Records Management in the Cloud

Records Management in the Cloud

August 19, 2019 0 By Kailee Schamberger


[ Music ]>>Welcome to today’s MARA Colloquium,
Records Management in the Cloud. Our guest speaker is Mary Beth Herkert. She’s state archivist for
the Oregon State Archives. Mary Beth has had roles as archivist
as well as records manager and manager of information in records management units. I met Mary Beth working on an [inaudible] task
force, and I know she’s been active presenting in [inaudible] as well, specifically
at last summer’s conference. I was very aware of that. Mary Beth is both a CRM and a CA, so she
is very well versed in both the records and the archival aspect of the issue that
she’s going to speak with you tonight about, which is records management in the cloud, so I’m going to turn the mic
over to Mary Beth right now.>>This is I. I’ve been doing archives and records
management now for almost 30 years, and if you had told me 30 years ago that I
would be spending my time on nothing but IT or computer issues related to records, I
would’ve thought you were nuts, but anyway, it’s something that’s new, something that’s
kind of innovative for most people to think or even doing business in the cloud, although
we’re really kind of being forced into it. The whole gist, there’s a major portion
of this presentation is going to be kind of how we have embraced the cloud
to actually do records management. We’ve actually put our electronic
records management system in the cloud and have made it a stabilized system for all
state and local government agencies to use. So with that, what is really the cloud? It’s a very general term. Some people narrowly define it as
virtual servers over the internet. Others more broadly define it as anything
you consume outside your firewall. But really, it involves delivering
hosted services over the Internet. And they’re divided into kind of, like, 3
types of services: infrastructure as a service, platform as a service, and
software as a service. I am most familiar with software as a
service, as that is what we are providing, but the infrastructure as a service is,
where do you pay — you pay for what you use. It’s also kind of commonly known as utility
computing because it’s like you, your utilities. What you use, you pay for. So a lot of it has to deal with
storage, different things that you may do on the Internet like, something
like Amazon Web Services. Platform as a service is more like
development tools that are hosted on the provider’s infrastructure,
like Google Ads. The one problem with that is is there are
no standards for these services related to interoperability or portability,
so you have some limitations. And some of these platforms and service
providers will not allow you to move anything that you develop off of their platform. So you’re kind of stuck there if you’re
doing something internally on that. And then, software as a service is where your
vendor is supplying the hardware, the software, the infrastructure, and then you access it through a web portal so that
you can use the service. Basically, it really represents what
you’re doing on a day-to-day basis. If you didn’t know it was in a
cloud, you would never realize that. And most of your, with email
providers are going into the cloud now. For example, the State of Oregon has just
entered into an agreement with USA.net to provide Microsoft Outlook over, in the cloud. And we just switched over to that in June,
and really, you can’t tell the difference as if it was on your computer as it
was, you know, a internally hosted app as opposed to being a virtual hosted app. So all of them have their place, and all of them
are in a wide variety of development and use. The Synergy Data Center that
I have listed there is, that’s our host for our electronic records
management system, and we’ll continue to go and talk about that in a little bit here. But really, the 3 things
that differentiate the cloud from traditional hosting is it’s sold on demand. You only pay for what you use. So if you’re not going to
use it, you don’t pay for it. It’s elastic, so you can grow
whatever rate you want to go. Of course, if you want to grow, you’re
going to pay more for what you’re getting. So it’s not free, and that’s
the 1 thing that people need to understand is there are
costs involved with it, but you basically are only
paying for what you use. And the nice thing about it and what a
lot of people find good about this is that it’s fully managed by the provider, so
it really frees up your IT staff to do stuff that internally needs to be developed and used. So you don’t have to worry about anything. So a software upgrade comes along, the
vendor’s going to upgrade it for you. So you don’t have to expand your, expend
your IT staff to do the job for you. The reasons really for cloud development are
kind of threefold, I guess, if you want to say. I think the last is, the biggest reason,
especially when you look at government, is innovations in virtualization
and distributed computing. I mean, the industry has grown so
much over the last couple of years that it really makes it more
of an option for most people. Again, the improved access
to high-speed Internet. As more and more people have access to
it, they can do things in the cloud. However, when you get into some states, and,
I mean, it’s not just the Wild Wild West, if you want to say, but there
are a lot of states where the rural areas still only
have dial-up access to the Internet. So cloud computing’s not going
to work for them because you have to have the advantage of
the high-speed Internet. And like I said, the last reason, which I think
is the biggest reason, especially when you look at government, is it’s a weak economy, and,
you know, when we talk about our situation, you will see how much less expensive
it is for us to do this in the cloud as it would’ve been for us
to host it internally. And with government, with budgets being
cut, especially in this area of archives and records management, it’s something that
you always need to find new and innovative ways that are more efficient and cost
effective to do your business. And so I can speak to the
government perspective on this. A lot of people in the private industry,
you know, the reasons may not be the same, but speaking from the government
point of view, that’s where we’re at. There’s 2 types of cloud. There’s a public cloud, which sells
services to anyone on the Internet. You know, so USA.net is a public cloud. Amazon is a public cloud. Yahoo, Gmail — they’re all public clouds. Anybody can join. Anybody can access them. A private cloud is more where you’re
controlling who your users are, and it’s usually limited to
a certain group of people. And there’s been a lot of
talk about a government cloud. That would be a private cloud in that only
government entities would be allowed to access and use the services that are in the cloud. We have set up a private cloud. It was the only way that we could
comply with the laws in the state of Oregon to do what we are doing. So we set up a private cloud. Public clouds pose lots of problems for government entities,
and we’ll get into that too. And where we get into that is is in
the advantages and the disadvantages. And really, when you look at the advantages,
the potential savings are really key. And like I said earlier, especially
in these economic times, but, I mean, you can save hundreds of thousands of dollars
in infrastructure costs, software costs, hardware costs, and staff time, IT costs. So that’s really why people look to
the clouds is because they say, well, we’re going to save all this money,
so, and get the same package, so we’re going to go ahead and do it. But there are always, all these
advantages have their disadvantages too. Potential speed — it can be faster than
your internal setups because the people who own the clouds are, have the
latest and greatest technology. They’re ensuring that people are
only getting the best equipment, that everything is configured to the maximum,
to reach the maximum potential of the software or the service that they’re providing. So really, you’re getting a situation
where you get the best, and a lot of times, when you’re hosting it internally, you’re
dealing with maybe servers that are 3 or 4 years old, or, you know, you’ve
configured it one way, so you have to kind of adapt the piece of software
you’re trying to add so it meets your internal
configuration and that kind of thing. And so you really do have an advantage
there, but it can also be a disadvantage. And it frees up your IT staff, and for, like,
our agency, we, the agency I work for — I work for the Secretary of State
— we have about 200 employees, and our IT staff is constantly developing new
applications for the very distinct program areas that are part of the Secretary of State agency. But you really need to weigh the advantages and
disadvantages, and you need to do that business or case study that’s not even,
not only a cost-benefit analysis, but really a good business case to see if
the application you’re looking at should be in the cloud because you do have
some real distinct disadvantages. Lack of ownership and control. You do not control you information. Once you have it in the cloud, basically,
the vendor is controlling it for you. So to say that, that is a huge
give up, especially in government. That really violates almost
every statute in all 50 states when it comes to ownership of public records. They belong to the state. They belong to the citizens of the state. So when you send them off to the cloud
and you’re letting somebody else own them, you can get into some really big legal issues. Security’s another thing. On a daily, I think on the
records management LISTSERV, we see issues about something being hacked, the
cloud’s not secure, they lost this information, they lost that information, and those
are all problems that you can face when you are playing the cloud,
especially if you’re in a public cloud. How you secure your information
so it’s not getting hacked. How do you deal with things like that? So again, your advantages. Have to weigh your disadvantages. And then, finally, for me and
for records managers everywhere, how do you apply retention and disposition? If you don’t own and control the
information, it’s highly unlikely that somebody like Yahoo is going to say, oh, yeah, the
State of Oregon, the archivists there want you to keep that information for 6 years. I’m going to retain it for 6 years for them. Uh-uh. You know, they’re going to
keep it for as long as they want it, and that’s as long as it’s going to be there. And so you can’t really apply your retention and disposition unless you make
provisions for that ahead of time. And so for us, we immediately had to
eliminate playing in the public cloud for what we were doing is because we had to
maintain ownership, and we had to be able to apply retention and disposition. So those are really, you know, what you’re
looking at, but if you don’t, I mean, we’re, we put in the cloud as an
electronic records management system, so we’re going to control
retention and disposition, but if you don’t have an electronic
records management system, how are you going to apply retention
and disposition in the cloud? For example, if we didn’t have our electronic
records management system, all of our email, we pay for storage of all of our email messages. They don’t manage them for us. And so we would be paying very long-term
storage costs because we wouldn’t know how to otherwise apply retention
and disposition in USA.net. So the only reason we went into a public cloud
for email is because we had a private cloud that was going to manage our information, and
we require everybody to put email messages that have, that are considered public records
into the electronic records management system. So those are some of the things
that you need to kind of take a look at when you’re going into the cloud. And it’s fairly new, and a lot of people
don’t understand the ownership piece of it. I mean, it’s like Facebook. Anybody who has a Facebook page knows that you
don’t get to pull stuff off when you want to or retain it for as long as you want to. Facebook’s basically doing that for you. Twitter, the thing with Twitter is is
the Library of Congress are saving all of the tweets, so you definitely
don’t have any control over that. I mean, you can remove them, but Library
of Congress is keeping them forever, so every Twitter message that
you’ve sent, just remember, it’s at the Library of Congress
forever right now. So I, it’s not my favorite thing to do,
but — so pretty much I’ll get into, why did we go into the clouds with
knowing everything that we knew? Well, part of the problem is is, for the past
10 years, I have been trying to get the state to have a unified way of
managing electronic records. We at the state archives have
always kind of been proactive. My predecessor and I, in 1995, tried to get
email, an email policy written for the state that would’ve said that email messages
could only be for routine communications, and anything that had substance with it
would’ve had to have been sent as an attachment so that we could manage the
attachments outside of email and not have to worry about internal communications. We were basically laughed out of the room. Nobody thought that it was a problem in 1995. You know, what’s this email thing? It’s not going to be an issue, and
we don’t want to be bothered with it. Fast forward 10 years, 11 years, and then we
had all these CIOs coming up to us and saying, you know, we wish we had listened
to you, because now they’re having to manage all these messages that
vary in retention and content. So it became real apparent to us that
something had to be done to manage information in a routine and systematic
manner within the state. We had a state agency and a city have major
lawsuits placed against them for misuse or mishandling of public records. The first case was our State Accident
Insurance Fund, and they were fined. Basically, it came out to about
$2-and-a-half million was their fine for, well, circumventing the public records laws. And so, you know, you can buy an electronic
records management system for significantly less than $2-and-a-half million,
depending on your agency size. So why are we spending all this money on
lawsuits instead of managing our information? The City of Beaverton was probably
more noted because they faced Nike. And guess who won? It wasn’t the City of Beaverton. It was Nike. And there, you know, had all the money to throw
at it, so their fine was over a million dollars for not being able to produce
all of their electronic records. So we had beginnings that really
started with these really big lawsuits and no way of managing information. Anybody who’s tried to manage electronic records
manually finds it’s really difficult to do. I mean, how do you go through
all your terabytes of information on your file servers and apply retention to it? It isn’t, I, it is a really onerous cache. Some of the other issues are
is how to comply with the law. And the problems with the laws are is most of them were written way before even the
personal computer was developed or [inaudible]. How do we apply retention? And then, we really wanted to build off of what
we did here as the Secretary of State’s agency with our electronic records management system. We were able to get funding
for a system in 2007. We bought our system, which
was, at the time, TOWER TRIM. It’s now HP TRIM. And the reason we selected our system was
because it was extremely user friendly, and it was truly an off-the-shelf product. So it made life really easy
for us once we implemented. And so how could we let others take
advantage of what we’ve already done? Because it doesn’t make sense, it never made
sense to me that every state agency, every city, every county in Oregon, every special
district, all which I had jurisdiction over, were spending, going to spend
upwards of a million dollars to implement an electronic
records management system. Why couldn’t we have a statewide system
that people could take advantage of? So then, it became is how
we were going to do that. Well, the first thing we have to do — and we’re
moving along without it happening quite yet — but if you look at the public records
law, our public records law — and that’s the top part right here — our public records law is like every
other state’s public records law, except ours is divided into 2
parts, so we have 1 for retention and disposition and we have 1 for access. They’re basically the exact same. This current law was written in 1961. Really, at that time, computers
occupied entire rooms. Nobody has a personal computer. Nobody had a Facebook page. Nobody was tweeting. So really, the law assumed that a
record was something that was tangible. And in 1989, they amended to add in
the part for machine-readable records. And that was all well and good, but again, it always assumed that the
record was something tangible and something that was able to be captured. And it always was owned by the state or the
public entity that was creating the record. So not a big deal. Well, fast forward to, you know,
to now, and we have a definition that really does not work
in today’s day and age. So what I decided to do was that
we needed to get a new definition. And the definition, the proposed
new definition is at the bottom. And it basically makes the law technology
independent and focuses on the fact that it is the content of the information
that carries the retention and not the media that transmits or used to
communicate the record. So currently, it has been
through the House because we’re in a legislative session right now. It’s passed the House. It was then sent to the Senate, was amended
in the Senate, but passed the Senate. So now, it has to go back
to House for concurrence. Right now, my bill’s being held hostage for
another bill like any good public records or I guess good any piece of legislation, it
always gets held hostage for something else. Rumor has it that it may have its
concurrence, though, tomorrow. We’re really hopeful because this will
make my life a lot easier when I’m trying to work managing information,
especially in the cloud. I originally wanted to change it for social
media, but it really even becomes more important when you’re trying to manage
information in the cloud. Are there any questions, or anybody have
anything right now that they have a question on? So we came up with this idea of having a
statewide electronic records management system, and it’s now known, affectionately known
as Oregon Records Management Solution, or the Oregon Records Management Solution. We looked at doing it in
house, hosting it in house, and allowing people to just buy off of it. It was far too costly. We couldn’t get the price under 100
and, probably $150 per use or per month, and there was nobody who would
buy into the system for that. The State of Michigan is currently doing
this, pursuing this option in house, and their fee is somewhere between 100 and
$125 per user per month to use the system, and it’ll be interesting to
see how well it’s received and how well theirs is going to be used. We have, so then we decided,
actually, it’s really, it gives, my CIO of my agency is probably as crazy
as I am when it gets to creative, new, and innovative ideas, and so she’s the
one who came up with the SaaS solution, or the software as a service solution. But what were going to be the logistics of it? How were we going to do it? How could we bring it so it actually was
going to make sense and be affordable? First of all, we had — the way the
State of Oregon is set up is we had to get delegated authority from the
Department of Administrative Services to even offer contracts to certain state
agencies because they’re required to buy things from the Department of Administrative
Services and not from us. So we had to leap that hurdle. Then, we had to leap the Department of
Justice’s hurdles over how to actually put this out for big, you know — go through the RFP
process, go as, you know, how narrow to make it, how wide to make it, everything else. So we finally got through all of
that, and that took almost a year of the logistics piece to get it set up. We put the request for proposal out to bid,
and the only thing we did designate was that whatever the solution
was, it had to use HP TRIM as its electronic records management software. And that’s because that’s what we know. That’s what we’re, we know how to use. That’s what we’re using internally. It reinvented the whole looking
at other ERMS systems. When we went out for request for proposal
in 2007, this was the solution we chose as being the best for what we wanted it to do, and that was it’s truly a
records management tool. It was designed as a records management tool. And therefore, that’s its strong point, and
it was very, very user, end user friendly. And those were all the reasons
we chose this tool. So we did state in our RFP that whoever
the vendor was, they had to use HP TRIM. We did get some responses back, and the
winning vendor came from Baker City, Oregon, which is clear on the other side of the state. It’s almost 400 miles from Salem. It’s closer to Idaho, the Idaho
border than it is to the valley. And the Synergy Data Center. And they’re not necessarily a new company,
but they have a fairly new data center, and they were looking for applications to host. And they’re highly dedicated to this
process because of a new reasons is, A, they truly believe that the data center
that they’re offering is superior to anything the rest of the state has, and B,
for every 100 jobs they create in Baker City, it’s like creating 50,000
jobs in Portland, Oregon. So they see this as a huge boon
for their economy over there. And they have really good
IT people surrounding them. What they did in turn was
partner with, they bought and brokered all the licenses through HP TRIM. I mean, all the HP TRIM licenses
through Hewlett-Packard. So we didn’t even negotiate with them. We only negotiate with the
folks at Chaves Consulting in the Synergy Data Center, so
our partnership is with them. They can have a multitude of partners out there. Couple of things that we insisted upon was
is that, A, this had to be a private cloud that we would control all our information. They could never remove our information
from it because we are setting this up based on retention and disposition. We’re not setting it up for them to, you know,
we don’t care about what their storage is, so if we can’t expand their storage, then that
wasn’t going to be a feasible solution for us. So we set that up in the contract
so that it is a government cloud. It is a State of, you know,
a State of Oregon cloud. However, we are looking to maybe
partner with Washington and Idaho, but that’s another story for another day. So we, you know, we’re sitting there. They’re in a completely different
geographic area than we are. They are in a geographic basically
safe zone, whereas in the valley, we’re subjected to earthquakes
and volcanic activity. Baker City is basically a geographically
neutral area, unlike the coast. We couldn’t go to the coast because
of the tsunami hazard over there. So really, it was nice having it in a
different part of the state and from a part of our security and disaster recovery era. So that’s why, and they are
a Tier 3 data center. We ask for a minimum of a Tier 2 data center. They actually are a Tier 3 data
center, so that means they meet, they exceed even a state data center for
security and the ability to upgrade and grow. So that’s why we asked the
state data center to host it. They had absolutely zero interest in it because they were having a hard enough
time just managing the day-to-day stuff that they currently have. So we have got a really good
partnership with them. And to date, we have 9 pilot agencies, and
they’re all centered in the Salem/Portland area. We have 3 state agencies and 1 park and
recreation district, and the rest are cities. It was interesting because when we went
before the legislature to the session, the first comment out of one of
the legislator’s mouth were, “Well, this will probably be way too expensive
for any small entity to enter into.” And when I told her that we’re one of the first
signers on with a park and recreation district, I think she almost choked, but it is an
application that really lends itself to small, medium, and large agencies
because you only pay for the number of people who are using the system. And there is direct lines,
high-speed lines to the data center. So the folks here will be putting their data in. It will go into the data center over here. And the TRIM application resides on the servers
over in the data center with a, you know, with the application being
technically, virtually mirrored on their computers at their workstation. So it’s no different than how you use Word. You just use the TRIM product
and put your records in, and when you want to recall
them, you do it the same way. So we feel really confident that this is,
I mean, we’re still in a piloting mode. So, but we’re really confident
there’s nothing that lends us to think that it’s not going to work on this. There, I mean, from a technology standpoint,
it, here’s nothing there for it to fail. From a records management standpoint,
there’s really not much to fail. So I guess it’s a capacity
standpoint we’re looking at now. This is, are we going to have problems
with when we have thousands of users on it? Will we have a problem? We don’t anticipate it, but it is
something that we are looking at as a pilot. We currently have 9 agencies
in the pilot program. The system was configured on June 10th,
and data starts going in this week. And the first agency to put data in
will be the Department of Energy, who was one of our first signer-onners. The Secretary of State will be
moving all of their information over, but it’ll be after July 1 just because of
scheduling issues with our IT staff and, because we’re on a stand-alone system
right now, but we’re going to move over to the software as a service application. One of the big reasons that
we’re going to move over is cost. And I hope you can all see his slide. When we implemented TRIM, our total
cost was just under a million dollars. It was $915,000. We pay on a monthly basis a little over
70, well, $78.56 per month per user. That’s our maintenancy as a
stand-alone system that we’re paying to HP every month based on our users. As you can see in the far corner over
here, on the far right-hand side, the statewide service, the
monthly fee is $37.02. So we’re going to be saving over $38 a
month per user just by going into the cloud and using the software as a service model. That equates for us of over $100,000, the
agency as a whole of over $100,000 worth of savings per, you know, for the agency. So it didn’t make sense for us
to stay in a stand-alone system. Plus, after 5 years, we would have to refresh
our hardware, and that’s an added cost. We asked HP to give us some ballpark
numbers for 500 and 1000 users, and that’s what these next 2 columns look at. And as you can see, 500 users
is roughly the 1.15 million. A thousand users, about 1.77 million. And the monthly fees would be
57.83 or 47, I think 47.50. So it’s pretty expensive to stay stand alone,
and that’s what’s prohibiting a lot of agencies. They want to do this. They want to manage their information because
they don’t want to take the risk anymore of not having it managed in a manner
that’s systematic and routine. The, to go stand alone was
way too cost prohibitive. And so now, they’re looking
at, well, how can we do this? And so when we came up with this option, we
had a number of folks jump on, and thankfully, one of the first, well, the very first
city to sign on was the City of Beaverton because they had that major lawsuit,
and they’re being sued almost every day for poor management of their records. And so now, they’re putting their
information into a records management system. They were originally just going to go with
an e-discovery solution, but that never, it still didn’t manage their records. It just told them where they were. It would do fine searches, but it
didn’t really solve the problem of managing records and managing information. So they jumped on early, and their city
council, although we had some pushback from their IT folks, their city council was,
like, gung ho because they saw this as a way to get some credibility back
with their citizens. The next slide just kind of shows the
cost of, per user or, yeah, over 5 years and the total cost for ownership. And as you can see, the bottom
line is the state service, and these other lines are stand-alone systems
based on, you know, how many users you have. Our goals — we have, we do have goals —
for our first year, at the end of 1 year, we want to be able to have
2000 users in the system. Right now, at the agencies
that we have committed, we have closer to 3 or 4000 users right now. And so these are, you know, by the end
of 5 years, we hope to have 20,000 users. However, with the amount of inquiries and
amount of interest that I’ve had in this, I think it will be much sooner than 5
years that we’ll hit our 20,000 users. And as you can see, the cost, if you’re in
a stand-alone system, they stay the same. It doesn’t matter how many users that you have. You know, you’re going to pay
the same as stand-alone system because you’re not adding anybody, really. There’s no economies of scale. But as you see in the statewide system, you
know, when we hit 3000 users, we go down to $26, then we go down to 17, and
13, and then finally $10.54. And once we hit 20,000 users,
we’ll negotiate a new price scale. So there’s always cost savings because you’re
always adding more users on the system. So it really does make sense to share
something like this because it’s not something that everybody can afford, but if you make it
so that you can take advantage of, you know, and the State of Oregon, you know, has I
don’t know how many millions of people in it, and you don’t, you know, how many
of those actually are affiliated with a government entity or
work for a government entity? You know, we can have a million users
and have a really cheap cost, you know, that we would never see if we
all were having our own system. So really, it’s good government. And then, from a purely selfish point of
view, it’s, not only is it cost effective, but as the state archivist, I’m responsible
for all of these records, and really, if I have them in 1 system, it’s a heck of a
lot easier for me to deal with than I have, if I have to have, you know, 5 different
ERMSs that I’m dealing with or, you know, they’re all in a variety of systems. So it, for me, it, it’s cost effective,
it’s efficient, and then, like I said, from a selfish point of view, it’s easy. So really, is it worth it? I would say yes. And I guess I won’t have a definitive answer
until we’re done with our pilot agencies. I just think this is very good government. We need to manage our electronic information. It’s not being managed now. Even those with the best intentions have files
and, on file services that are in software that is no longer able to accessed or read. We are spending millions of
dollars in storage per year. I kind of equate — I was asked to
do a presentation before the folks who use the state data center, which is
projecting a 500% growth over the next year with the agencies that are already there. And basically, that equates really, we’ve
become a society of virtual hoarders. So any of you have seen that show Hoarding:
Buried Alive, that’s what we are when it comes to information on our servers
is we don’t manage it. We just push it away. It’s out of sight, out of mind. And if we were in the paper world still and we
had that much information, we would all be fired because nobody would’ve bought us
all those extra filing cabinets and warehouses to store this information in. It’s just, it’s out of sight, out of mind. We don’t manage it until we get an e-discovery
request, a public records request, or, you know, which it comes to the point where we
have all this obsolete information, and we have no clue as to what it is. And so can we throw it away? We don’t know because we don’t really know
what it is, so we don’t know what [inaudible] to apply to it, and we really
have no way of accessing it. So electronic records management
system is something that is really, I think is key to any archives and
records management program down the road. Having it in the cloud I think is a way to
make it affordable for the largest agencies as well as the smallest agencies. And it just makes us more cost
effective and more efficient. And I know those are the buzzwords of the day
for most state agencies, but I think that, you know, whether it’s in the cloud
or whether it’s stand alone, you know, you can make your case for both, but
I think this is an application that, in the right situation, in the
right cloud, because of all the, those steps that we took ahead of time to make
sure that we could manage, we could control and actually manage information in the
cloud, this is really a good solution for us. And we have put in a grant to see if we
can’t get the State of Washington to look at doing their, using our cloud for
their records management solution and then taking the permanent
records and also storing them at the Washington State Digital
Archives in Cheney, Washington. So working kind of a cooperative venture —
2 clouds, 1 that’s storing permanent records, 1 that’s managing the day-to-day information. And I really hope that we get the opportunity
to do that and get the grant to do it. So I guess it’s been a lot of work. It’s not something that was created overnight. But I think that using the cloud in the right
situation is a really viable alternative to managing stuff independently
and on their own. And I think really, with such a weak
economy, people had to look at ways, better ways to do things,
so we’ve got to save money, and that’s why the cloud has
really come to the forefront. We have issues that we need to deal with. Security is a huge one. But again, if we can kind of all look at,
you know, you’re the user of the cloud, and the users can have a large voice. And if your vendor doesn’t want to make
the cloud secure, the vendor doesn’t want to do different things, if the users
band together and work with that vendor, they’re going to leave the vendor
and go to somebody who will. So I think we, as more and more people
enter into the cloud, I think you’re going to see a lot of changes as far as
security, and portability, and updatability, and that sort of thing with
what’s going on there. And, but I guess only time will tell, but I don’t think the cloud is going
away unless something new comes up down the road that’s better, and
bigger, and which I’m sure it will. The one thing I’ve learned in 30 years of
doing this is there’s something always new around the corner, and that’ll
be bigger, better, and faster, and so it’ll be something else
that I need to use and learn. So if you guys have more information, you
have questions, if you have questions — do you feel that 1 software can meet
the needs of all state agencies? For electron records management, yes. I think it will. I think you need to find the right product. I know we have a couple of agencies that are
playing around with a couple other products, and they haven’t been able to fully implement. We were able to implement a lot quicker. I think it depends on who’s offering it and
who’s controlling, you know, managing it. I think the real advantage for us is we’re
the ones who are providing all the training and information for these guys, so they get
an advantage because they, for their $37, they’re getting undivided archives
retention and records management retention. But I think that there are other things
that people can put into the cloud, and I think that’s what’s going
to end up happening is you’ll see that states will start putting
more applications in the cloud. And once you get at a secure government
cloud, I think, I wouldn’t be surprised if we find other things to have
Synergy host for us as an application. I really do think that. That’s one of the — the second question was,
how do you move permanent records from the cloud to a digital preservation repository? That’s a good question. That’s what we hope to find out from
that grant is how hard or how difficult, or easy or difficult is that going
to be, and is it even feasible? And it’s going to depend a lot on Washington’s
IT folks and then our IT folks and contractors. Does HP TRIM follow DoD’s 5015? Yes, it does, and that is
a statewide requirement that any electronic records management system that any agency purchases has
to be DoD 5015.2 certified. It can’t just be compliant. It has to be certified. That was one of the keys that, to make
it give me the latitude that I need as the state archivist to ensure that these
systems are going to be around for a while and that I can move information around.>>Hi, Mary Beth. What a wonderful summary and presentation. Thank you very much. You used the word “social media”
once in your presentation. Do you intend to use software as a
service or the TRIM HP technology to manage social media in the future?>>[laughs] Yes. We’re trying to figure out to do that. One, the problem is, really right
now, is trying to capture something that was never intended to be captured. What we’re hoping to do is, with the
change in the law, is basically say that, I don’t care if you put it on Facebook. I just want to be able to — you can send it to
me in a Word document or, whatever you posted, you can send it to me in another format because the content is what we care
about, not the medium that it’s on. So, and in that case, those
documents would be put into HP TRIM. There are a couple of things that are out
there that you can capture social media in that basically exports the content into an
Excel spreadsheet or a tab-delineated text file. Those things could go into TRIM too. But I think [inaudible] developed a long way
and more government agencies are using it, they’re going to kind of,
we’ll see products developed and maybe that are better at capturing. And then, yes, we would be putting that
information into the TRIM database. Okay, we got a second, another question is– Let’s see. Do I have any idea how many state archives are
using the cloud, and who are some of the others? I know of nobody using it for
this particular application. In fact, it has become a vendor frenzy out here. I think, because I can’t copyright our
idea or our solution, so I know for a fact that HP is trying to [inaudible]
put together their own application. I know Michigan is doing
something, but it’s more internal. They really haven’t gone out to the cloud
unless, because they’re hosting it internally, so I really don’t, I think there’s a lot of
states who are using the clouds for email because it’s, that’s an easy savings to
justify, but there’s nobody who’s using it to manage their records that I know of. Let’s see. How did I get around the legal requirements
pertaining to government security on the cloud without directly owning the data stored? Well, the nice thing about
the cloud that we’re in — it is a private cloud, and we do control the
information, and we do own the information. And that’s clearly stated in our
contract, and our attorneys made sure that was clearly stated in the contract. And then, every entity that enters into the
service level agreement with the contractor or the vendor, it clearly states in
there too that it’s their information. They own it and they’re controlling
it through the use of HP TRIM. One of the things that we are doing is we’re
still going, the state archive, that is, is still going to control the destruction. We will send out quarterly
destruction requests to the agencies, and they will give us permission to delete. We toyed with the idea of giving each
agency that option and then realized that we would quickly, because I know
from working with government agencies, you get most people who never destroy
a thing or those who are going to try to manipulate it a little bit. So we’re controlling that part until
such time as I have the confidence to maybe switch that over to them. But in the, for as long, as the very near
future and the future out there for a while, we will continue to do the destructions
of the actual information in the system. So we were able — everything we did was
with regards to abiding by the statutes for ownership of public information. And then, the nice thing is, too, is this piece
of software allows us to have a web portal so the public can directly
access the immediate, the record, because we’re also classifying our information
as to whether it’s readily available. It has to be available to the
agency, is secured or is critical, so we have a classification 1 through 4. The 1’s are all readily available. All that information immediately
goes out to a public web portal so that the public can directly access it. So we’re actually making the information more
accessible than it currently is right now. So the public is still the
owners of the information. Okay, the next question is, it seems that an open-source ERMS software
would have great benefit long term. I understand that Alfresco’s the only
one that claims to be open source. Do you think there is a need for such
a development in the RM profession? I’ve been waiting almost 15 years
for the National Archives to come up with their solution and
haven’t gotten it yet. Couldn’t wait any longer, so went
out — I think it is a natural. I don’t know why it happens that we
haven’t had something that was out there. I think part of the reason is that,
from a purely vendor standpoint, is, why should they develop something that
everybody’s going to be able to use when you can sell it and make money off
of it as opposed to being, you know, open source and not maybe so profitable? You know, I don’t know. I mean, I’m all for one that I like simple. I like easy. I don’t like reinventing the wheel. So I think it’s a great thing. How long it’s going to be before
we get there, I don’t know. It would be nice. Let’s see. I’m new in this area, but I’m wondering
how the records are organized in the cloud. Does every agency have control over
how their records are organized? Yes. Every agency has a sector of
the cloud or their information. So I, well, I as the system administrator
can see everybody’s information, but let’s say I as the Secretary of State
cannot go in, and look at, and control, do anything to the City of Beaverton’s records. The City of Beaverton can’t play
with City of Milwaukee’s records. And on and on. So everybody has their own control,
and that’s set up by doing — there’s a lot of things in the
background that have to happen. For every agency that we work with, we
develop a file classification system based on the record’s retention schedule and
their core, their business processes. And we set up roles and responsibilities for
every single [inaudible] user within the city or within the agency that’s in the system
so we can control things like that. But all of Beaverton’s employees have 1 part
of it, so they’re sectored off in the system. Let’s see. Although you own the data, are you
hosting within your own infrastructure, or is it in an external site using VMs? In which case, writing your SLA, did
you negotiate for notification in case of hacking or other security breaches? We are going — currently, we’re internal. We have our own infrastructure. But after July 1, we will be
moving to the external site. And yes, in our SLAs, we did negotiate
all of this stuff for notification, for, and hacking and other security breaches. We insisted upon certain levels of
security before we would even enter it. Like I said, we insisted they
had to be a Tier 2 data center, which means they have a certain level of
infrastructure built in for security purposes, and redundancies built in,
and that sort of thing. We also have contingencies within — I don’t
know what the legal term is in the contract, but, you know, if this happens or if
something happens, who’s responsible and, you know, what steps need to be taken? So we were very careful in putting, you know,
step by step, having that process clearly stated because we did not want — I mean, if you’re,
it’s one thing if we were doing it ourselves, the Secretary of State was the only ones
doing it, but when you start adding in cities, and counties, and other state agencies. And some of the state agencies, one
of the state agencies that’s on board in the pilot is Department of Human
Services, their Child Welfare section. The last thing I need is a data breach
with child records, children’s records, and so we had to make sure that we had
all this clearly outlined in the contract. And as I said earlier, the data
center we’re in is actually Tier 3, so they even achieved higher
levels than a Tier 2. So they assure us, and we have it in all the
contract that we’re pretty secure on this.>>Thank you very much, Mary Beth. I enjoyed your presentation, and the
participants had excellent questions. So we really appreciate your being with us this
evening, and thank you, everyone, for attending. [ Music ]