As an enthusiastic user of SaaS (“Software as a Service”) applications, I’ve increased my own productivity via the cloud. But while wearing my Information Governance hat I see companies becoming sensitized to information control and risk management issues arising from SaaS use. In particular:
- Company intellectual property (“IP”) frequently leaks out through employees’ SaaS use, often when subject matter experts within a company naively collaborate with “colleagues” outside the company; and
- Company information may be preserved indefinitely rather than being deleted at the end of its useful life, thus remaining available for eDiscovery when it shouldn’t be.
To illustrate these concepts, I’ll describe a bleeding edge cloud service I recently ran across that could cut both ways, producing both impressive productivity gains and control threats. It’s the as-yet-unreleased Pi Corp “Smart Desktop” project from EMC’s Decho unit, based here in Seattle. Decho is best known for its Mozy online backup solution, but it also provides a home for Pi Corp which ex-Microsoft executive Paul Maritz founded and lead for six years before it was purchased by EMC and added to Decho in 2008. (Maritz was since tapped to take over the CEO position at EMC’s VMware subsidiary.)
Pi Corp’s Smart Desktop project is described by EMC’s CTO Jeff Nick in this video taken at EMC World last year. In a nutshell, Smart Desktop is meant to:
- provide a central portal for all of an individual’s information collected from all of the information sources they use;
- index and classify that information so it can be used more productively, for example, when a user begins performing a particular task the user will be prompted with a “view” (dashboard) of all of the information the system expects they will want, based on the user’s past performance and the system’s predictive intelligence algorithms;
- “untether” information so that it is available to the user from any of the user’s devices, including mobile devices, and interchangeable across different sources; and
- enable secure sharing such that people can share just the information they wish to share with those they want to share it with.
Much of this is not new. Online file synchronization services like Mozy competitor SugarSync already offer central portals that enable users to share information across their devices, including mobile devices, and selectively share documents with other users. But the indexing, classification, and predictive prompting promised by Smart Desktop really stand out. This could be an addictive secret sauce that turns Decho into the Facebook of business SaaS.
Once I’ve had a chance to evaluate Smart Desktop I’ll take a harder look at its Information Governance implications. Problems could arise for employers — albeit through no fault of Decho — if Smart Desktop (or Mozy, or another file sharing service, for that matter) is used by employees to share their employers’ IP with people outside of the company, or people within their company who have not been properly trained and cautioned about maintaining IP security. Similarly, if Smart Desktop (or Mozy, or another SaaS) enables employees to preserve company documents beyond their deletion dates, or to access company documents after they are no longer employees, this could prove difficult in eDiscovery or IP secrecy scenarios, where such information could become a costly surprise late in the game.
But for now I’ll presume that because Decho’s parent EMC has a strong Information Governance focus, Decho will ultimately provide not only the access controls that they currently envision, which will enable secure sharing across devices and users, but also group administration features that make it possible for companies to retain control over IP and information lifecycle management. In particular, I predict Decho will provide dynamic global indexing of information which enters any user account within a company’s user group, thereby making company information easy to find, place holds on, and collect for eDiscovery. I also predict Decho will offer document lifecycle management functionality, including automatically enforced retention and deletion policies.
And while I’m making a Decho wish list, two more items:
- The contents of employee hard drives shouldn’t remain a mystery to the company until they are imaged for eDiscovery. I’d like to see an offering for Mozy Enterprise customers wherein all information which passes across all company-owned laptops can be backed up (or at minimum indexed) in a single company-managed repository in the cloud in order to strengthen the company’s control over IP and document lifecycle management.
- Smart Desktop’s indexing, classification, and intelligence sound somewhat like the cutting edge document clustering methods used in eDiscovery. I’d like to see its indexing and classification data anonymously aggregated and pooled across users and re-used to dynamically speed up and enhance the experience of new users and users who are starting new work flows.
In sum, companies concerned about information control and risk management issues arising from SaaS use should consider:
- What cloud backup, synchronization and collaboration services are employees using, and how are they using them?
- What obligations has the company clearly spelled out for employees, in employee manuals or individual employment contracts, regarding their use of these services?
- What network management options does the company have, or could it obtain, for logging, monitoring, controlling, or blocking transfer of company information to such services?
- If the way employees are using these services now poses an unacceptable risk, how can employees be moved to safer services?