There is no doubt about it; the cloud is here to stay. According to Forbes 2015 Tech Roundup, more than 60% of enterprises will have at least half of their infrastructure on cloud-based platforms by 2018. And by 2019, according to “Cisco Global Cloud Index: Forecast and Methodology, 2014–2019,” 86% of workloads will be processed by cloud data centers, leaving only 14% to be processed by traditional data centers.


Cloud Basics


Before an organization can wisely select cloud services providers and applications, its information governance (IG) professionals must understand the relevant cloud-related terms. Software as a Service (SaaS) SaaS is a standard term used for applications, such as Expensify or Salesforce.com, that operate in the cloud. Organizations can buy the number of seats needed, use the product, and pay for that usage. Google mail is an example of a SaaS product used by millions of people around the world. Platform as a Service (PaaS) A developer needing a platform on which to write a software product that can later be offered as a SaaS product might turn to a company like Amazon and buy its PaaS. This gives the developer a development area on which to produce products. Infrastructure as a Service (IaaS) An organization may choose to purchase just infrastructure, such as servers and storage, through a cloud provider and then load its platform and application on top of that. This is IaaS. Thus, an organization may buy IaaS from provider one, PaaS from provider two, and offer its end users an SaaS product. This leads to the questions about where the data is stored and, more importantly, who is responsible for it. These questions will be answered in this article.


Cloud Software


Deployment It is worthwhile to note the different ways cloud software can be deployed. As organizations make decisions regarding cloud offerings, it is important to be familiar with the following terms. Public Cloud This is essentially like LinkedIn’s deployment. Users get free access unless they choose to pay for LinkedIn’s premium offering. They share the service with others, so this is generally what the industry calls a multi-tenanted implementation. Users upload the requested personal information they want to and occasionally provide updates. Their data may be commingled with others’ data, and they often do not have a choice as to its physical location. They also are not given much choice regarding their terms of service. Private Cloud Many organizations do not want their information to be in the public infrastructure, so they require that their cloud services be private, often with a separate connection or at least a separate set of servers and customizations. This is a much more expensive service, but it gives them much more say in how and where their data resides. Hybrid Cloud A hybrid cloud is a cloud computing environment that uses a mixture of on-premises, private cloud, and public cloud services with orchestration between the platforms. By allowing workloads to move between private and public clouds as computing needs and costs change, a hybrid cloud gives organizations flexibility and more data deployment options.


Cloud Deployment Benefits


There are many benefits of cloud deployments, and organizations migrate to cloud services to take advantage of them. Likewise, vendors are offering fewer on-premises solutions and moving to cloud-only offerings. However, many of the benefits of using the cloud also present potential risks that IG professionals should be aware of and make sure their organizations consider when selecting vendors and applications. (See “Cloud Deployment Risks” in the next section.) On Demand Self-Service In the cloud, provisioning users with software and services is so much easier. Organizations can often do so on-demand, allowing departments and users to self-provision. Broad Network Access Users can easily access needed information from various locations as necessary. Rapid Elasticity Organizations that suddenly find that they need more capacity than they expected can rapidly scale up and expand. Likewise, if demand drops, they can contract. In fact, they can contract without even knowing it, and since they pay for what they use, this leads to cost savings. It allows organizations to

  • Pay as they go

  • Pay for service, not hardware cost

  • Share the risk of hardware or software loss (cost and downtime.)


Scalability
Organizations can scale up or down as they need. For example, in the retail business, they can scale up just in time for the Christmas rush and scale down in January. Low-Cost Experimentation Because cloud services do not require an extensive capital and IT investment to stand them up, it is much easier for businesses to experiment with various offerings by provisioning a simple pilot. Enhanced Security Because many cloud providers specialize in securing applications, infrastructure, and hardware, an organization’s information potentially can be more secure in the cloud than it would be on its own premises.


Cloud Deployment Risks


It is important to remember that storing data in the cloud does not relieve an organization of the responsibility for protecting, managing, retaining, and disposing of its data in compliance with its legal, regulatory, and operational requirements. While there are many benefits to using the cloud, there are also risks related to their cloud providers’ negligence, inability, or unwillingness to do their part in fulfilling that responsibility. Some of the major risks are described below. Inability to Access Data With its information living in the cloud, an organization does not control its own destiny in terms of its ability to access it. Even though most cloud providers are very reliable, if they have an outage, their clients might be out of luck. An organization also must consider what would happen if its cloud vendor goes out of business. In one situation the author knows about, a vendor went into Chapter 11 bankruptcy, and its clients’ e-mail archive data was tied up for months in the bankruptcy court, which was a disaster for some of its clients.


So, organizations must make sure they have a way to retrieve their data in this type of event or even if they are just looking to change vendors. Insecure Data Although the potential for enhanced security is listed above as a benefit, it can also be a risk because it is not within the organization’s control. If the provider is not diligent, the organization’s information may be at risk.


For example, the organization must coordinate with the cloud provider to put controls around who can access what information. While there are plenty of automatic methods for doing this, this factor should be considered during deployment. Improper Data Location Where the data is located may be quite important.


For example, data in the right geographic location is critical for a multi-national organization that must conform with other countries’ data transfer regulations. An organization also must check to ensure that the fail-over facilities for its data are far away from the main facilities to ensure business continuity in case of a disaster. Inability to Hold, Produce Data When an organization has information in the cloud that is subject to a legal preservation order, the vendor must be able to comply with that order. If the vendor does not have that capability or if it is negligent in suspending disposition and the information is disposed of, the organization could be sanctioned for spoliation. When faced with a discovery request for information in the cloud, the organization also needs a vendor that can either analyze the data to identify the relevant data to be produced or provide tools that will allow the organization to do so.


The costs involved for the cloud services provider to analyze and export needed data should also be factored into vendor selection decisions. Losing Ownership of Data When using services like SaaS, PaaS, and IaaS, an organization needs to be aware of and prepared to deal with contractual issues like who owns data stored in the cloud. Signing some standard contracts could actually involve relinquishing the organization’s rights to its own data – for example when allowing Google to index Gmail messages. Data Privacy Violations Protecting the privacy of an organization’s data must be considered.


For example, storing healthcare data may require an organization to contract with a vendor that has a Health Insurance Portability and Accountability Act-compliant cloud, such as is available from Amazon. An organization should also be aware that many public clouds have a click-through contract that does not allow it to opt out of the provider indexing and using its information. It must make sure that no privacy issues arise from any of those provisions. Also, when data is commingled, as in multi-tenanted systems, there is a potential that an organization’s data can be inadvertently disclosed during another client’s production or discovery event. So, this factor must be considered. Loss of Data Integrity, Authenticity An organization must ensure that the chains of custody and authenticity of its information are taken seriously by its cloud provider, as it needs to be able to trace and prove authenticity of its data.


Risk Mitigation


To realize the rewards of moving to the cloud and mitigate risks, an organization must do the following:

  • Outline the risks. Be clear about what the risks are so each can be evaluated.

  • Weigh the risks vs. the reward. Determine whether the rewards are greater than the risks or if the risks are too great.

  • Investigate providers. Check thoroughly to make sure each provider is reputable, reliable, and meets the relevant criteria outlined above.

  • Audit providers. Regularly audit providers for compliance with agreed-to policies and practices.

  • Negotiate important issues in the agreement. If able to sign a separate agreement – as opposed to being forced to just take the standard one – make sure to include the issues most critical to the organization.

  • Consult with counsel. Make sure the organization’s legal requirements are met and blessed by counsel.

  • Consult relevant guidance. Consult relevant guidelines, such as ARMA International’s Guideline for Outsourcing Information to the Cloud, which is available for purchase at www.arma.org/bookstore.


By using the knowledge gained from this article, IG professionals will be equipped to help their organizations make wise decisions when selecting cloud services. Knowing the terminology, the risks, the rewards, and the risk mitigation factors will allow them to become business enablers and help their organizations embrace this exciting technology.
(Article originally published in Information Management by Galina Datskovsky, Ph.D., CRM, FAI, September/October 2016)