A monthly newsletter focused on real world issues and practical strategies for the e-discovery investigation professional.

In This Issue:

	From the Investigator's Notebook: Cloud Computing – Using Clouds Doesn't Mean Flying Blind
	News & Events

From the Investigator's Notebook: Cloud Computing – Using Clouds Doesn't Mean Flying Blind

Cloud computing is a technology with so much potential that almost every organization should consider how it can help save costs by using virtual storage and processing systems. However, as with virtually every new technology, potential comes with potential new perils – a cloud on the ground is, after all, a fog. The key to capturing the benefits of the cloud environment while avoiding foggy perils is to understand exactly how cloud computing works, ask the hard questions regarding how data will be handled in a cloud environment, and apply cloud computing appropriately based on this information to meet the specific needs of a particular business.

Cloud computing is best understood as a concept rather than a particular technology. Cloud computing involves entrusting electronic data for storage and/or processing to a third-party provider, and then remotely accessing the data "in the cloud" via the Internet. The data is in fact stored on a server—sometimes on a virtual server—operated by the cloud provider, often alongside data from other clients on the same storage services and processors. By allowing clients to pay based on use, cloud computing provides potentially sky-high cost savings to corporations, which can avoid the serious and recurring capital expenditures associated with setting up and maintaining their own servers, such as IT personnel costs. In other words, the users of cloud computing technology pay for what is used. Cloud computing further enables a corporation to quickly and easily ramp up or ramp down computing and storage capacity based on business needs.

Cloud computing has, however, become idealized. Far too often, corporate officers and counsel have gazed into the mist, seen cloud computing's many benefits (and there are many real benefits) and gleefully turned their data over to a cloud provider without a further thought. However, the legal and ethical responsibility to ensure data preservation, security and production in the event of an e-discovery matter, for example, is non-delegable. Thankfully, these responsibilities can be met while capturing the cost-saving benefits of cloud computing by affirmatively taking measures to safeguard data.

Corporations and counsel should ask questions and fully understand the implications of cloud computing for their specific data, before entrusting their data to a cloud provider, with regard to the following considerations:

• Data Location: The nature of cloud computing makes it impossible to fully know, unless you ask, where the data will be physically located. A vendor who wants to obfuscate the actual location can often do so. This is important for jurisdiction in e-discovery – a court in State A may lack the authority to demand the release of data stored in State B (or even more problematic, another country with strict data privacy laws). Pragmatically, the physical location of data matters if a forensic image needs to be made of the data – it is easier to image a server that is near you than to travel across the globe to the server site. Moreover, governmental regulations may have some say in whether you can send particular types of data to various venues.
• Data Security: Corporations have a business interest in ensuring their data is protected. Furthermore, certain data (e.g., credit card and health information) is regulated by laws and contractual agreements that mandate security and confidentiality requirements be met. Accordingly, it is necessary to ask who is going to have access to the data and what security will be provided to ensure the data is adequately protected. In a cloud computing environment, it is vital to think of these requirements before entering into a service agreement. For example, does the cloud provider have a current SAS 70 Type II certificate? Can the provider offer assurance that the portions of the Payment Card Industry Data Security Standards (PCIDSS) they are responsible for are compliant?
• Forensic Investigations: Conducting forensic investigations in the cloud environment is complicated because data that needs to be imaged is often running on a virtual server that is on a physical server that also hosts data (on other physical servers) for other cloud clients. This can make the process of acquiring data in an investigation substantially more complicated. Moreover, there is a risk of inadvertent seizure of data, as demonstrated recently when federal agents executed a search warrant and seized the server on which their target's systems were run. In this case, the agents ended up seizing the processors and data of uninvolved, innocent companies whose systems happened to be on the wrong server at the wrong time. The multitenancy nature of cloud servers necessitates a well-crafted confidentiality agreement between the cloud provider and its clients. You need to be assured that in a situation like this, the cloud provider can protect your data and continuity of operations.
• Cloud Provider Integrity: Keep in mind that not all companies are created equally. As cloud computing has become increasingly popular, more companies are jumping on the bandwagon and offering cloud computing. The proliferation of cloud service providers increases the need for corporations to do their due diligence and vet the company that is going to host its data. Ask about the company's experience, reputation and financial stability. In the event that a cloud provider does go out of business, develop a plan for what will happen to your data.

There is no good reason not to fly in the clouds and capture the inherent benefits of cloud computing. Forward-thinking corporations and their counsel will be able to mitigate the risks associated with cloud computing in the same way that the risks associated with in-house data management are mitigated – by crafting a proactive and informed data management plan. Knowledge is the best fog lamp, and the key to successfully using cloud computing.

Special thanks to Alan Brill, Kroll Ontrack, Senior Managing Director, for his contribution in writing this article. Mr. Brill specializes in technology security issues and high-tech investigations. He can be reached for question or comment at abrill@krollontrack.com for questions or comments..

Back To Top

News & Events

Join Kroll Ontrack at LegalTech West 2009 Litigation Technology Workshop and Earn an ESI Technology Certificate
Kroll Ontrack will be exhibiting at LegalTech West 2009 – June 24 and 25 in Los Angeles, California. We invite you to the conference and our booth #104 to learn about our discovery, computer forensics, electronically stored information consulting services and trial services.

While at the event, don't miss the Kroll Ontrack-hosted Litigation Technology Workshop. Today's volatile economic climate challenges corporations and law firms to do less with more; budgets are shrinking while data proliferation and the threat of sanctions due to improper ESI handling are on the rise. Become a skilled member of the litigation team in just one day, learning about everything from preservation duties to cutting-edge search tools. Attend one, two or all three courses. Attendees to all three courses will earn the Kroll Ontrack ESI Technology Certificate. The following targeted tracks will be presented by a panel of ESI experts:

• Track 1: An Ounce of ESI Preservation is Worth a Pound of ESI Cure;
• Track 2: Skilled Data Management – Processing, Review and Production Practices; and
• Track 3: Document Review – Establishing the Team & Utilizing the Technology.

For more information on the show or for tickets, please visit www.krollontrack.com/redir/ltw-invins_061609.asp.

Meet our representatives at the following events:

Visit www.krollontrack.com/upcoming-events/ for more information on these events and others.

Back To Top

We Request Your Input

This newsletter was written by Kelly Kubacki and Meridith Socha, Kroll Ontrack Law Clerks, with assistance from Regina Jytyla, Kroll Ontrack Managing Staff Attorney. Ms. Socha can be contacted by writing to msocha@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.