May 25, 2009, 10:09 AM — Cloud computing has become a major buzzword in recent years, and the concept does have a compelling argument. It reduces reliance on internal resources, cuts down on manpower requirements, and lets somebody else worry about administration and about fixing problems. On the other hand, the fact that somebody else is worrying about all those things may well be a very big downside as well.
When implementing cloud-based backup, the solution will please some but annoy others. One of the first to complain will be the compliance officer, who must ensure that all data storage, backup, and archiving strategies are in line with the many different regulations and internal policies that govern how data is stored and for how long. As such, it may be necessary to revisit the cloud decision when it relates to data that falls under one or more of these regulations.
Ensuring compliance that relates to data storage is hard enough when storage is internal, but when using a cloud system, you’re relying on the provider. If you’re in healthcare for example, your internal strategies revolve around HIPAA, but if you’re a cloud provider, technically you’re not bound by the regulation. Because of these regulations, you will typically have to have a long-term data retention policy. Can an online backup service meet such a long-term commitment? There have been several online backup services, including those run by very large companies such as Hewlett-Packard (with its Upline service which was shut down earlier this year), which have clearly been unable to meet long-term storage strategies.
Lastly, one must also consider access—if using an online backup service, who has access and how is it governed? Compliance with HIPAA and other regulations call for strict access controls to be in place, often going beyond simple memorized password access (in some cases, two-factor access may be called for). In short, there are several questions regarding cloud storage in environments that are regulated by compliance legislation such as HIPAA or Sarbanes-Oxley, making a strong case for continuing to manage it in-house.