Thursday, December 18, 2008

Data in the Clouds with Casdex

From a legal point of view, if you work for a publicly traded company, you must meet certain terms of compliance. However, even if your organization is compliant while using a cloud service provider, the big question remains: who is liable for the data? There is always a risk when using a provider, but David Barley, Chief Technology Officer for Casdex (a digital archiving firm that also ensures full compliance and security), said, “At the end of the day, if your organization does experience a data loss, you want to be able to prove what happened. Whether it’s an act of God or an error, things happen.”

For instance, when you use Google e-mail, you’re using a free service. If there’s downtime, Google doesn’t have to communicate with its users. Barley stresses the importance of trust while performing business operations in the cloud: “If you have the information you need and you have a trusted relationship [with your provider], it makes it easier. When you join with a provider, you’re joining a business relationship. It’s your company, but the service providers need to be able to help,” said Barley.

Before committing to any data storage provider, there are a few questions you should ask of the service. Barley said you should be clear on exactly what the service provider is offering: data storage, e-mail, transactional data for the database, archiving and long-term protection of data? Even though you may choose to go with a service provider brand name you trust, Barley stresses the importance of learning more about the people running it: “Have they run IT shops in the past? Managing storage at the enterprise level is a different skill set.” Most importantly, what are the rules in place to get access to your data? “Information is your most critical asset. Even if you operate a dry cleaners, your contact list, your list of customers; that’s your gold,” said Barley. You want to be sure you would be able to retrieve your data in the event the provider is no longer in business. “Are they using fly by night facilities?” These are some things to watch out for, as you want your provider to be readily available to you when you need to access your data. Barley said, “What types of guarantees do they offer? Things happen; companies go out of business. How do you get your data back?”

The Linkup, formerly known as MediaMax, allowed users to back up and share files online, but then lost 45 percent of their customers’ data. They had about 20,000 paid, disgruntled subscribers. Much of the error was a result of all of the data being on a few computers instead of a system where the data is spread out and stored at several locations. “Casdex’s data is in more than one place because it has to be.” As an archive data company, most of their customers’ data does not need to be pulled for everyday business use, but more for auditors. That’s why the data is stored in different locations, so if access to Los Angeles is busy, you can be redirected to Las Vegas.

Casdex has set up an escrow account, a fund that is set aside for your organization, for the worst-case scenario in which they would go out of business. The funds are set aside as Casdex’s guarantee to continue to run your services for a period of six months. Within those six months, you would be able to go into the service and download your data to retrieve it.

In the past, companies backed up their data in filing cabinets, offsite paper file storage facilities and onsite with CDs or thumb drives. Now, with an increased risk of data theft, new government regulations and natural disasters, an increasing number of businesses need digital archiving. Casdex offers an Internet storage solution to provide proof of authenticity in court and guarantees that the data has been accurately reproduced. Casdex’s digital archiving solution allows businesses to maintain full compliance with federal regulatory retention policies outlined by the SEC, HIPAA and SOX. When archiving a document, the owner may program the retention time, at the end of which the document is both destroyed and deleted from the server.

There are several different regulations that most companies need to comply with, covering retention policies, granting access, etc. “But when you turn on compliance, retention policies tend to change,” said Barley. Casdex can prove with hashes that your data is the same file that it was three years ago, whether to prove compliance or for court cases. With data archiving, it’s important to be able to verify that the data you stored ten years ago is the same data today. HIPAA states that the files stored can’t be read by third parties and that the data must be deleted after ten years, so there are mechanisms in place to enforce these rules. Barley said, “Everything is logged, and you can’t tamper with them. If you want to meet these regulations, you need these mechanisms in place. You need these log reports to prove compliance, which is as simple as logging into the portal and pulling the report yourself.”

Kristen Romonovich is Associate Editor at the Computer Security Institute. She is dedicated to secure green computing, compliance in the cloud and the security of mobile devices. Learn more at our upcoming conference, CSI SX: Security Exchange, May 17-21 in Las Vegas.
