Cloud computing and information management

Cloud computing poses both benefits and risks for your agency. Gains in cost, efficiency, accessibility and flexibility need to be weighed up against risks associated with security, privacy and information management.

Under the Government's Cloud Computing Policy, agencies must adopt cloud computing when acquiring ICT services, where it provides adequate protection of data and delivers value for money.

You should do a risk assessment to identify and manage jurisdictional, governance, privacy, technical and security risks before engaging a cloud service provider. Information management issues must be addressed in contracts with cloud service providers.

Legislative context for business information in the cloud

Australian Government information that is created, stored and managed in the cloud is subject to the Archives Act 1983. Under the Act, all data and information your agency creates, uses or receives as part of its business is a Commonwealth record. Your agency is responsible for managing the storage, access, alteration, transfer or destruction of its business information.

Your agency must also comply with the requirements of the Freedom of Information Act 1982 and the Privacy Act 1988. You must take contractual measures to ensure cloud service providers do not breach the Australian Privacy Principles.

Issues to assess when considering cloud computing

You need to assess the following information management issues when planning to engage a cloud service provider:

Scope

Consider carefully what business information will reside in the cloud. Will restricted data, such as personal information, be stored in the cloud? The higher the value of material, the more controls need to be implemented to ensure the integrity, authenticity and reliability of information.

Ownership

Your agency needs to retain ownership over its business information stored and managed in the cloud.

Compliance

Cloud service providers must comply with all applicable laws (eg Archives Act 1983, Freedom of Information Act 1982, and Privacy Act 1988), regulations, standards and policies governing the management of Commonwealth records.

Storage location

You need to specify storage location as a requirement prior to procuring a cloud service model or negotiating contracts with a vendor.

Australian Signals Directorate (ASD) has endorsed a number of cloud providers and services on its website. The Department of Finance also published a list of approved suppliers on its Cloud Services Panel.

You must ensure that systems offered by cloud service providers not on the ASD or Department of Finance lists are located in Australia.

Preservation

Business information stored and managed in the cloud needs to be preserved so that it is accessible for as long as required.

Your cloud service provider must conduct regular integrity checks and ensure that long term and permanent business information is migrated, as needed.

Retention and disposal

Cloud service providers must only dispose of business information, including copies, under instruction from your agency.

Expertise

You should include information management specialists in the planning and implementation of cloud computing.

Contractual requirements for business information in the cloud

It is essential that contracts with cloud service providers ensure that business information created, stored and managed in the cloud is:

  • authentic, accurate and trusted
  • complete and unaltered
  • secure from unauthorised access and deletion
  • findable and readable
  • related to other relevant business information

Authentic, accurate and trusted

Storage

Cloud service providers may store business information on multiple servers in multiple locations, including across different countries.

Your business information may be seized or accessed without your knowledge if it is stored outside Australia, or it may be caught up in discovery or other legal action affecting other information sharing the same server.

Knowing the location of your information and assessing the associated risks helps ensure your business information is appropriately secure. This is fundamental to an informed risk assessment.

Audit management

Unauthorised access can diminish the evidential value and authenticity of business information. To maintain accurate and trusted information, it is essential that the cloud service provider:

  • maintains adequate system and audit logs
  • provides audit logs, or extracts information from audit logs, specific to your needs
  • detects and reports unauthorised access.

Audit logs have also evidentiary value. Your contract should specify what audit information needs to be kept and for how long and ensure that you have access to audit logs .

Security of ICT systems

Data and network security and physical security ensure that business information remains authentic, accurate and trusted. The Australian Government Protective Security Policy Framework and the Australian Government Information Security Manual set out security requirements for government ICT systems.

You should ensure that controls and protections appropriately match the value of the business information.


Contract tip: Storage location, as well as ICT security, should be outlined in the contract with your cloud service provider.


Complete and unaltered

Migration, conversion and refreshment are inevitable processes in managing digital information. If not done properly, there is a risk that the information may become incomplete or damaged. This affects its value as evidence.

You need to assess the migration, conversion and refreshment techniques used by the cloud service provider to ensure that business information is not inadvertently altered or incomplete. Service providers should obtain permission from your agency prior to conversion or migration of information.

If certain conditions are met, you can destroy business information that is no longer needed once it has been copied, converted or migrated. The National Archives permits this destruction through the 'General Disposal Authority for Source Records that have been Copied, Converted or Migrated'.

Any alteration of business information should be authorised by your agency and documented.

Secure from unauthorised access and deletion

Your contract should specify who has the right to access information and when.

When business information is accessed and used, further transactional information is created. This transactional information also belongs to your agency and you should ensure that the cloud service provider does not use this information for their own purposes. Access restrictions should be commensurate with the value of the information.

Cloud service provider's viability

If a cloud service provider ceases business, access to business information may be lost either temporarily or permanently. The new service provider may not honour previous arrangements and your agency may not know who has accessed its information. This may compromise your ability to ensure business information is secure from unauthorised alteration or deletion.

Risk of incomplete destruction of business information

Destruction or transfer of business information stored or created in the cloud is subject to authorisation by the National Archives.

Cloud service providers often create multiple copies of the information they store for an agency, on geographically-dispersed storage media, to ensure that business information is not lost and is available to users. When they are due for destruction, you should ensure that all copies of information, including the ones kept on backup and other disaster recovery systems, are destroyed by the cloud service provider as appropriate.

If business information is not destroyed when required, it may be at risk of unauthorised access or other risks associated with over retention.

Third party subcontractors

Cloud services may involve layers of subcontractors. These subcontractors need to secure your business information in the same way as the contracted provider.


Contract tip: The cloud service provider should agree in the contract that it will comply with the security obligations of the Australian Government. If your agency has obligations to keep particular business information confidential, these obligations need to be included in the contract.


Findable and readable

Readability and usability of business information

Business information has little value if it is not readable. Some cloud service providers require clients to use particular formats and software. You should consider the risks this poses to ongoing usability of your information.

Business information returned to your agency must be in a usable format.

Impact of corrupted business information

There is always a risk that digital information may become corrupted in the event of network breaks, service disruptions or network congestion. If this happens, it can be difficult or impossible to access and use it. It is important for your agency and the cloud service provider to address the need for restoring corrupted business information.

It is important that the cloud service provider undertakes regular backups and that business continuity plans are in place for recovery of information.

Compatible metadata to identify and retrieve your agency business information

Metadata is the means by which information can be confirmed as complete, authentic, findable and usable. You also need to ensure that business information has sufficient metadata to satisfy access and retention requirements.

The Australian Government Recordkeeping Metadata Standard (AGRkMS) can help your agency meet its archival requirements by describing and maintaining findable and readable records. The Standard can also assist with grouping, organising and controlling the business information.

Metadata is itself information that needs to be managed and retrieved.

Impact of vendor lock-in

A cloud service provider may require you to use proprietary software and hardware. This may lock you into arrangements with that service provider because of the difficulty in retrieving business information in a format that can be migrated to another provider, or even to your own servers. The value of the information in those cases is severely reduced.


Contract tip: Contracts with cloud service providers should specify the format in which business information and associated metadata, is returned to your agency. It should also specify formats used in storage and the migration processes. Preferably, the service provider should use open formats to support readability over time. Ensure there are provisions in your migration plan for transferring information with archival value from the cloud to the Archives.


Related to other relevant business information

Metadata maintenance and management

Mismanaged metadata may weaken the ability to link business information, and thus diminishing its context.

Relationship between business information stored in the cloud and in-house

You should ensure that business information stored in the cloud is related to information stored in other locations and the connections between them are clear. Systems for managing information in the cloud and in-house should be complementary. This may mean that additional metadata needs to be applied to business information stored in the cloud to maintain its relationship links.


Contract tip: The contract with the cloud service provider should include minimum metadata requirements for the management of business information, as described in the Australian Government Recordkeeping Metadata Standard (AGRkMS).

More information

Australian Government Cloud Computing Policy explains the Government's vision, goals and actions in the use of cloud computing. Agencies are to evaluate and select cloud computing services commensurate with the requirements of the information.

The National Cloud Computing Strategy maximises the value of cloud computing in government by identifying core goals and a set of key actions.

Cloud Computing Security describes the information security risks that need to be considered by agencies wishing to adopt cloud computing services.  It also includes a list of cloud computing services endorsed by the Australian Signals Directorate (ASD).

Australian Privacy Principles regulate the handling of personal information by most Australian Government agencies.  

Negotiating the Cloud – Legal Issues in Cloud Computing Agreements is a better practice guide developed to assists agencies navigate typical legal issues in cloud computing agreements, including security and confidentiality of information.

Advice on managing the recordkeeping risks associated with cloud computing provides a list of practical measures on how government agencies can best utilise cloud computing services.

ASD Certified Cloud Services lists a number of cloud service providers and services endorsed by the Australian Signals Directorate (ASD).

Cloud Services Panel is a list of suppliers endorsed by the Department of Finance.

Copyright National Archives of Australia 2017