The cloud is an obvious candidate for storing compliance-related data. Software-as-a-service (SaaS) providers pitch their services as an economical way to rid your on-site storage of reams of rarely accessed information that requires strict security and access controls. But experts warn about stashing your compliance data using cloud archiving without carefully examining available third-party services.
There are different types of cloud-based service providers that offer data archiving, ranging from public cloud storage sites such as Amazon’s Simple Storage Service (S3) to providers that specialize in compliance data archiving.
Cloud-based providers that offer compliance data archiving services have worked hard to calm fears over data security, control and business stability issues. “People that have been doing this have been in the business for a while and know what they’re doing,” said Brian Babineau, a senior consulting analyst at Enterprise Strategy Group.
But not everyone is convinced all the issues are resolved. Here’s a rundown of how providers are alleviating common fears surrounding cloud-based compliance data archiving, and which issues remain.
Security in the cloud
Embarrassing public disclosure of data leaks from many well-respected businesses and service providers -- including Microsoft’s December 2010 announcement that unauthorized users downloaded data from its Business Productivity Online Suite (BPOS) -- have administrators questioning cloud providers’ physical and virtual security of highly sensitive compliance-related data.
“We’re talking about having some of the most critical data these entities have,” said George Tziahanas, global head of legal and compliance solutions at Autonomy Corp. “This really is the lifeblood of these firms, and it’s highly confidential.”
Some providers market their compliance with the Statement on Auditing Standards No. 70 (SAS 70), Type I or Type II, as evidence of strict security measures. Jay Heiser, a research vice president at Gartner Inc., explains the two variations. “[SAS 70] Type I is an attestation by an auditing practitioner that the control processes in place are adequate to deal with contractual service-level requirements,” he said. According to Heiser, a SAS 70 Type II audit requires the auditor to go on premises to see if the service provider is following through with the processes.
But Heiser cautions that a SAS 70 audit is “not a certification, it’s an attestation.” The problem is that the audits aren’t based on any best practices or industry standards; SAS 70 is simply the form for the evaluation and audit report. According to Heiser, a successful SAS 70 Type I audit only means the service provider has the processes to meet its contractual promises. “It tells you nothing about the quality of the actual service,” he said.
When Heiser talks to organizations, he suggests they do at least the following four steps as part of their due diligence investigation of a potential cloud services provider:
- Prepare and use a questionnaire to get basic information about the services and the service providers’ equipment and security measures. Heiser said SharedAssessments.org and the Cloud Security Alliance (CSA) offer questionnaires to help administrators prepare their own
- Review vendor-supplied information on any cloud service providers.
- Review any third-party evaluations such as SAS 70 or ISO/IEC 27001:2005.
- Go to the source. Heiser said service providers generally will allow on-site visits based on your business worthiness.
Three service providers that offer cloud-based services -- Autonomy, Mimecast and Symantec Corp. -- address security concerns with a combination of advanced data protection technologies and encryption.
Autonomy manages more than 17 PB of compliance-related data, and concurrently writes its data on multiple segregated physical devices in multiple locations and in immutable form.
Mimecast also stores its data on multiple drives in multiple locations so the physical theft of a drive or rack wouldn’t expose any usable data, according to Orlando Scott-Cowley, the firm's technical evangelist. The company also encrypts all customer data and assigns each customer an Advanced Encryption Standard (AES) 256 key. As an added security measure, Scott-Cowley said, Mimecast assigns each customer an account code and tags the data with the code. Users can only view data with the same account code.
Symantec encrypts customer data during transport to its data centers and at rest using an AES 256 key.
Do you know where your data is?
Some government regulations place geographic limits on where data may be stored. The EU Data Protection Directive (Directive 95/46/EC) requires member regions to ensure that a third-party country provides “an adequate level of protection” of personal data before the member can transfer data to that country.
Administrators are wary of cloud service providers that stripe data between data centers in multiple locations and even different countries. “The first thing that most regulated entities require is that it’s clear where their data is,” Autonomy's Tziahanas said.
“The biggest difference between general cloud vendors, the Amazon and Google clouds, and a vendor like Autonomy is that [with Autonomy] you will know specifically where your data is at any moment of time,” he said.
Autonomy and Symantec have allowed potential customers to perform their own audits to ensure data is where the companies claim it is. Symantec allows organizations to specify the data center where their data will reside, and all e-mail accounts associated with the organization will flow to that data center.
Retrieving data from the cloud
One continuing concern administrators have with cloud-based service providers is the ability to retrieve data quickly.
“From a regulatory or legal perspective, anytime you store something, you have to be able to bring it back,” explained Phil Favaro, a discovery attorney at Symantec. Not only are regulated companies required to store specified data for certain periods of time, but they have obligations to the courts, regulatory bodies and management to quickly recall the data and its metadata when needed for internal and government audits and e-discovery requests.
“Can you go through the virtual filing cabinet and pull out what you need to comply with a court order that requires you to do so within seven days?” Favaro asked. “That’s a significant doubt that I have, that cloud offerings provide that structure. Without that sort of structure, companies are going to get in trouble with courts or regulatory bodies.”
A recent study by the Ponemon Institute LLC security research center found compliance costs associated with the storage of unstructured information costs on average $2.1 million per year to organizations that fail to manage corporate intellectual capital.
Larry Ponemon, founder and chairman of the institute, said the study looked at approximately 100 companies with at least 1,000 IT seats, and those he talked to personally mentioned the cloud as a good way to reduce compliance costs. He warns that putting records in the cloud isn’t the entire answer, however.
“I talked to about 20 organizations, and almost every organization mentioned the possibility of using the cloud or a managed service that has greater capability to deal with these issues,” Ponemon said. “I think the cloud is going to be that type of service. But just because it’s cloud, it doesn’t necessarily solve the problem of who has access to what and why. They’ll just access it as one big blob.”
Ponemon said it’s important that any compliance practice, cloud or in-house, look at records on a file level. “It has to be at the file level, not at the volume level,” he said. “It could be that you need only one record out of 1,000.”
The importance of SLAs
Autonomy and Mimecast address the access issue with strong service-level agreements (SLAs). “When [people] hear the word ‘cloud,’ they look at Amazon and Google, they read the horror stories, and realize their data could potentially be left out there on an infrastructure that’s outside of their control and doesn’t come with any SLA,” Mimecast's Scott-Cowley said. He said Mimecast guarantees 100% service availability, including anywhere, anytime access to archived e-mail through its web interface.
Autonomy offers SLAs covering access, how fast the data will be written to disk and indexed, how quickly it will be available for search, how fast the data will flow through the policy filters, and how rapidly customers will be able to navigate between messages pushed through the policy filters. “You can store data all day, but if you don’t have a good mechanism to access that data, it’s almost irrelevant,” the firm's Tziahanas said.
With stronger SLAs, location-specific services, and stricter security measures, the cloud-based data archiving services market is maturing. But that doesn’t mean every service provider will use the same tools. “From a risk management point of view, you can’t stop with the word ‘cloud,’” Gartner’s Heiser said. “You have to dig under the covers and find out what they mean by the word ‘cloud.’”
That means digging a little deeper, looking beyond purported industry standard security audits and physically visiting service provider facilities if possible. A pound of prevention could keep you in good graces with the courts and regulatory bodies.
BIO: Todd Erickson is a News and Features writer for the Storage Media Group.
This was first published in August 2011