Partly Cloudy? What a CBO Should Know about Cloud Computing Rodney Petersen – EDUCAUSE Steven J. McDonald – Rhode Island School of Design


Partly Cloudy? What a CBO Should Know about Cloud Computing

Rodney Petersen – EDUCAUSE

Steven J. McDonald – Rhode Island School of Design


Alternative IT Sourcing Strategies

The range of options institutions have for providing technology services or operating technology functions aside from doing these things themselves. It includes traditional outsourcing of all or part of the IT organization, accessing externally managed applications, development environments, or hardware via the Internet, and support from consortia (e.g., open source).

Survey: IT Services Sourcing – November 2008
EDUCAUSE Center for Applied Research (ECAR)


Sourcing IT in Higher Education

College/Departmental Infrastructure

Central IT Infrastructure

Shared Higher Education Infrastructure

Third Party Infrastructure


Cloud Computing (Gartner)

". . . a style of computing where massively scaleable IT-enabled capabilities are delivered 'as a service' to external customers using Internet technologies."

Gartner, Inc.


Cloud Computing (Berkeley)

Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. The services themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing. We use the term Private Cloud to refer to internal datacenters of a business or other organization, not made available to the general public. Thus, Cloud Computing is the sum of SaaS and Utility Computing, but does not include Private Clouds.

Above the Clouds: A Berkeley View of Cloud Computing
February 10, 2009


Software as a Service (SaaS)

Delivery Platforms

• Managed hosting – contracting with hosting provider to host or manage an infrastructure (IBM, OpSource)

• Cloud computing – using an on-demand cloud-based infrastructure to deploy an infrastructure or applications (Amazon Elastic Cloud)

Development Platforms

• Cloud computing – using an on-demand cloud-based development environment to provide a general purpose programming language (Bungee Labs, Coghead)

Application-led Platforms

• SaaS applications – using platforms of popular SaaS applications to develop and deploy application (Salesforce.com, NetSuite, Cisco-Webex)

Cloud Computing in Higher Education

Richard Katz, Phil Goldstein, and Ron Yanosky


Why Cloud Computing is Appealing

Cost

Consumerization of IT

Scalability and availability of services

Sustainability or green IT


Enabling the Cloud

Economic Value

Full connectivity

Open Access

Reliability

Security

Privacy

Interoperability and User Choice

Sustainability

Envisioning the Cloud: The Next Computing Paradigm
Marketspace Point of View (March 20, 2009)


Public Policy

"If, as argued, cloud computing represents a potentially transformative democratization of technology by making the same computing power available to individuals and small- and medium-sized businesses that the largest enterprises enjoy, elected officials have the opportunity to help deliver its enormous benefits to the full diversity of their constituents."

Envisioning the Cloud: The Next Computing Paradigm
Marketspace Point of View (March 20, 2009)


Let's Make a Deal

All of the things that you have to worry about when you do it, they should be worrying about when they do it

But it may not be in their business model

Or they may not even be aware of it

Trust, but verify

Ignore:
• "No one's ever complained about that before"
• "We can't do that – it's 'free'"


Contracts 101: What Doesn't It Take to Make a Contract?

A negotiation
• Non-negotiable forms (like EULAs) are still enforceable
• Courts will strike out terms of non-negotiable contracts only if they are "unconscionable"

A written document (usually)

A written document that is consistent with your negotiations

A written document that you have read

A signature (usually)

Terms that are "fair" and "reasonable"

All that matters is that you have "manifested your mutual assent" to the contract


Legal (and Contractual) Issues to Watch Out For

FERPA/Privacy/Confidentiality

Data security and data breach responsibilities

E-discovery

Patent infringement

Incorporated URL terms that are modifiable at will

Responsibility for end users

Export controls

Service level agreements

Suspension/Termination and their aftermath

Warranties (and lack thereof)

Indemnification (both ways)

Choice of law and jurisdiction


FERPA

"'Education records' . . . means those records that are:

(1) Directly related to a student; and

(2) Maintained by an educational agency or institution or by a party acting for the agency or institution"



FERPA

"'Record' means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche"


FERPA

In general, a record is "directly related" to a student if it contains "personally identifiable information" about that student (broadly defined), including:
• Name
• Address
• ID number
• Biometric identifier
• Indirect identifier such as date or place of birth or mother's maiden name
• Collection of demographic data
• . . .


FERPA

"Maintain" is not defined!

Supreme Court:
• "FERPA implies that education records are institutional records kept by a single central custodian, such as a registrar."
• "The ordinary meaning of the word 'maintain' is 'to keep in existence or continuance; preserve; retain.'"

Requires conscious decision on the part of the institution?


E-mail?

Record?

Directly related?
• E-mail address in the "to" or "from" line
• Student name, address, ID number, or other identifying information (broadly defined) within the body of a message
• Not every message will be personally identifiable, but do you really want to look?

Maintained?
• Messages residing in student accounts
• Messages residing in faculty and staff accounts


FERPA

"A contractor, consultant, volunteer, or other party to whom an . . . institution has outsourced institutional services or functions may be considered a school official . . . provided that the outside party –
• Performs an institutional service or function for which the agency or institution would otherwise use employees;
• Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
• Is subject to the requirements . . . governing the use and redisclosure of personally identifiable information from education records."


Data Security/Breach

FERPA – student records

HIPAA – medical records

Gramm-Leach-Bliley – "financial" records

PCI-DSS – credit card records

"Personal information" under a state data protection statute
• Especially "personal information" about Massachusetts residents, wherever located . . .


Data Security/Breach

All have "safeguarding" requirements of varying degrees of intensity

In general, must specifically require vendors to comply with them on your behalf by contract (not to mention monitor them as well)

Who is responsible/liable in the event of a breach?


E-Discovery

It's 3 a.m., and you've just received notice of a possible lawsuit. Do you know where your data is, and how to access it?

It's your data, and ultimately your responsibility, regardless of where it's located

Do you have ready access to it, and the tools you need to review and produce it?


Patent Infringement

Blackboard v. Desire2Learn

Acacia Media Technologies v. The World

Is your vendor willing to warrant that it actually owns what it's selling?


URL Terms

"This Agreement, and all documents referenced herein, is the parties' entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject. The terms located at a URL and referenced in this Agreement are hereby incorporated by this reference."

Typically "as may be modified from time to time at vendor's sole discretion" . . . .
• Translation: "This document is meaningless"


Responsibility for End Users

Institution shall be responsible for ensuring that its users comply with the terms of this agreement (which is confidential, and which it therefore may not tell them about)

Institution shall use its best efforts to ensure that its users comply with the terms of this agreement

Institution shall use reasonable efforts to ensure that its users comply with the terms of this agreement

Institution shall inform its users of their obligations under this agreement

Institution shall not authorize its users to engage in actions that violate this agreement

Vendor may establish reasonable rules of conduct for users


Export Controls

1.7. Data Transfer. As part of providing the Service, Google may store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data.


Service Level Agreements

How much "uptime" do you need?
• How many "9's" after the "99."?

What is the penalty/remedy for violation?


Suspension/Termination and Their Aftermath

How fast, and for what reasons, can the vendor suspend or terminate service?

Will you have time to make the necessary transition to another vendor?

Will you have access to your data?
• In what format, and for how long?


Warranties

"VENDOR MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, AND NONINFRINGEMENT."

Translation: "Abandon all hope, ye who enter here"


Indemnification

By you for actions of users
• Employees and agents vs. students

By vendor for patent infringement, data breach, breach of agreement, and general negligence
• Make sure it's not undermined by the (lack of) warranty clause
• Beware limitation of liability to refund of fees paid


Choice of Law and Jurisdiction

Yours v. theirs

Limitations on state institutions

Delete it and defer the argument till later

Suit must be filed in defendant's jurisdiction


Finally . . .

Your lawyer really isn't trying to botch the deal for you by raising these issues

You're paying him or her to be a professional pessimist, for your protection

If it's not in the contract, it's not enforceable, no matter what the salesman said

Ultimately, much of this is a question of risk management, and you make the call!


Questions and Discussion