How are your datacentres managed? Which ones can you continue to use and which ones should you leave? A datacenter audit is used to identify vulnerabilities that could compromise corporate IT at the most sensitive location in the future. How did the search for Achilles heel in Fortuna turn out?

questions evaluated

"At Fortuna, we had a strategic plan to use our current portfolio of datacentres. The audit reports and ORBIT's transparent assessments have given us confidence that the level of datacentres hosting our key applications and customer data are adequate for the availability and resilience required for the services we offer."
Martin Berdych, Group Head of IT, Fortuna Entertainment Group
Fortuna: What did the datacentre audit reveal? | ORBIT

Source: Penta Real Estate

Why audit your datacenter?

Company Fortuna Entertainment Group a. s. (FEG) is the largest Central and Eastern European fixed-odds betting and gaming operator. At the time of the project launch, it operated in five European countries, using the services of nine data centres (DCs) simultaneously. 

The objective of this project was not a conventional audit report (IT assessment), which Fortuna has had worked out several times in the past. This time ORBIT had to judge, whether it is appropriate to continue to operate all nine DCs.

A key aspect was the question of using datacenters for application units in terms of criticality and content. By "decommissioning" DCs that do not meet the requirements, Fortuna will be able to prevent outages of its business services. 

What exactly were we expecting?   

  1. Gathering all the important contracts with DC operators 
  2. Summary data on all datacenters 
  3. Processing standardized audit document templates  
  4. Tens of calls and thousands of kilometres across lockdown-ridden Europe 
  5. Retrieved from audit reports including recommendations on which DCs Fortuna should continue to use and which to abandon 

What does a datacenter audit entail

Each datacenter has its own specifics on which the security of its operation depends. Simply, we divide them into IT and non-IT parts. Fortuna's assignment concerned only non-IT auditwhich assesses, for example:

  • the specifics of the country where the datacentre is located (political system, climatic and geographical risks),
  • specific location (character of surrounding buildings, transport infrastructure),
  • the type of building itself (age of the building, original purpose, accessibility),
  • the type of technology used (cooling, UPS, generators, data and cable distribution),
  • security of halls and racks (monitoring and control of access to rooms, verification processes, separation of technical and office part from the DC itself, fire zones, water distribution, electrical power supply, cooling),
  • DC connectivity (compared to contracted services),
  • DC monitoring,
  • SLA systems.

Our audit document for each DC ultimately consisted of 19 sections with 194 questionswhich in effect meant 1552 rated points for all data centres.

Although these are not low numbers, the biggest obstacle to the successful implementation of the project was covid-19. It was not possible to personally visit all DCs due to government restrictions in each country. Meanwhile, remote video tours have their limits.

After the relaxation of the anti-epidemic measures, we verified by a personal visit that rigorous physical verification of objects, their equipment and on-site processes are of much more value than simply checking DC documentation by video inspection.

What did we find out?

Datacentre structure | ORBIT

Datacentre structure

What is written is given... or is it?

After a few months, to the delight of the client, we found that most of Fortuna's data centres is managed professionally - adheres to expected procedures and safety criteria for DC operations.

Where did we find differences between the declared parameters on paper and reality?

  • Testing datacenter components
    It's reportedly taking place in all of DC. However, at times staff could not agree on how often it occurs, when the last one took place and where documentation is stored.
  • Generator Testing
    "You write that a test of the functioning of the electricity generators is carried out every week. Which day of the week is it?"
    "Well, Wednesday... Tuesday, actually... No, Thursday!"
  • Refuelling
    "And the fuel is refueled how? How does the tanker get to the diesel tanks?"
    "We don't know. Probably somewhere behind the building, where the dumpster is."
    Although everything looked perfectly fine on paper, it is clear from the answers that the people in charge do not know how to refill the main diesel tank, even after five years of DC operation.
  • There is no TIER like TIER
    If something is designed in a certain way, it does not mean that it was built (or completed) that way. With one exception, all datacentres stated that they were built to a TIER III design. While a few DCs also met the TIER IV requirements, some datacenters did not meet the design requirements and therefore did not fully meet the TIER III design.

Datacentre audit as a basis for further decision-making

The uniform standardised evaluation of datacentres has provided Fortuna with important guidelines for further development. The audit reports showed that three of the nine DCs stood up well, three with minor complaints, two with major ones and one site we didn't even consider to be a DC.

On this basis, we were able to make an informed recommendation to Fortuna, which data centres it can continue to use and which should leave.