The Critical First Steps Towards Leveraging the Public Cloud to Meet Electronically Stored Information (ESI) Compliance Regulations

A Q&A with Bill Tolson, vice president of marketing at Archive30.

Q: Healthcare, financial services, the public sector and other highly regulated industries/sectors face increasingly stringent and oftentimes complicated compliance regulations around the secure long-term retention of electronically stored information (ESI). Yet, the undeniable benefits of the public cloud such as cost advantages and elastic scalability are compelling business, compliance, legal and IT professionals to explore it as a viable solution. What advice are you offering customers as the critical first steps in this process?

A: Today, two of the most common questions we receive from customers are: Should we move our data to the public cloud? And, if so, which one? The first piece of advice we offer is: Be aware that all public cloud providers are not alike. The second is: Do your homework.

We arm our customers with what we view as the top three questions: Is my data secure? Where is my data? How fast can I retrieve my data?

Q: For security, what should customers look for or be asking?

A: We first advise that customers facing ESI compliance regulations fully understand the Statement on Auditing Standards No. 70 (SAS 70). The Sarbanes-Oxley Act (SOX) of 2002 placed chief executives and company auditors under the regulatory microscope, and brought SAS 70 to the forefront. For cloud providers, this is the leading measure of security. SAS 70 defines the standards that an independent auditor must employ to evaluate the contracted internal controls of a service provider. This includes controls over IT and associated processes. Under SAS 70, auditor reports are classified as either a Type I or Type II report. In a Type I report, the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors, and misrepresentation. An SAS 70 Type II report includes the same information as a Type I report; but in addition, the auditor attempts to determine the effectiveness of agreed-upon controls by testing them over a minimum of six months.

Q: Certain industries and government regulations have placed geographic limits on where compliance data may be stored. What advice do you offer in this area?

A: Yes, this is a critical, yet frequently overlooked, requirement – especially as it relates to the public cloud. Regulated organizations must always be aware of where their data resides. For instance, the EU Data Protection Directive (Directive 95/46/EC) requires member regions to ensure that a third-party country provides “an adequate level of protection” of personal data before the member can transfer data to that country.

It is important that when considering a cloud service provider, the data owner should ask where the data will be stored. Large service providers, such as Microsoft Azure and Amazon Web Services (AWS), have datacenter locations worldwide so that data can be located according to your geographical requirements. Specialized service providers also provide a choice of storage sites and offer specialized configurations to ensure compliance data is not co-mingled with other clients’ data.

Q: And, the last question on your list – can you explain why the speed at which you can retrieve data is important?

A: Retrieval speed is a critical consideration in choosing your public cloud provider. For instance, if trouble should arise with regulatory bodies or the courts, retrieval speed can make all the difference in the avoidance of potential fines or penalties. It is important that you ask each vendor for its Service Level Agreements (SLAs) regarding retrieval speed. Cloud providers deploy different technologies for indexing, search and production – each one can affect the speed at which you can access archival data for legal discovery or regulatory audits. Demand strong SLAs to ensure that you can retrieve your data when and where you need it.

Bottom line, for the shrewd organization, don’t only ask the questions but verify each answer directly by running your own tests to validate the public cloud vendor’s claims.


WWPI – Covering the best in IT since 1980