momius - Fotolia


Business data management risks can't be solved just with SOA, cloud

SOA and the cloud are not the answers to everything. We examine the steps organizations need to take in order to solve problems surrounding business data retention.

SOA and the cloud can be highly effective solutions to extremely vexing problems; that we already know. But it's important to remember that they are not the direct answers to everything -- especially when your issues are steeped in business data management risks, not technology.

Allow me to relay a seemingly harmless question posed recently by a real-world systems administrator, who wanted to know, "What should we do with a terminated employee's email?" The responses quickly ballooned outward from focusing strictly on email to including all organizational information, and ranged from, "It's a legal liability, so delete everything right away," to, "Cloud storage is cheap, so keep everything forever."

The correct answer, of course, is "it depends" -- on the industry you're in, on your field's best practices and on your consistency of approach. It does not depend upon your technical architecture, for the underlying data management risks relate to business, not the hosting model.

Pointed counterpoints

To be sure, the legal liability angle just mentioned is a worthwhile one to explore. Minus any negotiated constraints, discovery initiatives ("e" or otherwise) are "free range," and any information uncovered thereby is fair game. So, it's always better to know the business data management risks before an opposing counsel tells you what he or she has found -- and to get rid of anything potentially damaging before it becomes part of a proceeding.

Less dramatically, keeping everything can lead to fire-code violations as boxes of paper records stack up against emergency exits in storage rooms and office basements. This may sound trite, but you'd be surprised how often this one practical problem leads to a much larger exercise in information management improvement.

But what happens if you end up ditching things that your people still need to use? The problem with a universal dictate to toss content after an arbitrary period of time is that such a criterion has nothing to do with why that content was collected in the first place. The result usually is the disruption of some important business process as a byproduct of your well-intentioned housecleaning.

What if you don't toss anything? We often hear that "storage is free," but while it may be less expensive than ever on a per-byte basis, it isn't without cost. Besides hardware, software and maintenance, there's electricity and support staff and other factors to consider.

"Cloud solutions are a dime a dozen" is another popular argument, "so just dump everything into a virtual storage bin and 'Google' on it when you need to find something" -- all of which is well and good until you realize that your compliance requirements may not permit this, and that brute-force searching may not be the most efficient strategy to employ even if they did.

Herein lies the business data management rub

The scariest contribution to the aforementioned thread perfectly encapsulates all that is wrong with combining business risk with a hosting model:

"We use [a] spam filter to also archive all emails that enter and exit our mail server," said a replier to the thread, whom we will not identify to protect the guilty. "This lets us delete mailboxes without having to worry about mail retention for legal purposes. It's cheap and effective, and liability of finding the mail falls on a third party rather than our company."

First of all, spam filters are designed for a purpose that is not archiving, and furthermore, archiving is not the same thing as email management. Although spam filters use rules to separate messaging wheat from chaff, they typically are not sophisticated enough to apply the granular context needed to determine what should be kept and for how long.

Second, efforts to pass liability onto a third party are nearly always unsuccessful. Unless the software terms of use and service-level agreement state otherwise -- and perhaps even then, you are responsible for the information in your care, be it email-, database-, document-, or otherwise-based. No exceptions.

And, most importantly, these two things are true whether the software lives on premises or in the cloud. The hosting model is irrelevant.

The lesson here is that addressing issues related to business risk requires significant, up-front thinking about organizational policies and procedures including how they are to be propagated and enforced. Only then does it make sense to discuss what role SOA and cloud technology may play, for it certainly can bring certain efficiencies to the table in terms of user management, search/find, workflow rules processing and other useful capabilities.

Next Steps

Why record managers and legal teams must join forces to face data risks

When does collecting data add value for your organizations?

How data analyst training is changing

Dig Deeper on Application development planning