The uptake of cloud-based services is a key component of ICT strategy across many organisations. With appropriate consideration (including risk assessment), selection and management of service arrangements, key benefits can be derived by organisations and risk can be managed. This guidance addresses the information and records aspects of the use of cloud-based computing services and is in the form of common questions and answers.
The NSW Government Cloud Policy, issued in August 2015, should be consulted. It provides guidance to agencies about key considerations to be aware of when evaluating cloud services.
The new Standard on records management should also be consulted. It includes a range of requirements that must be addressed in cloud arrangements. See particularly minimum compliance requirements 1.7, 2.4 and 2.6.
What is cloud computing?
Cloud computing is internet-based computing whereby shared resources, software and information are provided to computers and other devices on demand. Cloud computing is a general term for anything that involves delivering hosted services over the Internet. The cloud is itself a virtualisation of resources such as networks, servers, applications, data storage and services.
What types of applications and services are offered?
There are a range of applications that can be delivered to users via cloud computing models, from email or content management to specialist applications for activities such as project management or human resources management or data storage.
Cloud computing models include:
- Software-as-a-Service (SaaS): where business applications are provided over the web. The provider supplies the hardware infrastructure and software product, and interacts with the user through a front-end portal. Services include web-based email, inventory control and database processing.
- Platform-as-a-Service (PaaS): where a set of software and product development tools are hosted on the provider’s infrastructure. Developers create applications on this platform over the Internet.
- Infrastructure-as-a-Service (IaaS): where the provider supplies ‘virtual’ infrastructure such as servers, storage and access.
Are there different types of cloud deployment?
A cloud can be private or public:
- A public cloud is a provider that anyone can purchase services from (in some cases these are free services).
- A private cloud is where the cloud infrastructure is provisioned for the exclusive use of certain users (e.g. a company or a government).
There are different considerations and risks involved in cloud arrangements depending on the model deployed and services used.
Are there risks associated with using cloud computing services?
Yes. As with any business related activity there are both risks and opportunities associated with using cloud computing services. The risks need to be assessed and managed so that they can be minimised or mitigated.
Public cloud computing usually involves transferring content to or creating content in data stores maintained by the provider and geographically remote from the customer. As a result, there are particular risks around ensuring compliance with:
- legislative requirements for the management of information, e.g. managing personal information
- government requirements, e.g. managing information security, disaster recovery and business continuity
- community expectations, e.g. ensuring that government information is safely and securely stored and not available to be used for unauthorised purposes.
More particularly, where official government business is done using cloud computing services, these data stores will contain high value Government information and records. This raises a number of risks both for the organisation and for members of the public who rely on the proper management of government information and records to provide evidence of their rights and entitlements, and to demonstrate the workings of government for accountability purposes. This means that any cloud computing service that involves the creation, management, access or storage of government information and records needs to be assessed against the requirements of the State Records Act 1998, the Standards issued under the Act and other information management legislation or polices as applicable.
What are some of the risks associated with using cloud computing services?
There are potentially a number of business and information risks associated with using cloud computing services. These risks include:
- Sensitive data is hosted or stored outside of the organisation’s own networks and servers.
- Critical data is only accessible through the cloud service provider. This may build too much dependency on the provider.
- As data is managed and/or stored externally, business continuity and disaster recovery processes are outside the organisation’s control and in the hands of the provider.
- The organisation may not be able to control the relevant information and records hosted in the cloud adequately, and may therefore fail to meet the requirement of s.11(1) of the State Records Act to ensure the ‘safe custody and proper preservation’ of State records
- A person in another State or country may claim ownership or otherwise take control of the records
- The records may be subject to local laws and therefore be discoverable in those jurisdictions. The service provider may not have in place robust backup and disaster recovery strategies/systems.
- The service provider may not be able to preserve records with long retention periods.
- The service provider may destroy or deleted records without approval, unlawfully or inappropriately.
- The service provider may not be able to perform and document common records management tasks such access control, transfer and disposal.
- The records may not be returned upon request or at the conclusion of the contract.
- The records may be returned to the organisation but in a format that the organisation cannot readily access or use.
- The provider or owner of the business may go out of business and the data may not be recoverable.
How do I manage the risks?
In order to manage the recordkeeping risks associated with cloud computing, you should:
- identify and assess the risks involved in using cloud computing service providers to store or process government information including records
- assess the software products offered by the cloud computing service providers for their capacity, appropriateness and adequacy to create, store, manage or process government information including records
- perform ‘due diligence’ when selecting a cloud computing service provider and the service offerings
- establish contractual arrangements to manage known risks
- monitor the arrangements with cloud computing service providers.
Can State records created and/or stored via cloud services be managed outside New South Wales?
Yes, in many cases records can be managed and stored via cloud services based outside of New South Wales.
State Records has approved the general authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35). This general authority gives approval for the transfer of records outside of NSW for storage with or maintenance by service providers based outside the State. However, this permission is given on the condition that an appropriate risk assessment has been made and the records are managed in accordance with all the requirements applicable to State records under the State Records Act 1998. In addition, all other legislative requirements for the management of information should also be met before entering any arrangements.
In particular public offices must:
- assess and address the risks involved in taking and sending records out of the State for storage with or maintenance by service providers based outside of NSW
- ensure that the facilities, systems and services (including software products, storage systems) of the service provider conform to requirements in standards issued by State Records
- ensure that contractual arrangements and controls are in place to ensure the security, safe keeping and on-going accessibility of records
- ensure that contractual arrangements are in place to ensure the exportability and return of records and information is addressed
- ensure that the ownership of the records remains with the public office
- ensure appropriate controls are in place to manage lawful, approved deletion or disposal of information and records
- monitor the arrangement to ensure the service provider is meeting all relevant requirements.
It should be noted that even if the cloud computing environment is managed wholly within NSW an appropriate risk assessment of the service and the provider should still occur.
Are there some State records that should only be managed ‘in-house’?
The level of risk that an organisation attributes to a proposed cloud computing arrangement will vary according to the content or subject matter of their records and their level of sensitivity or importance. In some cases, the records concerned may be too sensitive or important to trust to a public cloud computing service provider.
Should cloud services be managed within the framework of my organisation's information management framework and strategies?
Yes. All in-house systems, external service arrangements and cloud-based services which create, manage and store information and records of the organisation and its business (however conducted) should be subject to appropriate information governance arrangements. Essentially, this means that all arrangements, processes and systems by which corporate information is created, received, stored, protected, managed, accessed, preserved (to ensure on-going accessibility) and disposed of should be part of a consistent and managed organisational-wide framework and strategies for information and records management.
What are the contractual issues I should consider before using cloud computing services?
The content of the contract in these types of service arrangements is very important. An agency entering into a service arrangement for using cloud computing services for key business activities or storage of critical business information should normally seek a legal opinion.
Contracts should address a range of issues, including (but not limited to):
- data location
- data ownership
- standards used
- privacy requirements
- non disclosure requirements
- defining roles and responsibilities
- incident reporting
- enforcement mechanisms
- business continuity and disaster recovery
- data restoration
- monitoring arrangements
- return of data
- exportability of data (the transfer of data to another system or provider)
- destruction of data from providers’ systems.
Before you enter into cloud computing arrangements, ask the service provider:
- how the service or product can meet any business or recordkeeping requirements specified by your organisation
- what form the information will be exported from the system in, including what metadata is exportable
- whether any additional charges would be levied by the provider in the event of the organisation seeking to remove information from ‘the cloud’ or terminate the arrangement
- if they will commit to storing and processing your information in specific jurisdictions that are acceptable to your organisation (that have, for example, legal frameworks more compatible with Australia’s environment)
- whether they will make a contractual commitment to comply with privacy requirements on behalf of their customers – both local to the organisation and in the location or locations(s) where the information is stored
- for an assurance that no copy of the records or information is retained by the provider after the termination of the contract
- whether you are able to regularly specify records to be destroyed and whether they are prepared to provide you with assurance (e.g. certificates) of destruction
- whether they are regularly subjected to external security audit or certification processes
- how many of their staff have administrator level access to your records, and details of controls over their access
- if they can give assurances that your records cannot be used for applications not specified in the contract (for example, to data match with databases owned by other clients of the contractor)
- whether you will be consulted regarding any third party seeking to have access to your records
- how third party access to your records would be managed, for example if required by a government watchdog organisation in the jurisdiction in which the records are stored
- if they have measures such as multiple geographically separated back-up sites in place so that they can do a complete restoration of your records if needed, and how long this would take
- as well as complete restoration of data, how will they go about finding and restoring particular specified records or sets of records and what timeframes will they guarantee for this (for example, if data becomes corrupted)
- when restoring records, whether they can ensure that the structure of records (not just the content) and associated metadata is maintained whether they subcontract part of their service offering to third parties and, if so, what contractual agreements they operate under
- if there are any standards they are certified as meeting
- whether they will guarantee acceptable parameters for service provision in respect to possible disruptions, and what actions they will take in the event of service disruption (for example, do they offer any recompense?)
|Can you confirm that ....|
|1.||you have conducted a risk assessment of keeping and managing information and records and comply with the conditions listed in the General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)?|
|2.||the records to be made and kept in the cloud are not highly sensitive in nature, if so adequate safeguards are in place?|
|3.||ownership of your records remains with your organisation?|
|4.||the services selected for use are adequate for managing information and records?|
|5.||the service provider has offsite back-up and disaster recovery measures in place?|
|6.||the provider will inform you of any software/system migrations that may impact on service or data?|
|7.||a full restoration of your information is possible within a reasonable timeframe in the event of an incident?|
|8.||the provider will return all required records and associated metadata in readable formats to your organisation when requested?|
|9.||the provider will delete information and records upon your instruction, and provide assurance or evidence that they have done so?|
What other resources are there for me to read?
The NSW Government issued the NSW Government Cloud Policy in August 2015. This is a key document which provides guidance to NSW agencies on the use of cloud services.
State Records has a number of resources available to help you to manage the recordkeeping risks associated with cloud computing, including:
- General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)
- Standard on records management
What are others saying about using cloud services?
National Archives of Australia, A checklist for Records Management and the cloud, 2011
Australian Government Cloud Computing Policy, October 2014
Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing the recordkeeping risks associated with cloud computing, July 2010.
Defence Signals Directorate (Commonwealth), Cloud computing security considerations, updated September 2012.
CIO Council and Chief Acquisition Officers Council (USA), Creating effective cloud computing contracts for the Federal Government: best practices for acquiring IT as a service, February 2012.
Published 2013 / Revised April 2014 / Revised February 2015/Revised September 2015