IN-HOUSE & CLOUD STORAGE SOLUTIONS


We provide design, installation and maintenance of data storage systems that perfectly meet your company's needs.


Trust us to recommend, set up and manage the most suitable data storage options to not only meet your existing requirements but to also allow scalability for future growth.

Identifying your Data Storage Needs

The first and foremost factor when considering whether to use a cloud-based data storage service vs an in-house data storage service is the extent to which the privacy and security of sensitive data can be maintained.

This is particularly important for businesses that need to comply with specific confidentiality obligations.

The following are options for maintaining the highest level of control and confidentiality over crucial data.

Option A: Choose a cloud-based provider that can effectively minimize the inadvertent disclosure of sensitive, identifying and/or confidential information, either internally or externally.

Option B: Keep equipment and software in-house, and have policies and infrastructure in place to minimize inadvertent disclosure of sensitive, identifying and/or confidential information.

Option C: Use a hybrid data storage solution that combines cloud-based services for non-survivor data with in-house systems for sensitive, identifying and/or confidential information.

In-House Data Storage

In-house equipment and software includes dedicated servers and on-premise setups and applications.

Benefits of In-House Data Storage

Control: For the most part, if a business owns its equipment and the software, they have full control over the data, from determining who gets access to when the data gets deleted.

Flexibility:  Businesses may be able to make changes without having to wait on an external company, to the extent that technology is maintained by well-trained, on-site staff. Businesses may also have more flexibility over customizing certain features.

Confidentiality & Privacy: Since both equipment and software are in-house, the business itself can determine who has access, when information can be disclosed, and how to adjust security and privacy policies based on what they are doing.

 

Drawbacks of In-House Data Storage

Cost: Purchasing and maintaining equipment and software may be much more expensive than using cloud-based services. Businesses should take into account the “total cost of ownership” including upgrades to equipment and software, on-going training for front-line and administrative staff, as well as IT staffing and security.

Staffing: Businesses will need to hire IT staff or an external IT consultant to maintain and update equipment and software including servers, networks, databases and back-up devices. If an outside vendor, consultant or volunteer maintains these systems, policies and procedures should be in place to protect sensitive data, clearly communicate expectations and spell out consequences for data breach.

Security: Businesses still need to ensure that they have policies and infrastructure in place to secure sensitive data. Policies should include access levels, user passwords, and retention and destruction guidelines. Infrastructure includes servers, networks, back-up devices, and software updates to maintain databases and protection against breaches and malware.

Cloud Data Storage

Cloud-based products can include online data storage services, cloud-based databases, cloud-based communication tools, or cloud-based office products and software solutions.

Benefits of Cloud Data Storage

Cost: In most cases, cloud-based services are less expensive than purchasing an in-house server, database, and software.

Maintenance: With cloud-based services, the business is responsible for maintaining and updating the equipment and service.

Security: In general, cloud-based providers will have basic security in place to protect the data they are storing. The level of security will differ depending on the type of service; some services may have stronger security than others. Even major cloud-based providers have experienced breaches and hacks, however.  

Adaptability & Flexibility: Depending on the service, a business may be able to increase or decrease storage size, number of users, or add or remove features based on changing needs.

 

Drawbacks of Cloud Data Storage

Access by the Cloud-based Provider: Cloud-based providers store data created by a business, and most providers can themselves also access that information. This can be extremely problematic, particularly when the data contains survivors’ personally identifying information (PII). Businesses must consider the degree to which the cloud-based service is secure, how the company might purposely or inadvertently share data, and how much control the business has over access to and retention of its own data.

Many cloud-based providers don’t actually own the servers where the data is being stored, but rather contract with yet another provider/company for the data storage and that company may have different policies and practices around security and access. These companies may state that their employees are not allowed to access customer data, but that doesn’t mean that they can’t access it. While this access could be necessary as part of their business practices or for maintenance purposes, the ability of a third-party such as the cloud-based company or its employees to access any PII about survivors would be a violation of confidentiality laws.

As an added protection, some cloud-based providers offer what is called “Zero Knowledge Encryption,” which means that the provider has zero knowledge of or access to the agency’s data. With zero knowledge systems, the agency retains complete control over the data by maintaining the encryption key to its own data.

Even if they can’t access the sensitive data itself, cloud-based providers may collect information such as usage, user accounts, and IP addresses and share this information with affiliates and other third parties, such as advertisers. Businesses that are considering using cloud-based services need to be aware of all the ways in which cloud-based companies may access and share their data.

Business Access: In addition, the business must still manage access in-house by staff, volunteers and any IT consultants. The ability to access data from anywhere is one of the often-touted features of cloud-based services. This is also one of its major drawbacks when prioritizing the confidentiality and security of survivor and agency information. The more access points to the data, the more vulnerable that data is, and the more opportunities exist for that data to be disclosed. Businesses will need to develop policies and best practices on the security of agency devices and networks (including wi-fi) and staff access to cloud-based services from personal devices (which is not recommended).

Another drawback with cloud-based products is that they rely on the internet to access the data or service. If there is a power or technological failure – on the agency side or the company side – the agency might not be able to access its information. In an emergency situation, this lack of access may pose a risk to safety.

Data Disclosures: Most cloud-based services that have the ability to see the data being stored with them will disclose their clients’ data under certain circumstances, such as when responding to a subpoena or search warrant. Businesses should review the provider’s terms of use, privacy policies, and security policies to learn exactly when the provider will disclose their data and under what circumstances. If a cloud-based provider would not fight a subpoena to the same extent that a business itself would, that is a significant concern.

Even in the absence of a subpoena or other external request for data, the mere fact that a provider can see the data in the first place may violate federal confidentiality obligations.

Businesses should also be aware of what happens to their data if the cloud-based provider closes or changes ownership. Will the business be informed and given the opportunity to remove their data? Businesses should clarify the process of how they would get their data back, and how long they would have to remove their data.

Security: Although most cloud-based services will have security measures in place, no provider is 100% immune to security failures or data breaches. Businesses should know how and when they will be informed if any of their data has been breached and what steps the company will take to address the breach.

Additionally, many cloud-based services may say that their service is “encrypted,” but this can mean different things. Usually, cloud-based products encrypt only the communications sent between the user and the cloud service (encryption in transit). The system may not also encrypt the data while it is stored on the company’s servers (encryption at rest), leaving it vulnerable. It’s also important to note that data encrypted at rest can still be fully visible to employees at the company if the provider retains control of the key used to encrypt the data.

No form of encryption can protect a business if one of its own computers becomes infected by a virus or is otherwise controlled by an outside party. Businesses will still have to ensure that their devices are secure.
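The difference between provider-held keys and the “Zero Knowledge Encryption” described above can be seen in a short added example (not from the original page or any provider's product): the business encrypts each record before upload and keeps the key, so the provider stores only ciphertext. The function names, the sample record, and the choice of AES-256-GCM with an scrypt-derived key are assumptions made for illustration, using Node.js's built-in `crypto` module.

```javascript
const crypto = require("crypto");

// Client side: derive a 256-bit key from a passphrase that never leaves the business.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt before upload. The returned object is all the provider ever stores.
function sealForUpload(key, plaintext, recordId) {
  const iv = crypto.randomBytes(12); // must be unique per record under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(recordId)); // binds the ciphertext to its record id
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { recordId, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt after download; throws if the key is wrong or the blob was altered.
function openAfterDownload(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  d.setAAD(Buffer.from(blob.recordId));
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString("utf8");
}

// True when decryption fails with the given key.
function cannotOpen(key, blob) {
  try { openAfterDownload(key, blob); return false; } catch (e) { return true; }
}

// Constructed demo data: passphrase, record and store are illustrative only.
const salt = crypto.randomBytes(16);
const businessKey = deriveKey("constructed passphrase, kept in-house", salt);
const providerStore = new Map(); // stands in for the cloud provider's storage
const record = "Client: Jane Example, phone 555-0100";
providerStore.set("rec-1", sealForUpload(businessKey, record, "rec-1"));

function demo() {
  const stored = providerStore.get("rec-1");
  const providerKey = crypto.randomBytes(32); // any key the business did not share
  const tampered = { ...stored, ct: Buffer.from(stored.ct) };
  tampered.ct[0] ^= 1; // simulate modification while in the provider's custody
  return {
    providerSeesPlaintext: stored.ct.includes(Buffer.from("Jane")),
    providerLockedOut: cannotOpen(providerKey, stored),
    tamperDetected: cannotOpen(businessKey, tampered),
    ownerReads: openAfterDownload(businessKey, stored),
  };
}
console.log(demo());
```

With ordinary encryption at rest, the equivalent of `businessKey` sits on the provider's side, which is why its staff can still read the data; here, losing the passphrase and salt means the business itself cannot recover the records.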

Retention and Destruction Policies: One of the benefits of cloud-based services is that they automatically back up their client’s data to ensure against loss. However, this also means that a business’ data could be in multiple places and accessible even after the business itself has “deleted” it. Businesses should ask how the cloud-based provider handles retention and destruction of data.

Limitations to Customization: Many cloud services sell a specific product, and businesses don’t have the ability to customize the product to fit their needs. Even if customization is available, it’s often limited. If businesses are looking for very specific features or have unique needs, cloud-based services may not meet those needs.

ABAS Ltd can assist you in determining the most cost-effective data storage plan for your business, and provide installation and maintenance using the most suitable providers and infrastructure.