Bulletin on Managing Federal Records in Cloud Computing Environments

ERM/NRMP Team September 8, 2010

Development Team Members
ERM
• Denise Pullen
• Mark Giguere
• Arian Ravanbakhsh
• Don Rosen
• Beth Cron
• Jill Shaver

NRMP
• Addie Compton
• Scott Roley

We also interviewed four agencies who reviewed a draft. Concurrence within NARA, OMB, and FRC.


We will highlight:
• Purpose
• Definitions
• Examples of Use
• RM Challenges
• Tactics to solve challenges
• Contracting
• Questions?

• Administration backing Cloud Computing
  – Agencies are adopting it

• NARA put out an FAQ and promised a Bulletin later this year
  – FAQ is largely definitional
  – Bulletin includes
    • expanded definitions
    • recommendations
    • agency uses of cloud computing
(Bulletin Question 1 & 2)

Cloud Computing: Definition
• Basically, using shared resources over the Internet
  – Many interpretations exist
    • Renting storage space
    • Social Media Tools (only in SaaS)
  – We are using NIST definitions

(Bulletin Question 3)


Cloud Computing: Definition
• NIST defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST Definition of Cloud Computing, Version 15, 10-07-2009)
(Bulletin Question 3)

NIST's Essential Characteristics
• On-demand self-service
  – Increase storage, etc. automatically

• Broad network access
  – Capabilities are available over the network

• Resource pooling
  – The provider's computing resources are pooled to serve multiple consumers
  – There is a sense of location independence; customer generally has no control or knowledge over the exact location of resources

• Rapid elasticity
  – Quickly scale out or scale in computing power

• Measured Service
  – Automatically control and optimize resource use through a metering capability
(Bulletin Question 3)


Cloud Computing Service Models
• Cloud Software as a Service (SaaS)
  – Provider's applications running on a cloud infrastructure
  – Consumer does not manage or control the underlying cloud infrastructure
  – Web mail systems in the cloud

• Cloud Platform as a Service (PaaS)
  – Consumer-created or acquired applications created using programming languages and tools supported by the provider
  – Consumer does not manage or control the underlying cloud infrastructure

• Cloud Infrastructure as a Service (IaaS)
  – Consumer receives computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications
  – Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)



(Bulletin Question 4)


Cloud Computing Deployment Models
• Private cloud
  – Cloud is operated solely for an organization by the organization or a third party

• Community cloud
  – Cloud is shared by several organizations and supports a specific community that has mutual concerns

• Public cloud
  – Cloud is made available to the general public or a large industry group and is owned by an organization selling cloud services

• Hybrid cloud
  – Cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability
(Bulletin Question 4)

Cloud Computing Use By Agencies
Team interviewed four agencies using clouds
• All received business benefits to solve various problems
• Some created private clouds; others used commercial offerings
• All had some issues with records management
  – One keeps everything, but is working to figure it out
  – Two are still working on agreements that place responsibility on participating agencies, but not the providing agency
(Bulletin Question 5)

So Is There A Problem?
Potentially
• If the benefits of the drivers outweigh perceptions of records management responsibilities
• If cloud solutions are procured without consideration of records management requirements
• If particular cloud deployments present insurmountable obstacles to exercising records management

Some RM Challenges
• Cloud applications may lack the capability to implement records disposition schedules
  – Maintaining records in a way that maintains their functionality and integrity throughout the records' full lifecycle
  – Maintaining links between the records and their metadata
  – Transfer of archival records to NARA according to NARA-approved retention schedules
(Bulletin Question 6)

Some RM Challenges
• Depending on the application, vendors may not be able to ensure the complete deletion of records
• Various cloud architectures lack formal technical standards governing how data are stored and manipulated in cloud environments

(Bulletin Question 6)


Some RM Challenges
• A lack of portability standards may result in difficulty removing records for recordkeeping requirements or complicate the transition to another environment
• Agencies and cloud service providers need to resolve issues if a cloud service ceases or changes dramatically

(Bulletin Question 6)


Meeting RM Challenges
1. Differences between service models affect how and by whom (agency/contractor) records management activities can be performed
2. Service or Deployment Models used could affect where records are stored or created
   • PaaS and IaaS might contain no Federal records depending on how they are used
3. In SaaS model, records may often be held in contracted space
(Bulletin Question 7)

Meeting RM Challenges
• Include RM staff in cloud computing solution
• Define which copy of records will be declared as the agency's record copy (value of records in the cloud may be greater than the value of the other set because of indexing or other reasons)
• Include instructions for determining if records in a cloud environment are covered under an existing records retention schedule
(Bulletin Question 7)

Meeting RM Challenges
• Include instructions on how all records will be captured, managed, retained, made available to authorized users, and retention periods applied
• Include instructions on conducting a records analysis, including records scheduling
• Include instructions to periodically test transfers of records to other environments, including agency servers, to ensure the records remain portable
(Bulletin Question 7)

Meeting RM Challenges
• Include instructions on how data will be migrated, so records are readable throughout their entire life cycles
• Resolve portability and accessibility issues through good records management policies and other data governance practices

(Bulletin Question 7)


• Agency is always responsible for its Federal records even if they are in contracted space
• Agencies must ensure contractors are aware of the agencies' RM responsibilities
• Agencies must work with contractors to manage records
• If a contractor quits the business, agencies must get the records back
(Bulletin Question 8)

• We created model language that informs all parties of RM responsibilities
  – Working to add similar language to GSA's apps.gov store

• Agencies can modify as needed, other clauses can be included in contracts
• Agencies may be partners in a private or community
  – Include RM in MOUs or other agreements
(Bulletin Question 8)

• Bulletin points agencies with questions to NRMP staff
• Toolkit is a resource

Contact Information: addie.compton@nara.gov or Scott.roley@nara.gov
Blog: http://blogs.archives.gov/records-express
(Bulletin Question 9, etc.)