Demystifying the Cloud for Policymakers

Adopters of cloud technologies recognize that it requires business decisions, risk management, and policy choices.  At the Annual State of the Net Conference, EDUCAUSE Policy attempted to demystify the cloud for policy makers.

Sourcing IT (business decision)

Before we arrive at the conclusion that the best course of action is to outsource IT services to the cloud, we have to start with a more fundamental range of choices on how to best source IT solutions.  It might include centralizing services at an enterprise level, redistributing services that are better sourced at a local or departmental level, or sharing services at an interinstitutional or university system level.  As the discussion turns to outsourcing, it could start by considering the option of remotely hosted systems where the systems and data reside at a fixed location or true computing in the cloud where systems and data are located at multiple locations throughout the world.  The range of sourcing decisions must be considered.

The drivers for business decisions for sourcing IT often turn on the need for increased efficiency, improved effectiveness, and containing if not reducing costs.  Efficiency assumes that the economies of scale lead to better results, supported by specialized expertise and more support than is typically possible in a small IT organization.  Effectiveness can be measured by the increased reliability and responsiveness to user needs.  Cost is an important consideration at a time when policymakers are concerned about college affordability.  Opportunities for demand aggregation such as the services of Internet2’s NET+ Services also provide an opportunity to streamline the purchasing process for colleges and universities.  It reduces vendor costs, too.

Managing Data (risk decision)

Campus IT professionals are increasingly turning their attention to their role as data managers.  That is why we are seeing an increase in data governance and an institutional focus on enterprise risk management.  An effective data management process addresses many of the apprehensions about putting data into the hands of a third party.  Applying the discipline of risk management to the management of data is an essential part of a campus IT strategy – whether it is choosing to keep the data in-house or store it in the cloud.

Most campuses have historically accepted or assumed the risk for student information, employee information, research data that includes human subjects, and other sensitive or personally identifiable information.  They may attempt to transfer the risk through insurance.  And they might hope that by contracting with a third party that they can assign the risk to someone else.  However, it is clear from most of the compliance obligations of universities, including FERPA and HIPAA, that you cannot simply wash your hand of any responsibility or liability because the service is provided by a 3^rd party.  However, you can take steps to mitigate the risk through administrative, technical, and physical safeguards as well as contract provisions that attempt to fairly apportion the responsibility and the financial and legal burdens between the parties. 

Achieving Mission (policy decision)

Colleges and universities do not exist to provide IT services.  The mission of higher education is to facilitate teaching and learning, promote research and discovery, and provide outreach and service to the community.  IT and other administrative services enable the fulfillment of the mission.  Academic information technologies, including networking and the support of learning and research, are closely coupled with the academic mission.  But it does not mean that it is a core service that must be provided by the institution.  Consequently, higher education has made a lot of strategic choices over the years about outsourcing services that are not related to the core mission of the institution (e.g., dining services, bookstores, residence halls, etc.)

As institutions are confronted with strategic or policy choices with respect to moving to the cloud, they must consider the importance of academic or mission continuity, the availability of networked services, and the privacy and security of data. We are already hearing anecdotes following SuperStorm Sandy of how institutions with cloud providers were able to continue to deliver online course materials and how faculty could engage with students thanks to decisions to move online services to providers whose technology presence was located elsewhere than the physical campus.  We expect that the redundancy of services and distributed location of data will help contribute to an institutions ability to continuously operate.  The network is central to the availability of almost every IT service that campuses use today so it requires attention to broadband adoption and policy, the resilience of the network, and accessibility of applications for persons with disabilities.  Finally, while it may be true that third parties can do a better job at information security or protecting the privacy of user data, campus IT professionals need to do their due diligence and are asking how do we know or verify?   That is why the Internet2 NET+ Service is working with the Higher Education Information Security Council (HEISC) to develop a third party assessment framework, leveraging the expertise of the Cloud Security Alliance and the National Institute for Standards in Technology (NIST), in an effort to provide some level of assurance that cloud providers are adequately addressing privacy, security, and other compliance concerns.

Any campus that is considering a strategy that leverages cloud computing must address business decisions, risk decisions, and policy decisions.  Together, these decisions will lead to choices that maximize the use of institutional resources while ensuring that compliance obligations are appropriately addressed.