What is the Cloud?
In our daily consulting, we often get asked questions about using the Cloud as a means of storing records. When we throw around the term “cloud storage,” we’re really talking about cloud computing, which encompasses cloud storage, or “renting” space on a server for storage; but cloud computing is much bigger. According to the National Institute of Standards and Technology (NIST), cloud computing is a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction“ (NIST).
You’ve probably been using cloud computing without even realizing it. Do you access your email via a login despite your location, or listen to music on your phone without music files taking up its precious storage space? Cloud computing makes these conveniences possible; unsurprisingly, cloud computing promotes availability. Services should meet five necessary characteristics to be considered “Cloud”: (1) on-demand self-service, (2) broad network access, (3) resource pooling, (4) rapid elasticity, and (5) measured service.
There are three cloud-computing models that offer a variety of services. Software as a Service (SaaS) provides users with access to applications, like web-based email, without the inherent maintenance and ownership tasks. Platform as a Service (PaaS) offers users access to development tools and services without the ownership or responsibility of management, like an operating system, web server, or database. Infrastructure as a Service (IaaS) grants users access to services on-demand that keep a system operational, like security, backup, and storage.
In today’s post we’ll focus on the IaaS model of cloud computing because this is the model for which state and local governments will contract cloud storage through. This service model allows the consumer, you and your government entity in this case, the ability to supplement your resources where they are lacking, perhaps in processing power,storage, or networks. The convenience and pay-for-what-you-need structure means the consumer does not control or manage the underlying cloud infrastructure.
What does TSLAC say?
TSLAC’s publications and bulletins do not strictly address cloud storage requirements and suggestions. However there are some conclusions we can draw from what the publications do say.
No matter where records are being stored, you still have responsibilities when it comes to record maintenance, storage conditions, and disposition. Namely, records cannot be destroyed before their retention period expires or compromised and changed due to migration, or changes in technology.
According to Bulletin B, local governments are responsible for ensuring records remain accessible as well as accurate and complete up until authorized destruction (13 Texas Administrative Code § 7.76). This means establishing a migration strategy to avoid technology obsolescence. Records need to be accessible not only to the government entity, but also to the public they serve, no matter what type of electronic recordkeeping system the records exist within (13 Texas Administrative Code §7.79).
Title 13 Texas Administrative Code §7.76(b) more specifically outlines how backup electronic media stored offsite must be maintained. Although these rules apply specifically to magnetic tapes and optical disks, the minimum requirements can easily be considered for the environmental conditions for offsite storage servers. When it comes to final disposition of electronic records, state agencies and local governments follow different administrative rules; however, they essentially give the same message.
For local governments, don’t destroy records unless you’re in compliance with Local Government Code, Section 202.001 or Government Code Section 441.187(a) and even then, make sure any confidential information contained within records is appropriately protected.
For state governments, there’s an added responsibility for archival records. In the event of an archival electronic state record, the agency must maintain the record’s accessibility even through hardware and software changes (Section 6.95(b)).
Concerns
Despite these requirements and procedures included in the administrative code and law, there are important potential problems and pitfalls to take into account when considering cloud storage. NARA Bulletin 2010-05 and “Governance for Protecting Information in the Cloud”† identify many of these challenges.
These challenges include matters of security during deletion of confidential information or protection against access. Records may contain personally identifiable information.
- Are records containing confidential information being destroyed appropriately and permanently to avoid possible litigation?
- Who can gain access to the records and how are they being protected against unauthorized access?
Cloud applications may lack actual records management capabilities regarding metadata, authenticity of records, and disposition. There may be reduced capabilities in comparison to managing the information on site, such as transferring archival records or permanently deleting records.
- Can the cloud infrastructure ensure metadata remains linked to its respective records?
- Will records be kept intact (authentic and with integrity) and functional throughout the lifecycle?
- When it comes to final disposition, archival transfer and deletion, what RM capabilities does the cloud application have?
Even though an agency decided to store their records on the cloud and off of their physical premises, the records still need to be as available and accessible as if they were right at hand (13 Texas Administrative Code 7.79). Though cloud storage presents possible information availability issues, these access challenges would be the same if it were your IT department managing the data and experiencing disaster, data corruption, or failure of hardware (Barclay). The difference between in-house cloud management and third-party cloud management is any potential issue needs to be talked about and configured in the contract, which will be addressed later in the post.
For example, imagine your agency receives a public information request; the 10 day response time still applies. In the event of e-discovery, an agency’s responsiveness in returning requested electronic records is required.
- How easily can the cloud environment be searched and navigated to find particular information?
- Will complicated or extensive searches effect performance and speed of the cloud environment?
There is also a lack of technical standards dictating how and where data is stored and manipulated when it lives in the cloud environment. This can threaten the trustworthiness of a record over the long-term as well as weakening the digital object.
Additionally there are no portability standards making the deletion, removal, or migration of records complicated and potentially inhibiting an agency from completing their recordkeeping responsibilities.
- Does the cloud provider, and therefore their services, adhere to any standards? Does this meet your requirements?
- Are there any export capabilities within the cloud environment making for a safer transfer or removal of records and its associated metadata from one system to another?
Where do you start?
Don’t let the potential pitfalls of cloud storage stop you and your agency from pursuing the option; go into the process with open eyes and all the knowledge.
Goals
You can start by determining what your organization’s goals are for provisioning storage in the cloud. For many it may be a space issue; did you run out of room on your local servers? Perhaps it’s for collaboration or increased access; do you need to share records and information with others in your organization remotely? This will help you determine what type of cloud infrastructure offering your organization needs, whether it is a public cloud, private cloud, or community cloud. Ultimately, the difference between these types of cloud is who has access to the information. As their names suggest, public clouds will have more open accessibility to the general public whereas private clouds would be restricted to the one organization. A community cloud is shared and accessible by organizations who share the same goals or concerns.
You might also consider going with a hybrid cloud (combination of any two of the clouds) to account for the possibility your organization will want or need something different in the future. This enables the possibility of moving information between the two, allowing your organization to protect certain types of information, keep some in a self-run private cloud, and keep the other in a public cloud.
Plan
This is the time to also decide what records you plan to store in the cloud. Much like when deciding whether to start a digital imaging project, evaluate the value of particular records and consider their retention period. Non-permanent records, or records with a retention period of less than 10 years, will be a safer bet than permanent records needing to be maintained and accessible for a long time, a feat none too easy in the digital world.
Do your due diligence by ensuring the service provider will be able to follow any requirements to which your agency is beholden.
Conclusion
It’s all in the contracts!
Before jumping into cloud storage, fully think about all that it entails. This may mean making a plan, reaching out to your legal team, and making sure any contracts and service level agreements (SLAs) with cloud storage providers cover the necessary elements. It’s important to review the cloud provider’s policies and documentation to ensure there is the ability for the successful and authentic transfer of records before entering into a contract. Cloud computing is a relatively new and increasingly popular method of providing services, meaning that providers can grow and change and you want to make sure your records are ultimately safe.
Make sure to consider the following concepts:
- Security and Privacy
- Record Management Requirements (you) and Capabilities (them)
- Metadata Preservation
- Availability and Accessibility of Records
- e-Discovery
- Portability of Records
- Standards
- Audits (if necessary)
If you have any further questions or concerns regarding cloud storage, please contact your analyst.
† Blair, B. (2010, October 22). Governance for Protecting Information in the Cloud. Hot Topic: Making the Jump to Cloud, HT1-HT4.
Are there any rules that require state agencies in Texas to only use clouds where the servers reside in Texas? Or is it okay for data to be stored on servers outside of the state?
Thank you for your question! There currently are no State of Texas rules or mandates regarding where the server hosting the cloud storage should be located. This is where planning your project becomes such a good idea; it allows you the opportunity to include all stakeholders so that any rules, regulations, or policies of the agency or funding sources can be considered.
Here are two other good sources of information regarding cloud storage from the Texas Department of Information Resources. They discuss some guidelines for cloud services (Texas Cloud Services Guide) and also include a case study of a pilot cloud project (Lessons Learned).