Seven Criteria for Sourcing Colocation, By Manon Buettner and Joanne Peterson

Cloud computing as a business concept is off and running, with Amazon Web Services projected to grow to $3.8 Billion in 2013 (ZD Net, January 7, 2013). Many mid- and large-enterprise companies, however, are facing the prospect of outsourcing their infrastructure to a colocation facility for the first time. The economic climate, together with trends toward outsourcing and an abundant supply of retail and wholesale data center space, is forcing in-house data center operators to present colocation options.

Data centers come in all shapes and sizes. The market is saturated with carriers, hosting providers and REITs all competing for retail colocation clients. How can you evaluate what is most important in your data center search?

The seven overarching areas to consider when evaluating a colocation provider are:

  • Corporate Profile
  • Geographic Location
    • Environmental threats to the facility and its surrounding area
  • Physical Structure
  • Security, Compliance and Regulatory Controls
    • Access Controls
  • Critical Systems
    • Core, Critical and Conditioned Power
    • Environmental Controls
    • Air Handling, Heat Rejection and Water
  • Network Connectivity and On-Net Providers
  • Service & Support Portfolio
    • Staffing
    • Breadth of Services
    • SLAs

Let’s start with the provider’s company profile. You will want to have a good understanding of their financials and footprint. What is their growth trajectory? How are they investing in the business? Is it publicly held or venture backed? In addition, does the portfolio include multiple data centers? Do they have a regional, national or global footprint? Do they offer raised floor, modular data centers or private suites? To what degree have they invested in infrastructure, personnel and support? How do they rate themselves against the four Uptime Institute Design tiers? In this time of rampant M&A activity, how dedicated are they to customer service, transparency and responsiveness?

As we look to the actual data center structure, it’s important to understand the physical elements that should matter to a client. What is the history of the proposed facility? What surrounds it? A frequent but less obvious inquiry is the facility’s distance to a major airport. Another item to consider is the shipping and receiving logistics, i.e. how easily can a large moving truck back in and unload? Can the freight elevator and shipping bay support the height, weight, and dimensions of the incoming racks? Is there secure storage for the client’s gear and how long can it be stored? How are shipments tracked and confirmations sent? These “gotchas” are often overlooked and can cause major frustration after the fact. Definitely figure these caveats into the big picture.

Companies will be evaluating data centers as production or disaster recovery sites. As such, they should understand the natural environmental threats in the region, such as earthquakes, tornadoes, hurricanes, blizzards/hail storms and flooding. You’ll need to know if the facility is located in a flood plain, a flight path or a seismic fault zone. Buildings may be built to Zone 3 standards in Zone 3 seismic regions; however, it’s comforting to know the provider follows the more aggressive Zone 4 standards for internal bracing of their infrastructure and client racks. Data center providers can say funny things when pressed. I actually had one tell a client, “Tornadoes don’t happen on our side of the river!”

What degree of physical security is offered? These elements include a fenced defensible perimeter, traffic bollards or car traps, guard-controlled gated entry, 24×7 on-site guard, and digital surveillance (CCTV). Other procedural security elements to check for are customer-defined access lists, visitor tracking, biometric screening, mantraps and locking cabinets/cages.

Regulatory compliance is of growing concern, especially if your company’s customer-facing contracts call out Service Level Agreements around uptime/availability, or if they must adhere to government-mandated regulatory constraints. Depending on your industry, inquire about HIPAA (Healthcare), PCI (Payment Card Industry), and FISMA (Federal) compliance in order to match them to a provider holding these certifications.

With the SSAE 16 (Statements on Standards for Attestation Engagements No. 16) standard effectively replacing the familiar SAS 70 (Statement on Auditing Standards No. 70) in 2011, providers have replaced SAS 70 Type I & II Audits with SSAE 16 SOC 1 Type I & II. Whereas Service Organization Control (SOC) 1 is purely focused on internal control over financial reporting (ICFR), SOC 2 and 3 are specifically designed for many of today’s cloud computing, Software as a Service (SaaS), and technology-related service organizations to offer a standard benchmark by which two data center audits can be compared against the same set of criteria. These new audits are comprised of any number of the five (5) Trust Services Principles, which are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Recognize providers who have sought SOC 2 and 3 audits as those who are ahead of the curve in welcoming a more comparative and meaningful analysis.

Let’s talk about “critical systems”: the power, cooling and fire suppression infrastructure and the associated monitoring software. These are the most telling measure of uptime, yet the least understood.

Power is king in a data center environment. How much power is available and how it’s handled could be the key to winning a company’s business for that particular data center. The frequency and types of testing are popular questions to put to data center managers. Often this work is contracted to third parties.

Power breaks down into 3 main components: (i) core power, (ii) critical power and (iii) uninterruptible conditioned power.

Core power is simply the total capacity available at the data center. This is the total number of megawatts (MW) the facility has available. Inquire about the substation(s) that feed the building. Sometimes the substation is on-site, but typically the utility company brings in redundant high-voltage feeds from diverse, nearby substations. One feed is primary, and a manual cutover to the redundant feed is required in an emergency. Ideally the feeds will come from different power grids, but usually they do not.

Critical Power is really about back-up power. How is the facility designed to fail over from utility power to batteries to generators? For this area of consideration, calculate whether sufficient generator power exists to support the potential load, and for how long. A more populated data center will burn through more fuel than a new one with high vacancy. How many gallons of diesel fuel are stored on-site, and how long will that fuel last at full load? Don’t take “N+1” at face value. Dig in and do the math.

Uninterruptible Conditioned Power often refers to Uninterruptible Power Supply, or “UPS” power. This is the bank of batteries responsible for cleaning and conditioning the utility power before it is delivered to customer racks. Customers should ask about the number of megawatts available on the current UPS and the total number of UPS units available at the site, and ensure there are at least two redundant sources (A & B). Otherwise, so-called redundant power strips to your rack would both rely on the same source. How long will the batteries sustain the load until the generators fire up and sync? How often are the batteries replaced and to what extent are they monitored? The customer needs assurance that any single source failure will not impact both of their power circuits simultaneously.

Air handling is often defined by the capacity of CRAH units (kW or tons per unit) on site. Does the data center have a raised floor and a high-efficiency chilled water system? How is heat rejected? How many compressors/chillers does the facility have? What is the capacity (in tons) of the chilled water plant? Are there diverse water mains? How many gallons of water are stored on-site?

Environmental controls refer to the facility’s fire detection and suppression, leak detection and grounding systems. Most facilities use a VESDA (Very Early Smoke Detection Apparatus) to alert them to microscopic particles of combustible materials – a precursor to fire. Additionally, it’s typical to see a dual, pre-action dry-pipe system, where water is held back from the sprinkler heads until such time as the heat of a fire melts the sensors and a localized sprinkler goes off. Monitoring of these system dashboards should ideally be done on- and off-site for redundancy.

A great data center cost per rack isn’t great unless it includes all of the necessary specifications, such as a reasonable price per Mbps for network connectivity. Which carriers are on-net in the data center? Does the data center offer a blended carrier IP service? Is the facility carrier-neutral? What are the cross-connect options and fees? Is there an on-site meet-me room? Is there fiber diversity into the facility? Is there private data transport between data centers? Are wireless services available? You’ll want to understand these things in order to make the best overall choice. Don’t forget to think through all of the WAN and connectivity requirements in advance!

Last but not least is the consideration of available support services. Does the data center offer ad hoc troubleshooting? Contracted managed services such as hardware/OS, Database, Application, Security, Storage, and Tape Backup? Is there a 24×7 on-site operations staff? How do they bill for Remote Hands? With little exception, data centers offer “Tier 1” remote hands, which is anything shy of taking a screwdriver to a box (i.e. rack and stack, eyes and ears). Tier 2 will perform break/fix and troubleshooting, and Tier 3s are the specialists. Different fees may apply depending on which Tier is required. Remember… You don’t need them, until you need them. So all else being equal, wouldn’t you rather choose a provider staffed with Tier 2 and 3 specialists in case of an emergency?

A deal isn’t always a deal, a fact that often comes glaringly to light only after the contract is signed. A customer may have negotiated an awesome price per rack, but there are only two or three network providers to choose from at an outlandish cost per Mbps. Maybe the provider’s freight elevator can’t accommodate the rack height/weight. What if their remote hands graveyard staff is a single level 1 guy?

Knowledge and understanding of these key areas will enable you to make a sound decision. Spend time before you start to conduct a thorough needs assessment and requirements definition. I assure you the time spent up front to agree on the most specific business, technical and cultural requirements will save everyone countless cycles. Not only will you narrow your discussions to only those data center operators who truly meet your needs, but your short list of providers will swiftly return a more valuable proposal.


About the Authors

Manon Buettner, Principal, Nuvalo LLC

Manon is a contributing writer for a number of industry-focused publications and is a popular featured speaker at data center and network trade events. She is the founding co-chair of Cloud Girls, a vendor-neutral community of female technology advocates focused on cloud education.


Jo Peterson, Director, NextGen Products, TeleProviders, Inc.

Jo Peterson is an experienced technologist in the areas of cloud computing, virtual DC, and related solutions. Jo has spent most of her career in communications for the U.S. Air Force and carriers such as MCI, Qwest and XO. Jo holds an MBA in E-business, is a founding member of the Cloud Girls council and former board member of the Association for Women in Technology. Jo is a contributing writer for industry publications and frequent guest speaker.