Geo-redundant data center should be at least 200 km away

Back in December, the German Federal Office for Information Security (BSI) published version 1.0 of the “Criteria for the location selection of highly available and geo-redundant data centers”.


Distance between geo-redundant data centers
… data centers providing geo-redundancy should have a minimum distance of approx. 200 km to each other. If a significantly smaller distance is unavoidable in individual cases, this necessity must be explained in detail in writing and subjected to a risk analysis. Under no circumstances should geo-redundant data centers be less than 100 km apart.

This could have significant consequences for companies in the financial services industry, because BaFin (the Federal Financial Supervisory Authority) usually follows BSI recommendations. The previous recommendation of 5 km has been drastically increased, which can mean the end of existing redundancy concepts at banks and insurers.

The reason given by the BSI is that future threats cannot be predicted with sufficient certainty. The text says:

In principle, the distance between data centers that provide geo-redundancy must be based on the basic idea mentioned in the introduction to this chapter. However, since it is not possible, especially by looking at the past, to predict future potentially harmful situations and events with sufficient certainty…

The BSI is alluding to natural events that could cause both data centers to fail at the same time. These include storms, volcanic eruptions, major fires or tsunamis; accidents in nuclear reactors are also among the risks.

Many data center operators follow the recommendations of the BSI voluntarily in order not to expose themselves and their customers to unnecessary risks. Some sectors, such as the financial services sector, are required by BaFin to adhere to these recommendations. For operators of critical infrastructure, which includes banks, the requirements are tightened. More information on critical infrastructures can be found at Kritis.

One can only guess what impact these new recommendations will have in detail. The choice of location alone becomes a very big challenge. If a data center is located in Frankfurt, for example, then the redundancy location can no longer be located in Nuremberg, Essen, Cologne, Stuttgart, etc. The map below shows this very clearly. The situation around Munich, Hamburg and Berlin is similar.

 


200 km radius around the Frankfurt data center

Companies that operate their data centers themselves will face the greatest challenges. A migration to a new location is unavoidable for some, which entails immense costs and ties up internal IT for a long time. The alternative is to outsource the data centers to a data center provider who can show the relevant certifications and security standards.

The ISO 27001 certified centron data center in Hallstadt near Nuremberg is far enough from large areas of Germany to also meet the new recommendations of the BSI regarding the choice of location for a geo-redundant data center. The following map illustrates this:

 


100 km radius away from the centron data center

Further developments will be exciting. The GDPR was only recently introduced and now the BSI is following up with this new recommendation. If you have any questions regarding geo-redundant data centers, we will be happy to answer them. Feel free to contact us without obligation.