Businesses are facing an unprecedented growth in their reliance on data. The best estimates suggest that by 2020 data production will have increased to between 40 and 50 times its 2009 level. Much of that data will be generated by individuals but they will rely on corporates to store it and there is a growing recognition that the ability to analyse and apply all forms of data can be a key competitive differentiator for businesses in many sectors.
Every business has its own requirements and priorities in relation to data storage and usage, ranging from opportunities, threats, capacity to invest, technical expertise, but most are finding that the challenges are getting greater rather than diminishing. Consumer facing businesses find that their customers are highly intolerant of slow web-based services, driving a need for high reliability and low latency. The evolution of data protection and privacy legislation around the world has increased the regulatory risks and challenges of handling data properly. The need for technical agility to meet unforeseen legal risks, such as those posed by the unexpected death of Safe Harbour arrangements, has increased the risks of individual corporate committing to their own solutions. The security issues brought to the fore by the likes of TalkTalk have taken the attention of senior management beyond what might have been perceived as a technical regulatory risk and highlighted the risks that data storage can pose to corporate survival.
As a consequence the provision of data storage and processing is becoming increasingly sophisticated and beyond the direct capabilities of many heavy data users. To meet that demand a spectrum of outsourced solutions are being deployed, ranging from simply outsourcing server management through to a complete outsource of data needs. Some of the solutions may be deployed through a public or hybrid cloud such that physical location is invisible to the service recipient. However, many solutions, including a traditional data centre deployment and private cloud implementations may offer certainty of location.
This article looks at how recent trends are influencing the choice of location for data centres and what contractual assurances customers may seek from providers to mitigate the inherent risks so that they can appropriately balance the risk with the sought after benefit.
Location Location Location
For data centre operators, choice of location must be for the long-term. Although large-scale operators may be able to balance utilisation if they operate a geographically diverse network of centres, fundamentally they aspire to each location being as highly utilised as possible.
While many customers are usually not committed to a specific location to the same extent as a party actually constructing and operating a data centre, recent developments have placed an increasing importance on customers not just focusing on “instant” output measures (such as latency and availability) when contracting for data centre services but also assurance around any kind of risk associated with non delivery. Some examples of recent considerations that are driving data centre location choices are:
- Availability of high quality telecommunications services: A remote data centre is only of use to a remote customer if it benefits from reliable communications which are not already over-loaded. Physical distance may bring with it enhanced risks of interruption of supply.
- Achieving power savings. Volume growth means that over 10% of all electricity generated globally is now used by the technology industry and accordingly the cost of power remains a highly significant component of the operational costs. Power costs can be reduced by increasing the efficiency and/or obtaining cheaper sourcing. In particular, as artificial air conditioning to keep IT equipment running well despite its own heat generation is power intensive, a climate which is dry and cold or a location close to an abundant supply of a natural coolant such as cold water can be used to increase the power use efficiency. Accordingly, there has been an increased push to use ambient environmental factors to improve the efficiency of operating the physical infrastructure of the data centre. However, better power utilisation needs to be matched with appropriately reliable service. As an example, potential locations in Greenland which may score well on passive cooling and green power sources such as geothermal equally may carry enhanced risks of latency (or even availability) of communications to its users.
- Assurance as to certainty and continuity of service. There are a number of factors that affect that certainty but in terms of location choice the wide variances across the globe in the level of investment in power generation and distribution with even certain advanced economies predicting shortages of generation capacity is very significant. A location which does not have sufficiently reliable primary power supplies will find itself operating at a significant disadvantage. Alongside long-term security of supply, short and medium-term resilience is also critical. Most data centres deploy backup power solutions (for example batteries of the short term and diesel generation the longer term) but these are designed to be short-term solutions and rarely utilised.
- Sustainability of supply. The policies and buying requirements of customers themselves drive providers to focus on greener operations at all levels of the supply chain and to find ways to minimise the effect of the associated increase in regulations and taxes on the use of traditional fuels and generation of carbon emissions. In addition to using environmental factors to increase efficiency (as explored above) companies and providers are also looking to use power generated from sustainable sources. It is worth noting that despite the impression given by some publicity material for data services, grid connections in the UK cannot provide exclusively. At best, a provider is paying for the generation of green energy that will go into the supply network for general consumption
- Data safety. The safety of the data and compliance with international data protection requirements is a particular concern for consumer facing businesses. In order to meet customer demands, providers are having to consider political influences which extend beyond questions of power assurance and pricing. For example, although the direct consequences of the recent Schrems decision in relation to Safe Harbour provisions are likely to be resolved between the relevant states, the decision serves as a warning about legal regulation and has the potential to cut established data processing operations off from their primary markets.
The nature of the contracting process means that a buyer of data centre services of any kind will retain significant risk in the non-delivery of the service. That retained risk may be as obvious as the exclusion of loss of profit claims arising from breach or characterising service credits as an exclusive remedy for failures. However, it may well be more subtle, for example it may be inflated by the time it would take to procure and utilise an alternative solution.
Individual Risk Profile
A buyer of data centre services therefore needs to understand what its own risk profile is in relation to the data services it is buying. A service which needs to prioritise low latency and real-time processing (such as e-commerce) will tend t o have a different risk profile from services which can proceed in a longer timeframe if necessary (for example some forms of inventory management and elements of payroll outsourcing). A buyer’s procurement process for data centre services should then follow that risk assessment. For example, depending upon the specific types of data, services and policy involved, the customer may wish to stipulate the level of redundancy in power supplies, and telecommunications links and mandate certain policies in relation to electronic and physical security. For both parties, choosing the right location requires a balanced risk assessment recognising that every choice will have inherent compromises and risks.
In many cases the risks a particular data centre site may face will be beyond the immediate control of the data centre operator itself but it may be able to arrange mitigations of both the risk arising and its consequences if it does. For example, there is not much which can be done about the occurrence of natural disasters but there are clear averaged assessments of historic risks of earthquakes and site visits may provide valuable clues as to the risk of flooding for a specific location. However, achieving an acceptable balance as to the appropriate level of assurances and commitments given by the provider is complex and many providers will resist commitments to even maintaining the current standards and precautions they apply. For each different project a buyer must consider how the contractual commitments of the data centre provider fit with the required risk profile:
- Is the buyer looking for full contractual compensation for particular risks? Data centre providers often regard this kind of approach as distorting their risk/reward too far and frequently the exclusions of liability they seek (for example loss of profit and loss of goodwill) are far more significant than the limit of liability itself.
- Is the buyer looking for an adequate incentive for the supplier to take adequate precautions and remedial actions in relation to its risks? If so how should this be captured as between firm contractual commitments, general compensatory damages (within any agreed limits and exclusions of liability) and contractual regimes such as service credits.
- Is the buyer effectively reliant upon the reputation of the provider? While such a view might not provide specific comfort in the context of an actual outage, a competitive marketplace ensures that providers have a strong interest in their market reputation and ultimately that may prove a strong driver towards high performance.
- Is the buyer able to rely upon any explicit assurances as to the continued development and improvement of the services? Are there any particular areas which the buyer would wish to see enhanced over the course of the term, for example security or service levels or simply price. Where the buyer is relying on improvements over a period of time is it clear whether these will be sold as “extras” or built into the base services it receives?
- What degree of control should the customer retain over the solution? As noted, outsourcing may take many forms. A customer may choose to operate its own data centre but outsource only critical elements of the service around it. The more that the solution is shared between multiple users the greater the compromise of control by each individual user will need to be.
- To what extent is the buyer committed or incentivised to use a single source? Some service strategies allow a buyer to purchase capacity efficiently in an incremental fashion
Consider your strategy
Not all outsourced solutions for data centres will allow a buyer to be specific in respect of location. However, a solution which is location specific can offer the buyer the opportunity to mitigate certain risks and achieve a degree of control. Each customer will value such mitigation and control differently, and may differentiate between service types in that evaluation. However, the effectiveness of the approach can be greatly enhanced by careful consideration of the accompanying contracting strategy.