Putting a Lock on Cloud-Based Information

Increasingly, the records and information management (RIM) professional is expected to work cooperatively with information technology (IT) experts in the selection and implementation of communications-related products and services. Together, records managers and IT professionals can determine the organization’s needs and requirements for these technology tools.

With collaboration comes the opportunity to trim costs and encourage more judicious use of ever-diminishing budget monies. As financial constraints accelerate, all levels of an organization must examine possible areas where dollars can be saved.

Frederick Barnes, J.D.



One specific area drawing increased attention is using the “cloud” for information storage. In layman’s terms, rather than storing data or records on an organization’s internal network, that information is stored on servers generally owned by third-party providers. The servers are in the cloud and accessible on demand. The organization does not own the servers, but continues to retain ownership of its own information.

With this technology, data can be transmitted and stored more economically in a virtual environment. This is in sharp contrast to earlier times, when data transmission was facilitated by transfer to an endpoint using an organization’s hardware (e.g., a fax machine) and some combination of copper wire or fiber optic lines owned by a communications network provider.

Cloud technology accomplishes data transmission via the Internet. Data travels over high-speed broadband communications networks using packet transfer services, such as frame relay and virtual private networks. Many times, providers of conventional telecommunications services may also be an organization’s provider of Internet and cloud services. Indeed, as the technology continues to evolve, major global telecommunications companies not only provide the transmission services into the cloud but, in effect, have become keepers of the cloud itself.

RIM professionals cannot afford to be out of touch with developments in communications services given their ongoing need for data transfer and data storage – both integral components of the practitioner’s toolkit. Lack of technological expertise in these areas can become particularly evident when it is time to develop a crucial request for proposal.

The transition to a virtual RIM environment, where electronic records systems dominate, continues to evolve. The technology is increasingly complex. Before stepping up to the bargaining table, records managers can bring trade-savvy insights to the negotiations and add value to the contribution that RIM delivers to the deal-making process.

Understanding Cloud-Related Issues

For the RIM professional, understanding the cloud’s impact on the organization involves acquiring a cursory knowledge of how the technology works. (See sidebar, “A Primer on Cloud Technology.”) And, specifically, provisioning appropriate cloud services with proper security elements entails knowing which questions should be asked of a potential vendor.

Once the RIM professional is aware of the types of cloud services available, the next and most important consideration involves security. While several of these security concerns are similar, or even identical, to those posed when an organization is managing its own data storage, there are a host of new areas to be addressed.

While security is a function of what the vendor provides in response to the unique needs of an organization, ultimately the organization (or service purchaser) is responsible for ensuring the cloud is secure. This is accomplished by communicating honestly and openly with the vendor. There must be transparency between both parties.

There are at least seven discrete security-related issues the RIM professional, in conjunction with the IT staff, should consider when choosing a cloud vendor:

  1. Privileged user access. Because the vendor is controlling the cloud, the organization should ask for detailed information concerning vendor employees and administrators who have access to the organization’s data. The organization should know the number of vendor employees with data access, as well as their level of training and expertise, degree of authority, and overall responsibility within the vendor setting.
  2. Regulatory compliance. The organization is ultimately responsible for the security and integrity of its own data. Therefore, the organization should insist the cloud vendor will provide for specific external audits and security certifications.
  3. Data location. The organization may not know the physical location of the cloud; indeed, it could often be in another country, far from the organization’s location. Therefore, the organization may want to specify acceptable location(s) whenever possible, and ensure the vendor agrees to commit, by contract, to local privacy requirements.
  4. Data segregation. Many times, the organization’s data and information in the cloud reside alongside other companies’ data. There should be a clear delineation and segregation of that information through any number of encryption techniques. Furthermore, the organization should insist that whatever encryption scheme is utilized, it is designed and tested by experienced specialists.
  5. Recovery. The vendor should offer a specified plan of action to the organization in the event of a disaster. A specific and detailed disaster recovery plan should be in place as part of the agreement between both parties.
  6. Investigative support. Any agreement or contract should include the availability of, and allowance for, a third-party investigation in the event of a specific problem requiring investigation. The agreement should allow specific information to be locked down (i.e., in the event of a legal hold) at the organization’s request; the vendor should not be allowed to destroy or change such information. Access to metadata can confirm the unaltered state of the information.
  7. Long-term viability. The vendor chosen by the organization should have long-term viability and experience in cloud computing. In addition, there should be a specific, contract-based understanding of the consequences should the vendor be involved in a merger, and of the routine, day-to-day functioning of the cloud.

One methodology that might be utilized in evaluating cloud security is what has been termed the “layered approach.” It determines whether the vendor and the organization, acting together, have multiple levels of protection for all data and physical assets. With this methodology, the company is not dependent on a single countermeasure, but relies on multiple defenses at various levels. These levels would include:

Level 1 – physical security: There should be procedures to control, monitor, and protect the physical facility where servers and other required physical equipment are located.

Level 2 – network security: The vendor should have 24-hour trained security and network personnel monitoring and managing network filters, which are placed at various network locations. The competence and skill sets of the personnel managing the network are crucial at this level.

Level 3 – intrusion detection: The vendor should have some form of detection capability located at multiple points within the network to monitor traffic flow into and out of the cloud. The vendor should be queried about the possibility of implementing intrusion detection based upon pre-set parameters negotiated between the organization and the vendor.

Level 4 – firewall management: The organization should provide specific firewall policies unique to its needs. Firewalls can provide an additional level of security into the organization’s specific portion of the cloud.

Level 5 – data encryption: Organizations should maintain encryption techniques within and outside the cloud.

It is important to remember that confidential and sensitive material (e.g., private customer information, business data, intellectual property, trade secrets, or legal documents) will be moving through cyberspace to the cloud. It is vital that the proper and appropriate level of security is provided and maintained by the vendor, per the organization’s requirements and specifications.

Sealing the Deal: Maximizing Vendor Value

The first question the RIM professional (in conjunction with the IT group and any other key decision makers) should ask is, “Should cloud technology be utilized?” As part of the decision-making process, the value proposition should be analyzed for cost, security, performance, availability, business viability, and legal compliance.

If the organization chooses to make the move to cloud technology, cost savings are possible on a number of fronts. There are a variety of benefits associated with the cloud, including:

  • The organization does not need to purchase infrastructure or software. The best and most up-to-date technology can be implemented. The organization does not have to take down and rebuild its IT infrastructure as technology changes and improves. The technology can be acquired from the vendor providing the cloud services.
  • Personnel costs are kept to a minimum, as there is no need to hire employees to maintain and upgrade the infrastructure. With a more static internal IT infrastructure, fewer personnel are needed to manage it.
  • Cloud computing is highly scalable. An organization can maintain the proper level of capacity on an ongoing basis. This is extremely helpful for organizations with variable capacity needs, where there might be peak periods at various times throughout the year. These needs can be scaled accordingly, and more or less capacity and utilization can be purchased as necessary.

Before the contract is signed, vet the communications network vendor’s service offering against the organization’s requirements and needs and consider the following:

  1. Bundling opportunities – what, if any, services are provisioned from the vendor? Will the vendor negotiate pricing if multiple services are purchased from that vendor? For instance, voice communications, data communications, Internet access, managed network services, cloud services, and other types of products and services may be purchased on a single contract. Shop around for the best deal.
  2. How extensive is the vendor’s range of available service offerings? Does the vendor offer automated data replication on a pre-determined schedule? Will the vendor, by agreement, store copies of data in multiple geographic locations?
  3. How financially stable and viable is the vendor? This is particularly important for continuity-of-service issues.
  4. Will the vendor provide customer testimonials so the vendor’s track record can be evaluated?
  5. Double-check the terms of the contract to ensure all security-related issues for cloud-based services are addressed in the agreement. Does the vendor offer experience in defending against distributed denial-of-service attacks? RIM professionals may benefit from consulting with their IT peers regarding appropriate security considerations. Does the vendor provide a service level agreement with 99.9% access reliability?
  6. Are needed boilerplate and/or standard contract clauses included? RIM professionals should work closely with the organization’s legal team to make this determination.
  7. Does the vendor have special considerations of a financial, technical, or legal nature that would need to be included in the contract? Consult the appropriate organizational representatives to develop a comprehensive plan for these types of scenarios.

Communications network services are an area where RIM practitioners can benefit from further knowledge and training. It is one more opportunity to bring added value to the role of the records manager within an organization. By embracing the bigger picture of vendor relations, it may be possible to help the organization secure higher quality cloud-related services in a more cost-efficient manner.


Frederick Barnes, J.D., can be contacted at barnes.frederick@ymail.com.

From July - August 2010