How To Manage Cloud Data Safely

Transcription

1 Information Governance In The Cloud

2 Galina Datskovsky, Ph. D., CRM President of ARMA International SVP Information Governance Solutions

3 Topics Cloud Characteristics And Risks Information Management In The Cloud Preservation And Spoliation In The Cloud Collection In The Cloud ediscovery In The Cloud Authentication Of Cloud Data End Of LifeCycle Disposition End Of Vendor Relationship Mitigating Risk

4 The Cloud Is Here To Stay It is estimated that the annual global market for cloud computing will be $95 billion by 2013* By 2020 more than a third of the digital universe will either live in or pass through the cloud ** * Rachael King, How Cloud Computing Is Changing the World, Business Week, Aug. 4, 2008 ** IDC May 2010

5 What Is The Cloud? Services Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Deployment Public Cloud Private Cloud Community Cloud Hybrid Cloud

6 Essential Characteristics Of Cloud Services On Demand Self Service Broad Network Access Measured Service Resource Pooling Rapid Elasticity

7 Cloud Benefits Cost Savings Pay as you go Pay for service; No hardware costs Risk of hardware or software loss shared (cost and down time) Scalability Elasticity Application Development Low Cost Experimentation Potential Compliance and Security benefits

8 Cloud Risks Access Security Location Segregation Spoliation Service (export, analytics, costs, backup and recovery) Ownership Privacy Integrity Authentication Vendor Continuity

9 What Is Different About The Cloud? Service Location Access Security Possession, Custody and Control

10 Are Corporate Obligations Different In The Cloud? Obligations remain the same: Storing data in the cloud does not relieve the organization of the responsibility for protection, management or retention of its data

11 Are Retention And Business Practices In The Cloud Different Than What We Do Now? No they are the same The more things change, the more they stay the same. Alphonse Karr GARP Risk Management EDRM and Discovery Processes Location Access and Security Possession, Custody and Control

12 Generally Accepted Recordkeeping Principles = GARP Accountability Transparency Integrity Protection Compliance Availability Retention Disposition

13 GARP Maturity Model A Qualitative and Quantitative Measurement by Principle Average Across All Principles Rating and Evaluation of an Organization s Overall Information Governance

14 GARP Maturity Model Five levels Less than 5 may be acceptable because of Organizational risk tolerance As measured against competitors GARP Maturity Level Color Status 5 GREEN 4 BLUE 3 AMBER 2 ORANGE 1 RED

15 Electronic Discovery Reference Model

16 Information Management In The Cloud Risks Access Security Privacy Location

17 Information Management In The Cloud Risk Mitigation Capture sufficient data when information created to govern it Handle information in compliance with reasonable, defensible, and auditable protocols: GARP Establish clear rules and privacy expectations for use, access and security of systems, including social networking sites - Not just perimeter security Work with the cloud provider to ensure information governance compliance Verify and limit data location

18 Preservation And Spoliation In The Cloud Risks Segregation/Identification Can cloud data be linked back to a custodian? Preservation Will the vendor comply with a legal hold, and how? Access Can you preserve on multi-user servers? Location Where is the data?

19 Preservation And Spoliation In The Cloud Risk Mitigation Information Management (GARP ) How information created, stored and removed from cloud - Metadata - Segregation/commingling Understand how vendor conducts backup and recovery In Agreement - Legal Hold Protocols: how will vendor will comply with legal hold - Access rights for preservation - Limit data storage locations - Limit or prohibit subcontracting by the cloud provider - Allocation of liability for loss

20 Collection In The Cloud Risks Segregation/Identification Access Export Options Costs

21 Collection In The Cloud Risk Mitigation Vendor Analytic Tools Metadata Access Rights for collection or forensic collection In Agreement - Export Options - Analytic Options - Cost Options

22 ediscovery In The Cloud Scenarios Discovery requests or third party Subpoenas to the entity Subpoenas to the third party cloud provider

23 ediscovery In The Cloud Risks Possession, custody and control - Who controls the data if a third party is hosting it? - Complicated by deployment models of cloud computing the more third parties involved (through subcontracts, public cloud, etc.), the more complicated ownership gets

24 ediscovery In The Cloud Risk Mitigation In Agreement - Ownership - Access - Notice Obligation - Steps provider will take in response to subpoena - Cost Apportionment - Allocation of liability for wrongful disclosure

25 Authentication Of Cloud Data Risk Mitigation Chain of Custody - Can vendor track creation, modification and access to your information contemporaneously through lifecycle - System and Access Logs - In Agreement

26 Is This The End? End of Information LifeCycle in the Cloud Disposition options: transfer, destruction Most vendors are not focused on disposition they are more likely to recover deleted items than to prove something was permanently deleted End of Relationship with your Cloud Vendor? What are the obligations for returning data upon termination, or if the vendor goes out of business?

27 Risk Mitigation At The End Risk Mitigation In Agreement - Data Disposition Protocols - Data Transfer and Ownership - Agree on fees for data transfer and disposition

28 Risk Mitigation Summary Outline Risks Weigh Risk vs. Reward Investigate Provider Audit Practices Include Important Issues in the Vendor Agreement Consult with Counsel Consult Relevant Guidelines

29 Questions