Cloud Provider Due Diligence: Protecting Your Data

My last post discussed the viability of assessing a cloud provider’s financials as part of your due diligence process, and I concluded that requesting full access to a cloud provider’s financials is simply not a reasonable request to make of a privately held company.

How can you entrust your data to a company whose financial health you don’t know, you ask? You plan for the worst. Expect that the company will fail without warning, and plan accordingly.

To be prepared for this eventuality, look for the following in your prospective cloud provider:

Data Backup in Open, Non-proprietary Formats. Your cloud provider should allow you to back up your data in an open, non-proprietary format at any time. Open, non-proprietary formats can be read by standard software without the need for de-obfuscation or decryption – examples would include Comma Separated Value (CSV) or Extensible Markup Language (XML) file formats.

Having your data in this format is crucial for two reasons. First, in a pinch you can view and modify your data yourself: if your cloud provider blinked out of existence, you would still have the ability to review your documents, matter list, and calendar, independent of the cloud provider. Second, and crucially, should this deleterious event come to pass, you can migrate this data to an alternative cloud (or on-premises) provider.

Data Escrow. The problem with remembering to back up your cloud data is the same problem all manual backup processes suffer from: you forget to do them. Data escrow is an innovative solution to this problem whereby the data you hold with your cloud provider is continuously replicated to an independent, third-party storage provider. Should your cloud provider fail for any reason, your data will remain available with the escrow provider indefinitely. As with manual backups, you should ensure your data is escrowed in an open, non-proprietary format.

While these provisions don’t completely eliminate the impact of having one of your cloud providers fail, they reduce what could be a business- or law-firm-destroying event to an inconvenience. And, more importantly, they allow you to entrust the longevity of your cloud-based data to a provider whose financial position might be unknown (which, as I argued, will be the case for virtually all cloud providers that aren’t publicly traded).

With backups available in an open, non-proprietary format or, better still, via data escrow, you can rest assured your data will persevere even in the face of a complete failure of your cloud provider, for business reasons or otherwise.
