To Cloud, Or Not To Cloud
I have over 30 years in the IT industry. During this time I have worked with a variety of products in a variety of industries.
Published:
Browse All Articles > To Cloud, Or Not To Cloud
Moving to the Cloud is one of the major topics that is currently being discussed in companies all around the world.
Moving to the Cloud is one of the major topics that is currently being discussed in companies all around the world. There can be strong opinions for both cases. These debates can be almost as strong as the Microsoft versus Apple debates of the past few decades. While there are advantages for many companies, there are also some disadvantages that many people may not have thought about when considering a move to the Cloud. To be upfront, before you read any further, I am against moving to the Cloud. However, it may not be for the reasons most people may consider, which is why I have written this article.
There are advantages to the Cloud. These are more noticeable in small and mid-size businesses. In most cases, these businesses struggle with providing and maintaining their network infrastructure. These tasks not only involve determining the hardware and software needs, but also the purchasing, installation, and configuration of the equipment. The daily cost for these services typically does not justify hiring and maintaining a technology staff to provide support services for in-house systems.
Therefore, in the past, these organizations have relied on third party providers. These providers may be small local companies themselves or larger organizations. The problem with larger support organizations is that the customer may have whoever is available (not necessarily familiar with the site) provide the needed services. In these cases, moving to the Cloud makes good, financial sense. The services are always available, they can typically be purchased and configured by inexperienced people, and problems are handled by the service provider.
This type of configuration allows for the services to be expanded and new features added dynamically with little or no impact to the company. The performance of the systems can also be improved “on the fly” for an additional cost. There is no longer the need for downtime to add additional storage space, memory, or compute power. This allows the systems to grow (or contract) to meet the needs of the company. In most cases, moving to the Cloud should also eliminate downtime for an organization. In the event there is a problem at the hosting services location, they simply redirect customers to a replica of their services at another data center. This type of flexibility, uptime, and ease of data access has made the Cloud very appealing to many companies.
The disadvantages to the Cloud are often not discussed or considered. First, many people feel that by moving to the Cloud, their data is safe from loss. The providers tend to speak about how they move data around, create duplicates, and provide alternate paths to provide constant access to give customers a feeling of confidence. This process is also supposed to prevent any unintentional data loss.
However, this has proven to be incorrect. There have been instances where Cloud providrs have lost customer data such as Amazon's E2 crash, T-Mobile's SideKick, and other less publicized incidents. While the percentage of data loss was small compared to the amount of customer data they actually house, there were some companies whose data was permanently destroyed. Unless a company had some guarantee written into their contract, the most they received was an apology letter letting them know data was unrecoverable. Admittedly, these incidents were in the earlier days of Cloud services. Since that time, there have been improvements in backup solutions for Cloud providers, but in the end, you are still at the mercy of the systems they have established. In most cases (and for security reasons) they will not disclose the processes they use to minimize data loss.
When a company’s data is hosted by a Cloud provider, the company must be able to maintain an Internet connection in order to access their data and enable their employees to perform daily functions. However, the company is still at the mercy of the ISP. If the company’s Internet provider has an outage, then how much of the business can still function? While these outages can happen when not using the Cloud, employees still have access to the files needed to do their jobs on their local machine or network drives.
Another weakness in the Cloud was provided in the documents released by Edward Snowden. These showed that while the front-end infrastructure was encrypted and secured, the back-end communications between data centers was not. These circuits were tapped by the National Security Agency in order to spy and collect data. While general hackers would not necessarily have the ability to directly tap these circuits, it does not mean that another government does not have those resources, especially since many of these providers have data centers in various countries. However, while performance, uptime, and security are typically discussed, there is one area that seems to never be mentioned when considering a move to the Cloud.
The one area that is not typically discussed or considered when moving to the Cloud is document management and retention. I spent the majority of my career managing backup and recovery systems. Having this responsibility has exposed me to dealing with legal hold, e-Discovery, and document retention. As a result, a few years ago I joined ARMA (Association Records Managers and Administrators). It was through this organization I realized there is a problem with storing data on the Cloud.
One of the original, big selling points to moving a company’s data to the Cloud was the fact that it would always be available and almost impossible to delete. Hence, the Cloud was not designed to easily, permanently delete and remove data. While this is a great benefit, particularly for small, private companies, it can be a headache for larger enterprises. Many of these organizations are under specific rules and regulations such as Sarbanes-Oxley (in the United States) or various others for those businesses in the European Union, on how long to keep data and how it must be handled. In many of these cases, the complexity of document retention was not taken into account when the Cloud was developed.
For those not familiar with document retention and records management, it means there is a policy, rule, or regulation that states you will keep a record (financial, human resource, email, etc.) for a specific period of time and then it will be permanently deleted. If a lawsuit is filed against a company and they are placed under legal hold, then those documents may now be discoverable. It does not matter if you are not supposed to have them. In fact, the company would be seen as violating its own retention policy and could be subject to fines and sanctions by the court for improper document handling. Depending on the size of the company, these can be anywhere from hundreds of thousands to millions of dollars, and cannot be appealed!
The other factor that most companies do not consider is that the laws that affect their data is applied to where the data is STORED, not where the company is located. Since many Cloud providers reduce cost by moving data around to various data centers, it is entirely possible that a company’s data could be in an entirely different state or even country from where the company is based. While there can be provision written into contracts regulating and restricting where the data is located, these typically come with a higher cost. As more restrictions are added, the cost benefit of moving to the Cloud is reduced. There is also the possibility, while remote, that a government agency could subpoena the Cloud provider for a copy of all of your data, without your knowledge (Broas, 2013). Some Cloud providers have implemented data encryption to minimize this possiblity. In these cases, the government must notify the data owner to obtain the encryption keys (Musthaler, 2014).
There are those who would argue that many of these same problems will occur with an on premise solution, and they are correct. A company’s data is always subject to hardware failures, network hacks and breaches, rogue administrator actions, and other vulnerabilities. The difference is that by keeping the data in-house, the company can better control the management of their data. In the end, improper data and record handling can result in huge fines and penalties. As I heard one executive state, “those types of fines would be like an underwater torpedo coming at you that could take the entire company down”. Another point was made at a Gartner presentation I attended a few years ago. The analyst made a statement to the effect that CFOs love the Cloud due to the cost savings. However, if you let your in-house or outside legal team read the agreement, they will say, “No way!” Believe it or not, the agreements are written to benefit the provider.
While this may be the first time someone has heard about the proper handling and management of documents and records, it is an important fact for every company. If you would like more information on why it is important, please read a previous article I wrote and published on Experts-Exchange called The Importance of a Proper Document Management and Retention Policy (http://www.experts-exchange.com/Software/Misc/A_10604-The-Importance-of-a-Proper-Document-Management-and-Retention-Policy.html ). While there can be a lot of advantages to the Cloud, each company needs to carefully evaluate if the cost savings and benefits outweigh the risk. For many small, and even some mid-size companies, the answer will be “yes.” However, for the other companies, the risks of record retention and e-Discovery issues may make the Cloud less appealing. Remember, if the documents or records exist, they are discoverable.
Amazon Cloud Crash Data Loss
http://www.businessinsider.com/amazon-lost-data-2011-4
Sarbanes-Oxley
http://www.sec.gov/rules/final/33-8180.htm
European Union
http://www.arma.org/docs/bookstore/westerneuropeanbusinessrecords_intro.pdf
Information Governance and the Cloud
http://www.arma.org/docs/hot-topic/makingthejump.pdf
http://www.arma.org/r1/news/newswire/2014/03/25/increasing-cloud-adoption-increases-enterprise-risk
Broas, T. (2013). E-Discovery In The Cloud: Who Can Get Your Data? Retrieved from Law360: http://www.law360.com/articles/439600/e-discovery-in-the-cloud-who-can-get-your-data
Musthaler, L. (2014, September 5). Encrypted data in the cloud? Be sure to control your own keys. Retrieved from Network World: http://www.networkworld.com/article/2603122/cloud-security/encrypted-data-in-the-cloud-be-sure-to-control-your-own-keys.html
Advantages
Therefore, in the past, these organizations have relied on third party providers. These providers may be small local companies themselves or larger organizations. The problem with larger support organizations is that the customer may have whoever is available (not necessarily familiar with the site) provide the needed services. In these cases, moving to the Cloud makes good, financial sense. The services are always available, they can typically be purchased and configured by inexperienced people, and problems are handled by the service provider.
This type of configuration allows for the services to be expanded and new features added dynamically with little or no impact to the company. The performance of the systems can also be improved “on the fly” for an additional cost. There is no longer the need for downtime to add additional storage space, memory, or compute power. This allows the systems to grow (or contract) to meet the needs of the company. In most cases, moving to the Cloud should also eliminate downtime for an organization. In the event there is a problem at the hosting services location, they simply redirect customers to a replica of their services at another data center. This type of flexibility, uptime, and ease of data access has made the Cloud very appealing to many companies.
Disadvantages
The disadvantages to the Cloud are often not discussed or considered. First, many people feel that by moving to the Cloud, their data is safe from loss. The providers tend to speak about how they move data around, create duplicates, and provide alternate paths to provide constant access to give customers a feeling of confidence. This process is also supposed to prevent any unintentional data loss.
However, this has proven to be incorrect. There have been instances where Cloud providrs have lost customer data such as Amazon's E2 crash, T-Mobile's SideKick, and other less publicized incidents. While the percentage of data loss was small compared to the amount of customer data they actually house, there were some companies whose data was permanently destroyed. Unless a company had some guarantee written into their contract, the most they received was an apology letter letting them know data was unrecoverable. Admittedly, these incidents were in the earlier days of Cloud services. Since that time, there have been improvements in backup solutions for Cloud providers, but in the end, you are still at the mercy of the systems they have established. In most cases (and for security reasons) they will not disclose the processes they use to minimize data loss.
When a company’s data is hosted by a Cloud provider, the company must be able to maintain an Internet connection in order to access their data and enable their employees to perform daily functions. However, the company is still at the mercy of the ISP. If the company’s Internet provider has an outage, then how much of the business can still function? While these outages can happen when not using the Cloud, employees still have access to the files needed to do their jobs on their local machine or network drives.
Another weakness in the Cloud was provided in the documents released by Edward Snowden. These showed that while the front-end infrastructure was encrypted and secured, the back-end communications between data centers was not. These circuits were tapped by the National Security Agency in order to spy and collect data. While general hackers would not necessarily have the ability to directly tap these circuits, it does not mean that another government does not have those resources, especially since many of these providers have data centers in various countries. However, while performance, uptime, and security are typically discussed, there is one area that seems to never be mentioned when considering a move to the Cloud.
Document Retention
The one area that is not typically discussed or considered when moving to the Cloud is document management and retention. I spent the majority of my career managing backup and recovery systems. Having this responsibility has exposed me to dealing with legal hold, e-Discovery, and document retention. As a result, a few years ago I joined ARMA (Association Records Managers and Administrators). It was through this organization I realized there is a problem with storing data on the Cloud.
One of the original, big selling points to moving a company’s data to the Cloud was the fact that it would always be available and almost impossible to delete. Hence, the Cloud was not designed to easily, permanently delete and remove data. While this is a great benefit, particularly for small, private companies, it can be a headache for larger enterprises. Many of these organizations are under specific rules and regulations such as Sarbanes-Oxley (in the United States) or various others for those businesses in the European Union, on how long to keep data and how it must be handled. In many of these cases, the complexity of document retention was not taken into account when the Cloud was developed.
For those not familiar with document retention and records management, it means there is a policy, rule, or regulation that states you will keep a record (financial, human resource, email, etc.) for a specific period of time and then it will be permanently deleted. If a lawsuit is filed against a company and they are placed under legal hold, then those documents may now be discoverable. It does not matter if you are not supposed to have them. In fact, the company would be seen as violating its own retention policy and could be subject to fines and sanctions by the court for improper document handling. Depending on the size of the company, these can be anywhere from hundreds of thousands to millions of dollars, and cannot be appealed!
The other factor that most companies do not consider is that the laws that affect their data is applied to where the data is STORED, not where the company is located. Since many Cloud providers reduce cost by moving data around to various data centers, it is entirely possible that a company’s data could be in an entirely different state or even country from where the company is based. While there can be provision written into contracts regulating and restricting where the data is located, these typically come with a higher cost. As more restrictions are added, the cost benefit of moving to the Cloud is reduced. There is also the possibility, while remote, that a government agency could subpoena the Cloud provider for a copy of all of your data, without your knowledge (Broas, 2013). Some Cloud providers have implemented data encryption to minimize this possiblity. In these cases, the government must notify the data owner to obtain the encryption keys (Musthaler, 2014).
There are those who would argue that many of these same problems will occur with an on premise solution, and they are correct. A company’s data is always subject to hardware failures, network hacks and breaches, rogue administrator actions, and other vulnerabilities. The difference is that by keeping the data in-house, the company can better control the management of their data. In the end, improper data and record handling can result in huge fines and penalties. As I heard one executive state, “those types of fines would be like an underwater torpedo coming at you that could take the entire company down”. Another point was made at a Gartner presentation I attended a few years ago. The analyst made a statement to the effect that CFOs love the Cloud due to the cost savings. However, if you let your in-house or outside legal team read the agreement, they will say, “No way!” Believe it or not, the agreements are written to benefit the provider.
Conclusion
While this may be the first time someone has heard about the proper handling and management of documents and records, it is an important fact for every company. If you would like more information on why it is important, please read a previous article I wrote and published on Experts-Exchange called The Importance of a Proper Document Management and Retention Policy (http://www.experts-exchange.com/Software/Misc/A_10604-The-Importance-of-a-Proper-Document-Management-and-Retention-Policy.html ). While there can be a lot of advantages to the Cloud, each company needs to carefully evaluate if the cost savings and benefits outweigh the risk. For many small, and even some mid-size companies, the answer will be “yes.” However, for the other companies, the risks of record retention and e-Discovery issues may make the Cloud less appealing. Remember, if the documents or records exist, they are discoverable.
Reference Materials
http://www.businessinsider.com/amazon-lost-data-2011-4
Sarbanes-Oxley
http://www.sec.gov/rules/final/33-8180.htm
European Union
http://www.arma.org/docs/bookstore/westerneuropeanbusinessrecords_intro.pdf
Information Governance and the Cloud
http://www.arma.org/docs/hot-topic/makingthejump.pdf
http://www.arma.org/r1/news/newswire/2014/03/25/increasing-cloud-adoption-increases-enterprise-risk
Broas, T. (2013). E-Discovery In The Cloud: Who Can Get Your Data? Retrieved from Law360: http://www.law360.com/articles/439600/e-discovery-in-the-cloud-who-can-get-your-data
Musthaler, L. (2014, September 5). Encrypted data in the cloud? Be sure to control your own keys. Retrieved from Network World: http://www.networkworld.com/article/2603122/cloud-security/encrypted-data-in-the-cloud-be-sure-to-control-your-own-keys.html
I have over 30 years in the IT industry. During this time I have worked with a variety of products in a variety of industries.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (5)
Commented:
Commented:
Commented:
Author
Commented:I did note that it is a viable solution for many companies. However, there are things happening that are changing the dynamics and cost. For example, hyper-converged systems are making the cost deltas for Cloud less appealing than they once were, especially for smaller companies. These products are not only reducing complexity, but costs as well. There are also some experts predicting that with the rise in attacks on Internet services, that the Internet could experience outages in the next year of up to a day or more. Something like this could impact companies decisions on moving to a Cloud service if there data is totally unavailable for long periods of time.
Commented: