- Khalil Yazdi, CIO in Residence, Internet2
- Andrew Keating, Director, Cloud Services Internet2, firstname.lastname@example.org
Assets from this session (shared box folder):
I’m looking forward to this session because there are so many SaaS, PaaS and IaaS tools that I’m being asked to review by my colleagues. There is a box link http://bit.ly/1H7tKhP that contains the notes from this session. The Sample Security Clauses and Sample Data Handling Clauses were worth the price of admission, btw.
The EDUCAUSE app says about this session:
This seminar will introduce participants to the technical, legal, and risk management considerations important to evaluating and selecting cloud services for their campuses. Learn the key aspects of the Cloud Controls Matrix for security assessments as well as legal terms and conditions that make for successful cloud contracts.
OUTCOMES:
- Categorize the elements of cloud service assessment
- Identify risks associated with cloud services and develop mitigation strategies
- Distinguish how to engage campus stakeholders in evaluating cloud services
POLL: What’s Attractive to You About Cloud Services?
- Reduced overhead
- DR / BC
- Value-add functionality for staff
POLL: What Concerns do you Have About Cloud Services?
- Integration of systems
- Data and data analysis
- What happens if your provider goes away
- Data location (regulatory)
- Data ownership / retrieval
- Manage cloud service, not our actual work
- Funding / budgeting model CapEx > OpEx
- Governance: accessibility, PCI, FERPA, etc.
- “Too easy” i.e. barrier to entry is very low
- Enterprise vs. consumer purchasing
Items that are attractive and items that are concerns can (mostly) be argued either way!
Overview of Cloud and R&E Community Cloud
- Internet2 founded 1996
- National network
- 300 member universities; 80 corps; 70 govt. orgs, etc.
- Supports research and education
Goal for Today: Informed Decision-Making About This Deployment Vehicle
- It’s no longer an emerging technology
What Drives Us to Cloud Services?
- Reducing costs
- Realigning staff
- Meet institutional goals
- Help students learn more effectively
- Aging infrastructure
- Scalability & elasticity, simplicity, expandability (ebb and flow of normal campus activities)
- Volume up; prices down (with these kinds of services, IT is more like a portfolio manager of financial assets)
Business Drivers: What’s Different?
- Student Expectations
- Faculty Roles & Requirements
- Higher Education Business Needs
- IT Services & Delivery
- IT Procurement Strategies
Definition is Still Elusive & Amorphous
NIST definition: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
In short: it’s a shared experience.
Underneath it all, you need a network carrier; Internet2 has this.
We wanted to create a scalable community approach for the higher ed space to communicate with cloud providers.
The NIST framework is not perfect: identity is missing, it has overhead, security lives in the “cloud provider” segment, etc.
EDUCAUSE Top Issues: Four Strategic Priorities
- Efficiency: reduce operational costs
- Effectiveness: achieve demonstrable improvements in student outcomes
- Relevance: keep pace with innovations in eLearning, and use eLearning as a competitive advantage
- Value: Meet students and faculty member expectations of contemporary consumer technologies and communications
You have to be able to speak to the above issues if you want to be relevant when pushing cloud services on your campus.
- What’s your role and why are you here? I’m director for Web & Technology Services in the division of Student Affairs. I’m here because I want to get a handle on the approaches needed to manage the adoption of cloud services beyond web site and web application hosting (i.e., product purchasing, governance, security, etc.)
- What are the business drivers at your campus for going to the cloud? Speaking for my own unit: cost, better understanding of service utilization.
- What are the budgetary drivers motivating consideration of the cloud? Changing from CapEx to OpEx model.
- What are the technical drivers for moving to the cloud? Reduction of technical overhead in maintaining a web infrastructure, reliability, flexibility.
- Who are the champions for cloud adoption on your campus? What are their expectations? Often, those who can’t or don’t want to support the technology themselves, but typically people who want stuff we can’t deliver.
- Who are the detractors resistant to moving to the cloud? Not many detractors, but there are people who continue to retain latent suspicions of the technology. Central IT itself is often resistant to moving to the cloud.
- What do you see as major challenges to cloud adoption? Scalability within the organization; how do we approach adoption in a holistic sense.
Cloud Assessment Skills
Technical & Architectural
- Aspirational view of the cloud: simplify and obfuscate complexity
- Responsibility and management model: need to understand the vendor’s relationships on all the different components of what represents “their problem” versus “your problem.”
- IaaS is purely infrastructure. Provider says: “We’re just giving you hardware in the cloud. Everything else is your problem.”
- PaaS: Provider says: “We’re giving you everything EXCEPT your application. You’re responsible for that.”
- SaaS: Provider says: “We’ll manage everything for you.” However, it’s all about who owns your data.
Cloud Service Functional Assessment
- Review current features and functionality
- Discuss existing Service Provider product roadmap (under NDA)
- Determine ways in which service needs to be tuned for research and education usage
- Prioritize feature requests and discuss prioritization with the SP’s product team
Process and Deliverables: understand current features, functionality, and future roadmap; determine how to request features and inform the roadmap as well as process for reporting bugs.
Cloud Service Technical Integration
Network: test network performance or review 3rd party testing; determine service connectivity with the Internet2 R&E network and optimize for enhanced delivery. Test the network to create benchmarks!
Identity: review SP’s identity strategy and determine InCommon integration. Net+ Identity Guidance for Services
Process and Deliverables: assign technical team members on networking and identity; develop and review testing plans; and produce reference documents for service subscribers.
Security & Compliance
- What are the documents involved?
- Definitions: CCM, or Cloud Controls Matrix (self-reported like a VPAT, not audited); SOC 2 (an audit report); ISO 27001 (an audit report, pass/fail)
- How to read and understand these documents
- Security assessment: customized version of the CCM developed by the Cloud Security Alliance
- Accessibility review and roadmap commitment
- Data handling: FERPA, HIPAA, privacy, data handling
Process and deliverables: SP provides review copies of 3rd-party audit materials and completes the Cloud Controls Matrix for review; the campus security officer reviews and assesses the service; accessibility engineers review the service and communicate needs to the SP.
Legal & Contracts
What are the key elements in a successful cloud contract?
- Description of service components, features
- Pricing and business terms
- Indemnification and limitation of liability
- Compliance and representations
- Data & data handling (data retrieval on termination, data destruction, etc.)
- “Exit strategy,” source code escrow
- Insurance provisions
When Reviewing Sample Contract Materials
The following questions were based on sample templates in the Box share described waaaay above.
- What does this contract language aim to do?
- Who or what does it protect?
- What are the risk considerations for the university? For end users? For the service provider?
- Which would you sign and agree to?
- Which would a commercial service provider sign and agree to?
Cloud Assessments: Conclusions
- Specificity matters
- Consider whether it is more helpful to spell out what a SP will do OR what they will not do
- Some flexibility is required: if you want to use a commercial service, determine what is reasonable
- Do not accept standard commercial terms or “click through”
- Do not assume the worst of commercial SPs
- Consider the future and ongoing relationship
- Remember that both sides are managing risk and the overall aim is to come up with something that both your campus and the SP can live with