Cloud Computing: Considerations for Data Safety
Sep 13, 2010 QuickCounsel
One of the most comprehensive shifts in information technology over the past decade is the emergence of cloud computing as a strategy for IT systems management. Cloud computing puts the company's mission-critical data and intellectual property in the hands of a third party. The legal team can help company leadership better understand the risks and considerations associated with cloud computing and how the organization may be protected from legal, operational, and compliance perspectives in a cloud computing relationship. Following is a brief summary of issues to consider, including data security; regulatory considerations regarding data location; back-up and archiving procedures; how the vendor will be able to integrate with the organization's records management and e-discovery needs; and an exit strategy for when the relationship terminates.
Cloud computing is very broadly defined as location-independent, ubiquitous computing and storage on demand. The National Institute of Standards and Technology provides a more detailed definition. There are three major forms of cloud computing:
Depending on the service model used, the organization may face different considerations for back-up/archive, records management, and e-discovery.
It is essential to ensure the service provider's security and authentication architecture can be synchronized with the organization's internal security model. In most cases, organizations are not outsourcing all IT systems to the cloud, but rather a small subset of those systems, such as email or document management. Some applications are easier to manage in this manner than others. Email is easier to control because there is usually a specific, named account per user. Content management systems or shared drives are more difficult to synchronize, because access may be at group or department levels.
Data Location and Incident Response
The location of data is the most complex aspect of the cloud computing model. Before entering a cloud computing arrangement, it is critical to know where data will physically reside, and if, due to its location, there are regulatory or legal requirements to which the data is subject, and to make certain the cloud provider has the capability to deal with these issues. The following are examples only, and not intended as an exhaustive list of all data privacy laws that may be relevant.
Back-up and Archive
Organizations should be aware of the parameters and the eventual resting place for the backed-up and archived data. The cloud vendor or the data owner may govern the archival methods, depending on the application.
A good records management program requires the controls described above, plus adherence to a retention schedule. Failure to destroy data on a scheduled routine basis (except for data subject to "legal hold") can lead to additional costs and legal exposure. An audit process can help verify that the provider is actually deleting and digitally shredding when required by a retention schedule. An audit process should validate not only the contractual arrangement but also the vendor's processes for disposition of information. The level of audit will depend upon the nature of the arrangement between the organization and the cloud vendor. In a SaaS relationship, some responsibility may fall under the control of the provider. For IaaS or PaaS arrangements, the organization is typically in charge and executes controls at an application level. The organization's IT experts may therefore be the ones to set these parameters.
Controls and processes established at the beginning of the relationship governing records management also affect the stages that follow, including identification, preservation, and collection of data.
Understanding the cloud provider's capabilities regarding data search tools before moving to a hosted model will avoid problems in the future. Will these tools be available from the provider, and at what cost? For example, basic search may be available at no cost, with additional charges for using more robust tools like Autonomy's IDOL or Google Enterprise Search. If the organization has search tools already licensed, can it use them on cloud-based data sets? Are there custom data types that require additional capabilities (e.g., searching into image text with optical character recognition (OCR) technology)?
Preservation and Collection
Legal hold: It is important to understand the provider's legal hold capabilities. Does the cloud provider's staff (and the organization's IT staff) have the ability to lock down content in place and manage complexities such as multiple overlapping holds? Does the cloud environment support the interaction between records management and e-discovery such that disposition schedules do not override legal holds? At the very least, does it not interfere with that interaction? If this is not the case, it may be necessary to bring the collection set into a fully controlled repository at this point in the lifecycle.
Delegated authority: In the event the organization uses third parties to perform collections and review, the cloud provider should be able to give them securely administered access to data from a geographically separate location.
Exit Strategy from Vendor
Because of the large amounts of data potentially involved, planning an exit strategy can help alleviate future problems. Termination provisions should be negotiated with the vendor at the beginning of the relationship. Negotiation should include items such as:
Cloud computing is an evolving arrangement for IT systems management. A shift to a cloud computing model forces organizations to confront new issues in data security as well as familiar issues that have been around for decades. The GLD Button to the right offers a checklist of some questions an organization should ask.