The growth of cloud-based archiving holds great promise for data storage managers: more options to outsource the firm's underlying infrastructure and the exciting potential to create a seamless user experience with virtually unlimited capacity. In addition, storage managers can take advantage of volume-based subscription pricing to pay for what they use without a big up-front investment. Yet there are issues to consider before taking the plunge into cloud-based archiving or when considering the fine print on a service-level agreement (SLA). It's easy to find cloud storage users who report anecdotally that every dollar they save with a Software as a Service (SaaS) solution could easily be multiplied two- or three-fold in future retrieval costs -- the ones they meant to avoid in the first place.
Retrieval requests, such as those associated with e-discovery and compliance, aren't a problem for most companies and their storage managers . . . until they are. While most IT administrators are well aware that data volumes are rising as data types and locations become more varied, few are prepared for the impact of having to retrieve and preserve their data as evidence for litigation. Those situations typically strike without warning.
The sticker shock, work interruptions and high-profile urgency associated with an ad-hoc litigation response usually comes on too suddenly for new litigants to do more than roll with the punches. But companies that have been burned once often safeguard themselves from future events by deploying an archive or better utilizing an existing one. Under the current heightened regulatory environment, archives are gaining even more traction for their proactive benefits in storing and retrieving data quickly. This just doesn’t apply to email, which is the most common source of electronic evidence, but to newer formats such as instant messaging and social media, which are also legally discoverable.
Five cloud-based archiving questions to answer
For data storage administrators considering cloud-based archiving, there are a handful of key questions to answer when drafting your strategy. Knowing the responses in advance can help you avoid some of the headaches that seem to almost always accompany e-discovery and compliance requests.
1. What are the risks in outsourcing evidence handling and compliance?
Cloud archiving adoption isn’t purely a cost-driven decision. There are other tradeoffs, both positive and negative. While some corporations refuse to push evidence outside their firewall because of the perceived lack of control, others are happy to pay a premium to outsource the risk of handing it to third parties with more infrastructure and updated security. This depends on your organization’s risk tolerance, knowing and trusting your provider, and negotiating a SLA that suits your requirements. Private clouds require their own due diligence; with a multi-tenant public cloud, your data lives on common servers with that of other clients, which can be an unacceptable tradeoff to some firms.
2. Do I have custody and control of the data if it’s hosted by a third party?
Data hosted by a third party may not be in your immediate custody or control, but you're still responsible for retrieving it for court or regulators within a suitable timeframe and in an acceptable format. If needed, can your provider supply adequate availability, capacity, speed and throughput for mass retrieval? Just as importantly, can your provider export large amounts of data under tight timeframes, particularly over a network? Cloud providers rely on facilitating data ingest to enable quick and easy import and usage, increase user data volumes and promote “stickiness” among clients. The costs and logistics of searching and exporting data en masse can be less straightforward. For some users, a hybrid cloud approach can offer an acceptable compromise. Either way, negotiating requirements up front and doing a test run is advisable.
3. Can the archive adequately support compliance and litigation response?
Most archives -- both on- and off-premises -- were originally designed for storage management, not litigation response. To ensure compliance and defensible e-discovery, they must support the necessary high data volumes, a variety of data formats, 100% data accountability, real-time index updates, granular search, large-scale multi-user querying and data export requirements. In instituting a retention and disposition policy, there must be assurances that deleted data is gone without a trace to keep it from being discoverable in future cases or regulatory events. Conversely, it’s important to note that without a subpoena, deleted data isn’t recoverable in the cloud since it’s not on a local hard drive. Although digital forensics isn't required in civil litigation, it can make or break criminal investigations, and remains a common method of e-discovery collections in the enterprise.
4. Does the archive support and integrate with broader data management or corporate governance provisions?
Requirements for interoperability and customization should be taken into account. Will a cloud archive compound governance issues by creating an additional data silo, as well as duplicating data volumes and governance efforts? Furthermore, will a C-level executive resist storing their data in the cloud, requiring an extra individual search for every investigation? Companies attempting to minimize data growth through aggressive capacity quotas for users sometimes argue that unlimited storage only aggravates the hoarding behaviors causing the problem.
5. What’s the worst that could happen?
It’s advisable to investigate protections or contingency plans, if any exist, in anticipation of worst-case scenarios such as a data breach, unanticipated downtime, an “act of God” data loss, provider bankruptcy, or subpoenas from law enforcement or Homeland Security. Multi-national litigants have additional concerns, as using clouds for cross-border e-discovery runs the risk of violating international data privacy regulations. These laws vary by country, but they typically govern the retrieval and processing of employee data more stringently than in the U.S. and may not support America’s broad legal discovery requirements. Where does the data reside, where are the users and what kind of regulations apply? Users may want to investigate these factors for all jurisdictions in which data is stored and used, as well as in the jurisdictions where their company is likely to go to court.
BIO: Katey Wood is an analyst at Enterprise Strategy Group, Milford, Mass.