This content is part of the Essential Guide: Enterprise cloud security best practices for locking down your cloud
Manage Learn to apply best practices and optimize your operations.

Before cloud deployment, consider risks of e-discovery in the cloud

The economic case for cloud deployment is compelling for many enterprises. But the risks surrounding e-discovery in the cloud need to be addressed by your e-discovery solutions.

As data and functionality moves from behind corporate firewalls to the cloud, it is important for IT managers to understand its impact on e-discovery's legal compliance. Relevant electronically stored information (ESI) subject to legal discovery usually focuses on emails, declarations such as social media statements and other business data that must be preserved.

Adrian Bowles
Adrian Bowles

The power of the cloud environment is that it provides a high level of abstraction with late binding. In an ideal cloud environment, one doesn’t need to know where data resides, how it is managed or how functionality is provisioned across geographies. For e-discovery in the cloud, however, the closer you come to a pure cloud environment, the greater the risk. There are rules governing data that require the preservation of metadata such as change dates and access rules that make it possible for a forensic analysis to determine the chain of custody.

Environments that provide more flexibility to users are an anathema to e-discovery. This is similar to trading system constraints, which require a firm to be able to reconstruct the state of a system at a particular time. In the early 1990s, for example, some traders experimented with Smalltalk for applications development. The commercial Smalltalk environments put the power in the hands of the user/developers, but made it impossible for management to enact meaningful policies that would ensure auditability. Similar concerns are emerging for e-discovery in the cloud environments.

When coupled with security and reliability concerns following the well publicized Amazon service outages, there is justifiable worry about the ability for enterprises to comply with e-discovery requests for cloud based systems.

But as Mike West, a vice president and distinguished analyst at Saugatuck Technology, notes: “One key challenge the cloud relieves is improving the availability of discovery evidence, which all too often is either delayed or never produced because of the inaccessibility of traditionally-stored data.”

On the other hand, availability without auditability is insufficient.

Changes ahead

In-house e-discovery solutions are still gaining in popularity for large firms because asset control is simplified when everything is kept behind enterprise walls.  But as demand for flexibility and economies of scale pushes more data to the cloud, we will see significant changes in the e-discovery vendor and product landscapes.

Today, there are distinct markets for e-discovery software and for cloud services. In the future, we expect cloud providers to become the de facto providers of e-discovery solutions, which will become integrated at the platform level. In general, only the cloud provider has access to all the data -- and metadata -- required to fulfill legal discovery requests.

While the e-discovery market currently supports many emerging specialty firms, a shakeout resulting in fewer vendors is likely in the next 24-36 months. Look for changes in the way e-discovery solutions are sold, with a migration from discrete products and vendors to integrated services provided by the cloud providers themselves.

Best positioned for survival in this scenario are vendors whose products integrate well with, or are acquired by, leading cloud vendors. The winners in this space will be the cloud providers and the e-discovery vendors they choose as partners during the shakeout. Losers will be the enterprises that select e-discovery vendors based on current functionality without regard to a migration path for cloud deployment.

Recommendations for e-discovery in the cloud

1. If your enterprise has already made a commitment to cloud deployment, make sure your e-discovery vendor is up to the task and has an ongoing relationship with your cloud provider. For private clouds, your e-discovery vendor should have experience with your hardware/software environment at other client sites.

2. If your enterprise is currently undecided about or avoiding cloud deployment, you should still consider a cloud-transition plan when choosing an e-discovery solution vendor. Even if you’re convinced that you won’t be putting data in a cloud within the next two years, the market is heading in that direction. Leading vendors in this space should have a roadmap for helping you make the move with confidence that you will remain compliant in a cloud environment.

3. Ensure that your enterprise e-discovery requirements are reflected in your cloud services providers’ service level agreements (SLA). It is important to be explicit in terms of access to data and metadata that may be required to prove chain of custody and ownership of data. For example, your enterprise must be aware of legal constraints imposed by your industry and the location of your enterprise and your customers, and these must be part of your SLA. For U.S. firms, the Federal Rules of Civil Procedure are a good starting point for guidance. Although the SLA won’t protect you from legal repercussions in the event of a policy breach -- such as moving European customer data through an unapproved cloud -- you may at least be protected contractually from certain types of economic loss.

4. Perhaps the most important action is to start a program for monitoring changes in this market, and monitoring relevant court decisions.  E-discovery in the cloud is a moving target, and an acceptable strategy today may be the subject of sanctions in the future as the bar for standard of practice is inevitably raised.

The complexities of tracking ESI in a cloud make the choice of an e-discovery vendor challenging, and poor choices will lead to increased risk. Until e-discovery functionality is routinely and unobtrusively embedded in solutions from the cloud providers themselves, plan for ongoing change.

Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on IT strategy and management. He is the founder of SIG411 LLC, an advisory services firm in Westport, Conn., and director of the Sustainability Leadership Council.

Dig Deeper on Enterprise cloud compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.