05 January 2017

Seven Risks in the Beneficent Cloud



Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th annual educational conference on electronic records management, in Chicago, May 8-10.

User beware: amid the security and budgetary advantages of the Cloud, risks lurk, ready to sabotage the unprepared or unsuspecting.  Make sure you are not caught unaware.

Records Management in the Cloud cries for Information Governance (IG).  It requires input, energy, and synergy from the organization’s Records, technology, and Legal groups.  Each has necessary skills, perspectives and insights beyond the scope of any one of these disciplines.

Theoretically, you can manage information in the Cloud with the same care and quality of locally stored records.  But there are complications that may not appear with local storage.  Addressing those requires teamwork from those three major constituents of IG.  Cloud-based storage is an important option, so it’s worth considering the safety, integrity, availability, and other critical aspects of your information stored there. 
   
Here’s the plus side: Cloud providers generally secure information better than local IT departments can.  Disaster recovery/business continuity should be better as well.
 
Also, economic advantages come from “elasticity”, that is, you only buy what you need.  If the need for online storage varies by the season or by the year, you can pay for Cloud storage when you need it, and conversely, you pay less when your needs diminish.  Contrast that with storage inside the firewall: you buy enough to cover your maximum use, but you still have paid for that maximum capacity even when your need is less.  If I were a seasonal retailer, doing most of my business during three months of the year, there is no way I would want to have that much capacity sitting idle inside the firewall for the other nine months.

But there are dangers.  These include:
1.       Discovery in a legal matter: Can legal holds be applied to Cloud-stored information, or does it have to be retrieved before it can be held for legal purposes?  When needed for litigation, can the servers and networks quickly deliver large quantities of data?
2.       Compliance:  Owners and custodians of information are responsible for complying with applicable laws and regulations.  When information that proves compliance is in the Cloud, is it accessible quickly and accurately?  Can the organization that owns the information (and is legally liable) easily audit the Cloud provider for compliance with laws and regulations? 
3.       Control:  Cloud providers may treat most or all information the same, but this is a problem if some records have geographical restrictions.  The Cloud user must know where the provider’s servers and pipelines are.  For example, Europe’s Safe Harbor provisions place limits on where information can be stored or transported. 
4.       Information disposal:  At the end of the information lifecycle, do Cloud users have to retrieve their records for subsequent disposal, or can the vendor provide reliable disposal?  And when the user retrieves information, is it really removed from the Cloud servers or simply deleted and/or overwritten?  When the Cloud provider disposes information, are the data and metadata truly irretrievable, or do vestiges remain, waiting to be subpoenaed and discovered?
5.       Long-term viability: For information with a retention period of over five years, backward compatibility of hardware and software can be an issue.  In the long run, will neglected updates make information files obsolete?  Does pixel-loss threaten to corrupt the files, or are the files protected?
6.       Longevity: Cloud vendors start with the best of intentions, but what happens when there are mergers, acquisitions, and divestitures?  What happens if a Cloud provider goes bankrupt, changes its business model, or gets out of the Cloud business entirely?  What then happens to the stored information?
7.       Derelict records:  Does your records management ensure that your organization does not keep paying for storage of outdated records?  Does the provider deliver the inventory and upcoming destruction dates monthly?

Again, the best answer to these dangers is a good coalition of information governors.  Records managers need savvy contract attorneys to write clauses clearly delineating a cloud provider’s responsibilities and restrictions, while mandating audits for compliance.  

Similarly, IT specialists need to ensure that the cloud provider’s technology is appropriate and adequate; that there is a forward migration path; that information is secure (internally and externally) and protected against disaster; and that accessibility will not be compromised under any circumstances.

Finally the attorneys and IT experts need Records Managers to apply the Generally Accepted Recordkeeping Principles to the whole endeavor.
Success with Cloud information management requires the cooperation, coordination, and investment of all the information governors.  Disciplines, such as Accounting and Quality Assurance, are welcome contributors.  Ignorance of this synergy leads to multiple risks.  But for those who apply Information Governance to the Cloud, success is enhanced.

The strategies and tactics to accomplish this success are many, and no two situations are identical.  Fortunately, there are helpful resources available.  One of the best is the MER Conference that meets in Chicago every May, where records managers, lawyers, techies, and others put their heads together.  The sessions, the connections, and the conviviality all help focus solutions to individual needs. You can watch streaming sessions later in the year, but nothing can replace being there with the many people who inform our choices.  MER is one of my top resources for information, networking, and inspiration, and I look forward to seeing you there.
n  -- 30