170 likes | 184 Vues
Explore impact of cloud computing on archival practices in state government settings, analyzing roles and risks, aiming to create a digital curation governance model.
E N D
Evidence-as-a-Service: State Government Recordkeeping in Cloud Computing Environments Lori Richards, SILS, UNC – Chapel Hill | AERI 2012 | July 10, 2012
Long-Term Research Motivation • To understand how emerging technologies affect the theory and practice of archives and records management in complex organizational settings • This motivation is not entirely new to the field of archives and records management
For Example… • In the past 40 years, ARM researchers have examined the changing nature of the field as technology has advanced, asking questions about things like • Computerized index systems and automated retrieval mechanisms (1970s – 1980s) • How moving to electronic from paper-based records creation and storage impacts archival processes and user access patterns • How the notion of “records lifecycle” changes in electronic environments • Concerns about personal privacy and security in digital environments • Concerns about government and organization accountability in a world where erasure of documents is an ever-present risk • How concepts such as “record,” “provenance,” and “document” change in electronic environments
Gaps • Studies do not yet exist that examine how digital curation roles and responsibilities within complex organizations change in the light of highly distributed electronic information processing infrastructures • The information processes are highly distributed, but • They are often managed in highly centralized and controlled ways, often using • combination of internal and external resources that manage the information through several layers of service provision
Project Goals • Examine how the functions of archives and records management are instantiated in state government cloud computing environments • Gain a clearer understanding of how the various parties who play a role in the records continuum understand their roles and responsibilities, understand how operating in the cloud affects those roles and the risks to the resulting records, and impacts incentives to engage in “accountability-sensitive” and “preservation-sensitive” professional activities
Projected Outcome • Develop a “digital curation governance model” that could serve records managers in organizations moving into the cloud and that could provide clues as to the types of knowledge and skills these people will need to gain in educational programs or on the job
Study Methodology • Multi-case study embedded in a wider study that includes semi-structured interviews with professionals from a variety of states that are performing recordkeeping (i.e., digital curation) activities in cloud environments • Minnesota – Statewide implementation of Microsoft 365 email and collaboration system, including SharePoint in the Cloud (externally hosted cloud, dedicated statewide environment) • Kentucky – Department of Education movement of their entire Instructional Technology environment into the Cloud (externally hosted cloud, dedicated educational institution environment) • North Carolina – Movement of syndromic surveillance healthcare data into a newly developed Cloud-based system managed by the CDC, which shares data with other state and local agencies nationwide • Documentary analysis • Requirements documents, business case and/or TCO analysis, IT governance documents, organizational charts, retention schedules, and data practices legislation
Alternative Title: “We Keep Everything Forever” (Except what IT destroys according to its contract-negotiated schedule)
Second Alternative Title: *WHOSE job is this, anyway?*
Participation • Interviews: • Executive level management in state CIO offices • State Archivists • Archivists and collections managers • Records Managers • IT Management from central IT groups • Agency-level IT management • Agency directors • Product manager and systems engineers • Data Practices and Compliance liaisons • Experts from NASCIO and RTI International
States Providing Information • Florida • Kentucky • Massachusetts • Minnesota • Nebraska • New Jersey • North Carolina • South Carolina • Wyoming
Some Preliminary Findings • Of the risks that have been discussed in journals related to recordkeeping in the cloud, virtually no one seemed to be aware of them • IT sees itself as an integrator rather than a builder. Hence, they don’t really feel ownership of the information, although the program/agency personnel feel that they have LOST ownership of the information due to IT consolidation
Key Questions to Ask • Do we have the ability and right to audit written into our contracts with this vendor? • Do we know who all the participants in the supply chain are, so that we can engage in our (legally mandated) contracts with every party that touches this information? • What will happen to our data at the end of the contracting period? Can we move some or all of our data from one provider to another? • Does the provider have the technical capabilities to destroy data according to our disposition schedules? If not, can they offer an acceptable proxy for destruction? • Who owns our data and how does this impact our eDiscovery and other legal mandates? • Can this vendor assure us that when a breach of privacy occurs we are immediately notified and that we can immediately notify those whose privacy was breached? • How is our data segregated from other tenants of this provider? What security mechanisms do they use to ensure that the data is segregated? What encryption mechanisms do they use?
Appendix A: Some Risk Considerations • Cloud services are often layered • ALL service providers must meet your regulatory requirements • Access-related issues • Ensuring that those who do not have permission to access records are barred from viewing them: what are your provider(s) security and data isolation techniques? • Ensuring that you continue to have access to records: data ownership must be contracted! • Disposition schedules • You really can’t destroy records in the cloud: encryption matters! • eDiscovery • Ensure your SLAs specify how your provider will respond in the event of a subpoena or government request for information • Provenance
Appendix B: Concerns for Collaborations • Resource sharing can lead to new collaborative policy requirements • Records are shared, but the different partners have different retention requirements. The central repository has a 6 year retention policy – retention policies need to be negotiated during contracting, something that hasn’t happened yet. • What if a partner picks up only a portion of a record? What is the status of the new information? • What happens to the data when the participant leaves the exchange or the cooperative goes out of business? • No answer to this question yet; it remains an issue.
Questions? Lori Richards UNC Chapel Hill lorraine.richards@unc.edu