IT Trends | Feature

How Solid Is Your Clouded Data?

• By Bridget McCrea
• 09/09/10

As more institutions of higher education turn to software-as-a-service (Saas) or cloud computing options as alternatives to traditional purchase-and-install software, a growing number of challenges are cropping up. With this type of Internet-based computing, resources, software, and information are provided to computers and shared with other devices on a subscription basis.

The cloud setup is attractive for colleges and universities that want to beef up their technology arsenals without having to pay large upfront fees or spend the time and resources needed to install the systems on their own servers. Instead, schools pay monthly or quarterly subscription fees to use the software on the Web, and to share information back and forth with those online systems.

As cloud computing has matured, the relationships between vendors and users has become a hot topic, with data security and the ownership rights for that data, being two of the biggest concerns. To help, analyst firm Gartner of Stamford, CT recently released a set of guidelines designed to ease the tension between cloud computing users and vendors.

Daryl Plummer, managing vice president and chief of research for emerging trends and cloud computing, called Rights and Responsibilities for Consumers of Cloud Computing Services a "bill of rights" for any institution using a vendor's contract services. In the report, Gartner specified six rights and one responsibility of service customers. Plummer said the guidelines were written up to help providers and consumers establish and maintain successful business relationships. Here's a snapshot of each "right":

• The right to retain ownership, use and control of one's own data.
• The right to service-level agreements that address liabilities, remediation and business outcomes.
• The right to notification and choice about changes that affect the service consumer's business processes.
• The right to understand the technical limitations or requirements of the service upfront.
• The right to understand the legal requirements of jurisdictions in which the provider operates.
• The right to know what security processes the provider follows.
• The responsibility to understand and adhere to software license requirements.

Plummer said the guidelines are applicable in the educational environment, namely owing to the growing number of compliance issues and regulatory rules. "Schools have to deal with all kinds of matters along these lines," said Plummer, who added that schools in Florida, for example, must comply with the state's sunshine law, which requires all state, county, and municipal records to be open for personal inspection and copying by any person.

The right to retain ownership, use, and control of one's own data is one area that Plummer cited as especially relevant for institutions using cloud computing. "Basically what we're saying is that you should have the right to look at your own data, even when that data is placed on a cloud server," said Gartner. "In the university setting, there's intellectual property flying all over the place--from researchers sending files to one another to the e-mail system that's running on a Google or Yahoo data center."

In the latter scenario, Plummer said, questions like "Is the researcher the sole owner of the data?" and "Does Google retain some ownership of the data?" can create problems between the university and the SaaS provider. "The vendor will say that it doesn't own the data, but history has shown that cloud computing providers have asserted themselves and used some of the data without approval," Plummer said. In one instance, a photo that was uploaded through Google was later used (without approval of the user) in a company billboard advertisement.

"Many cloud service providers do not explicitly state their position on the issues of ownership, use, and control of data," Plummer said. "When a service provider hosts data, processes and applications on behalf of a service consumer, does the provider earn the right to use, access or manipulate those resources without the permission of the service consumer?"

The assumption is "certainly not," said Plummer. "However, without a statement from the provider to this effect, there is a potential risk to the service consumer." As part of its guidelines, Gartner focused on the importance of data security in the issue of ownership and control and said service providers must take steps that include furnishing an audit statement of data ownership and usage practices; stating policies and procedures for e-discovery; and disclosing the location, movement, and usage assumptions about data and applications.

Emmanuel Garcin, vice president and general manager at open source, Java-based Web content integration solution provider Jahia Inc. in Washington, DC is one technology provider who agreed with the need for cloud computing guidelines. "For standalone installations, we respect a customer's right to retain ownership, use, and control of one's own data," said Garcin, "and encourage other cloud computing vendors to do the same."

It sounds simple enough in theory, but will all SaaS vendors play by the new rules? That answer may not come until Gartner releases a new report on vendor response to the cloud computing bill of rights, said Plummer, who is working on that project now, as of this writing.

Also expect to see Gartner publishing more "bill of rights" documents and guidelines for other, ambiguous computing issues (such as what happens to a user's data when a provider goes out of business overnight). "If you're a university, and if that business sells its assets, can your intellectual property get sold along with it?" said Plummer. "These are the important questions that need to be answered."