Your SlideShare is downloading. ×
Distributed Computing - Cloud Computing and Other Buzzwords: Implications for Archivists and Records Managers
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Distributed Computing - Cloud Computing and Other Buzzwords: Implications for Archivists and Records Managers


Published on

Discusses some of the implications of the use of cloud and other distributed computing for electronic records management

Discusses some of the implications of the use of cloud and other distributed computing for electronic records management

Published in: Technology

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Crossroads Distributed Computing - Cloud Computing and Other Buzzwords: Implications for Archivists and Records Managers NAGARA Crossroads 2009-3This issue of Crossroads continues a series of white papers on various topics related to electronic records written bymembers of the Committee on Electronic Records and Information Systems (CERIS). This white paper covers thetopic of cloud computing. It was written by Mark Conrad, Archives Specialist, with the National Archives andRecords Administration’s Center for Advanced Systems and Technologies. The views expressed in this documentare the authors. While his perspective has been informed by his work at the National Archives and RecordsAdministration, he does not speak for the institution. All statements, opinions and conjectures are the authors unlessotherwise attributed.CERIS White PaperDistributed Computing - Cloud Computing and Other Buzzwords:Implications for Archivists and Records ManagersCloud computing is a term that is used a great deal these days. Many IT departmentsand resource allocators are considering implementing technology related to this term.Two of the reasons most cited for using cloud services are potential cost savingsbrought about by economies of scale, and the ability to rapidly deploy new applicationsand services.Cloud computing has the potential to have a substantial impact on archival and recordsmanagement programs as well. It would be impossible to provide an exhaustive list, butthis document will explore a few of the possible implications of deployment of cloudcomputing and related technologies for archivists and records managers and theorganizations that they serve.Caveat EmptorThis paper will have a relatively short “shelf life.” To say that cloud computing continuesto evolve is a gross understatement.Define Terms RigorouslyOne of the biggest problems with the term, cloud computing, is that there is noconsensus on exactly what it means. In the August 2009 issue of Communications ofthe ACM, there is an article concerning a roundtable discussion with some of the keyplayers in the development and deployment of cloud computing services. Even amongthis group there was not much consensus on what exactly cloud computing is. One ofthe more interesting quotes from the article comes from Lew Tucker, Chief TechnologyOfficer of cloud computing at Sun Microsystems. He said, “Cloud computing is not somuch a definition of a single term as a trend in service delivery taking place today. It’s1 NAGARA Crossroads 2009-3
  • 2. the movement of application services onto the Internet and the increased use of theInternet to access a variety of services traditionally originating from within a company’sdata center.”1On August 21, 2009 the National Institute of Standards and Technology issued version15 of its, “Draft NIST Working Definition of Cloud Computing.” The document beginswith two interesting caveats: Note 1: Cloud computing is still an evolving paradigm. Its definitions use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time. Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.2If your organization, or an organization that you provide services for, is proposing toimplement cloud computing, it will be very important to make sure that all partiesinvolved – including the potential vendors of the cloud solutions - share the sameunderstanding of what exactly is being proposed. From a records management andarchives point of view it will be very difficult to identify the recordkeeping implications ofimplementing a cloud computing environment without having a clear understanding ofexactly what is being proposed.Pieces of the CloudFor example, the NIST draft definition identifies:Five Essential Characteristics of Cloud Computing:On-demand self-service – A person or organization can procure computer services suchas additional computing resources, server time, or network storage at any time withouthaving to communicate directly with people who provide the services.Broad network access – The services should be available over the network (often theInternet) using standardized tools that allow the user to access them from their officecomputer, laptop, personal digital assistant, or mobile phone.Resource pooling – In a typical organization most of the computational resources of thatorganization sit idle for long periods of time or are not used at their full capacity. One ofthe advantages of cloud computing is the ability to repurpose or reconfigure theavailable computing resources on-the-fly. This enables rapid response to the changingcomputing needs of the consumers of computing services. It also facilitates much moreefficient use of computing resources by quickly repurposing the resources for othertasks once the current tasks have been completed. This allows organizations to operatetheir computing resources at or near their capacity much of the time.1 Creeger, “CTO roundtable,” 52.2 Mell and Grance, “Draft NIST Working Definition of Cloud Computing, version 15,” 1-2.2 NAGARA Crossroads 2009-3
  • 3. Rapid elasticity – The consumer should have the ability to rapidly (often automatically)increase or decrease the computing resources needed to carry out their work.Measured Service – The cloud computing services are designed so that units of costcan be established, measured, and billed. For example a cloud service vendor mightcharge a fee based on the number of bytes of data an organization stores on theirstorage system each month, the number of users from a particular organization that usethe vendor’s service, the number of computing cycles used, or the amount of bandwidthconsumed.Three Service Models for Cloud Computing:Cloud Software as a Service (SaaS) – Under this service model, the end-user isprovided with access to the vendor’s software applications over a network. Someexamples of this type of service would be vendor-provided, web-based e-mail and word-processing, and spreadsheet applications that the end-user accesses over the Internet.Cloud Platform as a Service (PaaS) – In this case the end-user organization deploystheir own applications on the vendor’s computing resources. The vendor usually limitsthe programming languages, operating systems, etc., that they will support in order tohost these applications. For example, an organization might develop or acquire a newenterprise-wide database application. Rather than purchase all of the necessaryservers, networks, storage, etc., the organization may decide to deploy the newapplication on the computing resources of a cloud computing vendor.Cloud Infrastructure as a Service (IaaS) – Under this service model the end-userorganization is provided access to the vendor’s underlying computing resources and isgiven much wider latitude in terms of what applications, operating systems, etc., theend-user can use on the vendor’s computing resources. Essentially the end-user isoutsourcing the majority of their IT infrastructure while maintaining their prerogatives asto what applications, operating systems, etc., they deploy on that infrastructure.Four Deployment Models for Cloud Computing:Private cloud - The cloud infrastructure is operated solely for one organization. Thatinfrastructure may be on premise or off premise. The organization or a third party mayprovide the infrastructure.Community cloud – The cloud infrastructure is operated for several organizations withsimilar requirements for particular cloud services. It may be managed by theorganizations or a third party and may exist on premise or off premise.Public cloud – The cloud infrastructure is made available to the general public or a largesegment of the public and is owned by an organization selling cloud services.Hybrid cloud – The cloud infrastructure is a combination of the other deployment modelsthat operates as a single cloud infrastructure.Getting on the Same PageGiven the many possible ways an organization could use cloud computing services, it isimportant to ensure that all stakeholders are involved in the decision-making process.3 NAGARA Crossroads 2009-3
  • 4. Archivists and records managers should be among those stakeholders. In fact, many ofthe issues that would be concerns for records managers and archivists could serve asthe basis for reaching consensus among all of the stakeholders as to exactly how theorganization is going to use cloud computing services.Listed below are a few issues that archivists and records managers might want toconsider if their organization is considering using cloud computing services. This is byno means an exhaustive list.Scope – What organizational information will be stored, processed, accessed throughthe cloud? Will restricted data (personally identifiable information, trade secrets, lawenforcement information, etc.) be stored, processed, and/or accessed through thecloud?Retention – Cloud computing services often create multiple copies of the data that theystore for an organization on geographically-dispersed computing resources in order toensure that no data is lost and that it is constantly available to the end-user. It would beimportant to know how the vendor would ensure the destruction of all copies of recordsthat had reached the end of their retention period.Location – Cloud computing is often implemented in such a way that the end-user hasno idea where their information is stored or processed. Some cloud service providerswill let you place broad limits on where your data will be stored (e.g., in the continentalUnited States, in a particular state, etc.) If your organization is contemplating placingdata in a cloud that must be maintained within jurisdictional boundaries it will beimportant to establish that as a requirement before you procure services and ensurethat it is included in the contract with the vendor.Legal/Policy Compliance – The issues surrounding the ability of cloud services –especially public/community cloud services - to comply with the rules, regulations, lawsand policies that govern the management of an organization’s information are oftencited as one of the most significant barriers to wide-spread adoption of cloud computingby government entities and highly-regulated organizations. Vivek Kundra, the U.S. ChiefInformation Officer, in announcing the launch of, indicated that, “we will needto address various issues related to security, privacy, information management andprocurement to expand our cloud computing services.”3 Debra Logan, an enterprisecontent management analyst at Gartner, Inc., has indicated security, privacy, andcompliance concerns will prevent many highly-regulated industries and globalorganizations from adopting cloud services through 2012.4Analysts have listed a number of compliance issues that they believe most public cloudservices cannot meet at the time this paper was written. For example, at the October2009 Gartner Symposium IT/Expo, a Gartner analyst indicated that he did not believethat public cloud services were appropriate at that time for credit card information thatwould be covered by the Payment Card Industry (PCI) security requirements.5 Some ofthe other requirements that are frequently cited include:3 Kundra, “Streaming at 1:00: In the Cloud | The White House.”4 Tucci, “Addressing compliance requirements in cloud computing contracts.”5 Messmer, “Gartner on cloud security: Our nightmare scenario is here now.”4 NAGARA Crossroads 2009-3
  • 5. The Health Insurance Portability and Accountability Act (HIPAA) The Sarbanes-Oxley Act of 2002 The Federal Information Security Management Act of 2002 (FISMA)E-Discovery – If your organization is involved in an e-discovery exercise you will haveto be able to locate relevant information throughout your organization quickly. You alsohave to be able to place litigation holds on all responsive information subject todestruction under existing records schedules. How do you ensure that you can complywith an e-discovery order if some or all of your information is stored in a cloud? CarynWojcik outlined many of the questions that a records management program must beprepared to answer when confronted with a discovery order in a previous CERIS whitepaper.6 That paper also cites a list of potential questions that Caryn developed thatcould be asked of information technology departments as part of a legal discoveryprocess. These same questions would be good to ask any potential vendor of cloudservices.Interoperability – Because the information stored in many information systems willneed to be kept and used long after the system has become obsolete, it is important toconsider an exit strategy at the same time that an organization considers thedeployment of any new information technology. Cloud computing services are nodifferent. It is important to ensure that your information is not trapped in a proprietarysystem in a manner that will require considerable expense or effort to remove it fromthat system and move it to another system.Several groups are attempting to address this issue. The Open Grid Forum( is working on the Open Cloud Computing Interface. The DistributedManagement Task Force (DMTF) has formed the Open Cloud Standards Incubator( The Open Cloud Consortium( is working on a standard that would create anintermediary format that would make it easier to migrate distributed data andapplications across cloud platforms.7 There are other efforts underway as well. Manyvendors and other interested parties have indicated their support for the Open CloudManifesto ( Given the large number of cloudinteroperability initiatives underway it is hard to predict if one or more of these initiativeswill emerge as de facto standards in the near term.Security – Currently there is a debate taking place as to whether or not cloud servicesprovide more or less security than “traditional” IT infrastructure. Bob Gourleysummarizes some of the arguments on both sides in his white paper for the NationalSecurity Council and the Homeland Security Council: Security typically improves due to centralization of data, increased security- focused resources, increased ability to patch and upgrade, increased ability to monitor, increased ability to encrypt and many other reasons. However, there are6 Wojcik, “Discovery: How the Legal Process Can Impact Records ManagementProfessionals,” 2-3.7 Lawton, “Addressing the Challenge of Cloud-Computing Interoperability.”5 NAGARA Crossroads 2009-3
  • 6. concerns about loss of control over certain sensitive data. When designed in at the beginning, security of cloud architectures is significantly higher than non- cloud approaches. Enterprises requiring significantly enhanced security should consider private clouds, where the data center is controlled by the enterprise vice outsourced. 8The Jericho Forum ( and the Cloud Security Alliance( are just two organizations that are looking at how toaddress security issues related to cloud computing.Getting StartedNon-sensitive informationMany organizations at all levels of government are beginning to procure and use cloudcomputing services. Often these organizations undertake their first foray into cloudcomputing with a project using non-sensitive information.Private CloudMany organizations that want to put sensitive information in a cloud are opting for aprivate cloud. Under this deployment model the cloud services are only made availableto a single organization – often in the organization’s data center. This approach allowsthe organization to better utilize its computing resources and at the same time maintaina greater measure of control over its information.Pilot ProjectIn an effort to entice organizations to use their services, some vendors are lettingpotential customers try their services for free for a limited period of time (e.g., 30 days).This is a relatively risk-free way of trying cloud computing services.Community CloudSome organizations are planning and implementing clouds for a consortium of similarorganizations that have similar requirements. For example, the State of Utah is planningto offer e-mail and other web-based applications to cities and counties throughout thestate.9 Similarly, the State of Michigan is developing cloud services for state agencies,cities, counties, and schools across Michigan.10 At least one major vendor of cloudcomputing services has announced that they will provide a government cloud – aseparate infrastructure for just government agencies.11AuditsMany providers of cloud services are now furnishing their clients with Statement onAuditing Standards (SAS) No. 70 Service Auditors Reports. SAS No. 70 is an auditingstandard developed by the American Institute of Certified Public Accountants. A SAS 708 Gourley, “Cloud Computing and Cyber Defense,” 4.9 Towns, “Utah Plans Private Cloud for Local Agencies.”10 Towns, “Michigan Plans New Data Center and Government Cloud.”11 Williams, “Q&A: Former Executive Steve Cakebread Sees Big Move to Cloud forGovernment.”6 NAGARA Crossroads 2009-3
  • 7. Audit Report indicates that a vendor has had an audit conducted to demonstrate thatthey have adequate controls and safeguards when they host or process data belongingto their customers. There are two types of Service Auditors Reports – Type 1 and Type2. Type 2 reports are the more thorough of the two types of reports. Type 2 reportsrequire an auditor to monitor a vendor’s systems and controls over a minimum of a sixmonth period.12 Such audit reports should not be used as a substitute for due diligence.ConclusionMany analysts say that it is not a matter of if, but when, cloud computing services will beused by most organizations. When your organization or an organization you servecontemplates deploying cloud computing services, it will be important to make sure thatissues like those raised in this document are addressed upfront. Cloud computingservices will continue to evolve over the near term. It will be important to continuallymonitor new developments in this area. Because of the complex nature of both thetechnology and policy implications of cloud computing it will be important for archivistsand records managers to work in concert with other stakeholders in addressing thesedevelopments.References“About SAS 70.” About SAS 70., Mache. “CTO roundtable: cloud computing.” Communications of the ACM 52, no. 8 (2009): 56, 50.Gourley, Bob. “Cloud Computing and Cyber Defense,” March 21, 2009. d_Cyber_Defense_21_Mar_2009.pdf.Kundra, Vivek. “Streaming at 1:00: In the Cloud | The White House.” White House Blog, September 15, 2009. cloud/.Lawton, George. “Addressing the Challenge of Cloud-Computing Interoperability.” IEEE. Computing Now | News | September 2009 | ., Peter, and Tim Grance. “Draft NIST Working Definition of Cloud Computing, version 15.” National Institute of Standards and Technology, October 7, 2009., Ellen. “Gartner on cloud security: Our nightmare scenario is here now.” TechWorld, October 22, 2009. re_scenario_here_now.Towns, Steve. “Michigan Plans New Data Center and Government Cloud.” Government Technology. “Utah Plans Private Cloud for Local Agencies.” Government Technology, August 24, 2009. “About SAS 70.”7 NAGARA Crossroads 2009-3
  • 8. Tucci, Linda. “Addressing compliance requirements in cloud computing contracts.”, June 11, 2009.,289142,sid182_gci1359026,00.htm l.Williams, Matt. “Q&A: Former Executive Steve Cakebread Sees Big Move to Cloud for Government.” Government Technology, October 29, 2009., Caryn. “Discovery: How the Legal Process Can Impact Records Management Professionals.” Crossroads 2009, no. 1. CERIS White Papers. Further Reading:Defining Cloud ComputingArmbrust, Michael, Armando Fox, Rean Griffith, Anthony Joseph, Randy Katz, Andy Konwinski, Gunho Lee, et al. Above the Clouds: A Berkeley View of Cloud Computing, February 10, 2009., Jon. “FAQ: Cloud computing, demystified: What is cloud computing, and can it be trusted? Key questions answered,” May 18, 2009., Rajkumar, Chee Yeo, and Srikumar Venugopal. “Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities.” In HPCC 08: Proceedings of the 2008 10th IEEE International Conference on High Performance Computing and Communications, 13, 5. IEEE Computer Society, 2008., Mache. “CTO roundtable: cloud computing.” Communications of the ACM 52, no. 8 (2009): 56, 50.Foster, I, Yong Zhao, I Raicu, and S Lu. “Cloud Computing and Grid Computing 360- Degree Compared.” In Grid Computing Environments Workshop, 2008. GCE 08, 10, 1, 2008., Paul, Jimmy Lin, Justin Grimes, and Shannon Simmons. “Where is the cloud? Geography, economics, environment, and jurisdiction in cloud computing.” First Monday 14, no. 5 (2009)., Peter, and Tim Grance. “Draft NIST Working Definition of Cloud Computing, version 15.” National Institute of Standards and Technology, October 7, 2009., N. “Is Cloud Computing Really Ready for Prime Time?.” Computer 42, no. 1 (2009): 15-20.8 NAGARA Crossroads 2009-3
  • 9. Vaquero, Luis, Luis Merino, Juan Caceres, and Maik Lindner. “A break in the clouds: towards a cloud definition.” ACM SIGCOMM Computer Communication Review 39, no. 1 (2009): 55, 50.Viega, J. “Cloud Computing and the Common Man.” Computer 42, no. 8 (2009): 106- 108.Getting Started“17 Steps to Cloud Migration -- Washington Technology.” cloud.aspx.Schultz, Beth. “How to buy cloud computing services: Five key questions to ask any prospective cloud provider .”, May 18, 2009., Vladimir, and Christian Schröpfer. “Negotiating and Enforcing QoS and SLAs in Grid and Cloud Computing.” In Advances in Grid and Pervasive Computing, 25-35, 2009., D, E Ludvigson, K Sankar, S Diamond, and M Morrow. “Blueprint for the Intercloud - Protocols and Formats for Cloud Computing Interoperability.” In Internet and Web Applications and Services, 2009. ICIW 09. Fourth International Conference on, 336, 328, 2009., George. “Addressing the Challenge of Cloud-Computing Interoperability.” IEEE. Computing Now | News | September 2009 | ., Michael R. “Building an Open Cloud.” Science 324, no. 5935 (June 26, 2009): 1656-1657.SecurityCloud Security Alliance. “Security Guidance for Critical Areas of Focus in Cloud Computing,” April 2009.“cloud_cube_model_v1.0.” Jericho Forum, April 2009., F. “Staring at Clouds.” Internet Computing, IEEE 13, no. 3 (2009): 4-6.Everett, Catherine. “Cloud computing - A question of trust.” Computer Fraud & Security 2009, no. 6 (June 2009): 5-7.Gourley, Bob. “Cloud Computing and Cyber Defense,” March 21, 2009. d_Cyber_Defense_21_Mar_2009.pdf.9 NAGARA Crossroads 2009-3
  • 10. Kaufman, Lori. “Data Security in the World of Cloud Computing.” IEEE Security & Privacy Magazine 7, no. 4 (July 2009): 64, 61.Messmer, Ellen. “Gartner on cloud security: Our nightmare scenario is here now.” TechWorld, October 22, 2009. re_scenario_here_now.National Institute of Standards and Technology. “Recommended Security Controls for Federal Information Systems and Organizations,” August 2009., Alexandros, and Gerard Briscoe. “Community Cloud Computing” (2009)., Sarah. “Forget Google and Amazon, the DoD Shows Off What a Real Cloud Platform Can Do.” ReadWriteWeb, October 7, 2009. ows_off_what_a_real_cloud_platform_can_do.php.---. “Gartner: Vetting security of third-party partners in five steps.” SearchCIO-, May 6, 2009. http://searchcio-,289142,sid183_gci1355739,00.html.Government Implementations“GSA Outlines U.S. Governments Cloud Computing Requirements -- Cloud Computing -- InformationWeek.” saas/showArticle.jhtml?articleID=218900541.Sarno, David. “Los Angeles adopts Google e-mail system for 30,000 city employees | Technology | Los Angeles Times.” Los Angeles Times, October 27, 2009. google-email-system-for-30000-city-employees.html.“The White House - Blog Post - Streaming at 1:00: In the Cloud.”, Steve. “Federal Web Portal Moves to Cloud Computing Platform.” Government Technology, May 1, 2009. “Michigan Plans New Data Center and Government Cloud.” Government Technology. “Utah Plans Private Cloud for Local Agencies.” Government Technology, August 24, 2009.“White House unveils cloud computing initiative | Geek Gestalt - CNET News.”, Matt. “Feds Launch Cloud Storefront for Purchasing.” Government Technology, September 15, 2009. NAGARA Crossroads 2009-3
  • 11. ---. “Q&A: Former Executive Steve Cakebread Sees Big Move to Cloud for Government.” Government Technology, October 29, 2009., Alexander. “Gartner and CA on addressing compliance requirements in cloud computing.” IT Compliance Advisor, June 11, 2009. addressing-compliance-requirements-in-cloud-computing/.Joint, Andrew, Edwin Baker, and Edward Eccles. “Hey, you, get off of that cloud?.” Computer Law & Security Review 25, no. 3 (2009): 270-274.Navetta, David. “Legal Implications of Cloud Computing — Part One (the Basics and Framing the Issues).” - Technology, Privacy and Security Law & Risk Management » Blog Archive », September 18, 2009. part-one-the-basics-and-framing-the-issues/.---. “PCI Service Provider Contracting.” - Technology, Privacy and Security Law & Risk Management » Blog Archive » , June 11, 2009., Siani. “Taking account of privacy when designing cloud computing services.” In CLOUD 09: Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing, 52, 44. IEEE Computer Society, 2009., Linda. “Addressing compliance requirements in cloud computing contracts.”, June 11, 2009.,289142,sid182_gci1359026,00.htm l#.Watkins, John. “Cloud Computing - The Legal Issues Are Somewhat Cloudy in the Cloud.” Ezine@rticles. Issues-Are-Somewhat-Cloudy-in-the-Cloud&id=2532393.All hyperlinks in this issue were valid as of the date of publication.Issues of Crossroads are available on the NAGARA Web site at in Portable Document Format(PDF) for downloading and easy printing.Crossroads is sponsored by the NAGARA Committee on Electronic Records and Information Systems (CERIS).CERIS members include LaDonna Wagers (Chair), State Library and Archives of Florida; Glenn McAninch (ViceChair), Kentucky Department of Libraries & Archives; Mark Conrad, National Archives and Records Commission;Cindy Bendroth, Pennsylvania Historical and Museum Commission; Scott Leonard, Kansas State Historical SocietyCaryn Wojcik, State Archives of Michigan; and Patty Davis, Ohio Historical Society.Crossroads is edited by LaDonna Wagers, State Library and Archives of Florida, 500 S. Bronough Street, MailStation 9A, Tallahassee, Florida 32399, 850-245-6777, NAGARA Crossroads 2009-3