Wednesday 24 February 2010

Information Management: the forgotten issue of the cloud

There was an interesting supplement on Cloud Computing from MediaPlanet within this Saturday’s Daily Telegraph (Ok I know it’s now Wednesday, but it takes me most of the week to wade through the weekend papers!).
The supplement - of which I can sadly find no English language online version - appears to be aimed at a senior management audience and is deliberately light on the technical detail, choosing to focus more on the benefits to the organisation which moving towards cloud-based computing can bring (institutional agility, flexibility and cost saving seem to be the main arguments in favour). It also includes ‘5 steps to making the most of cloud’ which are:

1. See the possibilities
2. Consider security
3. Use it to your advantage
4. Push the boundaries
5. Consider logistics

It would be hard to disagree with any of these, but its steps 2 and 5 which interested me most. For whilst steps 1, 3 and 4 (and, indeed, the rest of the content in the supplement) is designed to articulate the advantages and to push the potential it is these two steps which are designed to sound a note of caution and to instil the need for a cautious, managed approach to the management of the risks involved.

But if you were to rely solely on this supplement for guidance you’d be mistaken for assuming that data security should be your only concern when adopting a cloud-based computing environment (especially as the ‘logistics’ which Step 5 encourages you to consider relate to issues of security and mobile devices so is, in effect, just an extension of Step 2: Consider Security).

Aside from a passing mention of data protection and the potential need for some organisations to keep certain data within ‘certain geographic boundaries’ (which I’m assuming is again essentially related to the requirements of the Data Protection Act) what is entirely missing is an appreciation of the information management implications of moving data to the cloud. There is no acknowledgement of the need to ensure that current levels of record and information management control, say in relation to resource discovery or retention, must be continued into the cloud; nor any recognition of the potential problems of ensuring that this is so.

Interestingly, some of the issues which may come to the surface if these concerns are ignored are obliquely and inadvertently acknowledged – for example the point is made that in the cloud you pay as you consume, but the point is not expanded to its logical conclusion that it therefore pays to know exactly what information you still need to store (and pay for) and what can safely be destroyed. Likewise, the point is made that one of the biggest advantages foreseen for the ‘G Cloud’ (the UK Government Application Store which is currently being trialled) “could be allowing departments to share non-sensitive data so paper work is reduced and processes sped up” but no consideration is given as to how ‘sensitive’ and ‘non-sensitive’ data might be appropriately identified and controlled within the cloud.

On a more positive note Mark Taylor from Microsoft draws attention to the need for increasing standardisation so that the cloud ‘runs along the same principles and business models no matter who is managing the hosting’. Might the development of such standards and interoperability offer a potential means by which a single management layer can be placed on top of the cloud to allow organisations to consistently manage their information wherever it happens to reside in the cloud? And in doing so might it help address some of the management information issues which this supplement failed to acknowledge?

3 comments:

Nicole said...

Hi Steve

another thoughtful post! You are right, DP is often seen as one of the main security risks that need to be considered alongside the usual IT network security considerations when moving data into the cloud. I recently attended a Unicom event on cloud computing and was surprised that RMs mostly focussed on how to comply with the DPA when storing data in the cloud and not at all on how to apply classification and retention or even access security measures. There is a lot of work to be done to make RMS aware of the full spectrum of potential risks and ways to mitigate them. I think the work needs to start with an identification of cloud use cases and types of data that can or should be stored in the cloud. Only then can RMS assess compliance risks etc. - Just a thought - I might be completely off there!

Sally Newton said...

Hi Steve

I keep coming back to your blog to see if there are any new posts.

I found your blog when I had to set up a blog for Net Communications a subject I am studying.

I had to choose a "niche" so I chose Information Management. A search of the blogosphere turned up your site.

records management said...

This is great to know about the issue related to the cloud. Basically, Information management is the collection and management of information from one or more sources and the distribution of that information to one or more audiences. It includes both electronic and physical information.