The term outsourcing generally carries the connotation of a more efficient business practice that cuts costs through division of labor. A company outsources—at least theoretically—to transfer work unrelated to its main business to contractors that specialize in those tasks. Thus, if your company manufactures widgets, you might consider outsourcing your payroll duties to a company that knows the ins and outs of tax law, accounting and so forth. Outsourcing of the company’s data center needs is no different, but doing carries a number of risks: some are common to outsourcing in general, and some are peculiar to data center outsourcing specifically.
The Temptations of Outsourcing
Unless your company’s main business is IT related, you may well be tempted to consider outsourcing your data center services. Dealing with just a single desktop computer can be extremely frustrating, and troubleshooting the problems can be downright infuriating. But what about an entire room full of computers and other equipment? Then there’s the trouble of carving out adequate building space for the data center, maintaining adequate security, hiring a staff to manage it, plan for expansions, keep pace with government regulations and so on. And who can pass up the promised cost savings? Why not just let someone else handle the blue screens and other hassles of IT so that you can focus on your company’s main business and its customers?
The outsourcing options for data center services are almost as numerous as the ostensible benefits. Myriad service providers are ready to help you as far as you want to go: they’ll offer you anything from simple data storage plans and other individual services all the way to a complete transition to the (public) cloud. And by outsourcing, you’d be joining a crowd of others; according to DatacenterDynamics, the Data Center Industry Census 2011 indicates that worldwide investment in outsourcing is forecast to reach $8 billion in 2012.
But the picture is not all rosy, as you probably guessed. Data center outsourcing is a legitimate option for many companies, and it can be done successfully if carefully planned. Rushing headlong into sending all your IT resources into the cloud, with no thought for the potential pitfalls and hidden expenses, can be nigh on disastrous. Costs can quickly mount and thereby make the traditional in-house data center approach look much more appealing than it might have originally.
Should you outsource? That depends on a number of factors, including your business’s IT needs, applicable regulations, budget and so on. But if you are considering looking beyond your company for IT services, first consider the following risks and pitfalls that could hamper your transition. These warnings may dissuade you from outsourcing, or they may simply help you outsource more successfully—the choice is yours!
Areas of Risk for Data Center Outsourcing
Security. This is a perennial concern of data center outsourcing. By allowing an outside party to provide your IT services, you are letting another group of individuals into the loop of your data and computer activities. Although many service providers are scrupulous about securing their facilities—both physical and virtual—the risks still are present and, in some cases, are compounded. Data center service providers must provide all the usual security measures: physical site security, malware protection, data encryption, authenticated access and employee background checks, to name a few. But other security risks may be peculiar to these providers. For example, colocation providers may allow customers access to the data center—meaning that unless special precautions (such as cages or locked cabinets) are taken, your competitors (or worse) could see or access your equipment, compromising your data security. Furthermore, just the fact that more people have access to your data (your employees plus the service provider’s employees) automatically increases the risk of a data leak or other breach.
Cloud computing in particular is plagued with concerns about security. A remote service provider, in this case, could be storing and processing your data, in addition to transferring it back and forth over public data infrastructure. Although security measures may be in place (VPNs, encryption and various other countermeasures against known avenues of attack), the opportunities for an enterprising hacker to gain access to your data are rife. Virtualization also poses some risks, with applications from potentially numerous different customers all operating on the same server. Although logical barriers may be in place, it’s easy enough to reach the conclusion that those barriers are not as strong as physical barriers—particularly if a motivated hacker or other malicious party wishes to cause you harm.
Although security is not the only risk of data center outsourcing, it is probably the foremost concern. Security violations can cost your company not only financial damage, but it can also harm your reputation and bring unwanted attention from government regulators.
Compliance. Speaking of government regulators, are you aware of all your legal responsibilities in the United States Code (all 200,000 or so pages of it—to say nothing of the code of regulations)? Probably not—but you may be aware of some of those responsibilities, as well as how complex they can be in many cases. But can you expect your service provider to know all your responsibilities as well, and to meet them with regard to your IT resources? This may, understandably, be a stretch.
You’re unlikely to get much sympathy from a government regulator if your data security measures (i.e., those of your service provider) don’t meet certain standards, regardless of whether you actually had anything directly to do with it. When your IT services are kept in house, you generally can have a fairly good idea of your level of compliance with regulations, but when you outsource, you’re trusting another company to also maintain that level—at a minimum. And if your company is in the financial services sector, you’ll be facing many more (and often much tougher) regulations to boot.
If your service provider serves a number of customers in different industries, it is unlikely to be aware of regulations specific to your business. If you are audited by a regulator, then you may face stiff penalties for your provider’s lack of compliance. But that’s not the worst part. If your data is housed in a server or storage device along with that of someone else, then you may suffer if that someone else violates some law or regulation. On at least one occasion, a federal agency raid of a hosting provider led to confiscation of equipment shared by several customers—meaning that not only was the alleged violator’s assets seized, but so were those of companies who had absolutely nothing to do with the situation (other than their proximity in a data center). In the wake of such debacles, federal agencies may wise up to the implications of virtualization and amend their enforcement approaches to protect innocent parties—but you shouldn’t count on it.
Accountability and service. One inherent and virtually unavoidable problem with outsourcing is that you’re working with a provider that is serving more than one master, metaphorically speaking. (That is, unless you are the provider’s sole customer.) As a result, the provider must split its attention among a number of companies and individuals, meaning you may not always get the kind of priority response that you would get in house. The farther removed you are from your company, the less interest you will receive in your company’s success—this is an unfortunate reality (with a few exceptions). Thus, the value you receive from outsourcing may not be what you expect, as the service level is likely to fall short of what you would receive from your own staff. (This is not always true, but you can check with other customers of your candidate provider to find out what you can expect.)
Another way of looking at this situation is that the service provider is simply not as accountable to you as, say, an in-house IT department. Gaining a certain level of accountability with a provider can require complicated legal documentation (is there any other kind?), and disputes can be expensive to resolve.
Disaster recovery. This is another area where necessary legal documentation and various allegiances can lead to trouble when you’re outsourcing. If the service provider suffers some disaster—even if it’s not the provider’s fault—then recovery may require attention to numerous customers. Your priority on that list will depend on a number of factors, depending on how the provider operates, existing agreements and so on. Perhaps the worst part is that if a disaster occurs, there may be little for you to do other than wait, and that can be a frustrating position.
Disasters, of course, can occur to anyone. By outsourcing, you’re not necessarily placing your IT resources in any better or worse a situation compared to the in-house route, although if you’re in an earthquake-prone area, for instance, outsourcing to a different geographical location makes some sense. The main concern is how your service provider handles a disaster, and its response could fall short of your expectations. This is simply another consequence of trusting matters to another party.
Availability. You need your IT resources when you need them, and that could be anytime day or night. But what happens when your service provider has scheduled maintenance that will affect your ability to access certain data or services? What about unplanned outages? Certainly, even an in-house data center requires downtime for maintenance and the (hopefully occasional) unplanned event, but when you outsource, you’re trusting someone else with your service availability. To be fair, service providers should be highly motivated to keep service available, but what if you fall in with a lousy provider? Switching providers can be expensive and time-consuming, but poor service can also cost you.
Adding more links to the chain. The “weakest link” metaphor is useful when considering the risks of data center outsourcing. Your business relies on your data center services to meet both internal needs and the needs of customers. When your data center is kept in house, the “chain” that connects you to required resources is generally shorter. When you involve outside companies to provide services, you’re adding more links to that chain; the problem, of course, is that more links mean a greater chance of a failure somewhere along the line. A prime example is employee loyalty. By outsourcing your data center or some portion thereof, you are bringing a number of additional individuals into the mix—and that means more security risks. The same metaphor can apply to a number of other areas.
Both approaches to data centers—in house and outsourced—have their benefits and drawbacks. The above risks outline some of the biggest areas of risk for companies that outsource. Needless to say, budget is also a critical concern. Although you may have heard that, for example, cloud computing can save you lots of money, don’t believe it until you’ve investigated the cloud in light of your particular business and IT needs. The risks of the cloud, or any other outsourcing approach, may save you money, but they may also end up costing more than the in-house approach. Unexpected costs owing to security breaches, lack of availability, inadequate disaster recovery and failed audits can easily blow away any savings from relying on service providers. Again, this is not to say that you should avoid outsourcing—by all means, consider it as an option. Just do so mindful of the risks, particularly as they relate to your specific industry and requirements.