The trend to move from on-premise software to on-demand Cloud-based solutions for an increasing range of business computing services offers the potential to lower costs and mitigate risk. Cloud computing uses web servers from a third party provider to store, deploy and execute applications. Some organisations are investigating the Cloud to meet their Information Governance requirements for archiving, eDiscovery, compliance, records management and data security.
What are the benefits?
Cloud computing can provide new levels of flexibility, security, flexibility and collaboration. Key benefits include:
- The ability to scale as computing services require
- The ability to simplify and optimise the IT environment
- The ability to increase agility to changing business needs
- The ability to increase ROI compared to internal development
- The ability to drive a range of Information Governance capabilities for the Cloud
What should an organisation do?
The Cloud offers major benefits but to fully maximise its potential there are number of key considerations. These include:
On-demand scalability
Maintaining on-premises storage capacity can result in business systems that cannot scale as demand increases or the creation of over-capacity resulting in cost that is never recovered. Cloud computing allows for flexible scaling – both up and down – when changes occur in data volumes, litigation burdens or cost structures. When selecting a Cloud-based service, on organisation should ensure that:
- The service is charged on a per usage basis
- The service data requirements scale up and down as demand requires
- The service cost structure scales up and down as demand requires
- Access to the service scales up and down as demand requires
On-demand data access
Cloud Computing requires the transfer of enterprise data onto a third party service. Like on-premise Information Governance, this information has to be identifiable, searchable and accessible regardless of format, language or source repository. This situation is complicated by the necessity of aligning processes between the organisation and the service provider. When selecting a Cloud-based service, an organisation should ensure that:
- The Service Provider can operate within the structure set by the organisation’s Information Governance policies
- The service provider has intelligent tools for the search and retrieval of corporate information
- The service provider can accommodate the information categorisation and auditing processes established by the organisation
- The service provider can dynamically and securely provide access to defined information sets for partners and third parties as require.
Data location and privacy
Cloud service providers will have data centres located across the globe. This makes it a challenge to know where corporate information is situated – especially where the service provides massive redundancy to ensure availability. Organisations are increasingly faced with local regulations where countries only allow personal data of its citizens to by stored in their home country. When selecting a Cloud-based service, on organisation should ensure that:
- Ensure the provider has servers in the geographies where it orperates
- Ensure it knows exactly where all corporate information is stored
- Ensure it understands its service provider’s back-up strategies
- Ensure that the storage and processing of data in a desired location or jurisdiction is stipulated within the contract
Cloud security
Maintaining the highest levels of security over data in the Cloud has to be a minimum level of service for any provider. Especially when dealing with information that is likely to be required for compliance or litigation, the organisation must be confident that the data is both protection and tamper-proof. When selecting a Cloud-based service, on organisation should ensure that:
- The service adhers to the Safe Harbor Privacy principles
- The service allows personal data to be stored properly within its correct jurisdiction
- The data is fully protected and fully compliant to the storage requirements of that jurisdiction
- The service provider’s back-up strategy does not give the potential for a copy of the data to be created outside that jurisdiction
Defensible disposal
Part of the Safe Harbor Privacy principles adopted by the US and EU provides amnesty when electronic information is lost or unrecoverable in the course of daily business operations. It provides protection from claims of spoilation for data destroyed without clear authority. To avoid the threat of poor deletion and disposal, it is essential that the data is destroyed according to retention and disposal guidelines. The service provider must be able to accommodate and execute these guidelines. When selecting a Cloud-based service, on organisation should ensure that:
- Corporate data is deleted as soon as possible
- Data is easily identified and accessed for eDiscovery
- Data can be placed on Legal Hold
- The service provider can operate to the organisation’s retention and disposal guidelines
Checklist
- Decide which services can be outsourced to a third party supplier
- Ensure the supplier can accommodate the organisation’s Information Governance policies and procedures
- Ensure the Information Governance is built into the contractor
- Ensure that the service is scalable – both for capacity and pricing
- Ensure corporate data is properly stored to meet local regulations i=within the countries where the organisation operates
- Ensure the service provider delivers the highest levels of security and data protection
- Ensure that the service provider can archive and delete information in line with the organisation’s defensible disposal strategy