Resilience: from a concept to a standard
The term resilience has been borrowed from science, where it describes the ability of materials to return to their original form without alteration after a shock or continuous pressure. It has also been borrowed from medicine, where it describes the ability of individuals or groups to overcome trauma. Applied to the economic world, resilience refers to the capacity of a system or organisation to absorb a shock, crisis or event that temporarily affects its functioning without halting its activity for long, so that it can return to a normal state as quickly as possible.
The ISO 22301:2019 standard (Security and resilience - Business continuity management systems) specifies the requirements to be implemented "...to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptions when they occur." (Source: ISO.org). As with security, resilience requires a cross-functional approach across all business activities. Adopting a resilience/ISO 22301 approach requires a complete analysis of the company's ecosystem: its environment, its suppliers and its internal services.
By definition, a Data Center must be resilient insofar as its mission is to ensure the optimal functioning of its users' IT infrastructures in all circumstances. Its design and equipment must therefore be chosen to fulfil that mission. But there are many other aspects to consider when assessing the level of resilience.
Data Centers: a key component of resilience and business continuity
In a digital economy, Data Centers concentrate and protect the vital needs of companies to manage and process their information flows (supply management, orders, invoicing, etc.). Because IT plays such a central role, it is now vital to ensure its continuous operation and transparency for users.
To ensure the smooth running of the IT infrastructures they host, the primary objective of Data Centers is the continuity of the power supply as well as a stable temperature in the computer rooms. Power supply and air conditioning are two of the main services governed by SLAs: an availability rate for power and a maximum temperature not to be exceeded for air conditioning. Based on the redundancy levels that provide equipment back-up, the Uptime Institute defined the Tier I to Tier IV standards (with Tier IV being the highest level), thus providing a standardised framework. Tier IV certification is the first indicator to consider when assessing whether a Data Center will be able to keep operating should it be affected by failures. The Uptime Institute goes even further with two levels of certification: "Design", validating that the Data Center meets the specifications for Tier I, II, III or IV, and "Facility", obtained after the installation has been tested.
Data Center and resilience: A global approach is mandatory when it comes to risk assessment
However, there are many other risks that can impact a Data Center. Its geographical location can expose it to natural hazards: earthquakes, floods, tidal waves, typhoons, tornadoes, etc. Some building zones near rivers or coasts can experience exceptional flooding once or twice a century. The geopolitical risk of a location in a conflict or tension zone should also be considered, as should the regulations in force in the Data Center's country. All of these exogenous risks to the Data Center must be considered and put into perspective with the business challenges before choosing the Data Center.
Finally, the quality of the Data Center operator is of considerable importance, i.e. its reliability, financial stability and shareholding. Similarly, given the sensitive nature of the data hosting business, certifications related to the requirements of the client's business should also be checked. The ISO 27001 and ISO 22301 certifications, which concern information security and business continuity respectively, ensure that the operator hosting and operating the data has a good level of resilience. Both certifications are thus a prerequisite. They may be complemented by other certifications or statuses related to the client's activity or business: PCI DSS (VISA-Mastercard payments) or defence and governmental projects.
Resilient Data Centers: Instructions for use
Data hosting has become a mature industry, having structured its services on the basis of certifications and regulations to create the necessary framework of trust for a sensitive activity. This makes it easier for clients to pre-select their provider based on their needs in relation to the service being delivered and thus better assess value for money.
To sum up, resilience in the data hosting sector is governed by the ISO 22301 standard which, combined with Tier certifications, establishes a level of service quality defined on the basis of open, measurable criteria and certified by independent bodies. These certifications ensure the level of performance of the Data Centre. For the hosting service provider, these certifications are a reflection of its maturity as far as risk management is concerned. In addition to certifications, visiting the data centre and meeting the teams will help you assess whether the hosting provider offers the level of resilience you require.
Information you need to know to choose your Data Centre
1/ Identify the Data Center service provider
Moving your data to a Data Center is a big decision that will impact your business for years to come. Take an interest in the life of the company:
- Shareholding and turnover
- Who owns the Data Center? Is the service provider the owner and/or operator of the Data Center?
- What is its strategy?
- Will you be able to easily get additional space in the same Data Center if needed?
2/ Where is your Data Center located?
The aim is to map the main risks that could affect the operation of the Data Center:
- Is there a climatic risk (heat, flooding, earthquake)?
- Is the country economically and politically stable? If possible, visit the country.
- Check the legislation and regulations in force and their impact on your activity.
3/ Check the certifications of the Data Center and of the company that manages it
A certification establishes a level of service quality and requirements. The Tier certification of the Uptime Institute (an independent American organisation) is a standard. The "tiers" range from I to IV. Data Centers certified as Tier IV are qualified as "fault tolerant" and, thanks to the redundancy of their equipment, can approach "zero fault" and thus achieve an availability of up to 100%.
Also look into certifications such as ISO 27001 and ISO 22301 (security and resilience) or business-specific certifications such as PCI DSS (for payments via Visa or Mastercard).
4/ Is your Data Center provider able to support your projects with other services?
Some IT operators offer a "one-stop-shop" model: in addition to the services dedicated to Data Centers, your provider can support you on other subjects (e.g. Cloud, Resilience or Advisory). By knowing your hosting needs, your partner can offer you a 360° view of the entire IT value chain.
5/ Meet the teams and ask to contact an existing client
Every business has its own requirements, so make sure your service provider knows your sector of activity.
Meet the teams and ask to visit the infrastructure in person. You will then be able to see for yourself which physical security measures have been implemented in the Data Center.
Assess the reputation of the Data Center operator.