Offshoring Datacenters? You Might Want to Think About That

By John Merryman

(Back to article)

The concept of allowing data to move offshore radically breaks with tradition of keeping the corporate jewels relatively close to home. Nonetheless, two trends are evident: Small companies are beginning to offshore IT infrastructure (one application at a time), and large multi-national companies are off shoring entire datacenters.

With the never-ending pressures to lower IT run-rates, corporations are expanding cost cutting measures to IT infrastructure. Labor arbitrage is the defacto standard for lowering the cost of IT for many corporations, however, some companies are now considering the movement of not only labor pools, but IT infrastructure and production data also.

Offshore IT service providers span the globe from India, China, Eastern Europe, Africa, to South America. Offshore labor resources execute a growing number of call centers, application, and business processes for organizations worldwide.

In all cases, some level of data access goes part and parcel with the offshore service provider contract.

But how could relocating IT infrastructure to a remote third-party datacenter be a viable strategy, especially considering how recently the infrastructure hosting and managed service provider market fizzled in the U.S.?

The following industry trends explain why:

  • Offshore IT firms (Wipro, Infosys, HCL Comnet, Tata Consulting, Satyam, etc.) have made a serious move into infrastructure management services such as database administration, system, network, storage management, etc.
  • Traditional outsourcing firms are advancing quickly towards global infrastructure management strategies.
  • Any organization that has successfully outsourced technical or business processes to remote service providers is now likely to consider infrastructure management.
  • For the CIO and/or CFO IT infrastructure capital and operational costs are the next logical line item on the budget and typically comprise a huge percentage of the average IT budget.

    Market Perspectives

    Today, offshoring IT infrastructure applies to the extreme edges of the market: extremely large multinational corporations and small businesses

    In a recent publication of Foreign Affairs magazine Sam Palmisano, CEO of IBM, writes: ”State borders define less and less the boundaries of corporate thinking or practice … banks, insurance companies, professional-service firms, and IT companies are building R&D and service centers in India to support employees, customers, and production worldwide.”

    With over 40,000 out of IBM’s 330,000 employees based in India alone, global datacenter infrastructure is a significant part of IBM’s overall global service strategy. IBM’s recent announcement to expand investments in India by $6 billion includes a significant investment in service delivery centers. This investment will include datacenters, both internally hosting R&D infrastructure and externally hosting client IT infrastructure.

    For the colossal multinational corporation, the bottom-line solution is simple: Build your own datacenter using your own designs for infrastructure reliability/resiliency and standard controls for data access and security.

    The trend also applies to small companies where the cost of both housing and maintaining the hardware and supporting systems outweighs any concerns over data security.

    Palmisano continues: “Small and medium-sized businesses everywhere, particularly, are benefiting: as new services—from back-office administration to sales support—create infrastructures once only affordable to large organizations, these businesses can now participate in the global economy.”

    The bottom line here is if the cost of supporting the physical infrastructure is significant enough, and the number of physical systems a company needs to support is limited, then the relocation of actual hardware starts to make sense.

    All trends aside, if your organization formally values data as a corporate asset (just like intellectual property, buildings, land, capital, etc.), relocating your IT infrastructure raises a myriad of risk questions: Who mitigates the risk of foreign policy melt-downs, political instability, land disputes, terrorism, natural disasters, black market influences, and industrial espionage? Do these factors present tangible risks for data security, integrity, and availability?

  • Data Security and Regulations

    With the exception of data protection legislation in the European Union, few if any formal regulations limit the movement of business-critical or sensitive data to offshore locations. To comply and ensure the ebb and flow of money across the Atlantic, U.S. companies practice self-regulatory measures via Safe Harbor standards, but only for EU transactions involving personal data.

    These measures represent the first steps toward formal data privacy governance on an international level. However, the scope and associated impacts don’t apply to IT offshoring hotbeds such as India and China. And still, the data security industry buzzes with examples that include such headlines as: "U.S. customer social security numbers going for $5 on the street in Mumbai," resulting from production data moving offshore for testing purposes.

    The bottom Line? Domestic data privacy laws and regulations are not enforceable in a foreign jurisdiction. Unless the hosting country has equivalent laws, regulations, and commitment for enforcement, you should plan on a rigorous examination of the offshore security policy, procedure, and technical controls.

    A recent analysis by the U.S. Federal Deposit Insurance Corporation (FDIC) concluded that formal data privacy policy and governance is practically non-existent in most, if not all offshore hotbeds. The report states, “… none of the countries currently have privacy laws equivalent to those of the European Union or the United States”.

    That said, changes are afoot with India recently announcing the creation of a data security watchdog agency, associated with NASSCOM (National Association of Software and Services Companies). This non-governmental organization will publish and promote best practices for IT security, but there are no indications of formal regulation and governance by the government.

    While many debate that this offers companies no more than "warm and fuzzies" with respect to data security, it does lay groundwork for Indian offshore service providers to set up stringent auditing and management capabilities for data security.

    Nonetheless, governing data security is a monumental task if the data and supporting systems are physically located offsite. As a result, until these laws become more widespread and enforceable a more realistic scenario will see companies adopt the interim "half-way-house" model, resulting in the retention of IT infrastructure and data, but outsourcing the maintenance and management.

    Essentially the policies, procedures, and powers of the free market govern offshore data security instead of formal regulations. And these regulations still depend on well managed policies and procedures as seen in the onslaught of U.S. domestic customer data theft and loss cases of the last several years.

    Infrastructure Maturity

    One could argue the last several years of rolling blackouts in the U.S. are not far from conditions in developing nations, but when you sign off on moving infrastructure to another part of the world, can you safely assume the infrastructure supporting datacenter operations (power, environment, roads, etc.) is reliable?

    While the "backhoe" still presents the world’s greatest risk to high-bandwidth communications and data transmission, general infrastructure maturity, telecommunications and power reliability are significant risk issues to consider when moving IT infrastructure offshore, especially if the user base is geographically distributed.

    Depending on location, routine power outages and service disruptions are an environmental reality. Offshore hotbeds like Mumbai are plagued by frequent brown-outs and power disruptions, while Shanghai is developing one of the worlds most sophisticated power infrastructures.

    But don’t plan on infrastructure issues to persist in offshore hot spots. As discussed above, China is investing heavily in infrastructure development and India is showing increased commitment to telecommunications and power infrastructure development.

    Don Van Boren, president of Vanguard, specializes in call center consulting services and comments: “Many are keeping their datacenter infrastructure local for security issues, however a lot of companies are now looking at relocating infrastructure to offshore locations. Higher bandwidth network connection costs are dropping and remote management is no longer an issue”.

    The bottom line is infrastructure maturity is inevitably going to expand in the various offshore industrial IT centers, while other environmental risks like natural hazards and political stability fall into the unmitigated risk bucket. With billions of dollars pumping into these economies, governments have no choice but to keep pace with post-industrial growth needs.


    Is the typical medium to large organization ready to move IT infrastructure offshore? At the moment, no. While these companies are using or have considered infrastructure outsourcing, the hardware and connecting infrastructure remains in house with the necessary provisions made for the outsourcer to manage resources remotely and securely.

    For larger organizations the investment in datacenters and the supporting environment is already in place. As such, any arguments for physically relocating infrastructure are less tangible. Larger organizations will really need to look at outsourcing enough hardware to significantly decrease their overall hardware footprint; a situation that is unlikely at this time.

    For example, if a large investment bank decides to outsource their messaging environment they may remove 30-to-50 servers from their global hardware footprint. This barely makes a dent in their overall hardware investment meaning they still have all the overheads of maintaining their other systems and the environments to house them while loosing control (perception or not) of that most precious of corporate resources, their business data.

    Many financial services companies built large data processing facilities in rural America, specifically to take advantage of lower labor rates and a lower cost of doing business. Now the same companies are moving labor offshore which many believe establishes a natural precursor to offshoring infrastructure.

    While this maybe a reasonable assumption certain factors would need to be mitigated before this started happening on a large scale, namely:

  • Outsourcing companies need to specialize in holistic services allowing organizations to outsource significant numbers of systems and services. ·
  • The infrastructure within the outsourcing environment becomes mature and regulated enough to guarantee the level of service required for business to operate competitively. ·
  • The laws and regulations that govern data protection in the countries where business data exists become formalized and globally regulated.

    While the evidence suggests that the IT infrastructure will ultimately follow the people who are responsible for performing the technical work, it will only be viable if the risks and limitations associated with this strategy are addressed and mitigated.

    John Merryman is a senior consultant with GlassHouse Technologies, an independent storage services firm. He can be contacted at jmerryman@glasshouse.com.

    Stephen Craike is the technical director for Nitor Global Solutions, a specialized consulting firm focusing on global systems integration and operational services. He can be contacted at Stephen.Craike@nitorsolutions.com.