Research

Public Research Dissemination

This section provides access to publicized research dissemination for the Records in the Cloud project.

Sub-Section Title

    Alva, A., Endicott-Popovsky, B., David, S.
  • "Forensic Barriers: Legal Implications of Storing Information in the Cloud," UNESCO Conference: The memory of the World in the Digital Age: Digitization and Digital Preservation. Vancouver, B.C.
    Barloura, G., Pan, W., Rowe, J.
  • Weimei Pan, Joy Rowe, Georgia Barloura (2013) "Records in the Cloud (RiC): Profile of Cloud Computing Users," Proceedings of the Inaugural International Conference on Cloud Security Management (ICCSM-2013), Seattle, WA.
  • Weimei Pan, Joye Rowe, Georgia Barloura (2013) "Records in the Cloud (RiC): Profile of Cloud Computing Users," Poster presentation at Inaugural International Conference on Cloud Security Management (ICCSM-2013), Seattle, WA.
  • "Records in the Cloud (RiC): Profile of Cloud Computing Users," Poster presentation at ARMA International Conference, Las Vegas, NV. October 2013.
    Borglund, E., Bushey, J., Shaffer, E.
  • "Records In the Cloud: A Collaborative Research Project," Panel Session at the Information Management in a Changing World (IMCW) International Symposium, Limerick, Ireland
    Bushey, J., Shaffer, E., Borglund, E.
  • Jessica Bushey, Erik Borglund, Elizabeth Shaffer (2013) “Records in the Cloud: A Collaborative Research Project.” Information Management in a Changing World (IMCW) International Symposium. September 4-6. Limerick, Ireland
    Dupuis, M., Endicott-Popovsky, B., Crossler, R.
  • Marc Dupuis, Barbara Endicott-Popovsky, and Robert Crossler (2013) "An Analysis of the Use of Amazon’s Mechanical Turk for Survey Research in the Cloud." In Proceedings of the International Conference on Cloud Security Management: ICCSM 2013 , Barbara Endicott-Popovsky ed. October 17-18. Seattle, USA: Academic Conferences and Publishing International Limited. pp.10-18.
    Duranti, L., Goh, E., Chu, S.
  • "Archival Legislation for Engendering Trust in an Increasingly Networked Digital Environment," International Congress on Archives. Brisbane, Australia.
    Duranti, L., L
  • "Focusing on Relationships in the Networked Environment: InterPARES Trust," Association of Canadian Archivists Annual Meeting, Winnipeg, MB
    Duranti, L., Rogers, C.
  • Luciana Duranti, Corinne Rogers (2016) "Trust in Records and Data Online." in Integrity in Government Through Records Management: Essays in Honour of Anne Thurston, eds., James Lowry, and Justus Wamukaya, Routledge (New York, NY): pp. 203-214.
  • Luciana Duranti, Corinne Rogers (2012) "Trust in digital records: An increasingly cloudy legal area." Computer Law & Security Review. Vol. 28, Issue 5, pp. 522-531.
    Duranti, L., Rogers, C., Bushey, J.
  • "Different Communities, Same Issue: Trust Relationships in a Networked Environment," Association of Canadian Archivists (ACA) Annual Conference 2013
    Duranti, L., Shaffer, E.
  • Luciana Duranti, Elizabeth Shaffer (2013) "E-Learning Records: Are There Any to Manage? If So, How?" in Social Media and the New Academic Environment: Pedagogical Challenges, eds., Bogdan Patrut, Monica Patrut, Camelia Cmeciu, Information Science Reference (an Imprint of IGI Global), (Hershey, Pennsylvania): pp. 273-292.
  • "The Potential Challenges of E-Learning Records: Are We Up to the Task of Managing Them?," Vancouver, B.C. -- 9th International Conference on Technology, Knowledge and Society.
    Endicott-Popovsky, B.
  • Barbara Endicott-Popovsky, ed. (2013) The Proceedings of the International Conference on Cloud Security Management ICCSM-2013 . Seattle, USA: Academic Conferences and Publishing International Limited. 17-18 October 2013.
    Franks, P.
  • Patricia Franks (2016) "Capitalizing on the Cloud - examples of local government use of cloud-based software and services, risks and suggested solutions." NYALGRO School. June 7. Callicoon, United States.
    Léveillé, V., Maklouf Shabou, B.
  • Basma Maklouf-Shabou and Valerie Léveillé (2014) "Records in the Cloud: Résultats préliminaires." 43e Congrès de l\'Association des archivistes du Québec. May 28.
    Marciano, R.
  • Richard Marciano (2013) "Socializing 'Big Data': Collaborative Opportunities in Computer Science, the Social Sciences, and the Humanities." Duke University Franklin Humanities Institute and Social Science Research Institute.
  • Richard Marciano (2013) "Big Data Curation." Research talk. University of Washington iSchool.
    Pan, W., Guo, W., Fang, Y., Li, D.
  • Wei Guo, Yun Fang, Weimei Pan, Dekun Li, (2016) "Archives as a trusted third party in maintaining and preserving digital records in the cloud environment" Records Management Journal , Vol. 26 Iss: 2, pp.170 - 184.
    Pan, W., Mitchell, G.
  • Weimei Pan and Grant Mitchell. (2015) Records Management in the Use of Software as a Service (SaaS) Applications: A Case Study. 3rd International Conference on Cloud Security and Management, October 22. Tacoma, WA.
    Rogers, C.
  • "Records in the Cloud," SLAIS Research Day (poster)
    Rudolph, C., Kuntze, N., Endicott-Popovsky, B.
  • Carsten Rudolph, Nicolai Kuntze, and Barbara Endicott-Popovsky. (2013). “Forensic Readiness for Cloud-Based Distributed Workflows.” In Proceedings of the International Conference on Cloud Security Management: ICCSM 2013 , Barbara Endicott-Popovsky ed. October 17-18. Seattle, USA: Academic Conferences and Publishing International Limited. pp. 59–67.
    Schweiger, M., Chung, S., Endicott-Popovsky, B.
  • Michael Schweiger, Sam Chung, and Barbara Endicott-Popovsky. (2013). "Malware Analysis on the Cloud: Increased Performance, Reliability, and Flexibilty.” In Proceedings of the International Conference on Cloud Security Management: ICCSM 2013 , Barbara Endicott-Popovsky ed. October 17-18. Seattle, USA: Academic Conferences and Publishing International Limited. pp. 127-135.
    Shaffer, E.
  • "Social Media and Digital Records," Barbados, West Indies, International Council of Archives Section on University and Research Institutions Archives Annual Conference 2013
    Sheppard, A.
  • "Building a legal framework to facilitate long-term preservation of digital heritage," UNESCO Conference: The memory of the World in the Digital Age: Digitization and Digital Preservation. Vancouver, B.C.

Select a Section above to view its content.

Project Description

The research focuses on the benefits and risks of keeping records in the cloud. The term "cloud" is a metaphor for the Internet, where it is possible to create a virtual computing infrastructure replacing in whole or in part that internal to an organization. Hence, "cloud computing." Five essential characteristics make the cloud what it is:

  1. on-demand self-service, that allows users to access as many computing capabilities as they need;
  2. broad network access, so that a user can access the cloud from any machine that has a connection to the Internet;
  3. resource pooling, which makes of the cloud a multi-tenant model, supporting multiple users at the same time;
  4. rapid elasticity, in that users can change the amount of computing resources they need at any time, and the cloud will instantly expand to support their needs; and
  5. measured service, in that how much a user utilizes is precisely measured in terms of storage, processing, bandwidth, etc., and these resources can be monitored, controlled and reported to the users, who are only charged for what they need, using a pay-as-you-go model, in most cases reducing costs.

The most attractive aspect of the cloud is low cost. But how high is the price that organizations which keep records in the cloud pay in terms of control on their records or, as is the case with archives, on the records entrusted to them? The proposed research seeks to address that question in the context of the Canadian legal, administrative, and value system by investigating the following more specific research questions:

  1. How can confidentiality of organizational records and data privacy be protected in the cloud?
  2. How can forensic readiness of an organization be maintained, compliance ensured, and e-discovery requests fully met in the cloud?
  3. How can an organization's records accuracy, reliability, and authenticity (i.e., identity and integrity) be guaranteed and verifiable in the cloud?
  4. How can an organization's records and information security be enforced in the cloud?
  5. How can an organization maintain governance upon the records entrusted to the cloud?

This research is urgent and critical, addressing a demand as yet unmet. A fast growing number of public and private organizations, in an effort to save resources, is joining the cloud and entrusting the control of its records to external service providers without a full understanding of the risks involved with regard to legal jurisdiction on the records, security, privacy, processing, compliance, forensic readiness, and last, but not least, the ability to prove the records accuracy, reliability and authenticity. To these issues one has to add those related to the potential loss of access to the records due to law enforcement investigations of records of co-tenants, to the closing down of the CSP, or to the breaking down of retrieval systems. And how is an organization to know whether the records that were scheduled for destruction still exist when most, if not all CSPs, do not allow audit? The questions are many, but there are no answers based on facts ascertained through research. The dearth of academic literature, the inconsistency of legal opinions, and the sensationalism of media stories that fuel uncertainty and fear all support the urgency of this research. This project aims to enable small and medium-sized organizations which cannot afford a full-fledged digital recordkeeping and/or records preservation system to decide what is the best way to ensure that their records, or the records of others entrusted to them, will be safe, accessible, trustworthy, and under their control by developing the knowledge supporting such decision.


Theoretical Framework

Our approach to the development of knowledge about digital records and systems has consistently and successfully relied upon the theoretical constructs of archival science and diplomatics, centuries-old disciplines that study, respectively, the nature, structure, context, use and management of records aggregations, and the genesis, formal characteristics, transmission, and legal nature and consequences of individual records (Duranti, 1996, 1998). This project will continue to use the archival/diplomatics theoretical framework because it requires an understanding of digital records in complex systems, their authenticity and means of authentication, the conditions of their access and use, and the means of their long-term preservation. The concepts developed by the InterPARES (www.interpares.org) and the Digital Records Forensics (www.digitalrecordsforensics.org) projects constitute the necessary foundation for the research, which is also grounded on the principles governing risk management and information governance and assurance, as well as forensic readiness in the context of legal theory, especially as it regards the law of evidence.


Objectives

  1. To identify and examine in depth the management, operational, legal, and technical issues surrounding the storage and management of records in the cloud
  2. To determine what formal policies and procedures a CSP should have in place for fully implementing the records/archives management regime of the organization outsourcing the records, and for responding promptly to its needs
  3. To determine what formal policies and procedures a CSP should have in place for detecting, identifying, analyzing and responding to incidents
  4. To develop a methodology and an instrument for assessing the risks and benefits of outsourcing records/archives storage and processing to a CSP
  5. To develop guidelines for contractual agreements between organizations and CSPs, and for certifications and attestations by CSP
  6. To develop policy and procedural models for the integration of outsourcing to the cloud with an organization's records management and information governance programs, or archival preservation program

Methodology

A key part of the methodology will be gathering feedback from the two types of stakeholders, CSPs and users, not only in the structured way provided by the focus groups in third year of the research, but also informally though the delivery of workshops, continuing education opportunities, and papers at conferences.

View our Research and Privacy Statement

Year 1: Data Collection

We will collect and analyze data iteratively. We will first identify on the basis of the writings mentioned in the literature review above and of CSPs' websites various types of providers, and categorize them in terms not only of size and services (including the technology delivering them), but also of targeted clients. Then the team will select a small number of providers from each category to interview, in order to gather a clear understanding of their services and the conditions under which they are offered. In preparation for the interviews the team will collect from these providers samples or models of contracts and any other documentation, such as list of actual clients, if available and public. At the same time, the team will search for relevant legislation, regulations, case law and standards to identify the requirements that CSPs must satisfy and, on the basis of the accumulated information, prepare the interview questions. After interviewing the CSPs, the team will create a web survey directed to Canadian small and medium-sized public and private organizations - the most interested potential adopters of cloud computing - in order to assess how many use cloud services for recordkeeping and preservation and their level of satisfaction with the services received, and how many are thinking of using such services and why. Responses to the questionnaire will be coded and analyzed with NVivo Qualitative Research Software, and follow up interviews will be conducted with selected survey respondents who will have identified themselves as interested in participating in the research. We wish to interview a cross-section of those who are presently using cloud services (across types of services) and of those who are thinking of doing so.

Year 2: Analyze Data

The interview transcripts will also be analyzed using NVivo. Triangulation of data from the questionnaire and interviews, collected examples of CSPs' and clients' policies, sample contracts, etc., will be sought through document analysis conducted on a) legal and regulatory texts and case law, and b) reviewed literature, websites and documentation. On the basis of our findings, the team will draft the model policies and procedures, model contracts, strategies, and guidelines described among the objectives.

Year 3: Consult, Review, Test

The team will assemble focus groups of stakeholder's representatives among participating CSPs and potential clients to discuss, criticize and make suggestions about the draft material. The stakeholders will be sent the materials well in advance of a one day long face-to-face meeting in Vancouver, during which the two parties, CSPs and potential clients, will express their point of view and make recommendations, first separately and then jointly. The research team will write the proceedings compiling all the recommendations and will send them to both groups of stakeholders for review. Based on this feedback, the team will edit the material and ask the two groups of stakeholders' representatives to take it to their respective organizations to assess whether it is implementable and, if applicable, with what adjustments.

Year 4: Collect Tests' Results, Finalize Products, Write Research Findings

On the basis of the second feedback, the team will write the final version of model policies, procedures, contracts, strategies, and guidelines. The team will conclude the project by writing several scholarly articles discussing the findings of the research project from the point of view of each of the areas of knowledge involved, including archival science, diplomatics, records and information management and governance, information technology security, risk management, digital forensics, information assurance and forensic readiness, and the law of evidence.