Enterprise IT departments need guidance for deploying eDiscovery applications and for crafting Service Level Agreements (SLAs) with cloud service providers, so that new cloud computing initiatives don’t undermine the enterprise’s investments in eDiscovery.
Proofpoint, Inc.
892 Ross Drive, Sunnyvale, CA 94089
P 408 517 4710  F 408 517 4711
email@example.com
www.proofpoint.com

A Proofpoint White Paper

What Every Enterprise Should Know About Cloud Computing and eDiscovery

This paper offers guidelines for evaluating cloud service providers and for defining SLAs that meet the business and IT goals of cloud computing as well as the legal requirements for eDiscovery.

CONTENTS

Executive Summary
An Unexpected Challenge: Cloud Computing vs. eDiscovery
    The Conflict: ESI in the Cloud
    IT Departments are Ill Prepared
Assessing the eDiscovery Readiness of a Cloud Service Provider
    Data Preservation
    Data Collection
    Data Integrity and Authentication
Conclusion
About Proofpoint, Inc.
Notes

EXECUTIVE SUMMARY

Two important trends in enterprise computing are operating at cross purposes:

- Enterprises are investing heavily in cloud computing. They’re renting infrastructure from cloud vendors such as Amazon.com, and they’re replacing on-premise applications with Software-as-a-Service (SaaS) applications. By adopting cloud computing, enterprises hope to increase operational agility while lowering IT costs overall.
- The other trend is enterprises setting up their own eDiscovery infrastructure and processes. Instead of relying on outside consultants to find Electronically Stored Information (ESI) relevant to civil suits, enterprises are deploying eDiscovery applications in-house and conducting and managing processes themselves.
  The cost savings can be substantial, especially since the average Fortune 500 company is facing 150 lawsuits at any time.

But some enterprises are finding that their investment in cloud computing, particularly for email storage, can become at odds with their in-house eDiscovery strategies. Cloud computing makes IT operations fast and nimble, but it doesn’t necessarily make ESI easier to discover or legal holds easier to enforce. On the contrary, cloud computing can make legal holds and ESI searches more complex, time-consuming, and difficult. The vast majority of cloud providers would be unable to satisfy the stringent security, privacy, and data access requirements of corporate counsel and other stakeholders responsible for managing legal risk exposure.

Enterprise IT departments need guidance for deploying eDiscovery applications and for crafting Service Level Agreements (SLAs) with cloud service providers, so that new cloud computing initiatives don’t undermine the enterprise’s investments in eDiscovery.

This paper offers guidelines for evaluating cloud service providers and for defining SLAs that meet the business and IT goals of cloud computing as well as the legal requirements for eDiscovery.

AN UNEXPECTED CHALLENGE: CLOUD COMPUTING VS. EDISCOVERY

Two important trends in enterprise computing are operating at cross purposes.

The first trend is the growth of cloud computing. To save money and to increase operational agility, enterprises are taking advantage of a broad range of cloud offerings, including:

- Infrastructure as a Service: leasing virtual computing environments as needed
- Platform as a Service: leasing application stacks (e.g., Windows or Linux environments) to run custom applications as needed
- Software as a Service: buying seats or licenses for complete applications, such as email or business automation applications

The agility offered by cloud computing is astounding.
Enterprises can launch hundreds or thousands of application instances within minutes, crunch data for business analysis, clinical trials, or other compute-intensive projects, and just as quickly shut the instances down once the computation is complete, sometimes for less than the cost of a low-end laptop. Or they can provision an application for thousands of users in a fraction of the time required in traditional on-premises IT environments.[1]

Won over by this highly affordable agility, enterprises are investing heavily. Worldwide cloud service revenue grew 16.6 percent in 2010, according to Gartner, reaching $68.3 billion. Gartner expects that over the next five years, enterprises will spend $112 billion cumulatively on IaaS, PaaS, and SaaS.[2]

In addition to purchasing cloud services, enterprises are also launching their own internal private clouds. They’re configuring their data centers to make computing resources available on an as-needed basis, as though they were being leased from a cloud service provider. Instead of requiring multi-month provisioning cycles to bring applications online, they’re offering business users and IT engineers ready access to as much or as little computing power as they need for as long or as brief a time as they need it.

The second trend is enterprises taking control of their legal eDiscovery infrastructure and operations. Until recently, nearly all enterprises responding to eDiscovery requests would rely on outside service providers to search, collect, and preserve information in data repositories that could be relevant to specific litigation. The service provider would set up shop in the IT department to determine where responsive information could potentially exist, then painstakingly hunt through mountains of email back-up tapes and install special hardware and software to search computer hard disks, file servers, user-created PST files, and email archives.
The collected information, now considered as potential evidence within a legal matter, would then need to be physically delivered to the service provider facility where every individual item would be culled and processed. The price for this service typically ends up running several hundreds of dollars per gigabyte.

Needless to say, this process was time-consuming, expensive, and, most importantly to the legal team, inexact and risky given the high standard required to maintain data chains of custody and defensibility of processes used.

As email archiving and eDiscovery applications become more sophisticated and affordable, many enterprises are choosing to minimize use of these outside services and to instead deploy their own eDiscovery infrastructure and supporting processes. The goal for bringing eDiscovery capabilities in-house? Reduced legal costs, faster access to the electronically stored information (ESI) relevant to an investigation, and more control over the data involved in the process. With the average Fortune 500 company defending itself against 150 lawsuits at any time, the investment in eDiscovery technology is bound to pay off, in some cases after only 1-2 litigation instances.[3]

The Conflict: ESI in the Cloud

But some enterprises are finding that their investment in cloud computing, particularly for email storage, is raising a new set of concerns over how they can manage in-house eDiscovery processes. Cloud computing makes IT operations fast and nimble, but it doesn’t necessarily make ESI easier to discover or legal holds easier to enforce. In some cases, cloud computing can make the search, collection, and preservation of ESI more complex, time-consuming, and difficult.

Many cloud service providers today are simply not prepared to address the needs of complex eDiscovery processes.
Many public cloud providers maintain global networks of servers and move data freely across borders for capacity management reasons. These providers would be hard pressed to address how they adhere to privacy and disclosure requirements of the country where data originates or where data is currently stored. Other providers would be challenged to demonstrate automated processes for executing legal holds and suspending retention schedules on ESI. The bottom line: the vast majority of cloud providers are unable to meet the stringent security, privacy, and data access requirements of courts, corporate counsel, and those responsible for managing legal risk exposure.

Courts are increasingly holding enterprises to higher standards for storing, protecting, and producing data, whether that data is being managed internally or through a third-party cloud service provider.[4] Regardless of whether data is in-house or in the cloud, enterprises are responsible for complying with the requirements for delivering electronic evidence as set forth in the Federal Rules of Civil Procedure. Under Rule 34 of the FRCP, a party may serve on any other party a request to produce data that is in the responding party’s possession, custody, or control. Failure to comply with FRCP guidelines can result in severe sanctions. And after the recent experiences of Qualcomm, Piper Jaffray, Rambus, Intel, and many others, it would appear unlikely that courts would respond favorably to arguments that IT strategies that have moved data to the possession or custodianship of a third-party cloud provider have changed the organization’s obligations to control ESI.

IT Departments are Ill Prepared

When enterprises bring eDiscovery in house, they’re really adding a new job function to their IT department. But IT departments typically have limited experience dealing with issues such as litigation holds and other matters relevant to eDiscovery.
These days, IT departments are rewarded for acting quickly, setting up services, and allowing business users to get the data they need. Increasingly, IT departments are expected to act with the speed and agility of development organizations, many of which now pace their work in 15-day sprints. While IT departments are recasting themselves as nimble, improvisatory organizations, they are now being asked to implement and manage eDiscovery applications and projects that require that information be handled as potential evidence in a legal matter. Implementing eDiscovery solutions requires a new level of rigor in defining and auditing internal workflows and processes, as well as a high level of understanding of eDiscovery procedures.

IT departments need guidance in identifying and planning for the potential litigation risks that eDiscovery creates as they make decisions involving the cloud. They especially need guidance for crafting Service Level Agreements (SLAs) with cloud service providers, so that new cloud computing initiatives complement, rather than undermine, the enterprise’s strategy to bring eDiscovery in-house. Signing up a new SaaS service that lowers capital expenses can turn into a Pyrrhic victory if the service’s inability to deliver ESI in a timely fashion results in the enterprise being subject to a hefty legal fine.

Fast Facts about eDiscovery

Employee email is subpoenaed with surprising frequency:

- In its March 2008 survey of more than 300 email decision makers at US enterprises with more than 1000 employees, Proofpoint found that nearly a quarter (24%) of companies were ordered by a court or regulatory body to produce employee email in the past 12 months alone.
- The larger the company, the more likely it is that email will have to be produced. Of companies with more than 20,000 employees, more than one-third (34%) had employee email subpoenaed in the past 12 months.
- 2008 research by analyst firm Osterman Research found that nearly two-thirds (63%) of organizations have been ordered by a court or regulatory body to produce employee email or instant messages. Additionally, two-thirds (66%) of IT organizations have referred to email or IM archives or back-up tapes to support their organization’s innocence in a legal case.

ASSESSING THE EDISCOVERY READINESS OF A CLOUD SERVICE PROVIDER

To be prepared for legal discovery, enterprises must know where all their data is stored, and be able to search through and retrieve that data in a short period of time, regardless of whether that data is stored locally or in the remote data center of a cloud service provider, and regardless of cost.[5]

eDiscovery in the cloud requires that IT departments and corporate counsel collaborate. By assessing cloud service offerings with eDiscovery in mind, they can ensure that their new cloud services never jeopardize the enterprise’s ability to produce ESI. IT managers and counsel should assess the capabilities of cloud service providers in these three key areas:

- Data preservation
- Data collection
- Data integrity and authentication

Let’s examine each of these in turn.

Data Preservation

Enterprises must ensure that cloud service providers preserve data in a way that enables the enterprise to comply with legal disclosure and other requests of the court. Recent rulings have made it clear that courts expect enterprises to know where their data is and to have their data under control, whether that data is in house or in the cloud. To avoid unpleasant surprises about the location or preservation of data, enterprises should expect that cloud service providers can address questions such as:

Data Location
- Where is data stored?
- If data is stored in multiple geographic jurisdictions, where are they?
- What process determines where data is stored?
  If data is copied or moved across jurisdictions, what process ensures that complete, accurate data can be accessed in a controlled fashion?
- Is data being stored in any locations where privacy laws would make it difficult to retrieve data in response to a subpoena?

Encryption
- Is data encrypted? If so, what encryption processes are used?
- Is data encrypted both in transit and at rest?
- Does the cloud provider use their own encryption technology or others?

Privacy
- Who has the ability to view the enterprise’s data?
- How is potentially sensitive data managed?
- How does the cloud provider adhere to the privacy requirements of specific nations or inter-state organizations?

Backups
- Is data backed up?
- Where are backups stored?
- Does the service provider regularly test its backup and recovery processes?

Compliance with Internal Policies and Regulations
- Can data be preserved in accordance with the enterprise’s internal data security and preservation policies?
- Does the service provider have a disaster recovery plan?
- Should a disaster occur, where would the enterprise’s data be located? Would it still be searchable and retrievable?
- Are the service provider’s data centers regularly audited and certified? For example, have they been certified for compliance with SAS 70-2?
- Does the service provider comply with all applicable industry regulations, such as GLBA or HIPAA?

Business Continuity
- If the service provider were to go out of business, how much notice would be given to the enterprise?
- What process would govern the preservation and return of the enterprise’s data?

Data Collection

Enterprises should ensure that cloud service providers can enforce legal holds and retrieve data requested by the court.

Enterprises should ask questions such as:

Legal Holds
- What is the process for executing legal holds? Is the process automated or manual?
- What reporting or audit trail demonstrates that legal holds are enforced?
- What reporting or audit trail demonstrates that existing retention schedules have been suspended?

Data Access
- How can ESI be accessed? Does the provider limit the number of times data can be accessed?
- How quickly can the enterprise retrieve data? At what data rates can ESI be downloaded?
- Does the service provider offer tools, or other means by which an enterprise’s internal team can enforce legal holds and retrieve selected data?
- What processes are outlined to deal with outages that may render ESI inaccessible?

Costs
- Does the provider impose an incremental charge for eDiscovery activities?

Data Integrity and Authentication

Cloud service providers must ensure that legal holds can be enforced and that ESI can be retrieved through a process that eliminates the possibility of data tampering.

Enterprises should ask questions such as:

Data Security
- How can we ensure that our data is secure?
- How can we ensure that our data is safe from unauthorized access?

Data Integrity
- How can we ensure that our data has not been tampered with?
- Are any data security or authentication measures affected by data migration, scalability, or service loads?

Logs, Reports, and Documentation
- How is the service tested and documented?
- What logs or reports are available to verify the security and integrity of data?

CONCLUSION

Through the collaboration and joint due diligence of IT and legal experts, enterprises can take full advantage of cloud computing services while remaining confident that they can meet all the requirements of ESI preservation and eDiscovery.

Proofpoint Enterprise Archive™ offers the most advanced discovery and compliance features and the highest performance in an easy-to-use solution:

Proofpoint Enterprise Archive (Feature: Benefit)

eDiscovery
- Retention Policy Management: Mitigates discovery risk by preserving a copy of every message
- Active Legal Hold Management: Improves efficiency in managing discovery hold process
- Early Case Assessment: High-speed search enables real-time insights to set case strategy

Compliance
- Supervision Review to Systematically Review Selected Email: Simplify compliance audit process, comply with SEC and FINRA regulations for email

Email Storage Management
- Hybrid Architecture: SaaS TCO advantage combined with on-premise functionality
- Patented DoubleBlind Encryption™: Guarantees that data is fully protected in transit and at rest
- Unlimited, Self-Service Inbox: Increased end-user productivity via easy access to historical email

To learn more about email archiving and eDiscovery, please visit www.proofpoint.com or call +1 (408) 517-4710.

FOR FURTHER READING

Proofpoint offers a variety of free educational whitepapers that further describe the risks associated with outbound email and the policies, processes and technologies that can be used to reduce those risks. Visit our online resource center at http://www.proofpoint.com/resources for the latest information.

ABOUT PROOFPOINT, INC.

Proofpoint focuses exclusively on the art and science of cloud-based email security, eDiscovery and compliance solutions.
Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against spam and viruses, safeguard privacy, encrypt sensitive information, and archive messages for easier management and discovery. Proofpoint’s enterprise email solutions mitigate the challenges and amplify the benefits of enterprise messaging. Learn more at www.proofpoint.com.

NOTES

[1] For example, the Washington Post was able to convert over 17,000 non-searchable PDF pages into a queryable database in 9 hours, while consuming less than $200 of Amazon EC2 services. Cloud Computing, http://www.authorstream.com/Presentation/aSGuest57634-454160-a-s-khedim-dacar-wor-kshop-cloud-computing/. SunTrust was able to deploy a relationship-management application to 2,000 employees in just 77 days. Cloud Computing: An Enterprise Perspective, Infosys, http://research.microsoft.com/en-us/people/sriram/raghu-cloudcom-puting.pdf

[2] Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in 2010, http://www.gartner.com/it/page.jsp?id=1389313

[3] CIO Update, Top 7 Things to Know about Cloud, SaaS and eDiscovery, http://www.cioupdate.com/insights/article.php/3916016/Top-7-Legal-Things-to-Know-about-Cloud-SaaS-and-eDiscovery.htm

[4] In Flagg v. Detroit, 252 F.R.D. 346 (E.D. Mich. 2008), the court found a party to be in control of text messages even though those text messages were maintained by a third-party cellular service provider. How to Keep the Cloud From Bursting in Litigation, Law Technology News, Bohorquez and Rodriguez, December 21, 2010.

[5] For example, in Best Buy v. Developers Diversified Realty (February 1, 2007), the court ordered the defendant to produce ESI even though the files existed only on backup tapes and retrieval costs were estimated to run $125,000.
  See http://blog.proofpoint.com/frcp for this and other examples.

© 2011 Proofpoint, Inc. Proofpoint and Proofpoint Enterprise Archive are trademarks or registered trademarks of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 02/11 Rev A