Pharmaceutical firm trusts the cloud
At AMAG Pharmaceuticals, storage is part and parcel of a cloud computing strategy aimed at reducing IT costs and optimizing business capabilities. The Lexington, Mass., biopharmaceutical company uses Amazon's EC2 infrastructure and S3 storage services, as well as software-as-a-service options when possible, says Nate McBride, executive director of IT. "We're moving all of our storage to that environment, in two buckets -- for files and email," he says, noting that the company uses Egnyte's Cloud File Server on the front end for files and Google and Postini systems for storage and archiving of email.
McBride dismisses common concerns about cloud storage, saying he trusts the vendors to provide better data security than his small organization, and he notes that AMAG is in compliance with all relevant federal and state mandates, including the Sarbanes-Oxley Act. Put simply, he says, compliance is achieved by not linking AMAG and its personnel with the respective data types.
For public cloud storage users like McBride and PBS's Engelson, the question seems to be, "What's the fuss?"
"Talking about S3 seems so mundane; it really has become something that I don't worry about," Engelson says. "It's really just an extension of what we do -- we have to store our data somewhere, and S3 is our standard for that."
Encrypt data stored in the cloud
Encryption should help relieve any concerns about security and compliance that IT professionals might have when they're contemplating public cloud storage use, experts say.
"If the data is all encrypted and the keys are managed by the enterprise, then the company is pretty much protected from privacy regulations like PCI and HIPAA," says Ted Ritter, an analyst at Nemertes Research. "Physical location of the data might come into play for some companies, but really the key is to encrypt."
Gartner analyst Adam Couture agrees. "I've seen companies say, 'Oh, we're HIPAA-compliant and so our cloud storage provider needs to be HIPAA-compliant, too.' But HIPAA says nothing about the architecture of the storage itself," he says. "It's really loosey-goosey."
What that means, according to Couture, is that regulatory concerns might affect a cloud storage decision, but the No. 1 trepidation is really security. "And for that, all I can say is if you're going to put stuff out there, you'd better encrypt it. And then at the end of a retention period, throw away the encryption keys," he says. "Your data might still be sitting out there on Amazon, but it's unusable" if it's encrypted.
Amer Khan, senior vice president of product management and development at eGistics, a Dallas-based provider of hosted document management software, agrees that it's important to encrypt data. A user of AT&T Synaptic Storage as a Service, eGistics encrypts its data locally and as it moves into the storage cloud.
The company also checked out AT&T's data centers prior to committing to using its cloud storage service. "AT&T is SAS 70 Type II- as well as PCI- and HIPAA-compliant. Those are important to us," Khan says. "Historically, all the data was under our control and management. As we give that up, we have to make sure all the same types of controls are in place and that we're not dropping the level of security on that data. That's paramount to our customers."
At eGistics, the decision to use cloud storage was part of a move to cloud computing in general; it also uses AT&T Synaptic Hosting. That's not uncommon, says Ritter: "First you make the decision to do cloud computing, then you figure out how to handle the storage."