Over the last two years, the data centre market has seen rapid expansion, accelerated by the COVID-19 pandemic. The digitisation of business processes and the growth of generative AI are expected to drive further demand in the next 12 to 24 months.
Stephen Beard, Global Head of Data Centres and Partner at Knight Frank sat down with Jim Marchant of Aon’s Cyber Risk Advisory team to discuss the role that data centres are playing in the global economy and the cyber risks that need to be considered by both users and operators of data centres.
JM: Stephen, data centres are something that most people will have heard of and something that everyone is pretty reliant on whether they know it or not! Could you give a top line explanation on how Knight Frank helps enterprise clients navigate data centres?
SB: Sure – so for businesses looking to use a data centre there are three main models. Typically and historically, companies built and ran their own dedicated data centres, very common for the banking community, but we only see this in place for a relatively small number of clients now, certainly less than 10%.
The co-location model then took over whereby an independent operator would build a facility to house multiple companies who can install their own IT hardware into a shared data centre. The company then controls access to their independent space or shared rack space in the facility and manages their own server hardware. The data centre operator then provides the infrastructure of the building (power, network, security, etc.), shared services and sometimes something called a ‘smart hands wrap’, which covers things like installing new equipment and patching. This works well for companies who need to have access to their data processing and storage requirements and those who may need to have more control over the physical location of their data.
Then there is the growing Cloud model from someone like AWS or Microsoft Azure who run a large estate of data centres. The company won’t necessarily need to know where all their data is being processed (Data Sovereignty, GDPR, etc. rules aside) but they do benefit from a cloud platform and the resource of flexibility and scalability that it brings.
A hybrid IT structure used by many of Knight Frank clients, is to take space in a co-location facility for their mission critical workloads and then having a Cloud service to supplement capacity and access to software as well as providing a back-up solution.
JM: Data centres have played a crucial role in powering businesses for some time but are really coming into the public eye through things like cloud computing and Artificial Intelligence (AI). Can you tell me a bit about how you have seen the market change over the last couple of years and what you see coming up over the next 12 to 24 months?
SB: Over the last two years, the data centre market has continued to expand at pace, and we saw COVID-19 add to that rate of growth as companies were forced to adapt to remote working and servicing customers in more digitally focussed ways. The pandemic also placed a spotlight on business resiliency and the need to be adaptable – two areas where Cloud services can really help.
"Over the next two years, Knight Frank expects to see a new wave of demand for data centres with two key driving forces. The first is the continued digitisation of business processes and IT transformation which is happening across every industry sector. The second factor is Generative AI and the massive amounts of computing power that it consumes. The data centre market for AI computing alone is already worth $155bn per annum and is forecast to reach $1.4tn by 2030."
JM: We’ll come back to AI, but before we do, it would be good to understand how Knight Frank talks to its clients about risk when it comes to data centres?
SB: When we introduce an enterprise client to the market to find a solution, key considerations prioritised have historically been maintaining uptime and the key risks that might reduce this uptime. Uptime will generally be determined by how well the operators have built the data centre and critically, how they are running and maintaining the data centre. Knight Frank also considers the data centre’s environment. This includes both the geographical location and the physical layers of security implemented by the operator. The market is increasingly aware that a security threat is now as likely to be digital as it is physical.
With this in mind Jim, what are the new types of questions that an enterprise client of ours should be considering when it comes to data centres and cyber risk management?
JM: The critical first step is being clear about the differences in responsibilities between the operator and the client. For example, the operator will usually be responsible for the physical security of the data centre and the procedures for accessing the building. Cyber attacks often start with someone gaining unauthorised access and inserting a USB that contains malware. So, our advice to clients is to verify the robustness of access security controls, including the identity and access management systems and ask for any issues to be resolved before signing a contract.
Other areas to check include the Building Management Systems (BMS) which controls functions such as ventilation, lighting, and fire suppression. Clients should obtain assurances relating to system access controls and whether a cyber risk assessment has been conducted.
As well as due diligence on the operator, a data centre client taking space in a co-location facility should have its own cyber security risk management plan covering the hardware and software under its control. The client should also have a business continuity plan that sets out how it continues to function should the data centre become unavailable. The final key area I will raise is helping clients to better understand the commercial impacts of their data centre facility going offline.
SB: Regarding commercial impacts, how do clients know what the costs of a data centre cyber attack could be?
JM: Let’s take the example of a cyber attack that causes a fire in a data centre. There will be crisis response costs such as a digital forensics investigation alongside the obvious business interruption and hardware replacement costs. You also have the impact of reputational damage and the potential for third-party liability claims. Aon’s Cyber Risk Advisory team works with organisations to map out what these costs could be. Once a client understands the possible financial impact, it helps them to make better informed decisions about cyber risk management, including how much to invest in security controls, how much spare data centre capacity they may need and what the most effective cyber insurance programme is for their risk profile. Regarding spare capacity, how do Knight Frank clients decide how much they need?
SB: This is one of the core pillars of advice that we provide and there is a delicate balance between the capacity needed today, the capacity that will be needed in 12 months or more and the capacity that a client has as a back-up. We know how different industry segments have quite different data centre needs. For example, the Life Sciences sector is only starting to move from an on-premises IT model into co-location. Financial Services on the other hand have been placing functions, like those needing low latency, into co-location facilities for some time, and using the Cloud for back-office IT. Knight Frank’s experience in the market enables us to connect enterprises with the right model and blend of service partners.
JM: We’ve talked about the data centre buildings themselves - let’s talk about data and specifically about personal data and regulatory risk for clients. How are regulations like GDPR changing the way clients plan their data centre strategy?
SB: Clients need clear visibility into their data and need to be able to prove where it is being handled. This is a new type of challenge for the Cloud market. In short, it means more data centres in more locations. Cloud service providers are providing more localised services to enable clients to adhere to data sovereignty rules and co-location operators are seeing a rise in demand from clients who want that extra layer of visibility and control.
JM: More data centres in more places inevitably raises the topic of energy consumption – how is this shaping the data centre market?
SB: A lot depends on what the data centre is being used for. A high frequency trading company is going to be focussed on minimising the time it takes for data to travel, so it’s more about physical proximity than energy efficiency. On the other hand, generative AI model training loads are typically less time sensitive and consume a lot of power, so these could be in a location like Iceland where land is typically cheaper and power costs are lower and more eco-friendly as the power is either from hydro or geothermal sources.
Of course, many companies will have a mix of needs so may use some local data centres for speed or data sovereignty reasons and split out other functions, and IT loads to somewhere like Iceland for lower cost and ESG considerations.
JM: Thanks for the discussion Stephen – it’s been really interesting. It’s clear that as businesses are handling more and more data, the data centre market is growing quickly to meet these needs. The range of choices for companies - whether to use co-location, Cloud or a dedicated centre - is obviously a good thing. However, more choice brings complexity and associated risks which need to be managed - keeping us and our clients pretty busy!
Contact:
Jim Marchant
Cyber Risk Advisory
[email protected]
0207 0860098
More Insights