Is your company ready for legal holds and compliance with mobility and the cloud?

Gordon Merrill, MSIA, continues his series on security aspects of operating systems, mobility and the cloud. Everything that follows is Mr. Merrill's own work with minor edits.

* * *

It has not been too long since Google lost millions of e-mails and struggled to get most (!) of them back for customers. Amazon recently had cloud issues in which it was not able to restore all the data its cloud customers had placed on its servers.

I recently sat in on a presentation hosted by the Chattanooga Technology Council called "Cloud Computing: Separating Fact from Fiction." The Google and Amazon situations were discussed in this meeting and IT leaders questioned whether the cloud was secure enough yet for any other than benign data.

Are you ready for the cloud? If so, will you use a public service or a private cloud?

Companies are being urged to go virtual and into the cloud to be competitive. We usually read advice to use private clouds, not public clouds. Controlling our own cloud can afford some degree of protection beyond the security of a public cloud; however, both are reachable through an IP address, which leaves both types of cloud exposed to attack.

But in addition to the security and data integrity questions of cloud computing, legal and compliance issues become more, ah, clouded (OK, more complex) when we enter the cloud.

In the U.S., Sarbanes-Oxley requires total control over your data from origination to destruction. Other compliance regulations have similar restrictions in them that impose various punishments for the breach of company data.

Let's look at the Amazon case, in which several cloud subscribers did not regain all of the data they had placed on the cloud. Where does that leave them? Our digital age has far outpaced the 1986 Computer Fraud and Abuse Act (18 USC 1030(a)) and the Wire and Electronic Communications Interception Law (18 USC 2510 et seq.), leaving major data environments unmentioned and without any sort of legal recourse or protection. Now we are moving fast into the new mobile and cloud age, uncharted territory for legal compliance or recourse. With a legal system that has not even caught up to brick-and-mortar and perimeter security, how can we expect any real guidance as we rush forward into the great unknown?

Imagine that a hypothetical Fortune 250 company, XYZ Essentials, has its data stored on a private cloud on Amazon Elastic Compute Cloud (EC2) when the EC2 system goes down. Suppose XYZ is already under a legal retention order from a court stipulating that all data and records are to be retained with zero destruction until released by the court. Let's take it a step further and say the company is under a federal Department of Justice investigation as well.

• Is XYZ now out of compliance because it lost data when EC2 services went down?

• Is XYZ still responsible for the data it lost after it turned control over to a cloud provider?

• Does handing data to a provider constitute a loss of control from creation to destruction?

• In the brick-and-mortar world, if the lost data were demanded by court order, those data could still be recovered from company-managed backups or by forensic recovery from the hard drives. How do we recover data if the cloud goes down?

In the last of this five-part series, Gordon Merrill looks at forensic issues in cloud computing.

* * *

Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon's information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.


Copyright © 2011 IDG Communications, Inc.