Yes it is July 4th, but I thought I would write a brief piece describing what my practical experience has led me to believe are some of the incredible discovery and risk management related benefits of having one's enterprise infrastructure reside in the cloud.
This piece is merely soundbite of a much more deeper discussion and I relish the opportunity for constructive debate and dialog. Please don't hesitate to reach out or comment if you concur or have differing opinions, let's chat and share experiences.
....and Happy Independence Day! It's not just about fireworks, cold beer and hot dogs...it's about freedom for all!
The possibility of point and click legal hold implementation.
Properly implemented and managed, a cloud based corporate computing environment can provide many financial, legal and operational benefits. Centrally managed virtual desktops and servers accessible through secure, encrypted connections, can virtually obviate the need for custodians to take individual action to preserve data potentially responsive to litigation matters.
Organizations that have migrated their computing environments are beneficiaries of expedited legal hold management processes that reduce or eliminate the need for custodian involvement. This is possible because infrastructure in the cloud means that IT administrators, at the direction their legal departments and outside counsel, can more quickly identify and target individuals, departments and specific cloud based environments containing potentially relevant data for “snap shotting” and templating – real time processes that can replicate vast quantities of targeted data to legal hold staging storage environments.
Virtual desktop snapshots are file-based captures of the state of a custodian computer, the custodian data, and HW/SW configuration of the custodian’s virtual machine at a point in time. It essentially is a forensically sound picture of all of a custodian's information assets. One can take multiple snapshots of multiple custodian’s virtual machines, even while they are on-line and running, thereby preserving a target group’s computing environment and data. To effect the same process with a physical desktop or email servers, one would have to create a forensic image of the hard disk and collect data from a variety of non desktop related locations, a process many of us are all too familiar with.
Cloud based legal hold implementation achieves one piece of the panacea-like vision of “removing the onus of data preservation from individual custodians”. While the well-established corporate and legal obligations to notify and monitor custodian compliance related to data preservation activities remains the same, the organizational level of effort and spoliation risks are dramatically reduced by leveraging the enhanced functionality of cloud based environments. This is not to say that data or challenges resulting from the co-mingling of business and personal content on BYOD and home devices germane to a legal process will suddenly cease to exist. The reality is many organizations will experience a reduced LOE (level of effort) but for many others, these challenges won’t go away anytime soon.
Dynamic data mapping.
The complexity of legal disclosures related to the identification of relevant custodian and non-custodian based data sources implicated in discovery, a process driven by data mapping, changes significantly when all the data within an organization’s legal control is in cloud based data center environments. With cloud infrastructure, the ease with which an organization can identify and enumerate relevant cloud based email, individual virtual desktops, collaborative systems, file shares, application servers and enterprise content management systems is unprecedented.
Many organizations have or are currently embarking on mass IT outsourcing initiatives where they have vendor managed infrastructure. The legal data mapping requirement should always be a main consideration in the (SLA) service level agreements that corporations have with the IT outsourcing vendors managing their infrastructure. It should be maintained real time and available to legal and records management departments on a self-service basis as a graphical report with ample metadata statistics about content, volumes, ownership, location and other metrics.
While the above data mapping scenario works like a dream for organizations that have direct physical or virtual control over their cloud infrastructure and environments, it collides with the stark reality that there will be relevant information in possession of 3rd party custodians and peripheral BYOD and home based devices as mentioned above and as previously mentioned, challenges of this nature won't soon disappear.
Point and click collection & preservation.
The very nature of how modern cloud based enterprise environments are provisioned for use by an organization defines how collection and preservation in the legal context can take place. This is because a critical requirement for the successful implementation of any enterprise computing environment whether it is cloud based or not, is “system availability”.
Back in the late 80’s and throughout the 90’s, we IBM mainframe folks touted “RAS” as a key benefit of IBM systems. RAS, which is also a short form of term Rastafarian, is in this context an acronym for system “reliability, availability and serviceability”. In order to have enterprise system availability, there has to be a recovery strategy driven by discretionary and nondiscretionary backups, redundancy and infrastructure failover.
Cloud based systems incorporate RAS by having various tiers of SLA’s that provide for alternate paths of high speed connectivity, power sources and infrastructure redundancy depending on the needs and desires of the customer. This ensures that in the event an earthquake were to knock out a facility, the cloud service customers experience minimal or no outages as their backup systems kick in. It is this fundamental non-discretionary, operational backup and disaster recovery functionality that has given rise to highly scalable, defensible and cost effective cloud based collection and preservation of content.
Whether it’s a granular collection of custodian email boxes from multiple cloud based email systems or the cross border preservation of a hundred terabytes of content prior to conducting GDPR anonymization, cloud based data management is the answer. One can instantly preserve and collect content or capture the state of an application environment by taking a logical picture of it and securing it near-line in a secure backup environment.
Reduced cyberattack surface area.
In the information security world, the term “cyberattack surface area” loosely refers to the exposure points through which bad actors can penetrate enterprise infrastructure in order mount cyberattacks. For example, when one thinks of a traditional enterprise with lots of devices (mobile devices, desktops and laptops), information security experts see “lots of cyberattack surface area” made available by the presence of disparate devices, operating systems, login protocols, networks and supporting applications. Making things more complex is the fact that an organization's governance and policy layers which may or may not have kept up with infrastructure or fast moving regulatory changes governing data management.
Contrast the above scenario with a cloud based, virtual data center environment comprised of virtual desktops, servers and computing environments governed by uniform security, access and data governance protocols. The very nature of today's modern cloud based environments reduces the cyberattack surface area through which cyberattacks can be mounted.
The other key point about cloud environments is that sensitive data proliferation can be limited. This is a concept that can have significant implications on how information is produced to 3rd parties, how protective orders are negotiated, how litigation document review can be conducted by law firms in matters involving highly sensitive intellectual property and how damages or other experts from various and sundry disciplines can access content.
Financial benefits – where Ray Kroc meets the virtual data center.
With cloud infrastructure, any organization can stand up a secure data center within 24 hours or less with hundreds of terabytes of high speed SSD storage, multiple 40GB backplanes and unlimited amount of processing power, memory, virtual network switches on any OS they desire. Together with the right solutions architects, organizations can scope, build, test virtual environments and move from test to production in record time. They can have servers capable of collecting, de-duplicating and applying advanced analytics to tens of terabytes of unstructured data a day. These virtual servers can be stood up and made functional for any data intensive initiative in a matter of hours for any client anywhere in the world.
This incredible uniformity of virtual server and environment functionality is the data management equivalent of a fast food connoisseur ordering and getting the same Big Mac® in NY, London and Tokyo. The server and desktop templates used for collection, processing and analysis of data can be ported to multiple jurisdictions, using the same equipment, same software, implemented and run by the same skill levels; we'd simply deploy identical computing environments in 3 continents...remotely and subject to the local data management laws and rules.
Did I also mention the reduced cost of total ownership and the conversion of capital expenditures to operational expenditures?
There's a lot to be said for moving to the cloud, especially when it comes to creating heightened efficiencies, cost containment and managing risk. Seeing and feeling is believing, so if you’d like to learn more about cloud based collection and preservation infrastructure models, have us lead a seminar on information governance for your IT leadership teams or even provide you with a Legal Data Lifecycle™ use case pilot environment. Start your journey by contacting me at the coordinates below. - Rich
Holistic Information Governance as a Service
Litigation/Arbitration | Merger, Acquisition, Divestiture Data Migration | FTC / DOJ 2nd Requests
Rich E. Davis
Davis & Associates, LLC © 2017