Cloud Computing and E-Discovery

"Those who look to the Heavens prosper, those who defy it are no more." 

Cloud Computing is a large and highly scalable distributed delivery model for IT services which provides over the internet virtualized resources. The National Institute of Standards and Technology defines it as a "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” “Clouds” act as virtual data centers for off-site companies in which expertise and infrastructure control are relinquished to the “Cloud” and storage and or manipulation of data are no longer executed on site but rather on the “Cloud”.
Why is this paradigm shift from physical to virtualized computing so important?  There are many reasons but few are paramount for businesses to thrive in this economic downturn:
- Scalability
-“Unlimited” storage
- 24 hour support
- Security
- Diminishing need for physical assets (CAPEX)

With increasing amounts of companies utilizing cloud services offered by Microsoft, Google, and Amazon among others, there is a growing need to readjust and redefine how e-Discovery is being done on “Cloud” data.  

Can eDiscovery be done on virtualized data? Can the ESI discovery process be compliant with the Federal Rules of Civil Procedure (FRCP)?
There are different types of Cloud systems but only two of them will be discussed today:
Public Cloud (Amazon EC2, Google, etc…)
Private Cloud (Microsoft Windows Azure, IBM CloudBurst, Eucalyptus, Elastra …)

A Public Cloud computing system, such as Amazon’s EC2, provides dynamically provisioned resources on a self-serve basis in an environment where data from multiple users is fragmented across common data centers. They use shared resources which can be very efficient for companies not requiring security and access control requirements compliant to e-discovery standards. For instance, Amazon states in their Web Services Agreement in section 11.5 that

“WE AND OUR LICENSORS DO NOT WARRANT THAT THE SERVICE OFFERINGS WILL FUNCTION AS DESCRIBED, WILL BE UNINTERRUPTED OR ERROR FREE, OR FREE OF HARMFUL COMPONENTS, OR THAT THE DATA YOU STORE WITHIN THE SERVICE OFFERINGS WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED”

Cloud data is neither here nor there meaning that your data may be partially located on a physical server in another state or country. Consequently, your data is liable to privacy laws that may or may not differ from state to state or country to country. This brings into question the validity of your data and how your data can comply with National security regulations. Furthermore, in the event that your data needs to be purged, there needs to be an assurance that all data has been wiped from the data centers.

A private cloud system is very similar to a private cloud except that the provisioned resources as well as the data centers are reserved for selected users. EBay, for instance, has signed an agreement with Microsoft to adopt the Windows Azure private cloud system in which the data centers used by the platform belong to EBay. Unlike public clouds, your data is not stored on shared centers and therefore potentially more secure.

There are many benefits to cloud models such as scalability, cost efficiency and collaboration. However, the lack of well established archiving, logging and security protocols lends to a risky e-discoverable platform where spoliation, whether it be intentional or involuntary, may occur at a moment’s notice. Fortunately, protocols are being developed such as the CSA Certificate of Cloud Security Knowledge (CCSK) which “is designed to ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud”. The trend to have promote data security while lowering costs through clouds is also being actively addressed by the European Network and Information Security Agency (ENISA)

References:

http://www.cloudsecurityalliance.org/pr20100728.html