There are many ways to leverage the cloud. Some can make you a hero, others can be disastrous. To understand both scenarios, it helps to look at how others are using the cloud. According to a recent Cloud Computing Magazine article by Mike Chase, J.D., executive vice president and chief technology officer for the cloud service provider dinCloud, some of the top trends are:
- Virtual offices for disaster recovery – Companies intent on staying in business no matter what are leveraging the cloud to relieve concerns about the effects of such emergencies as environmental disasters, global terrorism, criminal activity (internal and external), and shifting legal/political landscapes. Setting up virtual offices with servers, desktops, file shares, and everything synced to the cloud can make business continuity easier.
- Desktop as a service – The cloud can offer so much more than the typical enterprise desktop. There are fewer licensing headaches, and the cloud may have functionality that is not available at the enterprise level.
- Regulatory relief – “Cloud has become the best way to meet new regulatory challenges because regulatory requirements around physical facilities hosting sensitive customer data can be a real drain on time/money/resources,” stated Chase. “Security guards, cameras, logs, man-traps, cages, availability, become a real headache.”
- Security – Cloud-based security can be licensed monthly and is scalable. There also is a huge marketplace of cloud-based tools from which to choose. Leveraging the cloud can provide a depth of security not possible at the enterprise level.
- Mobile – The cloud makes it easy to tie servers, desktops, and cloud storage to an existing Microsoft Active Directory, keeping full policies and permissions intact across most, if not all, mobile devices.
Despite the advantages listed above, leveraging cloud services requires organizations to address a number of information governance (IG) concerns to ensure that their information is available, protected, and managed in compliance with their unique requirements. Here are a few of those concerns:
- Contracts with cloud service providers should ensure that information is readily available when needed. Find out what the provider’s guaranteed uptime availability is and what it is doing to prevent access outages, such as mirroring servers at different locations and alternate Internet routing for network outages.
- Contracts should stipulate that the organization, not the cloud service provider, owns the information stored with the cloud provider. Most organizations assume they own their data, but that is not always the case, nor is it necessarily straight-forward. They must know the answers to these questions: If a contract is canceled or not renewed, does the organization get its data back and how quickly? If there is a contract dispute, can the service provider hold the organization’s data hostage? What happens in the event the provider goes bankrupt or is acquired by another organization?
- While cloud providers can provide additional layers of security as noted above, organizations shouldn’t assume the security is more stringent; they must conduct due diligence. The security of the organization’s data is completely dependent on the service provider’s policies, controls, and staff. Before contracting with the service provider, determine what these controls are and if they are as good as or better than internal controls would be.
- If organizations are placing data in the cloud that is a potential target for legal document requests (e.g., e-mail), they must have an agreement with the provider and a protocol for the provider to lock down the data (initiate a legal hold) to avoid spoliation issues and unwanted sanctions.
These are just a few of the many IG issues discussed in ARMA’s Guideline for Outsourcing Records Storage to the Cloud; the publication provides a comprehensive overview of the IG concerns organizations should address before contracting to use cloud services. It also contains handy checklists of questions to ask service providers about legal issues, technology, and service level agreements.