Records and the Threat of Cloud Computing

I recently hosted a panel for ARMA that discussed compliance and records management issues related to Cloud Computing. It proved to be one of the most thought-provoking sessions I have been involved in for a long time. What became abundantly clear very early on was that records managers and compliance officers really need to get their head around cloud computing, and fast.

In the session we spent some time explaining that for every vendor out there that claims to have a cloud solution, only one in ten really has. That "cloud" relates to a virtualized world utilizing the Internet as a network -- whereas hosted and SaaS options (the nine out of ten) almost always have a specific data center location that they operate from.This short blog entry is no place to get into the intricacies of this topic, so suffice it to say that with most hosted and SaaS options you can impose an SLA that will tell you, at any time you need to know, exactly where your data resides. With a true cloud option, this is simply impossible -- nobody (literally nobody) actually knows where your data resides. That is currently a complete no-no for most regulated data.

Secondly, when cloud-based vendors tell you (and many do) that you never need to delete anything, and that this is the beauty of the cloud, you need to run a mile in the opposite direction. The secure disposition of data is a legal requirement, with the onus on you, the data owner (and not on your technology supplier) to dispose of data and show how you did it. You need to know exactly how data is disposed of, and how that can be verified. Keeping everything forever is not a legal option.

The cloud is a truly amazing development in computing -- whether we take the grid or the supercomputer route -- but laws are laws, and technology vendors don't write them, and if they don't like them they need to lobby politicians to change them. Simply ignoring laws you don't like, or willfully breaking them, is not an option. Even genuine ignorance is no defense.

Just for the record, I believe that cloud computing is a very important element of our computing future, but IT departments need to figure out the implications of what they are getting themselves into before signing up to such services, both legal and records management departments need to be involved in drafting such agreements from the get-go.

As readers of CMS Watch ECM research know, retention and disposition are the core principals of records management, and cloud computing brings into question the relevance and value of both principles. I think cloud computing is the biggest threat records management has ever faced. Yet records managers are still trying to figure out how to deal with the decades-old problem of e-mail, so the cloud remains on the distant horizon for most.

My concern is that there could come a time where records management -- not legal compliance but good old fashioned information management -- will become an irrelevance; that would be tragic, but that time could come, and sooner than some may imagine.I recently hosted a panel for ARMA that proved to be one of the most thought-provoking sessions I have been involved in for a long time. What became abundantly clear early on was that records managers and compliance officers really need to get their head around cloud computing, and fast.