As more organizations are looking to the cloud for hosting their data, there is a crucial question to ask: are you the true owner of your data? I won't try to get into a legal or contractual discussion, but there are some simple ways to identify whether a vendor respects your ownership of your data.
First, does the vendor provide an easy and free way to get your data out of their system? If exporting your data requires paying the hosting vendor a fee, purchasing 3rd party software, and/or hiring a professional services group to perform the export, you are not truly in control. If the vendor will perform the export for you at no charge but places any limits on when and how the export is performed, you are still not in complete control. Ideally, you will have the ability to export your data and any related metadata at your discretion without notifying the vendor. Your data should not be held hostage when you are looking to do something with it. As our sales and marketing teams will tell you, friction anywhere in the relationship is still friction, and a customer should be free to end a relationship as easy as they start one.
The second question gets even more technical as we delve into encryption keys. Every cloud vendor should encrypt your data at various levels. For example, they should encrypt your data at rest, which means it is encrypted wherever the file is stored when not in use. This encryption may be storage-level or application-level, the benefits of each worthy of a separate discussion. However, someone owns the encryption keys that are securing that data. We have seen more vendors offer Customer-Managed Encryption Keys (CMEK), which means the customer is the owner of those keys and in control of applying or removing them. If a customer wants to remove access to content, they can remove the respective key(s), assuming a key backup has been performed, and access is immediately removed. If they want to restore access, they simply restore the key.
The benefit of CMEK is often noted as a defense against silent subpoenas. This is debatable based on the "silent" nature. However, CMEK can provide tremendous benefit if needing to make sensitive data immediately inaccessible for any reason. It could be a case of a rogue employee (vendor or customer) or even a breach of some sort. You have the comfort of cutting off access until you are comfortable that the situation has been resolved. Ideally, the vendor CMEK option provides that keys can be applied selectively and do not require taking down the entire system just to lock a subset of data.
For vendors providing the CMEK option, you may ask if they should provide as part of the service vs. charging extra. This feature does require extra infrastructure and management, so there is validity in it being an add-on unless it becomes standard for all customers. Many customers do not feel they need that level of protection and would prefer a lower price point.
There are other points to consider when choosing a cloud vendor, but be sure to explore the control of your data fully!
If you have any questions about your data or selecting a cloud vendor, don't hesitate to reach out to us. Contact the Document Management Team at Affinity by calling 877-676-5492, or simply request a consultation.
