Data Center Journal

VOLUME 37 | APRIL 2015

Issue link: https://cp.revolio.com/i/488587


10 | THE DATA CENTER JOURNAL www.datacenterjournal.com

Even within the data center industry, some operators must comply with more regulations than others. Much depends on what type of data a particular facility is handling, as well as the customer. So, regardless of how you view regulations—as fair or foul—if you're running a data center, you'll probably have to deal with state and local regulators, and perhaps federal as well. Getting into all the details would be impossible, needless to say, but here's an overview of what companies in this industry face, and how they can deal with it.

Overview of Data Center Regulations

Regulations can apply to the physical or digital side of the data center. "If we are talking about the first case—the data center itself—then what is needed is physical security for HIPAA and other regulations, and the ideas are much simpler," said Leo Leung, VP of Marketing for Scality. In addition to EPA regulations covering backup power systems, for instance, "you have things like OSHA regulations and physical-security requirements. If you have certain levels of financial data or HIPAA data, then there is a center level of security that is required." Those requirements cover access control and personnel monitoring for the data center at large as well as certain sensitive areas in particular.

"If you are talking about the applications running in the data center," added Leung, "you have an entirely different set of HIPAA and OSHA regulations, as well as all of these other things around the data—the applications and access to that data." This is the digital side, which can be complicated by the use of the cloud, for instance. Among the most applicable regulatory schemes at the federal level in the U.S. are the Health Insurance Portability and Accountability Act (HIPAA), which obviously covers health-related data, and the Sarbanes-Oxley Act, which covers finance.

In addition to federal regulations, numerous state and local codes also apply. According to Brad Ratushny, Director of Infrastructure at INetU, data centers will likely deal more with regulators on this front than the federal front. "In general it is my experience that the U.S. government has allowed each state or local government to set and enforce regulations as appropriate. This approach allows a facility in Manhattan or Silicon Valley to be regulated differently from one in a less dense part of the country." Obviously, those regulations will include building codes in the case of new data center construction, as well as zoning and the usual array of licensure and other business and tax matters.

Doing business in certain markets may also involve industry standards: perhaps the biggest name in this category is the Payment Card Industry Data Security Standard (PCI DSS), which governs transactions as well as data storage and handling for credit-card purchases. Naturally, given all the recent high-profile security breaches, data center operators will need to pay close attention to such matters when dealing with sensitive customer information.

In addition, companies operating offshore data centers will face yet other regulations. And with growing geopolitical tensions, thanks in part to revelations of extensive NSA spying, the dynamics surrounding international regulatory compliance are becoming increasingly complex. For instance, some countries require that their citizens' data be stored only in data centers located inside their borders. Unfortunately, this complication means that international companies must be prepared to shell out money for expert help (whether in house or external) in addressing the maze of regulations.

Highly Regulated Industries

Although ranking industries on the basis of regulatory burden is a difficult exercise, several important examples stand out. "Three that come to mind specifically are health care, pharmaceuticals and industries dealing with credit-card data, including e-commerce and payment processors," said Eric Naiburg, Director of Marketing for INetU. Furthermore, "Regulations like Sarbanes-Oxley (SOX), E.U. Safe Harbor and others play a role on most publicly traded companies and how they manage their data, length of retention and more." Leung also identifies governments—particularly defense and security contractors—as facing numerous obligations (particularly following the Edward Snowden debacle).

Data centers that deal with electronic medical records (or electronic health records) fall "under great scrutiny by the HIPAA regulations to ensure that all data is safe, secure and handled in a proper manner," said Naiburg. "Data centers in the health-care industry must be sure that data is kept private and not shared." In addition, pharmaceuticals face data-handling regulations when conducting clinical trials. "Regulations like Title 21 CFR Part 11, for example, keep a strict eye on the way clinical-trial data is managed, shared and changed. If a record is changed, [the pharmaceutical] had better know why, by whom and what it was changed from and to. That data also comes under requirements around retention, sharing and other areas to protect both the personal nature of the data and ensure that the study is being managed with validity."

Thanks to what seems to be a growing number of security breaches involving credit-card data (or, at least, a growing awareness owing to recent high-profile cases), scrutiny of the payment-card market is increasing. "The companies that deal with credit cards are always under a close eye thanks to the value of that data, but also because of the PCI DSS regulations," according to Naiburg. Although the PCI DSS standard isn't a law per se, it is a set of mandatory requirements for companies that handle or store credit-card information. "If you don't comply, you cannot process credit cards, and if you are breached, you had better at least have that audit on file to prove you did what was required. Data centers, applications and databases that store that data must all be in compliance, and that doesn't matter if the data center is in house or hosted elsewhere." Even though government regulators may not be involved directly in enforcing the PCI DSS standard, some jurisdictions may view noncompliance as either violation of existing regulations or evidence thereof. Either way, however, an
