- July 16, 2020
- Bill Tolson
- Information Security
- Lawful Access to Encrypted Data Act
The cloud is an obvious candidate for storing vast amounts of email, files and other forms of unstructured data for compliance. Organizations in highly regulated industries such as financial services, healthcare, government, and energy are very familiar with the regulatory rules that require secure retention of electronically stored information (ESI). However, before you proceed it’s a good idea to carefully review some of the basic requirements for compliance archiving in the cloud.
Is my data secure?
The leading measure of security for cloud providers is the Statement on Auditing Standards No. 70 (SAS 70). SAS 70 defines the standards that an independent auditor must employ to assess the contracted internal controls of a service organization, which include controls over IT and associated processes. The Sarbanes-Oxley Act (SOX) of 2002 placed chief executives and company auditors under the regulatory microscope and brought SAS 70 to the forefront.
Under SAS 70, auditor reports are classified as either a Type I or a Type II report. In a Type I report, the auditor evaluates the controls a service organization has in place at the time of the audit to prevent accounting inconsistencies, errors, and misrepresentation. An SAS 70 Type II report includes the same information as a Type I report, but in addition the auditor attempts to determine the effectiveness of the agreed-upon controls by testing them over a period of at least six months.
Where is my data?
Because some government regulations place geographic limits on where compliance data may be stored, regulated organizations must always be aware of where their data resides. The EU Data Protection Directive (Directive 95/46/EC) requires member states to ensure that a third-party country provides “an adequate level of protection” of personal data before the member can transfer data to that country.
When considering a cloud service provider, it is important for the data owner to ask where the data will be stored. Large service providers, such as Microsoft Azure and Amazon AWS, have data center locations worldwide, so data can be located according to your geographical requirements. Specialized service providers also provide a choice of storage sites and offer specialized configurations to ensure that compliance data is not co-mingled with other clients’ data.
How fast can I retrieve my data?
The speed at which data can be retrieved from the cloud is an important consideration for cloud archival. If trouble should arise with courts or regulatory bodies, retrieval speed can make the difference when fines or penalties are at risk. We recommend that you address the issue of retrieval speed directly and run your own tests to verify vendor claims. We also recommend that you ask each vendor for its Service Level Agreements (SLAs) regarding retrieval speed. Cloud providers deploy different technologies for indexing, search, and production, and each of these affects the speed at which you can access archival data for legal discovery or regulatory audits. Demand strong SLAs to ensure that you can retrieve the data you need, when you need it.
Archive360 Compliance Archiving in the Azure Cloud
Cloud compliance archiving offers attractive price points compared to traditional on-premises compliance archival. However, it carries with it the need to carefully review important issues of security, data location, and data retrieval. At Archive360, we believe that cloud compliance archiving is the perfect solution for long-term retention of compliance data. Archive2Azure is our new cloud compliance archival solution that offers significant cost savings while providing data security and fast access to data. To learn more about Archive2Azure, contact us.