What in heaven is the Cloud

What are the implications of using the cloud

Numerous seminars have been presented in recent years which considered the implications of using Cloud computing in a business environment.

In this document, drawing on information gleaned from a variety of seminars and other hosted events that I have attended, I aim to set out the differences between the various cloud scenarios available, where businesses may be now, and what the possibilities are for using cloud scenarios now and in the future.

In the past few years, the cloud has become more widely known, providing a range of solutions aimed at end users and businesses of all types.

Who uses the cloud

While there are many ways to use the cloud, they really boil down to two core use cases:
Consumers: who store personal data such as files, images and videos, and synchronize it to other devices from anywhere through apps.

Businesses: who host their apps in the cloud and use components and services from cloud providers, such as computing (virtual machines), applications, databases, storage, and so on.

For each of these use cases, storage is a critical component. Storage-as-a-Service (STaaS) is an architecture model offered by a number of vendors, most notably Google Drive, Dropbox, etc., that lets users host files and assets in the cloud. STaaS is implemented as Software-as-a-Service (SaaS) on a subscription basis.

Cloud Types

External (or Public) Cloud

Most professionals are familiar with the big public cloud players such as Dropbox and Google Drive as well as voice over IP (VoIP) services such as Skype. All are capable of sharing or transferring data remotely using any number of computing and mobile device apps.

The primary reason for businesses to use [public] cloud storage is that it’s easy and cheap, and requires very little support and infrastructure overheads. But there is a downside: information can be hard to manage and even lost.

Security is also a major concern, as is the inability to display different versions of a file or determine where it is stored. The lack of traceability and the inability to determine where the data is stored (i.e. in the UK, the USA or another global location) make it arguably impossible to monitor or fulfil specific obligations relating to legislative or regulatory compliance requirements.

Private Hosted Cloud

Private cloud storage can take the form of either fully hosted or multi-site distributed data storage.

Examples of private cloud storage are the use of services such as Relativity, which is hosted by Millnet, and a Disaster Recovery facility which is fully hosted and encrypted in a secure data centre out of town.

A reputable cloud provider is likely to have higher data security standards and better back-up and recovery capability than the public cloud, especially if the provider is accredited with ISO or other key industry standards.

However, in hosted environments data is still stored outside the business network, and possibly even abroad, which may contravene regulatory requirements.

In a live-use environment where daily access to data is required, if the internet connection becomes unstable, there may be problems accessing data or business-critical services provided by the hosting provider. Since these services are externally focussed, any disruption becomes very visible.

Due diligence must be undertaken in the case of hosting providers to determine the security in place and storage location of data.

When using external hosting providers, it is also necessary to determine whether the data being hosted is the responsibility of your business or whether the client takes responsibility. There is also a need to focus on ensuring that Service Level Agreements (SLAs) with any cloud providers are strictly adhered to and that, when problems occur, they are quickly resolved.

Private hosted cloud services can also be expensive, depending on the mix of services taken and the amount of data storage required. There can also be issues with substantial, unanticipated hidden costs creeping in.

An example currently in use by an international City-based legal firm

The environment currently consists of an internal cloud which resides on a secure and resilient virtual environment. This hosts the business-critical applications and storage requirements removing the potential risk of the older legacy servers failing.

This environment provides speedy server recovery should restarts be needed.

For DR (Disaster Recovery) and BC (Business Continuity) requirements, the internal systems are further backed up to a separate internal encrypted host environment for local recovery and onward transmission to a secure dedicated data centre repository in the M4 corridor, which provides external DR & BC capability.

This business also utilises an external e-discovery service from a well-known provider, which hosts the large amounts of data processed in some matters.

Conclusion

The external public cloud environment has considerable security inadequacies, which suggests that this use of the cloud does not yet provide the security model that would give a law firm confidence in its ability to meet compliance requirements.

In commissioning private hosted cloud services there is a need to be fully aware of where data is stored and whether security is sufficient. Due diligence should be carried out, and care should be taken to ensure that contracts incorporate fully understandable requirements and are robust, and that SLAs are strictly adhered to. It is also important to understand any potential additional costs, not incorporated in the agreement, that could be levied.

In short, there are still considerable security and compliance concerns in utilising any external cloud-based services, so care is needed over where and for what purpose they are used: in effect, ‘cherry picking’ services that are not business-critical and can be comfortably acknowledged not to breach any regulatory or compliance requirements.