1 NAGARA Crossroads 2009-3

Crossroads

Distributed Computing - Cloud Computing and Other Buzzwords:

Implications for Archivists and Records Managers

NAGARA Crossroads 2009-3

This issue of Crossroads continues a series of white papers on various topics related to electronic records written by

members of the Committee on Electronic Records and Information Systems (CERIS). This white paper covers the

topic of cloud computing. It was written by Mark Conrad, Archives Specialist, with the National Archives and

Records Administration’s Center for Advanced Systems and Technologies. The views expressed in this document

are the author's. While his perspective has been informed by his work at the National Archives and Records

Administration, he does not speak for the institution. All statements, opinions and conjectures are the author's unless

otherwise attributed.

CERIS White Paper Distributed Computing - Cloud Computing and Other Buzzwords: Implications for Archivists and Records Managers Cloud computing is a term that is used a great deal these days. Many IT departments and resource allocators are considering implementing technology related to this term. Two of the reasons most cited for using cloud services are potential cost savings brought about by economies of scale, and the ability to rapidly deploy new applications and services.

Cloud computing has the potential to have a substantial impact on archival and records management programs as well. It would be impossible to provide an exhaustive list, but this document will explore a few of the possible implications of deployment of cloud computing and related technologies for archivists and records managers and the organizations that they serve.

Caveat Emptor

This paper will have a relatively short “shelf life.” To say that cloud computing continues to evolve is a gross understatement.

Define Terms Rigorously

One of the biggest problems with the term, cloud computing, is that there is no consensus on exactly what it means. In the August 2009 issue of Communications of the ACM, there is an article concerning a roundtable discussion with some of the key players in the development and deployment of cloud computing services. Even among this group there was not much consensus on what exactly cloud computing is. One of the more interesting quotes from the article comes from Lew Tucker, Chief Technology Officer of cloud computing at Sun Microsystems. He said, “Cloud computing is not so much a definition of a single term as a trend in service delivery taking place today. It’s

2 NAGARA Crossroads 2009-3

the movement of application services onto the Internet and the increased use of the Internet to access a variety of services traditionally originating from within a company’s data center.”1

On August 21, 2009 the National Institute of Standards and Technology issued version 15 of its, “Draft NIST Working Definition of Cloud Computing.” The document begins with two interesting caveats:

Note 1: Cloud computing is still an evolving paradigm. Its definitions use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.2

If your organization, or an organization that you provide services for, is proposing to implement cloud computing, it will be very important to make sure that all parties involved – including the potential vendors of the cloud solutions - share the same understanding of what exactly is being proposed. From a records management and archives point of view it will be very difficult to identify the recordkeeping implications of implementing a cloud computing environment without having a clear understanding of exactly what is being proposed.

Pieces of the Cloud

For example, the NIST draft definition identifies:

Five Essential Characteristics of Cloud Computing:

On-demand self-service – A person or organization can procure computer services such as additional computing resources, server time, or network storage at any time without having to communicate directly with people who provide the services.

Broad network access – The services should be available over the network (often the Internet) using standardized tools that allow the user to access them from their office computer, laptop, personal digital assistant, or mobile phone.

Resource pooling – In a typical organization most of the computational resources of that organization sit idle for long periods of time or are not used at their full capacity. One of the advantages of cloud computing is the ability to repurpose or reconfigure the available computing resources on-the-fly. This enables rapid response to the changing computing needs of the consumers of computing services. It also facilitates much more efficient use of computing resources by quickly repurposing the resources for other tasks once the current tasks have been completed. This allows organizations to operate their computing resources at or near their capacity much of the time.

1 Creeger, “CTO roundtable,” 52.

2 Mell and Grance, “Draft NIST Working Definition of Cloud Computing, version 15,” 1-2.

3 NAGARA Crossroads 2009-3

Rapid elasticity – The consumer should have the ability to rapidly (often automatically) increase or decrease the computing resources needed to carry out their work.

Measured Service – The cloud computing services are designed so that units of cost can be established, measured, and billed. For example a cloud service vendor might charge a fee based on the number of bytes of data an organization stores on their storage system each month, the number of users from a particular organization that use the vendor’s service, the number of computing cycles used, or the amount of bandwidth consumed.

Three Service Models for Cloud Computing:

Cloud Software as a Service (SaaS) – Under this service model, the end-user is provided with access to the vendor’s software applications over a network. Some examples of this type of service would be vendor-provided, web-based e-mail and word-processing, and spreadsheet applications that the end-user accesses over the Internet.

Cloud Platform as a Service (PaaS) – In this case the end-user organization deploys their own applications on the vendor’s computing resources. The vendor usually limits the programming languages, operating systems, etc., that they will support in order to host these applications. For example, an organization might develop or acquire a new enterprise-wide database application. Rather than purchase all of the necessary servers, networks, storage, etc., the organization may decide to deploy the new application on the computing resources of a cloud computing vendor.

Cloud Infrastructure as a Service (IaaS) – Under this service model the end-user organization is provided access to the vendor’s underlying computing resources and is given much wider latitude in terms of what applications, operating systems, etc., the end-user can use on the vendor’s computing resources. Essentially the end-user is outsourcing the majority of their IT infrastructure while maintaining their prerogatives as to what applications, operating systems, etc., they deploy on that infrastructure.

Four Deployment Models for Cloud Computing:

Private cloud - The cloud infrastructure is operated solely for one organization. That infrastructure may be on premise or off premise. The organization or a third party may provide the infrastructure.

Community cloud – The cloud infrastructure is operated for several organizations with similar requirements for particular cloud services. It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud – The cloud infrastructure is made available to the general public or a large segment of the public and is owned by an organization selling cloud services. Hybrid cloud – The cloud infrastructure is a combination of the other deployment models that operates as a single cloud infrastructure.

Getting on the Same Page

Given the many possible ways an organization could use cloud computing services, it is important to ensure that all stakeholders are involved in the decision-making process.

4 NAGARA Crossroads 2009-3

Archivists and records managers should be among those stakeholders. In fact, many of the issues that would be concerns for records managers and archivists could serve as the basis for reaching consensus among all of the stakeholders as to exactly how the organization is going to use cloud computing services.

Listed below are a few issues that archivists and records managers might want to consider if their organization is considering using cloud computing services. This is by no means an exhaustive list.

Scope – What organizational information will be stored, processed, accessed through the cloud? Will restricted data (personally identifiable information, trade secrets, law enforcement information, etc.) be stored, processed, and/or accessed through the cloud?

Retention – Cloud computing services often create multiple copies of the data that they store for an organization on geographically-dispersed computing resources in order to ensure that no data is lost and that it is constantly available to the end-user. It would be important to know how the vendor would ensure the destruction of all copies of records that had reached the end of their retention period.

Location – Cloud computing is often implemented in such a way that the end-user has no idea where their information is stored or processed. Some cloud service providers will let you place broad limits on where your data will be stored (e.g., in the continental United States, in a particular state, etc.) If your organization is contemplating placing data in a cloud that must be maintained within jurisdictional boundaries it will be important to establish that as a requirement before you procure services and ensure that it is included in the contract with the vendor.

Legal/Policy Compliance – The issues surrounding the ability of cloud services – especially public/community cloud services - to comply with the rules, regulations, laws and policies that govern the management of an organization’s information are often cited as one of the most significant barriers to wide-spread adoption of cloud computing by government entities and highly-regulated organizations. Vivek Kundra, the U.S. Chief Information Officer, in announcing the launch of Apps.gov, indicated that, “we will need to address various issues related to security, privacy, information management and procurement to expand our cloud computing services.”3 Debra Logan, an enterprise content management analyst at Gartner, Inc., has indicated security, privacy, and compliance concerns will prevent many highly-regulated industries and global organizations from adopting cloud services through 2012.4

Analysts have listed a number of compliance issues that they believe most public cloud services cannot meet at the time this paper was written. For example, at the October 2009 Gartner Symposium IT/Expo, a Gartner analyst indicated that he did not believe that public cloud services were appropriate at that time for credit card information that would be covered by the Payment Card Industry (PCI) security requirements.5 Some of the other requirements that are frequently cited include:

3 Kundra, “Streaming at 1:00: In the Cloud | The White House.”

4 Tucci, “Addressing compliance requirements in cloud computing contracts.”

5 Messmer, “Gartner on cloud security: 'Our nightmare scenario is here now'.”

5 NAGARA Crossroads 2009-3

The Health Insurance Portability and Accountability Act (HIPAA)

The Sarbanes-Oxley Act of 2002

The Federal Information Security Management Act of 2002 (FISMA)

E-Discovery – If your organization is involved in an e-discovery exercise you will have to be able to locate relevant information throughout your organization quickly. You also have to be able to place litigation holds on all responsive information subject to destruction under existing records schedules. How do you ensure that you can comply with an e-discovery order if some or all of your information is stored in a cloud? Caryn Wojcik outlined many of the questions that a records management program must be prepared to answer when confronted with a discovery order in a previous CERIS white paper.6 That paper also cites a list of potential questions that Caryn developed that could be asked of information technology departments as part of a legal discovery process. These same questions would be good to ask any potential vendor of cloud services.

Interoperability – Because the information stored in many information systems will need to be kept and used long after the system has become obsolete, it is important to consider an exit strategy at the same time that an organization considers the deployment of any new information technology. Cloud computing services are no different. It is important to ensure that your information is not trapped in a proprietary system in a manner that will require considerable expense or effort to remove it from that system and move it to another system.

Several groups are attempting to address this issue. The Open Grid Forum (www.ogf.org) is working on the Open Cloud Computing Interface. The Distributed Management Task Force (DMTF) has formed the Open Cloud Standards Incubator (www.dmtf.org/about/cloud-incubator). The Open Cloud Consortium (www.opencloudconsortium.org) is working on a standard that would create an intermediary format that would make it easier to migrate distributed data and applications across cloud platforms.7 There are other efforts underway as well. Many vendors and other interested parties have indicated their support for the Open Cloud Manifesto (www.opencloudmanifesto.org). Given the large number of cloud interoperability initiatives underway it is hard to predict if one or more of these initiatives will emerge as de facto standards in the near term.

Security – Currently there is a debate taking place as to whether or not cloud services provide more or less security than “traditional” IT infrastructure. Bob Gourley summarizes some of the arguments on both sides in his white paper for the National Security Council and the Homeland Security Council:

Security typically improves due to centralization of data, increased security-focused resources, increased ability to patch and upgrade, increased ability to monitor, increased ability to encrypt and many other reasons. However, there are

6 Wojcik, “Discovery: How the Legal Process Can Impact Records Management

Professionals,” 2-3. 7 Lawton, “Addressing the Challenge of Cloud-Computing Interoperability.”

6 NAGARA Crossroads 2009-3

concerns about loss of control over certain sensitive data. When designed in at the beginning, security of cloud architectures is significantly higher than non-cloud approaches. Enterprises requiring significantly enhanced security should consider private clouds, where the data center is controlled by the enterprise vice outsourced. 8

The Jericho Forum (www.jerichoforum.org) and the Cloud Security Alliance (www.cloudsecurityalliance.org) are just two organizations that are looking at how to address security issues related to cloud computing.

Getting Started

Non-sensitive information

Many organizations at all levels of government are beginning to procure and use cloud computing services. Often these organizations undertake their first foray into cloud computing with a project using non-sensitive information.

Private Cloud

Many organizations that want to put sensitive information in a cloud are opting for a private cloud. Under this deployment model the cloud services are only made available to a single organization – often in the organization’s data center. This approach allows the organization to better utilize its computing resources and at the same time maintain a greater measure of control over its information.

Pilot Project

In an effort to entice organizations to use their services, some vendors are letting potential customers try their services for free for a limited period of time (e.g., 30 days). This is a relatively risk-free way of trying cloud computing services.

Community Cloud

Some organizations are planning and implementing clouds for a consortium of similar organizations that have similar requirements. For example, the State of Utah is planning to offer e-mail and other web-based applications to cities and counties throughout the state.9 Similarly, the State of Michigan is developing cloud services for state agencies, cities, counties, and schools across Michigan.10 At least one major vendor of cloud computing services has announced that they will provide a government cloud – a separate infrastructure for just government agencies.11

Audits

Many providers of cloud services are now furnishing their clients with Statement on Auditing Standards (SAS) No. 70 Service Auditor's Reports. SAS No. 70 is an auditing standard developed by the American Institute of Certified Public Accountants. A SAS 70

8 Gourley, “Cloud Computing and Cyber Defense,” 4.

9 Towns, “Utah Plans Private Cloud for Local Agencies.”

10 Towns, “Michigan Plans New Data Center and Government Cloud.”

11 Williams, “Q&A: Former Salesforce.com Executive Steve Cakebread Sees Big Move to Cloud for

Government.”

7 NAGARA Crossroads 2009-3

Audit Report indicates that a vendor has had an audit conducted to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. There are two types of Service Auditor's Reports – Type 1 and Type 2. Type 2 reports are the more thorough of the two types of reports. Type 2 reports require an auditor to monitor a vendor’s systems and controls over a minimum of a six month period.12 Such audit reports should not be used as a substitute for due diligence.

Conclusion

Many analysts say that it is not a matter of if, but when, cloud computing services will be used by most organizations. When your organization or an organization you serve contemplates deploying cloud computing services, it will be important to make sure that issues like those raised in this document are addressed upfront. Cloud computing services will continue to evolve over the near term. It will be important to continually monitor new developments in this area. Because of the complex nature of both the technology and policy implications of cloud computing it will be important for archivists and records managers to work in concert with other stakeholders in addressing these developments.

References

“About SAS 70.” About SAS 70. http://www.sas70.com/about.htm. Creeger, Mache. “CTO roundtable: cloud computing.” Communications of the ACM 52,

no. 8 (2009): 56, 50. Gourley, Bob. “Cloud Computing and Cyber Defense,” March 21, 2009.

http://www.whitehouse.gov/files/documents/cyber/Gourley_Cloud_Computing_and_Cyber_Defense_21_Mar_2009.pdf.

Kundra, Vivek. “Streaming at 1:00: In the Cloud | The White House.” White House Blog, September 15, 2009. http://www.whitehouse.gov/blog/streaming-at-100-in-the-cloud/.

Lawton, George. “Addressing the Challenge of Cloud-Computing Interoperability.” IEEE. Computing Now | News | September 2009 | . http://www.computer.org/portal/web/computingnow/archive/news031.

Mell, Peter, and Tim Grance. “Draft NIST Working Definition of Cloud Computing, version 15.” National Institute of Standards and Technology, October 7, 2009. http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.

Messmer, Ellen. “Gartner on cloud security: 'Our nightmare scenario is here now'.” TechWorld, October 22, 2009. http://www.techworld.com.au/article/323110/gartner_cloud_security_our_nightmare_scenario_here_now.

Towns, Steve. “Michigan Plans New Data Center and Government Cloud.” Government Technology. http://www.govtech.com/718213.

---. “Utah Plans Private Cloud for Local Agencies.” Government Technology, August 24, 2009. http://www.govtech.com/gt/714321.

12

“About SAS 70.”

8 NAGARA Crossroads 2009-3

Tucci, Linda. “Addressing compliance requirements in cloud computing contracts.” SearchCIO.com, June 11, 2009. http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1359026,00.html.

Williams, Matt. “Q&A: Former Salesforce.com Executive Steve Cakebread Sees Big Move to Cloud for Government.” Government Technology, October 29, 2009. http://www.govtech.com/gt/732506?id=732506&full=1&story_pg=2.

Wojcik, Caryn. “Discovery: How the Legal Process Can Impact Records Management Professionals.” Crossroads 2009, no. 1. CERIS White Papers. http://www.nagara.org/associations/5924/files/Crossroads_2009_1.pdf.

For Further Reading:

Defining Cloud Computing

Armbrust, Michael, Armando Fox, Rean Griffith, Anthony Joseph, Randy Katz, Andy Konwinski, Gunho Lee, et al. Above the Clouds: A Berkeley View of Cloud Computing, February 10, 2009.

www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf.

Brodkin, Jon. “FAQ: Cloud computing, demystified: What is cloud computing, and can it be trusted? Key questions answered,” May 18, 2009.

http://www.networkworld.com/supp/2009/ndc3/051809-cloud-faq.html.

Buyya, Rajkumar, Chee Yeo, and Srikumar Venugopal. “Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities.” In HPCC '08: Proceedings of the 2008 10th IEEE International Conference on High Performance Computing and Communications, 13, 5. IEEE Computer Society, 2008. http://dx.doi.org/10.1109/HPCC.2008.172.

Creeger, Mache. “CTO roundtable: cloud computing.” Communications of the ACM 52, no. 8 (2009): 56, 50.

Foster, I, Yong Zhao, I Raicu, and S Lu. “Cloud Computing and Grid Computing 360-Degree Compared.” In Grid Computing Environments Workshop, 2008. GCE '08, 10, 1, 2008. http://dx.doi.org/10.1109/GCE.2008.4738445.

Jaeger, Paul, Jimmy Lin, Justin Grimes, and Shannon Simmons. “Where is the cloud? Geography, economics, environment, and jurisdiction in cloud computing.” First Monday 14, no. 5 (2009). http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2456.

Mell, Peter, and Tim Grance. “Draft NIST Working Definition of Cloud Computing, version 15.” National Institute of Standards and Technology, October 7, 2009. http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.

Leavitt, N. “Is Cloud Computing Really Ready for Prime Time?.” Computer 42, no. 1 (2009): 15-20.

9 NAGARA Crossroads 2009-3

Vaquero, Luis, Luis Merino, Juan Caceres, and Maik Lindner. “A break in the clouds: towards a cloud definition.” ACM SIGCOMM Computer Communication Review 39, no. 1 (2009): 55, 50.

Viega, J. “Cloud Computing and the Common Man.” Computer 42, no. 8 (2009): 106-108.

Getting Started

“17 Steps to Cloud Migration -- Washington Technology.” http://washingtontechnology.com/microsites/cloud-computing/17-steps-to-the-cloud.aspx.

Schultz, Beth. “How to buy cloud computing services: Five key questions to ask any prospective cloud provider .”, May 18, 2009.

http://www.networkworld.com/supp/2009/ndc3/051809-cloud-buy-services.html.

Stantchev, Vladimir, and Christian Schröpfer. “Negotiating and Enforcing QoS and SLAs in Grid and Cloud Computing.” In Advances in Grid and Pervasive Computing,

25-35, 2009. http://dx.doi.org/10.1007/978-3-642-01671-4_3.

Interoperability

Bernstein, D, E Ludvigson, K Sankar, S Diamond, and M Morrow. “Blueprint for the Intercloud - Protocols and Formats for Cloud Computing Interoperability.” In Internet and Web Applications and Services, 2009. ICIW '09. Fourth International Conference on, 336, 328, 2009. http://dx.doi.org/10.1109/ICIW.2009.55.

Lawton, George. “Addressing the Challenge of Cloud-Computing Interoperability.” IEEE. Computing Now | News | September 2009 | .

http://www.computer.org/portal/web/computingnow/archive/news031.

Nelson, Michael R. “Building an Open Cloud.” Science 324, no. 5935 (June 26, 2009): 1656-1657.

Security

Cloud Security Alliance. “Security Guidance for Critical Areas of Focus in Cloud Computing,” April 2009. http://www.cloudsecurityalliance.org/guidance/csaguide.pdf.

“cloud_cube_model_v1.0.” Jericho Forum, April 2009. http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf.

Douglis, F. “Staring at Clouds.” Internet Computing, IEEE 13, no. 3 (2009): 4-6.

Everett, Catherine. “Cloud computing - A question of trust.” Computer Fraud & Security 2009, no. 6 (June 2009): 5-7.

Gourley, Bob. “Cloud Computing and Cyber Defense,” March 21, 2009. http://www.whitehouse.gov/files/documents/cyber/Gourley_Cloud_Computing_and_Cyber_Defense_21_Mar_2009.pdf.

10 NAGARA Crossroads 2009-3

Kaufman, Lori. “Data Security in the World of Cloud Computing.” IEEE Security & Privacy Magazine 7, no. 4 (July 2009): 64, 61.

Messmer, Ellen. “Gartner on cloud security: 'Our nightmare scenario is here now'.” TechWorld, October 22, 2009. http://www.techworld.com.au/article/323110/gartner_cloud_security_our_nightmare_scenario_here_now.

National Institute of Standards and Technology. “Recommended Security Controls for Federal Information Systems and Organizations,” August 2009.

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf.

Marinos, Alexandros, and Gerard Briscoe. “Community Cloud Computing” (2009). http://arxiv.org/abs/0907.2485.

Perez, Sarah. “Forget Google and Amazon, the DoD Shows Off What a Real Cloud Platform Can Do.” ReadWriteWeb, October 7, 2009. http://www.readwriteweb.com/archives/forget_google_and_amazon_the_dod_shows_off_what_a_real_cloud_platform_can_do.php.

---. “Gartner: Vetting security of third-party partners in five steps.” SearchCIO-Midmarket.com, May 6, 2009. http://searchcio-midmarket.techtarget.com/news/article/0,289142,sid183_gci1355739,00.html.

Government Implementations

“GSA Outlines U.S. Government's Cloud Computing Requirements -- Cloud Computing -- InformationWeek.” http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=218900541.

Sarno, David. “Los Angeles adopts Google e-mail system for 30,000 city employees | Technology | Los Angeles Times.” Los Angeles Times, October 27, 2009. http://latimesblogs.latimes.com/technology/2009/10/city-council-votes-to-adopt-google-email-system-for-30000-city-employees.html.

“The White House - Blog Post - Streaming at 1:00: In the Cloud.” http://www.whitehouse.gov/blog/streaming-at-100-in-the-cloud/.

Towns, Steve. “Federal Web Portal Moves to Cloud Computing Platform.” Government Technology, May 1, 2009. http://www.govtech.com/gt/654240.

---. “Michigan Plans New Data Center and Government Cloud.” Government Technology. http://www.govtech.com/718213.

---. “Utah Plans Private Cloud for Local Agencies.” Government Technology, August 24, 2009. http://www.govtech.com/gt/714321.

“White House unveils cloud computing initiative | Geek Gestalt - CNET News.” http://news.cnet.com/8301-13772_3-10353479-52.html.

Williams, Matt. “Feds Launch Apps.gov Cloud Storefront for Purchasing.” Government Technology, September 15, 2009. http://www.govtech.com/gt/723606?id=723606&full=1&story_pg=1.

11 NAGARA Crossroads 2009-3

---. “Q&A: Former Salesforce.com Executive Steve Cakebread Sees Big Move to Cloud for Government.” Government Technology, October 29, 2009. http://www.govtech.com/gt/732506?id=732506&full=1&story_pg=2.

Compliance

Howard, Alexander. “Gartner and CA on addressing compliance requirements in cloud computing.” IT Compliance Advisor, June 11, 2009. http://itknowledgeexchange.techtarget.com/it-compliance/gartner-and-ca-on-addressing-compliance-requirements-in-cloud-computing/.

Joint, Andrew, Edwin Baker, and Edward Eccles. “Hey, you, get off of that cloud?.” Computer Law & Security Review 25, no. 3 (2009): 270-274.

Navetta, David. “Legal Implications of Cloud Computing — Part One (the Basics and Framing the Issues).” InfoSecCompliance.com - Technology, Privacy and Security Law & Risk Management » Blog Archive », September 18, 2009. http://infoseccompliance.com/2009/08/18/legal-implications-of-cloud-computing-part-one-the-basics-and-framing-the-issues/.

---. “PCI Service Provider Contracting.” InfoSecCompliance.com - Technology, Privacy and Security Law & Risk Management » Blog Archive » , June 11, 2009. http://infoseccompliance.com/2009/06/11/pci-service-provider-contracting/.

Pearson, Siani. “Taking account of privacy when designing cloud computing services.” In CLOUD '09: Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing, 52, 44. IEEE Computer Society, 2009. http://dx.doi.org/10.1109/CLOUD.2009.5071532.

Tucci, Linda. “Addressing compliance requirements in cloud computing contracts.” SearchCIO.com, June 11, 2009. http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1359026,00.html#.

Watkins, John. “Cloud Computing - The Legal Issues Are Somewhat Cloudy in the Cloud.” Ezine@rticles. http://ezinearticles.com/?Cloud-Computing---The-Legal-Issues-Are-Somewhat-Cloudy-in-the-Cloud&id=2532393.

All hyperlinks in this issue were valid as of the date of publication.

Issues of Crossroads are available on the NAGARA Web site at www.nagara.org in Portable Document Format

(PDF) for downloading and easy printing.

Crossroads is sponsored by the NAGARA Committee on Electronic Records and Information Systems (CERIS).

CERIS members include LaDonna Wagers (Chair), State Library and Archives of Florida; Glenn McAninch (Vice

Chair), Kentucky Department of Libraries & Archives; Mark Conrad, National Archives and Records Commission;

Cindy Bendroth, Pennsylvania Historical and Museum Commission; Scott Leonard, Kansas State Historical Society

Caryn Wojcik, State Archives of Michigan; and Patty Davis, Ohio Historical Society.

Crossroads is edited by LaDonna Wagers, State Library and Archives of Florida, 500 S. Bronough Street, Mail

Station 9A, Tallahassee, Florida 32399, 850-245-6777, lwagers@dos.state.fl.us.