Most folks nowadays are up to speed on the concept of storing data in the cloud. Everyone who's ever used Dropbox, SkyDrive, Google Drive, Box, Carbonite or any of the hundreds -- if not thousands -- of other cloud storage, cloud synchronization or cloud backup services knows this firsthand. Consumers and enterprises with data to store and a connection to the Internet can, in just a few minutes, begin uploading that data to remote, backed-up, "always on" environments for a relatively low cost. This is pretty compelling compared to the old days of manual backups -- or the seemingly inevitable data loss that followed when you forwent them -- along with multiple redundant copies of files across devices and limited or no access to certain files, depending on the device you were using and where you were using it from.
Because of the ease and relative simplicity of putting data into cloud-based storage environments, it's easy to miss the reality that some data has special requirements: legal, compliance or regulatory constraints can dictate how data can be stored, where it can be stored and what security measures are required to protect it while it is stored.
When it comes to long-term data archiving, there can be advantages in some cases to leveraging the cloud for this purpose. But making the decision about when it's appropriate, how you'll implement it and what service you'll use is different from evaluating other, more generic cloud storage options. Your organization will need to decide the features it needs, the approach it will use and then make an informed risk-aware decision about which path to pursue.
Step 1: Gather cloud data archiving service requirements
In almost every technology purchasing decision, it's useful to start with requirements gathering; cloud data archiving is no exception. Archival applications and services may need to accomplish a few different things depending on your needs from a regulatory, compliance and business perspective, including:
- Protect data against tampering, modification or deletion.
- Index data so you can locate information.
- Limit access to data to only those with appropriate authority.
- Protect privacy of the information.
- Provide disaster recovery features.
- Enable rapid access to data from certain users.
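The first requirement in the list above, protecting archived data against tampering, modification or deletion, is one you can verify rather than take on trust. The script below is an added example, not code from the article or from any vendor it discusses; it assumes the archive set is a local directory standing in for the archive tier and that the organization holds its own HMAC key (both constructed for the demo). It builds a manifest of SHA-256 digests for every archived object, protects the manifest itself with an HMAC under the customer-held key, and then reports modified, missing and unexpected files, which is the check an auditor would want to run periodically against whatever tier the data actually lives in.

```python
"""Integrity manifest for an archive set (added example, not from the article).

Assumptions (not from the article): the archive tier is a local directory,
and the organization keeps the HMAC key outside the archive itself.
"""
import hashlib
import hmac
import json
import os
import tempfile

HASH = "sha256"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archive objects need not fit in memory."""
    h = hashlib.new(HASH)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, forward slashes) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def canonical(manifest):
    """Deterministic bytes for the manifest so the HMAC is stable across runs."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest, keyed with the customer-held key."""
    return hmac.new(key, canonical(manifest), HASH).hexdigest()


def verify_archive(root, manifest, signature, key):
    """Check the manifest's HMAC first, then every file against the manifest.

    Returns whether the manifest tag verified plus sorted lists of modified,
    missing (deleted) and added (unexpected) files.
    """
    manifest_ok = hmac.compare_digest(sign_manifest(manifest, key), signature)
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"manifest_ok": manifest_ok, "modified": modified,
            "missing": missing, "added": added}


def demo():
    """Constructed scenario: archive three files, then alter one and delete one."""
    key = b"customer-held-key-for-demo-only"  # constructed; a real key lives in a KMS/HSM
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("2019/q1.log", b"alpha"),
                           ("2019/q2.log", b"beta"),
                           ("notes.txt", b"gamma")]:
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)

        clean = verify_archive(root, manifest, sig, key)

        # Simulate tampering in the archive tier: one edit, one deletion.
        with open(os.path.join(root, "2019/q1.log"), "wb") as fh:
            fh.write(b"alpha-edited")
        os.remove(os.path.join(root, "notes.txt"))
        tampered = verify_archive(root, manifest, sig, key)

        # A forged manifest that blesses the edited file cannot carry a valid
        # HMAC without the key, so the manifest check itself fails.
        forged = dict(manifest)
        forged["2019/q1.log"] = sha256_file(os.path.join(root, "2019/q1.log"))
        forged_result = verify_archive(root, forged, sig, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and its HMAC should be stored separately from the archive (and the key separately from both), otherwise whoever can alter the data can also re-sign the manifest; that separation is the key-management control to ask a vendor about in Step 3.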
Your particular enterprise needs and requirements will govern which features are most important. But because not every cloud provider offers every feature, and certain implementation options facilitate certain goals more than others, it's important that you know what you need before you start deciding on particular technologies.
If your organization already has an on-premises archiving approach, a useful first step is to evaluate how you use that system -- i.e., what features that platform provides and how it's being used now. While they may not be formally documented, the ways you employ your current product can be a useful way to harvest a baseline set of requirements that you can seek to emulate, as you evaluate cloud approaches.
If you do not have a system you're replacing or supplementing, it helps to pin down a few things before you formulate the requirements: the regulatory constraints that will govern the data after it's archived; the type of data you will archive -- i.e., is it free-form or structured? Is it email, files or a combination of both? -- and who will be accessing the data and how. Getting to the root of these questions might take some legwork; be clear from the beginning about your objectives and enlist input from the stakeholders involved: legal, compliance teams, internal auditors, business teams and any others you identify during this process.
Step 2: Understand implementation options
Once you've identified the requirements, the next step is to understand the different implementation options available for cloud data archiving. Generally speaking, these are divided into two groups: "cloud only" and hybrid.
The cloud-only model is fairly straightforward and easy to understand: you employ a cloud service to do the actual archival legwork. The advantage of this is that it doesn't necessarily require internal infrastructure or on-the-ground expertise to set up, run and maintain. A smaller organization that doesn't have dedicated expertise -- or a larger one with a relatively narrow scope for archival -- might find this the simplest option to employ, as well as the easiest to get up and running quickly.
A hybrid model, by contrast, leverages internal resources to help do the work. For example, a hybrid approach might store recently created data locally for easy access, but send older or less frequently accessed data to a cloud repository. Organizations must find the optimal balance between limited-capacity, higher-cost on-site storage and cheaper but higher-latency remote cloud storage. An organization that has personnel with expertise in archiving technology -- for example, one that is already using a local archival product -- or one that has a large volume of data that users require access to frequently, might benefit from this approach. Your particular requirements and circumstances will dictate the best fit here.
From a security standpoint, there are advantages and disadvantages to consider, as well. Additionally, your existing strengths and weaknesses, areas of competence, and the nuances of the program you've developed will affect the approach your enterprise chooses. For example, if yours is an organization that struggles with validation of external service providers while having a robust set of internal controls and technical cloud security expertise, you might find a hybrid approach beneficial. If, however, your organization has a robust program to vet the technical and operational aspects of service providers, but has spotty internal controls or lack of in-house expertise, it might find that a fully outsourced approach has advantages.
Step 3: Product evaluation
The last step, as you might imagine, is to select the specific product and service combination you will use. Over the past few years, a number of vendors have launched product offerings in the cloud data archiving service space, so -- unlike a few years back -- there are now plenty of options to choose from in the marketplace. That said, not every vendor will offer every feature, support all implementation models or provide every security, privacy and audit control your requirements will dictate. For example, if the data is highly sensitive, your enterprise may wish to look for data protection features, such as encryption -- along with corresponding key management controls. Or, it may wish to evaluate authentication features -- e.g., multifactor -- monitoring and reporting features, network protection mechanisms -- e.g., access controls and monitoring -- and host-based controls. Consider procedural controls, as well, such as who will have access to your data and how they are vetted.
As with evaluating any other cloud service, the onus is on the customer to understand what the vendor offers, to negotiate intelligently to get the features and controls you need to satisfy your requirements, to set contractual requirements and SLAs appropriately, and to monitor the vendor to ensure it's performing as expected.
One area you may wish to pay specific attention to as you implement cloud data-archiving services is potential lock-in. Keep in mind that requirements change, changes happen in the vendor landscape -- e.g., mergers and acquisitions -- and sometimes vendors don't perform as expected. As such, having some idea about the feasibility of migrating data to another vendor can help inform decision making.
Either way, the cloud can be a powerful tool when it comes to long-term storage and archival of data. However, it is important that potential customers recognize the unique constraints and requirements that a technology like this can have. By understanding their requirements, weighing the pros and cons of hybrid versus cloud-only deployment, and carefully selecting their vendor in light of that information, organizations can leverage the cloud to reduce the costs associated with long-term archival, while simultaneously ensuring their privacy, security and compliance needs are addressed.
About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.