The Pros and Cons of Cloud Computing: Part 3

Here is Part Three of our four-part informational series on cloud computing.


Probably one of the biggest obstacles an organization faces when moving information to the cloud is recognizing that it has delegated control of that information to somebody else. This is especially sensitive for records that contain personal payment information or health information, records that are protected by legal privilege, and other confidential records. Within the organization these materials may be protected through strict access controls, enforced policies and carefully designed procedures. When the information is shifted to a hosted environment, few of these controls may exist. This requires a careful evaluation of all of these areas with an eye toward managing the risk associated with a data breach. Hosting platforms and ASPs will have their own policies and procedures, and these should be reviewed as well.

It is important to note that there should not be an expectation that internal controls and policies can be universally duplicated in a hosted environment. After all, the platform is quite different, and maintaining it will require access by third-party employees. At a minimum, it is safe to assume that any potential vulnerabilities, or “red flags” in Federal Trade Commission parlance, that exist within your own operation will also exist within the hosted environment. The list of items to check should start there and expand to include other vulnerabilities that exist because of the dynamic storage environment.

To illustrate how difficult this problem can be to pin down, it is helpful to think in terms of applications that have existed in the cloud for some time. Many people have some type of online mail account, such as Gmail or Yahoo Mail. This application is hosted on a remote server, and emails moving through the account probably contain sensitive information from time to time. It would be very unlikely that 1 person in 1,000 could accurately name the location where the data is being hosted. It is even less likely that anyone currently using this type of account could articulate its confidentiality policies. Clearly this is not a perfect example, since these types of services are provided as a convenience to consumers; however, the same difficulties in tracking the actual storage location, policies and internal procedures governing the maintenance of this information still apply. Where chain-of-custody issues come into play, can the hosting company actually provide a list of all persons who may have had access to hosted data within a fixed period of time? Have they moved data to a different hosted location without your knowledge? Is it even practical to inspect a facility where data is being hosted? These and many other items are important considerations when evaluating cloud storage.

This series is courtesy of PRISM (Professional Records & Information Services Management).
