
New Tools for Cost-Effective Information Governance

The data explosion that has burdened organizations across the globe for the past decade has become increasingly expensive to manage. Many IT professionals would point to storage as the most obvious culprit for higher data management costs.

But another factor driving those costs is legal demands. Those demands originate from the courts and regulatory bodies, which have high expectations for how organizations should respond to data requests. Judges, for instance, are punishing groups that fail to account for how they store and manage their information. Companies are also navigating more exacting regulatory requirements. Take FINRA Regulatory Notice 10-06, which was promulgated last year to protect investors from false or misleading claims on social networking sites. Compliance with this regulation remains so difficult that FINRA recently promised securities firms that it would issue further guidance on the Notice this year.

Going to the Cloud for Data Storage and Retrieval

Such costs—and the risks they pose—are driving organizations to explore alternatives to controlling their data. The latest alternative to traditional storage solutions involves migrating data to the cloud.

Retrieval of company data: The hype surrounding the cloud has generally focused on the opportunity for cheap and unlimited storage. But storage alone is not enough. Organizations must have the actual, not merely theoretical, ability to retrieve their data and to do so in real time. Otherwise, they may not be able to satisfy legal or regulatory requests, let alone the day-to-day demands of their operations.

In an analogous context, courts have traditionally compelled paper document productions even though the requested materials may be buried in a messy warehouse. In one such case from this year, a Manhattan federal court ordered a company to turn over decades-old records that were commingled with other materials in poorly labeled, shrink-wrapped boxes. The court reasoned that disorganized record-keeping should not excuse an organization from producing relevant information.

The rationale from that case is equally applicable to cloud storage. Cloud-based data must be intelligently organized such that companies can timely respond to discovery requests and other legal demands. Otherwise, the savings achieved through cheap storage will be redirected to the resulting legal quagmire.

The first step to timely retrieving data is to confirm whether the cloud has the capacity to implement and observe company retention protocols. Just like traditional data archiving software, the cloud must enable automated retention rules which permit a company to keep information for a designated time period. This will enable data to be expired once it reaches the end of that period.

The pool of data can be further decreased through single instance storage. This deduplication technology eliminates redundant data by preserving only a master copy of each document placed into the cloud. This will reduce the amount of data that needs to be identified, preserved, collected and reviewed as part of any discovery process. For while unlimited data storage may seem ideal now, reviewing unlimited amounts of data will quickly become a logistical and costly nightmare.

A cloud offering must also have e-discovery functionality. At a minimum, the offering should deploy legal holds to prevent users or automated policies from overwriting and destroying data. Advanced search capabilities need to be included to reduce the amount of data that must be analyzed and then reviewed. Moreover, the cloud must support load files in compatible formats for export to third-party review software.
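The interaction between automated retention rules and legal holds described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the retention schedule, record fields and hold model are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: record category -> days to keep.
RETENTION_DAYS = {"email": 3 * 365, "invoice": 7 * 365}

@dataclass(frozen=True)
class Record:
    doc_id: str
    category: str
    custodian: str
    ingested: date

@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset   # people whose data must be preserved
    active: bool = True

def sweep(records, holds, today):
    """Decide per record whether an automated policy may expire it.

    Returns {doc_id: (action, reason)}; action is "expire" or "retain".
    """
    decisions = {}
    for rec in records:
        held_by = [h.matter for h in holds
                   if h.active and rec.custodian in h.custodians]
        days = RETENTION_DAYS.get(rec.category)
        if held_by:
            # A legal hold always overrides the retention clock.
            decisions[rec.doc_id] = ("retain", "legal hold: " + ", ".join(held_by))
        elif days is None:
            # Fail closed: never delete data the schedule does not classify.
            decisions[rec.doc_id] = ("retain", "unclassified category")
        elif today >= rec.ingested + timedelta(days=days):
            decisions[rec.doc_id] = ("expire", "retention period ended")
        else:
            decisions[rec.doc_id] = ("retain", "within retention period")
    return decisions

# Constructed sample data.
RECORDS = [
    Record("d1", "email", "alice", date(2019, 1, 10)),
    Record("d2", "email", "bob", date(2019, 1, 10)),
    Record("d3", "email", "bob", date(2024, 1, 10)),
    Record("d4", "chat", "carol", date(2015, 1, 10)),
]
HOLDS = [LegalHold("matter-001", frozenset({"alice"}))]
```

Recording the reason alongside each decision gives the sweep its own audit trail, which matters when a deletion is later questioned.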

Finally, the cloud should also provide a company with a clear audit trail establishing that neither company documents, nor their metadata, were modified when transmitted to the cloud. Without this assurance, a company may not be able to comply with key regulations or establish the authenticity of its data in court.
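Single instance storage and the audit-trail requirement can both be built on content hashes, as in this added example (not the article's or any provider's code). The store class, manifest layout and sample documents are hypothetical, and the manifest is assumed to be kept by the customer outside the cloud.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def meta_digest(meta: dict) -> str:
    # Canonical JSON so key order cannot change the digest.
    return sha256_hex(json.dumps(meta, sort_keys=True, separators=(",", ":")).encode())

def build_manifest(docs: dict) -> dict:
    """docs: doc_id -> (content bytes, metadata dict), hashed before upload."""
    return {doc_id: {"content": sha256_hex(body), "meta": meta_digest(meta)}
            for doc_id, (body, meta) in docs.items()}

class SingleInstanceStore:
    """Hypothetical archive: one master copy per distinct content hash."""
    def __init__(self):
        self.blobs = {}    # content hash -> bytes
        self.index = {}    # doc_id -> {"content": hash, "meta": dict}

    def put(self, doc_id: str, body: bytes, meta: dict) -> None:
        digest = sha256_hex(body)
        self.blobs.setdefault(digest, body)   # duplicates reuse the master copy
        self.index[doc_id] = {"content": digest, "meta": dict(meta)}

def verify_transfer(manifest: dict, store: SingleInstanceStore) -> list:
    """Return (doc_id, finding) pairs; an empty list means nothing changed."""
    findings = []
    for doc_id, expected in sorted(manifest.items()):
        entry = store.index.get(doc_id)
        if entry is None:
            findings.append((doc_id, "missing"))
            continue
        blob = store.blobs.get(entry["content"])
        if blob is None or sha256_hex(blob) != expected["content"]:
            findings.append((doc_id, "content modified"))
        if meta_digest(entry["meta"]) != expected["meta"]:
            findings.append((doc_id, "metadata modified"))
    return findings

# Constructed sample: two custodians hold the same attachment.
DOCS = {
    "a": (b"Q3 forecast v2", {"author": "alice", "sent": "2024-03-01T09:00:00Z"}),
    "b": (b"Q3 forecast v2", {"author": "bob", "sent": "2024-03-01T09:05:00Z"}),
    "c": (b"Board minutes", {"author": "carol", "sent": "2024-03-02T14:00:00Z"}),
}
```

Deduplication keeps one blob for documents "a" and "b", while each document's metadata is hashed separately so a changed timestamp or author is still detected.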

Security considerations: While data retrieval is significant, that issue pales in comparison to whether a given cloud offering can adequately secure that data. Without proper security measures, breaches are likely to occur. This may result in disclosures of sensitive business and personal information, along with adverse media coverage. To ensure an organization does not suffer this fate, it should confirm that a cloud provider has addressed the following security issues:

1. The offering must provide sufficient security for data transfers to the cloud. Consider the following contrasting scenarios: When transmitting data to and from the cloud, would you prefer that company data be moved in the equivalent of an armored car? Or would you trust company data to be transported by an old jalopy?

To ensure an offering has the "armored car" version of security, verify that the cloud uses Transport Layer Security (TLS) for data transfers. TLS is an encryption protocol that secures email and instant messages so that they cannot be intercepted or altered in transit.

2. Once data is safely transferred to the cloud, it must also be secured while it is stored there. This can best be accomplished through Secure Sockets Layer (SSL) encryption. This requires the user to present login credentials and ensures that a secure SSL connection is used to access messages for search and review. A secure SSL connection encrypts the data so a third party—including the cloud provider—cannot eavesdrop on the transmission and view data being transmitted.

Determine whether the offering has other safety measures, such as redundant firewalls which block hackers from compromising the cloud provider network. An intrusion-detection system should also be deployed to uncover any malicious network traffic and computer usage that conventional firewalls may not address. Moreover, all network access points should also be monitored to deliver continuous protection against the latest worms and security threats.

An organization should also consider whether a cloud offering can preserve the character of confidential and attorney/client privileged information. For example, does the provider forbid its employees from accessing a customer archive unless they have the customer's express permission? Or does the offering include "password hashing," which encrypts all passwords that users employ to access data before those passwords are stored?

If the organization maintains offices in Europe, the cloud provider must be a member of and abide by the US/EU Safe Harbor framework. By storing data with such a cloud provider, a company can be sure that its storage strategy is consistent with the EU directive on data protection.

3. An organization must confirm that the actual facility which hosts cloud-based data is secure. That facility should be a "tier-4 data center." This designation indicates that the facility has the highest level of physical security and reliability for the organization's data.

The facility should also conform to industry best practices. Hence, the cloud provider should be SAS-70 Type II certified. This means that the offering conforms to industry recognized best practices for security and internal controls.

End-to-End Information Governance

A cloud provider that can timely retrieve data and that has implemented proper measures to secure that data may be the right choice for a company to lower its information management costs. Alternatively, an organization can deploy an end-to-end information-governance solution to address its archiving and e-discovery needs. Sometimes overshadowed by other technologies, end-to-end software provides a common sense solution for decreasing the costs and risks associated with data management.

For pre-litigation data management, an effective solution will provide companies with a central repository to manage company information. The software should have "data classification services," which intelligently analyze and tag data content as it is ingested into the archive pursuant to company retention protocols. By so doing, organizations can search for and retrieve data with greater efficiency. This will reduce expenses downstream when documents must be searched and analyzed in response to legal demands.
