Cloud Control | Feature

Cloud Strategy: Look Before You Leap

While the idea of saving money and streamlining IT operations on campus is very attractive, institutions need to be aware that cloud computing is still an emergent technology, with some very real concerns and weaknesses that need to be addressed.

Security
In surveys of IT leaders, security is always the No. 1 concern that keeps organizations from either adopting or further implementing cloud computing. Headlines such as PC World's "Microsoft Cloud Data Breach Heralds Things to Come," in December 2010, are enough to keep technology executives awake at night.

Before Long Island University (NY) moved students to Google Apps, says CIO George Baroudi, the university's compliance department had to be satisfied that Google could uphold the school's strong privacy and security expectations and comply with the Family Educational Rights and Privacy Act (FERPA). Baroudi also ensured that login and encryption take place at LIU, and that the university monitors everything at its end.

He also decided not to put higher-risk administrative e-mail in the cloud, partly because e-discovery laws vary depending on the state where the data reside. "Even with private clouds, it is difficult to find providers that store data all in one state," explains Baroudi.

Like LIU, most universities have few qualms about putting student e-mail and documents in the cloud, but they are holding off on more sensitive information for now. Although the intersection of e-discovery and cloud computing is still relatively new, courts are expected to require universities to ensure that their cloud providers comply with the schools' document-retention policies.

Addressing the issues of e-discovery and compliance with laws such as FERPA and the Health Insurance Portability and Accountability Act (HIPAA) is just the start. Colleges and universities should also gather as much information as possible about a cloud provider's security systems, retention policies, and history of data breaches.

Some providers have been criticized for their lack of transparency about security. "Transparency is a key differentiator among providers," says Scott Bils, a partner with the Everest Group consulting firm. Cloud providers such as Amazon, Rackspace, and Salesforce.com have the most secure data centers on the planet, he adds, but university CIOs must still establish their own policies and then discern whether the providers meet them.

"The cloud providers don't want to make their privacy policies public because it may invite hackers," explains Yankee Group principal analyst George Hamilton. But customers should turn to valid third-party audits such as ISO 27001 and the SysTrust audit.

"We need to perform security assessments of vendors when sensitive data is involved," adds Andrew Korty, deputy information security officer in the Office of Public Safety and Institutional Assurance at Indiana University. "We also need to add language to contracts to ensure the vendors continue safeguarding the data over time. Agreeing to standards on security assessments and contract language would make the process easier and more efficient for both the vendor and the institution."

At IU, cloud vendors complete a questionnaire about how they safeguard data. "We review the vendor's answers and have a follow-up call to make sure we understand each other," says Korty. "Then we consult with our data stewards [individuals throughout the institution charged with making risk decisions about various types of sensitive data] on whether the risk is acceptable."

Before utilizing cloud technologies, universities should evaluate applications and infrastructure for vulnerabilities and verify that security controls are in place and operating properly, says Ben Marglin, a principal with the consulting firm Booz Allen Hamilton who specializes in IT strategy for the public sector. He also suggests setting up an active monitoring program that uses services such as intrusion prevention, access and identity management, and security-event log management to identify any security threats.

Some universities are turning to tools such as VMware's Horizon Application Manager, which allows organizations to set up authentication and policy controls for SaaS applications. IT security executives can monitor who is using which application and can set granular policies. Users on the LAN or VPN might have certain privileges, for example, while users on public WiFi at the airport have read-only access.

Hamilton predicts that in a few years cloud storage providers will appeal to specific vertical markets, agreeing to comply with whatever regulatory requirements apply to that sector, be it education or healthcare. In the near term, universities are more likely to operate in a distributed environment, with some data on dedicated servers behind firewalls, some in private or consortium clouds, and some in public clouds.

Of course, each campus's ability to keep up with developments in data security will depend on the size and sophistication of its IT operations. Reed Sheard, vice president for college advancement and CIO of Westmont College (CA), a small liberal arts college with about 1,300 students, says that, after a thorough assessment by his staff, he was convinced the college's data "will be much safer in the cloud than in anything we could afford to do here."

The Right Questions to Ask

The Office of Public Safety and Institutional Assurance at Indiana University has developed a list of questions about privacy and security that all schools should ask themselves before adopting cloud-based solutions.

  • Security and safeguards: How would the vendor ensure that cloud service access privilege changes are applied accurately and in a timely fashion? How would the vendor ensure that only authorized individuals are able to modify access privileges? Can the vendor support encryption of data at rest or in transit if necessary?
  • Confidentiality and privacy: What are the privacy risks and/or open records consequences of the information and/or service involved? Can we control how the vendor uses our information? How do we address user concern about vendor privacy policy? Do we need to provide an alternative service for users who do not wish to expose themselves to the vendor's privacy practices?
  • Legal and regulatory consequences: How does the use of a cloud service impact our ability to comply with various legal requirements such as HIPAA, FERPA, PCI DSS, e-discovery, state data protection laws, or export control laws? Do laws where the vendor is incorporated or locates its servers (which may even be in foreign countries) potentially apply?

Contracts
College and university administrators have been negotiating contracts for computing services for decades. Contracts for cloud computing services don't diverge dramatically from what administrators are used to--but there are differences. One thing is abundantly clear, though: It is important to sweat the small stuff.

"You can't walk away," says Thomas Trappler, director of software licensing at the University of California, Los Angeles and an authority on cloud computing contracts. "With cloud computing, everything comes back to the contract."

Trappler and David Cottingham, senior director of managed services at CDW, suggest four questions to ask when working with a cloud provider, and offer four pieces of good advice.

Ask these questions:

  • If you end up not being satisfied with the services you receive, how do you terminate the contract? Can you terminate for convenience or must you have cause?
  • If there is a provider outage, what are you entitled to? Consider a service level agreement (SLA) that defines service terms, including how many hours and minutes the service must be accessible. If the provider fails to meet the SLA, what are the penalties or credits to be awarded to the university?
  • In case of a catastrophe (for instance, a natural or man-made disaster) or major data loss, what are the provider's contingency plans?
  • What responsibilities do you have as a customer? For example, if a student or staff member uses an application or uploads a virus that damages the system, what is the university's responsibility? In some cases, the provider's acceptable-use policy can shut your service down. If that happens, your institution must have its own contingency plans to be able to operate.

Follow this advice:

  • Gather input first. Form a group of key stakeholders or subject-matter experts that can evaluate the impact of a cloud service before it gets adopted. The membership may vary depending upon organizational needs, but would typically include: the business owner process department, IT vendor management/IT procurement, IT technical, legal, IT security, IT policy, risk management, and audit/compliance.
  • Describe--precisely--the level of service that will meet your needs. Spell out the parameters and definitions for each element of the service you expect, along with remedies for service levels that are not met. For example, information-security standards will vary depending on what a certain department is doing with its data. Make sure you have all the information on your needs before you start negotiating with a provider.
  • Trust, but verify. Check out the physical infrastructure of the provider's facility. Don't forget that your data still reside in a brick-and-mortar building. Where is the data center? Are there security guards and video cameras? Even if you're moving to the cloud, there's still a "there" there. Know where it is.
  • Conduct due diligence. Some organizations, such as the Cloud Computing Association, are trying to establish cloud computing standards, but none of these is perfect. Nothing beats an old-fashioned investigation. And much of that involves (you guessed it) reading the fine print.

For more on the topic of cloud computing contracts, Trappler has written what may be the definitive article on the subject: "If It's in the Cloud, Get It on Paper."

Migration and Lock-in
Porting your data to a service provider is sometimes easier than getting it out. When assessing and managing the risk of cloud computing, you often hear the term "vendor lock-in." But the impact of lock-in depends on whether you are considering software, infrastructure, or platform service clouds, each of which has its own level of commitment.

In each situation, institutions must have an exit strategy--a plan for moving data to another provider or back in-house if things go bad. Given the relative immaturity of the cloud business model, vendor shutdowns and acquisitions are inevitable. Of course, re-provisioning service on campus after eliminating hardware, software, and personnel is no small task.

During negotiations with Microsoft, a major consideration for Hofstra University was how it would take a year's worth of e-mail back if it terminated its contract. "We chose Microsoft because we felt it has a real commitment to this area long-term," recalls Robert Juckiewicz, the university's vice president for IT. "Other vendors have excellent capabilities, but who knows if they will be around? We did our best to choose a vendor that would work with us on contingencies, but making a change [still] wouldn't be easy. We just made sure there are several months built in to ending the relationship."

The level of caution you exercise may vary with the size and financial clout of the vendor. "With a company like Meraki, I had to negotiate a slightly different type of contract to protect the college than I would with much larger entities like Google," says Westmont's Sheard. "You have to weigh the potential risk of their disappearing with the perceived benefit to the college, and then make recommendations to the president and board."

Having redundant vendors is a good idea, when possible. When Amazon's web services experienced outages, some customers went down; others had built-in redundancy, either to other Amazon servers or by automatically cutting over to other vendors.

Migrating from one infrastructure as a service (IaaS) vendor to another is definitely possible, but could be expensive and require consulting help from cloud experts.

The term platform as a service (PaaS) refers to a web-based development environment for cloud-based services. It provides enterprises with access to shared, scalable IT resources on demand. University software developers who are building applications on a cloud platform such as Microsoft's Azure Services or Google's App Engine should look for the capability to port those applications from one vendor to another or move them in-house without having to rewrite them.

Open source options are often worth considering. In collaboration with NASA, Rackspace Hosting has launched OpenStack, whose development model is meant to foster cloud standards, remove the fear of proprietary lock-in, and create a large ecosystem that spans cloud providers.

Booz Allen's Marglin says it is best to view cloud services as you would a utility, so how much you can negotiate with vendors may be limited: "You may not have a lot of choice, but you should have your eyes open and always have a backup plan."

IU's Korty recommends inserting a "data liberation" clause in the cloud contract, stating that the institution will always be able to take its data elsewhere. "The agreement should also require the vendor to securely delete all of the institution's data from storage media," he adds, "including backups, after handing it over."