ERM Team Technology Evaluation: Cloud Computing FY2009

TECHNOLOGY EVALUATION: CLOUD COMPUTING

Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

This research was entirely conducted using resources from the Internet. Cloud Computing is a dynamic topic that generates thousands of returns from search engines. These sites are constantly being updated as the technology evolves and users report their experiences. We have provided links where appropriate; however, given these circumstances, we do not guarantee that users can return to those sites and retrieve identical information.

I. Definitions

Simply defined, cloud computing is a technology that allows users to utilize and access, via the Internet or a Virtual Private Network, a scalable range of resources without having to build infrastructure to support these resources within their own environments or networks. The concept of cloud computing was recognized as early as the 1960s by the telecommunications industry and has evolved through advancements by leading technology companies such as IBM, Microsoft, and Google.

The National Institute of Standards and Technology (NIST), Information Technology Laboratory is developing guidance for cloud computing to be released in summer 2009. The guidance includes a draft definition of cloud computing as well as a model describing characteristics, delivery models, and deployment models. The current draft defines cloud computing as, “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (Draft NIST Working Definition of Cloud Computing, 6-1-09)

An easy-to-understand example of a simple cloud computing model is Google’s Gmail service. This service allows users to send and receive e-mail without having to install separate software on their workstation. Users can access their e-mail, which is stored in Google’s cloud, using any current Internet browser. A wide range of software applications, from photograph editing (picnik.com) to financial management (mint.com), also follow this model and are entirely cloud based. Users of these services benefit by having their data securely stored and accessible from any Internet-enabled device.

Another easily understood configuration of cloud computing services is the online storage of data provided by services such as mozy.com or Amazon’s S3.
Here, users are simply paying for the convenience of having their data stored in the cloud. Pricing varies by service, but can be generally characterized as “pay as you go” solutions.

II. Architecture/Examples of Service Models:

Cloud computing services can be grouped in the following categories or models:

• Infrastructure-As-A-Service (IaaS)
• Platform-As-A-Service (PaaS)
• Applications-As-A-Service (AaaS)/Software-As-A-Service (SaaS)

Cloud-based Infrastructure or Infrastructure as a Service (IaaS): In this model, computing infrastructure such as servers, network equipment, and data storage is offered by service providers on a scalable basis. It is a logical extension of web hosting services. Typically, users are billed only for the amount of resources used.

Cloud-based Development or Platform as a Service (PaaS): In addition to having some computing resources in the cloud, PaaS adds workflow services for application development. This allows users to collaborate, develop, test, deploy, host and maintain applications in the same integrated development environment.

Cloud-based Applications or Software as a Service (SaaS): In this model, the software and all required infrastructure reside in the cloud. Users log on from anywhere and have full access to the same resources. This is the implementation of cloud computing that fully takes advantage of the benefits offered by cloud computing economies of scale; that is, the hardware, operating system and software code all exist in the cloud (see table below).

The table below illustrates the typical configurations of the three primary cloud computing models against the traditional client/server model (non-cloud) by showing where the IT resources would most likely be physically located. “Within the organization” indicates that Federal agencies must purchase and maintain all equipment and platforms, which is currently the predominant configuration in Federal agencies.

| Configuration | Traditional Client/Server Model | Cloud-based Infrastructure (IaaS) | Cloud-based Development (PaaS) | Cloud-based Applications (SaaS) |
|---|---|---|---|---|
| Hardware | Within the organization | Cloud | Cloud | Cloud |
| Operating System | Within the organization | Within the organization | Cloud | Cloud |
| Software Code | Within the organization | Within the organization | Within the organization | Cloud |

These models are constantly evolving as cloud service providers explore different levels of services and as technology allows users to identify different uses. One example of this might be the ability to have cloud services available to any device capable of being connected to the internet, like a cell phone.

Depending upon users’ concerns, needs, and other considerations, the above configurations can be deployed in the following ways:

• Private cloud - enterprise owned or leased
• Community cloud - shared infrastructure for specific community or interest group
• Public cloud - Sold to the public, open to anyone
• Hybrid cloud - composition of two or more cloud configurations

(Draft NIST Working Definition of Cloud Computing, 6-1-09)

III. Ongoing Initiatives:

The Obama Administration, including the Federal CIO, is encouraging Federal agencies to adopt cloud-based solutions for a wide range of activities. The recent deployment of the Open Government Initiative tasks Federal agencies with identifying more cost-effective and efficient ways to make government more transparent, collaborative, and participatory. Many of the recent Government 2.0 initiatives, including Data.gov, utilize cloud computing services.[1]

The OMB’s Infrastructure Modernization Program proposes the following areas for cloud computing applications under the “Improving Innovation, Efficiency and Effectiveness in Federal IT” section in the FY ’10 Presidential Budget request:

• End-user communications and computing
• Secure virtualized data centers
• Portals, collaboration and messaging
• Content, information, and records management
• Workflow and case management
• Data analytics, visualization, and reporting
• Enterprise Software-as-a-Service

[1] “The federal government's Data.gov and USA.gov are among the Web sites now running on Terremark's infrastructure-as-a-service offering, called Enterprise Cloud. A number of other agencies are soon expected to announce their own plans to host applications on the service.” J. Nicholas Hoover, “Inside Terremark's Secure Government Data Center,” Information Week, July 28, 2009

The General Services Administration (GSA) and the Federal CIO Council are part of a working group tasked with exploring the implications for Federal agencies implementing cloud computing. They are working to find cloud services that could be used across the government and are Federal Information Security Management Act (FISMA)-compliant. To this end, GSA hired Patrick Stingley as the CTO for Federal Cloud Services to manage GSA’s cloud computing implementations.

Many other agencies are also in the process of determining if components of cloud computing are a viable option, including FBI, U.S. Marine Corps, and the Department of Energy. The Defense Information Systems Agency (DISA) is actively using cloud computing to provide services to employees around the globe.

Currently, Federal agencies are focused on providing these services within private and community cloud deployment models. They are also investigating options to move vendor applications and services within the private cloud boundaries to take advantage of SaaS options. The U.S. Marine Corps has implemented a private cloud and has found that the costs of running the cloud in-house are competitive with services offered by a third-party provider, such as Amazon.

The following table lists several examples from the Administration’s FY 2010 budget of government pilots using cloud computing:

| Agency | Use |
|---|---|
| Argonne National Laboratory | Physics Research on Amazon EC2 |
| Government of D.C. | 38,000 Google Apps seats; Google Sites used for procurement and contract management; Amazon EC2 used for disaster recovery and backups; D.C. Geographic Information System on top of Google Earth |
| U.S. Dept. of Health and Human Services | IT Product Request Tool on Salesforce.com |
| U.S. Census Bureau | Partner mgmt tool (100,000 partners) in Salesforce.com; Data made available in Public Data Sets in Amazon |
| National Geospatial Intelligence Agency | Application hosting: Amazon |
| Department of Defense | TIGRNET: Real-time incident reporting from the field |
| Marine Corps Reserve Mobilization Command | Multi-channel case management from RightNow |
| DISA - Defense Information Systems Agency | RACE Rapid Access Computing Environment with HP; Desktop cloud computing with Simtone/Northrop Grumman |
| U.S. Federal Government | Google applications, YouTube, Flickr; USA.gov on Terremark’s cloud |
| U.S. Army | Recruiting Tools on Salesforce.com |
| NASA | Cloud computing integration a key award consideration in their $1.5B IT procurement budget |
| CIA & other intelligence agencies | Intellipedia used by 35,000 active intelligence users |
| California Public Utilities Commission | Open Campus Internal cloud & social networking application Momentum |
| U.S. Department of State | On-demand CRM from RightNow; Financial tracking solution including mobile access by Acumen; Google Applications deployment by Acumen |

IV. Benefits/Concerns

The benefits of pursuing cloud solutions are pretty clear and well-documented by the vendors in their literature. The most obvious is savings in cost for IT infrastructure, as cloud solutions all offer “pay-as-you-go” service plans that allow flexibility in IT cost models. By definition, these plans allow purchasers to avoid overbuying IT resources and have the ability to scale up as necessary.

No discussion in the literature about cloud computing in the Federal environment is without a listing of the concerns and downsides. The most commonly cited concerns are the security and privacy of information. Cloud service providers have developed their own architectures that may not comply with FISMA requirements. Providers are still developing the technology and have many challenges to face regarding the security, integrity, portability, and interoperability of data. The intelligence community, while embracing the concept of cloud computing, has moved carefully to establish private clouds for use within the intelligence community.

V. Implications for Records Management

NARA needs to articulate a strong position that if data meets the criteria for a Federal record and is created or stored using cloud computing services, it must be scheduled and managed as such.
Agencies must take actions to ensure these records are properly maintained. NARA's recently released Guidance for Agencies Managing Records in Multi-agency Environments may assist agencies with these efforts.

NARA has the opportunity to enter the discussions about cloud computing in the Federal government at this critical juncture to ensure agencies consider the records management implications as they develop and implement cloud computing services. The primary concern with the ongoing deployment of cloud computing solutions is that the advocates driving the technology are not considering records management in the deployment and development of cloud solutions, which inevitably leads to great difficulties in meeting recordkeeping requirements. Most, if not all, of the discussions about the drawbacks to using these solutions concern IT security and management operations, with no consideration for records management implications. We identified several records management implications that should be considered by Federal agencies and the vendors they engage.

One records management implication concerns interoperability and portability of the data stored in the cloud. Currently, the various cloud architectures lack formal technical standards governing how data is stored and manipulated in cloud environments. This results in a lack of portability and interoperability of data maintained in cloud solutions and is a threat to the long-term sustainability of the data. By setting aside recordkeeping copies in a cloud environment, agencies may have difficulty removing records when it is necessary to do so for recordkeeping requirements or to switch vendors.

Another implication for records management is the ownership and control of data stored in cloud environments.
Agencies must take precautions to ensure that ownership of the data is clearly understood, particularly when agreeing to participate in Web 2.0 services such as YouTube, Flickr, or Facebook, or in the creation of procurement contracts, as described in “Records Management Language for Contracts”. The terms of service agreements for Web 2.0 services generally claim ownership of content posted to their sites, which creates issues that must be addressed by agencies exploring Web 2.0 services. Contract language for procuring cloud solutions should clearly state that the agency has ownership of “the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created.” It is the contractor’s responsibility to “deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.”

Discussions by the legal community about the risks of using cloud solutions center on the implications for e-discovery and tend to focus on the destruction or deletion of data. Once information is deemed to be no longer of value, it should be deleted. However, there are some risks in discovery actions created by numerous back-ups of data. The design of cloud-based architecture is such that multiple backups of old records may exist in multiple places. This could pose significant issues for agencies in e-discovery and the delivery of records as part of litigation.

Finally, it should be noted that some vendors are beginning to produce records management applications that can be integrated with cloud computing services. Microsoft’s Azure Services Platform provides storage with software services such as SharePoint, and Open Text has a records management and archiving service that can be integrated with Azure. Alfresco, an open source enterprise content management system with a records management component, has the ability to work with cloud storage. These developments indicate that some vendors are starting to consider the implications of building cloud solutions with records management capabilities. There is a future possibility of using cloud computing for records management services, especially for those components/business processes already in the clouds.
