BYOD and Cloud Computing

Transcription

1 BYOD and Clud Cmputing AIIM First Canadian Chapter May 22, 2014 Susan Nickle, Lndn Health Sciences Centre Chuck Rthman, Wrtzmans Sheila Taylr, Erg Infrmatin Management Cnsulting

2 Clud cmputing Agenda What is the clud? What s different frm the way things are dne traditinally? What s the future ging t be like with the clud? The clud and Infrmatin Gvernance - benefits, challenges and risks BYOD (bring yur wn device) technlgies Why care abut BYOD? BYOD plicies BYOD best practices BYOD and Infrmatin Gvernance - benefits, challenges and risks The team apprach: multi-disciplinary appraches t clud cmputing and BYOD Litigatin readiness: best practices t supprt e-discvery when cludand BYOD-based infrmatin is invlved Canadian case law: what are the curts saying abut issues relating t clud cmputing and BYOD?

3 Infrmatin Gvernance Reference Mdel

4 The Clud

5 What is The Clud? A catchall phrase fr using an Internet based prgram r string infrmatin n a server accessed ver the Internet. It is nt new Clud prgrams and strage have grwn quickly in the past few years Still very misunderstd

6 Different Types f Cluds Public Clud Private Clud Hybrid Clud

7 Clud Service Mdels Sftware as a service (SAAS) Infrastructure as a service (IASS) Platfrm as a service (PASS) Everything as a service (XaaS)

8 Hw is the Clud Different? Virtualizatin Demcratizatin Scalability Cmmditizatin

9 Clud Value Prpsitin $ factrs Mve IT infrastructure csts frm capital t perating budget Pay fr what yu use cmputing pwer, bandwidth, and strage Rapid elasticity - increase r decrease capacity n demand Sftware implementatin may be less cstly than traditinal implementatin Ease f use On-demand self-service -users can set themselves up withut assistance Brad netwrk access - available thrugh standard Internet-enabled devices Imprved reliability and security Mdernizatin f business prcesses

10 The Clud s Bright Future The Clud will becme the standard platfrm Hybrid cluds will be predminant Custm app develpment will increase Security will imprve SMB will becme largest clud client base Mre clud specializatin

11 Clud Infrastructure Challenges Security Resiliency Prtability

12 Clud Data Challenges Integrity and cnfidentiality Lng-term infrmatin management Privacy

13 The Clud and IG Strage lcatin Availability Recvery Cmpliance Viability

14 Planning and Implementatin 1. Internal business impact and risk assessment 2. Clud cmputing plicy 3. Due diligence when selecting a prvider 4. Service level agreement (e.g.) Availability/uptime agreement (ften %) Penalty clauses that can be invked if the agreement is nt hnured Hw infrmatin may be accessed and retrieved fr legal hlds, FOI requests, and recrds retentin and dispsitin prcessing 5. Service prvider mnitring 6. Apply apprved retentin plicy 7. Cntingency plan and exit strategy

15 BYOD

16 Why Bther with BYOD? Gartner 2014 Mbile Device Survey: The rise f bring yur wn device (BYOD) prgrams is the single mst radical shift in the ecnmics f client cmputing fr business since PCs invaded the wrkplace.

17 BYOD Value Prpsitin Fr the emplyer $ savings by nt having t prvide (r upgrade) the devices Adaptability t a changing wrkfrce Increased emplyee prductivity Fr the emplyee Cnvenience why carry mre than ne device? Persnal device is ften better than what the emplyer wuld prvide Increased emplyee chice ver the types f devices used fr wrk Increased flexibility wrk when and where they want

18 Security (e.g.) Lst/stlen devices Device misuse BYOD Risks Mbile malware/spyware and malicius texting/smsing Insufficient data encryptin Apps may be able t access a lt f ther infrmatin n the devices Lack f interperability fr cntent and systems Increased csts t supprt different mbile platfrms and acquire mre sftware licenses fr the same user Legal issues related t e-discvery, cnfiscatin rights, wiping rights, and liability issues

19 BYOD s RIM Challenges Capture (e.g.) Identificatin f recrds when cntent may be lcated in multiple places Capturing cmplete recrds in a manner that ensures their authenticity and availability when recrds frequently change and are lcated in many places Ownership and cntrl f data that resides with a 3 rd party Identifying and cllecting infrmatin fr legal hlds/access t infrmatin requests Strage Data stred/replicated n the device (r in an applicatin) instead f nly being accessible frm a central repsitry Retentin and dispsitin Develp and implement retentin schedules, including the ability t transfer and permanently delete recrds Surces and frmats f recrds will cntinue t change and it may be difficult fr RIM plicies, prcesses, and technlgy t keep up

20 The Team Apprach Effective Clud and BYOD plicies cannt be develped r implemented with sils Team apprach t develp plicies: RIM IT Legal Security & Privacy HR Internal audit/cmpliance Business units

21 RIM Create recrds needed t d the rganizatin s business, recrd decisins and actins taken, and dcument activities fr which they are respnsible Fllw apprved prcedures fr managing data/recrds cntaining persnally identifiable infrmatin (PII) r security-classified infrmatin Ensure infrmatin can be fund when needed, i.e. set up directries and files, and file materials (in whatever frmat) regularly and carefully s they will be safely stred and can be efficiently retrieved when necessary Apply retentin and dispsitin rules

22 IT s Rle Main pint f cntact fr clud vendrs Usually defines what clud services t purchase Administers vendr s service level cntract Cnfigures systems fr BYOD Determine service level and types f supprt t be prvided Prvide BYOD access t rganizatin-related resurces Cntrls what can be used n the device Mbile device and applicatin management Cntrls hw infrmatin is transferred t/frm device Mbile cntent management Implements user-centric prcedures Audits access

23 Security Defines prtectin level fr clud strage, data transmissin and data prcessing Audits clud systems Prvides input t service level agreement Defines security f crprate data n device Passcde, remte lck, and remte wipe Prhibit/limit sftware applicatins emplyees can dwnlad Require use f apprved security-related sftware t access the rganizatin s systems and servers Prcedure fr retrieving the rganizatin s data when the user s emplyment is terminated r the device is lst r stlen

24 Privacy Fr SaaS, ensures that crprate privacy plicies are met. Fr BYOD, crprate privacy plicy needs t be updated t ensure Business and private/persnal infrmatin are clearly defined Access t private/persnal (nn-crprate) infrmatin is prevented

25 Clud Cncerns Legal Review and negtiate clud service level agreements Ensure clud-based data can be searched and cllected fr regulatry/ legal matters BYOD cncerns Require emplyees t sign a waiver r release frm Prcedure fr retrieving the device if it is needed fr data cllectin and preservatin in assciatin with a legal hld Enable an emplyee t segregate the rganizatin s infrmatin frm persnal infrmatin n the device withut risk f spliatin Ensure Legal Hld plicy extends t clud and BYOD data Hw will backups be preserved? Cnsider hw will rganizatinal plicies be affected, audited, assessed, and enfrced?

26 Business What infrmatin needs t be remtely accessible in the clud and/r n a device? Make business case fr clud and/r BYOD Cnsider if/hw emplyees will be reimbursed fr rganizatin-specific use f a persnal device?

27 E-Discvery

28 E-Discvery Implicatins f BYOD and Clud-Cmputing data n phases f e-discvery: Identificatin Preservatin Cllectin Prcessing Analysis Review Prductin

29 What the Curts are Saying T date, Canadian curts have said virtually nthing specifically abut BYOD and/r clud strage The bligatins f litigants t apprpriately manage all ptentially relevant data remain in place, regardless f the data surce Hwever, there are sme practical impacts: A ntable increase in ver time class prceedings An increase in expectatins f privacy (nte: R. v. Cles; U.S. case Mintz. v. Mark Bartelstein & Assciates Inc.) A recgnitin f the imprtance f gd infrmatin gvernance

30 Thank-yu Susan Nickle, Chuck Rthman, Sheila Taylr,

31 Sme Resurces (1) BYOD (Bring Yur Own Device): Is Yur Organizatin Ready? (December 2013) Clud Cmputing Tlkit: Guidance fr Outsurcing Infrmatin Strage t the Clud t-2.pdf Recrdkeeping Implicatins f Mbile and Smart Devices (April 2013) ents/mbiledeviceguideline.pdf

32 Sme Resurces (2) Legal definitin f a recrd Canada Evidence Act, S. 30.(12) Ontari Evidence Act, S. 35.(1) Legal definitin f an electrnic dcument r electrnic recrd Canada Evidence Act, S (electrnic dcument) Ontari Evidence Act, S. 34.1(1) (electrnic recrd) Law Sciety f British Clumbia Clud Cmputing Checklist