Who is DP Facilities, Inc., what is its history, and what is its relationship to Mineral Gap?
First known as Data Processing Facilities, then later as DP Facilities, Inc., the company was started in 1967 in Long Island City, New York. After doing some early data center work with IBM, the company built a data center for the Clearing House Association in New York City, which is one of the largest clearinghouses in the U.S. DP Facilities went on to develop data centers for a number of New York’s financial services firms, including Morgan Stanley, Dow Jones, and Lehman Brothers. The company also built data centers for the New York City Fire Department, U.S. Postal Service, and Carnegie Hall, to name just a few noteworthy clients.
DP Facilities, Inc. is the parent company that owns and operates Mineral Gap. In 2017, DP Facilities officially opened its 65,000 square foot Mineral Gap data center in Wise County, Virginia to provide various data center services to federal and state government agencies as well as commercial customers.
What is Mineral Gap and where is it located?
Mineral Gap is the first designed and constructed Tier III data center (certified per Uptime Institute’s classification and certification system) in Virginia. The data center is 65,000 square feet and is located on a 22-acre site in Wise County’s Lonesome Pine Science and Technology Park.
Wise County, Virginia, known as “The Safest Place on Earth”, serves to insulate the Mineral Gap data center from natural disasters, blackouts and attacks on large population centers. It is in a protected mountain location in southwestern Virginia, and is strategically located away from major population centers with their associated threat vectors. The facility is outside the flood zone, is less than a day’s drive from the Washington, D.C. area, and is conveniently located near a private airport.
The Mineral Gap facility is recognized for the highest standards in design, construction and operational sustainability, and features multiple redundant systems to support current and future IT needs of its clients. Mineral Gap provides operational continuity with experts available around the clock, and deploys cutting-edge technologies and backup systems for connectivity, power and cooling. Mineral Gap delivers the resiliency, capacity and reliability required to keep businesses running in the event of a man-made or natural disaster.
The Lonesome Pine Science and Technology Park area provides ample room for growth, and enables businesses and government agencies to expand their IT infrastructure in a single location. Future development of the campus (Phases II & III) will accommodate 200,000+ square feet of data center space and administrative support buildings. This expansion will utilize more than 50 additional acres of adjacent land under option, and allow quick scalability.
Does Mineral Gap vet every employee and vendor on its site?
Our data center security procedures require that only Mineral Gap-approved personnel and equipment be admitted into the facility. This protects all customers — as well as Mineral Gap’s reputation. (To better understand the threat environment in which all data centers operate, we recommend reading our op-ed about the impact on the Maryland Board of Elections from hosting company ByteGrid’s Russian connection.)
What is K-rated security and is it important for me?
The U.S. State Department issues certifications — referred to as a K rating — for various types of crash barriers (such as gates, fences and bollards) to indicate how effectively they can stop a moving vehicle. The rating assumes a vehicle of 15,000 pounds and allows penetration of no more than 36 inches beyond the barrier. The rating is important for data centers, to indicate that a facility is secure from vehicle intrusions. Mineral Gap provides up to K-12 rated protection, the highest level.
What kind of anti-terrorism and perimeter control measures does Mineral Gap deploy?
Mineral Gap is constructed of high-strength, precast concrete and deploys K-rated security, which is U.S. Department of State certified anti-ram fencing, wedge barriers, a DoD anti-terrorism perimeter blast berm and counter-IED protective measures. The facility’s dedicated force of armed security personnel is on duty 24/7/365, staffing an advanced tactical command center and extensive video and counter-surveillance systems. All Mineral Gap staff undergo extensive vetting and training. Biometric and key card multi-factor authentication provide strict access control all the way to the cage level.
Is DP Facilities (Mineral Gap) a GSA IT 70 Schedule contract holder?
Yes. GSA Contract Award GS35F085GA is available for the provision of services under SIN 132 51 – Information Technology Professional Services, and SIN 132 52 – Electronic Commerce and Subscription Services. Per GSA regulations, state and local government clients may also utilize Schedule 70 award pricing at Mineral Gap.
What do SSAE 16 SOC 1 and SOC 2 mean and why are they important?
SSAE, the acronym for Statements on Standards for Attestation Engagements, promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), is an auditing standard for service organizations. SSAE 16 reporting helps service organizations comply with the Sarbanes-Oxley Act’s Section 404 requirement to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting. A Service Organization Control 1 (SOC 1) is a report on controls at a service organization, which are relevant to user entities’ internal control over financial reporting. A SOC 1 report validates a service provider’s level of commitment to its clients.
A Service Organization Control 2 (SOC 2) report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. SOC 2 is specifically designed for service providers that store customer data in the cloud, which necessarily means SOC 2 applies to nearly every “…-as-a-service” company. Before 2014, cloud service providers had to meet only SOC 1 (SSAE 16) compliance requirements. Now, any service provider storing customer data in the cloud must also meet SOC 2 compliance requirements so as to minimize risk to, and exposure of, that data. To achieve SOC 2 compliance, a service provider must establish processes and practices with required levels of oversight across its organization, which include monitoring unusual system activity, authorized and unauthorized system configuration changes, and user access levels. SOC 2 also requires service providers to set up alerts for any activities that result in unauthorized account or login access, file transfers, modification of data, controls, or configurations. More importantly, SOC 2 compliance mandates audit trails that can provide deeper insight into security breaches and suspicious activities. Last, but not least, SOC 2 requires that a service provider has the ability to take corrective action on these alerts before a massive data breach occurs.
Is DP Facilities (Mineral Gap) compliant with DFARS/NIST SP 800-171?
Mineral Gap is NIST 800 compliant and SSAE 16 and SOC 1 & SOC 2 compliant.
Does a data center need HIPAA certification?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. If the data center has plans to serve the healthcare industry, HIPAA certification is a must. Since data centers typically store, transmit or process electronic protected health information, they must comply with the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 standards and citations to meet HIPAA compliance. Thus, in order to ensure sensitive patient information is protected, a data center services provider must be HIPAA compliant.
Is HITRUST certification necessary?
The Health Information Trust Alliance, or HITRUST, is a privately-held U.S. company. HITRUST, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework (CSF), which can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. It is therefore of critical importance for data centers to be HITRUST CSF Certified.
HITRUST CSF is a widely-adopted security framework for healthcare organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations through a comprehensive and flexible framework of prescriptive and scalable security controls. Mineral Gap is HITRUST CSF Certified for its BMS, EPMS, SOC, and NOC Systems and meets key regulations and industry-defined requirements.
What is a Tier III Uptime data center?
Tier III is one of four “tiers” created by the Uptime Institute to indicate the level and type of standards a data center meets. Accordingly, Uptime Institute certifies that Mineral Gap was designed and constructed to its very rigorous Tier III standard, which includes 99.982% uptime, no more than 1.6 hours of downtime per year, and is N+1 fault tolerant providing at least 72-hour power outage protection. In fact, Mineral Gap is the first designed and constructed Tier III certified data center in the state of Virginia.
How does a “designed and constructed Tier III Uptime data center” differ from a regular Tier III data center?
Uptime Institute awards Tier Certification of Design Documents (TCDD) to data centers that achieve the highest standards for infrastructure, functionality and capacity as demonstrated on the design documents. To earn a TCDD, a facility is evaluated on mechanical, electrical, structural and site elements, and when certified the facility also receives expert recommendations to enhance Operational Stability over the long-term.
Tier Certification of Constructed Facility (TCCF) is awarded after achieving a TCDD, and it validates that a facility has been constructed as designed. This designation is awarded after careful, live system demonstrations in real-world conditions, proving the data center is capable of meeting the defined availability requirements. By ensuring a facility is built to performance capacity, Uptime Institute’s Tier Certification ensures that any deficiencies in design are identified, solved and tested before operations begin.
It should be noted that Mineral Gap was built after TCDD was awarded and then obtained TCCF upon construction — so it was Tier III certified from day one. This is important because Uptime Institute also certifies many existing buildings as meeting regular Tier III data center standards. However, the process can be more challenging when working in facilities with live loads. They need to begin with a Tier Gap Analysis rather than a formal certification effort. Tier Gap Analysis provides a high-level summary review of major Tier shortfalls, which allows the building owner to make an informed decision whether to proceed with a detailed, exhaustive certification effort.
What is FITARA and how does it affect my data center choices?
Congress passed the Federal Information Technology Acquisition Reform Act (FITARA) in December 2014. It was the first major overhaul of federal information technology (IT) in almost 20 years. FITARA, among other things, codified and built upon the requirements of its Federal Data Center Consolidation Initiative (FDCCI) to consolidate redundant federal data centers, improve the government’s cybersecurity posture, reduce federal data center energy usage, and achieve cost savings. In August 2016, in an attempt to clarify the data center objectives of FITARA, the Data Center Optimization Initiative (DCOI) was launched and tasked with, among other things, moving from “core and non-core” data centers to industry-standard “tiered” data centers, adding new optimization metrics, and continuing efforts to close data centers and report cost savings. Overall, these initiatives have vastly increased and improved federal agencies’ FITARA data center choices.
How does Mineral Gap reduce capital and operating costs for its clients?
Mineral Gap is ideally positioned to provide cost-effective data center space, thanks to its ideal location and ample power supply – up to 45 MW of power, low-cost electricity (6 cents per kWh), and an estimated PUE ratio of 1.2. This low-cost scenario enables businesses to scale their IT operations as they grow. Mineral Gap’s sophisticated design methodology, including its holistic approach to data center services, management and operations, makes it possible to pass on significantly lower capital and operating expenses to its clients.
How do data center locations affect my operations?
There are a number of factors that make a data center’s location critical to a customer’s operations. When evaluating the geographical, security and power aspects of a data center’s location, it’s critical for a customer to also consider the location’s primary and alternate offerings in this regard. The data center’s geographic location needs to be largely immune to inclement weather, seismic activity and floods that could impact mission-critical operations. The availability of inexpensive, nearby sources and/or backup sources of renewable energy, in case of an emergency, that reduce reliance on the wider power grid is key to uninterrupted operations.
While physical security is an imperative, the possibility of man-made disasters must also be considered, which is why many customers don’t want a data center located anywhere near biological labs, chemical plants and nuclear facilities, including railroad lines that might transport hazardous materials — any malfunction in any one of these in the neighborhood could be detrimental to data center operations. It’s also critical to choose a data center that is located away from major population centers and associated threat vectors. Most importantly, from a disaster recovery plan standpoint, it’s location that requires a data center to meet all of the aforementioned features to ensure smooth 7x24x365 operations.
In mission-critical industries in the commercial world, especially in the finance and banking sectors, data center locations are of utmost importance because of these sectors’ need for time-sensitive transactions, where latency of even a few milliseconds as data travels to a distant server could adversely impact operations and revenues. Mineral Gap benefits from the 4,000-mile, 160Tb-per-second Marea cable, which adds not only resiliency by bringing the cable ashore far south of the typical New York/New Jersey transatlantic hookups, but also adds massive capacity for increased connectivity for Mineral Gap customers — a huge advantage compared to other Virginia colocation data centers — since part of Marea connects to nearby high-speed fiber, thanks to the work of the Mid-Atlantic Broadband Communities Corporation (MBC) and LIT Networks.
In the healthcare sector, HIPAA regulations and the HITRUST CSF security framework require data centers to have policies and procedures in place for safeguarding electronic health information at all times, including in the event of natural and man-made disasters, which makes their location decision of paramount importance.
What is infrastructure as a service (IaaS)?
In the cloud computing world, infrastructure as a service (IaaS) is one of three fundamental layers of the cloud computing services stack, which also includes Platform as a Service (PaaS) and Software as a Service (SaaS). IaaS is an automated computing infrastructure offering, provisioned and managed over the Internet. IaaS provides virtualized computing resources on an outsourced basis to support business operations. Typically, IaaS provides hardware, storage, servers and data center space complemented by networking capabilities; it may also include software. Customers are able to self-provision this infrastructure, using a Web-based graphical user interface that serves as an IT operations management console for the overall environment. IaaS-cloud providers supply these resources on-demand from their large pools of equipment installed in data centers, which are at the core of the IaaS offering. Providers typically bill IaaS services on a utility computing basis reflecting the amount of resources allocated and consumed.
What are the benefits of colocation?
There are several benefits for businesses of any size that are considering colocation of their IT infrastructure at a data center. From a technical perspective, connectivity, reliability, security (that incorporates compliance) and scalability would be among the top considerations. As far as connectivity goes, carrier-neutral colocation providers have fully redundant network connections and typically offer access to a variety of public and private telecommunications services to meet the unique requirements of a business. When it comes to reliability, best-of-breed colocation providers have the systems, processes, and staff in place to deliver “four-nines” or more availability on an annual basis with uptime Service Level Agreements to back it up. In the era of constantly increasing cybersecurity threats, security and compliance are of paramount importance — so, in addition to all of the physical security measures enunciated above, colocation providers must be NIST 800 compliant and not only meet SSAE 16, SOC 1 and SOC 2 standards, but also standards that are critical to specific verticals, such as PCI (Finance), HITRUST and HIPAA (Healthcare), etc. Scalable and sustainable infrastructure is a key technical and business need that the premier colocation providers offer — they focus on data center and network services, which deliver the best solution in terms of rack space, power, connectivity, bandwidth (including bursting on-demand) and latency.
From a business perspective, reduced cost (both CAPEX and OPEX) is the primary benefit of colocation, which is a multi-tenant arrangement, where other companies help distribute the cost by “sharing” space. However, businesses don’t just rent space — they gain access to professional staff at a secure facility on a 7x24x365 basis and benefit from a constantly updated state-of-the-art infrastructure, which allows them to manage their data from a remote on-premise terminal. Colocation allows a business to expand its IT infrastructure to fit its needs and manage growth without having to incur capital expenditures. More significantly, colocation positions a company well to migrate smoothly to a cloud computing environment, if it wants to. Also, since most colocation facilities are based outside major metropolitan areas — which are more susceptible to various threat vectors that could significantly impact uptime — they are also the best choice for disaster recovery sites.
How does a dedicated data center compare to hybrid colo?
Most colocation providers used to offer two delivery models for providing infrastructure to wholesale customers: shared and dedicated data centers. In a shared model, the customer is allocated a portion of the total infrastructure of the facility. In a dedicated data center delivery model, the customer is allocated a fixed infrastructure that is isolated from other customers. But as hybrid cloud models, in which companies run part of their infrastructure in private clouds and run the rest in public clouds, have become increasingly popular — a hybrid colocation, or hybrid colo, option has become more relevant to these companies. They are using colocation facilities to support cloud storage and cloud computing. By using colocation with cloud services, i.e., hybrid colo, companies are able to obtain the desired combination of flexibility, scalability, security, control, reliability and cost-effectiveness that best suits their business model. The top colocation services providers offer cloud connectivity solutions that allow companies to connect to the cloud provider of their choice and thus make the hybrid colo option really attractive.
Is Mineral Gap considered an edge data center?
On the basis of Uptime Institute’s certification, Mineral Gap was designed and constructed to its very rigorous Tier III standard – so it meets the technical criteria for an edge data center. However, on a usage and applications basis, it is deployment by Mineral Gap’s various customers that will determine whether it’s functioning as an edge data center.
Can managed IT services save us time and money?
Managed service providers (MSPs) are often more cost-effective for a business than for it to maintain its own IT infrastructure using in-house staff. With MSPs, the business is paying for service, not salaries, and has access to an experienced, specialized group of IT professionals. Also, MSPs monitor and maintain your systems, including backups and security, to reduce the potential for downtime and business interruption far more effectively than your in-house team, which might not even possess the specific skills to do so. In addition, in-house IT teams come with many peripheral costs including attrition, advanced training, continued education, equipment and services, dealing with multiple IT vendors, and managing help desk platforms. By hiring an MSP, a business needs to hire and retain just a couple of talented IT staff. More importantly, more and more businesses are outsourcing enterprise applications and data storage to the cloud. Rather than managing cloud services themselves, businesses are partnering with MSPs for cloud services because doing so not only saves on hardware and software costs but also makes it easier and faster for these businesses to add new services and new users.
Also, as the need arises, a business can scale its resources up or down with the MSP to more cost-effectively manage its growth. In addition to the cost savings, outsourcing to a managed IT services provider allows a business to focus on its core revenue-generating activities and boost productivity accordingly.
Can I get managed IT services at a data center?
A data center operator’s ecosystem includes IT, telecommunications and networking infrastructure and equipment with the related technical, engineering and support staff that empowers the data center to offer managed services of various levels and types that have been highlighted above. In fact, managed IT services that are procured from a data center operator are probably more cost-efficient, reliable, secure and scalable than those obtained through a value-added reseller or systems integrator.
What is managed colocation?
In a traditional colocation, the vendor supplies the physical floor space with cabinets or cages, power and backup power, adequate cooling, physical security, network connectivity, and a host of optional features. Managed colocation offers a customer their desired level of control with the vendor assisting the customer to proactively manage its configuration. The customer may choose to rent servers and other equipment, and while the customer retains control over the design and usage of this equipment, daily management of the data center and facility are overseen by the multi-tenant colocation service provider.
How would shared IT services affect my data security?
The relationship between shared IT services and data security depends on the type of shared IT service, which in today’s cloud computing world could be IaaS, PaaS, SaaS or hybrid colo, deployed by a customer. The data security stack begins at the data center on one side to the customer on the other side and includes physical security, host infrastructure, network controls, application level controls, identity & access management, client & endpoint protection, and data classification & accountability.
So depending on the type of service, an IaaS customer, for example, would be responsible for four of seven data security stacks starting at and going outward from its premises, while the IaaS customer and cloud service provider (or data center operator) would share responsibility for data security relating to host infrastructure and network controls, and then the cloud service provider (or data center operator) would be solely responsible for physical security of the data at the data center.
In the SaaS customer example, the cloud service provider (or data center operator) would be responsible for four of seven data security stacks starting at and going outward from the data center, while the SaaS customer and cloud service provider (or data center operator) would share responsibility for data security relating to identity & access management and client & endpoint protection, and then the SaaS customer would be solely responsible for data classification & accountability at their premises.
Do I need a data center compliance checklist?
Yes, this is a critical investment that any business can make and thus it is important for any data center to be vetted using a number of different parameters per the comprehensive checklist below:
- Weather/Geographic Stability – immunity to inclement weather, seismic activity, blast and flood zones that could impact mission-critical operations
- Power Grid/Power Plants – easy availability of power, including nearby or backup sources of renewable energy, in case of emergencies, priority fueling in crisis
- Proximity to access routes and fuel storage – transportation, of men and materials, must not be an issue
- Neighborhood – no biological labs, chemical plants and nuclear facilities, including railroad lines that might transport hazardous materials, close by; located away from major population centers and associated threat vectors
- External Security – K-rated anti-ram fencing, site access, locks, gates, 24/7/365 security guards, windows, location, parking, video surveillance and motion detectors, badges, mantrap entrances, etc.
- Internal Security – biometric and key card multi-factor authentication, strict access control all the way to the cage level, advanced tactical command center and extensive video and counter-surveillance systems, 24/7/365 monitoring, security logs, stored security footage, security trained personnel
- Threat/Access Control – 100-percent owned by U.S. citizens and 100-percent based in the U.S.
- Resilient data center design – fire barriers and robust building architecture
- Modularity in floor layout, electrical and mechanical design
- Full compliance with safety regulations including fire exits
- Protection of power and networking links, and cable vaults
- Redundant power supply – isolated path power architecture
- Uninterruptible power supply with battery backup and generators
- Efficient cooling – N+2 redundancy
- Smoke, fire, humidity and flood detection
- Ergonomic shipping and installation facilities – weather-proof loading docks & storage
- Office space – for customers who might require it
Monitoring and Maintenance
- Regular maintenance and testing of data center
- Reports on system health and testing
Hardware & Networking
- Bandwidth availability/internet connectivity – multiple, redundant Tier 1 providers
- Redundant servers and storage – failover provisions at hardware and software levels
- Tiered data storage – automated progression or demotion of data across different tiers (types) of storage devices and media
- Virtualization – maximize physical server productivity via virtual machines (VMs)
- Data encryption, SSL certificates, firewalls and also virtual firewalls for VMs
- Intrusion detection and prevention systems – behavioral analysis and alerts to staff
- Scalability – for future needs
Standards Compliance & Certifications
- Tier III (designed and constructed)
- HITRUST CSF
- SSAE 16 SOC 1 & SOC 2
- PCI DSS
Contracts & SLAs
- Uptime & Reliability
- Response time and escalation paths
- Monitoring of SLAs – in multi-tenant environment
Disaster Recovery Options
- Recovery Point Objective (RPO) and Recovery Time Objective (RTO) needs
- Customer Service – 24/7/365, speedy registration & resolution of support requests, trouble tickets, and alarms
- Customer Satisfaction – testimonials and customer references