Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division. U.S. Department of Agriculture

Transcription

1 Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division Benjamin Young, Assistant General Counsel U.S. Department of Agriculture 1

2 Disclaimer The views expressed in this presentation are solely those of the panel members and do not necessarily reflect those of the US U.S. Department of Justice, the Department of Agriculture, or any component thereof.

3 Overview E Discovery Challenges in the Cloud Advantages of the Cloud Minimizing Litigation Risk and Cost Cloud E Discovery IT Issues Practical Suggestions 3

4 What is Cloud Computing? NIST Definition Cloudcomputing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of fiveessentialessential characteristics, three servicemodels models, and four deployment models. Source: NIST, Definition of Cloud Computing, Draft version 15, computing/index.html Laymen's Definition Cloud is essentially utility computing Automated services (no humans needed for change in services) Services are consumed as used ( pay per drink ) Enabled via the internet (accessible anywhere) Elasticity in amount of services consumed (rapid provisioning and deii i Transition from capital expenses to operating provisioning) expense 4

5 Federal Timeline for Cloud Cloud First 25 Point Plan to Reform Federal IT FedRAMP Policy Memo December 9, 2010 December 8, 2011 Federal Cloud Computing Strategy February 8, 2011 Creating Effective Cloud Computing Contracts February 24,

6 Cloud: 25 Point tplan to Reform Rf IT Cloud First Policy Point 3 of the White House s 25 Point Plan to Reform Federal IT Requires agencies to evaluate safe, secure cloud options before making any new investments. This means agencies should evaluate their technology sourcing plans to include cloud solutions as part of the budget process. Three Cloud Projects by June 9, 2012 Cloud First mandates agencies move three projects to the cloud At least 1 project had to move to the cloud by December 9, 2011; 2 additional must move by June 9,

7 Cloud and E Discovery 7

8 Cloud E Discovery Challenges Data volume in the cloud may be overwhelming 1TB of data can cost <$100 to store but >$1million in litigation costs Cloud type impacts strategy Comingling of data (private vs. public cloud) Actual data location complicates E Discovery efforts Collection from multiple sources Outsourcing by the cloud provider Transfer of data issues (i.e. cross borders) 8

9 Cloud E Discovery Challenges Further challenges Implementing litigation holds Incurring the cost of identifying relevant data Determining i the collection method for relevant data Accessing the data Locating the original custodian of the data Production of data 9

10 Advantages of E Discovery in the Cloud Centralized litigation hold capabilities Stream line search and production Technology upgrades and access Efficiency of process Decreased response time 10

11 Minimizing Litigation Risks & Costs Proactive (pre litigation) steps Evaluate Type of cloud needed (e.g. private vs. public) Type of data to be stored or service needed Security and Privacy considerations Cloud provider contract language Use the White Paper: Cloud Computing and the Federal Government: Effectively Acquiring IT as a Service Include mechanism to ensure compliance (e.g. audit rights, certifications) Address subcontracting of cloud services For example, who providing E Discovery tools and support 11

12 Minimizing Litigation Risks & Costs Proactive (pre litigation) steps Document Retention Policy Data volume control Whose policy rules True data destruction Jurisdictional concerns Cross borders issues NARA considerations 12

13 Minimizing Litigation Risks & Costs Legal and IT dialogue on cloud service selection is crucial. Legal will have to defend d use IT will have to implement and support Understand the end to end costs of storage, access, and litigation 13

14 Minimizing Litigation Risks & Costs Reactive (once litigation exists) steps Identify relevant data in the cloud Act quickly to preserve data Work with IT & specialists to understand burdens 14

15 Minimizing Litigation Risks & Costs Reactive (once litigation exists) steps Negotiate and limit cloud data discovery early in litigationi i Educate court, opposing party, litigators, etc. about cloud and related burdens Ensure data security when collecting from cloud Understand how the cloud services are managed and executed Who are the key holders? Ask for help from IT and Legal 15

16 Cloud E Discovery IT Issues How will I manage content in the cloud? Cloud vendors offer two options Use cloud vendors product Send a copy to an archive 16

17 Cloud E Discovery IT Issues Manage content Business Functions E Discovery FOIA Electronic Records Management Privacy Etc. IT Functions Preserve Dispose Find Produce 17

18 Cloud E Discovery IT Issues Challenges with archival Data is dynamic, therefore, metadata is dynamic Encrypted data Data transmission and synchronization Management of legacy data and equipment 18

19 Cloud E Discovery IT Issues Challenges with archival Why first Many agencies have targeted as primary cloud implementation is most challenging content type Most E Discovery cases involve 19

20 Lessons from USDA Prior state over a dozen systems, no archive capability, no cross search search capability, no on demand preservation capability. Retrieval of took weeks. Security issues with multiple systems. Solution Cloud based system with separate repository to journal all for all users (120,000+) and a preservation, search, and retrieval component 20

21 Lessons from USDA Issues Keys to the kingdom who has access and who manages the preservation and search function? Retention period longer the period > costs, shorter less likely to capture known unknown triggers Training combining preservation and collection steps into one Chain of custody Need to have a protocol for requests and access Processing platform build on it or handle separately Legacy what to do with it and keeping track of it? User control to download and save defeats purpose of not having to search all machines Processing build platform on top or simply export to process separately? 21

22 Lessons from USDA End Result NIRVANA!! (or close to it) What took weeks now takes hours 22

23 Cloud Procurement White Paper Overview Top 10 areas Federal agencies need to address when procuring cloud Gives description of issues along with ways to address issues within contracts Provides tactical guidance through a questionnaire checklist 23

24 Partnership of IT, Acquisition, Legal Toda Today, the CIO Council, CAO Council, and Federal Cloud Compliance Committee released: Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service. This guide enables Federal agencies to make smarter, more informed cloud purchasing decisions i by utilizing i lessons learned and best practices of early adopters moving us to a more efficient and more effective government. Steven VanRoekel U.S. Chief Information Officer, OMB February 24,

25 Two Tier Approachto Creating Guidance. Development of White Paper Eiti Existing Cloud Contracts t FC3 Guidance Develop lessons learned from early adopters Informal data call through OMB to collect ~15 existing Federal cloud contracts Review of contracts to see variance of contract terms, establish baseline and identify themes Interview project managers and contracting officers of each contract: What worked What doesn t work How various issues were addressed Guidance Developed by Federal Cloud Compliance Committee (FC3) Informal interagency group comprised of Federal Attorneys, procurements officials, i and cloud SMEs. Mission: create tactical guidance to proactively assist agencies when contracting cloud Created four working groups: Security Privacy E Discovery Records Management/FOIA 25

26 Goals of White Paper Cloud Computing and the Federal Government: Effectively Acquiring IT as a Service Merge the Cloud First mandate and the visionary Cloud Computing Strategy The next step in government s move to cloud with specific guidance in effectively buying cloud services Provide guidance to agencies in developing requirements for a cloud computing contract. Highlight top ten areas for Federal agencies to address in cloud contracts Help shape the way that cloud computing services are purchased and consumed Establish common practices for the Federal government to take advantage of its position as the largest purchaser of IT 26

27 Top 10 Focus Areas 1) 2) Selecting a Cloud Service CSP and End User Agreements 3) Service Level Agreements (SLAs) 4) CSP, Agency, and Integrator Roles and Responsibilities 5) Standards 6) Security 7) Privacy 8) E Discovery 9) Freedom of Information Act (FOIA) 10) E Records 27

28 Selecting a Cloud, End User Agreements ONE Selecting a Cloud Service Agencies must choose the appropriate cloud to meet their needs Determine the appropriate service model dl to meet user needs Determine the appropriate p deployment model that meets data protection needs TWO CSP & End User Agreements Terms of Service Agreements (TOS) need to be negotiated TOS must be compliant with Federal laws and statutes Need to ensure NDA enforceability End User Agreements need to be integrated fully into cloud contracts 28

29 SLAs and CSP, Agency, Integrator t Rs & Rs THREE Service Level Agreements SLAs should clearly define CSP performance standards Need clear terms and dfiii definitions Need to determine how CSP performance will be measured Needs to establish enforcement mechanisms for SLA compliance FOUR CSP, Agency, & Integrator Roles and Responsibilities Establishes a contract with (at least) three parties Determine integrator role with CSP Need to clearly define the roles and responsibilities of all actors to ensure effectiveness of the cloud contract 29

30 Standards and Security FIVE Standards Agencies should ensure CSPs align with government standards Map services to NIST Rf Reference Architecture Ensure government participation p in standards creation Compliance with Internet Protocol version 6 SIX Security FedRAMP Compliance Clearly defined requirements Continuous monitoring activities iti Incident response to attacks and vulnerabilities Key escrow/encryption Forensic capabilities Multi factor authentication with HSPD 12 Audit capabilities 30

31 Privacy and E Discovery SEVEN Privacy Ensure compliance with the Privacy Act of 1974 and PII requirements Privacy Impact Assessments Adequate privacy training i Clearly defined data location requirements How to respond to a breach where privacy data was compromised EIGHT E Discovery Provide information management in the cloud Ability to locate relevant documents Ability to preserve data in a cloud environment Moving documents through the e discovery process Cost avoidance by inclusion of tools with CSP solution 31

32 FOIA and Federal Recordkeeping NINE FOIA Access Ability to conduct a reasonable search to meet Freedom of Information Act (FOIA) obligations Ensure the processing of information is pursuant to FOIA requirements Allow for the tracking and reporting of information pursuant to FOIA TEN Federal Recordkeeping Agencies should have proactive records planning before using a cloud service Ensure the ability to have timely and actual destruction of records in accordance with mandated records schedules How to deal with permanent records Process for transitioning to a new CSP 32

33 Appendix A: Questionnaire Overview Translates the paper to tactical questions to ask when reviewing i or creating a cloud contract Maps to the ten areas of focus within the paper Tactical approach for Agencies to use 33

34 White Paper: Key Takeaway Tk All necessary stakeholders s should dbe included when creating cloud computing contracts. OCIO OGC Privacy Records E Discovery FOIA Acquisition staff This will enable Federal agencies to more effectively procure and manage IT as a service 34

35 Cloud Resources CIO Council Federal Cloud Computing Initiative FedRAMP NIST NARA mgmt/bulletins/2010/ html 35

36 Questions? Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division Benjamin Young, Assistant General Counsel U.S. Department of Agriculture 36