Challenges to Governing Remote InformationBy Gordon E.J. Hoke | Posted 2011-10-04 Email Print
Applying GARP to the cloud.
Records and information management (RIM) offers reduced risk to organizations sending data to the cloud. In recent years, some organizations sent data first and then asked records analysts to manage the information—an inverted sequence that produced problems. Even when well planned, records management in the cloud is a serious challenge.
The latest attempt to define age-old records management concepts comes from ARMA International’s Generally Accepted Recordkeeping Principles (GARP). These principles apply millennia of learning through a universal system that’s appropriate for the cloud, as well as for ancient scrolls.
To apply GARP to the cloud, organizations and their records managers need to address the following:
1. Connectivity requirements: To meet the principle of availability, cloud providers must install adequate capacity for rapid retrievals and reliable availability. The communication system must consistently operate at an acceptable speed. Neither bandwidth nor processing loads should bring delivery speeds below specifications.
2. Loss of control: Storage in the cloud inherently lowers record owners’ control over their data. Information from a single source may be stored in physically diverse locations. Control may further degrade when cloud providers merge, go out of business, or otherwise add layers of insulation between the provider and the user.
3. Responsibility: Cloud computing multiplies the variables at each stage of a record’s life cycle. This increases the responsibilities of the information manager. To apply GARP in the cloud, a records manager must have resources in technology, compliance and legal matters.
For example, many nations severely restrict the export of private information. If a service provider’s cloud is in one of those countries, records may be trapped there. The savvy records manager will engage the services of a contract attorney to be sure any agreement with the cloud provider keeps private information both safe and available. The records manager cannot rely on the service provider to know the host country’s law.
4. Liability: The principle of compliance has two sides. First, it requires that a records management program meet all applicable laws, regulations and ethics. Second, it requires a defined level of participation in records management by record owners and custodians. In the cloud, this can be problematic.
Implementations of cloud storage may be poorly defined with changing policies. Can a cloud user, having yielded aspects of RIM to a service provider, prove legal and regulatory compliance? Can the cloud provider guarantee, for example, that legal holds are effectively applied? Can the records manager easily audit the records to measure staff compliance with the organization’s policies and procedures? Without definitive, positive answers to these questions, an organization may find itself legally liable for records policies beyond its control.
5. Disaster methodology: Usually, risk analyses direct disaster recovery and business continuity strategies. When records reside in indeterminate locations under unstated or fuzzy rules for protection against disaster, the risks are incalculable. Precise contracts, policies and procedures mitigate these risks, but it can be difficult to prove cloud vendor compliance.
6. Disposition: Disposing of unneeded records is as important as retaining needed ones. Cloud providers may not clearly state their means of disposition, and assessing their practice of disposition may be impossible. And they may not understand the threats lurking in residual traces of data and metadata. Records managers need reliable proof that disposed records are truly gone or, alternatively, ineligible for legal discovery.
7. Persistent preservation strategy: Similarly, it is difficult to ensure long-term, persistent (permanent) integrity of records in the cloud. In the intermediate term, routine maintenance and measurements threaten records’ metadata. In the long term, changes in hardware, operating systems, application software, storage media, encryption keys, security utilities and more threaten to render records unreadable.
8. Interoperability: There are few defined provisions for interoperability in cloud storage. Evolution in technology can render records irretrievable or corrupted. Protection against this threat is hard to write into contracts, and when it is, compliance with the wording may be difficult to enforce.
9. Continuity: The rules of cloud governance are still fluid, and potential users must evaluate vendors’ stability. Among the plethora of cloud providers, some will undoubtedly fail, merge, be acquired or evolve into using other technologies. Records managers must be futurists and plan for potential breaks in their cloud provider’s continuity. Contracts can provide for third-party receiverships, source code in escrow and advance warnings, but risks remain.
Practicing GARP becomes a framework for risk reduction. It allows organizations to ask the question, “How can we use best practices while taking advantage of the cloud? How can we enjoy the benefits while minimizing the risks?”
In the not-too-distant future, the obstacles to RIM in the cloud will diminish as cloud providers incorporate GARP into their offerings. And, as new technologies appear, and records managers will apply GARP to them as well.
Gordon E.J. Hoke, Certified Records Manager, is an independent consultant based in Plainview, Minn.