Outsourcing to the cloud: Caveat emptor or caveat venditor

Presentation on theme: "Outsourcing to the cloud: Caveat emptor or caveat venditor"— Presentation transcript:

1 Outsourcing to the cloud: Caveat emptor or caveat venditor
Corinne Rogers, University of British Columbia
XVI Congrés d’Arxivistica de Catalunya, Associació d’Arxivers-Gestors de Documents de Catalunya
May 4-6, 2017, Reus, Catalonia, Spain

2 Agenda
Introduce InterPARES: IP1, IP2, IP3, InterPARES Trust
Discuss pros and cons of cloud computing for recordkeeping: “the cloud” in 2017: status, benefits, challenges
Present several tools for evaluating cloud services from the perspective of archival theory: coping with retention & disposition in the cloud; evaluating CSP contracts

3 InterPARES – 4 phases to date
InterPARES 1 ( )
Researched issues pertaining to digital records in databases and office management systems in the course of administrative activity
Focused on developing theory and methods to ensure preservation of authenticity
Studied records from the perspective of the records preserver

4 InterPARES – 4 phases to date
InterPARES 2 ( )
Researched issues pertaining to digital records in dynamic and interactive systems in artistic, scientific, and government activity
Examined issues of authenticity, reliability, and accuracy over the lifecycle
Studied records from the perspective of the records creator

5 Benchmark Requirements supporting the presumption of authenticity

6 Baseline Requirements supporting the production of authentic copies

7 Products Creator & Preserver Guidelines

8 Guidelines translated
Catalan, French, Portuguese, Spanish

9 InterPARES – 4 phases to date
InterPARES 3 ( )
Put theory into practice in archives / records units in organizations with limited financial or human resources
Applied and tested the findings of InterPARES 1 and 2 to implement sound programs supporting the creation and preservation of digital records that could be shown to be authentic, reliable, and accurate

10 Impact
Legislation: Italy, China
Standards: DOD (2007), MoReq 2 (2008), OAIS (2009), CGSB (2017)
Policies & procedures: all participating countries, public/private sector
Curriculum for continuing education, university training: ICA Education Modules for Digital Preservation (2012, with translation to Chinese, Spanish, Arabic); Digital Diplomatics and Digital Records Forensics (2013-present, UBC)

11 InterPARES Trust (2013-2018) www.interparestrust.org
Purpose: To generate theoretical & methodological frameworks to support the development of integrated & consistent local, national, & international networks of policies, procedures, regulations, standards, & legislation for digital records in online, networked environments, in order to ensure public trust grounded on evidence of good governance, a strong digital economy, & persistent digital memory

12 Research structure
Studies are focused in 5 research domains and 5 research cross-domains:
Domains: Access, Control, Security, Infrastructure, Legal issues
Cross-domains: Policy, Social issues, Terminology, Resources, Education

13 Research structure
InterPARES Trust is a research partnership led by UBC, with partners including:
National libraries and archives
Government departments: national, regional, municipal
Academic departments
International organizations
Private industry
Not-for-profit consortia

14 Research structure
Partners are organized in regional teams spanning 6 continents:
North American Team, Latin American Team, European Team, Asian Team, African Team, Australasian Team, Transnational Team

15 What are we researching?
What is the impact of always-on, networked communications technologies and cloud computing services on records management & recordkeeping, maintaining trustworthy records & supporting client/citizen perception of trustworthiness of records?

16 Goals To discover how current policies and practices regarding the handling of digital records in online environments by institutions and professionals affect public trust In other words, what are records professionals doing to maintain trustworthy records?

17 Goals To anticipate problems in maintaining trust in digital records under the control of entities currently suffering a waning level of confidence from the public In other words, what is the public’s perception of the trustworthiness of institutional records?

18 Goals
To establish what significance national or cultural contexts have with regard to the level of trust in digital records online
To develop model policies, procedures, guidelines, standards, & functional requirements for creating, managing, accessing, storing, and preserving trustworthy records online
To test these instruments in a variety of contexts

19 Why is this research necessary?
“Cloud-first strategies are the foundation for staying relevant in a fast-paced world” (Gartner, 2015)
“Enterprise adoption of the cloud has truly moved into the mainstream, with 68% currently using public or private cloud… a 61% increase over last year…” (IDC, 2016)
“The greater the level of cloud adoption, the higher the level of business benefits achieved” (IDC, 2016)
“On average, per application deployed on cloud, organizations studied are achieving $3 million in additional revenue… [and] $1 million in cost reduction…” (IDC, 2016)
Enticing, but…

20 What is ‘the cloud’?
“There is no cloud. It’s just someone else’s computer.” (Popular)
True?
“… if you’re saying that, the joke is on you, because it means you don’t understand what the cloud actually is.” (Branscombe, 2017)

21 Cloud computing: NIST
“A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Delivered in one or a combination of deployment models: public, private, community, hybrid
Three main service models: SaaS, PaaS, IaaS

22 NIST interpreted
“The simplest definition of cloud is a data centre that’s full of identical hardware … [in which] every deployment, update, investigation, and management process is automated.” (Branscombe, 2017)

23 Challenges
Most challenges discussed represent present concerns with current data (data-centric thinking):
Is data secure from alteration or interference?
Can personal privacy be protected?
Can regulations and laws be observed in the face of cross-jurisdictional data transfer?
What guarantees of continuity of service exist?
How will data breaches be handled?

24 Chain of custody
We keep records (sometimes over long periods of time) as evidence of activity, as memory of action, & to prove accountability – we must trust them
In archival terms, we trust records based on proof of records’ authenticity, reliability, & accuracy
In legal terms, trust is expressed through rules of admissibility of documentary evidence (common law systems)
A demonstrable chain of responsible custody is key to both

25 Challenges
Recordkeeping challenges look beyond the immediate present, reaching into the past and projecting into the future (record-centric thinking):
Can the context of records be protected?
Can provenance be demonstrated?
Can retention & disposition be carried out?
Can access and usability be assured over time?
Can intellectual rights be respected?

26 Trust
N. 1. Confidence of one party in another, based on alignment of value systems with respect to specific actions or benefits, and involving a relationship of voluntary vulnerability, dependence, and reliance, based on risk assessment.
V. 2. To have confidence in another party with respect to specific actions or benefits.
Trust is subjective, existing on a continuum from trust to skepticism.

27 Record Trustworthiness
Trust framework:
Record Trustworthiness
    Authenticity: Identity, Integrity
    Reliability: Completeness, Control
    Accuracy: Precision

28 Trustworthy records systems
These records requirements depend on trustworthy, controlled systems.
Do cloud services meet the standard of trustworthy records systems?

29 Trustworthy records systems: Managing records wherever they are
Whether managing records in a paper-based in-house system, or managing any valued organizational asset, a management framework consists of:
Laws & policies establishing accountability
Standards & practices for management
Systems & technologies for implementation
People
Organizational structure
Awareness & continuing education
(Managing Records of Citizen Engagement Initiatives: A Primer)

30 Hierarchy of contexts
Juridical/Administrative, Provenancial, Procedural, Documentary, Technological

31 Holistic view of considerations for adopting cloud services
Managerial (including Records Management), Economic, Legal, Security, Technical
(Records in the Cloud – Switzerland, 2016)

32 Cloud maturity
Ad hoc, Opportunistic, Repeatable, Managed, Optimized
(IDC, 2016)

33 Tools for evaluation
Regardless of the degree of cloud adoption, there are tools to evaluate the benefits and risks from the perspective of recordkeeping based on archival science:
Checklist for evaluating cloud service provider contracts
Checklist for evaluating retention & disposition capacity

34 CSP contracts as instruments of trust: Purpose & Research question
Purpose: To explore the contract – specifically the contract between a client and a cloud service provider – as a tool for building trust
Research question: How effectively do cloud service contracts meet the needs of records managers, archivists, and information governance professionals?

35 Selected contracts
No marketing material
Boilerplate contracts & documents: Terms of Service (ToS), Service Level Agreements (SLA), Privacy policies, Acceptable Use policies, Security terms
Jurisdiction: Canada, United States, Europe
Amazon.com (USA); Bluelock (USA); Dropbox (USA); Egnyte (USA); GoGrid (USA); Google (USA); ProfitBricks (USA); Rackspace (USA); CityNetwork (Sweden); SAP (Belgium); Pathway Communications (Canada)

36 Contracts review
Findings:
Several legal documents exist: Terms of Service, Service Level Agreements, Privacy Policies, Acceptable Use Policies
Little standardization of terms
“Often incomprehensible to majority of users”
Wide-ranging exclusions of liability favor the providers
Terms may change

37 Related work
Recordkeeping Standards, Cloud Computing Contract Standards, and related articles:
Public Records Office of Victoria (2012)
European Commission subgroup on service level agreements (established 2013)
ISO/IEC (2016) SLA Standardization Guidelines

38 CSP contracts in the courts
Case Law and Related Articles
Relatively few cases decided, but several legal tenets involved
Complexity results from jurisdictional and industry differences:
Contract law
Privacy and access
Confidentiality and security of data
Data jurisdiction and conflict of laws

39 Comparative Analysis
Regardless of jurisdiction, sector, or industry, common risks to records exist:
Unauthorized access
Privacy breach
Loss of access, control
Lack of transparency of service
Lack of ability to negotiate service
Location ambiguity
Contract ambiguity

40 Specific Considerations
Data ownership
Availability, retrieval and use
Data storage and preservation
Data retention and disposition
Security, confidentiality, privacy
Data location and cross-border data flow
End of service; contract termination

41 The Checklist - sections
Agreement
Data Ownership and Use
Availability, Retrieval, and Use
Data Storage and Preservation
Data Retention and Disposition
Security, Confidentiality, and Privacy
Data Localization and Cross-border Data Flows
End of Service; Contract Termination

42 The Checklist

43 Integration & Review
Integrated with NA03: Standards of Practice
Integrated with NA06: Retention & Disposition checklist
Released for comments in fall 2015
Presented at ICA in Reykjavik, Iceland
Tested in several venues, including the International Federation of Red Cross and Red Crescent Societies

44 Resources
Cloud Service Contracts: An Issue of Trust, Canadian Journal of Library and Information Science (CJLIS): Special Issue on Data, Records and Archives in the Cloud, June 2015
/Dissemination
Annotated bibliography
Checklist
Final Report

45 Retention & disposition checklist
How does the use of cloud services affect retention & disposition of records in accordance with the law and other applicable guidelines?
Study carried out as part of InterPARES Trust by researchers from San Jose State University (California), the British Columbia Government Records Service, and archivists & records managers from the Universities of BC and Victoria

46 Findings
Survey of members of ARMA International: 168 respondents
62% worked in government
60% used some aspect of cloud computing
92% confirmed their organization has a retention policy
50% confirmed that the policy applied to records in cloud storage
69% said that vendor terms and conditions were not consistent with their policies, or they did not know
81% said dispositions on cloud content had not yet been performed, or they did not know

47 Internal & external obstacles
External factors are risk related, or imposed
Internal factors reveal the level of cloud maturity knowledge:
Differences in IT and RIM culture
Decisions often cost-driven, or made solely by the IT department
Lack of knowledge about cloud computing

48 Retention & disposition: questions for evaluation of service
Privacy and security
Establishing disposition authorities
Applying disposition authorities
Executing disposition authorities
Documenting disposal actions
Reviewing disposition
System integration

49 More resources for decision-making
Ensuring Trust in IaaS at
This Checklist is designed to offer guidance for individuals, businesses, government agencies or other organizations to assess the security and ongoing trustworthiness (i.e. authenticity, reliability, and accuracy) of their data when stored in an Infrastructure-as-a-Service (IaaS) platform. It is the result of a study in the international InterPARES Trust Research Project, Ensuring Trust in Storage in Infrastructure-as-a-Service (EU08). The goal of the study was to establish the minimum amount of information necessary to support users’ trust in an IaaS provider and also to position the provider as a trusted service provider. The checklist consists of 36 questions divided into 10 categories: General information (4 questions), Governance (4 questions), Compliance (4 questions), Trust (5 questions), Architecture (6 questions), Identity and Access Management (1 question), Software Isolation (2 questions), Data Protection (5 questions), Availability (2 questions), Incident Response (3 questions). This checklist can be used by records managers and archivists when assessing a CSP offering IaaS, as well as by CSPs as a guideline for providing online information about their service. The full report from this study can be found at rageIaaS_FinalReport_Final.pdf.

50 Who is responsible? Caveat emptor, or caveat venditor?
Should you outsource IT to the cloud? Guidance from IDC, 2016:
“Simply adopting cloud is not enough; you should increase your cloud maturity level”
“Go with a provider you trust”
Standards of trustworthiness may be identified in terms of levels of expectation of responsibility. The highest level is the fiduciary relationship – the legal relationship between a person in a position of some vulnerability, the trustee, and the trustor, whose aid, advice, or protection is sought on the basis of its justifiable trustworthiness. The phrases caveat emptor and caveat venditor express the trust relationship between two parties. Caveat emptor is the level of trust with the least expectation of responsibility – the type of trust represented in the ordinary marketplace: buyer beware. But the principle of caveat emptor only works when the buyer has sufficient knowledge of the product he is buying and the opportunity to inspect it. This was the way of medieval fairs, but it does not serve the consumer in the digital age. The mirror image of caveat emptor is caveat venditor – let the seller beware – where the responsibility is shifted to the seller.

51 Who is responsible? Caveat emptor, or caveat venditor?
Selected tools to help, InterPARES Trust, 2017:
Checklist for ensuring trust in SaaS (EN, SP)
Checklist for comparative analysis of governmental e-services
Checklist for single sign-on systems
Economic models for cloud storage decision-making
Archival standard of practice
Functional requirements for retention & disposition in the cloud
Managing records of citizen engagement initiatives: a primer
Checklist for evaluating cloud contracts (EN, AP, FR, NL)

52 www.interparestrust.org www.interparestrust.com corinne.rogers@ubc.ca
Tag cloud by Ashashyou (Own work) [CC BY-SA 4.0], via Wikimedia Commons
