Datacenter – Colocation SLA

Viewing 5 reply threads
  • Author
    Posts
    • #336
      aswancer
      Participant

      Datacenter (core) services has a very broad scope with several major components including physical and logical protection, server management, database management and backups and restores. IT has four primary SLAs and one standard that are meant to address these components; 1. LoboCloud service 2. Database management service 3. Backup services 4. Co-Location Service and the datacenter standard. IT offers additional related services that can be found on the IT service catalog. This SLA is specific to Colocation.

    • #357
      erooney
      Participant

      – How does this apply to “shared” facilities/spaces or the different tiers of data centers defined in the proposed Data Center and Server Room Standard? What tier, as defined in proposed the Data Center Standard, does this SLA apply? Is this intended to cover collocation in UNM IT’s Tier 4 facility only?

      2.1.1:
      – Is it possible to provide the Colocation Facility Access Agreement as an attachment?
      – Bullet items 2 and 3 need some clarification. If a department has signed the Colocation Facility Access Agreement do they still need to submit a Help.UNM ticket for access > 24 hours in advance? In cases where a department needs emergency access <24 hours, what is that process?
      – Is unescorted access available 24/7 or only during business hours?
      – There is text about having to “refrain from bypassing firewall rules”. This passage sounds like a requirement and should use MUST, REQUIRED or SHALL to indicate that this is absolute as defined in RFC 2119.

      2.2.2:
      – What specific things does this walkthrough observe? Are results of walkthrough documented and available to the customer for review?

      3.2:
      – For sensitive data, should Data Custodian/Owner be made aware? Is UNM IT the data custodian in these colocation instances or is the department with the server?
      – If a department has less than a full rack of equip, and is located with other colocated servers, do other departments have access to our equip in the same rack or is access locked down to the unit? Do you have racks that are specific to the kinds of data being stored on them in instances a department purchases existing rack space?
      – Is department access to servers escorted and only during business hours or do dept staff have access 24/7 unescorted in cases of emergencies or unplanned outages where we have failures?
      – Bullet 7 reads “Contact UNM IT Service Manager for additions or changes in established service levels;”. However, section 4.3 indicates that exception go through the CIO’s Office.
      – Bullet 9: Are “special data types” those listed in the Data Classification Standard? If so, reword to specifically indicate that storing any E-Class or C-Class data requires department notify UNM IT and Data Owner or Steward?

      Eugene

      • #365
        bpietrewicz
        Keymaster

        Eugene,

        Thanks for taking the time to comment:

        – The IT data center is tier 4 including co-lo
        2.1.1
        – I will post the Co-location Facility Access Agreement this week.  Today if possible.
        – The second bullet on 2.1.1 should say Request escorted access.  I will update the SLA.
        – Yes unescorted access is available 24/7.  I will update the SLA. 
        –  I will ask our agreements committee about must vs shall language.
        2.2.2
        – Co-location racks are visually inspected.  If there are warning lights/indicators or unusual sounds the technical contact will be notified.   Facilities equipment is visually inspected for leaks, unusual noises or warning lights.  Issues are addressed immediately using the appropriate request/incident methodology.   There is no separate report for the walk through.         
        3.2
        – When a request comes in to store sensitive data hosted via colo, the request is forwarded security.  Security refers the customer to the data steward for approval.  Once approved security validates the technical controls.
        – Different customers can be collocated in the same racks.  The rack doors are not locked so yes collocation customers do have physical access to other colo customer equipment.  Equipment is not racked based on data type.
        – Unescorted access is 24/7.  This will be updated in the SLA.  Escorted access is during business hours. Escorted access can be escalated in the event of an emergency.  Escalation is done by placing a call to the IT service desk. 
        – 3.2 is referring to enhancing or adding features to the service.  4.3 is the process for requesting exceptions to the SLA.
        – No, the special data types are not listed in the Data Classification Standard, they have been classified by the appropriate UNM Data Owners/ Stewards, as identified in UNM Policy 2580, and as denoted on the Data Governance web site at: http://data.unm.edu/data-classification.html
        If IT receives a request for a Colocation service that involves a new data element not on the list, it will be forwarded to the Data Owners, who will classify that data element.
        Regards,
        Brian

        • This reply was modified 8 years, 1 month ago by tbui.
    • #411
      cdean
      Participant

      Although at this point Law has no plans to use this service, we reserve the right to create a customized SLA specific to our needs with mutually-agreed upon consequences for both Law and UNM IT.
      Cyndi Johnson

    • #421
      ayoder
      Participant

      2 What happens if a department is working with an external contractor? What is the process for UNM IT when interacting with contractors hired to implement solutions for UNM?

      2.1 Community is misspelled also “physical compute servers”? Physical Servers?

      2.1 Is 10 gigabit networking available in the colocation space? Is there an additional charge? 

      2.1.1 “Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit” What happens in the event of an Incident? 

      7 Maintenance Window for Colocation servers is not listed? 

      If UNM IT needs the change the regular maintenance window, they should generate a new SLA to make sure it meets the business requirements of UNM

      • #463
        bpietrewicz
        Keymaster

        Q: 2 What happens if a department is working with an external contractor? What is the process for UNM IT when interacting with contractors hired to implement solutions for UNM?

        A: We only get involved from access perspective.  Contractors working on Co-Lo equipment must be escorted by the Co-Lo customer.  If the contractor needs frequent access to the co-lo space there is an option to grant unescorted access. 

        Q: 2.1 Community is misspelled also “physical compute servers”? Physical Servers?

        A: I will correct both on the SLA.

        Q: 2.1 Is 10 gigabit networking available in the colocation space? Is there an additional charge? 

        A: 10 Gb networking is not available at this time.  We have not received enough interest to invest in the infrastructure.  If you would like to have it you can make a request and we can discuss options. 

        Q: 2.1.1 “Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit” What happens in the event of an Incident?

        A: Relay the urgency to the service desk and they can raise the priority of the ticket.  Or you can request unescorted access which will give you 24/7 access to the datacenter.  

        Q: 7 Maintenance Window for Colocation servers is not listed? 

        A: There is no maintenance window for the datacenter at this time.   

        Q: If UNM IT needs the change the regular maintenance window, they should generate a new SLA to make sure it meets the business requirements of UNM.

        A: If IT has a need for a maintenance window in the future we will update the SLA and give customers 90 days’ notice of the change. 

    • #423
      elisha
      Participant

      2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?

      2.1.1- Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and data base servers, for instance?

      “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)

      2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.

      3.1
      More definition of this would be useful “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”

      Where will reports on performance be accessible?

      For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?

      3.2 Is there any training or certification that should be required for qualified personnel?

      4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?

      7 Same question as 4.2 related to input into changes in maintenance windows.

      • #470
        bpietrewicz
        Keymaster

        Q: 2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?

        A: If a department is paying for a full rack the rack is dedicated to the department.  

        Q: 2.1.1- Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and data base servers, for instance?

        A: We do not offer NAT for co-lo at this time.  It is on the road map.  Nat will be available to LoboCloud customers in the near future.

        Q: “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)

        A: There are special circumstances in which co-lo customers can bypass the firewall.  We want to call this out specifically. 

        Q : 2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.

        A: Good catch.  I will add it the SLA. 

        Q: 3.1
        More definition of this would be useful “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”
        Where will reports on performance be accessible?

        A: Per Security:
        Standard Communication Approach:
        For documents that describe our operational security processes, it is our practice to keep those documents from publication.  

        Below are a couple of redacted, non-sensitive steps taken from our Standard Operating Procedure SOP that covers responding to incidents on deptweb.  The steps listed below are representative of the standard steps in our SOPs that describe what we do in incident response in terms of standard customer communications:  
        a. Attempt to contact department … (to) make the first attempt to un-publish the compromised site;
        b. If department can’t be contacted … or if malware is being distributed through the compromised site … un-publish the compromised site.
        Exceptions:
        While there are rare exceptions to the approach referenced above, those exceptions involve either:
        • An apparent breach/ exposure of Personally Identifiable/ Sensitive and Protected Information (PII/ SPI) that require an immediate disconnect or similar response;
        • An apparent Denial of Service (DoS) attack that also requires an immediate disconnect or response.
        Hopefully this helps clarify the standard approach that we use in responding to such incidents from the perspective of customer communication.  

        Q: For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?

        A: Yes we follow our standard change management processes for changes to the datacenter.  Change would go through CAB/TAT.  Notifications will be posted on IT alerts.  If an outage of Co-Lo services is required we would reach out to co-lo customers. There is no need for a maintenance window at this time.  If a maintenance window is needed in the future IT will update the SLA and give co-lo customers at least 90 days’ notice. 

        Q: 3.2 Is there any training or certification that should be required for qualified personnel?

        A: Yes we give co-lo customers training before they begin using the service and upon request.  I will update the SLA.   

        Q: 4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?

        A: Yes.  We will notify customers of any maintenance that may impact them.  At that time we will discuss customer requirements.

        Q: 7 Same question as 4.2 related to input into changes in maintenance windows.
        A: After seeing this question for the second time I think it would be best to update the SLA with the appropriate information.  I will update the SLA.  

    • #479
      barchu02
      Participant

      2.1.1 End-User (Department IT) Requirements to Use the Service
      Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit;

      What happens if a critical co-location server goes down and the owner needs immediate access?

      2.2.2 Specific Service Levels
      Ensure bi-weekly walk-through by UNM IT to observe condition of Customer’s devices;

      Does IT contact the customer if they find an issue? Does IT physically touch the machines?

      • #489
        bpietrewicz
        Keymaster

        Q: 2.1.1 End-User (Department IT) Requirements to Use the Service
        Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit;
        What happens if a critical co-location server goes down and the owner needs immediate access?

        A: Relay the urgency to the service desk and they can raise the priority of the ticket.  Or you can request unescorted access which will give you 24/7 access to the datacenter.  

        Q: 2.2.2 Specific Service Levels
        Ensure bi-weekly walk-through by UNM IT to observe condition of Customer’s devices;
        Does IT contact the customer if they find an issue? Does IT physically touch the machines?

        A: Yes IT will contact the customer if we notice anything unusual.  No IT will not touch customer machines unless the customer requests IT to do so.  

Viewing 5 reply threads
  • The topic ‘Datacenter – Colocation SLA’ is closed to new replies.