Like any other organization, higher learning institutions (“HLIs”) seek to manage and reduce the risks and losses that arise from the delivery of their services.
Some risks have been limited through legislation: for example, the enabling statutes of most Canadian HLIs provide legal immunity from certain types of legal actions. Losses have been mitigated by organization: banding together in reciprocal insurance organizations, HLIs have pooled their financial resources to reduce the likelihood that any one of them could be debilitated by a catastrophic loss. HLIs have also used private contracting to directly manage risks and limit losses: whether dealing with students, staff or suppliers, HLIs often have significant bargaining power that allows them to favourably apportion risk and limit liabilities.
In addition, HLIs use technology–both old and new–to protect assets from interference or loss. Simple practices like locking the doors to university buildings, or using passwords and firewalls to lock away sensitive data, are integral parts of HLI asset maintenance and security programs designed to control and limit losses. Yet, technology is constantly changing, and new technological innovations create both opportunities for and challenges to the successful management of risk. “Cloud computing” is one such innovation.
What is cloud computing?
In the loosest possible terms, cloud computing refers to the delivery of computing services over the internet. In contrast to more traditional computing models under which data and applications are stored locally on hardware controlled by the equipment owner or its agents, in a cloud computing model, the data and applications are stored remotely (in the metaphorical “cloud”), on hardware in the custody of third party service providers.
While “cloud computing” has gained recent profile, the concept isn’t new. In fact, it has been around for a long time, in many simple and very public guises.
Take webmail. Microsoft’s Hotmail, one of the oldest and best known webmail services, is not a recent innovation–it has been around since 1996. Since use of the Hotmail service does not require any real financial investment by or technical knowledge on the part of the user, and given that the responsibility to control the application and all related data falls upon the service provider, Hotmail can be fairly described as an early example of popular cloud computing.
Services like Hotmail–limited function applications reliant upon the cloud for processing power and storage, accessible through a web browser–are wildly popular today: many of the burgeoning Web 2.0 applications like Facebook, MySpace, YouTube and Second Life meet the definition of cloud computing services. But cloud computing isn’t all social networking and personal entertainment applications: the cloud is large and its many service offerings are varied. Amazon Web Services provides researchers and developers access to the highly scalable computing resources of its Elastic Compute Cloud at the flip of a switch; Google’s AppEngine provides a technology infrastructure on which new cloud applications can be built, along with the computing power to deliver them.
Whatever the implementation, cloud computing makes it possible for almost anyone to deploy tools or to obtain processing power or storage, scalable on demand, to serve as many users as desired. Applications and data are always available and accessible from any computer, supported by thin-client tools that are inexpensive, if not free.
Cloud computing and HLIs
In the educational context, the potential for positive returns from the use of cloud service offerings is significant: basic cloud services can provide HLIs with low-cost alternatives to expensive, proprietary software; Web 2.0 tools allow students, staff and researchers to share, access, comment and change information in ways that were previously not possible or practical; complex cloud service offerings have great potential for large scale research, experimentation and collaboration. On the enterprise level, cloud services also offer attractive possibilities for HLIs seeking assistance with their own business and administrative endeavours.
Whatever the application, newcomers to the cloud often find that service uptime and stability increase over previous levels, since cloud service providers often employ distributed and redundant infrastructure resources exceeding those typically available to the HLI. Similarly, many commercial cloud service providers use audit, handling and security practices for customer data superior to those that the HLI has in place.
In addition, organizations of all stripes are taking note of cloud computing’s cost saving potential. Reducing the need for significant capital investments in server farms and software licenses, along with the employees to support them, can be an attractive proposition for HLIs, particularly when endowments and government funding are shrinking.
Some HLIs have already embraced high-profile large-scale cloud service implementations. In 2006, Lakehead University began to provide access to a limited edition of Google Apps to over 45,000 students, faculty, staff and alumni users (though this implementation was not without some controversy, as discussed below). In fact, a report released last fall indicated that of the more than 10 million users of the Google Apps suite worldwide, two million of these were educational users.
Risks of cloud computing
However, cloud computing is not a risk-free proposition: instituting a cloud computing program that is ill-conceived or shoddily maintained can quickly do significant damage to an HLI’s reputation and its bottom line. Poorly executed, cloud computing can also see HLIs forfeit the security of their data, their processes and potentially the security of their IT enterprise.
And the cloud computing model’s democratizing effect on access to computing power can exacerbate these concerns. With so many applications and so much computing power readily available, users are no longer as dependent upon HLI finance and IT departments for the funding and expertise traditionally required to obtain and support computing resources. Since most HLIs choose not to lock down and monitor all web traffic (for reasons both practical and philosophical), users have some ability to obtain cloud services–at least on the small to intermediate scale–without the HLI’s knowledge or involvement. Researchers can execute clickwrap service agreements binding upon the HLI, even if the HLI’s administrative or legal departments are entirely unaware of them. Professors may require the use of cloud-based Web 2.0 applications in their classes (such as wikis, virtual worlds, social networking applications or other collaboration tools); when the student and professor alike sign up for the service, they too execute clickwrap agreements that can impact the ownership, safety and security of data to the possible detriment of the HLI.
In this new paradigm, the ability of IT, finance and corporate governance groups to dictate investment priorities, manage vendor relationships and mitigate risks through the careful review and negotiation of legal agreements is being sapped by the rise of the cloud computing model—a model whose impact can be difficult to detect. And the resultant risks to HLIs are not insignificant: users can unwittingly draw the HLI into multi-party, multi-product arrangements, potentially conflicting or competitive with one another (whether from a technology standpoint or otherwise). These applications may be reliant upon practices which are non-compliant with the HLI’s best practices or even applicable law.
Management of cloud computing
The challenge for HLIs in relation to cloud computing services is to ensure that technical, security and data privacy issues are dealt with in a manner that meets the HLI’s legal and other contractual obligations (which may be somewhat different than what the service provider has anticipated), as well as their technology needs.
So how does an HLI manage the opportunities and challenges presented by the rise of the cloud computing model? While each organization will come up with its own approach, a well thought out response should account for at least the following considerations:
- Revisit employee and student technology use policies: ensure that these policies properly account for the latest technological developments (reflecting the new ways in which technology is being used) and legal developments (reflecting the latest judicial decisions which set boundaries on staff and employee technology use, and supervision thereof by the HLI). Subject to any collective agreements, consider requiring professors to seek approval from the HLI before requiring or recommending that students use a particular cloud service as part of a class. Require that policies be reviewed by both HLI IT and HR departments, as well as legal counsel with HR and technology expertise.
- Educate staff and students about the policies, explaining the rationale for any limitations and setting out the penalties for non-compliance. Then, make sure the policies are enforced consistently.
- For Web 2.0 applications or other cloud service arrangements which are likely to be initiated by staff or students (policies notwithstanding), ask your IT staff to identify those currently most popular. Of these, try to identify applications that may be helpful or otherwise benign to your IT enterprise, and those that may not. (Popular services like MySpace and Facebook allow users to create and upload their own applications for use with the service that are not vetted through site security policies: as a result, such applications can contain malware.) Consider practical measures to protect the integrity of the HLI IT enterprise: simply banning access to these sites may not be popular or even possible for HLIs, in light of freedom of speech and access issues.
- When contemplating larger-scale cloud service acquisitions, take care in assembling your acquisition team. Personnel comfortable with the legal and technical issues implicated in large-scale hardware purchases and software licensing are not necessarily the right people to assist with a cloud service acquisition. Consider involving legal counsel who can assist your purchasing specialists to understand cloud computing: such deals often implicate multiple jurisdictions and legal regimes. Lakehead University took some heat for its Google Apps implementation, not because it did not go well from the technical side, but rather because of privacy concerns relating to the multi-jurisdictional nature of the parties, the location of data, and the impact of foreign laws upon Canadian privacy rights. For example, the privacy laws binding HLIs in British Columbia are stringent, limiting certain cloud computing opportunities. To some extent, legal issues like these can be anticipated and mitigated with proper due diligence and the right personnel, who ask the right questions and implement sound strategies.
- Perform due diligence on your service provider. Since you are giving up some degree of physical control over your technology, your confidence in the cloud provider becomes all the more important. In addition to looking at the cloud provider’s answers to technical questions (inquire about data access control methods, segregation, regulation, support, backup, two-factor authentication, encryption, location and investigative support) make inquiries about the prospective provider’s financial health and long-term viability, and seek referrals from their other clients.
- Invest sufficient time and money in negotiating the terms of service level and other related agreements with the provider. These agreements are your best means to control the service provider, and by extension, your data. Once the agreement has been negotiated and put in place, don’t just set it aside–revisit it periodically and exercise any audit, access and other transparency rights you may have.
While cloud computing justifiably has many vocal advocates–particularly given the unique combination of economics and convenience that the cloud service model offers–HLIs must remember that characteristics inherent to the cloud computing model increase the need for HLIs to take a punctilious approach to maintenance and security of their technology resources, and place increased emphasis on private contracting arrangements. In addition, there are no guarantees of the long-term viability of chosen service providers or that the cloud computing model itself won’t be superseded. However, if well thought out and properly implemented, cloud-based computing services can provide unique opportunities and advantages to HLIs and their stakeholders.