So recently a friend asked me about cloud computing. They were looking at it from a business perspective and, like any good person in the business field, were trying to assess the benefits and risks. They understood that the security aspect of cloud computing had “improved significantly” but were trying to get a feel for the general consensus on “the cloud” as it applies to the records management world.
Being a good business person, they certainly did not ask only me, nor was this the only research they did, but I did weigh in. Below you can find my response in case you are looking for one more opinion on the topic.
What do you mean by the Cloud?
One of the difficulties in stating a general consensus on the whole of cloud computing is that the term covers such a broad spectrum of services. For example, cloud computing as defined by the National Institute of Standards and Technology (http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf) focuses on the characteristics of a cloud, and therefore will include private clouds. Most folks talking about “moving to the cloud,” however, are referring to the outsourcing of network technologies (such as servers, etc.) that used to reside in house.
The records management (RM) perspective would be primarily concerned with software as a service (SaaS) and storage as a service (STaaS). While it seems that anything can go “up into the cloud,” records managers would worry about having these two aspects of the business hosted, maintained and managed by an entity outside of the organization. Storage may be obvious, but software is important too, since RM is concerned with the entire lifecycle of a record or document. If the software used to create records is hosted off site, an RM professional might want to ask some questions of the SaaS provider, because there is potential for copies to find their way outside of the defined lifecycle procedure or policy. While this may seem like a minor risk for most companies, it is something to think about.
To get back to the question at hand
I think there are three major risks associated with Cloud computing from an RM perspective.
Security. Specifically, the concern is who can gain unauthorized access to the organization’s files.
There is risk from the cloud because you are relying on the provider’s security and protocols. Also, your people will likely be able to log in remotely, so education on password security will be very important – no “qwerty” or “123456”. Some might also argue that because the cloud provider holds the records of lots of companies, it is a bigger target for hackers.
My personal opinion, and I think many agree with me, is that most big cloud organizations are actually pretty well secured, especially when compared to the company that is thinking about switching. This will of course vary by organization; the Department of National Defense or a Lockheed Martin may already have top-notch security in place. Many organizations, including several in Nova Scotia, likely can’t afford or choose not to employ a dedicated software security team. In fact, I would not be surprised if many do not even have a permanent in-house IT professional. Thinking about it that way, what is really more secure: Amazon’s cloud, or the server in the basement that was set up two years ago and hasn’t had anyone look at it in a professional capacity in the last 5 months? As for the cloud services being a big target… well, I think the bank analogy works fairly well. Do you keep your money in the bank or in a safe on site?
E-Discovery. This risk concerns when a court of law orders an organization to produce digital documentation. For RM I think that there are two problems in this area.
The first is that (and this is probably much like physical discovery) there will be court-ordered examiners, who should be able to check whether you started destroying stuff after the court ordered it turned over. While I’m not an expert in this area, I understand that it can be tough to do this sort of investigation with cloud solutions. To counter that point, some might argue (and I would be one of them) that as long as your cloud provider has assured you they could handle E-Discovery forensic audits properly, it is not really your problem as a business if the forensic folks are having trouble assessing the servers.
Another potential E-Discovery problem is that the cloud might enable the circumvention of a solid and correctly implemented document life cycle. Since cloud storage is often cheap, people might be tempted to push back or ignore the destruction portion of the life cycle policy. This can result in the existence of files that should have been removed, which will at best extend the length of time lawyers billing by the hour are wading through your files, and at worst will provide ammunition against your organization. I feel, however, that if the convenience and simplicity of cloud storage are not at least replicated by the organization, employees will begin to implement rogue practices which also put the organization at risk. People want the convenience of syncing files between workstations and their mobile devices. Many people use Google software and Drive storage, Dropbox, or Box.net at home, and will simply set up ad hoc networks outside corporate control without consulting their RM or risk managers. Using cloud services or a private cloud will help reduce the risk of these activities.
Access and Uptime. This risk refers to getting the organization’s files in a timely manner and using software to complete important tasks. If the organization’s files and software are controlled by a third party and there is no local backup (for shame), there is some risk these files will never be seen again. While the smart money would say Google is not going to collapse without warning, big businesses do fail, so this is a real risk of remote storage that must be mitigated. The internet can also go down, for a variety of reasons, and crucial files might need to be accessed during that outage. There are ways to mitigate this risk. I’m not really an IT guy, so without doing some real research I wouldn’t know the best options, but I think something like backing up to a RAID system that is located on site somewhere might do it. This is kind of a good question and I hope to come back to it and learn more about it.
There are likely many other factors out there, but addressing those three will be needed before a good RM professional will sign off on “moving to the cloud.” There are many technical and financial reasons for organizations to use cloud technologies. This white paper by Deloitte sums them up very nicely. As well as those factors, I personally think that organizations will need to embrace the multi-screen sync world that we currently inhabit. If employees can’t access, edit, and create documents on multiple devices and have some way to simply keep them synced up, organizations will start to see breaches of their RM workflow as individuals use the “free” cloud services offered.