dcm magazine

Data storage considerations for small organizations
Storage
Tuesday, 15 June 2010 00:00

Joe Malec, a security analyst in the financial services industry, looks at why outsourcing may be a better option if you need to secure your data.

As the functions of the data centre have evolved from storing and processing data to becoming a key component of data security and privacy, some smaller companies are being forced to make tough decisions to survive. This is due to the barrage of privacy laws from many countries obligating organizations to protect personally identifiable information (PII) and personal health information (PHI). Some of the affected companies provide outsourced processing services, such as benefits administration, marketing and recruiting, for larger international companies.

To meet the additional privacy obligations as well as keep pace with the maturing technological environment, some companies are building their own data centres from unused office space. However, converting space in an office to a data centre can be costly on several levels and the landlord may not allow it.

The infrastructure cost considerations include climate control, electricity demands, alternative power implementation, reinforcing interior office walls, and fire detection and suppression. Maintenance has to be factored in as well. How much downtime can be tolerated? Depending on the answer, redundancy will need to be built into the equation.

The security costs can be overwhelming as well. Common data centre security solutions include cameras, alarms, motion sensors and multi-factor authentication. While organizations focus their resources on the appropriate collection, processing and retention of data to meet regulatory obligations, the physical aspect may receive less attention. As a result, the data centres that are built may not be designed to meet certain security standards.

Compounding the problem for many companies are U.S. regulatory bodies such as the Financial Industry Regulatory Authority (FINRA), the Federal Deposit Insurance Corporation (FDIC) and the Federal Financial Institutions Examination Council (FFIEC). They have all published information on the oversight of third-party service providers with regard to the protection of data. Essentially, they are saying that the primary organization has a responsibility to ensure its information is protected even if it is sent to an outsourcer for processing. To exercise that oversight, companies audit their outsourcers to appraise their ability to protect the data. It does not matter in which country the outsourcer is located. In this process, the primary organization may compare the controls the outsourcer has in place to its own to make the case that the controls over the data are consistent. The U.S. is not alone; the European Commission's Directive on Data Protection (Safe Harbor) is intended to ensure that personal data on European citizens is appropriately protected overseas. These restrictions can potentially expose inadequate data centre controls at an outsourcer that is a small operation with a limited budget for controls.

Even worse, many of the typical "mom and pop" operations that traditionally used a closet or storage room as their data centre may end up being classified as high-risk vendors. If a company does not have the proper controls implemented, it is no surprise if it loses data. Proof of this can be found in the 2008 U.S. Cost of a Data Breach Study, sponsored by PGP and the Ponemon Institute, where 88% of data breaches were caused by insider negligence. A similar study in the UK found that the cost per record in a breach was £60. This can be financially devastating to a small company.

A good solution for a small organization is to use a hosted facility for its data centre needs. That way, it can leverage the benefits of a professional, large-scale data centre without having to absorb the financial burden of building and maintaining its own. Hosted data centres are designed with availability and security in mind, which blunts some of the biggest issues with data centres built within office space. In addition, most should be ISO 27001 compliant. This provides them with an internationally recognized certification of their controls.

Some hosted data centres offer other services as well, such as managed hosting of hardware, so smaller companies don't have to worry about the support and maintenance of the systems. In addition, hosted data centres typically have undergone regulatory and third-party audits. The trend towards hosting continues to grow in popularity. SunGard, one of the leading IT service companies with hosted data centres in several countries around the world, has reported compound growth exceeding 20% annually. Another company, Digital Realty, reported 22% year-over-year growth in its second-quarter earnings report.

What all of this boils down to is that using a hosted data centre can allow a small organization to implement large-scale security and availability controls over its data, which can potentially help it stay competitive and compliant.