Take Steps to Protect Company Data Held By Third Parties

May 11, 2011

Cloud computing is helping to reshape the information technology landscape. Unfortunately, it may also be injecting considerable operational risk that may not be readily understood or appreciated by business owners and executives.

The recent failure of Amazon's Elastic Compute Cloud service is a wake-up call for companies that have already migrated data to the cloud, or those that plan to do so in the near future. As this case shows, cloud computing platforms can -- and do -- fail.

The Basics of Working
 In the Cloud

    Instead of installing software or hardware within the company's information technology infrastructure, cloud computing allows companies to access a shared pool of data resources using web based applications. Cloud computing comes in three forms:
    Software as a service or SaaS - Software and data resides within the service provider's environment. Data is accessible via most web based portals. Data back up and security protocols typically reside with the service provider. (This is sometimes called "on demand software.")
    Platform as a service or PaaS - Provides users access to a development platform where the development tool resides on a third party's servers.
    Infrastructure as a service or IaaS - A company uses a third party's information technology infrastructure, including storage, hardware, and servers. (This is sometimes called "hardware as a service.")

How Cloud Computing Affects E-Discovery 

    Moving data to a cloud platform can significantly complicate the e-discovery process. A cloud provider may be called on to provide vast volumes of data connected to a legal matter before the courts. The provider must be able to demonstrate the following in order to avoid questions regarding the completeness and accuracy of the data provided on your company's behalf:

    Data must be protected and only those with authenticated credentials are granted access.
    All of the data that a company has provided to the cloud provider must be easily identifiable and readily available to be collated for production during the e-discovery process.
    Data cannot be materially altered or deleted during the discovery process. Assurances should be given that historical data is archived and marked as "read only."
    Your company's document retention policies are adhered to and the cloud computing company can provide evidence that documents are being retained in a manner consistent with those policies.
    The applicable laws and regulations governing the data must be complied with at all times. For example, medical data must be stored in a manner consistent with the Health Insurance Portability and Accountability Act (HIPAA).

Consult with your attorney to ensure that a cloud computing provider has the appropriate internal policies and procedures in place to comply with an e-discovery request.

Here are some steps to consider:

1. Estimate the impact of a failure. It's a good time for some companies to estimate the cost of a cloud platform failure and prepare for it. Preparing for a failure requires additional investment. To justify that investment, your company should prepare an estimate of how the failure could impact its financial performance. Here's how:

    Some companies build their cost estimates on a per-minute basis. For example, most cloud computing providers provide a service level commitment as a percentage of the year. If a cloud computing provider states that their service level commitment is 99.99 percent, that translates to data being unavailable for 53 minutes each year. (However, as the Amazon failure shows, what is promised and what actually occurs can be drastically different.)
    For each minute that the data is unavailable, your company will lose revenue and incur incremental costs. Should the data be unavailable for hours or even days, it is easy to see how the financial impact can be significant.

2. Have a back-up in place. Depending on your situation, it may be worthwhile to invest in a "back-up cloud" in case the primary cloud fails. Alternatively, it may be possible to revert to your company's existing infrastructure. Ask your cloud provider to share the contingencies it has in place in the event that a cloud data center fails.

3. Look into whether insurance is an option. Your insurance carrier may be able to provide insurance coverage for cloud outages. The expense may be justifiable if the anticipated financial impact of a cloud failure is in excess of the annual insurance premium.

Cloud computing typically provides a far more flexible solution than traditional information technology infrastructure as well as significant cost savings. However, since the cloud computing customer does not own, manage or control the infrastructure, there are a host of issues that companies must evaluate before they "hop onto a cloud."

Consider the following list of potential issues to address with your cloud computing providers:

    Information that might be here today, gone tomorrow. There is an assumption that data online will remain accessible for as long as needed. Yet, for that assumption to be true, the cloud computing company must frequently back up your company's data. Mistakes can, and do happen. What steps are in place to ensure that your company's data is backed up on a daily basis? How does the cloud computing vendor ensure that new data replaces old data and not vice versa?

    Data availability. There are few issues that annoy users more than not being able to access their data. Before data is moved to the cloud, make sure you have an agreement on data availability documented in a service level agreement (SLA). The SLA should include the associated penalties if the data becomes unavailable. The penalty for breaching the SLA is typically specified by the cloud computing service provider. However, depending on the number of cloud computing users in your company, it may be possible to negotiate a significantly higher penalty. The penalty should be significant enough to ensure that the cloud computing partner has an incentive to deliver the agreed-upon level of service. Setting the penalties too high will result in the cloud computing company refusing to sign the agreement, or failing to pay if it is breached.

    What happens when a data breach occurs? How will your organization and the cloud company respond in the event that a third party, a cloud company employee or one of your employees steals data? It's a good idea to document the entire investigation process, including how and when companies will share data. Do this before an issue occurs, not during the event.

    Employee education. Once data resides in the cloud, employees will be able to access company data wherever there is an Internet connection. Before cloud computing goes "live," educate staff members about the dangers of accessing company data in public places, such as coffee shops, airports, or Internet cafes. This is just as important as reminding employees to protect their company network log-in credentials. Special attention should be given to "phishing" e-mail messages that routinely trick employees into providing their log-in information and passwords. Phishing e-mails may appear to be from the cloud company's administrator when they are actually sent by fraud rings attempting to steal data.

    Data discovery processes. Electronically stored information (ESI) is routinely requested in civil and criminal proceedings. Before migrating data to the cloud, there must be a clear understanding of the processes that the cloud computing company has in place to respond to ESI discovery requests. In the event that your company is required to produce ESI, it should be a smooth process that provides data in a timely manner and creates no doubt that the data is complete and accurate.

    Make a clean break. If your company decides to change cloud computing providers, there must be a clearly defined process to transfer the data from one provider to another. Make sure you receive confirmation that the data that once resided on the previous provider's cloud computing servers has been destroyed in a secure manner and is no longer accessible.

    Stay on top of evolving cloud computing legal issues. With the introduction of new technology, the legal environment often takes time to catch up and provide definitive guidance. As costs continue to decrease and more companies migrate their data from their own walls to the cloud, the pace of legal requirements will likely increase. Consult with your attorneys about staying up-to-date on cloud-related legal developments.

Migrating "mission critical" data to the cloud environment means trusting a third party. Such trust must be well placed. Cloud computing has the potential to dramatically reduce your organization's information technology costs. However, failing to identify potential pitfalls that are inherent in a cloud computing relationship can result in unexpected costs that can far exceed the short-term cost savings.

Read more: http://www.bizactions.com/n.cfm/page/e105/key/166348365G817J1851686P0P10174993T0/#ixzz1M4EKFD30

Return to Newsletter Archive