The cloud age needs to understand the changing risks and responsibilities

Source: Internet
Author: User
Keywords Cloud service provider supplier ensure email must

The steady development of cloud services industry confirms that companies are rapidly migrating all or part of their computing, application, and data storage requirements to this emerging target. According to Gartner, the industry is expected to maintain strong growth by 2015, when global cloud services revenues are expected to reach $148.8 billion trillion.

This enthusiasm for cloud computing's rapid rise is not an unwarranted spark, but because its benefits are indeed attractive. The main drivers include significantly reduced IT costs and improved operational efficiency, enterprise collaboration, and business agility. In addition, the emerging services offerings offer many options: Amazon Web Services, Rackspace, Nirvanix, and other vendors ' infrastructure as a service (IaaS); "Platform-as-service (PaaS)" of Microsoft Azure and Google apps, and Software as a service (SaaS) for vendors such as and Casecentral

Early adopters of cloud technology see this migration as a necessary condition for business development, despite the hidden risks of service disruption and security and privacy disclosure. However, it is clear that cloud service providers are fully aware of the reluctance of companies to initially entrust critical information assets to their management, so they continue to make efforts to mitigate concerns about stringent service level agreements (SLAs, concerns about uptime, privacy, and security requirements).

Intuit and Google's recent long service outages have made headlines in major media, and this only confirms that cloud technology is not only now interrupted but will also be interrupted in the future, which means that quality of service and data availability issues remain the most important. While encryption is still the baseline method for protecting data when migrating to a cloud environment, you should also understand the issues of how to migrate data and distinguish responsibilities and the additional risks that must be addressed before establishing a partnership with any cloud service provider.

When discussing cloud risk, there are some equally important issues surfacing. While these issues have not yet become a top-priority headline, they still have far-reaching implications and require sustained discussion and attention. Savvy IT leaders are beginning to realise that the "three" hurdles must be overcome: disruption, privacy, and security when weighing cloud computing risks. Careful assessment and partnerships with other stakeholder organizations are more necessary than ever to understand and mitigate the risks associated with file management, electronic discovery (eDiscovery), judicial issues, and exit strategies.

Archives Management: Data Retention and removal

One of the key advantages of migrating information to the cloud is that it can greatly simplify data management. To date, companies have been emphasizing the need to ensure data integrity and availability, but are less concerned with information retention and cleanup requirements.

This issue requires a collaborative approach between the enterprise IT and legal departments to understand and identify specific data retention and processing needs, because many cloud service providers offer contracts that are standard protocols. Also keep in mind that the nature of the cloud vendor's work is to collect data, not to purge data. They make it easy for businesses to expand and encourage companies to keep all the data. The removal of data is usually not the subject of their discussion, but it is worth exploring.

Migrating to a cloud environment is thought to make data management easier, but for data retention it is more complex and difficult to deal with in this new environment than within the enterprise. As a result, organizations need to determine what their options are and how service providers handle file management. For example, it is important to understand how service providers apply multiple retention policies, because they use this method to purge certain datasets based on the agreement of both parties.

In some cases, such as involving the SaaS cloud service model, data retention and cleanup may be included in the service scenario. Many SaaS-based e-mail vendors set policies to delete messages that are retained for more than one year. In addition, you can manage data retention through the enterprise's backup software. Regardless of the approach, customers need to play an active role in developing data retention and purge strategies and work closely with vendors to understand the legal consequences and risks of violating, and even unintentionally violating, these policies.

Electronic Discovery (eDiscovery): Data retention, collection, and production

Cloud computing also makes searching, accessing, collecting, and saving electronic storage information (ESI) more laborious, more complex, and more risky than processing processes within the enterprise. In addressing this issue, the enterprise IT department needs to work with relevant legal departments to obtain guidance and advice on the differences between cloud discovery and offsite storage.

Like file management, cloud service types can also affect functional levels. For example, if an enterprise simply uses the cloud as a repository, the likelihood of searching for data can be greatly reduced. However, if the enterprise uses the SaaS cloud service, it will increase the likelihood of performing search and content indexing to support electronic discovery (eDiscovery) requirements. When evaluating these features, it is important to understand the tools provided by the cloud service provider. In some cases, organizations can combine internal and external tools to enhance search and identification of data.

Another important issue is the need to understand the authenticity and admissibility of cloud-based data. For example, does data ownership change when migrating data to a cloud environment? Does enterprise access to data in the cloud differ from access to local storage data? In addition, how to assess and monitor the authenticity of the data? Maintaining data in the original format is critical, but sometimes migrating to the cloud changes metadata and file names. This complicates the situation, especially when the enterprise is no longer able to access metadata that was stored locally. If the information changes when migrating to the cloud, the enterprise should be clear whether data audits can be used to prove that the data is still valid in the original format.

From a legal point of view, the ability to apply the "legally retained" policy is necessary to preserve the data as part of the evidence management strategy. When dealing with cloud-based data, the program becomes more complex and requires additional careful investigation before signing an agreement with a cloud service provider. Most importantly, businesses need to understand whether data must be restored to the customer's location to meet legal retention policy requirements, or whether the legal retention policy can be applied (although the data still resides in the cloud). In particular, ensuring that cloud providers do not have any action that would result in damaging data is likely to incur penalties or other costly legal consequences.

If the cloud service provider is unable to recover data in the manner and time prescribed by the Court in the course of any proceedings, it will have serious consequences, including commercial penalties, negative inferences and sanctions, thus increasing the electronic discovery (eDiscovery) problem in the cloud. The best way to avoid these dire consequences is to work with legal experts and stakeholders early in the process to pinpoint any potential electronic discovery pitfalls.

Judicial issues: Where data is stored is critical

Judicial issues are often overlooked, and the solution to this problem needs to be focused on two levels. First, companies must ensure that their cloud service providers operate in a specific location that is required to be stored in strict accordance with the relevant legal requirements. Second, be sure to consider the nature of the data, especially the US cloud provider, whose data or e-mail is reserved for foreign citizens, because European privacy laws are much stricter.

Universities across the United States are among the first to adopt cloud computing technology, many of which migrate thousands of student emails to the cloud to save IT operational costs and resources. There are numerous success stories about how e-mail outsourcing enables organizations to meet ever-increasing campus communication and collaboration needs, but there is still a little-known fact in some schools that European teachers and students ' e-mails face additional risks from mail outsourcing. The European Union's privacy laws are much stricter than those in the US, which require the authorization of the parties before they are sent to third parties.

The Cross-border problem is no longer just a matter of data owners, which has now begun to spread to the physical location of the cloud vendor file server. Since many vendors store data in multiple data centers around the world, it is wise to recognize the location of each data center in order to effectively address different privacy laws. To reiterate, the most fundamental goal is to minimise privacy exposure, and it must be remembered that justice is an area where legal, regulatory and compliance risks are set.

Exit Policy: Regain data

Perhaps the most overlooked aspect is the problem when a business wants to abort a cloud service or replace a cloud service provider. There are a number of reasons why an enterprise must develop an exit strategy in advance, for example, to avoid data disclosure when a cloud service provider goes bankrupt, and to ensure that all cloud data can be restarted or migrated to a new vendor.

To date, this has not yet attracted enough attention from cloud service providers, and there is a need to analyze why they are avoiding the problem, but it is even more critical to know how to get the customer back to the data. In some cases, it is possible to migrate data directly from A vendor to Vendor B. In any case, cost and time factors must be taken into account, and the potential risks should be given special attention and legal advice.

The services provided by different cloud service providers vary widely, and some vendors are more likely to negotiate on these customer concerns. Avoid signing fixed contracts that do not support customization or modification of customers. Obviously, the stronger the client's strength, the more negotiating capital is. But for small organizations, it is more prudent to migrate mission-critical data to the cloud because they can also be severely affected.

An in-depth analysis of the risks associated with reducing cloud

Because of the potential risk of compromising data exposure, it is recommended that service providers focus primarily on how to minimize widespread service disruption while adopting appropriate policies and procedures to reduce privacy and security risks. Occasionally, individual cloud service providers may be forced to accept fines of up to hundreds of thousands of dollars because customers are unable to retrieve their data, but they are not likely to make headlines, but they are real.

For this reason and for all of the above reasons, IT organizations must begin to look at the risk of small but equally influential exposure to migrating data to the cloud. At the same time, large enterprises and small businesses need to work together to ensure that all areas of focus are resolved perfectly so that cloud migrations can increase business revenues without creating debt.

As we all know, the best defense is offense, so companies that want to reduce cloud-related risks need to know about the legal issues before they move. First of all, IT and legal personnel within the enterprise brainstorming. This cross-functional team is able to take a holistic view of the company's data before developing a detailed strategy, ensuring that any data migration to the cloud will improve enterprise efficiency and processes without bottlenecks or risks.

(Responsible editor: Duqing first)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.