Challenges to Governing Remote Information

Organizations and record managers need to be cautious in meeting internal and regulatory requirements for the cloud

Records and information management (RIM) offers reduced risk to organizations sending data to the cloud. In recent years, some organizations sent data first and then asked records analysts to manage the information, an inverted sequence that produced problems. Even when well planned, records management in the cloud is a serious challenge.

The latest attempt to define age-old records management concepts comes from ARMA International's Generally Accepted Record-keeping Principles (GARP). These principles apply millennia of learning through a universal system that's appropriate for the cloud, as well as for ancient scrolls. To apply GARP to the cloud, organizations and their records managers need to address the following:

1. Connectivity requirements: To meet the principle of availability, cloud providers must install adequate capacity for rapid retrievals and reliable availability. The communication system must consistently operate at an acceptable speed. Neither bandwidth nor processing loads should bring delivery speeds below specifications.

2. Loss of control: Storage in the cloud inherently lowers record owners' control over their data. Information from a single source may be stored in physically diverse locations. Control may further degrade when cloud providers merge, go out of business, or otherwise add layers of insulation between the provider and the user.

3. Responsibility: Cloud computing multiplies the variables at each stage of a record's life cycle. This increases the responsibilities of the information manager. To apply GARP in the cloud, a records manager must have resources in technology, compliance and legal matters.

For example, many nations severely restrict the export of private information. If a service provider's cloud is in one of those countries, records may be trapped there. The savvy records manager will engage the services of a contract attorney to be sure any agreement with the cloud provider keeps private information both safe and available. The records manager cannot rely on the service provider to know the host country's law.

4. Liability: The principle of compliance has two sides. First, it requires that a records management program meet all applicable laws, regulations and ethics. Second, it requires a defined level of participation in records management by record owners and custodians. In the cloud, this can be problematic.

Implementations of cloud storage may be poorly defined with changing policies. Can a cloud user, having yielded aspects of RIM to a service provider, prove legal and regulatory compliance? Can the cloud provider guarantee, for example, that legal holds are effectively applied? Can the records manager easily audit the records to measure staff compliance with the organization's policies and procedures? Without definitive, positive answers to these questions, an organization may find itself legally liable for records policies beyond its control.

5. Disaster methodology: Usually, risk analyses direct disaster recovery and business continuity strategies. When records reside in indeterminate locations under unstated or fuzzy rules for protection against disaster, the risks are incalculable. Precise contracts, policies and procedures mitigate these risks, but it can be difficult to prove cloud vendor compliance.

6. Disposition: Disposing of unneeded records is as important as retaining needed ones. Cloud providers may not clearly state their means of disposition, and assessing their practice of disposition may be impossible. And they may not understand the threats lurking in residual traces of data and metadata. Records managers need reliable proof that disposed records are truly gone or, alternatively, ineligible for legal discovery.

7. Persistent preservation strategy: Similarly, it is difficult to ensure long-term, persistent (permanent) integrity of records in the cloud. In the intermediate term, routine maintenance and measurements threaten records metadata. In the long term, changes in hardware, operating systems, application software, storage media, encryption keys, security utilities and more threaten to render records unreadable.

8. Interoperability: There are few defined provisions for interoperability in cloud storage. Evolution in technology can render records irretrievable or corrupted. Protection against this threat is hard to write into contracts, and when it is, compliance with the wording may be difficult to enforce.

9. Continuity: The rules of cloud governance are still fluid, and potential users must evaluate vendors' stability. Among the plethora of cloud providers, some will undoubtedly fail, merge, be acquired or evolve into using other technologies. Records managers must be futurists and plan for potential breaks in their cloud providers' continuity. Contracts can provide for third-party receiverships, source code in escrow and advance warnings, but risks remain.

Practicing GARP becomes a framework for risk reduction. It allows organizations to ask the question, "How can we use best practices while taking advantage of the cloud? How can we enjoy the benefits while minimizing the risks?"

In the not-too-distant future, the obstacles to RIM in the cloud will diminish as cloud providers incorporate GARP into their offerings. And, as new technologies appear, records managers will apply GARP to them as well.

Gordon E.J. Hoke, Certified Records Manager, is an independent consultant based in Plainview, Minnesota.
