Cloud Computing's Top Issues for Higher Education _ University Business Magazine

Embed Size (px)

Citation preview

  • 7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine

    1/5

    15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine

    www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 1/5

    Also in this article

    10 Questions and Answers About the Cloud

    Cloud Email: The Good, the Bad, and the Uptime

    Cloud-based system captures lectures and student

    attention at Vermont college

    By: John L. Nicholson

    TweetTweet 1 Like 2

    Cloud Computing's Top Issues for HigherEducation

    University Business, Jun 2009

    The cloud computing trend of

    replacing software traditionally

    installed on campus computers

    (and the computers themselves)

    with applications delivered via the

    internet is driven by aims of

    reducing universities IT complexity

    and cost. While todays cloud powered higher education institutions can gain

    significant flexibility and agility, the corresponding migration of their sensitive data into

    remote, worldwide data centers--the cloud itself--introduce profound legal,

    compliance, and political issues. This is particularly true in the university community,

    which, given the data members handle, can be subject to everything from financial

    regulations and insurance laws to export controls.

    To safely assess cloud computing options, evaluate vendors, and implement service

    agreements, colleges and universities should define their requirements and pay close

    attention to critical privacy and security issues. They should also look carefully at critical

    contract terms and conditions in this emerging and fast-moving field. As enterprise IT

    decisions go, cloud computing brings a host of legal issues to the table.

    First, Know Your Clouds

    While there is a lot of discussion about what cloud computing really means, at its most

    basic sense, it is one party such as a university customer obtaining IT services from a

    provider. The National Institute of Standards and Technology has a more detailed

    definition of what cloud computing is at http://csrc.nist.gov/groups/SNS/cloud-

    computing/.

    There are several layers of cloud-based services:

    --Infrastructure as a Service (IaaS) - some service providers offer cloud-based

    storage, much the same as a campus storage area network (or SAN);

    --Computing as a Service (CaaS) ? sometimes included in IaaS, CaaS service

    providers offer access to raw computing power on virtual servers, such as Amazons

    EC2 service;

    --Platform as a Service (PaaS) - certain providers are opening up application

    platforms (as opposed to the applications themselves) to permit customers to build

    their own applications using that platforms underlying operating system(s), data

    models and databases, pre-built application components and interfaces;

    --Software as a Service (SaaS) ? application service providers have been hosting

    applications for quite some time, but the difference with SaaS in the cloud is that the

    servers hosting the applications are also virtualized.

    Promises of higher accessibility, availability, and efficiency are prompting universities,

    government agencies, and businesses to consider cloud-based services. Todays

    cloud computing providers are offering higher education the opportunity to substitute a

    presence in the cloud for universities existing data centers, servers, and applications,

    replacing these machines traditional physical presence on campus. For academia,

    cloud computing lets students, faculty, staff, administrators, and other campus users

    access file storage, e-mail, databases, and other university applications anywhere, on-

    demand. This expanded, device-neutral access theoretically lets everyone useinformation more effectively. Centralizing applications and data in a cloud providers

    data centers is also promoted as affording a high degree of data recovery, particularly

    for smaller educational institutions, as large service providers can theoretically invest in

    high-capacity infrastructures and hosting to keep software available in the event of

    technical glitches or heavy traffic. It is easy to see how university IT staffs traditional

    ShareShare 1

    http://csrc.nist.gov/groups/SNS/cloud-computing/http://www.universitybusiness.com/article/cloud-based-system-captures-lectures-and-student-attention-vermont-collegehttp://www.universitybusiness.com/article/cloud-email-good-bad-and-uptimehttps://twitter.com/intent/tweet?original_referer=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-education&text=Cloud%20Computing%27s%20Top%20Issues%20for%20Higher%20Education%20%7C%20University%20Business%20Magazine&tw_p=tweetbutton&url=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttp://twitter.com/search?q=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttp://csrc.nist.gov/groups/SNS/cloud-computing/http://www.universitybusiness.com/issue/university-business-jun-2009http://twitter.com/search?q=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttps://twitter.com/intent/tweet?original_referer=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-education&text=Cloud%20Computing%27s%20Top%20Issues%20for%20Higher%20Education%20%7C%20University%20Business%20Magazine&tw_p=tweetbutton&url=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttp://www.universitybusiness.com/node/848http://www.universitybusiness.com/article/cloud-based-system-captures-lectures-and-student-attention-vermont-collegehttp://www.universitybusiness.com/article/cloud-email-good-bad-and-uptimehttp://www.universitybusiness.com/article/10-questions-and-answers-about-cloud
  • 7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine

    2/5

    15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine

    www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 2/5

    missions, from supporting mobile and remote users to enabling more self-service type

    systems for employees benefit, seemingly mesh well with cloud computing from a high

    level perspective.

    On the financial end of things, the efficiency argument likely resonates even more with

    universities in a down economy. Amazons E2C IaaS product lets users order as

    many virtual servers as they need and pay for them by the hour. Once they are done, the

    virtual servers disappear and the user doesnt pay anything else. Some of Amazons

    customers turn on their servers first thing in the morning, use them during the business

    day, and turn them off, again, at the end of the day. In this new environment, a

    researchers grant application might request 100 hours of virtual server time, rather thanrequesting the funding for a new server.

    The Privacy and Security Imperative

    Privacy and security remain the top concerns for educational institutions (or anyone

    else) looking at cloud computing, simply due to the models migration of proprietary and

    sensitive data outside campus walls. In addition to the usual security concerns for any

    enterprise, educational institutions, by virtue of their diverse operations, are subject to

    numerous compliance regimes, and when it comes to compliance, universities are well

    aware that you can outsource responsibility but you cant outsource accountability.

    Understanding security in an IT environment requires two things: transparency and

    control. Transparency lets you document who has accessed systems and data, whenand where. Transparency can even compensate for a lack of control?allowing

    monitoring to demonstrate that unauthorized activity is not happening, even when those

    doing the monitoring lack the control to prevent the activity. Cloud computing, in its

    current structure, requires customers to give up a significant degree of both. Cloud

    services customers generally have no idea where their data is being processed or

    stored, who is accessing their information, how their data is protected, and what data

    has been accessed for what reason.

    Key Concepts to Consider

    First and foremost, anyone considering moving to a cloud service should look under

    the hood. The cloud is a nice illustrative metaphor, but your universitys data or

    applications will be sitting on real, physical servers in a data center somewhere.Education CIOs need to know where their data will be hosted?especially if it could be

    multiple places?and they will want to perform the same due diligence required for any

    other outsourcing. One place to begin is the Cloud Security Alliances Guidance for

    Critical Areas of Focus in Cloud Computing (available at

    http://www.cloudsecurityalliance.org/guidance/csaguide.pdf).

    Because data centers powering cloud computing platforms frequently exist in multiple

    nations, this triggers cross-border issues that can pose additional complex regulatory

    questions, or outright barriers, for university buyers. Institutions holding sensitive

    government contracts, for example, or those subject to export controls over their

    research materials and intellectual property cannot permit digital material pertaining to

    these leave the country or even be subject to a deemed export through access to the

    information by foreign nationals. Research heads do not want to wake up one morningand discover that, simply by employing a cloud service provider, their department has

    accidentally violated U.S. export laws, risking not only continued funding but also

    criminal charges. Even without the export issue, state-funded institutions must pay

    attention to the political sensitivity of moving on-campus (i.e., in-state) jobs to a

    corporate provider, particularly one that might be in another state or even another

    country.

    Universities, of course, are typically subject to numerous state and federal laws

    covering data on academic grades, health records and financial aid, among other

    things. Certain countries have very strict rules about cross-border transfers of personal

    information, and complying with those rules can be challenging in the virtual world of the

    cloud.

    Once universities establish where their data will reside and how it will be secured, they

    need to carefully consider availability, the flip-side of data security. Authorized users

    need assured access to information, and cloud computing platforms are designed to

    be a robust, continually backed-up environment for data. However, while the cloud itself

    becomes a simplified data repository, it is also a single point of failure. A loss of

    http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
  • 7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine

    3/5

    15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine

    www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 3/5

    internet connectivity anywhere between a university customer and their cloud providers

    network will cause interruptions of varying severity. Indeed, users of Googles web-

    based e-mail and calendar services, recently unavailable to some users due to a

    service outage, can attest that even the biggest and most ubiquitous clouds are not

    bulletproof.

    Typical cloud agreements define service level agreements (SLAs) establishing

    providers expected uptime and performance. Customers should look carefully at the

    math behind those measurements and figure out Certain countries have very strict rules

    about cross-border transfers of personal information, and complying with those rules

    can be challenging in the virtual world of the cloud.

    Once universities establish where their data will reside and how it will be secured, they

    need to carefully consider availability, the flip-side of data security. Authorized users

    need assured access to information, and cloud computing platforms are designed to

    be a robust, continually backed-up environment for data. However, while the cloud itself

    becomes a simplified data repository, it is also a single point of failure. A loss of

    internet connectivity anywhere between a university customer and their cloud providers

    network will cause interruptions of varying severity. Indeed, users of Googles web-

    based e-mail and calendar services, recently unavailable to some users due to a

    service outage, can attest that even the biggest and most ubiquitous clouds are not

    bulletproof.

    Typical cloud agreements define service level agreements (SLAs) establishingproviders expected uptime and performance. Customers should look carefully at the

    math behind those measurements and figure out what they actually mean in terms of

    end-user experience and the customers operations. Beyond resolving minor glitches,

    universities should have cloud providers define their data recovery and business

    continuity postures in detail, particularly regarding what they are responsible for during

    a natural disaster affecting their data centers, for example, or other crises.

    Are You Trapped in a Cloud?

    Portability, whether from cloud-to-cloud or from a provider to back within campus

    walls, is another often overlooked and very important consideration. Cloud vendors

    want to get customers data in their cloud platform, but may not be as helpful when it

    comes to letting them take data out of their infrastructure, in the event the customerdecides to end the relationship. A good way for universities to estimate the portability of

    their data is to consider the nature of what they are contemplating to send into the

    cloud. If an institution is simply using the cloud for data storage or raw computing

    power, for example, those files can probably migrate to another provider relatively

    easily. If, however, universities select providers using proprietary web-based platforms

    or applications to create, store and manage data, they might be effectively locked in

    that system for all practical purposes. Most cloud providers will not want to go through

    the trouble of converting a universitys files into a transferrable format, simply to help

    them re-compete or transition a contract.

    Moving to a cloud, and particularly to a SaaS model, also has substantial software

    licensing and hardware procurement implications upon termination. The ability to move

    to a utility model for hardware and software usage is one of the key economic benefitsof cloud computing. However, should you choose to leave a cloud provider, you may

    need to re-purchase (or at least get up to date with maintenance payments) for your

    installed software base and you may need to acquire new hardware to run it all.

    Thinking through the exit strategy before you enter the relationship is critical for those

    considering any outsourcing, but especially for those considering a move to a cloud

    environment.

    Ownership, Clouds vs. Their Contents

    Potential cloud service customers also need to ask who owns the data. With cloud

    computing, customers do not own the underlying software. Again, depending on the

    nature of the service and/or applications in question, universities should read the fine

    print carefully and approach each service provider from the standpoint of maintainingownership over not only their raw, unique data, but the valuable results of data

    processing occurring on the providers cloud platform. Such results could include

    reports pinpointing trends in student performance, or savings potential in contract

    management or accounting. Because campus leaders rely on managerial reports,

    more so than raw data, their status and ownership over time is a critical issue.

  • 7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine

    4/5

    15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine

    www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 4/5

    Related to data ownership is the important question of what happens if either the

    customer or cloud provider cannot pay for, or deliver the service, leading to its effective

    termination. Is there a means for customers to recover their organizations critical data

    when a provider fails? Is a provider obligated to return, or maintain data in the event a

    customer can no longer pay for the cloud, or suspends payments in a dispute? These

    are all questions universities should consider up front, before any costly disruptions

    occur due to providers insolvency or other hardships.

    When Trouble Arises, Who Is Liable?

    Potential cloud service customers also need to carefully consider the parties roles andthe allocation of risks and liabilities under the cloud model. Cloud service providers

    want to plug into universities offices as seamlessly as possible, but because they are

    fundamentally service providers, complying with all applicable laws is ultimately the

    schools responsibility. Given this significant fact, educational institutions should seek

    out providers who can accommodate their specific or unique requirements. For

    example, whether a cloud computing solution complies with the Payment Card Industry

    Data Security Standards (PCI)?a requirement for anyone processing credit and debit

    card transactions?is something of an open question right now. Much depends on

    certain interpretations of the rules. Therefore, certain cloud computing models might not

    be as good a solution for campus functions that have to be PCI compliant, at least until

    that issue gets sorted out. If a campus has to retain these functions and the

    responsibility for verifying PCI compliance, that could adversely impact the business

    case for moving other aspects of the university computing to the cloud.

    Formally assigning liability risk is essential for universities and other buyers faith and

    confidence in cloud computing, because customers want assurances that as long as

    they abide by specific rules?ideally tailored to their existing internal policies?providers

    will shoulder remaining liabi lity. Customers are generally concerned about cloud

    providers liability for things like data breaches occurring on their infrastructures, or a

    providers facing a court-ordered shutdown as a result of patent infringement or other

    penalty, which could leave customers with disrupted services. Providers, in turn, usually

    want university customers to assume liability for the placement or copyright-infringing or

    other illegal material into their cloud platforms, for example. They also typically want

    customers to accept liability for using the cloud for other prohibited activities, such as

    sending spam.

    Providers hosting e-mail or web-based services may have Acceptable Use Policies

    (AUPs) with which the customer must comply, and that the provider can modify in its

    discretion. Provider AUPs frequently give the provider the right to suspend the services

    if a customer does not comply. While some limited ability to turn off the service might be

    acceptable in very specific circumstances such as halting the spread of an internet

    worm, those considering moving to the cloud should consider carefully the leverage

    such a right gives the provider.

    As universities consider these issues and others, their primary focus should remain on

    how effectively cloud providers can meet educational institutions unique operating and

    compliance requirements. Determining providers flexibility is essential because many

    purposely offer what amount to one-size-fits-all packages, since it is in their interest to

    leverage large economies of scale.

    Universities should continually look for new technological advantages, but they need to

    keep their unique requirements and regulatory factors at the forefront of decision

    making, ahead of pure IT trends or short-term budget advantages. Cost, complexity,

    and compliance are on every CIOs mind, and IT and legal stakeholders should work

    with advisors who can assess these areas and offer insight gained from experience

    with major cloud computing providers business models, terms, and conditions.

    To the greatest degree possible, universities weighing cloud computing should survey

    providers, prioritize their requirements and seek objective insight on lessons different

    industries are learning in this and other emerging technology trends.

    John L. Nicholson ([email protected]) is an attorney in PillsburyWinthrop Shaw Pittman, LLPs Washington, D.C., office and a member of the firms

    Privacy & Data Protection practice team. He advises a diverse range of organizations,

    including retailers, higher education institutions and web businesses on privacy and

    legal implications surrounding technology implementation, policy and management.

    mailto:[email protected]
  • 7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine

    5/5

    15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine

    www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 5/5

    Enterprise Leadership Hardware cloud computing

    Email this Page

    http://www.addthis.com/bookmark.phphttp://www.universitybusiness.com/forward?path=node/2208http://www.universitybusiness.com/tags/cloud-computinghttp://www.universitybusiness.com/topic/hardwarehttp://www.universitybusiness.com/topic/leadershiphttp://www.universitybusiness.com/topic/enterprise