CLOUD COMPUTING (outsourcing records storage)
Tatta Srinivasa, Records Manager
11 December 2013, Township of King

Cloud computing
A style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies.
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

10 Internet technologies
1. Video and podcasting: YouTube, TeacherTube, EduTube etc.
2. Presentation tools: SlideShare, Vuvox etc.
3. Collaboration and brainstorming: Mindmap, Bubbl.us etc.
4. Blogs and blogging: Blogger, WordPress etc.
5. Wikis: Wetpaint etc.
6. Social networking: Facebook, MySpace etc.
7. Instant messaging: Meebo etc.
8. Twitter
9. Virtual worlds: Second Life etc.
10. RSS feeds

Characteristics
- Scalability
- Elasticity
- Resource pooling
- Service

Cloud solutions
- Software as a Service (SaaS): the software is owned and/or managed remotely by one or more providers and accessed by users with web browsers over the Internet. SaaS solutions generally use resource pooling and are often built on cloud infrastructure.
- Hosted applications: the application infrastructure is dedicated on an organization-by-organization basis.

Cloud benefits: cost savings
- It is a metered service; the organization often pays for actual usage only.
- Expenditures are operational and do not require the full cost to be spent up front.
- Scalability and elasticity: the needed capacity can expand and shrink, often on demand.
- IT development costs can be eliminated because the application has already been developed.
- Better cost control and faster implementation.

Cloud benefits: value creation
- Application development may become feasible if it is done in the cloud.
- An organization can launch new services for internal or external use and then increase or decrease their scope as needed, since the capital outlay is zero.
- Low-cost experimentation, and even project failure, in a way that does not waste significant time or money.
- Failing small in the cloud and learning from the experience can speed development cycles and increase efficiency in future projects.

Cloud risks (to be mitigated prior to outsourcing)
- Accessibility
- Data security
- Data location
- Data segregation
- Data integrity
- Data ownership

Cloud risks (cont'd): Accessibility
- Providers may state that they offer 24/7 availability, but that is not a guarantee.
- Find out what the provider is doing to prevent access outages, e.g. mirroring of servers at different locations and alternate Internet routing.

Cloud risks (cont'd): Data security
- The security of the organization's data, and access to the application, are completely dependent on the service provider's policies, controls and staff.
- Determine what these controls are and whether they are as good as or better than internal controls would be.
- Have a protocol and agreement with the provider to lock down the data (initiate a legal hold) when an obligation to preserve it arises, to avoid spoliation issues and unwanted sanctions in legal matters.

Cloud risks (cont'd): Data location
- Sharing resources can mean, in the worst case, that the data and applications are not in a specific, physically identifiable location (many cloud providers are global enterprises with the ability to share resources and data across physical locations around the world).
- Strict data protection and privacy regulations may forbid data transfer beyond specific borders, e.g. the European Union countries.

Cloud risks (cont'd): Data segregation
- When multiple organizations share an application and resources (e.g. the same server), it is critical to know and understand the methods used to segregate and protect each organization's data from the others.
- Commingling of data can make subsequent segregation problematic, and confidential data could be inadvertently shared with others.

Cloud risks (cont'd): Data integrity
- Backup and recovery of the entire application, not just the data, should be included in the provider's services.
- From a records perspective it is equally important that backup data is destroyed when required by retention schedules.
- Audit trails are also needed to prove the integrity of an electronic record's creation, change and destruction.

Cloud risks (cont'd): Data ownership
- Most organizations assume they own their data, but that is not always the case, or not necessarily straightforward. What if:
- The contract is cancelled or not renewed: does the organization get its data back, and how quickly?
- There is a contract dispute: can the service provider hold the organization's data hostage?
- The provider goes bankrupt or is acquired by another organization?
- The data is separated from the application: without the application context, is the data still understandable or usable?

Retention and disposition
- Outsourcing to the cloud does not relieve an organization of its information retention and management obligations.
- Cloud service providers are focused on the storage and retrieval of information as needed for the particular application, not on records management.
- Vendors may not be familiar with records management standards and best practices.
- Vendors will probably be more prepared to hold information indefinitely than to ensure its timely and permanent destruction.

Technology issues: Application interface to records management; Virtual storage
- Many organizations are moving from dedicated servers and repositories to virtualized environments, clustered storage or private clouds for their information management.
- Virtualization offers opportunities for cost cutting and more efficient use of resources, as well as flexibility for the organization.

Technology issues (cont'd): Virtual storage
- It is possible to store records with a third-party service provider in the cloud and be confident that the records are secure.
- Care must be taken to ensure that the records are appropriately safeguarded and that access is controlled.
- The largest concern is that management of the records is outside the organization's direct control.
- It is vital that all parties understand their respective responsibilities as they relate to retention, access, security, destruction and exception management.

Legal considerations: Records preservation for litigation; Ephemeral data
- Organizations using cloud technology should understand which ephemeral data might warrant preservation in the event of litigation, and how the service provider would enable such retention.

Legal considerations (cont'd): The transnational problem
- Organizations exporting data to the cloud may find that the data becomes subject to the privacy or confidentiality rules of foreign countries, e.g. the European Union.
- Data may be subject to blocking statutes, e.g. in France.

Recommendations to mitigate legal risks
- Establish clear rules for employee use of corporate information systems, including systems outsourced to the cloud and access to the employee's personal accounts.
- The organization should monitor employee use and take appropriate disciplinary action when the rules are violated.
- Social networking sites are examples of the cloud being used for both personal and business purposes; using such sites for business purposes may allow information to be compromised unless specific policies and protections are in place.

Recommendations to mitigate legal risks (cont'd)
- Establish ownership of data, and include language in any cloud provider's service contract that addresses the organization's ownership.
- Prohibit subcontracting by the cloud provider, or at least limit the number and location of subcontractors. This contributes to data security by assuring the organization that the party it contracted with is the only service provider, and it can minimize or eliminate data transfers, in particular cross-border data transfers.

Recommendations to mitigate legal risks (cont'd)
- Limit the location(s) where data are stored: for data security, restrict data transfers and cross-border transfers.
- Establish a mechanism with the cloud provider for communicating and implementing legal holds. Make it clear in the service contract what the cloud provider's obligations are for implementing, and possibly managing, legal holds.

Recommendations to mitigate legal risks (cont'd)
- Establish how data will be stored, and whether it will be segregated from or commingled with other organizations' data.
- Confidential or vital records should be handled with their unique requirements in mind, for example by storing them in a separate location from anyone else's data, or even from other types of data from within the organization.

Recommendations to mitigate legal risks (cont'd)
- Establish access rights to data hosted by cloud providers. This eliminates, or at least reduces, the additional costs a cloud provider might impose for unusual access, for example when the organization must produce data in response to a request for information, subpoena or discovery request.

Recommendations to mitigate legal risks (cont'd)
- Establish the allocation of liability for loss or wrongful disclosure of data, preferably as part of the contract.
- Courts will likely hold the organization that owns the data responsible for the event, so the owning organization will want the ability to hold the cloud provider liable for what it did (or failed to do). The service provider will usually seek to contractually reduce or eliminate any liability.

Recommendations to mitigate legal risks (cont'd)
- Establish appropriate security and confidentiality measures to be taken by the cloud provider, including a communication plan for notifying the organization in the event of a breach of the provider's technology by an unauthorized party, even if it is believed that the organization's data was not affected.
- Establish appropriate procedures and protocols for data disposition, which may include multi-level approvals and audit trails.

Vendor-related considerations: Information management practices
- It is possible for the vendor to replicate information to redundant systems both within its facility and elsewhere.
- Where information will be stored.
- Where information could be stored.
- The vendor's policies concerning data backup and archiving.

Vendor-related considerations (cont'd): Audit policies
- The organization's external auditor may want to audit the vendor's facility and its practices relating to the security and management of records and information.
- Security for a cloud application is at the point of integration. In the past, integration was always behind the firewall; with cloud computing, integration is outside the purchasing organization's firewall.

Vendor-related considerations (cont'd): Access interruptions
- Internet access; Internet service provider downtime; damage to cables; weather interference with satellite access at either the vendor's or the organization's site.
- Any disaster recovery or business continuity plan should include how the organization will operate if the cloud provider's services are not accessible.

Vendor-related considerations (cont'd): Privacy
- The organization must obtain, read and understand the vendor's privacy policy.
- Where the organization's and the vendor's policies conflict, additional contract negotiation will be required.
- The vendor should be asked to identify how many, and what type of, personnel will have access to the organization's information.
- The vendor should be asked about its hiring and employee screening practices.

Vendor-related considerations (cont'd): Sub-contracting
- To offer uninterrupted access, scalability and elasticity, vendors need infrastructure and hardware in diverse global locations, or depend on third parties for services such as storage mirroring or backup.
- Do the sub-contractors have the same security and privacy policies that the vendor has?
- How is the information protected as it is transmitted between the vendor and its sub-contractors?

Vendor-related considerations (cont'd): Multi-tenancy
- In the multi-tenancy model, multiple clients or organizations store their information in a single instance of an application on the same server and/or in the same data store or repository.
- Security is the biggest challenge.
- Is multi-tenancy covered in the organization's own privacy and security policies? If not, a formal understanding and guidance on this issue should be developed, with input from the IT, RIM and Legal departments.
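The segregation question raised here and under "Data segregation" above (the methods used to keep each organization's data from the others in a shared store) comes down to how the commingled store is queried. The Python below is an added example, not code from the presentation or from any vendor: a constructed in-memory store holding two tenants in one ID space, a weak lookup keyed on the record ID alone, and the tenant-scoped lookup a multi-tenant application should use instead. The tenant names, record IDs and record contents are invented for the demonstration.

```python
"""Tenant-scoped access to a commingled (multi-tenant) record store.
Added example, not from the presentation; the store, tenant names and
record identifiers below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant: str
    body: str


class AccessDenied(Exception):
    """Raised for any record the caller's tenant is not allowed to see."""


# Constructed sample data: two organizations share one data store and one
# ID space, which is the multi-tenancy situation described on the slide.
STORE = {
    1001: Record(1001, "township-a", "tax roll 2012"),
    1002: Record(1002, "township-b", "council minutes (in camera)"),
    1003: Record(1003, "township-a", "road maintenance contract"),
}


def fetch_unscoped(record_id: int) -> Record:
    """Weak lookup: keyed on the record ID alone. A user of township-a who
    guesses or increments an ID reads township-b's record, because the
    shared store itself provides no segregation."""
    return STORE[record_id]


def fetch_scoped(tenant: str, record_id: int) -> Record:
    """Hardened lookup: the caller's tenant is part of the key on every read.
    A record that exists but belongs to another tenant is handled exactly
    like a record that does not exist, so the error does not reveal which
    IDs are in use by other organizations."""
    rec = STORE.get(record_id)
    if rec is None or rec.tenant != tenant:
        raise AccessDenied(f"no record {record_id} for tenant {tenant}")
    return rec


def list_for_tenant(tenant: str) -> list:
    """Listings are always filtered by tenant; there is no unfiltered path."""
    return sorted(r.record_id for r in STORE.values() if r.tenant == tenant)


def cross_tenant_demo() -> dict:
    """township-a tries to read 1002 (township-b's record) both ways."""
    leaked_owner = fetch_unscoped(1002).tenant
    try:
        fetch_scoped("township-a", 1002)
        denied = False
    except AccessDenied:
        denied = True
    return {"unscoped_returns_record_of": leaked_owner, "scoped_denied": denied}


if __name__ == "__main__":
    print(cross_tenant_demo())
```

The same rule applies to a SQL-backed store: every query carries the tenant in its WHERE clause, and the application has no code path that reads by ID without it. Asking a vendor how their multi-tenant application enforces this (at the query layer, the schema, or with per-tenant databases) is the concrete form of the "methods used to segregate" question.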

Vendor-related considerations (cont'd): Public cloud
- Allows open access, in that anyone can contract for the services.
- The public has little if any control over how the services are implemented.
- The public can access services wherever there is an Internet connection.
- It may not be appropriate when information is covered by specific regulatory requirements; a private cloud is the best substitute.

Vendor-related considerations (cont'd): Private cloud
- Allows the customer to control how the service is supplied.
- Allows data to be moved easily between the internal data centre and the private cloud.
- Access security is frequently controlled on the private cloud through the organization's internal systems; it is protected by a firewall, and the right to use and access is granted through authentication and authorization of users.

Vendor-related considerations (cont'd): Hybrid cloud
- Appropriate when a solution requires ongoing exchange and connection between public users and a private application.
- With a hybrid cloud, integration at all layers (data, process, management and security) is essential.
- Example: an externally facing customer relationship management (CRM) program that links to a proprietary organizational data source.

Vendor-related considerations (cont'd): Issues to consider when choosing between public and private
- How sophisticated is the solution, and does it require complex integration between public and private?
- What are the security requirements for the type of information being managed?
- What if the information stored and managed is deemed to be low-risk?
- What if a virtualized environment is prohibited?

Vendor-related considerations (cont'd): Data location
- Identify the location of the provider's repositories.
- Identify where the provider may store the data.
- Identify any third-party providers the vendor may use, and note the physical location of their operations.
- Compliance with all applicable laws should be assured.
- During contract negotiations, ensure the vendor is obligated by contract to store information where required, and validate that privacy issues are addressed.

Vendor-related considerations (cont'd): Data backup and recovery
- External service providers should offer demonstrable proof of backup data.
- Review the vendor's policies and practices for backing up the data prior to contract finalization.
- Is the information being backed up to another system, and in which location, for redundancy?
- What type of controls does the vendor have in place regarding access to the information?
- Periodic tests should be performed to ensure that the backup and recovery systems and processes work as specified in the contract or service level agreement.

Vendor-related considerations (cont'd): Data retention
- If information is stored on virtual machines and can be spread among multiple locations and countries, each country's regulations can affect the retention time for that data, and retention issues become more complicated.
- The contract language should address these concerns.
- The contract language needs provisions for the destruction of records on all media (including backups) when the retention period ends, and for retaining information past the retention period in the event of a legal hold.
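The audit-trail requirement from the data integrity slide, the legal-hold and multi-level-approval recommendations, and the retention provisions just above all describe one mechanism, which can be shown as a small disposition engine. The Python below is an added example, not the Township's or any vendor's code: a hash-chained audit trail in which any later edit to an entry is detected, and a retention service that destroys only records past their schedule, never a record under legal hold, and only when two distinct approvers sign off. Record names, dates, retention periods and approver names are constructed for the demonstration.

```python
"""Retention schedule, legal hold and a tamper-evident audit trail.
Added example, not from the presentation; all records, dates, retention
periods and approver names below are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    created: date
    retention_days: int
    on_hold: bool = False
    destroyed: bool = False


@dataclass
class AuditTrail:
    """Hash-chained log: each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, record_id: str, actor: str, when: date) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"event": event, "record_id": record_id, "actor": actor,
                "date": when.isoformat(), "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        # Recompute every hash and check each "prev" link; one edited,
        # inserted or deleted entry breaks the chain from that point on.
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class RetentionService:
    """Creation, legal hold and disposition, each written to the trail."""

    def __init__(self, trail: AuditTrail):
        self.trail = trail
        self.records = {}

    def create(self, rec: Record, actor: str) -> None:
        self.records[rec.record_id] = rec
        self.trail.append("create", rec.record_id, actor, rec.created)

    def place_hold(self, record_id: str, actor: str, when: date) -> None:
        self.records[record_id].on_hold = True
        self.trail.append("legal_hold_on", record_id, actor, when)

    def disposition(self, today: date, approvers: list, actor: str) -> list:
        """Destroy records past retention, never those on hold; two approvers."""
        if len(set(approvers)) < 2:
            raise PermissionError("disposition needs two distinct approvers")
        destroyed = []
        for rec in self.records.values():
            due = rec.created + timedelta(days=rec.retention_days)
            if rec.destroyed or today < due:
                continue
            if rec.on_hold:   # retained past schedule because of the hold
                self.trail.append("destroy_blocked_by_hold", rec.record_id, actor, today)
                continue
            rec.destroyed = True
            self.trail.append("destroy", rec.record_id, actor, today)
            destroyed.append(rec.record_id)
        return destroyed


def run_demo() -> dict:
    """Constructed scenario: 7-year schedule, one hold, run on 11 Dec 2013."""
    trail = AuditTrail()
    svc = RetentionService(trail)
    svc.create(Record("minutes-2005", date(2005, 1, 10), 7 * 365), "rim")
    svc.create(Record("permit-2006", date(2006, 3, 1), 7 * 365), "rim")
    svc.create(Record("contract-2012", date(2012, 6, 1), 7 * 365), "rim")
    svc.place_hold("permit-2006", "legal", date(2013, 11, 1))
    try:
        svc.disposition(date(2013, 12, 11), ["rim", "rim"], "rim")
        single_approver_rejected = False
    except PermissionError:
        single_approver_rejected = True
    destroyed = svc.disposition(date(2013, 12, 11), ["rim", "legal"], "rim")
    intact_before = trail.verify()
    trail.entries[-2]["event"] = "retain"   # an attempt to hide the destruction
    return {"destroyed": destroyed, "single_approver_rejected": single_approver_rejected,
            "intact_before": intact_before, "intact_after_tamper": trail.verify()}
```

In the scenario, minutes-2005 is past its seven-year schedule and is destroyed, permit-2006 is also past schedule but is kept because of the hold (and the block is itself logged), and contract-2012 is untouched. The chain only proves integrity if the trail is kept on storage the disposition operators cannot rewrite (write-once media, or a copy held by Legal or an auditor); that is the control to ask a vendor about, not merely whether "audit logging" exists.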

Vendor-related considerations (cont'd): Physical security
- The cloud provider's data centre must be evaluated for its geographical location and physical security features, including management of secured, authorized access.
- There should be sign-in and sign-out sheets, especially for visitors.
- Background checks should be performed on employees.
- Contract terms should reflect all of these physical security requirements and allow the customer to conduct periodic facility audits.

Vendor-related considerations (cont'd): Environmental conditions
- Ensure that no environmental issues exist: check proximity to existing or potential environmental or industrial hazards.
- The internal environment should be reviewed: proper temperature and humidity controls should be in place.
- Include appropriate language regarding environmental conditions in the contract.

Vendor-related considerations (cont'd): Network access
- Contract terms should address the network requirements.
- Review the compatibility of the vendor's architecture with the organization's.
- Network saturation and bandwidth capacity should be investigated.

Vendor-related considerations (cont'd): Uptime
- No matter where information is stored, system uptime must be a consideration.
- Uninterrupted access to information is key to business operations.
- Uptime requirements should be clearly defined and negotiated with the vendor.

Vendor-related considerations (cont'd): Vendor continuity
- The organization should review and validate the vendor's creditworthiness to assess the vendor's long-term viability.
- The contract should document the application, data and platform migration strategies that will be used if the vendor goes out of business or is acquired.

Vendor-related considerations (cont'd): Vendor continuity
- During negotiation, the organization should devise contractual terms that provide flexibility in accessing data and define how the organization's information will remain accessible during any migration.
- The geopolitical climate needs to be assessed, as information could be compromised by destabilization of the hosting location. Conduct a thorough risk assessment and review of the hosting country's current social, political and economic conditions.
- What strategies does the vendor have in place to address these concerns, for example a mirror or backup in another country?

Summary: Decision-making process
- Weigh the benefits and risks of outsourcing records storage to the cloud.
- Operational and cost concerns are paramount, but appropriate protection for records and information must be in place as well.
- RIM, IT and Legal department staff should work together.
- The checklists provide direction from a variety of perspectives: technology, legal and vendor-related.

Thank you. Tatta Srinivasa, Records Manager