Why cloud computing?

Cloud computing is a form of information technology (IT) provision that treats computing as a set of services that can be purchased on-demand through networks. Individuals and businesses can thereby use the amount of service they want to use without having to make large infrastructure investments that may lead to idle resources when computing needs are lower than maximum capacity. This arrangement allows computing infrastructure, hardware, and software to be treated as largely modular services that can be scaled up and down easily and with minimal ongoing interaction and negotiation with one’s computing resource provider. This arrangement also allows organizations to minimize the number of information technology professionals necessary to meet the IT needs of the organization.

Cloud computing has become associated with the notion of economic sustainability in a number of IT circles. Because it allows organizations to make use of large amounts of computing power without having to make correspondingly large capital investments in IT infrastructure (Creeger 2009), numerous organizations have found shifting to “the Cloud” to be both cost effective and operationally straightforward. Some have even argued that the movement to the Cloud is an inexorable, overarching shift from one mode of industrialization to an entirely new mode (McAfee 2009), similar in nature to the shift from steam power to electrical power during the late nineteenth and early twentieth centuries (Carr 2008).

The Obama administration has made cyber-infrastructure in general and cloud computing in particular key priorities for the federal sector (InformationWeek 2009). In September 2009, the federal government announced its “Cloud Computing Initiative,” outlining both the rationale for the initiative and some of its key components, such as its major characteristics, its delivery methods, and its deployment models (Lewin 2009). In May

2010, then first Chief Information Officer (CIO) of the United States of America Vivek Kundra published a report on the state of public sector cloud computing, describing thirty high-profile implementations that were in place or in process (Kundra 2010). Kundra has since left his position as the U.S. CIO, but new U.S. CIO Steven VanRoekel announced very early in his tenure that he intended to continue Kundra’s “Cloud First” policy (proofpoint 2011), which requires federal agencies to evaluate “safe, secure cloud computing options” before making any new investments (Kundra 2011, 2). Since that time, VanRoekel has reported,

With our Cloud First initiative, agencies identified 79 services to move to the Cloud in order to reap savings and service improvements. This year, agencies successfully migrated 40 services to the Cloud and were able to eliminate more than 50 legacy systems in order to save taxpayer dollars while expanding capabilities. As part of this effort, agencies created six services in the Cloud that they weren’t previously able to provide (2011).

In late 2011 the U.S. General Services Administration (GSA) launched the FedRAMP (GSA 2012), “a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services which every agency will be required to use” (VanRoekel). In addition, in 2012 the CIO Council, in conjunction with the Chief

Acquisition Officers’ Council, published a set of best practices for agencies acquiring cloud computing services (2012).

An examination of the websites of state governments in the United States (US) shows that at least three-quarters of all states have adopted cloud computing or are in the process of adopting cloud computing within one or more of their state-level agencies (excluding basic website hosting services). For example, Wyoming has shifted the email of all of its

approximately 10,000 state government employees to Google Apps for Government, “putting them on a single email platform for the first time” (Office of Governor Matt Mead 2011).

Minnesota implemented Microsoft Office 365 to deliver the state’s Enterprise Unified Communications and Collaborations services (MN OET). New Jersey’s Transit Authority implemented an on-demand, cloud-based customer relationship management (CRM) service from Salesforce.com, allowing it to handle more than five times the number of customer inquiries than it had before implementing the service. The transit authority’s response time reportedly dropped by more than 35 percent, and its productivity increased by 31 percent (Kundra 2010). The State of Utah implemented a hybrid6 solution that uses an internal private cloud (Towns 2009) in conjunction with Force.com for CRM, Google Earth

Professional for shared Geographic Information System (GIS) planning, and Wikispaces for self-provisioned wikis. These contracts are managed centrally through the state’s Department of Technology Services (DTS). Initial estimates suggested that Utah, which has an IT budget of $150 million per year, will save four million dollars per year as a result of moving to the Cloud (Kundra 2010).

However, if cloud computing sometimes seems straightforward from the point-of- view of IT costs and service provision, its benefits for records management are murkier. The U.S. National Archives and Records Administration (NARA) has suggested that agencies should be aware of the potentially adverse effects of cloud computing on records

management work (2011). NARA noted that some cloud architectures “lack formal technical standards governing how data is stored and manipulated in cloud environments,” thereby threatening the long-term trustworthiness and sustainability of the data. In addition, a lack of portability standards might make it difficult to dispose of or transfer records in accordance

6 _{This is yet another disciplinary-specific use of the term “hybrid.” Here, “hybrid” refers to a cloud computing} implementation which includes both a public cloud and a private cloud jointly. The organization thus provides and manages some cloud computing resources in-house and some externally.

10

with recordkeeping requirements. ARMA International pointed out that a wide range of potential records management risks are associated with cloud computing, such as the potential failure to meet recordkeeping regulatory requirements, jurisdictional issues regarding data storage, vendor continuity concerns, lack of clarity surrounding data

ownership, and interoperability challenges (2010). Although some vendors are beginning to produce records management applications that can be integrated with cloud computing services (Miller 2011; Alfresco 2011; SpringCM 2011), state government professionals must be diligent to ensure that their agencies adopt appropriate records management policies and procedures when cloud computing services are contracted in order to satisfy state and federal recordkeeping requirements.

As threats to the long-term trustworthiness and sustainability of data, the risks that NARA and ARMA International associate with cloud computing strike at the heart of ARM goals. Richard Cox argued that records management exists to “support accountability, the protection of crucial evidence, and the nurturing of corporate memory” (2001, 13). He pointed to records’ role in ensuring organizational accountability and providing evidence of organizational transactions and decisions. Likewise, Anne Gilliland-Swetland (2005), examining the development of a research agenda for electronic records management, noted that since the late 1980s ARM professionals have largely accepted that recordkeeping as an activity is geared toward ensuring the evidentiary quality of records. The international recordkeeping standard ISO 15489-1, which “provides a framework for any organization, public or private, to adopt and use to manage its records, irrespective of the medium on which they are created, captured and maintained” (McLeod 2003), adds that in addition to providing evidence and ensuring its accountability, an organization has the responsibility to

manage its records so that it can support the continuing conduct of its business and remain compliant with its regulatory requirements. To do this, ISO 15489-1 says an organization must “create and maintain authentic, reliable and useable records, and protect the integrity of those records for as long as required” (ISO 2001, 6). Both the Society of American

Archivists (SAA) code of ethics (2012) and the ARMA International code of ethics (2011) agree, stating that protecting the authenticity, integrity, and accessibility of records is a key ethical and professional responsibility of ARM workers. Thus, to the extent that cloud computing presents a risk to an organization’s ability to effectively manage and maintain its records, it threatens the goals of the organization’s ARM professionals.

In addition, as will be seen in the next chapter, cloud computing represents a new and unfamiliar technology for most recordkeeping professionals, increasing the risk that lack of knowledge about the nature of the technology will lead workers to overlook some of the procedures in which they should engage when attempting to ensure the authenticity of records over time or fail to address all of the potential risks that inhere in this technological approach.