
July 28, 2010

Digital Breadcrumbs: Audit Trails in the Cloud

Joshua Geist

Data verification, audit trails, e-discovery, and compliance officers are all terms very familiar to the enterprise market, and the larger the organization, the more focus there is on ensuring a fully compliant computing environment. The end game is always the same: ensuring a company that can withstand any kind of public or private scrutiny, and a business that delivers strong ROI for its stakeholders.

Most enterprises are required to maintain strict data retention policies for up to 7 years and often beyond.  Still, large companies are not the only ones that are subject to regulation or compliance requirements. Their smaller mid-market counterparts are just as likely to be subjected to strict guidelines and scrutiny when it comes to their backed up and archived data. 

Typically, mid-sized and enterprise organizations can easily prove data integrity and assurance to a compliance officer, auditor or stakeholder, because they can show where their data physically resides and who has direct access to it. The ability to walk an auditor into the server room and show the rack that holds the server drives that hold the organization's data, along with the "who has access" list, has for years been the standard practice for a data audit trail.

Now, however, with the emergence of the public cloud, the world of data assurance has dramatically changed. For example, if an organization were to archive its data to Amazon's S3 cloud and a year from now needed to provide an audit list, it would find itself in a precarious situation. The company couldn't simply knock on Amazon's door and ask to see who accessed its data during the last 3 years. Public clouds weren't designed for that. They are built to provide easy access to lots of data (securely of course) through multiple tools and points.

The ability to audit, or auditability, is critical and is lacking in the public cloud.

There are 3 key areas that an enterprise needs to assess when it looks at utilizing the public cloud to store its data:

1. Regulatory compliance and the ability to audit their data
2. Vendor lock-in
3. Information control and access

Regulatory compliance and the ability to audit data  

Storage and cloud companies are starting to take this matter seriously as they realize that simple data warehousing is not the solution.  The realization is setting in that digital breadcrumbs, and file and session tagging will become the key to enterprises confidently adopting available cloud technologies.  Look for solutions from companies focusing on this space to emerge in 2010, and as they do so, the landscape for data storage assurance will change dramatically. 

Businesses will then flock to the cloud knowing they can store their data in an auditable and compliant manner, and can rest assured that any e-discovery requirements or compliance tests they encounter can be easily accommodated with confirmed receipt of when the data was stored, by whom, and that it has not been touched since the date it was archived.

Vendor lock-in

Vendor lock-in is always a big challenge for the enterprise and something that always needs to be considered when faced with a purchase decision. Past situations where companies were forced to pay for years for upgrades and updates to a vendor's proprietary software are often top of mind for many CIOs and CFOs. In today's world, with so many choices and a constantly and rapidly changing technology landscape, companies should strive to ensure that they don't get locked into one particular vendor, particularly when it comes to anything cloud. Put simply, CIOs need to ensure that they can easily migrate their data to their vendor of choice, when they want, under terms that are never punitive. And those operating in the cloud industry and serving the mid and enterprise markets need to be able to provide portability of their stored data from one cloud to another should the customer want this.

Information control and access

Information control and access have always been requirements within the enterprise network, and most vendors have provided rich feature sets and capabilities within their data and document management tools. With single admin access and no advanced capability to tier access to the data, cloud providers are going to need to step up in a similar way if enterprises are to adopt cloud storage solutions. The alternative is for cloud and storage vendors to take this responsibility on themselves and build out their own access management tools that tie into the public clouds. Look as well to recent industry announcements for advances in the control and access space and for solutions that allow the enterprise to garner the control they need and are accustomed to.
