Don’t think of it as a data centre, especially if the complexities of procuring information technology infrastructure and establishing an agreement that mitigates risk seems overwhelming. Do what Darren Ghan suggests, and think of it as a garage instead.
According to the general counsel at service provider CentriLogic Inc. in Toronto, there are different versions of the data-centre-as-garage scenario. You can build a garage yourself, and deal with whatever happens to it, or you can rent or lease a garage, in which case your landlord is obliged to make sure it has all the power and cooling you’d need for your van, but you’d be responsible for the van itself and whatever you carry around inside it. Alternately, you could work out a deal where you not only get the garage but the van, and someone else is responsible for changing the oil and putting things inside it, but you decide where it’s driven.
Ghan uses the garage analogy because his firm is one of those offering the various “rental” options, which in the data centre market are more commonly referred to as colocation (where the provider takes on more of the work) and managed services. He says it’s the easiest way to get across the many nuances associated with determining what data centre strategy is right for a specific customer.
“I find that in a lot of cases, clients will know they need something, but they don’t know what they need,” he says. “They won’t necessarily understand what colo or managed is. They’ll have never set foot in a data centre.”
That may change soon, however. According to Toronto-based research firm IDC Canada, the market for data centres here is already worth $4.1 billion and is poised to grow another 7.2 per cent in 2014. This is probably because more companies need computer resources to handle not only back-office internal functions but customer-facing things like web sites, mobile apps, and even web-based programs for sales, marketing, and finance functions.
Dan McMullen, business unit executive, site and facilities, with IBM Canada, works with companies across all the available business models, whether it’s helping design and operate a data centre for a large organization or helping one completely outsource its data centre operations into what’s called a “hosted” online environment, or cloud computing.
“It comes down to size and strategy,” he says. “They may not want to invest in the IT skills, so they’ll look at a colocation model. Or if they have great enough needs around security, privacy, or records management, then they’re more inclined to look at owning and designing and maintaining one.”
In-house lawyers that get involved in arrangements to build or run a stand-alone facility may need to quickly get up to speed on some fairly arcane technical issues. This includes what type of power, or computing densities, the organization requires. IT infrastructure tends to be measured in metrics of watts per square foot, McMullen explains, and as more complex functions happen in data centres, the density is on the rise. For example, old or “legacy” servers might have been designed at two to three kilowatts per “rack” (the space on which a server sits in a data centre). Modern data centres, on the other hand, may need to be designed at 20-25 kW per rack, which would require some specific provisions in utility agreements.
“It enhances computing capacity, but it also impacts the mechanical and electrical ability you need to support that,” he says.
Then there’s site selection. McMullen says organizations need to understand what attributes a physical area has had historically before they even begin to put hardware and software inside. He remembers specifically a project involving a bank in the Caribbean.
“They were building a data centre and one of the aspects they had to determine is seismic. It turned out they were going to be on the same fault line as Haiti,” he says. “We went back close to 200 years of history to determine whether or not we should build the data centre because of the seismic activity.”
Other check marks on the due diligence list include flight paths, toxic areas, railway paths, and so on. This has a bearing on what kind of resiliency a data centre needs to have, because in many cases today, when servers go down, businesses stop functioning.
For many mid-sized Canadian companies, this may not seem worth the effort or legal liability, but leasing facilities comes with its own set of dangers, says Derek McCallum, partner and member of the real estate group at Aird & Berlis LLP in Toronto. While leasing obviously allows firms to spread the costs of owning and managing a data centre out over a period of time, it is important agreements bake in enough protection if the unexpected happens.
“If the landlord is not carrying out its repair obligations, the idea of suing them may be way too lengthy,” he says as an example. “You may need a lease that says, ‘I can do it and offset it against my rent.’ You need to be able to keep the facility up 24/7.”
Besides making sure a leased facility has dual power feeds in the event of a blackout and other disaster recovery capabilities, McCallum suggests agreements be long enough that a company can plan a smooth exit strategy.
“The amount of time to do a migration from one facility to another is way beyond turning off a switch in one place and flipping on a switch elsewhere,” he says,
citing some situations that can take more than a year to complete. “With those kinds of time frames in mind, leases become long term. The issue from a tenant’s perspective is having it done with a whole series of renewals that are five-year terms.”
The colocation model — where a company houses its servers in a third-party site along with other firms’ servers — is a popular approach for mid-market companies that are realizing they don’t want the leasing hassles, says Ghan.
“The problem with this industry is once you lease a data centre and once it’s full of client hardware, it’s really hard to get out,” he says. “You can’t just move them off. You wind up experiencing downtime, and nothing turns customers off more than that.”
The downside of colocation, however, is it’s sort of like the difference between owning your home or living in a hotel.
“Everybody and their brother has stuff there,” McCallum says. “If it’s one of those hub buildings, you need to accept a certain level of risk. Otherwise there should be some exclusivity provisions in there, that your infrastructure isn’t next to a competitor’s, or that it’s a certain distance from a competitor.”
Managed services add a bit more flexibility and protection, and may be the way more risk-averse firms balance the need for increased compute power with reduced costs. An example is Toronto-based SecureKey Technologies Inc., which provides identify management software to large corporations and governments. Richard Guttman, SecureKey’s vice president and general counsel, says the company’s software-as-a-service offering was a natural candidate for a company that could provide trustworthy third-party services. In Canada, it has been using Q9 Networks, while its recent contract with a U.S. federal agency led to an agreement with Hewlett-Packard Co. In general, Guttman finds service providers able to meet requirements, but complications continue to rear their heads occasionally.
“Where we struggle is when you buy more standardized offerings (from a services provider) and then your customers then ask for things like audit rights and security and penetration testing,” he says. For the service providers, “What we do in our cages is none of their business, and they’re not in the business of giving access. You lose the ability in contractual negotiations to offer things that otherwise would seem logical.”
Also, as a relatively young company and whose software is its main asset, SecureKey tends to undergo a lot of technology change. “There have been numerous requests that have required us to go back and make some modifications with Q9, where we’ve added a number of additional services, or we’ve reduced some others and asked for some additional application-level monitoring,” he says. That’s why you need the stability of a multi-year relationship, he adds. As needs evolve, so must your contract.
The service providers are beginning to realize this, says Bik Dutta, director of product and market development in Canada at CenturyLink Technology Solutions (formerly Savvis), which will soon open a new 100,000 square feet facility in Markham, Ont. That said, customer expectations are a moving target, particularly when firms first make the move from owning their own data centre to a colocation environment, for instance.
“There’s a propensity for them to ask for as much as possible, as if it’s their own data centre,” he says. Century is trying harder to anticipate whatever requests come its way. “We’ve developed our facilities to hit 90 per cent or more of the market requirements at a given time, and features are added to the platform on a regular basis. Nonetheless, it is still meant as a 90 per cent rule.” In other words, you can always ask.
Guttman says that while the largest firms may continue to set up their own data centres, increased regulations in many industries are forcing companies to turn to third parties to assist with compliance chores.
“As these things continue to proliferate and get more complicated, and the operational requirements of meeting them become onerous, it’s a challenge to do it yourself,” he says. “The classic raised floor off-site allows your provider to meet a number of security and regulatory requirements you wouldn’t stand a chance of meeting on your own.”
As a starting point, Guttman suggests in-house lawyers try and stay away from the actual contracts and the small print until they have enough of a thorough understanding of their organization’s computing needs that they can articulate them in a two-page term sheet.
“I’ve been in situations where there were things in (a contract) that couldn’t be explained,” he says. “We’d ask a question to a service provider, they’d answer it, and we’d say, ‘That’s contrary to what your contract says,’ and they’d have to change it. Jumping into the paper is always a last resort for me.”
Relying on outside counsel isn’t necessarily the answer either, Ghan adds.
“Don’t call a service provider unless you know exactly what it is you’re talking about,” he says. “I’ve talked to clients who are quite clueless. They will hire an outside lawyer and these IT lawyers, they may be great at the line and verse of current law, but they don’t always know what they’re doing. It can make it difficult for clients.”
McCallum believes in the long term, corporate counsel may not find the data centre landscape so difficult to navigate. He says it reminds him of the early days of companies looking at solar energy panels in their offices.
“When that industry came here, the kind of leases the solar developers were asking for were completely foreign to the landlords. There were longer terms, lots of special rights,” he says. “I think here it’s probably similar. It’s not something that people can’t get their heads around.”
And if not, you can always try hiding in the garage.