responsive documents - crew: nara: regarding record management and cloud computing: 11/28/2011 -...

Upload: crew

Post on 06-Apr-2018


  • 8/3/2019 Responsive Documents - CREW: NARA: Regarding Record Management and Cloud Computing: 11/28/2011 - Cloud Computing Training for NRMP


    Bulletin on Managing Federal Records in Cloud Computing Environments

    ERM/NRMP Team
    September 8, 2010


    Development Team Members

    ERM
    - Denise Pullen
    - Mark Giguere
    - Arian Ravanbakhsh
    - Don Rosen
    - Beth Cron
    - Jill Shaver

    NRMP
    - Addie Compton
    - Scott Roley

    We also interviewed four agencies who reviewed a draft. Concurrence within NARA, OMB, and FRC.


    Outline

    We will highlight:
    - Purpose
    - Definitions
    - Examples of Use
    - RM Challenges
    - Tactics to solve challenges
    - Contracting
    - Questions?


    Purpose

    - Administration backing Cloud Computing
    - Agencies are adopting it
    - NARA put out an FAQ and promised a Bulletin later this year
    - FAQ is largely definitional
    - Bulletin includes
      - expanded definitions
      - recommendations
      - agency uses of cloud computing

    (Bulletin Question 1 & 2)


    Cloud Computing: Definition

    - Basically, using shared resources over the Internet
    - Many interpretations exist
      - Renting storage space
      - Social Media Tools (only in SaaS)
    - We are using NIST definitions

    (Bulletin Question 3)


    Cloud Computing: Definition

    NIST defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST Definition of Cloud Computing, Version 15, 10-07-2009)

    (Bulletin Question 3)


    NIST's Essential Characteristics

    - On-demand self-service
      - Increase storage, etc. automatically
    - Broad network access
      - Capabilities are available over the network
    - Resource pooling
      - The provider's computing resources are pooled to serve multiple consumers
      - There is a sense of location independence; customer generally has no control or knowledge over the exact location of resources
    - Rapid elasticity
      - Quickly scale out or scale in computing power
    - Measured Service
      - Automatically control and optimize resource through a metering capability

    (Bulletin Question 3)


    Cloud Computing Service Models

    - Cloud Software as a Service (SaaS)
      - Provider's applications running on a cloud infrastructure
      - Consumer does not manage or control the underlying cloud infrastructure
      - Web mail systems in the cloud
    - Cloud Platform as a Service (PaaS)
      - Consumer-created or acquired applications created using programming languages and tools supported by the provider
      - Consumer does not manage or control the underlying cloud infrastructure
    - Cloud Infrastructure as a Service (IaaS)
      - Consumer receives computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications
      - Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)

    (Bulletin Question 4)


    Cloud Computing Deployment Models

    - Private cloud
      - Cloud is operated solely for an organization by the organization or a third party
    - Community cloud
      - Cloud is shared by several organizations and supports a specific community that has mutual concerns
    - Public cloud
      - Cloud is made available to the general public or a large industry group and is owned by an organization selling cloud services
    - Hybrid cloud
      - Cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

    (Bulletin Question 4)


    Cloud Computing Use By Agencies

    - Team interviewed four agencies using clouds
    - All received business benefits to solve various problems
    - Some created private cloud, others used commercial offerings
    - All had some issues with records management
      - One keeps everything, but is working to figure it out
      - Two are still working on agreements that place responsibility on participating agencies, but not the providing agency

    (Bulletin Question 5)


    So Is There A Problem?

    Potentially
    - If the benefits of the drivers outweigh perceptions of records management responsibilities
    - If cloud solutions are procured without consideration of records management requirements
    - If particular cloud deployments present insurmountable obstacles to exercising records management


    Some RM Challenges

    - Cloud applications may lack the capability to implement records disposition schedules
    - Maintaining records in a way that maintains their functionality and integrity throughout the records' full lifecycle
    - Maintaining links between the records and their metadata
    - Transfer of archival records to NARA according to NARA-approved retention schedules

    (Bulletin Question 6)


    Some RM Challenges

    - Depending on the application, vendors may not be able to ensure the complete deletion of records
    - Various cloud architectures lack formal technical standards governing how data are stored and manipulated in cloud environments

    (Bulletin Question 6)


    Some RM Challenges

    - A lack of portability standards may result in difficulty removing records for recordkeeping requirements or complicate the transition to another environment
    - Agencies and cloud service providers need to resolve issues if a cloud service ceases or changes dramatically

    (Bulletin Question 6)


    Meeting RM Challenges

    Provisos
    1. Differences between service models affect how and by whom (agency/contractor) records management activities can be performed
    2. Service or Deployment Models used could affect where records are stored or created
       - PaaS and IaaS might contain no Federal records depending on how they are used
    3. In SaaS model, records may often be held in contracted space

    (Bulletin Question 7)


    Meeting RM Challenges

    - Include RM staff in cloud computing solution
    - Define which copy of records will be declared as the agency's record copy (value of records in the cloud may be greater than the value of the other set because of indexing or other reasons)
    - Include instructions for determining if records in a cloud environment are covered under an existing records retention schedule

    (Bulletin Question 7)


    Meeting RM Challenges

    - Include instructions on how all records will be captured, managed, retained, made available to authorized users, and retention periods applied
    - Include instructions on conducting a records analysis, including records scheduling
    - Include instructions to periodically test transfers of records to other environments, including agency servers, to ensure the records remain portable

    (Bulletin Question 7)


    Meeting RM Challenges

    - Include instructions on how data will be migrated, so records are readable throughout their entire life cycles
    - Resolve portability and accessibility issues through good records management policies and other data governance practices

    (Bulletin Question 7)


    Contracting

    - Agency is always responsible for its Federal records even if they are in contracted space
    - Agencies must ensure contractors are aware of the agencies' RM responsibilities
    - Agencies must work with contractors to manage records
    - If a contractor quits the business, agencies must get the records back

    (Bulletin Question 8)


    Contracting

    - We created model language that informs all parties of RM responsibilities
    - Working to add similar language to GSA's apps.gov store
    - Agencies can modify as needed, other clauses can be included in contracts
    - Agencies may be partners in a private or community
    - Include RM in MOUs or other agreements

    (Bulletin Question 8)


    Questions?

    - Bulletin points agencies with questions to NRMP staff
    - Toolkit is a resource
    - Contact Information: [email protected] [email protected]
    - Blog: http://blogs.archives.gov/records-express

    (Bulletin Question 9, etc.)