Moving data and IT solutions to the cloud is changing the way organizations manage their data and think about their processes for complying with data discovery, production, and retention regulations. In the past, organizations managed every level of the infrastructure and the process behind the comprehensive protection of all data and content from all threats to integrity and availability; therefore, there needed to be much tighter integration between managing live system storage, archival storage, backup purging and data discovery, production, data retention, and defensible destruction.
Essentially, because of a myriad of technology-driven requirements and not business-driven need, responsibility for all these functions fell to IT. Over time, many of the concepts around these terms and processes have become blurred, causing different usages by different speakers in different spheres of responsibility.
Many customers are used to using their archival backups, either off-site or otherwise redundantly stored to provide the retention of data to meet regulatory compliance. For a variety of reasons, this raises challenges of access for discovery, document production, and disposal of content at the granular item level. There were many reasons this was widely adopted, primary among them cost; though complexity and technology or IT industry immaturity played a role. But once an organization has shifted to the cloud, it becomes imperative to reevaluate the processes, roles, and responsibilities for maintaining backups and ensuring compliant data retention.
Backup should never have been the primary retention method in use. Backup’s primary function has always been to be the “copy of last resort that always exists” rather than your “officially retained record.” Unfortunately, due to the constraints mentioned above, backed up content search and retrieval had to be built into the backup or archival system, as this was the only copy of the content available for the retention period.
Once the content has moved out of “live storage” it would only be after interfacing with IT to load the tape, or re-mount the database that content would be available for e-discovery processes and/or document production. Making the situation even worse, in many ways backup and retention of records are directly at odds since a large part of the responsibility of records management and retention execution is proper and timely data destruction.
The records management team may be operating under the assumption their destruction of data is complete, while IT still has copies of backups on file that may (or may not, who knows?) contain data with critical destruction requirements.
This complexity in process due to limitations imposed by outside considerations (storage cost, off-site retrieval, etc) is no longer required. With cloud vendors at every level (I/PaaS such as Microsoft 365 as well as SaaS cloud backup solutions such as AvePoint Cloud Backup) offering very affordable storage options and licensing plans, storage cost considerations are no longer a constraint that should be driving the processes to preserve the integrity, availability, and proper retention of content.
To repeat that bluntly: in Microsoft 365 it is not necessary to move content from its original location if it is being retained for regulatory reasons. It does not materially affect the licensing costs of your cloud subscription or your compliance with regulatory requirements.
Organizations can be confused about what they are responsible for and what Microsoft is responsible for within their Microsoft 365 environment. Essentially, Microsoft provides disaster recovery for catastrophic events, like a natural disaster and very small, short-term mistakes. Conversely, customers are responsible for protecting their content over long periods of time (months and even years) and maintaining compliance with all their data retention regulations.
This is allowing organizations to eliminate the responsibility for these administrative tasks from the IT personnel that managed the hardware. Now, records managers can have the system access to audit and report on the records and their disposition. Legal can now be assigned eDiscovery access to the Compliance Center for discovery activities and case management. Privacy Officers can use the reports provided by sensitivity labels and AIP to ensure organizations are compliant and risk is properly managed. In this new world, IT can get back to what it does best: moving the organization forward using technology.
Come back next week to learn when to backup data and when to use retention policies!