Compliance Archiving in the Public Cloud – The Top 3 Questions You Should Be Asking
By Bob Spurzem, Director of Product Marketing at Archive360
Organizations in highly regulated industries such as financial services, healthcare, government and energy are intimately familiar with the compliance regulations that require the secure long-term retention of electronically stored information (ESI). For these industries and others, the public cloud has become a top contender for storing their massive amounts of email, files and other forms of unstructured data. However, while the cloud offers undeniable advantages such as lower cost and virtually unlimited scalability, not all public cloud services are alike, and before proceeding there are some important questions you should be asking.
Is my data secure?
The leading measure of security for cloud providers is the Statement on Auditing Standards No. 70 (SAS 70). SAS 70 defines the standards that an independent auditor must employ to assess the contracted internal controls of a service organization, which include controls over IT and associated processes. The Sarbanes-Oxley Act (SOX) of 2002 placed chief executives and company auditors under the regulatory microscope and brought SAS 70 to the forefront.
Under SAS 70, auditor reports are classified as either a Type I or a Type II report. In a Type I report, the auditor evaluates the efforts of a service organization, at the time of the audit, to prevent accounting inconsistencies, errors and misrepresentation. A SAS 70 Type II report includes the same information as a Type I report, but in addition the auditor attempts to determine the effectiveness of the agreed-upon controls by testing them over a minimum of six months.
Where is my data?
Because some government regulations place geographic limits on where compliance data may be stored, regulated organizations must always be aware where their data resides. The EU Data Protection Directive (Directive 95/46/EC) requires member regions to ensure that a third-party country provides “an adequate level of protection” of personal data before the member can transfer data to that country.
When considering a cloud service provider, it is important for the data owner to ask where the data will be stored. Large service providers, such as Microsoft Azure and Amazon Web Services (AWS), have datacenter locations worldwide so that data can be located according to your geographical requirements. Specialized service providers also provide a choice of storage sites and offer specialized configurations to ensure that compliance data is not co-mingled with other clients’ data.
How fast can I retrieve my data?
The speed at which data needs to be retrieved from the cloud is an important consideration for cloud archival. If trouble should arise with courts or regulatory bodies, retrieval speed can make all the difference when fines or penalties are at risk. For your organization’s protection, it is a smart idea not only to address the issue of retrieval speed, but also to run your own tests to verify vendor claims. It is also important that you ask each vendor for its Service Level Agreements (SLAs) regarding retrieval speed. Cloud providers deploy different technologies for indexing, search and production, and each one can affect the speed at which you can access archived data for legal discovery or regulatory audits. Demand strong SLAs to ensure that you can retrieve your data when and where you need it.