Would you let an architect build your new home without checking their references?
My home is my sanctuary and I would ensure the person building it would construct a home that is safe for me to live in as well as a place I want to spend time in. In addition to their experience and professionalism, what others say about them is one of the most critical, if not the most critical, components of any decision-making process.
The same is true of a colocation environment. It is not just a “house” for your assets, but rather, a “home” for the infrastructure that enables your business. I recently underwent the process of choosing a colocation provider. I approached it with the same three vectors as I used for constructing my new home.
Show Your Experience
The first step in identifying the right workers is to have them show their experience and ensure it meets your expectations. A request for proposal (RfP) process baselines every participant and gives each one the opportunity to show their value in a standard, fair way. Include physical security concerns as well as logical ones, such as protection against threats to client data, if using their networks.
Are they a Tier III or IV datacenter (www.uptimeinstitute.com)? What are their specific redundancy infrastructures? What are their maintenance schedules? What about fire detection? Once submitted, an initial tour is a nice way to get a sense of the environment you would be working in.
Make sure you request credentials and certifications appropriate to your industry. Are they SOC 2 certified for their processes? Or is SSAE16 sufficient? Do they need to be PCI compliant?
If you are international, do they have ISO Certification? What about LEED certification for energy and environmental design? If you have regulatory needs, check for HIPAA, FISMA, and perhaps NIST.
Do They Work Professionally and Efficiently?
Have the provider show you their run books and do an operations test. Make sure to check on what happens in off hours, escalation procedures, and mitigation strategies.
Include security concerns here, as well as the hard questions like SLA agreements and penalties. They are critical to parse out early.
Prove it with References that will Validate the First Two Requirements
References can provide you with a true insight into provider behavior if you are prepared with the right questions. Make sure to ask the provider for references that are similar to you (e.g., industry and size) to ensure relevance. Be prepared with questions that highlight operational response and commitment.
Ask for examples of a tight timeline or a critical outage and how the provider responded to those scenarios; they inevitably happen. Ask for strengths and weaknesses. Ask how long they have been with the provider and whether they will continue/renew (and why), if long-term sustainability/relationship is important to you. Perhaps use LinkedIn to get references they don’t provide? Those are the most valuable!
When I chose a home builder, he was able to validate his credentials, show me client references and provide a model home tour; I felt like I was walking into a mansion. They had used space and light so well, while maintaining a cozy feel that made me want to stay.
The colocation provider did the same. By working through a Request for Proposal (RfP) process, they demonstrated standardization, including appropriate certifications. The tour validated those data points. The operational component validated their knowledge from top to bottom of the organization. The operations manager knew the same answers as did the NOC personnel.
It is comforting to know that I can escalate and that the person on the other end knows how to handle tough situations. Finally, one customer in particular spoke to me about the way the colocation provider handled issues and outliers. It provided me confidence that the colocation provider would partner with me to solve my business problems, rather than just providing me space and power.
Because I planned and knew what I wanted, I adore the house that I live in and plan to live there a long time. It is a safe place and I enjoy the space. By doing the same research and planning with my business’ colocation provider, I have also found a secure home for our assets, where I know I will be safe from threats and treated as a partner, for a long-term relationship.