
Will your data be held for ransom at your public cloud vendor?

(Image credit: Image source: Shutterstock/bluebay)

Ransomware, a type of malicious software that blocks access to your computer and/or data until a large sum of money is paid, is on the rise.  In fact, according to recent news coverage, ransomware attacks are up by 250 per cent in 2017, with the U.S. hardest hit.  And the hackers are getting more creative and devious every day, even turning victims into attackers in order to increase the number of computers infected and held hostage for payment.

However, one need look no farther than some public cloud vendors to feel similar pain.  Many organisations that store content in cloud-based archives are delighted with the ability to move huge amounts of content into a public cloud for “free” or at relatively low cost, and then stunned to learn the cost should they wish to move it out.  Whether you need to export data in response to an eDiscovery or regulatory compliance request, or (heaven forbid) you have become dissatisfied with your cloud vendor and want to move your data elsewhere, the cost to extract and migrate your data can climb to shockingly ridiculous levels.

So, is that a form of ransomware?  It is paying to get your data back, after all.  We have had customers relate stories of being told it would cost anywhere from $7 to $50 per GB to extract their data out of their public cloud service provider archive.  Do the math.  If you have a 100 TB archive, which isn’t unreasonable – perhaps even on the small side, you would pay between $700,000 and $5,000,000 (yes, that’s millions) just to get YOUR data out.

Think about it like this.  It’s like being given or buying an inexpensive airline ticket, taking off, spending hours in the air, and then landing and being told by the pilot that if you want to get off the plane you need to pay a “departure fee” that is 20 times or more the cost of the original ticket.

Another tactic being used by some cloud archiving service vendors to discourage customers from leaving is to throttle the outbound data bandwidth so far down that it could effectively take months, if not years, for a medium-to-large customer to get completely out.  Staying with the plane example, this is like the captain, upon arriving at your destination, informing you that only one passenger may depart the plane each month, starting from the front of the plane – and you are in the 45th row.  Oh, and while you are on the plane, you will now have to pay an added occupancy fee.  

The question you are likely asking yourself, and I have asked customers, is, “Why did you agree to pay such exorbitant data extraction fees in your contract?”

For the most part, the responses I have received have fallen into two camps.  The first are those that were driven by financial regulatory requirements, and at the time, many of the public cloud vendors who claimed they met financial regulatory requirements were all priced comparatively with similar levels of high extraction fees.  Over time, new compliance alternatives became available, but now they were stuck, and the cost to move was prohibitive.  The second are those that – quite simply – didn’t pay attention or catch the pricing structure in their contract.

The solution – The devil is in the detail

Today, organisations have a great deal more cloud archiving solutions from which to choose.  As you are choosing your public cloud vendor, may I offer these pieces of advice:

1.) Do your internal homework.  Work across organisational groups, such as IT, business unit heads, the C-suite, legal and regulatory compliance, to fully understand your archiving requirements today and into the long term.

2.) Do your external homework.  Take the time to fully understand the costs up front, each month, and especially the cost to leave (both in dollars and in bandwidth/time).  And, get it in writing.

3.) Enlist the assistance of a solution that will help you to ensure the success of your public cloud archiving endeavours.  The solution should be able to find, consolidate, migrate, manage and extract everything from legacy email archives, journal folders, inactive or departed employee work files, free range PSTs, file share content, backups, system generated data, and eDiscovery data to compliance data.  The solution should never change a thing – allowing you to maintain all data in its native format.  And, of course the solution should never charge you should you wish to use it to extract and reclaim your data.  

     a. If you are seeking to meet stringent governance and regulatory compliance mandates, choose a solution that provides data immutability, data-at-rest encryption, and meets or exceeds all regulatory data retention/disposition requirements (See “Do Your Homework” above).  This will enable your organisation to “store and forget” your low-touch compliance data for long periods of time, but still be assured it’s protected and available, should you need it.

     b. Want to kick your compliance and eDiscovery capabilities up a notch?  Seek a solution that enables document retrieval by custodian and date range, without the need of an index engine.  Again, the solution should ensure archive data is stored in an immutable format to meet strict SEC record keeping regulations.  It should provide advanced retention management and encryption for compliance.  It should also offer built-in compliance disposition allowing for data removal/destruction with detailed policy execution management and reporting.  And, data should be available for search, retrieval, and regulatory investigations via web or API SDK access.  

     c. Ready to go compliance platinum?  Need to be able to find a needle in a haystack?  Layer on a solution that delivers powerful data analytics, search and discovery.  The solution should offer data analysis and search that is on demand, with unlimited index field definitions.  And be sure the solution lets you manage data access via quick searches, case management and user entitlement.

4.) Test it.  Move data in, manage it, and try to move it out.  Don’t migrate everything at once.  Don’t like what you see?  Move on.  Whichever service you are with, they are not the only fish in the sea.

Bill Tolson, Vice President of Marketing, Archive360

Bill has 25+ years of technology experience, including 15+ years in archiving, information governance, and eDiscovery. He is a frequent speaker at legal and information governance events and has authored numerous books, articles and blogs.