This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
3. - Aligning with compliance, security standards in the cloud: Read more in this section
- PCI DSS cloud guidelines spark debate among would-be adopters
- PCI report clarifies cloud computing security guidelines
- Cloud computing security certification is a two-way street
- FedRAMP cloud security standard not yet fully baked
- An enterprise guide to cloud computing security certifications
- Before cloud deployment, consider risks of e-discovery
- Legal, compliance issues take center stage as cloud computing use grows
Explore other sections in this guide:
- 1. - Cloud computing security still halts enterprise adoption
- 2. - Best practices, tools for securing your cloud environment
As data and functionality moves from behind corporate firewalls to the cloud, it is important for IT managers to understand its impact on e-discovery's legal compliance. Relevant electronically stored information (ESI) subject to legal discovery usually focuses on emails, declarations such as social media statements and other business data that must be preserved.
The power of the cloud environment is that it provides a high level of abstraction with late binding. In an ideal cloud environment, one doesn’t need to know where data resides, how it is managed or how functionality is provisioned across geographies. For e-discovery in the cloud, however, the closer you come to a pure cloud environment, the greater the risk. There are rules governing data that require the preservation of metadata such as change dates and access rules that make it possible for a forensic analysis to determine the chain of custody.
Environments that provide more flexibility to users are an anathema to e-discovery. This is similar to trading system constraints, which require a firm to be able to reconstruct the state of a system at a particular time. In the early 1990s, for example, some traders experimented with Smalltalk for applications development. The commercial Smalltalk environments put the power in the hands of the user/developers, but made it impossible for management to enact meaningful policies that would ensure auditability. Similar concerns are emerging for e-discovery in the cloud environments.
When coupled with security and reliability concerns following the well publicized Amazon service outages, there is justifiable worry about the ability for enterprises to comply with e-discovery requests for cloud based systems.
But as Mike West, a vice president and distinguished analyst at Saugatuck Technology, notes: “One key challenge the cloud relieves is improving the availability of discovery evidence, which all too often is either delayed or never produced because of the inaccessibility of traditionally-stored data.”
On the other hand, availability without auditability is insufficient.
In-house e-discovery solutions are still gaining in popularity for large firms because asset control is simplified when everything is kept behind enterprise walls. But as demand for flexibility and economies of scale pushes more data to the cloud, we will see significant changes in the e-discovery vendor and product landscapes.
Today, there are distinct markets for e-discovery software and for cloud services. In the future, we expect cloud providers to become the de facto providers of e-discovery solutions, which will become integrated at the platform level. In general, only the cloud provider has access to all the data -- and metadata -- required to fulfill legal discovery requests.
While the e-discovery market currently supports many emerging specialty firms, a shakeout resulting in fewer vendors is likely in the next 24-36 months. Look for changes in the way e-discovery solutions are sold, with a migration from discrete products and vendors to integrated services provided by the cloud providers themselves.
Best positioned for survival in this scenario are vendors whose products integrate well with, or are acquired by, leading cloud vendors. The winners in this space will be the cloud providers and the e-discovery vendors they choose as partners during the shakeout. Losers will be the enterprises that select e-discovery vendors based on current functionality without regard to a migration path for cloud deployment.
Recommendations for e-discovery in the cloud
1. If your enterprise has already made a commitment to cloud deployment, make sure your e-discovery vendor is up to the task and has an ongoing relationship with your cloud provider. For private clouds, your e-discovery vendor should have experience with your hardware/software environment at other client sites.
2. If your enterprise is currently undecided about or avoiding cloud deployment, you should still consider a cloud-transition plan when choosing an e-discovery solution vendor. Even if you’re convinced that you won’t be putting data in a cloud within the next two years, the market is heading in that direction. Leading vendors in this space should have a roadmap for helping you make the move with confidence that you will remain compliant in a cloud environment.
3. Ensure that your enterprise e-discovery requirements are reflected in your cloud services providers’ service level agreements (SLA). It is important to be explicit in terms of access to data and metadata that may be required to prove chain of custody and ownership of data. For example, your enterprise must be aware of legal constraints imposed by your industry and the location of your enterprise and your customers, and these must be part of your SLA. For U.S. firms, the Federal Rules of Civil Procedure are a good starting point for guidance. Although the SLA won’t protect you from legal repercussions in the event of a policy breach -- such as moving European customer data through an unapproved cloud -- you may at least be protected contractually from certain types of economic loss.
4. Perhaps the most important action is to start a program for monitoring changes in this market, and monitoring relevant court decisions. E-discovery in the cloud is a moving target, and an acceptable strategy today may be the subject of sanctions in the future as the bar for standard of practice is inevitably raised.
The complexities of tracking ESI in a cloud make the choice of an e-discovery vendor challenging, and poor choices will lead to increased risk. Until e-discovery functionality is routinely and unobtrusively embedded in solutions from the cloud providers themselves, plan for ongoing change.
Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on IT strategy and management. He is the founder of SIG411 LLC, an advisory services firm in Westport, Conn., and director of the Sustainability Leadership Council.