Cloud Computing Toolkit launched by ARA and Aberystwyth University

ARA and Aberystwyth University launch the Cloud Computing Toolkit: Guidance for Outsourcing Information Storage to the Cloud. The Archives and Records Association (ARA) has a long tradition of supporting professionals in the recordkeeping sector. As part of this aim to provide timely advice on emerging professional issues, the ARA funded a research project to investigate the management, operational and technical issues surrounding the storage of information in the cloud. The aim of the project was to develop a toolkit that could assist information professionals in assessing the risks and benefits of outsourcing information storage and processing to the cloud.

Cloud computing can be described as the ability to access, via the internet, a pool of computing resources which are owned and maintained by a third party. It is not a new technology but a new way of delivering computing resources based on long-existing technologies such as server virtualisation. The 'cloud' as such is composed of hardware, storage, networks, interfaces and services that provide the means through which infrastructure, computing power, applications and services are accessed by the user on demand and independent of location. In a cloud infrastructure, information, applications and processing power are distributed across many servers, which allows very flexible up and down scaling of resources. In a multi-tenant environment, all the cloud provider's customers share applications, storage and servers. Customer information can physically be distributed across many servers and stored together with other customers' information, separated only through logical isolation mechanisms.

Top 10 questions

The research identified a Top 10 of cloud computing concerns. These cluster loosely into those concerned with performance (specifically efficiency and cost, monitoring and total costs); those relating to alignment with organisational objectives (i.e. organisational responsibility and the impact of outsourcing); and those associated with ensuring information assurance and value through RiM programmes and the protection of systems. The perceived risk to the organisation and the robustness of the contracts and outsourcing procedures figured highly in the ranking.

Which process, application and information can be moved to the cloud to gain efficiency and cost benefits while satisfying the organisation's security and compliance requirements?

How can the organisation be harmed if systems, applications, services or information are accessed by unauthorised people and information is being made available to the public?

How are information and systems protected against unauthorised access (e.g. hacking, interception, user misuse) by the cloud service provider?

How can the organisation ensure the integrity, authenticity and reliability of information stored in the cloud?

What are the organisation's responsibilities regarding the security of infrastructure and information in the cloud for the chosen cloud service and deployment models?

How can the organisation apply its records and information management programmes (e.g. classification, retention) to the cloud environment?

What is the impact of outsourcing services and information to the cloud on the legislative and regulatory requirements of the organisation (e.g. DP, FOI, SOX, e-discovery, copyright, licensing etc.)?

How should the organisation audit and monitor cloud services and establish relevant service level agreements?

Will the organisation be able to negotiate contracts and agreements that fit their risk assessment and compliance environment?

What are the total costs of setting up and managing the cloud services?

A detailed analysis of the challenges of cloud computing and a fuller list of questions can be found in the accompanying Cloud Computing Project Report.

Solutions and approaches

Risk management

Consensus emerged from the various consultations that cloud computing can be seen as essentially a risk assessment and management exercise that should be familiar from other outsourcing projects. Cloud computing, however, invariably generates new risks, many of which can be transferred to the provider or mitigated through audit and monitoring of the provider's services and infrastructure. Other risks might have to be accepted as part of a trust relationship that is being established with a cloud service provider. As one unconference participant put it: "You can have security in the cloud, it is just more expensive."

Procurement

Cloud computing can change the nature of services and products being acquired from a third party, and there are concerns about limitations on the ability to independently audit cloud providers and assess their security controls. Most outsourcing policies and guidelines are not currently suitable for cloud computing service agreements (in terms of payments, jurisdiction, sub-contractors etc.) and would need to be adapted.

Policies

Records management theory and practice have long focussed on centralising control over information in order to apply classification, appraisal, access and preservation (CAAP) processes. Cloud computing de-centralises information storage even further than traditional electronic records management environments, and guidelines on how to apply CAAP processes are largely missing.

Standards

For cloud computing to mature, it is necessary not only that suitable policies are established internally but also that related standards are developed and adopted across the cloud computing market. This will not only facilitate the implementation of cloud computing services but also enable organisations to better choose and move among cloud service providers. Governments adopting particular industry standards and subsequently requesting compliance with these standards from cloud service providers will push consolidation of the existing cloud computing market. Adoption of these developing standards depends to a certain extent on market pressures from cloud computing customers and on incentivising cloud service providers to remain competitive by adopting such standards.