Recordkeeping In Brief 62 - FAQs about cloud computing
These frequently asked questions (FAQs) address some aspects of the use of cloud computing services. This document will be added to when new questions arise. To submit information or suggestions about additional content or coverage please email firstname.lastname@example.org.
- What is cloud computing?
- What types of applications and services are offered?
- Are there different types of cloud?
- Are there risks associated with taking up cloud computing services?
- What are some of the risks associated with using cloud computing services?
- Can State records created and/or stored via cloud services be managed outside NSW?
- Should some State records only be managed ‘in-house’?
- What are the contractual issues I should consider before using cloud computing services?
- What resources are there for me to read?
- What are others saying?
What is cloud computing?
Cloud computing is internet-based computing whereby shared resources, software and information are provided to computers and other devices on demand. Cloud computing is a general term for anything that involves delivering hosted services over the Internet. The cloud is itself a virtualisation of resources such as networks, servers, applications, data storage and services. It can provide the user with many applications and services on demand via the web.
What types of applications and services are offered?
A range of applications can be delivered to users via cloud computing models, from email or content management, to specialist applications for activities such as project management or human resources management, to data storage.
Cloud computing models include:
- Software-as-a-Service (SaaS) – This is where business applications are provided over the web (e.g. email). The provider supplies the hardware infrastructure and the software product, and interacts with the user through a front-end portal. Services can include web-based email, inventory control and database processing.
- Platform-as-a-Service (PaaS) – This is where a set of software and product development tools is hosted on the provider’s infrastructure. Developers create applications on this platform over the Internet. An example is Google Apps.
- Infrastructure-as-a-Service (IaaS) – This is where the provider supplies ‘virtual’ infrastructure such as servers, storage and access.
Are there different types of cloud?
A cloud can be private or public:
- A public cloud is a provider that anyone can purchase services from (in some cases these are free services).
- A private cloud is a network limited to certain users (e.g. a company, a government or a community) or a data centre that supplies hosted services to a limited number of people.
There is also the virtual private cloud, i.e. where a service provider uses public cloud resources to create a private cloud.
Are there risks associated with taking up cloud computing services?
Yes. As with any business related activity there are both risks and opportunities associated with using cloud computing services. The risks need to be assessed and managed so that they can be minimised or mitigated.
Cloud computing usually involves transferring content to or creating content in data stores maintained by the provider and geographically remote from the customer. As a result, there are particular risks around ensuring compliance with:
- legislative requirements for the management of information, e.g. managing personal information
- government requirements, e.g. managing information security, disaster recovery and business continuity
- community expectations, e.g. ensuring that government information is safely and securely stored and not available to be used for unauthorised purposes.
More particularly, where official government business is done using cloud computing services, these data stores will contain State records. This raises a number of risks both for the organisation and for members of the public who rely on the proper management of government information to provide evidence of their rights and entitlements, and to demonstrate the workings of government for accountability purposes. This means that any cloud computing service that involves the creation, management or storage of government information needs to be assessed against the requirements of the State Records Act 1998 and the Standards issued under the Act.
What are some of the risks associated with using cloud computing services?
There are potentially a number of business and information risks associated with using cloud computing services. These risks include:
- Data is hosted or stored outside of the organisation’s own networks and servers.
- Data is only accessible through the cloud service provider. This may build too much dependency on the provider.
- As data is managed and/or stored externally, business continuity and disaster recovery processes are outside the organisation’s control and in the hands of the provider.
- The organisation may not be able to control the relevant State records hosted in the cloud adequately, and may therefore fail to meet the requirement of s.11(1) of the State Records Act to ensure the ‘safe custody and proper preservation’ of State records.
- A person in another State or country may claim ownership or otherwise take control of the records.
- The records may be subject to local laws and therefore be discoverable in those jurisdictions.
- The service provider may not be able to preserve records with very long retention periods.
- The service provider may not be able to perform and document common records management tasks such as registration and disposal.
- The records may not be returned upon request or at the conclusion of the contract.
- The records may be returned to the organisation but in a format that the organisation cannot readily access or use.
- The provider or owner of the business may go out of business and the data may not be recoverable.
These risks are real and some of the issues we have heard about are:
- Format compatibilities – Sometimes when organisations have had their records returned to them at the conclusion of an outsourcing arrangement, they have not been in a format that the organisation can readily access or use. Some organisations have been faced with the need to purchase expensive software in order to access and reuse their data.
- Return of data – Some of the records sent to ‘the cloud’ have long retention periods (e.g. some construction project management records) and so the ability of the service provider to return data to the organisation is important to meet business needs and legal requirements.
- Records management functions – Another common problem is the ability of the service provider to perform and then document any records management operations needed, most frequently registration and disposal actions.
Can State records created and/or stored via cloud services be managed outside NSW?
Yes, in many cases records can be managed and stored via cloud services based outside of New South Wales.
State Records has approved the General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35). This general authority gives approval for the transfer of records outside of NSW for storage with or maintenance by service providers based outside the State. However, this permission is given on the condition that an appropriate risk assessment has been made and the records are managed in accordance with all the requirements applicable to State records under the State Records Act 1998.
In particular public offices must:
- assess and address the risks involved in taking and sending records out of the State for storage with or maintenance by service providers based outside of NSW
- ensure that the facilities and services of the service provider conform to requirements in standards issued by State Records
- ensure that contractual arrangements and controls are in place to promote the safe custody and proper preservation of records
- ensure that the ownership of the records remains with the public office
- monitor the arrangement to ensure the service provider is meeting all relevant requirements.
Recordkeeping in brief Storage of State records with service providers outside of NSW (RIB54) provides further information about these conditions.
It should be noted that even if the cloud computing environment is managed wholly within NSW an appropriate risk assessment of the service and the provider should occur.
Should some State records only be managed ‘in-house’?
The level of risk that an organisation attributes to a proposed cloud computing arrangement will vary according to the content or subject matter of their records and their level of sensitivity or importance. In some cases, the records concerned may well be too sensitive or important to trust to a public cloud computing service provider.
What are the contractual issues I should consider before using cloud computing services?
The content of the contract in these types of service arrangements is very important. An agency entering into a service arrangement for using cloud computing services for key business activities or storage of critical business information should normally seek a legal opinion.
Some examples of matters that should be considered are given in the short flyer Managing recordkeeping risk in the cloud: ensuring the proper creation, management and disposal of official records in cloud computing environments.
Contracts should address a range of issues, including (but not limited to):
- data location
- data ownership
- standards used
- privacy requirements
- non-disclosure requirements
- defining roles and responsibilities
- incident reporting
- enforcement mechanisms
- business continuity and disaster recovery
- data restoration
- monitoring arrangements
- return of data
- destruction of data from providers’ systems.
What resources are there for me to read?
State Records has a number of resources available to help you to manage the recordkeeping risks associated with cloud computing, including:
- General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)
- Recordkeeping in brief Storage of State records with service providers outside of NSW (RIB54).
We also offer a printable flyer summarising strategies for managing records ‘in the cloud’, including a records risk management checklist for cloud computing arrangements: Managing recordkeeping risk in the cloud: ensuring the proper creation, management and disposal of official records in cloud computing environments.
What are others saying?
Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing the recordkeeping risks associated with cloud computing, July 2010, available at http://www.adri.gov.au
Defence Signals Directorate (Commonwealth), Cloud computing security considerations, April 2011, available at http://www.dsd.gov.au/infosec/cloudsecurity.htm
Department of Finance and Deregulation (Commonwealth), Cloud computing strategic direction paper: opportunities and applicability for use by the Australian Government, April 2011, available at http://www.finance.gov.au/e-government/strategy-and-governance/docs/final_cloud_computing_strategy_version_1.pdf
Archives and Records Association UK and Ireland, Cloud computing toolkit: guidance for outsourcing information storage to the cloud, August 2010, available at http://www.archives.org.uk/images/documents/Cloud_Computing_Toolkit-2.pdf – this guidance contains a comprehensive overview of the range of cloud computing services available and the recordkeeping considerations that apply to each
CIO Council and Chief Acquisition Officers Council (USA), Creating effective cloud computing contracts for the Federal Government: best practices for acquiring IT as a service, February 2012, available at http://www.cio.gov/cloudbestpractices.pdf – this is a comprehensive and useful document for those seeking to procure cloud computing services