ISO/TR 22428-1:2020

TECHNICAL ISO/TR
REPORT 22428-1
First edition
2020-09
Managing records in cloud computing
environments —
Part 1:
Issues and concerns
Gestion des documents d'activité dans les environnements
d'informatique en nuage —
Partie 1: Enjeux et préoccupations
Reference number
©
ISO 2020
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Stakeholder model . 4
4.1 General . 4
4.2 Cloud records management service customer . 5
4.2.1 General. 5
4.2.2 Cloud records producer . 5
4.2.3 Cloud records manager . 6
4.2.4 Cloud records user . 6
4.3 Cloud records management service provider . 6
4.3.1 General. 6
4.3.2 Records management SaaS provider . 6
4.3.3 PaaS provider . 7
4.3.4 IaaS provider . 7
4.4 Cloud records management service partner . 7
4.4.1 Cloud records management agent . 7
4.4.2 Cloud records management auditor . 7
5 Cloud records management environments . 8
5.1 General . 8
5.2 Records management processes in the cloud environment . 8
5.3 Metadata in cloud records management services . 9
5.4 Cloud reference architecture for managing authoritative records .10
6 Use cases in cloud records management .11
6.1 General .11
6.2 SaaS shared by customers .12
6.3 SaaS developed by customers .13
6.4 Records management based on IaaS .13
6.5 Multiple IaaS used by customers .14
6.6 Records management agent .15
7 Risks in cloud records system .16
7.1 General .16
7.2 Cloud service risks .16
7.3 Cloud system risks .18
7.4 Cloud stakeholder risks .19
8 Social and legal issues of cloud services .19
8.1 General .19
8.2 Legal issues .20
8.2.1 General.20
8.2.2 Cross-border data jurisdictional issues .20
8.2.3 Inability to enforce contractual terms .20
8.2.4 Non-negotiable licensing terms .21
8.2.5 Data ownership issues .21
8.2.6 Conflict between the terms and conditions .21
8.3 Social issues .21
8.3.1 General.21
8.3.2 Limitations of technical security .22
8.3.3 Social impact of personal information leakage accidents .22
8.3.4 Unavailability of personal records.23
8.3.5 Risk of long-term preservation of records in the cloud service .23
Bibliography .24
iv © ISO 2020 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out by
ISO technical committees. Each member body interested in a subject has the right to be represented on
the relevant technical committee if such committee has been established. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates
closely with the International Electro-technical Commission (IEC) on all matters related to electro-
technical standardization.
The procedures used to develop the present document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the various approval criteria needed for
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be listed in the Introduction
and/or on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is given for the purpose of information for users’ convenience
and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO-specific terms and
expressions related to conformity assessment, as well as information on ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/ iso/
foreword .html.
This document was prepared by Technical Committee ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
A list of all parts in the ISO 22428 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
Introduction
A cloud service refers to capabilities offered via cloud computing where users can borrow, to use
flexibly, physical or virtual resources which include software and platform, as well as computing
infrastructure, such as data storage and computing servers. The cloud service offers benefits, such as
dynamic scalability, enhanced organizational agility, resilience and cost reduction, enabling improved
organizational competitiveness and efficiency. Cloud services are emerging as an essential aspect of
information technology due to location-independent resource sharing, availability via the Internet and
mobile devices, and the ability to deliver on-demand services and lower costs.
Currently, the explosive growth of digital content through mobile platforms and the Internet of things
is driving organizations to move their computing systems and information assets to the cloud. As a
result, a number of companies and government organizations have shifted their business systems to
cloud services, and many other organizations are planning to adopt cloud services. In the near future, it
is expected that most data will be processed and stored in cloud services.
Cloud services might prove to be an alternative for organizations that are reluctant to invest in
establishing their own computer systems for digital records management. Cloud services can provide
the software, hardware, and platform needed to implement a system for records at an affordable price.
It is often not easy for an organization to implement a system for records that meets all the criteria set
out in ISO 15489-1. If there is a cloud service that satisfies all the criteria set out in ISO 15489-1 and
which is provided at a low price, organizations have good reasons to consider using the cloud service.
However, organizations can be reluctant to adopt cloud services for their records management due
to unknown risks, safety and privacy concerns, and an absence of convincing use cases. While the
advantages of cloud services are well-advertised, awareness of the risks and issues that should be taken
into account in a records management context is often lacking.
Cloud services are based on the concept of borrowing computing resources provided by third
parties. The functions, processes or architectures inside the cloud are not disclosed externally. Even
if a customer agrees with a cloud service provider about their requirements, it is difficult to know
in advance whether their requirements can be met. In particular, it can be very difficult for general-
purpose cloud services to fully satisfy the requirements of the records management process. There are
various types of cloud services according, each of which offers different capabilities. In order to apply a
cloud service to the records management task, the customer could select a cloud service that is suitable
for the characteristics of the records management. The customer also to understands the general
characteristics of cloud services. Otherwise, there is a possibility that desired records management
outcomes will not be able to be delivered after adopting a cloud service.
In addition, in the case of large cloud services, cloud systems can be distributed around the world
transcending national borders. Users from various countries or regional communities can share a cloud
service belonging to a particular country. These characteristics of the cloud can cause various conflicts
and issues because the jurisdictional structure and social environment of the country where the cloud
service provider belongs is different from those of the cloud users. As a result, cloud users can be faced
with unexpected risks associated with immature legal and social agreements for cloud technology.
Therefore, when records managers introduce cloud services to records management, they should
consider the legal and social aspects as well as the technical aspects in advance in order to prepare for
potential risks. Records managers can provide cloud service providers with prerequisites for managing
risks, specified in contracts to reduce the probability of risks coming to fruition. This document aims
to provide guidelines for persons and organizations who are intend to adopt cloud services for records
management.
vi © ISO 2020 – All rights reserved

TECHNICAL REPORT ISO/TR 22428-1:2020(E)
Managing records in cloud computing environments —
Part 1:
Issues and concerns
1 Scope
This document presents a model for cloud records management and outlines the risks and issues that
are considered by records managers before adopting cloud services for records management. The
model for cloud records management includes a stakeholder model, processes, metadata, architecture,
and use cases. Risks and issues are classified into those originating from cloud services internally and
those originating from cloud services externally. Internal risks are associated with cloud services,
systems and stakeholders. External risks and issues can occur in the social and legal context in which
cloud services operate.
The target audience of this document includes:
— records, information, knowledge, and governance professionals;
— cloud service architects;
— archivists using cloud services for managing records;
— developers of cloud-deployed records management software;
— ICT staff; and
— providers of cloud-based records management services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Management system for records — Core concepts and
vocabulary
ISO 13008, Information and documentation — Digital records conversion and migration process
ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO 13008,
ISO/IEC 17788 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
cloud computing
paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual
resources with self-service provisioning and administration on-demand
[SOURCE: ISO/IEC 17788:2014, 3.2.5]
Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and
storage equipment.
3.2
cloud capability type
classification of the functionality provided by a cloud service to the cloud service customer, based on
the nature of resources used
[SOURCE: ISO/IEC 17788:2014, 3.2.4]
3.3
cloud deployment model
ways in which cloud computing (3.1) can be organized based on the control and sharing of physical or
virtual resources
[SOURCE: ISO/IEC 17788:2014, 3.2.7]
3.4
cloud records
digital records created, preserved or managed by a cloud service
3.5
cloud records management
records management entrusted to cloud service
3.6
cloud records management service customer
party that is in a business relationship with the records management service provider for the purpose
of using cloud records management services
3.7
cloud records management service partner
party that is engaged in support of, or as auxiliary to, activities of either the cloud records management
service provider (3.8) or the cloud records management service customer (3.6), or both
3.8
cloud records management service provider
party that makes cloud records management (3.5)services available
3.9
cloud service
one or more capabilities offered via cloud computing (3.1) invoked using a defined interface
[SOURCE: ISO/IEC 17788:2014, 3.2.8]
3.10
cloud service customer
party which is in a business relationship for the purpose of using cloud services (3.9)
[SOURCE: ISO/IEC 17788:2014, 3.2.11]
2 © ISO 2020 – All rights reserved

3.11
cloud SLA
cloud service level agreement
part of the cloud service agreement that includes cloud service level objectives and cloud service
qualitative objectives for the covered cloud service(s)
[SOURCE: ISO/IEC 19086-1:2016, 3.4]
3.12
cloud service provider
party which makes cloud services (3.9) available
[SOURCE: ISO/IEC 17788:2014, 3.2.15]
3.13
IaaS
Infrastructure as a Service
cloud service category in which the cloud capabilities type (3.2) provided to the cloud service customer
is of the infrastructure capabilities type
[SOURCE: ISO/IEC 17788:2014, 3.2.24]
3.14
multi-tenancy
allocation of physical or virtual resources such that multiple tenants (3.21) and their computations and
data are isolated from and inaccessible to one another
[SOURCE: ISO/IEC 17788:2014, 3.2.27]
3.15
PaaS
Platform as a Service
cloud service category in which the cloud capabilities type (3.2) provided to the cloud service customer
is of the platform capabilities type
[SOURCE: ISO/IEC 17788:2014, 3.2.30]
3.16
private cloud
cloud deployment model (3.3) where cloud services (3.9) are used exclusively by a single cloud service
customer (3.10) and resources are controlled by that cloud service customer
[SOURCE: ISO/IEC 17788:2014, 3.2.32]
3.17
public cloud
cloud deployment model (3.3) where cloud services (3.9) are potentially available to any cloud service
customer (3.10) and resources are controlled by the cloud service provider (3.12)
[SOURCE: ISO/IEC 17788:2014, 3.2.33]
3.18
SaaS
Software as a Service
cloud service category in which the cloud capabilities type (3.2) provided to the cloud service customer
is of the application capabilities type
[SOURCE: ISO/IEC 17788:2014, 3.2.36]
3.19
SOA
Service Oriented Architecture
architectural style that supports service orientation and is a paradigm for building business solutions
using IT
[SOURCE: ISO/IEC 18384-1:2016, 2.48; ISO/IEC TR 30102:2012]
3.20
SORMA
Service Oriented Records Management Architecture
reference architecture model for records management based on cloud services, which includes service
components for supporting records management in the form of SOA (3.19)
3.21
tenant
one or more cloud service users sharing access to a set of physical and virtual resources
[SOURCE: ISO/IEC 17788:2014, 3.2.37]
4 Stakeholder model
4.1 General
The cloud stakeholder model in this document is borrowed from the service model provided by
ISO/IEC 17788, and extends it to the records management domain. A cloud records management service
customer is a party that enters a business relationship with a cloud records management service
provider for the purpose of using cloud records management services. A cloud records management
service provider is a party that makes cloud records management services available. A cloud records
management service partner is a party that is engaged in support of, or as auxiliary to, activities of
either the cloud records management service provider or the cloud records management service
customer, or both.
4 © ISO 2020 – All rights reserved

Key
party
entity
Figure 1 — Cloud records management stakeholder model
4.2 Cloud records management service customer
4.2.1 General
Cloud records management service customers use cloud services to produce, transmit, maintain, and
dispose of digital records and metadata. Customers strive to negotiate records management policies
and procedures with cloud service providers on prior to entering the service contract. Customers can
have cloud SLA contracts with cloud service providers to ensure confidence in the quality of records
management.
Customers can be divided into several entities (individuals, teams, organizations) based on their
records management role internally as follows:
— cloud records producer;
— cloud records manager;
— cloud records user.
4.2.2 Cloud records producer
Cloud records producers use cloud records management services to produce reliable records. This
means that the cloud records producer ensures the authenticity, integrity, and reliability of the records
by means of a cloud service. Cloud records producers inspect the records they write and verify that the
records are stored in the cloud service without compromising their attributes.
When creating a record, cloud records producers are able to generate metadata that includes business
context and verify that the metadata are generated without distortion. Cloud records producers is
responsible for verifying that metadata are registered and preserved at a cloud service.
4.2.3 Cloud records manager
Cloud records managers have the responsibility of managing the records of their organization using
cloud records management services. The cloud records manager leverages cloud services to perform
administrative tasks such as registration and preservation of records, migration and conversion,
search/query requests, verification of records integrity, and user authentication. The cloud records
manager is expected to be familiar with the data management policies of the cloud service provider
before using the cloud service, and consult with the cloud service provider if necessary.
The cloud records manager is responsible for reviewing the cloud service, ensuring that all requirements
that arise from business and stakeholder expectations and the organization’s regulatory environment
can be met. The cloud records manager is responsible for inspecting the cloud service to see whether
there are any constraints or problems in the functionalities by which records are created, registered,
preserved, retrieved, browsed, and destructed.
When constraints are required for records management in the cloud, cloud records managers can
establish records management policies and procedures for those constraints, and may make specific
demands from cloud service providers as needed. For example, a cloud records manager may require
a private cloud service provider to store records in a separate repository. The cloud records manager
may ask the cloud service provider for access control policy on the records.
The cloud records manager manages access to records by setting the access level of each cloud records
and specifying the access rights of cloud records users. The access rights of cloud records users are
specified depending on their role, seniority, security clearance, location, etc.
The cloud records manager periodically monitors the registration and classification of records, their
preservation status, and security mechanisms. Cloud records managers can maintain records stability
and security quality beyond a certain level through the cloud SLA contract with a cloud service provider.
In addition, the cloud records manager establishes a disaster recovery plan in advance with the cloud
service provider in order to resolve any potential problem related to records within the cloud service.
4.2.4 Cloud records user
A cloud records user is an entity (such as an individual, team, or organization) that searches, accesses,
or browses records through cloud services. Cloud records users are authenticated to cloud service
providers before they use records. Cloud records users' authorization to access to cloud records is
managed by the cloud records manager.
4.3 Cloud records management service provider
4.3.1 General
Cloud service providers are classified as IaaS providers, PaaS providers, and SaaS providers, depending
on the capabilities they provide, and have the roles and responsibilities necessary to perform secure
and reliable digital records management.
4.3.2 Records management SaaS provider
A records management SaaS provider is a party that provides application services for records
management. Records management SaaS includes all functions required for records management. The
records management SaaS provider makes public SaaS service quality that he can afford. Based on the
quality of service, cloud customers contract cloud SLA with the cloud service provider, by which the
provider is legally bound to keep the quality level specified in the cloud SLA.
6 © ISO 2020 – All rights reserved

The records management SaaS provider is familiar with the data management policies, data processing
capabilities, as well as distributed processing, backup, and recovery mechanism of the IaaS and PaaS.
The records management SaaS provider implements the records management service considering these
factors. The records management SaaS provider clearly states in Terms of Service the limitations of the
records management SaaS they are offering due to the constraints of PaaS or IaaS. Records management
SaaS providers can contract the cloud SLA with PaaS providers or IaaS providers.
4.3.3 PaaS provider
One of the key roles of a PaaS provider is to provide a platform for developing and running records
management SaaS in a secure and reliable manner. SaaS providers can develop SaaS services based on
PaaS service, and a customer could use PaaS to develop directly his own applications. SaaS providers
enter the cloud SLA contract with PaaS service providers to obtain stable and superior platform
services.
4.3.4 IaaS provider
IaaS providers provide hardware such as data storages, servers, and networks in the form of services.
For records management, IaaS providers need to provide reliable storage to keep records even if they
use storage virtualization. Digital records and their metadata are stored stably and securely in IaaS
storage. IaaS providers who are specialized in records management may develop and provide functions
for records management, such as long-term preservation or record registration, to customers.
4.4 Cloud records management service partner
4.4.1 Cloud records management agent
A cloud records management agent is an entity that is contracted by a customer to procure a cloud
service and manage records stored in the cloud service on behalf of the customer. The cloud records
management agent can perform tasks such as selecting the appropriate cloud capability or cloud records
management service, and contract with a cloud service provider. The cloud records management agent
ought to be familiar with the characteristics of digital records management and cloud services. The
cloud records management agent needs the knowledge and experience to perform digital records
management services in the cloud environment. The cloud records management agent acts as follows:
— The cloud records management agent, who has delegated records management authority from
the customer, stores the customer-generated record in the cloud systems, and manages the stored
record on customer’s behalf.
— If a cloud records management agent is delegated legal authority from a customer, the cloud records
management agent acts as a legal representative for legal disputes arising from issues related to
cloud records management.
4.4.2 Cloud records management auditor
A cloud records management auditor may be internal or external to the customer’s organization. Their
role is to audit the organization’s digital records management processes within the cloud records
management service environment with specified standards. The cloud records management auditor
evaluates whether the cloud service is being provided in accordance with the cloud digital record
contract. The cloud records management auditors need especially audit service quality whether they
are afforded as specified in the cloud SLA.
Another role of the cloud records management auditor is to conduct an examination and evaluation
when the cloud records management service is closed. At the time, the auditor needs to be able to
confirm that all records and metadata have been migrated out of a system and that the source records
or "trace" of the record has gone from the service providers system. In addition, the following items are
audited regarding cloud services:
— procedures for digital records creation and management;
— procedures for sending and receiving digital records;
— security, availability, stability, performance;
— different types of cloud records management services and billing systems;
— long-term preservation plan;
— backup plan;
— migration plan;
— disaster measures;
— whether access control policies are being used appropriately;
— whether disposal is being undertaken as required;
— whether records are able to be located, retrieved, presented and interpreted;
— whether records are portable and can be managed during transition from one service arrangement
to another.
5 Cloud records management environments
5.1 General
Cloud services may have both positive and negative effects on records management due to the intrinsic
nature of cloud services. Negative effects (associated with risks and discussed in Clause 7) are mostly
caused by the transfer of all or part of the records management control to the cloud service provider.
In order to apply cloud services to records management, positive effects of cloud services should
be maximized, and the negative effects of cloud services should be minimized. This clause presents
considerations for processes, metadata and architecture for cloud-based records management services
to minimize the potential negative impacts from adopting cloud services for records management.
5.2 Records management processes in the cloud environment
The cloud service provider provides services supporting to all or part processes for records, from
records creation to disposition of records. Customers leverage cloud services to manage records
directly, or may entrust whole records management to cloud service providers. Customers and cloud
service providers may consider the following in the cloud-based records management process.
— Creating/Capturing records: Customers need to use SaaS to create or capture their own records and
preserve them in cloud storages. Records created or captured in SaaS are transferred to the cloud
server via the open network, which exposes them to the risk of record integrity or authenticity.
Therefore, the data transport protocol is confidential and reliable, and ensures the integrity of the
record. Customers also use SaaS to store records in cloud services, which reliably stores the records
and metadata for the records in the cloud storage. The link data between a record and its metadata
are stored safely and not lost in the cloud storage. Multiple customers share SaaS through a multi-
tenancy mechanism. Therefore, SaaS service providers clearly present access control methods
and ownership of records and metadata created by each customer. SaaS service providers need to
understand the computing resource management policies of PaaS service providers or IaaS service
providers and inform customers of SaaS quality level. Role and responsibility associated with
record generation, access control and ownership, and the service quality level may be specified in
an agreement between a customer and a SaaS service provider.
8 © ISO 2020 – All rights reserved

— Classification and indexing: When a customer requests a classification for records to a cloud service
provider, the cloud service provider provides this classification service. If the customer provides
records and contextual data, the cloud service provider index the records in the classification with
the contextual data. Records once indexed might need to be reclassified at the customer's request,
in which case the cloud service provider reclassifies the records with modifying metadata.
— Access control: The cloud service providers need to establish principles for the authority to access,
conditions and restrictions regarding the stored records, and provide the customer with search
tools for metadata and classification category. Customers can browse only their own records
or records that they are allowed to access. Technical measures to prevent illegal copying, leaks,
falsification, etc., are taken when allowing browsing by a customer.
— Storing records: In cloud services, records are stored in the form of several copies for easy
availability, where management and tracking of each copy is essential. This can cause conflict if
they differ from the customer's requirements. Cloud service providers and customers agree on the
applicable data management policies. The cloud service has in place a process and storage for the
stable preservation of the records and prevent loss of the records due to disaster, system failure, etc.
In addition, when a customer requests long-term retention of a record, the cloud service provider
has the long-term management policy and long-term stable storages.
— Use and reuse: As long as records are kept in a cloud service, they are useable. Cloud service providers
can manage records metadata and metadata for cloud systems to maintain records usability. The
records are convertible to alternative formats available at customers desire. In addition, cloud
service providers need a plan to ensure continued access and usability of records in the event of a
disaster.
— Migration: At the request of a customer, records can be migrated from a cloud service to another
or from a cloud service to a customer's server. For the migration of cloud records, an agreement on
migration schedules, storage file types, data transfer protocols, security, transfer file types, and
integrity verification methods are preceded. After the migration, there is a process for ensuring the
integrity of the records and metadata contents and structure. If an error is detected in the process,
the cloud service provider informs the customer of the error and clears the error. The records
migrated are completely disposed in cloud servers, and the cloud service provider needs to notify
the customer of the results of the disposition.
— Disposition: Records stored in a cloud service are disposed of either at the request of the customer
or when the retention period specified in the contract expires. Cloud service providers may ask
the customer to extend the retention period before the records are automatically disposed at the
end of the retention period. The cloud service provider controls disposition processes and destroys
records and associated metadata. The cloud service provider has the capabilities to dispose of all
distributed copies of records.
— Audit trail: Activities performed by cloud service customers or cloud service providers are recorded
in audit trails. Audit trails are protected against unauthorized loss or alteration. They are available
upon request for agents who are authorized to do so.
5.3 Metadata in cloud records management services
To ensure the authenticity of records stored in the cloud, the records' metadata need to be reliably
managed. In the cloud records management environment, metadata can be classified as: 1) records
metadata and 2) system metadata generated by cloud services. The records metadata could be generated
by a customer, either through a SaaS application or a customer-owned software. The customer remains
responsible for the integrity of the records metadata. The system metadata are needed to manage
records and operate in cloud systems.
Most of system metadata are automatically generated in the cloud system, but the cloud service provider
may generate them partly by referring to the records metadata. Such metadata can be used as an audit
trail for records management or as evidence to verify the integrity and authenticity of records. The
following are the metadata items that could be used for records management by cloud capability type:
— Metadata for SaaS: Tenant ID, User ID, Terms of use, role, and responsibility of the cloud records
management service provider, etc.
— Metadata for PaaS: Name and version of execution platform, name and version of the service
development platform, API version, name of the application used for continuous integration and
continuous development, etc.
— Metadata for IaaS: OS name and version, storage type, container type; Network type, number of
record copies; file system name, type and version of hypervisor, etc.
The records metadata are available at any time at the customer's request. However, system metadata
may be proprietary to the cloud service provider and may not have to be provided to customers. This
could be an issue in situations where there is no prior agreement on ownership of the system between
the customer and the cloud service provider. The cloud service provider makes this clear at the time of
contracting the obligations to provide metadata and its ownership, depending on the type of metadata.
Figure 1 shows the relationship between records metadata and system metadata generated in cloud
services.
Figure 2 — Records metadata on cloud services
5.4 Cloud reference architecture for managing authoritative records
Cloud services are classified into IaaS, PaaS, and SaaS depending on the capabilities of the computing
resources they provide. IaaS are services that provide flexible computing infrastructures to a number of
customers by virtualized physical server (CPU, Memory, Operating System [OS], storage, and network).
PaaS provide on demand the underlying functions and capabilities needed for the development and
deployment of SaaS. PaaS are likely to be generic, and not specific to the records management function.
SaaS are applications in the form of service.
The IaaS is sustainable enough and prepare for any form of incident for the reliable and secure storage
of records. The IaaS for records management also provides functions related to preservation and
disposition of stored records as well as backup and recovery services. The SaaS for records management
has the functions necessary to acquire, preserve, search, and browse records.
Cloud computing essentially has a service-oriented architecture, which means that cloud records
management services are delivered on a modular basis of self-contained business activities with
specified outcomes, and whose detailed workings are opaque to the cloud service customer. It would
be helpful to have a reference standard for cloud records management services that organization scan
refer to when performing records management through cloud services. This document provides a
clou
...