Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

Databases selected: National Newspaper Abstracts (3), Research Library

A Walk in the Cloud

Patrick Cunningham, Jesse Wilkins. Information Management Journal. Lenexa: Jan/Feb 2009. Vol. 43, Iss. 1; pg. 22, 8 pgs
Abstract (Summary)

Perhaps no technology buzzword has engendered as much discussion in records management circles as Web 2.0. It's been hailed as everything from the solution to all of everyone's information management problems to the death of records management as a discipline. Organizations will move faster or slower to Web 2.0 depending on their regulatory environment and tolerance for risk. The bottom line is that there are benefits to using these tools: They tend to be less expensive than their mainstream competitors; they are easier to implement; and if they don't meet the organization's needs, there may be another provider with similar capabilities ready to ink a deal. However, moving to the cloud presents the enterprise with a number of risks to assess. At the top of the list of risks for many organizations is security of information. If the data storage shifts to the cloud, the ability to obtain uncontaminated copies of evidentiary data maybe reduced, if not eliminated.
Full Text (4804 words)

Copyright ARMA International Jan/Feb 2009 Internet- or "cloud"-based tools, are making their way - sanctioned or not - into more and more workplaces. Two records management experts suggest how organizations can leverage their benefits while mitigating their risks. Perhaps no technology buzzword has engendered as much discussion in records management circles as Web 2.0. It's been hailed as everything from the solution to all of our information management problems to the death of records management as a discipline. It's been the target of extensive discussion on a number of records-related e-mail lists, including those based in the United States, the United Kingdom, and Australia. And it's even the subject of a book by Steve Bailey, Managing the Crowd: Rethinking Records Management for the Web 2.0 World. (See a review of this book on page 50.) But what is Web 2.0 and why should organizations care about it? The 'Cloud' as the Well 2.0 Foundation "Web 2.0" has at least as many definitions as "records." Tim O'Reilly, publisher of O'Reilly Media and widely credited with coining the term, defines Web 2.0 as . . . the business revolution in the computer industry caused by the move to the Internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better the more people use them (emphasis added). In other words, Google, Facebook, YouTube, and applications like them are successful precisely because they get better as more people use them, whether to create information or merely to consume it. This is already making an impact on the way organizations create information - and must be understood in order for organizations to manage the information that is being created. Web 2.0 tools generally provide three main classes of functionality, regardless of the specific capabilities of the tool: 1. The Web as Platform: The application and the data it creates reside "in the cloud," hosted by a third party. It is generally accessed through a web browser - and may not be available at all in the absence of Internet access or if the application provider goes down. 2. Participation: The tools make it easy to create content by hiding or eliminating complexity. Google Docs and Zoho Write don't offer anything near the capabilities of Microsoft Word, but they offer enough capabilities for most users and in most circumstances. Similarly, blogs and wikis make it easy for users to create and consume content or collaborate. 3. Emergence: Web 2.0 tools allow users to create their own content with few or no rules or restrictions. Instead of saving information into enterprise repositories with access controls and rigid taxonomies, users can simply create, save, and publish

1 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

their work in the manner most useful to them. Users are not required to declare and classify records according to file plans and retention schedules, but can simply "tag" their documents with keywords that they can use later to find them. Organizations are looking at Web 2.0 tools for several reasons. The first reason, of course, is that they are the latest buzzword. Whether it's Web 2.0 in general, or specific tools like blogs, wikis, and social networking, Web 2.0 is frequently featured in technology trade and mainstream business publications. All vendors tout their Web 2.0 applications. They tend to be lower cost, at least initially, and many Web 2.0 applications are free for personal or small-office use, which makes them useful for pilot projects. They allow easy collaboration across time and geography. And many users, particularly those who are just entering the workforce, have ready access to them and are comfortable with them already. This last point speaks to the relatively rapid acceleration of growth of acceptance of Web 2.0 technologies in the workplace. Much like personal computers entered the workplace when end users began to acquire them in large quantities, many of the applications and services in the cloud are coming to the enterprise through end users who identify needs and solutions that can be met by tools and services with which they are already very familiar. The primary value proposition for Web 2.0 is reduced cost. Much like commercial records centers have displaced in-house records centers for many organizations, moving data and applications to the cloud takes the real estate and operational costs out of the equation for many IT departments. Storage and computing power can scale to meet the need of the moment. An organization does not need to build in capacity for peak periods, incurring costs for resources that are consumed only on a part-time basis. In addition, the organization is not continually chasing the storage capacity curve. Web 2.0: Benefits & Considerations Jesse Wilkins, CDIA+ Organizations will move faster or slower to Web 2.0 depending on their regulatory environment and tolerance for risk. But they are moving toward the technology - for a number of reasons. 1. Tools are simple to provide and maintain. One of the challenges many organizations experience is maintaining an increasingly complex IT infrastructure. Even smaller organizations still have to provide their employees with e-mail, office productivity tools, and all the other capabilities required by the modern knowledge worker. Those applications require specialized, highly skilled people to provide, operate, and maintain them. For most organizations, something as simple as moving to the most current version of software is not so simple; ask your IT staff what the process is for upgrading to a new version of Microsoft Exchange. Web 2.0 tools are much simpler to provide and require no maintenance from the perspective of the organization. 2. They have little downtime. The next benefit is a bit counterintuitive and may not be applicable for the largest, most sophisticated organizations. But for the rest, uptime is a major issue. Most Web 2.0 tools simply don't have downtime. Gmail has been in the news lately because it has experienced several outages; then again, it provides more than 7 GB of storage each to some 50 million users worldwide. Even taking those outages into account, Google has provided better than 99.9% uptime over the past 12 months, averaging 10 to 15 minutes downtime per month. That compares pretty favorably to all but the most mature enterprises. 3. They are low-cost. The previous two points lead to a third, which is perhaps the most important benefit of Web 2.0 tools. These tools are a fraction of the cost to provide and even lower cost to maintain. Granted, they generally include fewer capabilities, but some organizations see that as an additional benefit. Consider a small organization without the budget or technical expertise to implement a massively resilient e-mail system with automated failover and multiple stage-gate deployment capabilities. The cost to implement Web 2.0-based e-mail capabilities is significantly lower, and it requires almost no technical expertise. There are no upgrades, hot fixes, or service packs to apply, and no need to migrate - in fact, Web 2.0 tools have begun to turn the entire concept of software versioning on its head. Almost all organizations today, regardless of their industry, sector, or size, rely on office productivity suites to get their work done. More than 90% of those organizations use a version of Microsoft Office. The average cost of Office 2007 to an organization is significantly higher, even for upgrades, than the cost of Google Apps, Thinkfree, Zoho, or any of a number of other competitors. These competitors offer much less functionality than Office, but this is not necessarily a bad thing for many users. They are generally compatible with basic Office files. And many of them are free - which is even harder to beat. 4. It takes little effort to make them productive. Another benefit of Web 2.0 is the ability to fail. What this means is that when an organization selects an enterprise software

2 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

application, the cost and the effort to implement it generally demand that it be used by everyone in the organization, even when it comes with a steep learning curve and even when it isn't necessarily the right tool for every usage. Web 2.0 tools cost very little and are generally easy enough to provide and use that the time required to be productive with them is short. And if the tool turns out to be the wrong one, it is relatively easy to move on to another tool. One of the reasons Web 2.0 has found its way into organizations is because of users' frustrations with IT and the difficulty they have encountered in getting access to the tools they need. So far, most organizations haven't deployed wikis because the CEO read about them in a business magazine, or the CIO developed a detailed set of requirements and did a year-long analysis and feasibility study. Instead, wikis infiltrate organizations because users have a need for the collaboration capabilities and can deploy one as easily as signing up for a free pbwiki or Wikispaces account. Organizations are also increasingly running into the "shadow IT department" - users that use these types of tools at home and are comfortable enough with them to be able to provide them without, and even in spite of, the organization's IT department. And they are not that easy to stop. At last count, there are more than 250 Twitter-like tools, at least 40 web-based document creation and sharing tools, and more than 10,000 other Web 2.0based tools. IT departments that try to completely prevent the usage of these tools face a rapidly moving target. 5. They facilitate collaboration. Finally, one of the most significant benefits of using Web 2.0 tools is how well they facilitate collaboration. Collaborating through e-mail and attachments is the norm for many organizations. Everyone has e-mailed to a group of people a message with an attachment for review. Most recipients review the attachment and send comments back; some send their comments in a message; some mark up the electronic document with change tracking; and others simply make changes to the document before sending it back. The sender receives all the comments, bods them down into the necessary changes, and sends them back out for another review cycle - and then gets additional comments from the first draft. This process is broken for most organizations. From document-sharing tools like Scribd or Google Docs, to the wiki that was used to write this article, Web 2.0 tools include inherent collaboration capabilities. Many of them also offer networking and communication capabilities, so users know the status of a shared document: who is editing it and what changes were made when. This is particularly important when collaboration is required across a geographically dispersed organization. Managing the Tools So, given that users will use these tools, that organizations will find it increasingly difficult to block them, and that many organizations are looking at them as a legitimate opportunity to control costs and improve collaboration, how do organizations manage them effectively? First, while users know they shouldn't talk about their internal issues and challenges in public, they may not know that blogs, wikis, social networking, and other Web 2.0-type tools default to public access. Users also need to know that even if they don't use their organization's name, other people may recognize them and consider them to be publishing on their organization's behalf. Second, many of the tools have begun to mature. As they move from "bleeding edge" into mainstream usage, organizations are increasingly looking for the same types of functionality as from their other applications: identity integration, security, records retention and disposition, and the ability to place and enforce legal holds. And the market is responding. There are enterprise-focused versions of almost every major class of Web 2.0 application, including wikis, blogs, web conferencing and document sharing, and even social networking. Many of these can be implemented behind the organization's firewall and integrated into the identity infrastructure such as Active Directory. They generally use open protocols and data structures (often XML-based), so organizations should have minimal difficulty exporting from one solution to another or applying retention controls and policies. The key consideration for these tools, as with any other tools, is to do due diligence for the particular application. Review the service level agreement to see how realistic it is, how enforceable it is, and what happens if something happens. Select a vendor with a track record - and call its reference accounts. Integrate the tool into existing backup and disaster recovery protocols; many of these applications are web interfaces to database back ends, and database maintenance is mature technology. The Bottom Line The bottom line is that there are benefits to using these tools: They tend to be less expensive than their mainstream competitors; they are easier to implement; and if they don't meet the organization's needs, there may be another provider with similar capabilities ready to ink a deal.

3 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

There are risks to using these tools, but they are not insurmountable. Not every tool will be right for every organization or situation, but many will be useful for particular purposes. Organizations need to be smart about how to use the tools to maximum benefit while maintaining effective control over their usage. And many organizations will want to consider enterprise versions of these tools and do their due diligence before committing. Records managers must be full partners in the process of selecting and evaluating these services and tools. They will need to adapt their principles to suit this new environment. They cannot afford to bury their heads in the sand in hopes that this is a passing fad. Why Use Web 2.0 Tonis? * They support collaboration across time and space. * They are easily accessible and easy to use. * Many people already have a comfort level using them. * They are low-cost (sometimes even free). * They do not require much IT support. * They have very little "downtime." * Because they are inexpensive and easy to use, there is little risk in trying them. ...there are more than 250 Twitter-like tools, at least 40 web-based document creation and sharinf tools, and more than 1,000 other web 2.0-based tolls. IT departments that try to completely prevent the usage of these face a rapidly moving target. Jesse Wilkins may be contacted at jwilkins@accesssciences.com. See his bio on page 54. Web 2.0: Issues & Risks Patrick Cunningham, CRM Organizations are moving to the cloud, some faster than others. However, moving to the cloud presents the enterprise with a number of risks to assess. Depending upon an organization's risk appetite, these risks may be significant. At the core of these risks is the inability of many cloud/Web 2.0 vendors to meet regulatory and legal requirements that are commonly encountered by many enterprise customers. Security At the top of the list of risks for many organizations is security of information. This may be driven by a need to protect intellectual property, trade secrets, personally identifiable information, or other sensitive information. Putting that information into the hands of a third party is certainly not uncommon. Having the third party place that information into a shared storage environment is somewhat less common. Having that information available on the Internet requires a significant investment in security controls and monitoring. Of concern is that many of the Web 2.0 applications contain no provision for monitoring content or traffic to ensure that sensitive information is not being transmitted inappropriately. Use of Web 2.0 tools also requires assurance that the pathway to the data is adequately secured. With information theoretically accessible from any point on the Internet, the provider must be assured that the computer/user accessing the data or application is properly authorized. This requires a very high degree of coordination between the enterprise and what may be multiple service providers. The information being stored by the third party needs to be secured from the third party's access as well. This need will likely be met by increased use of file and message encryption and public key infrastructure. Increased encryption, however, will likely mean loss of information when decryption keys are lost or a file becomes corrupted. Nonetheless, ensuring security of information outside the enterprise will be a growth opportunity both for the enterprise and the supplier community. Resilency Today's buzzword for what we knew as "disaster recovery," resiliency refers not only to uptime and availability, but it also has a focus on not allowing critical information to be corrupted or lost. A challenge for many providers is ensuring that customer information is protected, but with shared data centers and storage devices, information from multiple customers may end up in the same backup media, creating issues when the media is restored and potentially exposing confidential customer information to third parties.

4 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

The enterprise will need to pay special attention to the means by which the provider will ensure uptime and access to information, as well as where and how the information will be stored and backed up. Some Web 2.0 suppliers will be unable to customize their offerings to meet these requirements and will be unwilling to make fundamental changes to their business model to meet enterprise resiliency requirements. Free services will typically offer no enterprise-level resiliency. A significant concern is enterprise data managed on consumer-grade systems. While, statistically, Web 2.0 applications "simply don't have downtime," the reality is that an interruption in service by the provider can seriously affect numerous customers. E-discovery The current climate for e-discovery assumes, for the most part, that an enterprise knows specifically where its information is being stored, how it is being backed up, and how it is secured. The rules also assume that an enterprise will be able to physically examine storage devices and, when required, examine storage media for evidence of erased and/or deleted files. In the cloud/Web 2.0 environment, the enterprise may have little or no visibility to storage and backup processes and little or no physical access to storage devices. As noted above, the data from multiple customers may be stored in a single repository. This will create significant challenges to forensic inspection of the storage media and a proper understanding of file access and deletion. Arguably, the enterprise can document what it knows about the mechanics of hosted storage and applications, but it will likely need to contract with the provider for support with e-discovery and litigation matters. E-discovery and the Law Some pundits suggest that laws and regulations tend to lag the reality of technological advances by at least 10 years. The most recent amendments to the U.S. Federal Rules of Civil Procedure can thus be considered to reflect the computing environment of the late 1990s, rather than today's environment. As noted above, the current set of legal expectations regarding electronically stored information (ESI) makes many assumptions about the manner and location of the enterprise's ESI and the ability of the enterprise to describe how that information is created and stored. Of additional concern, particularly in criminal proceedings, is the ability of the enterprise to describe the flows of information, as well as the specific storage locations of information, so law enforcement can apply appropriate provisions of the criminal codes to criminal matters (e.g., a federal wiretapping statute may be applied in a matter because a data flow crossed a state border or a particular set of data was stored in another state). Computer Forensics For many organizations, computer forensics is a critical component both of e-discovery efforts and internal investigations. Computer hard drives, e-mail and local area network servers, thumb drives, and various storage media are all key locations of evidence for legal proceedings or actions against employees. The science of computer forensics often requires physical access to the storage device or computing resource. As is often shown on popular television programs, the process of collecting and examining data must be done in a manner that limits contamination of the evidence. Much can be learned from information stored by a computer's operating system, both in physical storage and volatile storage (information that is retained in a computer's random access memory, which will disappear almost immediately after a computer is turned off). When data and applications are moved off a local computer, the forensics investigator may lose the ability to access critical information for the case. The provenance of a particular file or the time the file was last accessed can often be crucial in determining how the file was used and who had access to it. If the data storage shifts to the cloud, the ability to obtain uncontaminated copies of evidentiary data may be reduced, if not eliminated. Basic Records Management Like the law, records management practices often trail technology. Steve Bailey's Managing the Crowd makes this point numerous times. At the same time, technology is often designed and implemented without regard for even basic records management principles. Many Web 2.0 applications allow the user to create and delete content at will. E-mail stored in the cloud is designed to use search capabilities rather than classification and retention processes. Many service providers believe that because data storage is incredibly cheap, deletion of data is unnecessary. The systems are thus designed with no retention management functionality. Data Privacy On the heels of all these issues, increasing awareness and attention to the protection of personally identifiable information (PII), as well as other data of concern to individuals, plays a role in determining the enterprise's appetite for risk. EU data privacy requirements mandate that PII be deleted as soon as it is no longer required. Other principles of data privacy require disclosure of data transfers and data processing beyond local jurisdictions, which can be a problem for data that is processed and maintained in the cloud. Infrastucture Duplication

5 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

While many end users find the capabilities of Web 2.0 applications meet their everyday needs, many organizations will need to retain e-mail infrastructure and licenses to commercial off-the-shelf software. This defeats an aspect of cost savings and infrastructure management that Web 2.0 applications promise. Connectivity Requirements For the desk-bound office worker, Web 2.0 applications may make a lot of sense. Most organizations have "always-on" connectivity to the Internet with high bandwidth. The worker likely doesn't know where the applications or data reside. The experience is seamless and trouble-free. The gap is for mobile workers who are relying on consumergrade cable or DSL connections that may lack the bandwidth and uptime of office colleagues. High-speed Internet offerings in hotels and retail establishments are sometimes unreliable, with help desks incapable of resolving connectivity issues. For mobile workers relying on Web 2.0 applications to make a living, lack of connectivity means they are unable to work. This contrasts with mobile workers who have a full suite of office and e-mail applications loaded on their computers. Those workers can be productive in an offline mode, even with little or no connectivity. This remains a significant barrier to full adoption of Web 2.0 applications. The "Don't Be Stupid" Factor The public nature of many Web 2.0 applications invites users to share about themselves. The blurring of lines between what is personal and what is business is another factor to be considered. Many organizations already have significant challenges with employees leaking company information in their "personal spaces" on the Internet. As organizations adopt more Web 2.0 tools, great care will need to be taken to clearly define what belongs to the enterprise and what belongs to the individual. The organization that implements YouTube-like video sharing for business purposes will need to be cautious about employees posting inappropriate content. While most users know that they shouldn't talk about internal issues in public, the reality is that many find it difficult to draw that line - or simply choose not to draw the line. As noted above, the organization will need to work closely with the service provider to secure sensitive information and monitor access to, and distribution of, that information. Migration Paths While many Web 2.0 applications are open and standardized, there is still a significant risk involved if the business relationship does not pan out for an organization. Migrating petabytes of stored files and e-mail to another provider will be a significant task. Converting a sales application or human resource data is a substantial undertaking, regardless of who is managing the application. The organization moving down this path will always have an exit strategy in place - one that accounts for potential incompatibility between applications, and one that ensures that the information can be quickly and efficiently moved to another provider. Web 2.0 and the cloud present the enterprise with considerable risks to consider when making the shift. For some organizations, the risks will be too great; for others, the reduction in cost will be the compelling driver. In either event, the enterprise must develop requirements to mitigate or accept risks that conflict with policy or law. And while today's low-cost business models are driving many organizations to consider moving to the cloud, the costs to the providers are not insubstantial and will require significant cash inflows to grow and sustain the infrastructure. The lesson today is that you get what you pay for. Adding necessary functionality, security, and resiliency will require service providers to spend considerable sums of money on behalf of the customer - all of which will need to be recovered over time. While the economies of scale wl mitigate these costs to some extent, service providers will need to monetize and make profitable their offerings in some fashion. Wy Hot Use Web 2.0 Tools? * Information is more difficult to monitor and secure. * Service interruptions are outside the organization's control. * E-discovery is more difficult without physical access to storage media. * Data available for forensic examination is lost when data is moved from local storage. * They do not allow systematic control over creating, storing, or deleting information. * Lack or loss of connectivity prevents work for those depending on them.

6 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

* Their casual nature may blur the line between business and personal use. The provenance of a particular file or the time the file was last accessed can often be crucial ... If the data storage shifs to the cloud, the ability to obtain uncontaminated copies of evidentiary data may be reduced, if not eliminated. Web 2.0 and the cloud present the enterprise with considerable risks to consider when making the shift. For some organizations, the risks will be too great; for others, the reduction in cost will be the compelling driver. Patrick Cunningham may be contacted at patrick.cunningham@motorola.com. See his bio on page 54. Other Terms Often Mentioned in Web 2.0 Related Discussions Enterprise 2.0: Andrew McAfee, associate professor at Harvard Business School, defines Enterprise 2.0 as "the use of emergent social software platforms within companies, or between companies and their partners or customers." This term is often used in contrast with Web 2.0 where the "enterprise" refers to the need for, and access to. controls, security, identity infrastructure, etc. Many of the web/enterprise/buzzword 2.0 thought leaders describe a spectrum where Web 2.0 is the 'Wild, Wild West" and increasing in control until the tools end up at Enterprise 2.0. Cloud Computing: Often used as a generic term for any type of web-based application, it can. in fact, refer to: * End-user-oriented web-based applications like Gmail * Platform-as-a-service applications like Salesforce.com * Utility computing, which is almost "hardware^as-aservice primarily for storage; examples include Amazon Web Services and Joyent. It is most commonly used today to refer to the grid or utility computing model, where it replaces local hardware and storage input/output. It is often metered, similar to the way electricity is metered, and can scale up or down very easily in nearly real time for spikes in usage. Software-as-a-Service (Sa a S) is more in line with the commonly accepted definition of Web 2.0. It refers to applications that are delivered over the web to the end user's browser. Most software billed as SaaS provides fairly rich functionality and may provide much or all of the comparable desktop application's capabilities. Examples might include Salesforce.com for customer relationship management or Microsoft Hosted Exchange for e-mail. Patrick Cunningham, CRM & Jesse Wilkins, CDIA+ Patrick J. Cunningham, CRM, is director, information management, collection & preservation for Motorola Inc., where his team's responsibilities include global records management, IT data privacy, and litigation and investigation support. Previously, he worked in various RIM management, strategy, and consulting roles. Cunningham holds a master's degree in public history from Loyola University of Chicago and has been a Certified Records Manager since 1992. He may be contacted atpatrick.cunningham@motorola.com. Jesse WHons, CDIAi-, is a principal consultant with Access Sciences, where he assists organizations with enterprise content and records management strategy, system design, and implementation oversight. He is a leading expert on managing e-mail and messaging technologies and a frequent author and speaker on emerging information management issues and technologies. He may be contacted a.tjwilkins@accesssciences.com.
Indexing (document details) Subjects: Classification Codes Locations: Author(s): Document types: Document features: Publication title: Source type: ISSN: Systems integration, Records management, Information storage, Data integrity, Risk management 9190, 5140, 5240, 3300 United States--US Patrick Cunningham, Jesse Wilkins Cover Story Photographs Information Management Journal. Lenexa: Jan/Feb 2009. Vol. 43, Iss. 1; pg. 22, 8 pgs Periodical 15352897

7 of 8

4/26/2010 10:43 AM

Document View - ProQuest

http://proquest.umi.com/pqdweb?index=7&sid=1&srchmode=1&vinst=...

ProQuest document ID: 1635159181 Text Word Count Document URL: 4804 http://proquest.umi.com/pqdweb?did=1635159181&sid=1&Fmt=3&cl ientId=10335&RQT=309& VName=PQD

Copyright 2010 ProQuest LLC. All rights reserved.

8 of 8

4/26/2010 10:43 AM