I have been told by a storage administrator that if he moved data to the cloud he was no longer responsible for it. He made the wash-my-hands of it sign during that conversation to illustrate it was “not my problem.” That’s because of guarantees offered by the cloud service provider storing the information. I did not get any of the details about those guarantees but I would also question how sound they were and what recourse the company would have if anything did get lost.
An event happened this past week that illustrates this problem and set off alarm bells for all storage administrators and IT management. U.K.-based code hosting company Code Spaces lost every client’s data and ceased operation. The data loss was due to a malicious hacker that deleted the data and was so proficient at it that Code Spaces’ protection mechanisms were incapable of protecting or recovering data. Russ Fellows wrote a blog with more detail on the Evaluator Group web site. More can be found at SearchAWS.com.
This was a major fail for Code Spaces and a major loss of valuable development source code that was stored there by many companies. And there were guarantees about how the data was protected. A conversation with an IT guy who decided to put data on Code Spaces would be completely different now. Would a company executive believe that the IT guy was no longer responsible when the data was moved there? There is no realistic defense for the IT guy here.
This means the responsibility for protecting information and ensuring its availability for use remains with IT, specifically the storage team, irrespective of where it is physically located. Protecting data from disaster or some type of alteration or destruction is one of the earliest and most basic jobs in IT. Making the data available to the point of business continuity is a responsibility. The consideration that IT would be absolved of those responsibilities by moving to a cloud provider is wishful thinking.
Moving the data to the cloud may have economic benefit. But it still requires the operational effort and expense of ensuring the data is protected and available. The protection and availability must be proven with periodic exercising of recovery and availability switchover. Without that, the liability is there but without evidence that responsible actions have been taken.
In advising our IT clients, this is a great example to use. From this point on, when someone says they are moving data to the cloud and no longer have responsibility, I’ll just ask if they have it in writing that they will not be held liable. We certainly have an example now.
(Randy Kerns is Senior Strategist at Evaluator Group, an IT analyst firm).