of the business is that the longer they keep a tenant, the more money they make. For a facility, they may not break even on year one, or even year two so they always push for longer terms. For the customer, you need to keep in mind that facilities age and newer technology becomes available. Also, your business needs may change. Do you know where you will be in 5 years or what your requirements will be? Do you know what they will be in a year? 

Cost almost always go down, So when you hit the end of you term, you will be in a better place to negotiate a deal, and they will be incentivized to keep a client in the space. One thing that you often see in a contract is an escalator, where the price increases by a percentage every year. This is definitely something you can leverage to negotiate. They will often reduce this or eliminate it to get a deal done.

Think about additional services that they can throw in to sweeten your deal. Cross connects are another place where you can find some savings in a negotiation. Have a certain amount included.

Another thing to consider is negotiating an abatement. This is basically a period of time where you don’t pay rent. If you have a period of time over which you are moving into your new facility, this can help prevent you from paying for two facilities at once. I have seen abatements from one month to one year, depending on what the market is like and what the term of your lease is.

When it is a buyers market, like we are in now, they will do a lot for you. Remember that an empty facility costs them money. Leasing space even below cost can be a good option for them as it can reduce the amount of bleed, just be prepared for a bit tougher negotiation when you renew and the facility is full. New facilities that are empty can be great sources for good deals.They might talk about power rates and things like that, but power costs are a minuscule number in light of the equipment and build costs they are trying to recoup.

For smaller footprints, you will often negotiate for cabinets and circuits. For larger facilities, you will probably be negotiating for square footage and aggregate power. When buying your power in bulk, make sure you really understand what your requirements are. The facility will have to provision a certain amount for you, and whatever they provision for you is power that can’t use for someone else. They will tend to bend less on these issues during negotiation. You can look to structure a deal that grows with you over time. Also, I have seen deals where there is an underutilization refund if the power isn’t used. This is usually a small percentage of the fee however.

Make sure you consider things like non-performance in your contract. Also, seek to add in business downturn clauses. If something unfortunate happens to your business and you need to downsize, you don’t want to be stuck with a contract that is too much for you to handle.

Consider what your future state could look like. If you anticipate growing your footprint, you can look to reserve contiguous space. Typically this is done in a couple of ways. You can either pay a small monthly fee to hold the space for you, or you can negotiate for a first right of refusal where if someone expresses an interest in leasing the space you have the option to take it first.

Lastly, understand what the SLAs are. Typically the penalties for the provider are useless . You can get a refund for the cost of the power at market rates for the period of time you were down. $50 is not going to offset the cost of an outage, but make sure if there are multiple outages you can terminate your contract for non-performance. Some facilities do offer more robust SLA though, so understand what that looks like. Sometimes you will encounter facilities that have E&O policies or errors and omissions policies underwritten by insurers that will pay out more substantial amounts when the provider fails to deliver service.

Keep in mind what I said about a buyer’s market. It is better for them to sell something than to sell nothing, because everyday they are open it costs them money. Be reasonable though, the best contracts are where everyone benefits. Once you are in a facility, you are just as invested in them staying in business as they are.

If there is anything around data center you want me to do a deeper dive on, let me know in the comments. Thanks for watching, if you like what you saw, hit like, please subscribe, that really helps me out and click on the bell icon for notifications when I post new content, and I will see you in the next video.

Leadership with Shawn O'Grady - Part 1

Leadership with Shawn O'Grady - Part 1

Transformation with Miguel Torres - Part 2

Transformation with Miguel Torres - Part 2

0