Notes from the Consultant’s Jungle

Bob Landstrom, CGEIT, CISSP, CDCDP

The Tier Model for Mission Critical Facilities, created and governed by The Uptime Institute (TUI), is the most pervasively referenced data center tier model.  It is not the only multi-level model describing the quality of data center facilities, but it by far enjoys the majority of mindshare in this regard.

The four-tier model from The Uptime Institute was developed through thoughtful analysis and extensive empirical data from facilities of member organizations.  Quality control over interpretation and accreditation of tier ratings to facilities is closely guarded by TUI.   Awarding a tier level to a facility can only be done through designated professional services suppliers sanctioned by TUI.  Self proclaimed use of a tier rating by any company without TUI involvement exposes the firm to legal action by TUI.  Even so, misuse and misappropriation by enterprises world-wide is prolific.

Data center providers often claim to be of a certain tier rating (usually Tier III or Tier IV, the highest).  This is a false claim, because except for a small facility in western Virginia, there are no certified commercial data center colocation or hosting facilities.  Customers shopping for colocation space will often make a tier level requirement a term of qualification in RFP’s, and prospective providers will affirmatively respond in their proposals, even though this is folly for both the Customer and the vendor.

Why do so many firms shopping for colocation services seek tier ratings when shopping for data center providers?  The reason is because TUI, through the creation of this four-tier availability model, has given the community a model whereby a firm can match their business characteristics against an availability threshold, backed by the highly regarded advice of TUI.

Why do data center providers not seek tier certification from TUI?  There are several reasons for this, and their all based on cost and return on that investment.

For one thing, a TUI professional services consultant must be hired to conduct the assessment of the facility.  The assessment is extremely detailed and requires not only the hours of the consultant’s time but also the hours of time supporting the discovery work.  While this may be costly, it’s not the primary cost reason.

Data center operators are shooting for the Holy Grail, Tier III level in most cases (some for Tier IV, but the point applies to both).  The capital investment required to truly satisfy the concurrent maintainability requirements of a Tier III facility is very significant when compared to Tier II or Tier I architectures.  Many facility operators have embarked upon certification, believing they had Tier IV facilities, only to find they are Tier I or Tier II according to the model’s qualifying standards.  Faced with the additional capital costs to meet the Tier III standards, many firms punt and choose to continue with what they have already in place, and instead make claims of higher tier levels and “tier+” levels even though this is seen as illegal in the eyes of TUI and those in the industry truly knowledgeable in this area.

The interesting thing is though, that while a facility may be uncertified and even uncertifiable to a particular tier level, its true availability performance outperforms even higher tier ratings.  Similarly, a certifiable higher tier facility can demonstrate lower availability performance than the tier rating would imply.  How can this be?

The Uptime Institute tier model describes predominantly the topology of the MEP infrastructure in a facility, and the components comprising that infrastructure.  This then, is a predictive model, even though derived using empirical data.  Provided a data center does indeed have redundancy of key mission critical components, the actual real-world availability performance will be also driven by the strength of governance of the facility.  That is to say, the strength of Standard Operating Procedures and Methods of Procedures (SOPs and MOPs), as well as the competence of the staff and management of the facility will ultimately drive the performance of the site.

There are many data centers that would qualify as Tier II at best, but deliver availability superior to that of Tier IV guidance.  This is due to the quality of management of whatever MEP infrastructure exists at the facility.  Data center operators know this, and thus find justification in declining the chase for TUI certification.

This situation of stagnating returns is sustained by the fact that the TUI model provides a very good framework of guidance for the business community at large.  Until an alternative emerges that can capture similar mindshare to the TUI model, firms on both sides of the buyer/vendor fence will continue to misuse and misappropriate TUI guidance with no real benefit to anyone other than TUI when legal prosecution yields rewards.

What is needed, is a model that takes into account the ability of the MEP infrastructure to support high availability (like the Uptime Institute approach does), but to also take into account the historical availability performance of the site under evaluation.  This type of availability certification would involve an audit of MEP infrastructure and components, much like is done by TUI professional services, but will include other aspects that directly impact real availability performance.

One of these additional components is a risk assessment, that aligns actual threats to availability that exist at the particular location of the facility under audit.  Obvious common issues are proximity to airports and railways, local crime rates, gas lines, water shortages (or excesses), and so on.  The identification of threats at the particular location are then vetted for likelihood of occurrence and any mitigating features of the facility.  For instance,  if the nearby rail line is for light rail passenger traffic only, then this is a different risk profile than a freight line.  If the local crime rate is high but adequate intrusion and authorized access controls are in place then that is considered in the profile as well.  This part of the audit will require thorough security risk management analysis as well as interaction with local public and private agencies to complete.

Another component of this certification is the audit of actual availability performance over a period of time relevant to the quality of the analysis.  Actual maintenance and outage logs will be collected from the facility operator as evidence, as well as contact with facility customer/tenants to discover any relevant evidence not shown in operator-provided documentation.

The audit should also include aligning facility infrastructure equipment component ages and ratings with historical empirical data to look-ahead for any operational impact probabilities that may impact performance after the audit.

The result is a new standard model that includes MEP topology and architecture, real-world availability performance delivered by the quality of operations, and security risk profiles to produce a facility availability rating that is relevant and useful for both the facility operator and its customers.

The Uptime Institute is due to release an update to its tier model description that includes operational considerations.  Early news on this development suggests that an operational score will be appended to the tier certification, a la “silver,” “gold,” “platinum.”  If this is the way this plays out, this is different from what is suggested here, though an important improvement to account for the likelihood of the certified data center living up to the theoretical performance levels suggested by its tier certification.

More to follow.  Your thoughts on this topic are much appreciated.