Compliance, the Cloud, and Crazy Talk

As a Doculabs consultant for 13 years, I’ve seen many organizations struggle to contain the exploding glut of content and information we create and store every day. It’s most apparent in regulated industries such as insurance, banking, and life sciences, where compliance requirements change frequently and where mistakes can result in huge penalties.

Regulated content is prickly for a variety of reasons: It may contain personal, financial, or health information, and when companies fail to be in compliance, people go to jail. In the financial services industry, non-compliance could result in great loss; in the pharma sector, promising new drugs are prevented or delayed from being brought to market.

The regulations are both broad and complex and often clearly dictate the conditions within which information and content must be protected.

As a result, many companies have spent vast resources to implement enterprise-class managed repository solutions from vendors like IBM, EMC, and OpenText, but like the regulations themselves, the solution landscape evolves quickly. There are better, faster, and cheaper options for managing regulated content. This includes (you guessed it) storing regulated information in the cloud.

But that’s crazy talk. Or is it?

Many IT executives reject this idea without much consideration. It’s seen as too risky, too soon, too costly, or just plain foolish. Furthermore, many have spent years building and stabilizing their ECM implementations and are concerned about what “starting over” again means to their business customers, their budgets, and, understandably, to their reputations.

I’ve spent a lot of time listening to these concerns and the perceptions about the cloud. I’ve addressed them below.

Is it “legal” to store regulated content in the cloud?

Regulations such as Sarbanes Oxley, PCI and HIPPA are clear about who is accountable for information security and privacy, but where or how your information must be stored is not mandated. It’s critical to understand that regulators are requiring organizations to extend their compliance programs to protect content no matter where it is stored – and this includes laptops, mobile devices, or a data center in the cloud.

In other words, to be “legal” in the cloud, your organization will need to ensure that the cloud provider that you choose will strictly adhere to the same compliance requirements that you are bound to. If your cloud provider flounders, it’s your neck, not theirs.

As more cloud services appear, competition will likely drive vendors to make these guarantees as part of their standard offerings. If not, they risk the opportunity to serve a huge segment of the market. When assessing a vendor’s offerings, always approach the compliance assessment as if it were your own, onsite datacenter.

Is it “safe” to store regulated content in the cloud?

My conversations with executives understandably focus on the fear of non-compliance – the penalties. However, most IT managers I've spoken with understand the potential benefits of off-premises content management, and because of the investment that cloud providers must make in securing their data centers, the risk is generally lower in the cloud than it is on premises.

What are the primary risks?

As I mentioned, I believe that content in the cloud is equally (or more) secure than in a corporate data center. There are some real risks to consider, however. The proliferation of content in numerous different cloud platforms increases the number of instances that could be compromised. It’s an eggs-in-one-basket dilemma. What’s better? A stronger basket, or just more baskets in different locations?

Assuming you prefer the “more baskets” approach, where content is stored in different cloud solutions, what happens during an e-discovery event? You’d have to go to numerous systems to collect content. While this does not differ from an on-premises event where you must work with a multitude of systems inside the firewall, and use various administrative interfaces to do so, in this scenario it is the cloud vendors who decide if, what, when, and where to archive – and sometimes without the subscriber’s knowledge.

From an IT strategy perspective, isn’t it safer to “wait and see?”

Looking at other tech and software segments, and the general outsourcing of enterprise software, the practice of buying hardware, building infrastructure, and administering your own physical servers is becoming less common. These new options are tools in your IT strategy toolbox. And they’re not “coming soon.” They’re here today.

What kinds of new tech should I be watching?

Some of these products are simply managed repository solutions with extra layers of security. Others are products that act as a firewall-outside-your-firewall to monitor and scan the activity around the regulated content you’re storing off-premises.

There are also services that provide industry-specific content management services specifically for regulated content, with solutions for life sciences, manufacturing, and financial services industries. These aren’t limited to repackaged cloud versions of old ECM products; there are new approaches, fresh thinking, many with plenty of promise. Even the ERM vendors are beginning to offer solutions in this segment.

There are also vendors that sell hardware solutions to allow organizations to store regulated content in Box.com or SharePoint Online. To be clear: They don't prevent you from storing regulated content in the cloud; they allow you to do so, safely.

Would the effort to move to a cloud solution for regulated content be like starting over again with ECM?

In some scenarios, yes. But this time around, there is help. As a result of market demand, there are many new vendors, products, and services designed to allow organizations to leverage the benefits of cloud storage, and offering assistance with migration planning and tools for moving content into its new home.

Does the availability of cloud storage vendors, services, and products (for any kind of content) mean I can decommission my ECM solutions?

Probably not immediately, but I recommend that you begin the discussion now.

Today’s concerns about data security, performance, and cost of cloud implementations are reminiscent of the fears and doubts in the 1990s about the safety of e-commerce. There will still be missteps, accidents, penalties and fines—of course, compliance isn’t the result of technology alone.

Overall, storing regulated content in the cloud should be assessed on an individual basis and will always require the same attention given to regulated content stored in on-premises solutions: There must be airtight policy and a solid program of governance that includes communication and training.

It won’t be long until enterprise cloud storage of regulated content will simply be the "new normal."

Rich Medina
Jeff Phillips
I’m a Principal Consultant, specializing in strategies for using ECM tools such as Microsoft Office 365 for information management.