Cloud archiving: The security of compliance data is important


Cloud technology is clearly well suited to storing compliance-related data. Software-as-a-service (SaaS) providers also position their services as a more economical way to isolate data that is rarely accessed, but requires high security and access control, from primary-site storage. However, experts caution that without careful scrutiny of third-party services, storing compliance data in the cloud could pose a risk.

There are many different types of cloud-based service providers that offer data archiving services, from public cloud storage sites, such as Amazon's Simple Storage Service (S3), to vendors that specialize in compliance data archiving.

Cloud service providers that offer compliance data archiving have been working to quell concerns about data security, controllability, and business stability. "People in this line have long business experience and they know what they're doing," says Brian Baineau, a senior consulting analyst at ESG.

But not everyone is convinced that all the problems are solved. Here is an outline of how vendors mitigate the concerns often raised about cloud-based compliance data archiving, and of the issues that remain.

Security in cloud technology

Many well-known businesses and service providers have been embarrassed by having to disclose data exposure incidents, including Microsoft, which said in December 2010 that unauthorized users had downloaded data from BPOS. Such incidents make administrators skeptical about the physical and virtual security of highly sensitive compliance-related data held by cloud providers.

"What we're talking about is getting some of the most critical data in these groups," said George Tziahanas, the global president of Autonomy, a law and compliance solution. "It is the lifeblood of these companies and is highly classified."

Some vendors point to their compliance with Statement on Auditing Standards No. 70 (SAS 70), Type I or Type II, as standard proof of their security measures. Jay Heiser, vice president of research at Gartner, explains the difference. "SAS 70 Type I is published by audit practitioners to demonstrate that the corresponding control process is sufficient to handle service-level requirements in the contract," he said. According to Heiser, the SAS 70 Type II audit requires the auditor to inspect the site to see whether the service provider actually follows the appropriate processes.

However, Heiser warns that the SAS 70 audit "is not a certification, but a proof." The problem is that the audit is not based on any best practices or industry standards; SAS 70 is only one form of audit report. According to Heiser, a successful SAS 70 Type I audit only means that the service provider's processes can meet its contractual commitments. "It will not promise the quality of any actual service," he said.

Heiser also said he advises companies to carry out at least four checks on candidates when selecting a cloud service provider:

1. Prepare and use questionnaires covering the service provider's basic service information, equipment information and security measures. Heiser mentioned that sharedassessments.org and the Cloud Security Alliance (CSA) provide such questionnaires for administrators to use.

2. Check upstream vendor information for each cloud service provider.

3. Check all third-party certification information, such as SAS 70 or ISO/IEC 27001:2005.

4. Visit the site. Heiser mentions that service providers usually grant access to their site based on your business value.

Three cloud-based service providers, Autonomy, Mimecast and Symantec, address user security concerns through advanced data protection and encryption technology.

Autonomy manages more than 17 PB of compliance-related data, and synchronously writes data to multiple separate physical devices, possibly in different locations and in different formats.

According to Orlando Scott-Cowley, a Mimecast technology instructor, Mimecast also stores its data on different devices and in different locations, so even stealing an entire disk drive or rack will not yield any useful information. The company also uses encryption to protect all user data without assigning a 256-bit Advanced Encryption Standard (AES) key to each user. As a further security measure, Scott-Cowley said, Mimecast also assigns a user number to each user and tags the corresponding data with that number. Users can only view data with a matching customer number.

Symantec encrypts user data during transfer to the data center and uses a 256-bit AES key during storage.

Do you know where your data is stored?

Some government regulations place regional limits on where data can be stored. The EU Data Protection Directive (EC) requires member states to ensure that "adequate levels of protection" are provided for personal data when it is transmitted to third countries.

Administrators also dislike cloud service providers splitting data across different data centers, or even across data centers in different countries. "The first thing that these regulated companies think about is the need to be clear where their data is stored," says Autonomy's Tziahanas.

"The big difference between the usual cloud providers, like Amazon and Google Cloud, and Autonomy is that you can identify exactly where your data is in a specific period of time," he added.

Autonomy and Symantec allow prospective customers to carry out their own audits to confirm that data is stored where the company claims it is. Symantec allows companies to set up data centers for data storage, and mail accounts associated with the company also point to that data center.

Retrieving data from the cloud

Another concern administrators have about cloud service providers is the ability to retrieve data quickly.

"From a compliance or legal point of view, you can retrieve any information you keep at any time," said Phil Favaro, an electronic discovery lawyer at Symantec. In fact, companies subject to compliance requirements must not only store data for a specific period of time, but are also obligated to quickly retrieve data and raw data for the courts, for compliance matters and for management when internal or government audits and electronic discovery requests call for it.

"Are you able to quickly browse through your virtual cabinets and find the information you need to conform to the court's requirements within seven days?" "I have such a problem. It is very important that the cloud supplier can provide such a structure; without such a structure, the company will be in trouble with the courts or regulators."

A recent study by the security research center Ponemon Institute LLC found that compliance and the storage of unstructured information cost an average of about 2.1 million yuan a year, yet still fail to manage an enterprise's intellectual capital.

Larry Ponemon, the founder and chairman of the institute, said the study covered at least 1,000 IT seats in about 100 companies, which privately believed that the cloud was a way to reduce compliance costs. However, he cautioned that keeping records in the cloud was not the perfect answer.

"I've talked to nearly 20 companies, and almost every company has mentioned that using cloud or managed services may improve these issues to a large extent," Ponemon said. "I think the cloud does provide such a service, but because of the cloud, it can't solve the problem: who has access to what data, and why. They simply access it."

Ponemon said it is important that any compliance application, cloud or internal, keeps records at the file level. "It has to be a file level, not a volume level," he said, "and you probably only need one of the 1,000 records."

The importance of service level agreements

Autonomy and Mimecast address this problem through stringent service level agreements. "When someone hears the word 'cloud', they think of Amazon and Google, when they have these scary stories, and understand that their data could be stolen from such an infrastructure, completely beyond their control, without any guarantee of a service level agreement," Mimecast's Scott-Cowley said. He says Mimecast ensures 100% service availability, including access to archived mail at any time and place through the Web interface.

Autonomy provides a service level agreement that covers access, how quickly data can be written to disk and directory, how quickly it can be handed over for an investigation, how quickly the data can be filtered through policy, and how quickly users can find the information they need through policy filtering. "You can store data for each day, but assuming you don't have a good mechanism to access it, this is completely irrelevant information," the company's Tziahanas said.

With stringent service level agreements, localized services, and stringent security metrics, the cloud data archiving services market is maturing. This does not mean that every service provider will use the same tools. "From a risk management perspective, you can't stop before the cloud," says Gartner's Heiser. "You have to dig deep and find out what the supplier's so-called 'cloud' is."

This means digging deeper into the so-called industry-standard security audits and, possibly, making site visits to the service provider's facilities. This series of defensive measures will leave you more at ease when dealing with courts and regulators.

(Responsible editor: Lu Guang)
