
What Happens to Your Cloud Data if the Government Wants It?

In the summer of 2011, Microsoft warned consumers that the U.S. Patriot Act could compel the company to hand over customer data to the United States authorities, without their permission. This data would extend not only to customer contact information, but also to any files stored in Microsoft Cloud Services. Additionally, this data transfer would be kept secret, violating the European Union Data Protection Directive. The directive requires organizations to inform users when personal information is disclosed. Since this news surfaced, concerns have been mounting about the access to personal data stored on cloud services. However, as this article will explain, there is minimal threat to cloud services.

The Patriot Act and Your Data

While Part II of the Patriot Act allows the FBI to petition courts for documents, including those in the cloud, the government has rarely used the Foreign Intelligence Services Act (FISA) order. In 2010, only 96 applications were made for business records.

Another part of the Patriot Act, the National Security Letter, could also impact cloud services. The National Security Letter enables the FBI to access subscriber information and electronic communications records. However, the scope is very limited, and they can’t view the actual message–just the transmission.

The idea of a safe haven from the U.S. Patriot Act, as promoted by some European companies, is misleading. If a suspected terrorist has data stored in a cloud outside the United States, the information can still be obtained, provided that country is an ally. The United States is no different from many countries in this regard. Likewise, if prosecutors in Europe needed data held in the United States for terrorism, the U.S. would likely seize that data.

Many countries have privacy challenges in their own right. For example, Internet Service Providers in the European Union must retain telecom customer data for between six and 24 months. Additionally, the European Union’s data-retention directive gives investigators access to information that may be deleted in other countries. Under this directive, police can access details such as IP address and the frequency of every email, phone call, and text message sent or received. Other regulations include the international transfer of certain kinds of data.

Keeping Your Data Safe

The safeguarding and protection of data ultimately resides in your hands. Business owners must make informed, calculated decisions before deciding whom to do business with.

When deciding on a cloud provider, business owners should ask themselves a number of questions:

  • How sensitive is the information being stored?
  • What is the risk if that information is leaked?
  • What role does jurisdiction play in that risk?

When people express fears about storing their data in the cloud, they are mostly afraid of the control they will lose when they hand over the storage reins. Although data is stored securely in the cloud every day–even safe from the government’s eyes–those one or two stories you hear to the contrary are likely to stick in your mind. Just remember that most cloud computing companies are well-trained, have reliable backup systems and contingency plans in place, and employ a full staff of professionals to be sure disaster doesn’t strike.


4 Tips for Backing Up Your Data in the Cloud

Every IT manager knows that backing up data is essential to protecting a company’s most valuable commodity. Backing up your data off-site is easier than ever, but you need to examine your needs in depth before choosing this important service.

As you examine your options, consider these four ways to back up your data in the cloud.

1. Consider how you will restore data

When you back up a system and all of its storage, you are protecting everything on that OS instance. This is useful if you find yourself needing to restore an entire environment using bare metal recovery scenarios. However, if you just want to protect a service, such as a database like Microsoft Exchange, you may want to restore only a specific mailbox. The point is to consider what you might want to restore, and then make a backup decision that will facilitate your goals.

Also keep in mind that Internet connectivity from the data source to the backup location plays a key role when it’s time to recover. If you have hundreds of gigabytes or more to restore, restoring from the Internet could take many more hours than you can afford. Consider local backup as a first line of defense. See item three!

2. Understand that hypervisor level backup may not be enough

Virtualization offers numerous capabilities, including the ability to perform backups at the hypervisor level of the virtual machines (VMs). However, this type of backup limits your restore to a VM-only level or to files within the VM. Consider running backup agents within the VM OS, rather than just on the virtualization host, for the best restoration options, or use a tool that leverages both OS-level and VM-level backup.

3. View local protection as a first line of defense

Using the public cloud offers unlimited server and storage resources, and cloud storage is flexible and scalable. However, while the public cloud is a valuable step in securing your data, consider on-premise backup as your first line of defense for greater peace of mind. Using resources local to the systems and data often yields the best performance.

4. View cloud protection as a second line of defense

In the event of a disaster, cloud-based backup protection can literally save your company. So, if local protection is your first line of defense, then cloud protection should be a necessary second. Prioritize the servers and data that need offsite disaster recovery protection by identifying key business processes that are critical to your company’s day-to-day operations, and don’t forget to include the dependencies of those services, such as databases and middleware.


How to Prepare for a Software License Audit

It’s an interesting time for software license audits, and companies are, all too often, finding themselves in the storm of an audit. Perhaps it is due to the fact that licensing use rights are being applied to increasingly complex IT environments that have changed beyond the terms of their former software agreements. Or, maybe it is because revenue for new software licenses is down, forcing vendors to focus more on licensing audits to recover some of the lost income.

Whatever the reason, IT organizations need to be diligent if they are audited. And, taking some simple steps to avoid an audit in the first place wouldn’t hurt, either.

Staying Compliant with Software Licensing

The best way to handle a license audit is to stay out of trouble in the first place. While sometimes easier said than done, you can take a few steps to stay in the clear.

  • Maintain robust software asset management (SAM) processes.
  • Make software licensing a core part of change management.
  • Consider how normal IT actions, like upgrading servers, will affect your software licenses and address any issues at the time actions are taken.
  • Don’t just rely on spreadsheets for compliance management — look into how an automated solution might help you stay on top of things better.
  • If you discover a licensing issue, admit to it. It can be advantageous to pursue proactive remediation to possibly avoid punitive costs and other consequences of an audit.
  • Don’t look the other way if there are unlicensed copies of software being used in your organization. Ensure that your written policies and procedures are consistent with your actual policies and procedures, and make sure your employees, consultants, and vendors understand the rules.

Preparing for the Software License Audit

If, despite your best efforts to remain compliant, you find yourself being audited, take these steps to make the process go as smoothly as possible.

  1. Contact the vendor to find out the scope of the audit because audit procedures vary by provider.
  2. Begin an internal audit so you can learn more about the problem and discover any additional shortfalls.
  3. Get all your ducks in a row: Make sure all communications between your team and the vendor are appropriate, and ensure that the process includes an opportunity to review findings prior to settlement. Also, validate that the auditor has included all licenses to which you are entitled.
  4. In that same vein, make sure your company clearly understands the audit rights by reviewing the provider agreement. Within reason, push back against anything you do not believe is mandated.
  5. If the audit proceeds, manage the process with a proactive mindset. Do not sit back and wait for instructions — find out what you need to do, and just dive in.
  6. Approach settlement talks as a negotiation. Don’t just accept the initial settlement demand as carved in stone. If your company’s non-compliance was inadvertent, or otherwise reasonable, consider a counter-offer based on achieving and maintaining future compliance instead of back-dated compensation, retributory list pricing, and other punitive actions.
  7. If you know you will have to pay punitive costs, have in mind a dollar value settlement before going into talks. The cost will vary based upon the provider and the situation, but a reasonable target settlement amount is the estimated supplementary costs had your company remained in compliance. Expect to pay something, but use any leverage as a customer (current and future) that you might have to come to an agreement.

Whatever you do, don’t be passive and simply accept the audit terms, process, and results. Admit whatever fault may be yours, but stand your ground when it comes time to work with auditors and, especially, when it comes time to work out a settlement agreement.