1. Track your applications.
To manage an application effectively, you have to know where it is. Establish a "chain of custody" that enables you to see where applications are running and manage them against any legal concerns. The chain of custody includes which machine an application is installed on, what data is associated with that application, who is in control of the machine and what controls are in place.
With server virtualization, applications move among different machines, and without careful control over the chain of custody, you can expose an application or the data to circumstances where a high-security app may be shifted into a low-security environment. So watch that, and before you change anything in the environment, consider whether the change will create unauthorized access to the application or related data.
2. With off-site hosting, keep your assets separate.
If a third party controls or hosts one of your servers, keeping your operating assets separate from those of the host's other customers is critical to avoid potential liability for security exposures, including improper access. For hosted applications, you also need to ensure that settings for one application cannot drift or migrate into the control of another, so no other host customers can access your data.
To do this, you need to evaluate how the host distributes and controls applications and data stored in its server array. Depending on the configurations of the hosts and client machines, settings and programmatic adjustments can trickle down and install in unexpected manners.
That's why you need to make sure that appropriate security controls are in place. You don't want unexpected updates or configuration controls to gain control over your data or application versions. Make sure your contract with the hosting company details the technical specifications that protect your data and users, and that the hosting company provides the testing and monitoring reporting that shows compliance with your controls.
3. Protect yourself against power disruptions.
Any CIO overseeing a data center knows that power outages can be a common occurrence. The reason is simple -- the power to run and cool a data center is more and more vulnerable. A 2006 AFCOM survey reported that 82.5% of data center outages in a five-year period were power-related.
If your data center has experienced power-related business interruptions, consider drafting contract terms for your own customers that protect you from liability if the power supply to your facilities is disrupted or lost. You may want more than general "acts of God" excuses in your customer-facing agreements.
If you are considering a shift to a hosted extension of your data center, you need to understand your hosted site's power supply and capabilities. Make sure your contract precisely defines those capabilities and allocates the risks for any service disruptions that occur. Account for this in your own customer contracts as well. Draft them carefully to make sure that power disruptions to your suppliers do not expose you to liability that you would avoid if your data center were in-house.
4. Ensure vendor cooperation in legal matters.
So, what happens when virtualization and compliance collide and the matter ends up in court? I have rarely seen a commercial contract for hosted or outsourced services that addressed the potential need for the service provider to cooperate in testifying in lawsuits. However, when a legal collision between virtualization and e-discovery occurs -- such as if a third-party host was unable to produce documents you needed for a legal action -- a service provider can be a significant rogue variable. You may well be able to compel your service provider to participate through a subpoena, but you can imagine how those executives will feel about doing business with you afterward.
To head off this potential scenario, make sure that in any contract with a third-party custodian of data, you obtain the service provider's commitment to cooperate in the courtroom. You may need to pay for this, but it's better than having a service provider that is annoyed at the burden of the litigation support.
In conclusion: Virtualizing any aspect of your data center changes the game for compliance and e-discovery. Make sure you know exactly where your applications are running, that your server controls are intact, and that your service provider contract provisions are "virtualization-friendly." You want to enjoy all the benefits of a virtual data center, not worry about whether your compliance controls are adrift in the computing "cloud."
This was first published in November 2008