Cloud Storage
Materials routinely copied or backed up to an independently managed, off-site data storage facility and able to be restored under contractual terms
Examples
Remote network storage provided by a third-party service under contracts, such as DropBox, Amazon, Microsoft Azure, Dell EMC, Google Cloud Platform, Google Drive, IBM, Rackspace, Iron Mountain, SAP, and others.
Hazards
Lack of skills, commitment or policy from corporate owners; Encryption; lack of routine maintenance; lack of storage replication; over-dependence on a single supplier; insufficient documentation; lack of local alternative; political or commercial instability; overly aggressive compression; poor information security; lack of transparent integrity-checking; lack of strategic investment; lack of migration plan; lack of exit strategy; unenforceable penalties; unstable pricing; unpredictable removal costs; uncertainty over IPR or the presence of orphaned works.
Complex PlatformsMitigations
Backup to different technology; backup to diverse locations; documentation of assets; integrity checking; preservation licensing and planning; export functionality; resilient to hacking; version control; resilient funding; technology watch; enforceable contract; disaster planning and documentation; stable pricing; budgeted removal costs.
Bit List History
Added to list: 2019Last Review
This entry was added in 2019 to ensure that the range of media storage is properly assessed and presented. The 2021 Jury noted increased risk in light of greater reliance on the cloud and localized disruptions to cloud services over the pandemic. A 2021 trend towards greater risk was based on the wider (global) dependence on these services, especially Google Drive, for record-keeping and business workflows. The impact of loss increased with more reliance on cloud services leading to greater risk; however, this should not deter people from using cloud storage. The 2022 review agreed with this assessment but noted no significant increase in trend for 2022.
The 2023 Council moved this entry to a new higher-level Cloud category as the previous Integrated Storage category worked less well (for hardware technologies). The Council agreed with the previous Vulnerable classification, with the overall risks remaining on the same basis as before so long as there are safeguards in place (‘No change’ to the 2023 trend). However, the Council noted that these safeguards may not, in all cases, be sufficient to address existing risks. Council members noted how some governments may cut off the internet in times of unrest, having a disastrous effect on access to cloud-based resources, and raised questions about the feasibility of recovering material after a major cloud vendor fails or due to malicious acts. For these materials, the significance of loss and effort to preserve is much greater, with the potential for a trend towards greater risk with the loss of existing safeguards.
The 2024 Council agreed these risks remain on the same basis as before, with no significant trend towards even greater or reduced risk (‘No change’ to trend).
While overall risk remains on the same basis as before, some Council members pointed out how a lack of transparency in knowledge about how a cloud service is actually built and functions is worrying from a preservation perspective. Additionally, the overall political ‘threat situation’ worldwide seems to be increasing, which means that significant changes in national political regimes can affect the predictability of how the material is handled in a cloud service and, with that, the potential for increased risk.
Additional Information
To add further clarity, Council members in the Integrated Storage category noted that there is a distinction between ‘in-house’ physical storage and cloud storage, especially if one relies on cloud storage as the only storage provider for digital content. As they understand it, this ‘Cloud Storage’ entry focuses on material copied or backed up to a third-party cloud service. This is less threatening compared to using the cloud as the sole storage provider for content preservation.
The history of digital preservation suggests that the risk of vendors going out of business or shutting down services is the key issue here, over and above any specific technical solutions or risks.
Case Studies & Examples
- The example of the Microsoft outage in July 2024, in which a software update led to the cancellation of flights, healthcare disruptions and payroll issues. See Global IT outage: More than 5,000 flights cancelled; how security 'arms race' led to crash. As it happened, Sky News (2024), [accessed at 2024-09-06].
- Case of cloud storage provider who accidentally deleted a client account – including all replicas and backups. This emphasises that a single third-party provider should only really be considered a single copy regardless of the resilience the provider puts in place. Cloud introduces new single points of failure. See Google Cloud explains how it accidentally deleted a customer account, Amadeo, R. (2024), [accessed at 2024-06-17].
- Case of a cloud storage provider who suffered major data loss (or its clients suffered data loss) due to a fire in its data centre. Those clients suffered most who did not include geographically redundant storage in the contract with the storage provider as this was more expensive. See Millions of websites offline after fire at French cloud services firm, Rosemain, M. and Satter, R. (2021), Reuters [accessed at 2023-10-24].
- Case of fired credit union employee accessing the financial institution’s computer systems without authorization and destroying over 21 gigabytes of data via remote network storage. See Fired NY credit union employee nukes 21 GB of data in revenge, Gatlan, S. (2021), BleepingComputer [accessed at 2023-10-24].
- The National Archives UK (2023) ‘Digital Services and carbon emissions in the heritage sector: some preliminary findings’, which noted areas relating to the cloud and cloud storage. They write “If we are looking for areas where significant carbon reductions could be made quickly, they are not to be found here. The evidence is that hosting digital services on site results in more carbon emissions than a sensibly located (i.e., in a territory with a high proportion of electricity generated from renewables) cloud host and that, where it might be felt that migrating services simply migrates emissions from scope 2 to scope 3, in practice cloud providers can offer the same storage and compute with lower emissions. Amazon in particular reports its view of the carbon ‘saved’ by using its services rather than your own, but these are estimates and should not be regarded as robust.” See Digital Services and carbon emissions in the heritage sector: some preliminary findings, The National Archives (UK) (2023), [accessed at 2023-10-24].