Storing Information in the Cloud


DEPARTMENT OF INFORMATION STUDIES, ABERYSTWYTH UNIVERSITY
Storing Information in the Cloud
Project Report
Nicole Convery
29/09/2010

This report is primarily a management report that aims to provide an account of the project's methodology and findings

Contents

1. Executive summary
Audience
Recommendations
Introduction
Purpose
Scope
Objectives
Methodology
Literature review
Consultations
Interviews
Events
Analysis
Cloud computing definition
Cloud computing versus hosting
Cloud computing, Software-as-a-Service (SaaS) and Web
Background to cloud computing and records management
Policies, procedures and contracts
Cloud service providers
Cloud computing drivers and use cases
Cloud computing drivers
Cloud computing use cases
Cloud computing challenges
Top 10 questions
Solutions and approaches
Risk management
Procurement
Policies
Standards
Recommendations
Appendix 1: Survey results
Appendix 2: Case studies
Case study 1: Guardian Media Group Google Apps Case Study
Case study 2: Melrose Resources plc Disaster Recovery case study
Case Study 3: Cabinet Office The G-Cloud
Appendix 3: People and organisations consulted during the project
Appendix 4: Cloud provider comparison

1. Executive summary

The Archives and Records Association (ARA) has a long tradition of providing professionals in the recordkeeping sector with support in the form of best practice guidelines, research articles and quality training events. As part of this aim to provide timely advice on emerging professional issues, the ARA funded a small research project to investigate the management, operational and technical issues surrounding the storage of information in the cloud. The aim of the project was to develop a toolkit that can assist information professionals in assessing the risks and benefits of outsourcing information storage and processing to the cloud.

This report is primarily a management report that aims to provide an account of the project's methodology and findings. It should be read as a complementary document to the actual toolkit, which is available from the ARA's website, and provides more of a background to the use of cloud computing in the UK. Based on the information gathered through a literature review, a questionnaire, an unconference and interviews with cloud providers and customers, the report offers an overview of the benefits and challenges of storing information in the cloud, primarily from a records and information management perspective. It highlights the attitudes of information professionals towards this new kind of technology delivery model.

Neither the report nor the toolkit should be regarded as standards or best practice guides but as decision support. They aim to alert information professionals to some of the questions that should be addressed as part of a wider risk assessment exercise before an organisation outsources processes and information storage to the cloud. Key recommendations of the report are the need for a better understanding of cloud technologies and services as well as the development of industry standards for the procurement and implementation of cloud services.

1.1 Audience

This report is intended primarily for the use of the project sponsor, the ARA. As it provides an overview of the project findings and a background to the toolkit, it might also be of interest to information professionals with an interest or involvement in cloud computing projects in their organisations.

1.2 Recommendations

The following recommendations are made for the project sponsor as well as for the wider research community:

- Further research into the implications of cloud computing for recordkeeping principles and practice and the development of cloud-specific guidance and policies should be funded.
- Research into cloud computing should be extended to consider its implication for the long-term preservation of digital material.
- Professional bodies should develop a more active role in bringing together information professionals and in forming interest/working groups on specific issues (e.g. compliance, information security, procurement, metadata) related to cloud computing.
- A pool of resources relating to cloud computing and information management should be established to support education and further development of guidance and standards.

2. Introduction

2.1 Purpose

This report aims to provide an overview of the use of cloud computing in the UK and highlights attitudes of professionals towards this new technology delivery model. It assesses how cloud computing impacts recordkeeping principles and practice and where further guidance and research are needed. The report is based on information obtained through consultation with information professionals via an online questionnaire, interviews and an interactive event. The conclusion and recommendations are based on the findings from these consultation mechanisms as well as from an extensive literature review.

2.2 Scope

The scope of this report is to consider uses, challenges and benefits of storing information in the cloud. Research findings are based on consultation with information professionals which was specifically aimed at records and information managers, archivists and to some extent librarians. It was outside the scope to consult with the wider IT or legal communities. The report considers all cloud computing service models (SaaS, IaaS and PaaS) where information is stored or processed on the cloud provider's infrastructure. Social media (or web 2.0) was not a main focus of the project and is only considered as part of the SaaS environment where information is stored in the cloud. Due to the small scale of this project, digital preservation considerations were not in scope but it is recommended that they be considered in a separate project.

2.3 Objectives

The Storing Information in the Cloud project aims to provide the ARA and information professionals with an overview of cloud computing uses and challenges in relation to common recordkeeping practices (report), and guidance for assessing risks and opportunities when outsourcing processes or information storage to the cloud (toolkit).

This report aims to:

- assess the extent of cloud computing usage as well as the general interest in this new technology delivery model within the information professions
- provide use cases of cloud computing that have relevance to records and information management professionals' working environments
- identify some of the business benefits as well as legal, operational and technical challenges of cloud computing
- form a basis for the on-going development of good practice guidelines which information professionals can apply as applicable to their organisational contexts
- make recommendations for further research in the area of cloud computing and recordkeeping.

3. Methodology

3.1 Literature review

A thorough literature review has been conducted in preparation for the following project methods and to inform findings and recommendations. There is a vast amount of literature on cloud computing in general available online. However, much of it is either in the form of white papers from cloud providers or focussed on information technology aspects of cloud computing such as server virtualisation, infrastructure security and identity management. Few studies are available that focus on organisational or information management aspects such as life-cycle management, compliance or risk management. Most notable here is a study by the European Network and Information Security Agency (ENISA) on the risks and benefits of cloud computing for SMEs which also contains recommendations regarding information security in the cloud. Even fewer sources concern themselves with the more specific relationship between cloud computing and records and information management.

In that sense, the literature review provided a first indication of the fact that cloud computing is still in an early adoption stage in which technical concerns and product reviews dominate. Thorough analysis of the state of cloud computing and the development of cloud standards and strategies are largely missing. However, a recent JISC study on cloud computing for research produced two reports analysing cloud computing barriers and drivers which also provide research-focussed use cases and technical specifications for cloud computing. A list of cloud computing resources relevant to the records and information management community has been made available on Google Docs and can be accessed at Everyone can contribute further relevant resources to the Google document.
Online resources have been bookmarked in Delicious and are available at

Consultations

Online questionnaire

An online questionnaire hosted by Bristol Online Surveys was conducted in March 2010 and distributed on a range of JISC lists including archives-nra, records-management-uk and lisukeig. It was also advertised on the microblogging service Twitter and on the Department of Information Studies VLE (Moodle) and homepage. A total of 41 people completed the questionnaire. Although this might appear to be a small number of respondents, the return is comparable to similar research projects such as the ENISA cloud survey which attracted 74 responses in a European-wide survey. The relatively low number of responses provides another indication that interest in cloud computing in general, and in discussing its associated benefits and challenges in particular, still has to gain ground among the information professions. The survey results can be found in Appendix

Interviews

Interviews were conducted with representatives from two private sector organisations who have successfully implemented cloud computing services. These interviews have informed the two case studies in Appendix 2. A representative from the Cabinet Office was interviewed about the G-Cloud, the government's private cloud initiative (see case study 3 in Appendix 2). A range of cloud service providers have been interviewed either in person or over the telephone to discuss their services, security measures and pricing models.

Events

Storing Information in the Cloud Unconference

The project team organised an unconference on 21 May 2010 at which 30 people from a wide range of professional backgrounds, including archivists, records managers and IT managers, participated. The workshop-based, participant-driven unconference format was chosen over more traditional conference formats because it was felt that an unstructured, facilitated environment would encourage an open exchange of experiences, concerns and solutions to managing information stored in the cloud. As cloud computing is still an emerging field and not many professionals have practical experience in outsourcing to the cloud, an explorative event was adequate for fostering debate on the topic.

The organisers deviated from the completely open, unstructured unconference format by providing three expert speakers who each gave a 20-minute overview of particular cloud computing concerns (information security, compliance and records management) and then facilitated the following discussions among participants. This was done because it became obvious from the earlier online questionnaire that many information professionals felt unsure about what exactly constitutes cloud computing and that there was a need for more information on the subject in general. The participants discussed a variety of topics relating to the storage of information in the cloud which focussed around information security and the need for standards and guidance for outsourcing information storage and processing.
Most of the participants enjoyed the unconference format and felt that they benefitted from exchanging experiences and concerns with other professionals. Some participants thought that the use of case studies could have focussed discussions more. Feedback included the following statements: I wanted to get a feel for what opinions were in this area and I got them in spades so it was very helpful. Learn from peers about their experiences of cloud computing. This was achieved in part and certainly there was lots of discussion. I think the mix of the group meant that quite a few were either not in the cloud or just thinking about it. I left with lots of things to think about which is always good.

Outcomes of the unconference in the form of participants' concerns and suggestions widely inform the findings and recommendations of this report. Speaker sessions and participant feedback have been recorded and are available at

4 Analysis

4.1 Cloud computing definition

Cloud computing can be described as the ability to access, via the internet, a pool of computing resources which are owned and maintained by a third party. It is not a new technology but a new way of delivering computing resources based on long existing technologies such as server virtualisation. The 'cloud' as such is composed of hardware, storage, networks, interfaces and services that provide the means through which infrastructure, computing power, applications and services are accessed by the user on-demand and independent of location. Cloud computing usually involves the transfer, storage and processing of information on the provider's infrastructure which is outside the control of the customer.

There is as yet no standard definition for cloud computing but the National Institute of Standards and Security (NIST) defines it as a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST distinguish between three delivery models (Software-as-a-service (SaaS), Platform-as-a-service (PaaS) and Infrastructure-as-a-service (IaaS)) and four deployment models (public, private, hybrid, and community clouds). NIST's definition of cloud computing can be found at For a more in-depth discussion of cloud computing, please refer to the Cloud Computing Toolkit which complements this report and which is available from the ARA's website.

Cloud computing versus hosting

For many information professionals, cloud computing appears to be very similar to traditional hosting services where information storage or applications are outsourced to a third party provider and accessed by the organisation through a network connection.
The difference lies in the fact that in a cloud infrastructure information, applications and processing power are distributed across many servers, which allows very flexible up and down scaling of resources, whereas in a hosting environment information is stored on a number of dedicated servers with limited resources that often do not allow for flexible scaling. In a hosted environment, resources are not shared with other customers whereas cloud computing is based on multi-tenancy. In a multi-tenant environment, all the cloud provider's customers share applications, storage and servers. Customer information can physically be distributed across many servers and stored together with other customers' information, separated only through logical isolation mechanisms.

Cloud computing, Software-as-a-Service (SaaS) and Web 2.0

Uncertainty over the interrelationship between popular terms and services such as Web 2.0 and SaaS is widespread among information professionals. Web 2.0 refers to a second generation of web applications such as blogs, wikis and social networks which facilitate user involvement, collaboration, and information sharing. The focus is on how websites are used and not so much on how services and applications are delivered to the customer. SaaS allows the sharing of applications and storage in a one-to-many environment; products are massively scalable and are paid for on a pay-for-use or subscription basis. Following this classification, some typical web 2.0 applications such as Facebook and Flickr can be characterised as SaaS but others such as wikis cannot. SaaS is only one of three cloud computing delivery models.

4.2 Background to cloud computing and records management

Cloud computing is not a new technology as such but rather a new business model based on a combination of existing technologies such as server virtualisation and networking. Cloud computing services make use of economies of scale in large server farms or data centres which enable them to reduce the cost of using information technology resources through optimal resource utilisation. Organisations can access these cheap computing resources via an internet connection on-demand and on a pay-per-use basis without having to invest in their own IT infrastructure. But while cloud computing is seen as revolutionising the way organisations use and provision IT resources, cloud providers in the UK find that actual adoption of cloud services remains low compared to the US.

The online questionnaire showed that around 58% of respondents are not currently using cloud computing but are either interested or actively planning to do so in the future and 29% have already been using cloud computing for at least a year. Widespread interest in but low adoption of cloud computing can be explained by the status of cloud computing as an emerging business model that has yet to be sufficiently tested. Whereas most technologies associated with cloud computing have been around for many years, making them available easily and at such low cost as a form of utility is a relatively recent development initiated by companies such as Amazon and Google. There is a general feeling in the records and information management community that the cloud computing market needs to mature and standardise before organisations will feel comfortable enough to explore cloud services. There is also a desire to evaluate other organisations' cloud computing projects and experiences first in order to assess whether it is a viable business model.
However, there are increasingly more examples of organisations taking the lead and experimenting successfully with cloud computing services (Guardian, Telegraph, Westminster University etc.).

Lack of trust is a main factor stalling the adoption of cloud computing because information is perceived as an important business asset that needs to be protected. Outsourcing information storage to the cloud is often associated with a transfer of control over information security to the cloud provider. Therefore, cloud delivery models that provide a higher degree of control over the applications and infrastructure on which information is stored are preferred. It is expected that private cloud models, where use of existing infrastructure within an organisation is optimised through server virtualisation and centralisation, will be adopted more widely in order to avoid information security risks associated with multi-tenancy and distributed data centres. 26% of respondents use or intend to use a private cloud deployment model whereas 24% selected a public and 12% a hybrid or community cloud deployment model.

Interestingly, concerns about information security which are reflected in the preferred choice of a cloud deployment model are not reflected in the choice of a cloud service model. SaaS is one of the most commonly used cloud service models with many productivity applications such as Google Apps, Microsoft Office Live or media sharing and collaboration tools such as YouTube, Flickr, Facebook, and Basecamp being adopted to complement traditional office applications. SaaS is the cloud service model in which most of the responsibilities for information, network and infrastructure security are transferred to the cloud provider, leaving customers little influence over the security of their information assets once they have been captured in the application.

Twice as many respondents selected SaaS as the cloud service model they use or intend to use than selected IaaS and PaaS. However, the majority of respondents claimed to use cloud services for data storage, followed by and office applications and collaboration tools. Storing information in the cloud appears to be mainly a side-effect of the widespread usage of SaaS and not part of a business strategy for effectively managing the information lifecycle, for a solution to long-term preservation needs or for creating a digital repository. These areas are of interest to the record and information management community for the future but adoption is dependent on evidence of the security of the cloud providers' services and infrastructure, which is seen as effectively a question of being able to build a trust relationship with cloud providers.

Policies, procedures and contracts

Internally, existing records and information management policies and procedures which have been developed with a view towards the increasing management of digital information on the organisation's infrastructure will need to be adapted to the new management environments necessitated by information stored and processed on third party infrastructure in the cloud. 56% of respondents do not feel that they have relevant policies, procedures and guidance in place to support the effective management of information stored in the cloud, only 22% feel they do and a further 22% are not sure. Records and information management is to a certain extent based on the notion of organisational control over information, often in centralised repositories such as content management systems or electronic document and records management systems. Centralised control over information is needed to manage information through the life-cycle to ensure secure access, use, storage and disposition of valuable information assets in accordance with records and information management policies.
When organisations intend to store information in the cloud, these policies and procedures need to be extended or adapted to fit a more distributed information environment. To be in a position to adapt existing policies and procedures to effectively manage information stored in the cloud, records and information professionals overwhelmingly felt a need for more guidance and information on the legal, management and technical aspects of cloud computing. 33 respondents were hoping for best practice guidance, 21 for an online toolkit and 18 for technical standards and reports.

The demand for best practice guides and technical standards is a reflection of the general push for more standardisation and certification processes for the cloud computing industry. Standardisation efforts range from application programming interfaces to the way in which services are priced in order to ensure interoperability and enable provider comparisons. There is also a demand for standard cloud computing contracts and sets of technical requirements which can be developed and shared among user communities. 61% of respondents have an outsourcing policy in place but 81% of respondents feel that the policy is not suitable to assist with outsourcing to cloud computing services.

A majority of respondents feel confident that they can negotiate relevant service level agreements (SLAs) with cloud service providers and that they will be able to monitor and enforce these SLAs. This confidence is not reflected in interviews and talks with information management and IT professionals or in most of the industry literature in general. However, SaaS as the most popular cloud service model often does not offer much functionality or customisation and is more likely to be used by organisations for their non-business critical information, so that there might be less expectation or need to negotiate particular SLAs.

Cloud service providers

Selecting a suitable cloud service provider has emerged as an area of concern. Cloud computing is an emerging market and dominated by a handful of established providers such as Amazon, Microsoft, IBM and Google. Smaller, less well established providers, which often offer niche or more customised products and services, are proliferating, especially in the SaaS market. A market for managed services is emerging (Cloudreach and SymetriQ) where cloud providers offer customers a range of models from simple usage monitoring to complete integration projects and managed services that maintain and monitor instances, backup and usage, patch and update servers and software, and add additional layers of security. These managed services often act as resellers for Amazon and Google products and provide a wealth of experience in integrating cloud services with internal applications. Whereas bigger providers might offer cheaper products and services and provide more security in terms of the providers' long-term financial and business position, smaller providers are often more accommodating towards specific customer demands.

Transferring security responsibilities for infrastructure, network, application, and information security to cloud providers is one of the biggest hurdles to cloud computing adoption and providers are working hard to demonstrate their often extensive security controls through whitepapers and certifications.
Both case study organisations were satisfied that the chosen cloud provider offers better security and availability than could have been achieved in-house.

The ability to compare cloud providers in terms of what they offer technically (services, functionality and customisation), of cost and especially in terms of their information security processes is a recurring topic. Although an overview of all cloud providers and their various products is out of scope of this project, below is a rough comparison of a variety of providers. The providers have been chosen because they illustrate the breadth of cloud computing services and products on offer by organisations that range widely in size. Bigger providers (Google, Amazon, CA and Iron Mountain) often do not allow for contract negotiations, customisation or individual information security audits by customers. Instead they offer standard contracts, terms and conditions, and products and would provide customers with standard certification and audit documentation on request. Smaller providers (Storetext, Alfresco, SymetriQ, Cloudreach) might be more expensive and offer lesser scalability but are often willing to negotiate contracts, customise products and be audited. Providers' flexibility in these matters might change in the future depending on pressures from customers, especially from governments, or when relevant standards in the cloud computing field emerge. Carnegie Mellon developed a Service Measurement Index (SMI) which provides IT and information management professionals with a standardised method for measuring and comparing cloud services as well as a comparison of cloud providers is available here:

4.3 Cloud computing drivers and use cases

Cloud computing offered as a kind of utility can provide cost savings and improve organisational efficiencies which makes this new delivery model attractive to IT departments and business process owners alike. Cloud service providers offer a range of services and resources from pure infrastructure and computing power to web-based applications and services. These resources are highly flexible and can be scaled up and down depending on the organisation's demands. Cloud computing services are often easy to set up and relatively commitment free, and thereby provide an attractive alternative to traditional ICT provisions. This view is reflected in the online questionnaire where 27 respondents cite reduced ICT spending as the main driver for using cloud computing, 25 increased flexibility and scalability and 20 optimisation of IT infrastructure.

Cloud computing drivers

Reduced ICT spending: Instead of investing in their own data centres (which involves buying and maintaining software and hardware, providing secure facilities to house machines and personnel to keep the data centre running) to meet increasing demands for computing power and storage capacities, organisations can avoid capital expenditure by purchasing on demand only the amount of computing resources that the organisation needs to keep systems running or to perform business transactions. Cloud services are metered and billed based on actual usage and can therefore be treated as an operational expense. Moreover, using infrastructure flexibly and on scale in the cloud can reduce start-up costs for small organisations that do not have to invest in costly IT resources before the business is established. Similarly, cloud-based applications and infrastructure can enable larger organisations to complete projects faster or reduce time to market for new products because time and money can be saved on acquiring and setting up IT resources.
Cloud computing can provide quick and easy test conditions for new products without having to invest upfront in infrastructure or licences.

Higher flexibility and scalability: Instead of estimating and provisioning for peak computing resource demands in in-house data centres, organisations can access nearly unlimited amounts of computing power and storage capacities in the cloud on demand. Cloud services are highly elastic and allow customers to scale up computing power for periods of high demand and down for periods of less demand. This is an attractive option for organisations with seasonal or periodic high computing demands such as the HMRC in January or exam marking bodies at exam times.

Optimising IT infrastructure: Outsourcing IT resource intensive applications and processes such as , transaction processing systems or data sets to be computed in the cloud allows organisations to focus on the business processes and not on the infrastructure that hosts them, thereby releasing IT resources (both in terms of computing and manpower) to focus on developing non-business critical applications or innovating existing business processes. Internally, existing servers are hardly ever used to full capacity and utilisation can be improved by setting up a private cloud environment through server virtualisation (see case study 3 in Appendix 2) which allows for the dynamic provision of applications, storage and computing across the infrastructure.

A more detailed analysis of the benefits of cloud computing can be found in the accompanying cloud computing toolkit.

Cost and technical reasons appear to be the main drivers for cloud adoption and indicate a very IT-centric view of cloud computing. Optimising IT infrastructure and better flexibility and scalability are benefits of cloud computing that tend to improve existing provisions of ICT in organisations and do not so much improve actual business processes or indicate an appetite for systems and process innovation. The Telegraph Group, for example, moved to the cloud to enable them to reallocate IT resources to develop customer-facing web application. More business-oriented and, therefore, more records and information management specific drivers such as business process modernisation, new application development and business continuity strategies are listed as benefits too but do not rank as high, which would be explained by the previously mentioned focus on SaaS models.

Cloud computing projects seem to be mainly driven by IT departments in response to changing business needs, shrinking budgets, and overloaded IT systems. Most organisations perceive cloud computing as limited IT implementations or as initial test beds for larger projects, like Guardian News & Media who adopted Google Apps to improve internal collaboration quickly and, following success with Google Docs, moved on to implement Google's cloud-based solution. Few organisations have developed an overall cloud computing strategy that aligns with business and IT strategies. However, Melrose Resources PLC is planning to extend their usage of cloud computing services with a vision to completely replace the in-house IT services by outsourced services following the successful implementation of a business continuity solution.
This case study provides an example of how initially limited cloud computing projects can lead to the development of a wider cloud computing strategy that will transform the way in which information is managed and accessed in the future.

More and more organisations find themselves in a position where individual employees have adopted free and easy-to-sign-up cloud-based services such as SaaS products like Basecamp, Zoho or even Gmail to complement restricted organisational ICT offerings. This was certainly the case at Guardian News & Media where adoption of cloud services such as Google Apps was seen as one way to bring users back to organisationally approved services and applications and to meet actual user demand.

Questions of who is driving cloud computing initiatives in organisations and how records and information professionals can ensure that they get involved from the beginning are a frequent concern to information professionals. In both case studies presented in this report, cloud computing projects were driven by the IT department. Other relevant stakeholders such as legal and compliance departments and information professionals were, if at all, consulted at a later stage when contract negotiations had commenced or even when systems had already been in place. Although the lack of involvement of information professionals in many IT projects is not a new concern, when projects involve the storage of information in the cloud new challenges to information security and compliance arise which can leave organisations in breach of laws and regulations. Moreover, when cloud computing initiatives are not driven by IT departments, it is essential to ascertain that the relevant technical expertise to establish, implement and integrate cloud computing services is available within the organisation.

On a larger scale, public sector cloud computing initiatives are driven by government in both the US and the UK.
The US government is already advancing adoption of cloud computing as part of the president's initiative to modernise IT infrastructure and provisioning. It offers a wide range of business applications and IT services through its application store, for which agencies will be charged through government issued purchase cards. The SaaS products available in the apps store are provided by 3rd party providers and are so far not accredited by the Federal Information Security Management Act (FISMA). However, Google's recent FISMA accreditation of its Google Apps for Government product is an indicator that in future many cloud service providers will seek accreditation to recognised standards in order to attract public sector business.

Similar to the US, the G-Cloud is part of the UK government's ICT strategy, which aims to improve efficiencies and cut cost through standardisation and consolidation of infrastructure and capabilities, and the adoption and promotion of common standards. The government is looking to develop a private government cloud computing infrastructure which will comprise all cloud computing service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The cloud computing strategy is based on 3 strands: a private government cloud, data centre consolidation and an application store. The G-Cloud will be compliant with a set of selected, existing standards, and being built on the government's own existing infrastructure means that some security risks such as multitenancy and data centre locations can be avoided. The promotion of these still to be selected standards and the development of common cloud architectures will further consolidate and standardise the cloud computing market and will provide assurance to both the public and private sector.
(For more information on the G-Cloud see case study 3 in Appendix 2)

Cloud computing use cases

As cloud computing paves the way for improving business processes through outsourcing, it can have as many benefits for recordkeeping in organisations as it can pose challenges for organisations' records and information management processes. Many of the services offered by cloud providers and adopted by organisations directly involve the transfer, storage and processing of information on the cloud provider's infrastructure. Questionnaire respondents cited information storage, the use of email and office applications and collaboration tools such as project management tools among the main uses of cloud computing.

Information storage in the cloud can take many forms and certainly indicates an interest in products that allow some form of document management in the cloud, ranging from simple repositories or information stores to more advanced applications that provide document management functions similar to those of traditional document or records management systems (e.g. Alfresco and Iron Mountain). Storing information in the cloud offers out-of-hours, location-independent access to information and makes it easier for geographically dispersed organisations to work together on the same documents. Moreover, when storing inactive information in the cloud, organisations can free up computing resources, save cost and concentrate on the management and use of active, vital information. Using cloud services to establish a central digital repository is an option currently being investigated by some institutions and will certainly present challenges for long-term preservation of information.

Storing information in the cloud can also enable e-discovery when used in conjunction with cloud-based data analysis applications that have the capacity to filter unlimited volumes of information in preparation for legal disclosure or defence processes. Information storage also encompasses strategies for business continuity in the cloud where vital organisational information is replicated to cloud providers' infrastructure to be accessed in case of an emergency or systems failure. Instead of having to invest in expensive infrastructure on to which information can be redundantly replicated and which is never used to its full capacity, organisations can set up redundant information storage in the cloud for often much lower cost (see case study 2 in Appendix 2).

Email and office applications in the cloud offer the possibility of location-independent access to information and facilitate information sharing and collaboration. Many private sector organisations and universities are now outsourcing email applications to the cloud (usually to Google Apps) because they offer a cheaper alternative to traditional email clients, have 24/7 customer support lines, are often more reliable than in-house applications and have a generous amount of storage that is automatically redundantly backed up. Email applications are often perceived as stand-alone, off-the-shelf products for which integration with other business applications such as an EDRM system has long been a challenge for organisations. Google's attempt to link email with text editing and document storage through their Google Apps product can be perceived as a step forward to integrating email with other business applications. Online office applications such as Google Docs and Microsoft Live offer easy online access and collaboration, version controls, simultaneous editing and, in the case of Google Apps, a direct link between email and documents that can reduce the amount of attachments sent (see case study 1 in Appendix 2).
These applications are essentially scaled down versions of traditional office software deployed on the organisation's own servers which have been adapted for hosting and access in the cloud and which lack some of the functionality of traditional software. Using office applications in the cloud does not solve problems encountered in the traditional way of IT provisioning because, just like traditional office products, they certainly lack essential records management functionality (e.g. ability to apply retention and classification). However, for organisations that cannot afford to or do not want to invest in EDRM systems, cloud-based applications are an easy step towards reducing duplication and improving versioning and collaboration through the provision of an easily accessible online document editing tool.

Collaboration tools in the cloud facilitate shared access to information not just across organisational teams but with the organisation's external partners and customers. Internal and external collaboration is increasingly seen as a way to improve knowledge creation and use, which in turn has positive effects on creativity, research and development and the efficiency of business processes. Traditional office software products no longer provide enough functionality to enable staff to collaborate on projects or tasks and many organisations are therefore looking for better tools online. As collaboration tools such as project management applications and shared document repositories are not mission-critical applications and are not used frequently enough, organisations often do not want to invest in expensive software and licences. Cloud-based products have the advantage of being easily acquired, deployed and accessed when used as stand-alone products and the pay-per-use subscription model provides cost benefits. Project management products such as Basecamp or Zoho provide as much, if not more, functionality than more traditional products such as Microsoft Project and are more frequently updated and improved. Cloud-based project management tools are proliferating and organisations with specialist requirements are more likely to find an affordable niche product that can be used for one-off projects or tasks. Again, using collaboration tools in the cloud can have benefits for the organisation but does not solve some of the existing records and information management issues such as a distributed storage environment and potential duplication of material in a variety of proprietary formats that make it difficult to apply general information management processes.

Business Process Outsourcing to the cloud has been facilitated by the SaaS model through the development of a wide range of business applications available on pay-per-user or monthly subscriptions via the Internet from established IT solution providers such as IBM and Salesforce. Popular business applications are:
- HR: employee information management, payroll, benefits, and recruitment processes
- Finance: expense and transaction processing as well as decision support
- Supply chain management: customer relationship management, logistics, procurement and supplier management

Instead of having to acquire expensive software and user licences for many transaction processing applications which lock the organisation into a product in the long term and make it reliant on usually long update cycles, organisations can make use of online applications that are regularly updated, often with new features requested by customers themselves, easily set up and relatively commitment free.
Unless these products are used as stand-alone applications, integration with existing systems or databases can be difficult and requires in-house expertise.

4.4 Cloud computing challenges

Cloud computing can provide a wide range of benefits to organisations ranging from cost to efficiency savings and business process improvements. However, it also poses challenges to organisations, which are both well-known issues arising from outsourcing ICT and new issues arising from the specific way in which cloud computing services are offered, acquired, provisioned, used and terminated. From the literature review it became obvious that the main challenges are seen to be in the information security and systems availability domains. Whereas infrastructure and network security and access management are familiar challenges to IT departments and information professionals, availability management and interoperability issues are just some of the more cloud-specific issues that need to be addressed. 29 respondents to the online questionnaire see the retrieval and destruction of information in the cloud as the main challenges, 26 perceived loss of control over information, and 25 the protection of personal data as a challenge.

Since respondents to the online survey are mainly information and records management professionals, it is to be expected that the selection of cloud computing challenges focuses more on information security and management related issues than is to be found in the technical literature. Many of the issues raised with cloud computing, especially those that focus on information management such as information life-cycle management, application of retention decisions and the ability to prove information authenticity, reliability and integrity, are not new for information professionals. Storage of information in the cloud in that sense appears as only adding to the complexities that many professionals face when managing information across the organisation's systems and infrastructure. However, there are concerns to be taken into consideration when planning to move information to the cloud that are unique to cloud computing and that might require a change in the way information management is perceived and approached in organisations.

Retrieval and destruction of information encompasses a range of issues relating to how information can be identified, searched and destroyed once it has been stored in the cloud. When information is moved to the cloud provider's system for use in applications or for storage, there needs to be a mechanism to classify, tag or search for information in order to be able to retrieve it when needed. The ability to apply classification schemes through metadata depends on the cloud provider's systems and programmes. Similarly, it needs to be established in which format information can be transferred and used in the cloud provider's systems and applications, so that information formats are not changed during transfer, as this might impact the organisation's ability to prove the information's authenticity.
Once a cloud computing service or contract is terminated, an exit strategy for the retrieval or destruction of the information stored in the cloud needs to be in place. Information retrieval can be difficult, time consuming, and costly if the cloud provider does not offer standard mechanisms for information retrieval. Transfer of information between different cloud providers can be difficult as cloud providers use proprietary APIs and interoperability is widely lacking. The execution of retention decisions in the cloud can be difficult to achieve if the cloud provider does not offer retention management functionality. Moreover, most cloud providers will delete nodes that point to information in virtual instances, so that locating that information on the vast and distributed physical server environment will be impossible. Information is, however, often not wiped from hard drives as such but will be overwritten over time and could potentially be accessible by a third party, should it be able to get access to some of the cloud provider's infrastructure. Since customer information in the public cloud deployment model will be stored in a distributed, multi-tenant environment, only parts of an organisation's information will be accessible on each hard drive and only until it has been completely overwritten.

Loss of control over information stored in the cloud is a concern that has implications for the ability to manage the information life-cycle and for information security and authenticity. The ability to fully perform information life-cycle management (e.g. access, classification and retention) in the cloud depends on the cloud provider system's functionality and the kind of information that is stored in the cloud (e.g. inactive information in buckets with the same retention period can be deleted more easily).
Organisations transfer responsibilities for information security to the cloud provider when they store information in the cloud, and the extent of the loss of control over the security of and access to information depends on the selected cloud service model. Generally, the higher up the stack (from IaaS to SaaS), the more control is transferred to the cloud provider.

The ability to monitor and audit the cloud provider's systems is often restricted as cloud providers aim to keep details of their infrastructure and security processes secret from the competition and hackers. Failure to obtain access logs and incident reports from cloud providers can impact on the evidential value of information stored in the cloud for legal and compliance requirements. A lack of standards and audit procedures makes it difficult for the organisation to obtain the relevant information to satisfy its compliance and due diligence requirements. Many of the bigger cloud providers, however, have already achieved or aim to achieve certification against national (FISMA, PCI DSS, SAS 70 Type II, or HIPAA in the USA) or international (ISO27001, ITIL, ISO9000) standards, which should provide some assurance to organisations. To address security and compliance concerns, Google now offers a FISMA accredited version of Apps for government agencies in the US. In similar vein, Amazon offers a virtual private cloud that should provide organisations with the scalability and flexibility of public cloud services while avoiding pitfalls of a multi-tenant environment.
Protection of personal data in the cloud in compliance with data protection legislation is dependent on the ability of the organisation to:
- determine in which country information is physically stored, so that it does not violate Principle 8 of the Data Protection Act 1998 by inadvertently moving information out of the EEA to a country that does not provide the same level of protection
- demonstrate that the cloud provider has appropriate technical and organisational measures in place to protect personal information from unauthorised access or loss in accordance with Principle 7 of the Act
- ensure that personal information is not kept longer than necessary to comply with Principle 5
- produce all relevant personal information within set time limits in response to data access requests

Cloud providers often do not, or are actually unable to, specify where a customer's information is physically stored in their distributed server environment, which can lead to an organisation's information being stored across various countries in which the provider operates data centres. Some providers (Amazon and many smaller providers) allow customers to specify where information is stored; others, like Google with their government specific Apps product, appear to give in to pressure from the public sector to disclose and specify data centre locations. Keeping information secure yet accessible for access requests rests on the above mentioned ability to audit and monitor the cloud provider's services and being able to trust that their infrastructure, networks and applications are protected from unauthorised access or security breaches. 46% of respondents claim to be confident about achieving Data Protection compliance when storing information in the cloud against 34% who are not and 20% who are not concerned about Data Protection issues.
Some industry experts claim that there can be no compliance with the Data Protection Act when storing information in the cloud and, indeed, one mechanism to avoid non-compliance or risks to information security is to make the decision not to store personal or mission-critical information in the cloud. 27 respondents intend to store non-confidential information, 23 data sets, only 18 confidential and 19 personal information in the cloud. Given strong information security and compliance concerns regarding the storage of information in the cloud that became evident during the consultation process, it can be expected that in the near future mainly non-mission critical applications storing non-confidential information will be selected for outsourcing to the cloud until the cloud computing market has matured and relevant standards and legislation are in place to ensure information security and compliance.

4.5 Top 10 questions

The following 10 questions should provide an indication of the breadth and depth of issues that need to be taken into consideration before outsourcing information storage to the cloud:

1. Which process, application and information can be moved to the cloud to gain efficiency and cost benefits while satisfying the organisation's security and compliance requirements?
2. How can the organisation be harmed if systems, applications, services or information are accessed by unauthorised people and information is being made available to the public?
3. How are information and systems protected against unauthorised access (e.g. hacking, interception, user misuse) by the cloud service provider?
4. How can the organisation ensure the integrity, authenticity and reliability of information stored in the cloud?
5. What are the organisation's responsibilities regarding the security of infrastructure and information in the cloud for the chosen cloud service and deployment models?
6. How can the organisation apply its records and information management programmes (e.g. classification, retention) to the cloud environment?
7. What is the impact of outsourcing services and information to the cloud on the legislative and regulatory requirements of the organisation (e.g. DP, FOI, SOX, e-discovery, copyright, licensing etc.)?
8. How should the organisation audit and monitor cloud services and establish relevant service level agreements?
9. Will the organisation be able to negotiate contracts and agreements that fit their risk assessment and compliance environment?
10. What are the total costs of setting up and managing the cloud services?

A more detailed analysis of the challenges of cloud computing and a fuller list of questions can be found in the accompanying cloud computing toolkit.

4.6 Solutions and approaches

Risk management

Consensus emerged from the various consultations that cloud computing can be seen as essentially a risk assessment and management exercise that should be familiar from other outsourcing projects. When outsourcing to the cloud, the organisation transfers much of the control over computing resources, services and information to the cloud service provider. However, the organisation remains responsible for the security and management of these resources and needs to assess what risks are associated with outsourcing to the cloud. Risk assessment needs to include compliance as well as records and information management aspects and not just technical aspects of the provider's IT infrastructure, which appear to be the main focus in current professional literature on cloud computing. It also needs to include a wide range of stakeholders including IT professionals, legal and compliance experts, procurement managers, records and information managers, archivists and digital preservation experts, and the business process managers and users.

There is a widespread concern that records and information management related risks are overlooked when organisations make the move to the cloud. Contributions from information professionals in the consultation process are either not valued or not evident to the organisation, and records and information professionals are often not part of the cloud computing consultation processes or project team from the outset.

Risks mainly fall into two categories: management risks (including information lifecycle management, compliance, contracts and cost) and operational risks (including security, access and business continuity risks). An organisation's risk framework and appetite widely determine which cloud services and deployment models can be selected when outsourcing information storage to the cloud, e.g. private clouds are deemed safer but may offer less flexibility and scalability, SaaS transfers most responsibilities for information security to the provider etc. Cloud computing invariably generates new risks, many of which can be transferred to the provider or mitigated through audit and monitoring of the provider's services and infrastructure. Other risks might have to be accepted as part of a trust relationship that is being established with a cloud service provider. Security and monitoring risks that occur where cloud providers either do not provide enough transparency or the relevant tools can be mitigated by 3rd party cloud services that specialise in offering managed services such as Cloudreach. As one unconference participant put it: "You can have security in the cloud, it is just more expensive."

Procurement

Most outsourcing policies and guidelines are not currently suitable to cloud computing services agreements (in terms of payments, jurisdiction, sub-contractors etc.) and will need to be adapted. Cloud computing can change the nature of services and products being acquired from 3rd party providers, as in the case of the government apps store where organisations are encouraged to procure solutions that can be made available across the public sector (case study 3 in Appendix 2). A good example of how organisations can adapt or extend existing policies to incorporate cloud computing specific concerns such as data centre location for DP compliance is Goldsmith College London, where the records manager established an approval process for outsourcing information to the cloud and provided a checklist for initiatives involving the use of IT facilities provided by other institutions on servers away from the organisation's infrastructure.

Concerns about limitations on the ability to independently audit cloud providers and assess their security controls as part of the due diligence process could be mitigated by the development of a central, government-led audit process for cloud computing service providers similar to that for financial services (SAS 70) established in the US. This would help both the cloud customer, who would not have to conduct their own burdensome audits of each potential provider, and the providers, who would only be audited once by a centrally established and accepted body according to common standards.

Policies

Records and information management policies and procedures need to be adopted for managing information stored in the cloud. Records management theory and practice has long focussed on centralising control over information in order to apply classification, appraisal, access and preservation (CAAP) processes. Cloud computing de-centralises information storage even further than traditional electronic records management environments and guidelines on how to apply CAAP processes are widely missing. Records and information management processes are specific to organisational contexts and standards such as ISO 15489, the international records management standard, only provide high-level frameworks for records and information professionals. Professional bodies are looking to fill that gap and are starting to produce relevant guidance for their membership.
Some examples of cloud-specific guidance for records and information managers are:
- National Archives and Records Administration (NARA) who produced Guidance on Managing Records in Cloud Computing Environments
- Association of Records Managers & Administrators (ARMA) who produced many articles on cloud computing and security risks
- Archives and Records Association (ARA) who commissioned this report and the accompanying toolkit

Standards

For cloud computing to mature, it is necessary that not only suitable policies are established internally but also that related standards are developed and adopted across the cloud computing market. This will not only facilitate cloud computing services implementation but also enable organisations to better choose and move among cloud service providers. Governments adopting particular industry standards and subsequently requesting compliance to these standards from cloud service providers will push consolidation of the existing cloud computing market. An area in which government-led standardisation would be invaluable to facilitate the cloud provider selection and procurement process. However, standardisation efforts also come from within the cloud computing community and a range of groups have been formed who work on particular aspects of cloud computing such as open API formats, security and identity management best practices, interoperability, and common interfaces. Adoption of these developing standards depends to a certain extent on market pressures from cloud computing customers and on incentivising cloud service providers to remain competitive by adopting such standards.


More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

Towards the Cloud! Ian Osborne Director, Digital Systems KTN, Intellect

Towards the Cloud! Ian Osborne Director, Digital Systems KTN, Intellect Towards the Cloud! Ian Osborne Director, Digital Systems KTN, Intellect About the Speaker Director, Digital Systems KTN Technology Strategy Board programme Launched October 2009 IT Knowledge Transfer Network

More information

Specialist Cloud Services Lot 4 Cloud Printing and Imaging Consultancy Services

Specialist Cloud Services Lot 4 Cloud Printing and Imaging Consultancy Services Specialist Cloud Services Lot 4 Cloud Printing and Imaging Consultancy Services Page 1 1 Contents 1 Contents... 2 2 Transcend360 Introduction... 3 3 Service overview... 4 3.1 Service introduction... 4

More information

Customer Engagement & The Cloud

Customer Engagement & The Cloud Customer Engagement & The Cloud Silverbear Membership Customer Engagement & The Cloud There has been a lot of talk and hype recently surrounding this new phenomenon called the Cloud". A lot of senior business

More information

Enterprise Resource Planning in Cloud Computing Bhakti C Thorat 1 Siddhesh P Patil 2 Prof.Anil Chhangani 3

Enterprise Resource Planning in Cloud Computing Bhakti C Thorat 1 Siddhesh P Patil 2 Prof.Anil Chhangani 3 IJSRD - International Journal for Scientific Research & Development Vol. 3, Issue 04, 2015 ISSN (online): 2321-0613 Enterprise Resource Planning in Cloud Computing Bhakti C Thorat 1 Siddhesh P Patil 2

More information

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station What is Cloud Computing? http://www.agent-x.com.au/ Wikipedia - the use of computing resources (hardware and software)

More information

White Paper: Cloud Security. Cloud Security

White Paper: Cloud Security. Cloud Security White Paper: Cloud Security Cloud Security Introduction Due to the increase in available bandwidth and technological advances in the area of virtualisation, and the desire of IT managers to provide dynamically

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

6 Cloud strategy formation. 6.1 Towards cloud solutions

6 Cloud strategy formation. 6.1 Towards cloud solutions 6 Cloud strategy formation 6.1 Towards cloud solutions Based on the comprehensive set of information, collected and analysed during the strategic analysis process, the next step in cloud strategy formation

More information

White Paper on CLOUD COMPUTING

White Paper on CLOUD COMPUTING White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

Recordkeeping Policy

Recordkeeping Policy Public Record Office Victoria Standards and Policy Recordkeeping Policy Cloud Computing: Implications for Records Management Version Number: 1.0 Issue date: 04/04/2012 Closing for comments: 31/05/2012

More information

Cloud Computing in a Regulated Environment

Cloud Computing in a Regulated Environment Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2

More information

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing

More information

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors Bringing the Cloud into Focus A Whitepaper by CMIT Solutions and Cadence Management Advisors Table Of Contents Introduction: What is The Cloud?.............................. 1 The Cloud Benefits.......................................

More information

Cloud Computing Guidelines

Cloud Computing Guidelines 1 Cloud Computing Guidelines Contents Introduction... 3 What is cloud computing?... 3 Why use cloud computing?... 4 The building blocks of cloud computing... 8 Best practice guidelines... 12 The legal

More information

DNA IT - Business IT On Demand

DNA IT - Business IT On Demand DNA IT - Business IT On Demand September 1 2011 DNA IT White Paper: Introduction to Cloud Computing The boom in cloud computing over the past few years has led to a situation that is common to many innovations

More information

1 Introduction. 2 What is Cloud Computing?

1 Introduction. 2 What is Cloud Computing? 1 Introduction Table of Contents 1 Introduction 2 What is Cloud Computing? 3 Why is Cloud Computing important? 4 Why Cloud deployments fail? 5 Holistic Approach to cloud computing implementation 6 Conclusion

More information

Cloud Adoption Study Cloud computing is gaining momentum

Cloud Adoption Study Cloud computing is gaining momentum Cloud Adoption Study Cloud computing is gaining momentum Contents 4 Cloud is gaining momentum due to its business impact. 6 Public SaaS dominates the cloud offerings 7 Market understanding is lacking

More information

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable

More information

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute

More information

IT Enterprise Services

IT Enterprise Services IT Enterprise Services Capita Private Cloud Agile Infrastructure-as-a-Service (IaaS) Cloud potential unleashed Cloud computing at its best Cloud is now an integral part of every IT strategy. It reduces

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Kroll Ontrack VMware Forum. Survey and Report

Kroll Ontrack VMware Forum. Survey and Report Kroll Ontrack VMware Forum Survey and Report Contents I. Defining Cloud and Adoption 4 II. Risks 6 III. Challenging Recoveries with Loss 7 IV. Questions to Ask Prior to Engaging in Cloud storage Solutions

More information

While cloud computing may have many benefits, it comes with a financial and a business cost in terms of:

While cloud computing may have many benefits, it comes with a financial and a business cost in terms of: Cloud Computing Technology Spotlight Defined by The National Institute of Standards and Technology as the provision of computational resources on demand via a computer network, cloud computing s advantages

More information

CLOUD COMPUTING SECURITY ISSUES

CLOUD COMPUTING SECURITY ISSUES CLOUD COMPUTING SECURITY ISSUES Florin OGIGAU-NEAMTIU IT Specialist The Regional Department of Defense Resources Management Studies, Brasov, Romania The term cloud computing has been in the spotlights

More information

1 Executive Summary... 3. 2 Document Structure... 4. 3 Business Context... 5

1 Executive Summary... 3. 2 Document Structure... 4. 3 Business Context... 5 Contents 1 Executive Summary... 3 2 Document Structure... 4 3 Business Context... 5 4 Strategic Response... 6 4.1 Exploiting SharePoint... 6 4.2 Improving Business Effectiveness... 7 4.3 Improving Governance...

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

CLOUD COMPUTING An Overview

CLOUD COMPUTING An Overview CLOUD COMPUTING An Overview Abstract Resource sharing in a pure plug and play model that dramatically simplifies infrastructure planning is the promise of cloud computing. The two key advantages of this

More information

Cloud Computing in the Enterprise An Overview. For INF 5890 IT & Management Ben Eaton 24/04/2013

Cloud Computing in the Enterprise An Overview. For INF 5890 IT & Management Ben Eaton 24/04/2013 Cloud Computing in the Enterprise An Overview For INF 5890 IT & Management Ben Eaton 24/04/2013 Cloud Computing in the Enterprise Background Defining the Cloud Issues of Cloud Governance Issue of Cloud

More information

Effective Practices for Cloud Security

Effective Practices for Cloud Security Effective Practices for Cloud Security Effective Security Practices Series Moving some internal processes to the cloud initially looks appealing: lower capital costs, more centralized management and control,

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

IJRSET 2015 SPL Volume 2, Issue 11 Pages: 29-33

IJRSET 2015 SPL Volume 2, Issue 11 Pages: 29-33 CLOUD COMPUTING NEW TECHNOLOGIES 1 Gokul krishnan. 2 M, Pravin raj.k, 3 Ms. K.M. Poornima 1, 2 III MSC (software system), 3 Assistant professor M.C.A.,M.Phil. 1, 2, 3 Department of BCA&SS, 1, 2, 3 Sri

More information

Infopaper. Demystifying Platform as a Service

Infopaper. Demystifying Platform as a Service Demystifying Platform as a Service The dividing lines between PaaS and IaaS may be blurring, but it s important for outsourcers of IT infrastructure to understand what sets Private PaaS apart from commodity

More information

Specialist Cloud Services Lot 4 Cloud EDRM Consultancy Services

Specialist Cloud Services Lot 4 Cloud EDRM Consultancy Services Specialist Cloud Services Lot 4 Cloud EDRM Consultancy Services Page 1 1 Contents 1 Contents... 2 2 Transcend360 Introduction... 3 3 Service overview... 4 3.1 Service introduction... 4 3.2 Service description...

More information

VMware vcloud Powered Services

VMware vcloud Powered Services SOLUTION OVERVIEW VMware vcloud Powered Services VMware-Compatible Clouds for a Broad Array of Business Needs Caught between shrinking resources and growing business needs, organizations are looking to

More information

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

The NREN s core activities are in providing network and associated services to its user community that usually comprises: 3 NREN and its Users The NREN s core activities are in providing network and associated services to its user community that usually comprises: Higher education institutions and possibly other levels of

More information

August 2011. Report on Cloud Computing and the Law for UK FE and HE (An Overview)

August 2011. Report on Cloud Computing and the Law for UK FE and HE (An Overview) August 2011 Report on Cloud Computing and the Law for UK FE and HE (An Overview) Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

More information

Why You Should Consider Cloud- Based Email Archiving. A whitepaper by The Radicati Group, Inc.

Why You Should Consider Cloud- Based Email Archiving. A whitepaper by The Radicati Group, Inc. . The Radicati Group, Inc. 1900 Embarcadero Road, Suite 206 Palo Alto, CA 94303 Phone 650-322-8059 Fax 650-322-8061 http://www.radicati.com THE RADICATI GROUP, INC. Why You Should Consider Cloud- Based

More information

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Security in the Cloud: Visibility & Control of your Cloud Service Providers Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,

More information

Enhancing Operational Capacities and Capabilities through Cloud Technologies

Enhancing Operational Capacities and Capabilities through Cloud Technologies Enhancing Operational Capacities and Capabilities through Cloud Technologies How freight forwarders and other logistics stakeholders can benefit from cloud-based solutions 2013 vcargo Cloud Pte Ltd All

More information

Product Overview. UNIFIED COMPUTING Managed Hosting Compute

Product Overview. UNIFIED COMPUTING Managed Hosting Compute Product Overview Interoute provide our clients with a diverse range of compute options delivered from our 10 carrier-class data centre facilities. Leveraging our extensive and diverse next generation IP

More information

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages Ivan Zapevalov 2 Outline What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages 3 What is cloud computing? 4 What is cloud computing? Cloud computing is the

More information

Cloud Computing Masterclass

Cloud Computing Masterclass Cloud Computing Masterclass Andrew Stott Senior Consultant, TWICT formerly Deputy UK Gov CIO Washington 27 Feb 2013 v0.4 @dirdigeng andrew.stott@dirdigeng.com What is Cloud Computing? 2 Perhaps not such

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information

Cloud Computing: Risks and Auditing

Cloud Computing: Risks and Auditing IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Whitepaper. Managed Services in the 21 st century

Whitepaper. Managed Services in the 21 st century Whitepaper Managed Services in the 21 st century Managed Services in the 21 st century How to optimise cloud benefits and reduce costs with Hybrid Managed Services One of the great benefits of the cloud

More information

Tamanna Roy Rayat & Bahra Institute of Engineering & Technology, Punjab, India talk2tamanna@gmail.com

Tamanna Roy Rayat & Bahra Institute of Engineering & Technology, Punjab, India talk2tamanna@gmail.com IJCSIT, Volume 1, Issue 5 (October, 2014) e-issn: 1694-2329 p-issn: 1694-2345 A STUDY OF CLOUD COMPUTING MODELS AND ITS FUTURE Tamanna Roy Rayat & Bahra Institute of Engineering & Technology, Punjab, India

More information

Secure Cloud Computing through IT Auditing

Secure Cloud Computing through IT Auditing Secure Cloud Computing through IT Auditing 75 Navita Agarwal Department of CSIT Moradabad Institute of Technology, Moradabad, U.P., INDIA Email: nvgrwl06@gmail.com ABSTRACT In this paper we discuss the

More information

Kent State University s Cloud Strategy

Kent State University s Cloud Strategy Kent State University s Cloud Strategy Table of Contents Item Page 1. From the CIO 3 2. Strategic Direction for Cloud Computing at Kent State 4 3. Cloud Computing at Kent State University 5 4. Methodology

More information

Understanding Financial Cloud Services

Understanding Financial Cloud Services Understanding Financial Cloud Services A Complete Guide for Hedge Funds About RFA RFA (Richard Fleischman & Associates) has been a Financial Cloud and trusted technology partner to our financial services

More information

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service Cloud Computing Although cloud computing is quite a recent term, elements of the concept have been around for years. It is the maturation of Internet. Cloud Computing is the fine end result of a long chain;

More information

Cloud Computing and Government Services August 2013 Serdar Yümlü SAMPAŞ Information & Communication Systems

Cloud Computing and Government Services August 2013 Serdar Yümlü SAMPAŞ Information & Communication Systems eenviper White Paper #4 Cloud Computing and Government Services August 2013 Serdar Yümlü SAMPAŞ Information & Communication Systems 1 Executive Summary Cloud computing could revolutionise public services

More information

Recordkeeping for Good Governance Toolkit. GUIDELINE 14: Digital Recordkeeping Choosing the Best Strategy

Recordkeeping for Good Governance Toolkit. GUIDELINE 14: Digital Recordkeeping Choosing the Best Strategy Recordkeeping for Good Governance Toolkit GUIDELINE 14: Digital Recordkeeping Choosing the Best Strategy i The original version of this guideline was prepared by the Pacific Regional Branch of the International

More information

A Decision-Maker s Guide to Cloud Computing and Managed Hosting

A Decision-Maker s Guide to Cloud Computing and Managed Hosting A Decision-Maker s Guide to Cloud Computing and Managed Hosting A Rackspace White Paper Autumn 2009 Summary Organisations have never had so much choice about how to host their applications. From Dedicated

More information

Cloud Computing. Cloud computing:

Cloud Computing. Cloud computing: Cloud computing: Cloud Computing A model of data processing in which high scalability IT solutions are delivered to multiple users: as a service, on a mass scale, on the Internet. Network services offering:

More information

NSW Government. Cloud Services Policy and Guidelines

NSW Government. Cloud Services Policy and Guidelines NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston Protecting Official Records as Evidence in the Cloud Environment Anne Thurston Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after

More information

The reality of cloud. Go beyond the hype and make a better choice. t 0845 5055 365 e sales@365itms.co.uk. www.365itms.co.uk

The reality of cloud. Go beyond the hype and make a better choice. t 0845 5055 365 e sales@365itms.co.uk. www.365itms.co.uk The reality of cloud Go beyond the hype and make a better choice www. The meaning of cloud 1. Cloud means different things to different people, something that s reflected in the many definitions of what

More information

SECURITY THREATS TO CLOUD COMPUTING

SECURITY THREATS TO CLOUD COMPUTING IMPACT: International Journal of Research in Engineering & Technology (IMPACT: IJRET) ISSN(E): 2321-8843; ISSN(P): 2347-4599 Vol. 2, Issue 3, Mar 2014, 101-106 Impact Journals SECURITY THREATS TO CLOUD

More information

IBM Smartcloud Managed Backup

IBM Smartcloud Managed Backup IBM Smartcloud Managed Backup Service Definition 1 1. Summary 1.1 Service Description The IBM SmartCloud Managed Backup service provides public, private and hybrid cloudbased data protection solutions

More information

Cloud 101. Mike Gangl, Caltech/JPL, michael.e.gangl@jpl.nasa.gov 2015 California Institute of Technology. Government sponsorship acknowledged

Cloud 101. Mike Gangl, Caltech/JPL, michael.e.gangl@jpl.nasa.gov 2015 California Institute of Technology. Government sponsorship acknowledged Cloud 101 Mike Gangl, Caltech/JPL, michael.e.gangl@jpl.nasa.gov 2015 California Institute of Technology. Government sponsorship acknowledged Outline What is cloud computing? Cloud service models Deployment

More information

Why you need Cryoserver for your Office 365 cloud service

Why you need Cryoserver for your Office 365 cloud service Why you need Cryoserver for your Office 365 cloud service March 2014 FCS (UK) Ltd +44(0)800 280 0525 (EMEA) 1-866-311-1652 (US Toll Free) info@cryoserver.com www.cryoserver.com Introduction Contents Introduction...

More information

Cloud-Based ICT Services Checklist

Cloud-Based ICT Services Checklist Cloud-Based ICT Services Checklist Guideline A non-exhaustive list of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services. Keywords: Cloud-based ICT

More information

journey to a hybrid cloud

journey to a hybrid cloud journey to a hybrid cloud Virtualization and Automation VI015SN journey to a hybrid cloud Jim Sweeney, CTO GTSI about the speaker Jim Sweeney GTSI, Chief Technology Officer 35 years of engineering experience

More information

The cloud - ULTIMATE GAME CHANGER ===========================================

The cloud - ULTIMATE GAME CHANGER =========================================== The cloud - ULTIMATE GAME CHANGER =========================================== When it comes to emerging technologies, there is one word that has drawn more controversy than others: The Cloud. With cloud

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

Industry. Head of Research Service Desk Institute

Industry. Head of Research Service Desk Institute Asset Management in the ITSM Industry Prepared by Daniel Wood Head of Research Service Desk Institute Sponsored by Declaration We believe the information in this document to be accurate, relevant and truthful

More information

Cloud Computing - Starting Points for Privacy and Transparency

Cloud Computing - Starting Points for Privacy and Transparency Computing - Starting Points for Privacy and Transparency Ina Schiering Ostfalia University of Applied Science Wolfenbüttel, Germany IFIP Summerschool: Privacy and Identity Management for Life, Helsingborg,

More information

Creative Configurations

Creative Configurations Creative Configurations Mixing and Matching Public, Private and Hybrid Clouds for Maximum Benefits Through this year-long series of whitepapers and webinars, independent analyst Ben Kepes is creating a

More information

Fundamental Concepts and Models

Fundamental Concepts and Models Chapter 4: Fundamental Concepts and Models Nora Almezeini MIS Department, CBA, KSU From Cloud Computing by Thomas Erl, Zaigham Mahmood, and Ricardo Puttini(ISBN: 0133387526) Copyright 2013 Arcitura Education,

More information

BUILDING THE CASE FOR CLOUD: HOW BUSINESS FUNCTIONS IN UK MANUFACTURERS ARE DRIVING PUBLIC CLOUD ADOPTION

BUILDING THE CASE FOR CLOUD: HOW BUSINESS FUNCTIONS IN UK MANUFACTURERS ARE DRIVING PUBLIC CLOUD ADOPTION BUILDING THE CASE FOR CLOUD: HOW BUSINESS FUNCTIONS IN UK MANUFACTURERS ARE DRIVING PUBLIC CLOUD ADOPTION Industry Report Contents 2 4 6 Executive Summary Context for the Sector Key Findings 3 5 9 About

More information

Hexaware E-book on Q & A for Cloud BI Hexaware Business Intelligence & Analytics Actionable Intelligence Enabled

Hexaware E-book on Q & A for Cloud BI Hexaware Business Intelligence & Analytics Actionable Intelligence Enabled Hexaware E-book on Q & A for Cloud BI Hexaware Business Intelligence & Analytics Actionable Intelligence Enabled HEXAWARE Q & A E-BOOK ON CLOUD BI Layers Applications Databases Security IaaS Self-managed

More information

Clinical Trials in the Cloud: A New Paradigm?

Clinical Trials in the Cloud: A New Paradigm? Marc Desgrousilliers CTO at Clinovo Clinical Trials in the Cloud: A New Paradigm? Marc Desgrousilliers CTO at Clinovo What is a Cloud? (1 of 3) "Cloud computing is a model for enabling convenient, on-demand

More information

Cloud Computing in Banking

Cloud Computing in Banking Financial Services the way we see it Cloud Computing in Banking What banks need to know when considering a move to the cloud Contents 1 Overview 3 2 Why Cloud Computing for Banks? 4 2.1 Cost Savings and

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Achieve Economic Synergies by Managing Your Human Capital In The Cloud

Achieve Economic Synergies by Managing Your Human Capital In The Cloud Achieve Economic Synergies by Managing Your Human Capital In The Cloud By Orblogic, March 12, 2014 KEY POINTS TO CONSIDER C LOUD S OLUTIONS A RE P RACTICAL AND E ASY TO I MPLEMENT Time to market and rapid

More information

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Module Db Technical Solution Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Cost is reduced through greater economies of scale, removal of duplication

More information