New Practice Standards for Data Center Professionals James I. Nelson, MS, MBCP, CDCP, CORP Chairman of the Board, ICOR (ICOR) PO Box 1171 Lombard, IL 60148 USA jnelson@theicor.org This whitepaper covers the following topics: The Importance of Data Centers Risk Factors The absence of standards The need for data center certifications Resilient data center facilities and management The Importance of Data Centers A business is driven by corporate goals. These goals are put to work using divisions who execute processes. These processes need to be supported by IT systems and services all supported by the IT infrastructure. However, it is important to remember that this entire infrastructure relies on a proper facility layer. It is very important for business to make sure that each of these factors are properly managed and monitored. However, companies spent a lot of money and time on the infrastructure layer but tend to forget the importance of the facilities. This can lead to disastrous results. Having high performance IT resources on hand is essential if business processes are to work to achieve corporate goals Corporate goals / processes Organization Division A Division B... Infrastructure Facilities Business processes Services Site/Room Print Service R&D Procurement Mail Service Production Sales... Network Service R3 System Service Hubs Routers NT Sys tems SAP ORACLE Switches UNIX Appli Network Systems Systems Main frames cations CAD/CAM Electrical Environment Fire Suppression Other related facilities equipment PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 1 of 14
Downtime and Its Consequences Ebay USA: System breakdown created lost of Stock Exchange value of $300M Singapore Stock Exchange: 2 days out of order due to IT downtime (March 2001). Losses of $150 M. Investment Bank Data Center outage. Losses Exceeding $500 M Telco in Malaysia: GSM Network down for hours causing lost revenue and upset customers. These are just a few examples of where things went horribly wrong. If the infrastructure goes down and if the facility is not built to support the technology, businesses will experience heavy losses. Even telcos can go down as they rely heavily on network equipment. That facility related problems can have a big impact can be seen from these few random examples. Facility related problems can have a major impact on the company in terms of lost revenue and customer dissatisfaction. META group has done research in the various industries to understand the potential losses as a result of downtime. The numbers might be different from your company, but regardless of what the real number is, the numbers are big and a lot of money is being burned when IT is down. The Mission Critical Site is the foundation of every ICT Infrastructure and therefore business failing to address this could lead to serious losses. If the mission critical site doesn t have a reliable network or the cooling doesn t work, then you will have a serious problem and negative impact to the core business processes. PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 2 of 14
The Complexity of Mission Critical Sites The mission critical site is very complex. There is incoming power from the national grid, raised floors, and fire suppression. All of the elements shown here have to be done and done correctly. Your network must be reliable if your cooling doesn t work, then you will have serious problems. The problem is that we need to have a well balanced data center in which all important factors are considered. Over investment or under investment in any of these areas could lead to lost money. Over investment is a waste of money and under investment could lead to downtime. PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 3 of 14
Risk Factors for Data Centers There are many risk factors for data centers that come from both a natural and human origin. You have to take care to mitigate what you can in terms of risk. Sometimes there are risks like earthquakes that you cannot do much about, but you need to mitigate what risks you can to ensure that your data center is as protected as possible. In ensuring hi availability we also need to take care of the external factors. Natural Origin Human Origin Main Causes of Downtime *Fire *Heat *Cold *Water Flooding *Lightning *Earthquake Air Pollution and Contamination Electro Magnetic Fields Power Failure Virus *Unexpected Catastrophic events, normally impossible to predict. Equipment Failure Vandalism Unintentional Human Errors Sabotage Terrorism Network saturation Hackers Data Network Origin Resilient DataCenter Facilities The main causes of downtime are human error and hardware / system failure. The errors we make are usually not intentional, but even small mistakes can lead to big disasters, Proper processes need to be in place and they care needs to be taken that they are done the way are supposed to be done so that the data center is not compromised. Hardware and system failure plays also a big part and most of the time these hardware failures occur due to the data center being wrongly designed, maintained or managed. Hardware or system failure can also often be caused by uneven cooling or power quality issues. Causes of downtime and data loss (Source: ZDNet by ADIC) Resilient DataCenter Facilities PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 4 of 14
The Absence of Data Center Standards There is good news and bad news the bad news is that there are no world wide standards in the industry. The good news is there are best practices or semi standards. The TIA 942 is a reasonable or semi standard. It contains proper information from a telecom perspective, raised floor, echoing, and technical infrastructure. It also provides good vendor independent information. In addition, it contains the definitions of tier levels in the appendix. It is not a world wide standard but it is a good standard. More and more people are looking at it. SS507 is a Singapore BC/DR standard a certifiable standard. Service providers offering data center recovery services to the market can use this standard to show how the data center should look. It is a good standard a framework standard or high level standard. It is not a tier standard you are either compliant or not compliant. It is also only a Singapore standard but will be released soon as an international guideline. It is possible to do certification on it, but not as a ISO body. Uptime Institute provides good information on trends and technology, such as how to cool your data center, on contaminations, etc. Vendor specific standards are not really standards. Their purpose is usually to sell more products. They write whitepapers directly linked to what they sell. What is the problem and how to fix it buy their product. Take them with a grain of salt. They bank on the fact that IT personnel usually have very little understanding on facilities and what data centers need to operate effectively. ISO 20000 is an IT Service Management Standard. It is actually an ISO / IEC based on ITIL. They formalized it and added processes to certify. You will get a certificate on the wall to show you are running your IT services correctly. Good standard on how to run operations best practice framework on how to run IT Services. There are plenty of standards for sub components. There are general electrical standards that apply to electrical systems for example but not specifically for a data center. For example, ground resistance = 25 ohm is a general electrical standard, but for data centers should be 1.0 or a maximum of 5.0 ohm. No one has taken the time to put all these standards into a form for data centers. Also, the standards differ from country to country. Use the standards listed here as leverage. Standards do exist for sub components Electrical: UNE EN 50160, UNE EN 61000 3 2, UNE EN 61000 3 3, UNE EN 55011, UNE EN 55014, IEC 61558, IEC 61643 1, EN 60730 2 7, Etc. Earthing: MIE REBT 039, EN 50310 EMF: EN61000 4 8, EN55022, EN 55011, TEMPEST: MIL STD 220AIB Environmental: IEC 61340 5 1, IEC 61340 5 1, ESD S20.20 1999, UI, ASHRAE Raised Floors: BS/EN 12825, UK PSA PF2 Airpurity: UNE EN ISO 14644 Networks: ISO 11801, EN 50173, TIA 568A Fire Protection: NFPA75, UI PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 5 of 14
International versus National Standards Most international standards are compiled with general norms and guidelines they are generalized so go with your own country s guidelines. They are more specific. There may be slight differences. It is important to understand international norms, but take it as guidance and use your local regulations. Local standards always overrule international standards. Most national standards are derived from International standards National standards, code of practice, guidelines, etc., always overrule International standards, code of practice and guidelines Always check the local standards and ensure compliance The Need for Data Center Certifications What Do These Jobs Have in Common? They Need to be Certified Professionals If you start a butcher shop you need to be licensed or certified. In most countries/states you need to even have a license/certificate to become a hairdresser. The purpose of licensing or certifying professionals is to guarantee quality of the service delivered. The real point here is that the data center is vital to the success of the organization yet there are no standards for data centers. Also, there is a need to certify or guarantee those people who are running our data centers. Even our secretaries running the office are often certified by Microsoft. It is vital to the industry that we begin to ensure that those people running our mission critical facilities are certified professionals. What certification do you ask him for when you let him run your mission critical data center? Up until now, if you want someone to run your data center there has been no way to ask someone for his qualification other than some work experience which does not always prove the right background for the job. PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 6 of 14
Vendor Certifications versus Non Profit Certifications The question is often raised as to whom to go to for education and training in different industries. Vendors who sell products and services such as software or consulting will often offer education and training at a reduced cost sometimes even for free. They often write whitepapers directly linked to what they sell. The whitepapers usually address a problem and then provide as a solution the products or services the vendor sells. So, be aware that their purpose for doing so is to get in the door in order to sell product. Also our suppliers and vendors are not always helping us as they tend to advise us on what is good for them. The good old consultants or training providers who are at the same time selling data center hardware will tell you a different story than a credentialing organization. Another thing to consider when evaluating training offered by vendors is that the training provided is usually related to how to use their products. The best practice or standard will be designed around how to use their products. They bank on the fact that personnel have very little understanding of the industry and that by purchasing the product they will be able to do their job effectively. In addition, the training is often offered by the vendor s sales and marketing personnel not certified trainers. Alternately, non profit education and credentialing organizations do not sell products or services. They provide education and training based upon international standards developed by the industry. Their education and training programs are developed with the purpose of teaching a specialized field of knowledge in order to improve the performance of individuals in their workplace. Only certified trainers and professional instructors with a wide variety of industry experience are used by nonprofit education and training organizations. They are vendor neutral and do not sell products or services to the students. Their sole purpose is to provide the education and training necessary for learning the course objectives and increasing the knowledge of the students. Non profit credentialing organizations also drive standards and certify individuals ensuring employers that their employees or potential employees are qualified to do the job they have been certified to do. Employers who invest in education and training for their employees should look to the vendor neutral non profit credentialing organizations so that their employees learn from internationally recognized standards taught by internationally recognized and credentialed instructors. PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 7 of 14
New Data Center Certifications With few exceptions, enterprises today rely on IT for the delivery of business critical services often directly to the end consumer. It is therefore vital that the mission critical data center is designed, maintained, and operated with hi availability and efficiency in mind. The fact is, however, that most data centers do not meet the full availability, capacity, safety or efficiency requirements often demanded. The ever changing technologies put even more pressure on data center managers along with the ever faster pace at which these changes are required. On top of that, there are a vast number of companies where the data center is a shared responsibility between IT and facilities divisions each having their own values and standards to which they believe a mission critical site should be designed, maintained and operated. (ICOR) in partnership with EPI, a British origin company, have developed a series of data center courses. The intent of these courses is to certify existing data center professionals. Each course also provides valuable training for professionals working in and around the data center such as facility managers and business continuity managers, but the primary purpose of the courses are to certify existing professionals rather than training new professionals on how to manage a data center. ICOR is a non profit internationally recognized education and credentialing organization. The mission of ICOR is to provide training and professional development for professionals in the disciplines that support a resilient organization. Data center, facility, and business continuity professionals align with this mission as they support the critical infrastructure of organizations both on the IT side as well as the facility side. EPI is the sole auditor for data center facilities under the SS507 standard in Singapore. The course developer, Edward van Leent, is also a certified lead auditor and lead consultant for BS15000/ISO IEC20000, a world wide standard for IT Service Management. The foundation for each course is based on various international norms such as IEC, UN, UL, and ISO. Each course contains elements from standards such as SS507, TIA 942, TIA 606, NFPA75, 2001, ISO/IEC 20000, ITIL, IEC 61000, SS507, ISO24762 and many others. Each course is also enhanced with best practices and experience of veterans in the industry with international experience. Some companies have made these certifications compulsory for the career path of IT personnel involved with data center activities. Over 1,000 CDCP certified professionals world wide as of mid 2007. This is a brief listing of those who have sent their employees for this training: IBM, HP, SingTel, Barclays, Time, Symantec, and more. It is the ONLY world wide recognized data center training curriculum for facilities personnel. PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 8 of 14
Certified Data Center Professional (CDCP) Synopsis / Course Description: Join the elite group of Certified Data Center Professionals! The Certified Data Center Professional course is designed to expose IT, Facilities, or Data Center Operations professionals working in and around the Data Center to the key components of the Data Center. Business Continuity professionals will also benefit from understanding the essential elements of a high available, fully available, and efficient Data Center, how to audit the Data Center, and will learn valuable lessons on how to enable a high available, flexible, safe, and efficient mission critical Data Center environment for both new and existing sites. Learn how to set up and improve key aspects such as power, cooling, security, cabling, safety, and more to ensure a high available Data Center and avoid costly downtime. Gain excellent practical experience and insights in what works and what doesn t work when it comes to setting up, maintaining, and running mission critical sites such as the Data Center. The CDCP course will teach you how to run a more efficient Data Center keeping you current on standards and ever changing technologies. It is a two day course designed to expose participants to the key components of the Data Center. It addresses how to setup and improve key aspects such as power, cooling, security, cabling, safety etc. to ensure a hi available Data Center. It also addresses key operations and maintenance aspects. The course concludes on Day 2 with a certification exam. Attendees who pass the exam will receive the official Certified Data Center Professional certificate accredited by ICOR and in addition earn 1.4 CEU credits for ICOR. Day 1 Covers the Following Topics: The Data Center, its Importance & Causes for Downtime Data Center Standards and Best Practices Building Construction Raised Floor/Suspended Ceiling Power Infrastructure Electro Magnetic Fields Day 2 Covers the Following Topics: Cooling Infrastructure Light Standards Designing a Scalable Network Infrastructure Fire Suppression Data Center Monitoring Operational Security and Safety Practices Labeling Documentation Cleaning MTBF/MTTR Maintenance Contracts/OLA IT Service Management based on ITIL/BS15000/ISO/ICE 20000 EXAM: Certified Data Center Professional PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 9 of 14
Certified Data Center Specialist (CDCS) The CDCS is a 3 day course following the CDCP participants must hold a CDCP certification to take this course. CDCS is a pre requisite for persons wishing to achieve the CDCEstatus. The focus for the CDCS course is on specializing, building on what was learned in the CDCP course ensuring participants understand suppliers and vendors and how to verify offers for correctness, effectiveness and efficiency. The primary audience for the CDCS course is an IT, Facilities or Data Center Operations professional working in and around the data center and having responsibility to achieve and improve hi availability and manageability of the data center. After completion of the course you will be able to: Understand the design life cycle of data centers and the stages involved Discuss in great level of detail requirements with vendors, suppliers and contractors and ensure that they do the right thing for the customers business and not what is right for the vendor Verify on the technical level design plans, quotes and offers proposed by vendors/contractors Understand Tier levels for both the data center design/setup as well as maintenance tier levels Understand the various building considerations such as bullet proofing, mitigation of seismic activity, fire ratings and thermal stability Understand how to build up a raised floor and making sure it is done properly to avoid misalignment, level differences and leakage Understand how to read Single Line Electrical Diagram and taking out the most common design issues made. Choose the right UPS and parallel configuration and learn how to make sure that classic mistakes when installing parallel systems can be avoided Understand how to calculate battery banks enabling you to double check offered configurations ensuring they meet your requirements Understand what distance to keep to avoid EMF issues for human safety and equipment disturbances Understand all about cooling setup and CFM, Delta T and other important factors Understand contamination factors and limitations Understand full details of fire suppression options and how to calculate gas content and verify installations Understand how to measure data center energy efficiency and how to improve it PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 10 of 14
Day 1 Covers the Following: Data center design/life cycle overview Tier levels Building considerations & standards Advanced raised floor & suspended ceiling Advanced Power Generators UPS systems Harmonic filters Battery banks Day 2 Covers the Following: Advanced Electro Magnetic Fields Advanced Cooling Advanced fire protection Day 3 Covers the Following: Cable management Environmental specifications Data center efficiency Question and Answers and exam preparation (if time permits) EXAM: Certified Data Center Professional Certified Data Center Expert (CDCE) This course and certification will be released in early 2008. The focus will be on the expert or more senior management of the data center. Again, it is the third in the series and you must have passed the CDCP and CDCS exams to qualify to take this course. PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 11 of 14
Certified Data Center Operations Manager (CDOM) With the constant pressure of reducing cost of IT operations while at the same time meeting the ever increasing business requirements for continuous improvement in effectiveness and improved uptime and service levels, running IT data center operations is a daunting task. With no standards available to tap on, customers are on a continuous and everlasting search on what are the best ways to run efficient and effective data center operations based on best practices and proven methodologies. This course is designed to train anybody involved in running mission critical data centers and show them how to minimize downtime, improve effectiveness and efficiency in data center operations. The Certified Data Center Operations Manager is the first, world wide accredited, certified 2 day course in data center operations. It is designed to expose participants to the key elements involved in day to day IT Operations. It highlights the overall framework needed to run an IT organization in a controlled manner as demanded in volatile and high availability business organizations. Proven best practices are focused upon in order to reveal detailed inside information on how to get the most out of IT Operations, where results are instantly accomplished without making huge investments in soft or hardware. By virtually touching the IT Operations processes end to end, all aspects relevant for being successful in running and maintaining critical data centers are available. The primary audience for this course are System and Network Engineers, Infrastructure/Operational Managers and CIO s that are responsible for delivering and improving high quality IT Operations in business critical environments. Day 1 Learning objectives, participants will be able to understand: IT Organizational Management directives Road map Policies Standards Procedures Baselines Guidelines IT Security & Controls Confidentiality Integrity Availability Physical controls Technical/logical controls Administrative controls IT Controls Risk management Risk analysis Calculate risk Risk in depth IT Roles Common roles Job descriptions Responsibility Accountability IT Operations Documentation Application management Systems & network management Backup and restore Capacity management PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 12 of 14
Day 2 Learning objectives, participants will be able to understand: IT Operations Anti virus management Email management Security management Password management Logging Monitoring Auditing IT Evaluation/Improvements Effectivness/efficiency in operations Business user expectations & evaluations Cost effective operations Cost reductive operations Customer surveys Feedback programs IT Safety Protection mechanism Emergency situations IT Redundancy Job rotation Shift handover Training Business continuity Disaster recovery/business continuity IT Operational Mgmt Service support desk SLA Incident response Hardware implementation Software dev. & implementation Maintenance Change management Project management Planning Testing Resource management Product management Contract management PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 13 of 14
Resilient Data Center Facilities and Management A common issue for most of today s data centers is that they are in general not ready for deploying new technologies that consume more power and need more cooling capacity. Planning for the data center facility itself has to be part of the planning when planning new IT projects. Carefully evaluate if the data center can hold new technology. We don t always know what is happening in the future 2 3 years out. Once you build a data canter facility you imagine that it is made to last 10 15 years however, technology is changing every 2 3 years so data centers need to be modified to align with current technology. SS507 is a Singapore standard that describes how the disaster recovery site should look: redundant power, proper cooling, enough if systems go down, network redundancy, fire suppression. All data centers who were audited in 2006 failed to pass. Sometimes it was as simple as missing proper signage or single point of failure. But the fact is that businesses are spending millions on IT infrastructure, but are not spending enough time or money looking at the resiliency of their data centers. People who offer business continuity and disaster recovery often spend millions on achieving high availability but fail on an audit. They often do not take the data center room itself seriously. It is important and could lead to a disaster for your business. In Summary If you are a data center professional get certified in data center management. If you employ data center personnel get them trained and certified so that you know that they have the knowledge and the skills to protect and manage the most mission critical facility in your organization. Data Centers, both primary and backup site play a critical role in the ability of business to run and to survive Proper standards, where applicable, need to be applied in order to build and run a resilient site Mission critical sites should be audited and certified to guarantee hi availability Only certified professionals should deal with the complexity of setting up and running mission critical data centers For more information on the courses offered by ICOR go to http://www.theicor.org/pages/courselisting.html PO Box 1171 Lombard, IL 60148 USA www.build-resilience.org 1.866.SOLVE21 Page 14 of 14