As cloud content management technology evolves, more companies are moving some of their content into the cloud. The standard practice is to keep regulated data, like health care and financial information, hosted in-house while using cloud services for “lesser” data. However, when the proliferation of data that must be readily accessed is combined with customizable security protocols, it’s neither practical nor necessary to keep all regulated data out of the cloud, according to analysts.
With the right security controls in place, using a cloud content management system is “no different than having a server in a building down the street,” said David Horrigan, an e-discovery and information governance analyst at The 451 Group’s research division in New York. “Just because the server is remote doesn't mean you have additional security concerns. There are precautions you need to take, but the location of the server does not create security risks.”
Learn more about effective cloud content management
Discover what the experts say about strategy and governance for cloud content management
Horrigan added, though, that it’s worth exploring the differences between a private, internally facing cloud and public cloud services, including the security protocols that can be enacted for both approaches. In private clouds, he said, businesses have more control over the type of security used.
Private clouds enable users to take advantage of the provider’s infrastructure, firewalls, authentication and security layers as well as such things as virtual private network tunnels and two-factor authentication through RSA, said Neal Lawson, president and co-founder of iDiscovery Solutions an e-discovery consultancy in Washington, D.C. However, with many public cloud service providers, “there’s a generic privacy statement, and you get what you get,” he said.
Data encryption needed, even in private clouds
Encrypting data is a must, even in a private cloud, for two reasons. One is simple security; the other is the government’s ability to subpoena and obtain information from service providers without any notice to the companies using cloud services, Lawson said. “If the data isn’t encrypted, it’s exposed to hackers -- and the government,” he added.
But data encryption can be burdensome when content needs to be accessed quickly for regulatory purposes, Horrigan cautioned. Information will need to be decrypted, and “time is of the essence in regulatory investigations,” he said. “Regulators are demanding [the data] and you need to get it quickly.”
Meanwhile, cloud content management and Software as a Service (SaaS) providers are building controls into their products in an effort to make sure cloud-managed information stays secure.
“Most of the mature infrastructure providers do [include] mechanisms to set in place governance policies,” said Shriram Natarajan, senior director of the cloud technology practice at Persistent Systems Ltd., a software development services company based in Pune, India. Policies might include making sure that only trusted applications are running on servers and putting checks in place to comply with the data security and privacy provisions of regulations such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, which covers personal financial data. For example, Illinois state law prohibits medical records from leaving the state. But a cloud-based hosting provider could set up access control restrictions so that only computers physically located in Illinois could access the records of state residents, Natarajan said.
Lesser content lives comfortably in the cloud
Organizations that don’t want to move all their data into the cloud often start with a hybrid content management strategy, which typically involves putting less sensitive content in the cloud.
“Content that I would define as ‘lesser’ is content that is not personally identifiable information as defined by the federal government [and] data that is not subject to a legal hold” requiring that it be preserved, Horrigan said. “Once you have a reasonable anticipation of litigation … all that data goes out of the realm of lesser content.” For example, a marketing brochure could be considered suitable for storing in the cloud, but if a legal or regulatory matter involving the brochure ensues, keeping it in the cloud may become less appealing. “The point is that data can change from lesser content to very important content depending on the situation,” he said.
To be safe, Lawson suggested treating both types of content equally. “It’s my client’s data, and I treat [lesser content] the same way as regulated data because it’s important to protect client data,” he said.
Christine Parizo is a freelance writer specializing in business and technology. She's based in West Springfield, Mass. Contact her at email@example.com.
This was first published in April 2012