Evaluating cloud services – check this!

Research partners of InterPARES Trust are conducting research from many different perspectives into issues of trust and trustworthiness of digital records and data in online environments – that is, over the internet and in the cloud. Some researchers are investigating users’ perspectives of trust – do we as citizens trust the records that our governments provide in open government frameworks? or in social media? Other researchers are looking at how trustworthiness – that is, authenticity, reliability, and accuracy – is being handled and managed within organizations, whether they are national or local archives, government agencies, businesses, international organizations, or by individuals. Still others are investigating how sensitive cultural heritage collections are being managed online. These collections may be the records of or about indigenous populations, containing sensitive cultural material or evidence of trauma. All of these situations raise critical concerns for archivists and records managers, and for all individuals whose information, personal or not, may be available online, whether by their own intention or through the actions of others.

Results of InterPARES Trust studies are reported in many papers, conference presentations, interim reports, and final reports. All of our publicly disseminated findings are available on the InterPARES Trust website.

Today I want to introduce two Checklists, developed by researchers in the North American Team and European Team respectively, that will be useful to you if you are evaluating your contract with a cloud service provider to see if they have your best interests (and those of your records) at heart, or if you use a Single Sign-On system (SSO).

But first things first. In InterPARES Trust’s terminology database the term “trust” is defined as “confidence of one party in another, based on alignment of value systems with respect to specific actions or benefits, and involving a relationship of voluntary vulnerability, dependence and reliance, based on risk assessment.” This means that the users of cloud services should have enough information about a particular service (e.g. in its Terms of Service) in order to trust it, or that the service level agreement (SLA) between users and the cloud service provider (CSP) should equally protect the interests of both parties involved.

The Checklist for Cloud Service Contracts will help you understand what to look for in boilerplate contracts or what to ask for in negotiated contracts so that you can be confident that your records will be secure and can be presumed authentic, reliable, and accurate while they are in the cloud. This Checklist approaches cloud service contracts from a records management, archival, and legal perspective.

The target audience for this document is records managers, archivists, chief information officers, and others who are assessing cloud services for their organization. The aim of this document is to provide a tool to:
  • gain an understanding of boilerplate cloud service contracts;
  • verify if potential cloud service contracts meet their needs;
  • clarify recordkeeping and archival needs to legal and IT departments;
  • communicate recordkeeping and archival needs to cloud service providers.

Be aware, this checklist is a tool for consideration only and does not constitute legal advice! We do not recommend for or against any particular cloud service provider (or the use of cloud services in general). Individuals and organizations should consult legal counsel if they want legal advice on a particular contract.

The other Checklist I want to introduce today is the Checklist for Single Sign-On Systems. It is designed to offer guidance to records managers and archivists in businesses, government agencies or other organizations who are assessing single sign-on (SSO) systems, and to SSO developers who want to ensure that they have provided sufficient information on the system they are developing in order to detect the possibilities of exchanging identification and authentication credentials.

The Checklist results from an analysis of implemented governmental e-Services in the EU in the context of national single sign-on systems in order to detect possibilities of exchanging identification and authentication credentials among them, thus creating a network of trust between the national systems enabling citizens to seamlessly use other countries’ e-Services. Single sign-on systems and their key components were analyzed in 28 European countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. This analysis built on findings by the research team that there was an absence of publicly available information important for establishing trust in e-Services, particularly information about ‘Storage and long-term content availability’ and ‘System operation transparency.’

Both of these Checklists are made available through a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.

If these Checklists are useful to you, we would love to hear from you! Send your comments and suggestions. The research teams will consider all feedback.
