In the Cloud, whose data is it?
I just attended a promotional event by NetSuite in Sydney.
When I got back to the office and started speaking with a colleague about how interesting the NetSuite proposition is, he conveyed to me a horror story he had recently heard about a Cloud or SaaS Customer. It was a small business who had all there business records / erp / gl in the SaaS application and for some reason decided it was time to move on to another solution. Trouble came when they requested their data and the supplier said, “it’s not your data, it’s mine.”
Shock horror I thought. This is supposed to simplify the world for SME’s but now they’re going to need a crack legal team to protect them from the evil cloud. I was a bit shocked at this prospect, so decided to do a little research – kind of a snopes or myth busters act on this loss of ownership of one’s vital business data in the Cloud. Here’s what I found.
You cannot delegate responsibility
According to Garntner’s report on cloud storage, you are still legally responsible for the ability to retrieve data within the relevant statute of limitations. Just because you’ve put your data in the cloud doesn’t mean you are no longer accountable for its accessibility. Should you be involved in some kind of litigation, you must still be able to provide your data to courts.
Even if you’re not involved in litigation, you are required to reain records for many reasons including tax purposes.
Getting your data out of the cloud
Of course we get into the cloud with the intent of staying there. But if circumstances change, you need to be sure you can access your data.
I recommend you plan your exits strategy up front. Don’t wait until you’ve been using the cloud for several years to learn that certain data is not available for export. Try to design a mock migration from your candidate cloud solution back to your legacy or some other solution. Think about the following:
- What data is required for this migration – there is likely configuration data, static data like company definitions and customer data, then actual transaction and balance data;
- Is there an export tool? – most applications will have some user definable reporting capability. What formats are available for reports? Can you get CSV or XML report output rather than output formatted for viewing (PDF)?
- Will the take it offline? – once you’re done with their cloud, will they take it offline or is it still out there?
- Can it be restored? – will the cloud supplier be able to restore your data back into the application in the event you need access to it in the native format?
Standard or Certification
There are a number of standards and certifications for data security that apply to external hosting or external cloud provision. I’ve not checked if these standards address the ability to retrieve or export data from the cloud. I might look at these later. Here they are:
- Statement of Auditing Standards(SAS 70) – full definition from wikipedia . Interestingly, this is not a silver bullet. As with many audit reports, a SAS 70 report will give you their opion on things like suitability of the design of the controls to achieve the specified control objectives. The key question next is, how good are your specified control objectives. So you can’t just look at the SAS70 logo on your supplier’s website.
- Payment Card Industry (PCI DSS) – was created by the global payment services like Amex and Visa to help facilitate the broad adoption of consistent data security measures on a global basis. More can be learned from their website.
- ISO 27001 – is a broad Information Security Management System which is not specifically about external hosting or payment / money related security. However, contains common framework for operating IT in a secure fasion.
Probably more secure than the server in your coat closet
Even with the concerns for this new paradigm, many people are of the opinion that a well run cloud provider will be much more secure than your locally hosted solution in your small data centre (or coat closet). Most SME’s really cannot aford to build and run a system that addresses the CIAs of security:
- Confidentiality – do non business technicians have access to the data on your local server? do you know enough about technology to be comfortable that your local pc support guy has set it up?
- Integrity – can you rely on the quality of the data? do you have an integrated solution or some data in your accounting system, other data in billing?
- Availability – if the power goes out in your coat closet, can you get bills out?
Standard Terms on Data Ownership
If you’re dealing with a mature SaaS or Cloud supplier, they’re going to have standard terms in their contract assuring that the data is yours even though they are hosting it for you.
When you leave your car at the mechanic, do you think he considers it his?
Though I agree with the concern about loss of control of your data. I think the benefits of using the cloud justify the research or due diligence you need to do to assure you retain control of your data and have full access should you decide to exit.