Slide1
Outsourcing to the cloud: Caveat emptor or caveat venditor
Corinne Rogers
University of British Columbia
XVI Congrés d’Arxivistica de Catalunya
Associació d’Arxivers-Gestors de Documents de Catalunya
May 4-6, 2017
Reus, Catalonia, Spain
Slide2
Agenda
Introduce InterPARES
IP1, IP2, IP3, InterPARES Trust
Discuss pros and cons of cloud computing for recordkeeping
“the cloud” in 2017: status, benefits, challenges
Present several tools for evaluating cloud services from the perspective of archival theory
Coping with retention & disposition in the cloud
Evaluating CSP contracts
Slide3
InterPARES – 4 phases to date
InterPARES 1 (1998-2001) www.interpares.org
Researched issues pertaining to digital records in databases and office management systems in the course of administrative activity
Focused on developing theory and methods to ensure preservation of authenticity
Studied records from the perspective of the records preserver
Slide4
InterPARES – 4 phases to date
InterPARES 2 (2002-2007) www.interpares.org
Researched issues pertaining to digital records in dynamic and interactive systems in artistic, scientific, and government activity
Examined issues of authenticity, reliability, and accuracy over the lifecycle
Studied records from the perspective of the records creator
Slide5
Benchmark Requirements supporting the presumption of authenticity
Slide6
Baseline Requirements supporting the production of authentic copies
Slide7
Products
Creator & Preserver Guidelines
http://www.interpares.org/ip2/ip2_products.cfm
Slide8
Guidelines translated
Catalan
French
Portuguese
Spanish
Slide9
InterPARES – 4 phases to date
InterPARES 3 (2007-2012) www.interpares.org
Put theory into practice in archives / records units in organizations with limited financial or human resources
Applied and tested the findings of InterPARES 1 and 2 to implement sound programs supporting the creation and preservation of digital records that could be shown to be authentic, reliable, accurate
Slide10
Impact
Legislation: Italy, China
Standards: DOD 5015.2 (2007), MoReq 2 (2008), OAIS (2009), CGSB 72.34 (2017)
Policies & procedures: all participating countries, public/private sector
Curriculum for continuing education, university training: ICA Education Modules for Digital Preservation (2012 with translation to Chinese, Spanish, Arabic); Digital Diplomatics and Digital Records Forensics (2013-present, UBC)
Slide11
InterPARES Trust (2013-2018)
www.interparestrust.org
Purpose:
To generate theoretical & methodological frameworks to support development of integrated & consistent local, national, & international networks of policies, procedures, regulations, standards, & legislation for digital records in online, networked environments, in order to
Ensure public trust grounded on evidence of good governance, strong digital economy, & persistent digital memory
Slide12
Research structure
Studies are focused in 5 research domains and 5 research cross-domains:
Access
Control
Security
Infrastructure
Legal issues
Policy
Social issues
Terminology
Resources
Education
Slide13
Research structure
InterPARES Trust is a research partnership led by UBC:
National libraries and archives
Government departments: national, regional, municipal
Academic departments
International organizations
Private industry
Not-for-profit consortia
Slide14
Research structure
Partners are organized in regional teams spanning 6 continents
North American Team
Latin American Team
European Team
Asian Team
African Team
Australasian Team
Transnational Team
Slide15
What are we researching?
What is the impact of always-on, networked communications technologies and cloud computing services on records management & recordkeeping, maintaining trustworthy records & supporting client/citizen perception of trustworthiness of records?
Slide16
Goals
To discover how current policies and practices regarding the handling of digital records in online environments by institutions and professionals affect public trust
In other words, what are records professionals doing to maintain trustworthy records?
Slide17
Goals
To anticipate problems in maintaining trust in digital records under the control of entities currently suffering a waning level of confidence from the public
In other words, what is the public’s perception of the trustworthiness of institutional records?
Slide18
Goals
To establish what significance national or cultural contexts have with regard to the level of trust in digital records online
To develop model policies, procedures, guidelines, standards, & functional requirements for creating, managing, accessing, storing, preserving trustworthy records online
To test these instruments in a variety of contexts
Slide19
Why is this research necessary?
“Cloud-first strategies are the foundation for staying relevant in a fast-paced world” Gartner, 2015
“Enterprise adoption of the cloud has truly moved into the mainstream, with 68% currently using public or private cloud… a 61% increase over last year…” IDC, 2016
“The greater the level of cloud adoption, the higher the level of business benefits achieved” IDC, 2016
“On average, per application deployed on cloud, organizations studied are achieving $3 million in additional revenue… [and] $1 million in cost reduction…” IDC, 2016
Enticing, but…
Slide20
What is ‘the cloud’?
“There is no cloud. It’s just someone else’s computer.” (Popular)
True?
“…if you’re saying that, the joke is on you, because it means you don’t understand what the cloud actually is.” (Branscombe, 2017)
Slide21
Cloud computing: NIST
“A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Delivered in one or a combination of deployment models: public, private, community, hybrid
Three main service models: SaaS, PaaS, IaaS
Slide22
NIST interpreted
“The simplest definition of cloud is a data centre that’s full of identical hardware … [in which] every deployment, update, investigation, and management process is automated.”
Branscombe, 2017
Slide23
Challenges
Most challenges discussed represent present concerns with current data (data-centric thinking):
Is data secure from alteration or interference?
Can personal privacy be protected?
Can regulations and laws be observed in the face of cross-jurisdictional data transfer?
What guarantees of continuity of service exist?
How will data breaches be handled?
Slide24
Chain of custody
We keep records (sometimes over long periods of time) as evidence of activity, and as memory of action, & to prove accountability – we must trust them
In archival terms, we trust records based on proof of records’ authenticity, reliability, & accuracy
In legal terms, trust is expressed through rules of admissibility of documentary evidence (common law systems)
Demonstrable chain of responsible custody is key to both
Slide25
Challenges
Recordkeeping challenges look beyond the immediate present, reaching into the past, and projecting into the future (record-centric thinking)
Can context of records be protected?
Can provenance be demonstrated?
Can retention & disposition be carried out?
Can access and usability be assured over time?
Can intellectual rights be respected?
Slide26
Trust
N. 1. Confidence of one party in another, based on alignment of value systems with respect to specific actions or benefits, and involving a relationship of voluntary vulnerability, dependence, and reliance, based on risk assessment.
V. 2. To have confidence in another party with respect to specific actions or benefits
Trust is subjective, existing on a continuum from trust to skepticism
Slide27
Trust framework
Slide28
Trustworthy records systems
These records requirements depend on trustworthy, controlled systems
Do cloud services meet the standard of trustworthy records systems?
Slide29
Trustworthy records systems: Managing records wherever they are
Whether managing records in a paper-based in-house system, or managing any valued organizational asset, a management framework consists of:
Laws & policies establishing accountability
Standards & practices for management
Systems & technologies for implementation
People
Organizational structure
Awareness & continuing education
Managing Records of Citizen Engagement Initiatives: A Primer
https://interparestrust.org/assets/public/dissemination/EU08_IaaS_Checklistv1.2_.pdf
Slide30
Hierarchy of contexts
Juridical/Administrative
Provenancial
Procedural
Documentary
Technological
Slide31
Holistic view of considerations for adopting cloud services
Managerial, including Records Management
Economic
Legal
Security
Technical
Records in the Cloud – Switzerland (2016) https://interparestrust.org/assets/public/dissemination/RiCSwitzerland_rapport_final_complet.pdf
Slide32
Cloud maturity
Ad hoc
Opportunistic
Repeatable
Managed
Optimized
IDC, 2016
Slide33
Tools for evaluation
Regardless of the degree of cloud adoption, there are tools to evaluate the benefits and risks from the perspective of recordkeeping based on archival science
Checklist for evaluating cloud service provider contracts
Checklist for evaluating retention & disposition capacity
Slide34
CSP contracts as instruments of trust: Purpose & Research question
To explore the contract – specifically the contract between a client and a cloud service provider – as a tool for building trust
How effectively do cloud service contracts meet the needs of records managers, archivists, and information governance professionals?
Slide35
Selected contracts
No marketing material
Boilerplate contracts & documents
Terms of Service (ToS)
Service Level Agreements (SLA)
Privacy policies, Acceptable Use policies, Security terms
Jurisdiction
Canada, United States, Europe
Amazon.com (USA); Bluelock (USA); Dropbox (USA); Egnyte (USA); GoGrid (USA); Google (USA); ProfitBricks (USA); Rackspace (USA); CityNetwork (Sweden); SAP (Belgium); Pathway Communications (Canada)
Slide36
Contracts review
Findings:
Several legal documents exist
Terms of Service
Service Level Agreements
Privacy Policies
Acceptable Use Policies
Little standardization of terms
“Often incomprehensible to majority of users”
Wide-ranging exclusions of liability favor the providers
Terms may change
Slide37
Related work
Recordkeeping Standards, Cloud Computing Contract Standards, and related articles
Public Records Office of Victoria (2012)
European Commission subgroup on service level agreements (established 2013)
ISO/IEC 19086 (2016) SLA Standardization Guidelines
Slide38
CSP contracts in the courts
Case Law and Related Articles
Relatively few cases decided, but several legal tenets involved
Complexity results from jurisdictional and industry differences
Contract law
Privacy and access
Confidentiality and security of data
Data jurisdiction and conflict of laws
Slide39
Comparative Analysis
Regardless of jurisdiction, sector, or industry, common risks to records exist:
Unauthorized access
Privacy breach
Loss of access, control
Lack of transparency of service
Lack of ability to negotiate service
Location ambiguity
Contract ambiguity
Slide40
Specific Considerations
Data ownership
Availability, retrieval and use
Data storage and preservation
Data retention and disposition
Security, confidentiality, privacy
Data location and cross-border data flow
End of service; contract termination
Slide41
The Checklist - sections
Agreement
Data Ownership and Use
Availability, Retrieval, and Use
Data Storage and Preservation
Data Retention and Disposition
Security, Confidentiality, and Privacy
Data Localization and Cross-border Data Flows
End of Service; Contract Termination
Slide42
The Checklist
Slide43
Integration & Review
Integrated with NA03: Standards of Practice
Integrated with NA06: Retention & Disposition checklist
Released for comments in fall 2015
Presented at ICA in Reykjavik, Iceland
Tested in several venues including the International Federation of Red Cross and Red Crescent Societies
Slide44
Resources
Cloud Service Contracts: An Issue of Trust, Canadian Journal of Library and Information Science (CJLIS): Special Issue on Data, Records and Archives in the Cloud, June 2015
https://interparestrust.org /Dissemination
Annotated bibliography
Checklist
Final Report
Slide45
Retention & disposition checklist
How does the use of cloud services affect retention & disposition of records in accordance with the law and other applicable guidelines?
Study carried out as part of InterPARES Trust by researchers from San Jose State University (California), British Columbia Government Records Service, archivists & records managers from Universities of BC and Victoria
Slide46
Findings
Survey of members of ARMA International: 168 respondents
62% worked in government
60% used some aspect of cloud computing
92% confirmed their organization has a retention policy
50% confirmed that the policy applied to records in cloud storage
69% said that vendor terms and conditions were not consistent with their policies, or they did not know
81% said dispositions on cloud content had not yet been performed, or they did not know
Slide47
Internal & external obstacles
External factors are risk related, or imposed
Internal factors reveal level of cloud maturity knowledge
Differences in IT and RIM culture
Decisions often cost-driven, or made solely by IT department
Lack of knowledge about cloud computing
Slide48
Retention & disposition: questions for evaluation of service
Privacy and security
Establishing disposition authorities
Applying disposition authorities
Executing disposition authorities
Documenting disposal actions
Reviewing disposition
System integration
Slide49
More resources for decision-making
Ensuring Trust in IaaS at https://interparestrust.org/assets/public/dissemination/EU08_IaaS_Checklistv1.2_.pdf
Slide50
Who is responsible? Caveat emptor, or caveat venditor?
Should you outsource IT to the cloud?
Guidance from IDC, 2016
“Simply adopting cloud is not enough; you should increase your cloud maturity level”
“Go with a provider you trust”
Slide51
Who is responsible? Caveat emptor, or caveat venditor?
Selected tools to help, InterPARES Trust, 2017
Checklist for ensuring trust in SaaS (EN, SP)
Checklist for comparative analysis of governmental e-services
Checklist for single sign-on systems
Economic models for cloud storage decision-making
Archival standard of practice
Functional requirements for retention & disposition in cloud
Managing records of citizen engagement initiatives: a primer
Checklist for evaluating cloud contracts (EN, AP, FR, NL)
Slide52
Tag cloud by Ashashyou (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
www.interparestrust.org
www.interparestrust.com
corinne.rogers@ubc.ca