Cloud Computing's Top Issues for Higher Education

The “cloud computing” trend of replacing software traditionally installed on campus computers (and the computers themselves) with applications delivered via the internet is driven by aims of reducing universities’ IT complexity and cost. While today’s “cloud powered” higher education institutions can gain significant flexibility and agility, the corresponding migration of their sensitive data into remote, worldwide data centers--the “cloud” itself--introduces profound legal, compliance, and political issues. This is particularly true in the university community, which, given the data members handle, can be subject to everything from financial regulations and insurance laws to export controls.

To safely assess cloud computing options, evaluate vendors, and implement service agreements, colleges and universities should define their requirements and pay close attention to critical privacy and security issues. They should also look carefully at critical contract terms and conditions in this emerging and fast-moving field. As enterprise IT decisions go, cloud computing brings a host of legal issues to the table.

While there is a lot of discussion about what “cloud computing” really means, in its most basic sense, it is one party such as a university customer obtaining IT services from a provider. The National Institute of Standards and Technology has a more detailed definition of what cloud computing “is” at http://csrc.nist.gov/groups/SNS/cloud-computing/.

There are several “layers” of cloud-based services:

--Infrastructure as a Service (“IaaS”) - some service providers offer cloud-based storage, much the same as a campus storage area network (or SAN);

--Computing as a Service (“CaaS”) - sometimes included in IaaS, CaaS service providers offer access to raw computing power on virtual servers, such as Amazon’s EC2 service;

--Platform as a Service (“PaaS”) - certain providers are opening up application platforms (as opposed to the applications themselves) to permit customers to build their own applications using that platform’s underlying operating system(s), data models and databases, pre-built application components and interfaces;

--Software as a Service (“SaaS”) - application service providers have been hosting applications for quite some time, but the difference with SaaS in the cloud is that the servers hosting the applications are also virtualized.

Promises of higher accessibility, availability, and efficiency are prompting universities, government agencies, and businesses to consider cloud-based services. Today’s cloud computing providers are offering higher education the opportunity to substitute a presence in “the cloud” for universities’ existing data centers, servers, and applications, replacing these machines’ traditional “physical” presence on campus. For academia, cloud computing lets students, faculty, staff, administrators, and other campus users access file storage, e-mail, databases, and other university applications anywhere, on-demand. This expanded, device-neutral access theoretically lets everyone use information more effectively. Centralizing applications and data in a cloud provider’s data centers is also promoted as affording a high degree of data recovery, particularly for smaller educational institutions, as large service providers can theoretically invest in high-capacity infrastructures and hosting to keep software available in the event of technical glitches or heavy traffic. It is easy to see how university IT staffs’ traditional missions, from supporting mobile and remote users to enabling more “self-service” type systems for employees’ benefit, seemingly mesh well with cloud computing from a high level perspective.

On the financial end of things, the efficiency argument likely resonates even more with universities in a down economy. Amazon’s EC2 IaaS product lets users “order” as many virtual servers as they need and pay for them by the hour. Once they are done, the virtual servers “disappear” and the user doesn’t pay anything else. Some of Amazon’s customers “turn on” their servers first thing in the morning, use them during the business day, and turn them “off,” again, at the end of the day. In this new environment, a researcher’s grant application might request 100 hours of virtual server time, rather than requesting the funding for a new server.

Privacy and security remain the top concerns for educational institutions (or anyone else) looking at cloud computing, simply due to the model’s migration of proprietary and sensitive data outside campus walls. In addition to the usual security concerns for any enterprise, educational institutions, by virtue of their diverse operations, are subject to numerous compliance regimes, and when it comes to compliance, universities are well aware that you can outsource responsibility but you can’t outsource accountability.

Understanding security in an IT environment requires two things: transparency and control. Transparency lets you document who has accessed systems and data, when and where. Transparency can even compensate for a lack of control--allowing monitoring to demonstrate that unauthorized activity is not happening, even when those doing the monitoring lack the control to prevent the activity. Cloud computing, in its current structure, requires customers to give up a significant degree of both. Cloud services customers generally have no idea where their data is being processed or stored, who is accessing their information, how their data is protected, and what data has been accessed for what reason.

First and foremost, anyone considering moving to a cloud service should “look under the hood.” The cloud is a nice illustrative metaphor, but your university’s data or applications will be sitting on real, physical servers in a data center somewhere. Education CIOs need to know where their data will be hosted--especially if it could be multiple places--and they will want to perform the same due diligence required for any other outsourcing. One place to begin is the Cloud Security Alliance’s Guidance for Critical Areas of Focus in Cloud Computing (available at http://www.cloudsecurityalliance.org/guidance/csaguide.pdf).

Because data centers powering cloud computing platforms frequently exist in multiple nations, this triggers cross-border issues that can pose additional complex regulatory questions, or outright barriers, for university buyers. Institutions holding sensitive government contracts, for example, or those subject to export controls over their research materials and intellectual property cannot permit digital material pertaining to these to leave the country or even be subject to a “deemed” export through access to the information by foreign nationals. Research heads do not want to wake up one morning and discover that, simply by employing a cloud service provider, their department has accidentally violated U.S. export laws, risking not only continued funding but also criminal charges. Even without the export issue, state-funded institutions must pay attention to the political sensitivity of moving on-campus (i.e., in-state) jobs to a corporate provider, particularly one that might be in another state or even another country.

Universities, of course, are typically subject to numerous state and federal laws covering data on academic grades, health records and financial aid, among other things. Certain countries have very strict rules about cross-border transfers of personal information, and complying with those rules can be challenging in the virtual world of the cloud.

Once universities establish where their data will reside and how it will be secured, they need to carefully consider “availability,” the flip-side of data security. Authorized users need assured access to information, and cloud computing platforms are designed to be a robust, continually backed-up environment for data. However, while the cloud itself becomes a simplified data repository, it is also a single point of failure. A loss of internet connectivity anywhere between a university customer and their cloud provider’s network will cause interruptions of varying severity. Indeed, users of Google’s web-based e-mail and calendar services, recently unavailable to some users due to a service outage, can attest that even the biggest and most ubiquitous clouds are not bulletproof.

Typical cloud agreements define service level agreements (SLAs) establishing providers’ expected uptime and performance. Customers should look carefully at the math behind those measurements and figure out what they actually mean in terms of end-user experience and the customer’s operations. Beyond resolving minor glitches, universities should have cloud providers define their data recovery and business continuity postures in detail, particularly regarding what they are responsible for during a natural disaster affecting their data centers, for example, or other crises.

“Portability,” whether from “cloud-to-cloud” or from a provider to back within campus walls, is another often overlooked and very important consideration. Cloud vendors want to get customers’ data in their cloud platform, but may not be as helpful when it comes to letting them take data out of their infrastructure, in the event the customer decides to end the relationship. A good way for universities to estimate the portability of their data is to consider the nature of what they are contemplating to send into the cloud. If an institution is simply using the cloud for data storage or raw computing power, for example, those files can probably migrate to another provider relatively easily. If, however, universities select providers using proprietary web-based platforms or applications to create, store and manage data, they might be effectively “locked” in that system for all practical purposes. Most cloud providers will not want to go through the trouble of converting a university’s files into a transferrable format, simply to help them re-compete or transition a contract.

Moving to a cloud, and particularly to a SaaS model, also has substantial software licensing and hardware procurement implications upon termination. The ability to move to a “utility” model for hardware and software usage is one of the key economic benefits of cloud computing. However, should you choose to leave a cloud provider, you may need to re-purchase (or at least get up to date with maintenance payments) for your installed software base and you may need to acquire new hardware to run it all. Thinking through the exit strategy before you enter the relationship is critical for those considering any outsourcing, but especially for those considering a move to a cloud environment.

Potential cloud service customers also need to ask who owns the data. With cloud computing, customers do not own the underlying software. Again, depending on the nature of the service and/or applications in question, universities should read the fine print carefully and approach each service provider from the standpoint of maintaining ownership over not only their raw, unique data, but the valuable results of data processing occurring on the provider’s cloud platform. Such results could include reports pinpointing trends in student performance, or savings potential in contract management or accounting. Because campus leaders rely on managerial reports, more so than raw data, their status and ownership over time is a critical issue.

Related to data ownership is the important question of what happens if either the customer or cloud provider cannot pay for, or deliver the service, leading to its effective termination. Is there a means for customers to recover their organization’s critical data when a provider fails? Is a provider obligated to return, or maintain data in the event a customer can no longer pay for the cloud, or suspends payments in a dispute? These are all questions universities should consider up front, before any costly disruptions occur due to providers’ insolvency or other hardships.

Potential cloud service customers also need to carefully consider the parties’ roles and the allocation of risks and liabilities under the cloud model. Cloud service providers want to plug into universities’ offices as seamlessly as possible, but because they are fundamentally service providers, complying with all applicable laws is ultimately the school’s responsibility. Given this significant fact, educational institutions should seek out providers who can accommodate their specific or unique requirements. For example, whether a cloud computing solution complies with the Payment Card Industry Data Security Standards (PCI)--a requirement for anyone processing credit and debit card transactions--is something of an open question right now. Much depends on certain interpretations of the rules. Therefore, certain cloud computing models might not be as good a solution for campus functions that have to be PCI compliant, at least until that issue gets sorted out. If a campus has to retain these functions and the responsibility for verifying PCI compliance, that could adversely impact the business case for moving other aspects of the university computing to the cloud.

Formally assigning liability risk is essential for universities and other buyers’ faith and confidence in cloud computing, because customers want assurances that as long as they abide by specific rules--ideally tailored to their existing internal policies--providers will shoulder remaining liability. Customers are generally concerned about cloud providers’ liability for things like data breaches occurring on their infrastructures, or a provider’s facing a court-ordered shutdown as a result of patent infringement or other penalty, which could leave customers with disrupted services. Providers, in turn, usually want university customers to assume liability for the placement of copyright-infringing or other illegal material into their cloud platforms, for example. They also typically want customers to accept liability for using the cloud for other prohibited activities, such as sending spam.

Providers hosting e-mail or web-based services may have “Acceptable Use Policies” (AUPs) with which the customer must comply, and that the provider can modify in its discretion. Provider AUPs frequently give the provider the right to suspend the services if a customer does not comply. While some limited ability to turn off the service might be acceptable in very specific circumstances such as halting the spread of an internet worm, those considering moving to the cloud should consider carefully the leverage such a right gives the provider.

As universities consider these issues and others, their primary focus should remain on how effectively cloud providers can meet educational institutions’ unique operating and compliance requirements. Determining providers’ flexibility is essential because many purposely offer what amount to “one-size-fits-all” packages, since it is in their interest to leverage large economies of scale.

Universities should continually look for new technological advantages, but they need to keep their unique requirements and regulatory factors at the forefront of decision making, ahead of pure IT trends or short-term budget advantages. Cost, complexity, and compliance are on every CIO’s mind, and IT and legal stakeholders should work with advisors who can assess these areas and offer insight gained from experience with major cloud computing providers’ business models, terms, and conditions.

To the greatest degree possible, universities weighing cloud computing should survey providers, prioritize their requirements and seek objective insight on lessons different industries are learning in this and other emerging technology trends.

John L. Nicholson (john.nicholson@pillsburylaw.com) is an attorney in Pillsbury Winthrop Shaw Pittman, LLP’s Washington, D.C., office and a member of the firm’s Privacy & Data Protection practice team. He advises a diverse range of organizations, including retailers, higher education institutions and web businesses on privacy and legal implications surrounding technology implementation, policy and management.

