GTEC 2010 | October 4-7 | Westin Hotel | Ottawa, ON, Canada

Archive for the tag 'Compliance'

News south (err… north) of the border this week as controversy erupts over the email of a current state governor and vice-presidential nominee. This issue first hit the radar with the apparent hacking and inappropriate distribution of email sent through a free hosted service, but it has now resurfaced as the focal point of a debate over transparency, email records and the appropriate use of communication channels that could be subject to Open Records legislation. Alaska’s Open Records Act defines public records very much as any North American jurisdiction with Access to Information or Freedom of Information “sunshine” laws does:


books, papers, files, accounts, writings, including drafts and memorializations of conversations, and other items, regardless of format or physical characteristics, that are developed or received by a public agency, or by a private contractor for a public agency, and that are preserved for their informational value or as evidence of the organization or operation of the public agency


While this particular incident is receiving front-page attention because of the impending US election, it most surely is not an isolated incident or one restricted to the public sector. Enterprise Content Management and Records Management professionals have, since 2001, been working to develop awareness, solutions and information governance strategies to meet rigorous disclosure, records retention and electronic discovery requirements in the US and, increasingly, in Canada.


The Alaskan email controversy serves as a wake-up call to information management practitioners regardless of the jurisdiction or department we serve: public business communication must be preserved, protected and disclosed regardless of the individual format, program or communication channel that is used.


Back to basics: manage the content, not the container it came in. Use of unsanctioned email, text, chat or other electronic communication tools does not exclude the record from an ATIP/FOI request or discovery order in most jurisdictions. Unmanaged, uncontrolled business correspondence is a time bomb in government and commercial enterprise alike.


Transparency is as crucial a component of compliance as is a retention schedule. 

Government tech types intrigued by cloud computing (there aren’t a lot of you, but you know who you are) may wish to reflect on yet another problematic point: compliance.


As Sara Peters of Information Week noted recently, “thorough logs are the key to proving compliance with security regulations.”


“So how,” she wonders, “do you prove your organization is/was compliant when you aren’t able to maintain logs?”


Peters works from a definition of the much-defined term “cloud computing” drawn up by Michael Crandell of RightScale. It’s “…the notion of providing easily accessible compute and storage resources on a pay-as-you-go, on-demand basis, from a virtually infinite infrastructure managed by someone else. As a customer, you don’t know where the resources are, and for the most part, you don’t care. What’s really important is the capability to access your application anywhere, move it freely and easily, and inexpensively add resources for instant scalability.”


Right; elegantly phrased. Peters riffs on this in language that is particularly pertinent for public sector folk:

“The parts of this definition that unnerve me are ‘managed by someone else’ and ‘you don’t know where the resources are.’ I’ve not yet investigated any of the usage agreements or discussed this with the companies that offer cloud services, but my guess is that organizations have neither the authority nor the ability to establish log settings, maintain logs, or view logs of any activity conducted on that ‘virtually infinite infrastructure.’

“This is particularly worrisome if you are (and I really hope you aren’t) using cloud computing services for storing sensitive/protected data. Wouldn’t you like to know whom else’s data is stored on the same server as yours? Wouldn’t you like to know when, by whom, and where to your data is copied? Wouldn’t you like to know (in the quite likely instance that the cloud data centre is employing the use of server virtualization) when the server VM holding your data is migrated to some other server? Wouldn’t you like to know that all of these things were done securely? I doubt many organizations are using cloud computing in this way, yet, but it’s worth making note of when revamping your risk model for 2009.”

She’s got more, but the point is clear if arguably unoriginal. Be careful with the cloud.


Open Text hosted its annual Canadian Public Sector Days in Gatineau, Quebec on September 16-17, 2008, and was pleased to host 600 registrants not only from the Canadian federal government but from provinces, cities and regional governments as well. University of Waterloo Dean of Arts Dr. Ken Coates provided an inspirational and thought-provoking keynote on Tuesday morning, challenging public sector professionals to take up the task of helping propel Canada into a leadership position internationally by accelerating our Digital Depth and becoming an information-rich nation.


One of the sessions I delivered covered an area that has been a focus of my interest and research for the last year: Information Governance. Inspired by research from www.gartner.com over the last two years, Information Governance challenges information management professionals to think beyond compliance and retention pressures when considering an information management strategy. According to researchers Debra Logan, Toby Bell and Ted Friedman, Information Governance is a “strategic business discipline that better controls data via valuation, policies and process”. It “requires cross-disciplinary business and IT strategy … that better relate people, policies, processes and technology to the information needs of business leadership”.[1]


We know that the public sector faces emerging challenges: demographic shifts due to the pending retirement wave; the disruption to content and processes when reorganizations, mergers/spinoffs or elections occur; the rise of the 2.0 culture and the cultural and technology changes it implies; and the constant need for vigilance in business continuity and emergency preparedness so that citizen services keep being delivered during periods of crisis. These challenges can only be adequately addressed by creating strategic perspectives and objectives for the management of government information. That means striking the right balance between security and open disclosure, aligning retention and storage practices with the value and importance of content types, and ensuring meaningful categorization, metadata assignment and access controls on information throughout all key stages of its lifecycle: creation or capture, revision and review, publication and consumption, and final storage and disposition.


Canadians can be proud that our federal government is internationally recognized as a leader in defining Information Governance strategies. The most recent articulation of the “Management of Government Information” mandate by the Treasury Board is clear: government must “…achieve efficient and effective information management to support program and service delivery; foster informed decision making; facilitate accountability; transparency and collaboration; and preserve and ensure access to information and records for the benefit of present and future generations”.[2]


Open Text is pleased to partner with government to help build an Enterprise Content Management framework as part of a strategic approach to information governance. We are committed to providing ongoing education and communication to our Canadian public sector customer base.


[1] Toby Bell, Debra Logan and Ted Friedman, “Key Issues for Establishing Information Governance Policies, Processes and Organization”, Gartner, Inc., February 2008.


[2] Treasury Board of Canada Secretariat, “Policy on Information Management”, http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/tb_gih/pim-pgi01_e.asp#pim-pgi5


Interesting developments south of the border…


On July 30, 2008, the US Securities and Exchange Commission (SEC) voted “unanimously” to start looking at web sites, specifically emerging interactive technology, as new ways to open up channels of communication and disclosure between corporations and the investor and shareholder community. According to SEC Chairman Christopher Cox in the July 30 statement, “Ongoing developments in technology have increased both the markets’ and investors’ demand for more timely company disclosure on the Web, and in turn, raised new securities law issues for public companies to consider”.


While on the surface this new guidance might not have direct applicability to the Canadian public sector, the statement represents a critical turning point in the journey to Government 2.0. Increasingly, regulatory and legislative bodies are being compelled by emerging technology and changing information worker habits to look at new content forms and channels. This SEC development recognizes that corporate disclosures can now legitimately be made through new communication channels, including blogs and investor communities or forums. Companies that want to pursue cost-effective and interactive shareholder communication can now explore the Web 2.0 inspired tools that have proved so valuable in other areas of customer engagement.


Open Text will be watching this interesting collision between 2.0 culture and content and the legal compliance obligations we see in both the private and public sector. As new forms of content and online communication become more widely accepted in the eyes of courts, regulatory bodies and public sector agencies, those of us who are concerned with records retention, preservation, corporate memory and appropriate disposal policies need to think hard about how new 2.0 content types are handled. Ensuring that information governance strategies and retention best practices extend to the next generation of electronic content is what we do best.


Click here if you’ve thought about these issues. We want to know: Are You Ready?

The other day I was re-configuring a VMware instance of our SiteMinder product when a simple realization hit me. What if this was an image containing some kind of secure application or sensitive financial data? I would be able to change the application, change the data or plant a virus. And if someone else with no knowledge of my attack copied the image to a production environment, they’d have no idea that something was wrong. Imagine if I had access to hundreds or thousands of images. The amount of damage would be significant.

The answer is governance. More precisely, it’s about setting up a process to ensure that access to sensitive images is properly managed and audited. This suggests that virtual images, or virtualization itself, could benefit from some of the traditional identity management best practices. So let’s examine specific issues that would have to be addressed.

First, a virtual image needs to be given an identity. It’s not sufficient to think of an image as a simple resource. Images end up running on virtual hosts, consuming host resources and running applications. Hence images require an identity that can be tracked. We have to track not only the user tinkering with the image, but the image itself, because it will run on a virtual host. And while we’re at it, we have to track the virtual host itself. But we already knew that governance must be comprehensive.

Now that we have tagged an image with an identity, we can apply traditional identity management processes to virtualization. With the focus on the administrator, we can:

- Administer specific images
- Establish role-based administrative access
- Delegate administrative access
- Enforce administrative separation of duties (SoD)
- Approve administrative change requests
- Audit administrative actions
- Generate compliance reports and perform attestation
- Remediate excessive administrative rights

Additionally we can begin to express policies that govern the rights an image has on a virtual host at run-time. Specifically we can:

- Restrict an image to run on a specific host
- Prevent an image from executing specific applications or using specific host resources
- Capture and correlate events generated by the image
- Generate reports on run-time behavior

This list of capabilities looks a lot like traditional identity lifecycle management being used to mitigate risk and address compliance requirements, doesn’t it? With the use of virtualization on the rise, the need for IAM systems to manage virtualization will emerge.
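The following is an added example, not code from the original post or from any VMware, SiteMinder or IAM product. It is a small Python model of the governance process described above: images and hosts each receive an identity, administrators hold role-based rights, a change request must be approved by someone other than its requester (separation of duties), every administrative action lands in an append-only audit trail, and a run-time policy refuses to start an image on a host it is not bound to. The role names, rights and the `ImageGovernance` class are assumptions made for the example; a real deployment would keep the entitlements in the IAM system rather than in the virtualization manager.

```python
"""Toy identity-based governance for virtual machine images (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid

# Role -> administrative rights. Constructed for this example; in practice the
# IAM system is the source of truth for these entitlements.
ROLE_RIGHTS = {
    "image-admin": {"request-change"},
    "change-approver": {"approve-change"},
    "auditor": {"read-audit"},
}


@dataclass
class Image:
    """A virtual image gets its own identity, not just a file name."""
    name: str
    allowed_hosts: set                      # host identities the image may run on
    image_id: str = field(default_factory=lambda: "img-" + uuid.uuid4().hex[:8])


@dataclass
class Host:
    """Virtual hosts are tracked as identities as well."""
    name: str
    host_id: str = field(default_factory=lambda: "host-" + uuid.uuid4().hex[:8])


class ImageGovernance:
    def __init__(self):
        self.images, self.hosts = {}, {}
        self.roles = {}       # admin -> set of role names
        self.pending = {}     # change_id -> (requester, image_id, description)
        self.audit = []       # append-only audit trail of administrative actions

    def _log(self, actor, action, target, outcome, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "target": target,
                           "outcome": outcome, "detail": detail})

    def _rights(self, admin):
        return set().union(*(ROLE_RIGHTS[r] for r in self.roles.get(admin, ())))

    def register_image(self, name, allowed_host_ids):
        img = Image(name, set(allowed_host_ids))
        self.images[img.image_id] = img
        return img

    def register_host(self, name):
        host = Host(name)
        self.hosts[host.host_id] = host
        return host

    def assign_role(self, admin, role):
        self.roles.setdefault(admin, set()).add(role)

    def request_change(self, admin, image_id, description):
        """Role check: only image-admins may open a change request."""
        if "request-change" not in self._rights(admin):
            self._log(admin, "request-change", image_id, "denied", "no right")
            return None
        change_id = "chg-" + uuid.uuid4().hex[:8]
        self.pending[change_id] = (admin, image_id, description)
        self._log(admin, "request-change", image_id, "ok", change_id)
        return change_id

    def approve_change(self, admin, change_id):
        """Role check plus separation of duties: requester may not approve own change."""
        requester, image_id, description = self.pending[change_id]
        if "approve-change" not in self._rights(admin):
            self._log(admin, "approve-change", change_id, "denied", "no right")
            return False
        if admin == requester:
            self._log(admin, "approve-change", change_id, "denied", "SoD violation")
            return False
        del self.pending[change_id]
        self._log(admin, "approve-change", change_id, "ok", f"{image_id}: {description}")
        return True

    def may_run(self, image_id, host_id):
        """Run-time policy: an image starts only on hosts bound to its identity."""
        allowed = host_id in self.images[image_id].allowed_hosts
        self._log("hypervisor", "start-image", image_id,
                  "ok" if allowed else "denied", host_id)
        return allowed

    def excessive_rights(self):
        """Attestation helper: admins who could both request and approve a change."""
        return sorted(a for a in self.roles
                      if {"request-change", "approve-change"} <= self._rights(a))

    def denied_actions(self):
        """Compliance report input: every denied action in the audit trail."""
        return [rec for rec in self.audit if rec["outcome"] == "denied"]


if __name__ == "__main__":
    g = ImageGovernance()
    prod = g.register_host("prod-host-1")
    img = g.register_image("payroll-app", [prod.host_id])
    g.assign_role("alice", "image-admin")
    g.assign_role("bob", "change-approver")
    cid = g.request_change("alice", img.image_id, "apply security patch")
    print(g.approve_change("alice", cid), g.approve_change("bob", cid))
    for rec in g.audit:
        print(rec)
```

`excessive_rights()` is the remediation hook: an administrator who holds both the request and approve rights can bypass the SoD check only by colluding with nobody, so the attestation report flags that person before any change is made rather than after.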

And while IAM for virtualization will work for a few virtual images, the only way to scale is for virtualization management systems to integrate with IAM systems. Such integration will enable end-to-end virtualization governance and deliver additional value for organizations that have already adopted IAM processes.

It’s likely that existing IAM systems will be called upon to support virtualization (we don’t want redundant silos of IAM, do we?) and to integrate with virtualization management systems. To support such integration, IAM systems have to become service-aware and offer IaaS (Identity as a Service) capabilities.