Skills, biz disruption top datacenter audit unease

Data centers in Asia are subject to a variety of standards, raising concerns about operational disruption and a lack of skilled auditors with proper business understanding, industry insiders note.
Written by Vivian Yeo, Contributor

Lack of skilled professionals and disruption to business are the biggest challenges data centers in Asia face when it comes to audits, according to industry insiders.

Murali Balakrishnan, Asia-Pacific practice lead for cloud and converged infrastructure at Hewlett-Packard Technology Consulting, noted in an e-mail interview that companies in Asia are not bound by regulatory obligations to conduct compulsory audits of their data centers. However, they are affected by legal requirements such as Sarbanes-Oxley (SOX) and J-SOX, the Japanese version of SOX targeted at companies listed on Japan's stock exchanges.

Datacenter audits, Balakrishnan added, can cover a number of different areas ranging from security and disaster recovery to operations.

Steve Wallage, managing director of Broadgroup Consulting, said data centers typically encounter five different types of standards. First, there are datacenter-specific ones covering areas such as redundancy, which involves the various uptime tiers, and cooling, he said, citing the guidelines of the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) as an example.

IT- or business-focused standards are another area, he said. This is where the likes of the security standard ISO 27001, the environmental standard ISO 14001 and the quality management standard ISO 9001 come into play.

Additional vertical standards may also apply, Wallage added. For example, those in the financial services and healthcare industries are subject to SAS 70 and HIPAA (Health Insurance Portability and Accountability Act), respectively, while organizations that handle payment card data need to comply with the PCI DSS (Payment Card Industry Data Security Standard).

There are also standards relating to internal business practices or data protection requirements at the national level, he added.

Uwe Schlager, managing director at T-Systems Singapore, said the company's local business units are certified under the ISO 9001, ISO 27001, ISO 14001, ISO 20000 IT service management standard and the OHSAS 18001 occupational health and safety standard, as part of an umbrella ISO certification issued by its global office. T-Systems manages 91 data centers worldwide, including seven in Asia.

Audit frequency varies
HP's Balakrishnan pointed out that datacenter audits for compliance or to align with industry standards "foster vigilance and enforce a strong culture of safety, security, protection and risk management within the organization".

At the same time, an audit is an "intensive exercise" as it entails "deep technical knowledge and probing using a combination of tools, observations and inspections", he explained.

He added that organizations ought to differentiate between, and balance, major and minor audits. The former, which usually takes place every two to three years, is aimed at achieving or renewing certifications or at complying with regulations, while minor audits cover "business-as-usual operations" and are carried out once or twice a year, depending on how critical the operations are.

Balakrishnan said: "In general, many organizations, especially the ones in critical industries or under close public or market scrutiny, cannot afford not to carry a yearly audit with a datacenter audit usually subsumed under the annual IT audit."

In addition, he noted that there are pros and cons associated with both self- and third-party audits, where external resources are tapped especially by cloud and outsourcing providers, as well as organizations seeking competitive differentiation or to demonstrate corporate social responsibility through the achievement of LEED (Leadership in Energy and Environmental Design) green building certification.

A spokesperson from the Asia Data Centre Alliance (ADCA) said in an e-mail that its members conduct annual internal as well as third-party audits for certification purposes. The ADCA is a group of datacenter service providers catering to customers in the region.

According to its Web site, the alliance's members meet Uptime Institute Tier III standards and above, and also use ISO 27001, ISO 9001 and ISO 20000 as references for their facilities.

The spokesperson added that companies that do not undergo certification may perform third-party audits every other year.

T-Systems' Schlager explained that each ISO certification lasts three years, but an annual "surveillance audit" is required. The company uses both internal and third-party audits for all its clients.

Skills, disruption make audits tricky
According to Wallage of Broadgroup Consulting, audits are not easy exercises and there are a number of reasons why this is so. Chiefly, data centers run 24-7 and audits may impact their operations.

Balakrishnan concurred: "Datacenter audits can be intrusive, meaning, inspection and examination can be in-depth and penetrating, especially where tools are deployed.

"So one question an organization has to ask is: how much disruption or intrusion can you allow for without impacting operations?"

Another area of concern is skills, he noted. "Depending on the type of audit, the required technical skillsets coupled with audit skill sets may be scarce," explained Balakrishnan.

The ADCA spokesperson also cited subject-matter and industry knowledge as a challenge. The auditor needs to be perceptive about and understand the business in order to formulate an effective assessment, he said.

Another area to note is the amount of information a datacenter operator can or is willing to share, without compromising confidentiality of information, he added. On the other hand, he noted, self-audits can lead to a biased or distorted view.

Wallage also pointed to a "disconnect" between IT and facilities management as datacenter managers may not be aware of all the applications running in the data centers.

Technical challenges also abound, said Wallage. For example, when measuring PUE (power usage effectiveness), it is often claimed that results for the same facility can vary by 25 percent depending on the time of day. Floor space utilization may also affect PUE, he said, noting that some data centers currently do not measure PUE until 70 percent occupancy is reached because, otherwise, the reading will be higher.