Interview: Samantha Lofton and the Records Implications of Cloud Computing

By MIMI DIONNE | Published Jul 14, 2010

If you don’t know Samantha Lofton, you should. A quietly impressive and generous Records and Information Management professional, she established her superb reputation through education and practical experience.

From an entry-level position in the Clinical Research Industry to Firmwide Records & Information Manager for Greenebaum, Doll & McDonald PLLC, she built her sophisticated Records program from an idea using industry standards and best practices.

In addition to being a life-long student of RIM, she also serves the membership of ARMA International as one of its elected Directors. She is swiftly emerging in the Records field as one of the foremost experts in the relationship between information management programs and cloud storage solutions, and I had the good fortune to sit down with her recently to talk about one of her favorite topics.

Q: Samantha, you’ve taken on multiple roles for your firm. What prompted you to pick up this topic?

Lofton: I’m interested in this topic because of the industry trend towards marketing of cloud storage solutions to businesses and clients as a good alternative to reducing cost associated with data storage, IT infrastructure, architecture, application and other associated data warehouse and maintenance costs.

In a review of cloud storage as a method to reduce storage costs, organizations must also consider the Records & Information Management implications — how will they manage and control information in the cloud to ensure information security and privacy (including authenticating user access and identity in the cloud)? How will they administer and manage litigation holds, discovery requests, and retention and destruction requirements?

Q: What sources did you find the most helpful in preparing your readiness for the topic?

Lofton: There are many white papers on the topic, such as the UC Berkeley article “Above the Clouds: A Berkeley View of Cloud Computing” (02/10/2009). I like articles where several government officials weigh in regarding the relationship between privacy and security because they cite both the risk and the benefits of the cloud storage approach. I also find helpful any articles on pilot projects and initiatives where cloud storage is considered as a viable alternative to maintaining applications and data stores for the US Government. My research isn’t restricted to domestic instances only, though. Other sources I use include:

Canadian Privacy Commissioner paper “Reach for the Cloud(s): Privacy Issues related to Cloud Computing” priv.gc.ca/information/pub/cc_201003_e.cfm
World Privacy Forum: “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing” by US lawyer Robert Gellman www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf
EU, European Cyber-Security Agency ENISA “Cloud Computing Security Risk Assessment” and related documents
Cloud Computing in the Canadian Environment www.cloudbook.net/canadacloud-gov

Q: Cloud computing and records management have specific obligations to each other. What do you find most intriguing about the dynamics of the relationship?

Lofton: The biggest issue that an organization faces when deploying cloud computing is the obligation to ensure that the company’s policies surrounding retention, privacy and security are administered and validated in the cloud. Vendors must have the ability to meet their potential client’s needs relating to the authentication of users, data access and the physical storage of data in the cloud.

Organizations can look to ARMA International’s Generally Accepted Recordkeeping Principles (GARP) to ensure that those principles are incorporated into the organization’s information governance plan which extends to the cloud. The GARP Principles include: Accountability, Integrity, Protection, Compliance, Availability, Retention, Disposition and Transparency.

Q: How does a cost benefit analysis of cloud computing partner into a more profitable Records program?

Lofton: Should an organization choose to deploy cloud computing, the cost savings associated with this alternative can be allocated to other RIM and technology initiatives within the organization. Cloud computing alternatives also eliminate some of the barriers to costs associated with building an advanced IT infrastructure to support applications internally.

Q: How does this relationship between cloud computing and RM pair with mobile devices?

Lofton: Mobile devices allow users to access their data from virtually anywhere in the world. When traveling abroad e-mail may be on a dedicated server that bridges through another wireless network in order to connect to your cloud storage vendor. The Records and Information Manager should ask, how long do you back up what is on your servers? What version(s) would be discoverable in the cloud? What are the available encryption options? The security of these devices, should a user lose such a device, must be managed remotely.

Q: Records and Information Managers are always conscious of contractual obligations and you purposefully mention it in your presentations. What questions stand out to you as important in the dialogue between company and potential vendor?

Lofton: There are various requirements that organizations must comply with such as SOX, HIPAA — HITECH etc. The key is to ensure that your vendor will protect your data with the same care you would. If a vendor does not meet your organization’s standards with a planned approach and response, then they are not the right vendor for you. I advise colleagues to ask at least the following:

How will the vendor protect the data and authenticate users?
How will they notify us if a third party makes a discovery request?
What is their disaster recovery process and how will they ensure our data is available in the event of a disaster?
What is their process for permanent removal of data?
Where is data physically stored and could the physical data warehouse be moved to another country and if so how much notice will we be given?
Are they applying USDOD 5015 standards to their data security protocols—indeed, are they USDOD 5015 certified?
What is their approach to compliance audits and Litigation Holds?
In the case of a data breach, how will we be notified?
Are they willing to enter into a BAA (Business Associate Agreement) with us to protect private health information and follow procedures to be HITECH ACT compliant?

Q: Do you have any predictions for what will happen in the next year for cloud computing and RM?

Lofton: As organizations move toward adopting cloud computing approaches such as Software as a service (SAAS), Infrastructure as a service (IAAS) or Platform as a service (PAAS), they will look to organizations such as ARMA International, AIIM and technology associations for best practices.

I am interested particularly in a checklist of items to consider when outsourcing to cloud storage, as well as trends and case studies of organizations using cloud storage, including international privacy issues surrounding physically moving data stores from one country to another.

Editor’s note: Mimi Dionne also recently interviewed Susan Scrupski. Read that Interview in Interview: Susan Scrupski and Her New Socio-Collaborative Virtual Network Part 1

For more information: http://www.cmswire.com/cms/enterprise-cms/interview-samantha-lofton-and-the-records-implications-of-cloud-computing-008025.php
