Look and Listen before Leaping to the Cloud

Steve Bailey, Regional Operations Director, CommVault Systems

Steady growth in the cloud services sector reflects the rapid pace at which companies are moving all or portions of their computing, applications and data storage requirements to this emerging destination. According to Gartner, the industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion. More and more organizations across the Middle East are discovering the benefits of cloud computing and are looking to embrace the cloud.

Early adopters of cloud technologies have viewed the migration as a business imperative, despite the potential dark lining of service outages and exposure to security and privacy risks. It’s clear, however, that cloud service providers understand the initial hesitation that companies are experiencing in trusting crucial information assets to them and they continue to work diligently to assuage concerns with stringent Service Level Agreements (SLAs) addressing uptime, privacy and security.

Headline-grabbing stories about Intuit’s and Google’s recent prolonged service outages only reinforce that disruptions in the cloud can and will occur, which means that service quality and data availability will persist as front-and-center issues. While encryption remains the baseline for securing data when moving to the cloud, there are other questions that should be asked about how data is migrated and accounted for as well as additional risks that must be addressed before entering into a relationship with any cloud service provider.

Steve Bailey, Regional Operations Director, CommVault Systems says that there’s also a set of equally important issues starting to surface in conversations about cloud-related risks. While they may not be grabbing headlines yet, there are far-reaching ramifications, which necessitate ongoing discussions and concerns. Savvy IT leaders are beginning to understand they must look beyond the “big three”–outages, privacy and security–when weighing cloud computing risks. Now more than ever, careful evaluation and forming partnerships with other organizational stakeholders are essential for understanding and mitigating risks relating to records management, eDiscovery, jurisdictional issues and exit strategies.

Records Management: Data Retention & Destruction
One of the overarching benefits of moving information to the cloud is the opportunity to greatly simplify and streamline data management. To date, companies have focused on ensuring data integrity and availability, but haven’t spent much time considering the requirements of information retention and destruction.

This area requires collaboration between corporate IT and legal departments to understand and articulate specific data keeping and disposal needs, especially since the contracts of many cloud service providers are standard cookie-cutter agreements. Also, remember that cloud providers are in the business of collecting data, not purging it. The topic of data destruction often doesn’t come up, but it should.

Moving to the cloud is supposed to make data management easier, yet managing data retention in this new frontier can be more complicated and difficult than handling in-house. Cmpanies need to find out what their options are and how the provider deals with records management.

In some cases, such as dealing with a SaaS cloud service model, retention and destruction might be integrated into the offering. Many SaaS-based email providers include policies for deleting email after one year. In other cases, it’s possible to manage data retention through the organization’s backup software. Regardless of approach, the customer needs to play an active role in setting both data retention and destruction policies.

eDiscovery: Data Preservation, Collection and Production
Cloud computing also can make searching, accessing, collecting and preserving electronically stored information (ESI) more laborious, complicated and risk prone when compared to handling processes internally. In addressing this area, enterprise IT departments need to engage their legal counterparts for guidance and advice on how discovery in the cloud is different than storing boxes offsite at, say, Iron Mountain.

As with records management, the type of cloud service will impact the level of functionality. For example, if an organization is leveraging the cloud simply as a storage repository, the likelihood of being able to search the data is greatly reduced. If the organization is using a SaaS cloud service, however, there’s a greater chance of being able to perform searches and content indexing to support discovery demands. In evaluating these capabilities, it’s important to ask about the tools offered by the cloud provider. In some instances, the organization will be able to use a combination of internal and external tools to facilitate data search and identification.

Another important question entails understanding the authenticity and admissibility of cloud-based data. When data is moved to the cloud, for example, does ownership of the data change and are an organization’s rights to the “clouded data” any different than if it was stored locally?

Also, how is data authenticity evaluated and monitored? It’s critical to maintain data in its original format, but sometimes moving to the cloud creates changes in metadata and file names. This can cause serious complications and companies should determine whether it’s possible to audit the data to demonstrate that it’s still available in its original format.

In the legal world, the ability to apply “legal holds” is essential to preserving data as part of an evidence management strategy. This process can become more complicated when dealing with cloud-based data and therefore requires additional due diligence before signing with a cloud service provider. Foremost, organizations need to understand if data must be restored to the customer site in order to place a legal hold or if it’s possible to apply the hold while the data still resides in the cloud. Above all, ensure that no action is taken by the cloud provider that could lead to spoliation, which would likely result in sanctions or other costly legal results.

eDiscovery issues in the cloud will continue to gain ground as the inability to produce data in the manner and timeframe required by a court during any litigation proceeding can yield dire consequences, including stiff fines, negative inferences and sanctions. The best way to avoid this slippery slope is to engage legal experts and stakeholders early in the process so any potential eDiscovery pitfalls can be pinpointed.

Jurisdictional Issues: Where Data Resides Counts
Jurisdiction is an often forgotten area that needs to be addressed on two levels. For starters, companies must ensure that their cloud service provider operates in accordance with whatever laws pertain to a particular location where data might be stored. Next, consider the nature of the data, especially if a U.S. cloud provider is retaining data or emails that belong to foreign nationals.

Cross-border issues extend beyond the owners of the data to the physical location of a cloud provider’s file servers. Since many providers house data in multiple data centers around the world, it’s prudent to find out the location of each center as privacy laws will differ.

Exit Strategies: Getting Data Back
Perhaps the most overlooked area is what happens when an organization wants to leave the cloud or migrate to a different service provider. There are countless scenarios for why a company should develop an exit strategy upfront.

To date, cloud service providers haven’t focused much in this area and it’s reasonable to expect they may be reluctant to address this topic, but it’s crucial to understand the process of returning data to the customer. In some cases, it may be possible to move data from Vendor A to Vendor B directly. In both cases, there are cost and timeframe considerations as well as potential risks that require attention and legal advice.

It’s advisable to avoid boilerplate contracts that don’t permit customization or modification. Organizations should exercise caution before moving mission-critical data to the cloud as they too can be impacted severely.

Dig Deep in Mitigating Cloud-Related Risks
Because of potential reputation-damaging publicity, expect service providers to focus first and foremost on minimizing widespread service outages while adopting policies and procedures for reducing privacy and security risks. What’s less likely to grab headlines are the isolated instances when a cloud customer can’t retrieve its data and is forced to deal with a sanction that costs hundreds of thousands of dollars.

For that reason and all the others described here, it’s imperative for IT organizations to begin vetting the less-publicized yet equally impactful risks posed by moving data to the cloud.  In the meantime, both large and small enterprises share responsibility for making sure all areas of concern are addressed to ensure a move to the cloud increases business benefits, not liabilities.

Since everyone knows that the best defense is a strong offense, companies seeking to reduce their cloud-related risks need to look and listen to legal before they leap. Bringing an organization’s IT and legal forces together for a meeting of the minds is a good first step.


Negotiating Service Level Agreements
Establishing Service Level Agreements (SLAs) should be a critical part of any negotiations with a cloud service provider. Establish clear rules regarding the following for your data in the cloud:

•Physical location
•Degree of acceptable co-mingling
•Recovery time

Do not leave anything to be discussed later. The best time to negotiate is during the “courtship.”