Cloud Computing and Records Management
The National Institute of Standards and Technology (NIST) defines cloud computing as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” At its core, cloud computing can be understood as the acquisition and sharing of computing resources in a way similar to traditional utilities. Typically, service is available on demand and customers pay for the amount of service they use. Usage fees usually cover infrastructure consumption rather than software licensing; licensing fees are negotiated separately. The growing popularity of cloud computing over the past few years is a by-product of the provisioning of IT services over the Internet: it provides access, typically through the Internet, to services traditionally provided and supported in-house.
Cloud computing uses several preexisting technologies such as high-speed Internet, clustering, client-server computing, and large geographically distributed data centers; it is the collection of these services offered together as one package. While adoption by the government sector (federal, state, regional, and local) has progressed more slowly than in the private sector, government entities are increasingly looking to the cloud to be part of the solution for a range of IT needs. “Hybrid IT” is an emerging pattern in which a portion of an organization’s IT services are deployed to a public cloud while core services are retained in-house. Cloud computing allows employees to access content and services regardless of their location or preferred computing device. This mobility is one of many advantages offered by cloud technology. Other commonly cited benefits of using “the cloud” include lower IT operating costs, faster IT implementation, increased productivity, and enhanced security. On the last point, keep in mind that the provider secures the underlying platform while the agency remains responsible for how the service is configured, who is granted access, and what data is placed in it; any security gain therefore depends on the agency’s own practices as much as on the vendor’s.
Essential characteristics of cloud computing include on-demand self-service, broad network access, pooling of resources across multiple users (multi-tenancy), rapid elasticity to respond to increased or decreased demand, and measured service based on pay-per-use. In other words, the service scales to meet changing demand without requiring additional investment in fixed-cost infrastructure by the agency. The service provider bears the brunt of those capital costs and incorporates that structure into its business model. NIST defines three service models for cloud computing: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). This document also treats Data-as-a-Service (DaaS) as a fourth model.
These models are often referred to as “cloud layers” because services are built on top of one another: IaaS is the foundation of all cloud services, PaaS builds upon IaaS, and SaaS builds upon PaaS. The models are summarized below (the SaaS, PaaS, and IaaS rows follow NIST’s description; the DaaS row is not part of NIST’s taxonomy):
Service | Who uses it? | What services are available? | Why Use it? |
---|---|---|---|
DaaS | Business Users | Geographic, financial, and historical data necessary for customer business. | To aid in business decisions. |
SaaS | Business Users | Email, Office Automation, CRM, Website Testing, Wiki, Blog, Virtual Desktop, etc. | To complete business tasks. |
PaaS | Developers and Deployers | Service and application test, development, integration, and deployment. | Create or deploy applications and services for users. |
IaaS | System Managers | Virtual machines, operating systems, message queues, networks, storage, CPU, and memory, backup services. | Create platforms for service and application test, development, integration, and deployment. |
Cloud Service Model Definitions
IaaS: The on-demand infrastructure (a combination of hosting, provisioning, hardware, and basic services) on which a user operates its own systems. The user does not manage the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control over select networking components such as host firewalls. Examples of IaaS offerings include Amazon’s Elastic Compute Cloud (EC2) and Red Hat CloudForms.
PaaS: The capability offered to users to deploy their own applications onto the cloud using the provider’s resources, languages, and tools. The user does not manage or control the underlying infrastructure (network, servers, operating systems, or storage) but does maintain control over the deployed applications. Examples of platforms cited in this document include Facebook, Intuit, Force.com, Rackspace, and SharePoint.
SaaS: Software applications that are owned and managed remotely by the provider and accessible to users through a client, typically a web browser over the Internet. The user controls neither the underlying infrastructure nor the applications themselves, beyond limited user-specific configuration settings. Examples of SaaS applications include web-based email, iCloud, Google Docs, Dropbox, and SurveyMonkey.
The Cloud and Government
State agencies are required to adhere to the Statewide Information Security Manual and other statewide IT policies maintained by the Department of Information Technology (NC DIT). When vetting potential service providers, it is important to keep in mind that vendors of cloud computing services must agree to comply with all Statewide Information Security standards. State agencies must also consider the Session Laws of North Carolina when adopting new tools and services.
Computer systems that are not part of the State of North Carolina computer system but require connectivity to the state network or to agency networks must conform to state and agency security standards. Local governments and agencies should consider both federal and state best practices with regard to cloud computing as they move forward with their implementation of cloud-based solutions. When considering cloud technology, it is important to realize that it is not an all-or-nothing endeavor. Your office may choose to use it for only part of its technology needs. You should evaluate and understand your agency’s operational needs in order to determine whether adopting all or part of a cloud-based solution is feasible. When considering cloud technology, determine what motivates the decision:
- An inability to provide in-house services?
- A need to reduce costs?
- A desire to access content anywhere regardless of location?
- A need to redirect resources from IT infrastructure towards other organizational needs?
- Do you need to consider more than one cloud vendor to meet your business needs?
Cloud applications can be used for a variety of purposes including collaboration, communication, storage, access, or delivery of content.
Records (any Word document, email, text, chat, calendar, database, Excel document, etc.) that are made or received in connection with public business are public records. Transactions of public business conducted through cloud-based services are also public records and must be managed in accordance with records retention schedules. This requires greater attention to an office’s records retention procedures and consideration of how records will be handled in the cloud. If the office is going to offer content through the cloud while also hosting the data in-house, records management may proceed as it traditionally would with locally managed data. However, if the records are managed exclusively in the cloud, careful consideration should be given to the implications of cloud storage for records management. For example, if the contract with the cloud vendor expires or the service is no longer supported by the vendor, you will need to export those records, together with any corresponding metadata (creation dates, authors, audit trails), onto a local system. The transfer must preserve the integrity of the files, and you must be able to demonstrate that the files were transferred accurately and completely; in practice this means recording a checksum for every exported file before the transfer and verifying the received copy against it, rather than relying on a file count. The contract should state up front in what format, with what metadata, and within what time frame the vendor will return your records. The use of cloud applications for storage will shape concerns related to security and confidentiality, ownership, ease of data removal and portability, and disaster recovery.
Regardless of your agency’s intended use for cloud technology, understanding user expectations and whether they are being met by the service provider is critical. Ultimately, your agency should understand the impact of those issues before adopting cloud services or software.
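The export check described above, worked through as an added example (not part of this guidance and not any vendor’s export tool): before the records leave the vendor, build a manifest of SHA-256 checksums for every file, including each record’s metadata sidecar; after the transfer, verify the local copy against that manifest and report what is missing, altered, or unexpected. The directory layout, the `<name>.metadata.json` sidecar convention, and the sample records are assumptions made for the example, and the manifest is assumed to be kept under the agency’s own control rather than inside the export.

```python
"""
Fixity manifest for exporting records out of a cloud service.

Added example, not from the State Archives guidance or any vendor tool.
Assumptions (hypothetical): the export lands in one directory tree, each
record may have a sidecar "<name>.metadata.json" that must travel with it,
and the agency stores the manifest separately so it can be checked later.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large exports (video, databases) need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its SHA-256 and size.
    Metadata sidecars are ordinary files here, so a lost sidecar shows up as missing."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest


def verify_export(manifest: dict, root: Path) -> dict:
    """Compare a received copy against the manifest captured before transfer.

    missing  - in the manifest but absent from the copy (incomplete transfer)
    modified - present but the hash differs (corruption or tampering)
    extra    - present but not in the manifest (unexpected content; investigate)
    """
    found = build_manifest(root)
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    modified = sorted(rel for rel in set(manifest) & set(found)
                      if manifest[rel]["sha256"] != found[rel]["sha256"])
    return {"ok": not (missing or modified or extra),
            "missing": missing, "modified": modified, "extra": extra}


def demo() -> dict:
    """Constructed sample: two records with sidecars, then a flawed transfer that
    loses one sidecar, silently truncates one record, and adds a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "cloud_export", Path(tmp) / "local_copy"
        files = {  # constructed sample records, not real agency data
            "2013/minutes-03-12.docx": b"Board minutes, March 12 (constructed sample)",
            "2013/minutes-03-12.docx.metadata.json": json.dumps(
                {"created": "2013-03-12T09:00:00Z", "author": "clerk"}).encode(),
            "2013/budget.xlsx": b"budget workbook bytes (constructed sample)",
            "2013/budget.xlsx.metadata.json": json.dumps(
                {"created": "2013-01-02T15:30:00Z", "author": "finance"}).encode(),
        }
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)  # captured while records are still at the vendor

        for rel, data in files.items():
            if rel == "2013/budget.xlsx.metadata.json":
                continue  # sidecar lost in transit
            if rel == "2013/minutes-03-12.docx":
                data = data[:10]  # truncated copy: same name, different bytes
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            (dst / rel).write_bytes(data)
        (dst / "2013" / "Thumbs.db").write_bytes(b"stray file")  # unexpected extra
        return verify_export(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, `demo()` reports `ok: false` with one missing sidecar, one modified record, and one extra file. The same `build_manifest` and `verify_export` functions apply unchanged to a real export directory; only the manifest’s storage location (outside the vendor’s control) matters for the check to be meaningful.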
North Carolina State Agency-Specific Compliance Issues
All state agencies in North Carolina must adhere to the Statewide Information Security Manual (SISM). Depending on the operations of the agency, additional standards and statutory requirements may apply, such as the Health Insurance Portability and Accountability Act (HIPAA). Agencies are also required to follow G.S. § 132-1.10, which states that any agency of the State or its political subdivisions, or any agent or employee of a government agency, that experiences a breach of personal information, as defined in Article 2A of Chapter 75 of the General Statutes, shall comply with the requirements of G.S. § 75-65. From a records management standpoint, North Carolina law does not distinguish between records stored in the cloud and records stored on site. However, cloud technology presents new challenges and complicating factors for records retention that must be addressed. It is important to remember that records generated and retained in the cloud remain public records. They are subject to the Functional Schedule and generally subject to public access.
G.S. § 75-65 requires that, following discovery or notification of a breach, notice be given to those affected. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement and “consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”
Any business that maintains or possesses records or data containing personal information of North Carolina residents, or that conducts business in North Carolina and maintains or possesses records or data containing personal information not owned or licensed by the business, shall notify the owner or licensee of the information of any security breach immediately following discovery. Thus, in the event of a security breach at a cloud provider, the provider must notify the agency that owns the data immediately, and the agency must in turn notify affected persons. Because the agency’s notification clock starts when it learns of the breach, the contract should spell out the provider’s notification duty, the required time frame, and a named contact to receive such notices.
Additionally, state agencies should be mindful of Session Law 2012-142, §6A.9.(b), State Private Cloud. The law declares that “the creation of a secure and flexible State private cloud is in the best interest of the people of this state.”
Summary
Despite the complicated issues related to cloud computing, with due diligence and foresight your office can prepare for any challenges. First, understand the obligations and guarantees established in the Service Level Agreement. Second, be prepared to negotiate with a service provider to ensure that the contract fulfills the legal and operational requirements of your agency. This requires knowing the specific requirements and needs of the agency as well as how adoption of cloud solutions can adequately meet those needs. Finally, discuss any decision to use cloud services with other groups in the agency, particularly attorneys and IT, to ensure that legal and technical requirements are met.
Public records produced in the transaction of state business are subject to several North Carolina statutes and executive orders:
- G.S. Chapter 132–the Public Records Law
- G.S. Chapter 121–the Archives and History Act
- G.S. §147-33.89(a)–Business continuity planning
- NCAC 04M .0101–Statement of Purpose of the Archives and Records Section
- Executive Order No. 201, Michael Easley, Office of the Governor, "Executive Order No. 201, Continuity of Operations and Continuity of Government Planning."
- Executive Order No. 18, Bev Perdue, Email Retention and Archiving Policy
As such, regardless of where public records physically reside for storage or access, they are subject to the same criteria. If your office is considering moving records into the cloud (externally hosted infrastructure), this document provides guidance on the issues affected by such a decision. As records creators and custodians, state and local employees must ensure that their records are protected if confidential and accessible in the event of litigation or a public records request.