Steady growth in the cloud services sector reflects the rapid pace at which companies are moving all or portions of their computing, applications and data storage requirements to this emerging destination. According to Gartner, the industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion.
This groundswell of enthusiasm for cloud computing is not unwarranted as the benefits are extremely compelling. The opportunity to reduce IT costs dramatically as well as boost operational efficiency, corporate collaboration and business agility are major drivers. Additionally, emerging service options offer a plethora of choices, encompassing Infrastructure as a Service (IaaS), as provided by Amazon web services, Rackspace, Nirvanix and others; Platform as a Service (PaaS), by outlets including Microsoft Azure and Google Apps; and Software as a Service (SaaS), from such providers as Salesforce.com and CaseCentral.
Early adopters of cloud technologies have viewed the migration as a business imperative, despite the potential dark lining of service outages and exposure to security and privacy risks. It’s clear, however, that cloud service providers understand the initial hesitation that companies are experiencing in trusting crucial information assets to them and they continue to work diligently to assuage concerns with stringent Service Level Agreements (SLAs) addressing uptime, privacy and security.
Headline-grabbing stories about Intuit’s and Google’s recent prolonged service outages only reinforce that disruptions in the cloud can and will occur, which means that service quality and data availability will persist as front-and-center issues. While encryption remains the baseline for securing data when moving to the cloud, there are other questions that should be asked about how data is migrated and accounted for as well as additional risks that must be addressed before entering into a relationship with any cloud service provider.
There’s also a set of equally important issues starting to surface in conversations about cloud-related risks. While they may not be grabbing headlines yet, there are far-reaching ramifications, which necessitate ongoing discussions and concerns. Savvy IT leaders are beginning to understand they must look beyond the “big three”—outages, privacy and security—when weighing cloud computing risks. Now more than ever, careful evaluation and forming partnerships with other organisational stakeholders are essential for understanding and mitigating risks relating to records management, ediscovery, jurisdictional issues and exit strategies.
Records Management: data retention and destruction
One of the overarching benefits of moving information to the cloud is the opportunity to greatly simplify and streamline data management. To date, companies have focused on ensuring data integrity and availability, but haven’t spent much time considering the requirements of information retention and destruction.
This area requires collaboration between corporate IT and legal departments to understand and articulate specific data keeping and disposal needs, especially since the contracts of many cloud service providers are standard cookie-cutter agreements. Also, remember that cloud providers are in the business of collecting data, not purging it. They make it extremely easy to add capacity, which encourages organizations to keep everything. The topic of data destruction often doesn’t come up, but it should.
Moving to the cloud is supposed to make data management easier, yet managing data retention in this new frontier can be more complicated and difficult than handling in-house. For that reason, companies need to find out what their options are and how the provider deals with records management. For instance, understanding how a provider applies multiple retention policies is key, as is their approach for purging certain data sets according to a mutually agreed upon schedule.
In some cases, such as dealing with a SaaS cloud service model, retention and destruction might be integrated into the offering. Many SaaS-based email providers include policies for deleting email after one year. In other cases, it’s possible to manage data retention through the organization’s backup software. Regardless of approach, the customer needs to play an active role in setting both data retention and destruction policies while working closely to understand the legal ramifications and risks if these policies are violated, even inadvertently.
eDiscovery: Data Preservation, Collection and Production
Cloud computing also can make searching, accessing, collecting and preserving electronically stored information (ESI) more laborious, complicated and risk prone when compared to handling processes internally. In addressing this area, enterprise IT departments need to engage their legal counterparts for guidance and advice on how discovery in the cloud is different than storing boxes offsite at, say, Iron Mountain.
As with records management, the type of cloud service will impact the level of functionality. For example, if an organisation is leveraging the cloud simply as a storage repository, the likelihood of being able to search the data is greatly reduced. If the organization is using a SaaS cloud service, however, there’s a greater chance of being able to perform searches and content indexing to support discovery demands. In evaluating these capabilities, it’s important to ask about the tools offered by the cloud provider. In some instances, the organization will be able to use a combination of internal and external tools to facilitate data search and identification.
Another important question entails understanding the authenticity and admissibility of cloud-based data. When data is moved to the cloud, for example, does ownership of the data change and are an organization’s rights to the “clouded data” any different than if it was stored locally? Also, how is data authenticity evaluated and monitored? It’s critical to maintain data in its original format, but sometimes moving to the cloud creates changes in metadata and file names. This can cause serious complications, especially if companies no longer have access to the same metadata as when the data was stored locally. If information is altered when moved to the cloud, companies should determine whether it’s possible to audit the data to demonstrate that it’s still available in its original format.
In the legal world, the ability to apply “legal holds” is essential to preserving data as part of an evidence management strategy. This process can become more complicated when dealing with cloud-based data and therefore requires additional due diligence before signing with a cloud service provider. Foremost, organizations need to understand if data must be restored to the customer site in order to place a legal hold or if it’s possible to apply the hold while the data still resides in the cloud. Above all, ensure that no action is taken by the cloud provider that could lead to spoliation, which would likely result in sanctions or other costly legal results.
eDiscovery issues in the cloud will continue to gain ground as the inability to produce data in the manner and timeframe required by a court during any litigation proceeding can yield dire consequences, including stiff fines, negative inferences and sanctions. The best way to avoid this slippery slope is to engage legal experts and stakeholders early in the process so any potential eDiscovery pitfalls can be pinpointed.
Jurisdictional Issues: Where Data Resides Counts
Jurisdiction is an often forgotten area that needs to be addressed on two levels. For starters, companies must ensure that their cloud service provider operates in accordance with whatever laws pertain to a particular location where data might be stored. Next, consider the nature of the data, especially if a U.S. cloud provider is retaining data or emails that belong to foreign nationals as Europe has much stricter privacy laws.
Universities across the U.S. have been among the earliest adopters of cloud computing technology with many migrating thousands of student emails to the cloud to lower capital IT costs and resources. Success stories abound on how outsourcing email has enabled institutions to support the increased needs for campus-wide communication and collaboration. What is less publicized, but still an unfortunate reality for some schools, is the additional risk of outsourcing email for faculty and students who are European residents. The European Union (EU) has much stricter privacy laws than the U.S., which could require seeking permission from the parties prior to engaging a third-party to handle their email.
Cross-border issues extend beyond the owners of the data to the physical location of a cloud provider’s file servers. Since many providers house data in multiple data centers around the world, it’s prudent to find out the location of each center as privacy laws will differ. Again, the underlying goal is to minimize exposure, and jurisdiction is an area that can trigger legal, regulatory and compliance risks and concerns.
Exit Strategies: Getting Data Back
Perhaps the most overlooked area is what happens when an organization wants to leave the cloud or migrate to a different service provider. There are countless scenarios for why a company should develop an exit strategy upfront, including avoiding exposure if the cloud provider goes bankrupt as well as ensuring all cloud data can be returned or migrated to another provider.
To date, cloud service providers haven’t focused much in this area and it’s reasonable to expect they may be reluctant to address this topic, but it’s crucial to understand the process of returning data to the customer. In some cases, it may be possible to move data from Vendor A to Vendor B directly. In both cases, there are cost and timeframe considerations as well as potential risks that require attention and legal advice.
Not all cloud service providers are equal, and some may be more willing to negotiate on these areas of concern. It’s advisable to avoid boilerplate contracts that don’t permit customization or modification. Clearly, the bigger the customer, the more power is brought to the negotiating table. Still, even smaller organizations should exercise caution before moving mission-critical data to the cloud as they too can be impacted severely.
Dig Deep in Mitigating Cloud-Related Risks
Because of potential reputation-damaging publicity, expect service providers to focus first and foremost on minimizing widespread service outages while adopting policies and procedures for reducing privacy and security risks. What’s less likely to grab headlines are the isolated instances when a cloud customer can’t retrieve its data and is forced to deal with a sanction that costs hundreds of thousands of dollars.
For that reason and all the others described here, it’s imperative for IT organizations to begin vetting the less-publicized yet equally impactful risks posed by moving data to the cloud. In the meantime, both large and small enterprises share responsibility for making sure all areas of concern are addressed to ensure a move to the cloud increases business benefits, not liabilities.
Since everyone knows that the best defense is a strong offense, companies seeking to reduce their cloud-related risks need to look and listen to legal before they leap. Bringing an organization’s IT and legal forces together for a meeting of the minds is a good first step. Together, this cross-functional team can take a holistic view of the company’s data before creating a detailed strategy that ensures any move to the cloud increases corporate efficiencies and processes without creating bottlenecks or risks.
Negotiating Service Level Agreements
Establishing Service Level Agreements (SLAs) should be a critical part of any negotiations with a cloud service provider. Establish clear rules regarding the following for your data in the cloud:
ü Physical location
ü Degree of acceptable co-mingling
ü Recovery time
Do not leave anything to be discussed later. The best time to negotiate is during the “courtship.”