Upload
noddynoddy
View
213
Download
0
Embed Size (px)
Citation preview
7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine
1/5
15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine
www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 1/5
Also in this article
10 Questions and Answers About the Cloud
Cloud Email: The Good, the Bad, and the Uptime
Cloud-based system captures lectures and student
attention at Vermont college
By: John L. Nicholson
TweetTweet 1 Like 2
Cloud Computing's Top Issues for HigherEducation
University Business, Jun 2009
The cloud computing trend of
replacing software traditionally
installed on campus computers
(and the computers themselves)
with applications delivered via the
internet is driven by aims of
reducing universities IT complexity
and cost. While todays cloud powered higher education institutions can gain
significant flexibility and agility, the corresponding migration of their sensitive data into
remote, worldwide data centers--the cloud itself--introduce profound legal,
compliance, and political issues. This is particularly true in the university community,
which, given the data members handle, can be subject to everything from financial
regulations and insurance laws to export controls.
To safely assess cloud computing options, evaluate vendors, and implement service
agreements, colleges and universities should define their requirements and pay close
attention to critical privacy and security issues. They should also look carefully at critical
contract terms and conditions in this emerging and fast-moving field. As enterprise IT
decisions go, cloud computing brings a host of legal issues to the table.
First, Know Your Clouds
While there is a lot of discussion about what cloud computing really means, at its most
basic sense, it is one party such as a university customer obtaining IT services from a
provider. The National Institute of Standards and Technology has a more detailed
definition of what cloud computing is at http://csrc.nist.gov/groups/SNS/cloud-
computing/.
There are several layers of cloud-based services:
--Infrastructure as a Service (IaaS) - some service providers offer cloud-based
storage, much the same as a campus storage area network (or SAN);
--Computing as a Service (CaaS) ? sometimes included in IaaS, CaaS service
providers offer access to raw computing power on virtual servers, such as Amazons
EC2 service;
--Platform as a Service (PaaS) - certain providers are opening up application
platforms (as opposed to the applications themselves) to permit customers to build
their own applications using that platforms underlying operating system(s), data
models and databases, pre-built application components and interfaces;
--Software as a Service (SaaS) ? application service providers have been hosting
applications for quite some time, but the difference with SaaS in the cloud is that the
servers hosting the applications are also virtualized.
Promises of higher accessibility, availability, and efficiency are prompting universities,
government agencies, and businesses to consider cloud-based services. Todays
cloud computing providers are offering higher education the opportunity to substitute a
presence in the cloud for universities existing data centers, servers, and applications,
replacing these machines traditional physical presence on campus. For academia,
cloud computing lets students, faculty, staff, administrators, and other campus users
access file storage, e-mail, databases, and other university applications anywhere, on-
demand. This expanded, device-neutral access theoretically lets everyone useinformation more effectively. Centralizing applications and data in a cloud providers
data centers is also promoted as affording a high degree of data recovery, particularly
for smaller educational institutions, as large service providers can theoretically invest in
high-capacity infrastructures and hosting to keep software available in the event of
technical glitches or heavy traffic. It is easy to see how university IT staffs traditional
ShareShare 1
http://csrc.nist.gov/groups/SNS/cloud-computing/http://www.universitybusiness.com/article/cloud-based-system-captures-lectures-and-student-attention-vermont-collegehttp://www.universitybusiness.com/article/cloud-email-good-bad-and-uptimehttps://twitter.com/intent/tweet?original_referer=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-education&text=Cloud%20Computing%27s%20Top%20Issues%20for%20Higher%20Education%20%7C%20University%20Business%20Magazine&tw_p=tweetbutton&url=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttp://twitter.com/search?q=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttp://csrc.nist.gov/groups/SNS/cloud-computing/http://www.universitybusiness.com/issue/university-business-jun-2009http://twitter.com/search?q=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttps://twitter.com/intent/tweet?original_referer=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-education&text=Cloud%20Computing%27s%20Top%20Issues%20for%20Higher%20Education%20%7C%20University%20Business%20Magazine&tw_p=tweetbutton&url=http%3A%2F%2Fwww.universitybusiness.com%2Farticle%2Fcloud-computings-top-issues-higher-educationhttp://www.universitybusiness.com/node/848http://www.universitybusiness.com/article/cloud-based-system-captures-lectures-and-student-attention-vermont-collegehttp://www.universitybusiness.com/article/cloud-email-good-bad-and-uptimehttp://www.universitybusiness.com/article/10-questions-and-answers-about-cloud7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine
2/5
15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine
www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 2/5
missions, from supporting mobile and remote users to enabling more self-service type
systems for employees benefit, seemingly mesh well with cloud computing from a high
level perspective.
On the financial end of things, the efficiency argument likely resonates even more with
universities in a down economy. Amazons E2C IaaS product lets users order as
many virtual servers as they need and pay for them by the hour. Once they are done, the
virtual servers disappear and the user doesnt pay anything else. Some of Amazons
customers turn on their servers first thing in the morning, use them during the business
day, and turn them off, again, at the end of the day. In this new environment, a
researchers grant application might request 100 hours of virtual server time, rather thanrequesting the funding for a new server.
The Privacy and Security Imperative
Privacy and security remain the top concerns for educational institutions (or anyone
else) looking at cloud computing, simply due to the models migration of proprietary and
sensitive data outside campus walls. In addition to the usual security concerns for any
enterprise, educational institutions, by virtue of their diverse operations, are subject to
numerous compliance regimes, and when it comes to compliance, universities are well
aware that you can outsource responsibility but you cant outsource accountability.
Understanding security in an IT environment requires two things: transparency and
control. Transparency lets you document who has accessed systems and data, whenand where. Transparency can even compensate for a lack of control?allowing
monitoring to demonstrate that unauthorized activity is not happening, even when those
doing the monitoring lack the control to prevent the activity. Cloud computing, in its
current structure, requires customers to give up a significant degree of both. Cloud
services customers generally have no idea where their data is being processed or
stored, who is accessing their information, how their data is protected, and what data
has been accessed for what reason.
Key Concepts to Consider
First and foremost, anyone considering moving to a cloud service should look under
the hood. The cloud is a nice illustrative metaphor, but your universitys data or
applications will be sitting on real, physical servers in a data center somewhere.Education CIOs need to know where their data will be hosted?especially if it could be
multiple places?and they will want to perform the same due diligence required for any
other outsourcing. One place to begin is the Cloud Security Alliances Guidance for
Critical Areas of Focus in Cloud Computing (available at
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf).
Because data centers powering cloud computing platforms frequently exist in multiple
nations, this triggers cross-border issues that can pose additional complex regulatory
questions, or outright barriers, for university buyers. Institutions holding sensitive
government contracts, for example, or those subject to export controls over their
research materials and intellectual property cannot permit digital material pertaining to
these leave the country or even be subject to a deemed export through access to the
information by foreign nationals. Research heads do not want to wake up one morningand discover that, simply by employing a cloud service provider, their department has
accidentally violated U.S. export laws, risking not only continued funding but also
criminal charges. Even without the export issue, state-funded institutions must pay
attention to the political sensitivity of moving on-campus (i.e., in-state) jobs to a
corporate provider, particularly one that might be in another state or even another
country.
Universities, of course, are typically subject to numerous state and federal laws
covering data on academic grades, health records and financial aid, among other
things. Certain countries have very strict rules about cross-border transfers of personal
information, and complying with those rules can be challenging in the virtual world of the
cloud.
Once universities establish where their data will reside and how it will be secured, they
need to carefully consider availability, the flip-side of data security. Authorized users
need assured access to information, and cloud computing platforms are designed to
be a robust, continually backed-up environment for data. However, while the cloud itself
becomes a simplified data repository, it is also a single point of failure. A loss of
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine
3/5
15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine
www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 3/5
internet connectivity anywhere between a university customer and their cloud providers
network will cause interruptions of varying severity. Indeed, users of Googles web-
based e-mail and calendar services, recently unavailable to some users due to a
service outage, can attest that even the biggest and most ubiquitous clouds are not
bulletproof.
Typical cloud agreements define service level agreements (SLAs) establishing
providers expected uptime and performance. Customers should look carefully at the
math behind those measurements and figure out Certain countries have very strict rules
about cross-border transfers of personal information, and complying with those rules
can be challenging in the virtual world of the cloud.
Once universities establish where their data will reside and how it will be secured, they
need to carefully consider availability, the flip-side of data security. Authorized users
need assured access to information, and cloud computing platforms are designed to
be a robust, continually backed-up environment for data. However, while the cloud itself
becomes a simplified data repository, it is also a single point of failure. A loss of
internet connectivity anywhere between a university customer and their cloud providers
network will cause interruptions of varying severity. Indeed, users of Googles web-
based e-mail and calendar services, recently unavailable to some users due to a
service outage, can attest that even the biggest and most ubiquitous clouds are not
bulletproof.
Typical cloud agreements define service level agreements (SLAs) establishingproviders expected uptime and performance. Customers should look carefully at the
math behind those measurements and figure out what they actually mean in terms of
end-user experience and the customers operations. Beyond resolving minor glitches,
universities should have cloud providers define their data recovery and business
continuity postures in detail, particularly regarding what they are responsible for during
a natural disaster affecting their data centers, for example, or other crises.
Are You Trapped in a Cloud?
Portability, whether from cloud-to-cloud or from a provider to back within campus
walls, is another often overlooked and very important consideration. Cloud vendors
want to get customers data in their cloud platform, but may not be as helpful when it
comes to letting them take data out of their infrastructure, in the event the customerdecides to end the relationship. A good way for universities to estimate the portability of
their data is to consider the nature of what they are contemplating to send into the
cloud. If an institution is simply using the cloud for data storage or raw computing
power, for example, those files can probably migrate to another provider relatively
easily. If, however, universities select providers using proprietary web-based platforms
or applications to create, store and manage data, they might be effectively locked in
that system for all practical purposes. Most cloud providers will not want to go through
the trouble of converting a universitys files into a transferrable format, simply to help
them re-compete or transition a contract.
Moving to a cloud, and particularly to a SaaS model, also has substantial software
licensing and hardware procurement implications upon termination. The ability to move
to a utility model for hardware and software usage is one of the key economic benefitsof cloud computing. However, should you choose to leave a cloud provider, you may
need to re-purchase (or at least get up to date with maintenance payments) for your
installed software base and you may need to acquire new hardware to run it all.
Thinking through the exit strategy before you enter the relationship is critical for those
considering any outsourcing, but especially for those considering a move to a cloud
environment.
Ownership, Clouds vs. Their Contents
Potential cloud service customers also need to ask who owns the data. With cloud
computing, customers do not own the underlying software. Again, depending on the
nature of the service and/or applications in question, universities should read the fine
print carefully and approach each service provider from the standpoint of maintainingownership over not only their raw, unique data, but the valuable results of data
processing occurring on the providers cloud platform. Such results could include
reports pinpointing trends in student performance, or savings potential in contract
management or accounting. Because campus leaders rely on managerial reports,
more so than raw data, their status and ownership over time is a critical issue.
7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine
4/5
15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine
www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 4/5
Related to data ownership is the important question of what happens if either the
customer or cloud provider cannot pay for, or deliver the service, leading to its effective
termination. Is there a means for customers to recover their organizations critical data
when a provider fails? Is a provider obligated to return, or maintain data in the event a
customer can no longer pay for the cloud, or suspends payments in a dispute? These
are all questions universities should consider up front, before any costly disruptions
occur due to providers insolvency or other hardships.
When Trouble Arises, Who Is Liable?
Potential cloud service customers also need to carefully consider the parties roles andthe allocation of risks and liabilities under the cloud model. Cloud service providers
want to plug into universities offices as seamlessly as possible, but because they are
fundamentally service providers, complying with all applicable laws is ultimately the
schools responsibility. Given this significant fact, educational institutions should seek
out providers who can accommodate their specific or unique requirements. For
example, whether a cloud computing solution complies with the Payment Card Industry
Data Security Standards (PCI)?a requirement for anyone processing credit and debit
card transactions?is something of an open question right now. Much depends on
certain interpretations of the rules. Therefore, certain cloud computing models might not
be as good a solution for campus functions that have to be PCI compliant, at least until
that issue gets sorted out. If a campus has to retain these functions and the
responsibility for verifying PCI compliance, that could adversely impact the business
case for moving other aspects of the university computing to the cloud.
Formally assigning liability risk is essential for universities and other buyers faith and
confidence in cloud computing, because customers want assurances that as long as
they abide by specific rules?ideally tailored to their existing internal policies?providers
will shoulder remaining liabi lity. Customers are generally concerned about cloud
providers liability for things like data breaches occurring on their infrastructures, or a
providers facing a court-ordered shutdown as a result of patent infringement or other
penalty, which could leave customers with disrupted services. Providers, in turn, usually
want university customers to assume liability for the placement or copyright-infringing or
other illegal material into their cloud platforms, for example. They also typically want
customers to accept liability for using the cloud for other prohibited activities, such as
sending spam.
Providers hosting e-mail or web-based services may have Acceptable Use Policies
(AUPs) with which the customer must comply, and that the provider can modify in its
discretion. Provider AUPs frequently give the provider the right to suspend the services
if a customer does not comply. While some limited ability to turn off the service might be
acceptable in very specific circumstances such as halting the spread of an internet
worm, those considering moving to the cloud should consider carefully the leverage
such a right gives the provider.
As universities consider these issues and others, their primary focus should remain on
how effectively cloud providers can meet educational institutions unique operating and
compliance requirements. Determining providers flexibility is essential because many
purposely offer what amount to one-size-fits-all packages, since it is in their interest to
leverage large economies of scale.
Universities should continually look for new technological advantages, but they need to
keep their unique requirements and regulatory factors at the forefront of decision
making, ahead of pure IT trends or short-term budget advantages. Cost, complexity,
and compliance are on every CIOs mind, and IT and legal stakeholders should work
with advisors who can assess these areas and offer insight gained from experience
with major cloud computing providers business models, terms, and conditions.
To the greatest degree possible, universities weighing cloud computing should survey
providers, prioritize their requirements and seek objective insight on lessons different
industries are learning in this and other emerging technology trends.
John L. Nicholson ([email protected]) is an attorney in PillsburyWinthrop Shaw Pittman, LLPs Washington, D.C., office and a member of the firms
Privacy & Data Protection practice team. He advises a diverse range of organizations,
including retailers, higher education institutions and web businesses on privacy and
legal implications surrounding technology implementation, policy and management.
mailto:[email protected]7/27/2019 Cloud Computing's Top Issues for Higher Education _ University Business Magazine
5/5
15/08/2013 Cloud Computing's Top Issues for Higher Education | University Business Magazine
www.universitybusiness.com/article/cloud-computings-top-issues-higher-education 5/5
Enterprise Leadership Hardware cloud computing
Email this Page
http://www.addthis.com/bookmark.phphttp://www.universitybusiness.com/forward?path=node/2208http://www.universitybusiness.com/tags/cloud-computinghttp://www.universitybusiness.com/topic/hardwarehttp://www.universitybusiness.com/topic/leadershiphttp://www.universitybusiness.com/topic/enterprise