Where should your business store its data?
Businesses of all sizes, at all stages of growth, and across every industry struggle with the same question: Where should we store our data? Emerging companies usually deal with this question early on. More mature companies have existing data-storage practices already in place but, given the growth of “big data,” are often forced to reevaluate.
Changing regulatory landscapes necessitate changes in practice and often require extensive updates to software, hardware, and physical security measures. Below is a chart comparing the three primary options for storing data: onsite, at an offsite data center, and in the cloud. While the chart is very simple and not exhaustive, it provides a basic visual comparison of data-storage options.
| | Onsite | Offsite Data Center | Cloud |
|---|---|---|---|
| Scalability | Limited by physical space constraints, costly to procure additional hardware, limited options to recoup investment if downsizing is needed, and limited by availability of qualified personnel to oversee expansion and manage enhanced capabilities. | Relatively simple, and easy to add storage capacity by increasing the number of racks leased at the data center. Ability to decrease the number of racks, though review the contract for relevant terms and limitations. The data center itself is restricted as to facility size. Most data centers work with managed services companies that purchase data center space and then lease small portions to multiple companies to allow for enhanced scaling options. | Easy to scale up or down. Consult contract for relevant terms and limitations. |
| Cost | Usually the most costly, though cost depends upon a particular enterprise’s experience, capabilities, current equipment, and business sector. Costs include the initial investment into the physical space and equipment, ongoing utility access/service, regular maintenance, keeping up with changing technology, and personnel with data-storage experience. | Most likely less costly than onsite. Capabilities, security measures, and age of technology employed directly impact cost. Many companies find that data centers are not as costly as expected because data centers are able to drive prices down based on size and usage. | Least expensive. |
| Access to Data | Allows for greatest access to data, so long as up-to-date systems are in place and the process is overseen by qualified personnel. | Subject to contractual relationship with data center, but data centers strive to provide uninterrupted remote access and the ability to physically visit the data center site. The contract with the data center should include representations as to downtime and other issues that would limit a company’s ability to access its data. | Access is entirely dependent on third parties. Many cloud services provide very lean “guarantees” regarding access. |
| Security | Onsite data storage can be very secure, but in reality companies that use onsite storage are all over the map with regard to how secure the data really is. A company must have very well-developed policies and procedures to ensure security and must be willing to continually upgrade technology and train personnel. | Good data centers have extremely impressive security measures in place. These measures include state-of-the-art technology, physical measures that limit actual access to the facility, and administrative policies and procedures. Good data centers are continually testing and upgrading security measures as new technology becomes available and new risks are identified. Contracts with data centers allow businesses to shift some of the risk associated with data security to the data center. | The cloud is not secure. Personal pictures, messages, and documents should not be stored in the cloud. Important/private/sensitive business and customer information should not be stored in the cloud. Some cloud services claim to be encrypted, but this is difficult to verify unless the service is based on open-source software. |
| Regulatory Compliance | Companies with a highly developed internal compliance program that is integrated with the IT department can address regulatory compliance issues, but the company must be willing to assume the cost of retaining capable, qualified personnel; continually reviewing and updating technology; and actively monitoring changes in the regulatory landscape. | While there are multiple tiers of data centers, some are PCI DSS compliant, HIPAA compliant, and SSAE 16 Type II certified. Other compliance certifications also exist. Contractually, companies can obtain warranties and indemnification related to a data center’s regulatory compliance. | Be very cautious when storing any data in the cloud that is subject to regulatory compliance requirements. Many cloud providers, for example, specifically state that the service is not HIPAA compliant. |
| Small or Emerging Company | Developing onsite data storage for a small or emerging company is extremely costly and would likely not be the approach used for all of the company’s data-storage needs. | Small or emerging companies may not have a large enough need for data storage to justify executing a typical data center contract. Managed service companies partner with data centers to offer small companies access to premier data centers without having to commit to extensive storage capacity. | If the data does not need to be kept secure — if it does not include personal customer information or sensitive company materials — then the cloud is a great, cost-effective alternative, but likely not the answer for all of a company’s data-storage needs. |
Deciding how to store and secure data can be challenging for companies of any size and at any stage of growth. When making your decision, it’s most important to know: 1) your data and how to categorize it based on security needs; 2) your internal capabilities (technology, financial resources, personal capabilities, internal practices/policies); 3) your business partner, if you decide to use an outside service provider; and 4) your legal obligations with regard to the data and how to make sure that any contract with an outside service provider appropriately allocates risk and obligations.
Kate Bechen is an attorney with the law firm of Whyte Hirschboeck Dudek S.C., practicing in the areas of privacy law, technology law, health law, and general business matters. She can be reached at kbechen@whdlaw.com.