how the cloud can make government archiving more secure and less expensive

sponsored by Osterman Research, Inc.

P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected]

www.ostermanresearch.com • twitter.com/mosterman

An Osterman Research White Paper

Published July 2012

SPONSORED BY

sponsored by

How the Cloud Can Make Government

Archiving More Secure and Less Expensive

SPON

WH

ITE

PA

PER

SP

ON

©2012 Osterman Research, Inc. 1

How the Cloud Can Make Government Archiving More Secure and Less Expensive

EXECUTIVE SUMMARY OVERVIEW Government agencies at all levels – city, county, state and Federal – have an obligation to retain important records sent, received and stored in their email systems. Because of Freedom of Information Act (FOIA) requirements, open records laws, “Sunshine” laws and similar obligations, government agencies must retain all of their relevant records, be able to find them easily, and produce them on demand in a relatively short period of time. Moreover, government entities – like any other employer – must also retain data for purposes of e-discovery and similar types of obligations. KEY TAKEAWAYS • Government agencies must implement email archiving capabilities that will

permit them to capture very large amounts of information, retain it for many years (or indefinitely in some cases), and produce it as accurately and as inexpensively as possible.

• IT budgets for the deployment of new infrastructure are flat or declining because

most jurisdictions are experiencing a decline in tax revenue with simultaneous increases in expenditure obligations.

• Cloud-based archiving should seriously be considered by all government agencies

as a means of satisfying their content-retention obligations. Archiving in the cloud can be implemented at little or no up-front cost, allowing agencies to live within their current expenditure obligations. Moreover, cloud-based archiving offers more predictable costs over time, very high scalability, rapid deployment, highly secure storage and high availability.

ABOUT THIS WHITE PAPER This white paper explores the various obligations that government agencies have to retain email and other content, and explains the benefits of using cloud-based services to meet their archiving requirements. This white paper also provides a brief overview of Sonian, the sponsor of this white paper, and their relevant offerings.

THE IMPORTANCE OF CONTENT RETENTION IN GOVERNMENT GOVERNMENT AGENCIES HAVE AN OBLIGATION TO RETAIN DATA Every organization – regardless of its size, the industry it serves or how much data it possesses – must retain important records for various lengths of time. The requirement to retain data is imposed from a variety of sources, including legal precedent in which courts establish standards for the length of time that data must be retained, statutory obligations that specifically define the retention and production obligations for certain types of data, and internal best practices. Retention obligations apply for all forms of data, both physical and electronic. Government agencies are no exception to retention requirements and, in fact, face more such obligations than most other types of organizations. Because these agencies must satisfy sunshine laws and FOIA requirements, the obligations to preserve data are perhaps more strict for government agencies than for organizations in virtually any other industry. Moreover, we can expect that oversight and management of data will become stricter and more expansive in the future as requirements for increased transparency of government operations become more popular in theory, if not in practice.

Callout



NON-STATUTORY CONSIDERATIONS ARE ALSO IMPORTANT However, aside from the statutory and related types of requirements to retain data for long periods, there are three important reasons for government to implement archiving technology: • To lower IT costs

By migrating data from more expensive storage on email servers and other data stores, archiving can reduce overall storage costs by placing older data into less expensive archival storage systems. This can significantly reduce overall data management costs, particularly for larger agencies that store voluminous amounts of data.

• To improve storage management

An archiving system can make storage management much easier by indexing content and making it more easily discoverable and accessible. This is particularly important for agencies that must respond to sunshine-law or FOIA requests frequently, since it minimizes the amount of time that employees must spend searching for, filtering through and producing data for requestors.

• To improve email system performance

An archiving system can also dramatically improve email system performance by minimizing the amount of “live” data that must be stored on email servers. Because email messages and attachments older than 30 days are not accessed frequently, it makes sense to migrate this content to an archiving system for purely functional considerations. Doing so will reduce the amount of time required to backup email servers, it will speed the restoration of a server from backups when necessary, it will reduce the amount of overall downtime experienced in the email system, and it will make message delivery faster.

PROBLEMS THAT GOVERNMENT AGENCIES FACE There are four serious problems that government agencies face in the context of their data management practices and obligations: • Email is the de facto communications and file transport mechanism

For government agencies (and for most other types of organizations), email has become the primary method for communications and for sending files. While email is useful in this regard, using it in this way means that a large proportion of records that must be retained for long periods get stored in email systems and not in dedicated archiving or other systems focused on content management. If this content is not archived appropriately, it can become lost as a result of server crashes, data corruption or accidental deletion of information. Even if it is not lost, extracting needed content from an email server or a backup tape is arduous, expensive and time consuming.

• Content must be retained and readily available

Records generated and received by government agencies must be preserved for many years and, in some cases, indefinitely. This creates an enormous problem for agencies that do not have the indexing, storage and extraction capabilities in place to manage this information properly. Poor content management can result in an inability to produce information on demand, resulting in sanctions, adverse judgments and other negative consequences.

• BYOD complicates retention

The trend of “consumerizing” IT – that is, employees using their personal devices and a variety of Web 2.0 applications for work-related purposes, or Bring Your Own Device (BYOD) – is increasing. Employees are motivated to do so because they have the opportunity to use tools that they select and are specific to their requirements. IT departments are warming to the idea of BYOD, at least for hardware like smartphones, because employees are willing to bear the cost of



expensive communication and collaboration tools rather than requiring IT to pay for them out of an agency budget. That said, BYOD can significantly complicate content retention. For example, if users are creating and receiving records on personal devices, this content must be retained as if these records were created and received on agency-owned devices. If they are creating government records using Twitter, Facebook or other Web 2.0 applications, this content also must be retained. However, data must be extracted and retained by the employer, not an easy task for most agencies.

Enormous quantities of data make retention and access more difficult Finally, another serious problem faced by government agencies is that enormous data stores complicate the storage of content, make it more difficult to find and increasing IT costs. For example, if we assume that each employee in a 7,500-employee government agency generates 40 archivable records each day (five megabytes of content), and that this content must be preserved for 10 years, this will generate 750 million records and 89 terabytes of content over that retention period. In the absence of a robust and scalable storage and management infrastructure, finding content in data stores this large is, at worst, impossible and, at best, very difficult and expensive.

WHAT IF YOU’RE NOT ARCHIVING NOW? Every government agency – regardless of the level of government – must retain electronic records in their role as both the a) holder of personal and corporate information and b) as an employer that might be called upon to produce information for e-discovery or other purposes. Among the many requirements specific to government to retain and otherwise manage records are the following: FEDERAL REQUIREMENTS • Federal Information Security Management Act (FISMA) of 2002

“Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency…”

• The Freedom of Information Act

“Each agency, in accordance with published rules, shall make available for public inspection and copying…copies of all records, regardless of form or format…”

• Coordination of Federal Information Policy

The Director of the Office of Management and Budget shall “oversee the application of records management policies, principles, standards, and guidelines, including requirements for archiving information maintained in electronic format, in the planning and design of information systems.”

• OMB Circular A-130, par. 8a (1) (k)

Federal agencies must “incorporate records management and archival functions into the design, development, and implementation of information systems.”

• 36 CFR 1234.10

Agencies must “establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems.”

• The Paperwork Reduction Act

Agencies must “implement and enforce applicable records management procedures, including requirements for archiving information maintained in



electronic format, particularly in the planning, design, and operation of information systems.”

SELECTED US STATE REQUIREMENTS Every US state has a “sunshine” law, typically called a Public Records, Freedom of Information Act, Open Records or similarly named law. Examples of these requirements are provided below: • Alaska Public Records Act

“The public records of all public agencies are open to inspection by the public under reasonable rules during regular office hours. Public records are defined as "any document, paper, book, letter, drawing, map, plat, photo, photographic file, motion picture film, microfilm, microphotograph, exhibit, magnetic or paper tape, punched card, electronic record, or other document of any other material, regardless of physical form or characteristic, developed or received under law or in connection with the transaction of official business."

• Arizona Public Records Law

Public records are “all books, papers, maps, photographs or other documentary materials, regardless of physical form or characteristics, including prints or copies of such items produced or reproduced on film or electronic media pursuant to section 41-1348, made or received by any governmental agency in pursuance of law or in connection with the transaction of public business” and are “open to inspection by any person at all times during office hours.” Metadata has recently been deemed as subject to open records requests.

• California Education Code Sections 35250-35258, Article 8

“The governing board of every school district shall…make or maintain such other records or reports as are required by law.”

• California Public Records Act

Imposes a requirement on California’s state government to provide public records.

• Florida 119.01 and Title XIX Chapter 286

Provides that all state, county, and municipal records are open for personal inspection and copying by any person.

• Louisiana Sunshine Law

“All books, records, writings, accounts, letters and letter books, maps, drawings, photographs, cards, tapes, recordings, memoranda, and papers…are ‘public records’”.

• Massachusetts SPR Bulletin No. 1-99

“All email created or received by an employee of a government unit is a public record.”

• Missouri Public Records Law

Almost all emails are public records. • Ohio Public Records Act

Virtually every type of record created by a government entity in the state, including those of alternative schools, is a public record.

• Oregon Public Records Law

“Every person has a right to inspect any public record of a public body in this state, except as otherwise expressly provided.”

• Washington Public Records Act

“Each agency, in accordance with published rules, shall make available for public



inspection and copying all public records, unless the record falls within…specific exemptions…”

• Wisconsin Public Records Law

“Except as otherwise provided by law, any requester has a right to inspect any record.”

ARCHIVING IS A BEST PRACTICE FOR ANY AGENCY Aside from the specific retention obligations imposed upon all government agencies to retain records for FOIA or other requests is the fact that archiving is a best practice for any organization, including government agencies. However, archiving of government records is an area that continues to evolve, particularly as newer forms of communication become more commonly used. Some important examples in this regard are the following: • In March 2011, the Utah legislature passed House Bill 477 (HB477)i, which

exempted lawmakers’ emails, text messages and other online communications from the state’s public records disclosure requirements, the Government Records Access and Management Act. HB477 was scheduled to go into effect on July 1, 2011, but was repealed in late March 2011 amid vigorous protests from a variety of groups. A working group set up by the legislature following this debacle developed SB177, a bill that requires more disclosure of public information.

• In the case of Quon v. City of Ontario,ii a police sergeant’s pager was searched

by Quon’s employer and sexually explicit text messages were discovered. The Ninth Circuit Court of Appeals ruled that the City’s search violated Quon’s rights under the Constitution’s Fourth Amendment, but this decision was overturned unanimously by the US Supreme Court in 2010. The Supreme Court did not rule on whether the plaintiff had a reasonable expectation of privacy in this circumstance, but determined that “because the search was motivated by a legitimate work-related purpose, and because it was not excessive in scope, the search was reasonable..."

• In a February 2011 ruling by Judge Shira Scheindlin (who decided the famous

Zubulake v. UBS Warburg case), retention of metadata was determined to be critical in the archiving process. In this case, National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency,iii Judge Scheindlin a) underscored the importance of metadata in her determination that “certain key metadata fields are an integral part of public records,” and b) that counsel must “make greater efforts to comply with the expectations that courts now demand…with respect to expensive and time-consuming document production.”

• In a somewhat similar case in 2010, the Washington state Supreme Court ruled

that metadata must be retained under the state’s Public Records Act. In the case in question, a state resident requested a copy of an accusatory email that she supposedly had sent to the Shoreline city council, but denied ever sending. However, her request for the original email and its metadata was not honored by the council. The city’s deputy mayor had sent the requested email to her personal email account, which hid the identity of the person who actually had sent it. The deputy mayor searched her work computer for the missing email, but could not find it. The Washington Supreme Court ruled that the official’s personal computer had to be searched for the requested content.

We draw three lessons from these and similar rulings: • Content from newer information sources, such as text messaging or social

media, will increasingly need to be retained along with more traditional forms of communication like email.



• Government agencies not only have a right to search for content on personal and other devices, but also may have an obligation to do so in some cases.

• Metadata must be preserved.

SOLVING THE PROBLEM OF CONTENT RETENTION IN GOVERNMENT As discussed earlier in this white paper, government agencies face three fundamental problems in the context of their content retention requirements: • They must retain a wide variety of data for purposes of satisfying sunshine laws,

FOIA requests, potential responses to legal actions, and the like.

• They must make this data easily accessible to staff members responding to these requests and to others that may need ready access to important data.

• Given the financial strain that most government agencies are under, they must

satisfy these requirements as inexpensively as possible. WHY THE CLOUD MAKES SENSE FOR DATA RETENTION Given these critical requirements, here is our view on the 11 key reasons that cloud-based archiving makes sense for use by government agencies: • The US Federal government is open to the cloud

While many decision makers in government may continue to resist any move to the cloud, the US Federal government is increasingly open to it. For example, the Federal Cloud Computing Strategy document issued in February 2011 concludes that “Cloud computing has the potential to play a major part in addressing [government IT’s] inefficiencies and improving government service delivery. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly despite resource constraints.” Moreover, the report estimates that of the $80 billion spent annually on IT by the US government, 25% could be spent on cloud-based services.

• Low (or no) initial costs

One of the fundamental advantage of cloud-based anything – be it email, security, archiving, etc. – is the fact that there are virtually no up front costs associated with deploying a service. Because there are no initial requirements for the purchase of servers, software and other infrastructure elements as is the case with the on-premise, capital expenditure (CAPEX) model, the cloud operating expense (OPEX) model allows agencies to implement a complete archiving capability with virtually no up-front cost. While there may be some minimal costs associated with IT staff to specify capabilities, ingestion of legacy data and the like, these costs are in almost all cases very low.

• More predictable costs of ownership

Similarly, a cloud-based archiving system has more predictable costs of ownership than the traditional on-premise model, largely because the cloud provider defines the costs of the archiving capability up-front and these costs remain constant over the life of the contract. With an on-premise system, there will be periodic requirements to add more storage as more content is retained, which can lead to off-budget costs at inopportune times.

• Lower overall total cost of ownership

The combination of minimal up-front cost, combined with more predictable on-going costs, means that cloud-based archiving generally has a lower TCO than on-premise archiving even when a large number of users are supported. While



lower TCO is of benefit to virtually any organization, it is especially advantageous to government agencies that are – in these times of declining property tax and other revenues – facing severe budget cutbacks. In short, the use of cloud-based archiving can help government agencies to meet their content retention obligations and to do so in an affordable manner, and it can reduce agencies’ current expenditure obligations.

• Rapid deployment of archiving capabilities

One of the chief benefits of cloud-based services is their ability to be deployed much more rapidly than on-premise infrastructure. This allow government agencies to deploy an archiving capability in a matter of a few hours or days, unlike on-premise systems that might take a few weeks or more to evaluate, specify, deploy and configure. Moreover, new capabilities can be added very quickly with cloud-based services, such as the addition of more storage, archiving of more users’ content, or retention of new content types.

• Scalable storage

One of the more important benefits of cloud-based archiving is that it offers a virtually unlimited pool of storage, one that can be scaled to almost any level to meet increased demand. Although on-premise systems can also provide scalable storage, scalability is more easily accomplished in the cloud than with on-premise systems.

• A high level of security

While some decision makers may be concerned about the security of sensitive or confidential content in the cloud, cloud-based archiving actually offers better security than most on-premise archiving systems can provide. Because cloud providers can afford to pay for more robust security measures than most government agencies can afford, cloud security is generally better than what these agencies could hope to provide on-premise.

• Protection against changing storage standards

Particularly relevant for government agencies that must retain data for long periods is the need to “future-proof” content against changing storage standards. Because these standards change over time, content stored in on-premise storage systems must be updated periodically to reflect new standards, new media types and the like to ensure that data is still readable 10 or more years after it is initially stored. However, this is not easily accomplished with on-premise archiving systems. With cloud-based archiving, on the other hand, changing storage standards become the provider’s problem and not the problem of the agency that is charged with storing data. This not only reduces TCO, but also ensures that records can easily be read for many years.

• High speed search capabilities

Cloud-based archiving can provide very high-speed search capabilities, allowing agencies to respond to FOIA and other requests very quickly. This is particularly important where FOIA searches are provided at no cost to the requestor, as in the case of some non-commercial, non-scientific and non-media requestors under US Federal FOIA laws who receive two hours of search services at no chargeiv. The ability to search through enormous data stores quickly can reduce the amount of time – and cost – for these searches.

• Highly available storage

Archiving in the cloud also results in highly available storage. Cloud-based archiving can provide the same or higher level of uptime as on-premise infrastructure – for example, Amazon’s S3 service guarantees server uptime of 99.99% (no more than 4.4 minutes of downtime per month). Moreover, leading cloud providers replicate content to geographically separate data centers, offering a level of disaster recovery that would be expensive to provide with on-premise infrastructure.



• Significant financial benefits over the long term Finally, cloud-based archiving can deliver significant financial benefits to government in two ways. First, by eliminating virtually all up-front expenses, cloud-based archiving can eliminate much of the initial expense associated with archiving, allowing agencies to shift the bulk of their expenses to future years. Second, cloud-based services are generally becoming less expensive over time. This is not the case with on-premise capabilities, which – because of their significant IT labor component – are becoming more expensive as the cost of labor increases. This will result in greater long term return-on-investment benefits for cloud-based archiving over time.

ABOUT SONIAN Sonian, the pioneer in Cloud Powered Archiving and Search, offers it’s archiving solutions at a fraction of the cost and complexity of other approaches. With over 8,000 customers across diverse industries and embedded into offerings from other cloud innovators – Sonian is the future of Archive and Search in the Cloud. While driving down costs is an integral part of our business model, so is developing differentiating technologies. The challenging aspect of acquiring and making petabytes of data search-able was a formidable hurdle Sonian achieved over the past 4 years. Several years ago, we perfected using the cloud to deliver a million search hits within seconds. Today we are delivering that one-in-a-million search result within a second. With our cloud-powered differentiating technology, we believe Sonian is in a unique position to maintain a leadership position in cloud-based information archiving and analytics. Sonian ‘s next generation software and a business model is based on cloud compute economics, security, and reliability. With over 8,000 customers across diverse industries and embedded into offerings from other cloud innovators – Sonian is the future of Archive and Search in the Cloud. © 2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

i http://le.utah.gov/~2011/bills/hbillamd/hb0477.htm ii http://www.supremecourt.gov/opinions/09pdf/08-1332.pdf iii http://ralphlosey.files.wordpress.com/2011/02/ndlon-v-ice-10-civ-3488-metadata- foia_revised.pdf iv http://www.hanscom.af.mil/library/foia.asp

how the cloud can make government archiving more secure and less expensive

Business