Cloud Computing Rodney Petersen – EDUCAUSE Steven J
Total Page:16
File Type:pdf, Size:1020Kb
Partly Cloudy? What a CBO Should Know about Cloud Computing Rodney Petersen – EDUCAUSE Steven J. McDonald –Rhode Island School of Design Alternative IT Sourcing Strategies The range of options institutions have for providing technology services or operating technology functions aside from doing these things themselves. It includes traditional outsourcing of all or part of the IT organization, accessing externally managed applications, development environments, or hardware via the Internet, and support from consortia (e.g., open source). Survey: IT Services Sourcing –November 2008 EDUCAUSE Center for Applied Research (ECAR) Sourcing IT in Higher Education College/Departmental Infrastructure Central IT Infrastructure Shared Higher Education Infrastructure Third Party Infrastructure Cloud Computing (Gartner) ". a style of computing where massively scaleable IT‐enabled capabilities are delivered 'as a service' to external customers using Internet technologies." Gartner, Inc. Cloud Computing (Berkeley) Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. The services themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware and software is what we will call a Cloud. When a Cloud is made available in a pay‐as‐ you‐go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing. We use the term Private Cloud to refer to internal datacenters of a business or other organization, not made available to the general public. Thus, Cloud Computing is the sum of SaaS and Utility Computing, but does not include Private Clouds. Above the Clouds: A Berkeley View of Cloud Computing February 10, 2009 Software as a Service (SaaS) Delivery Platforms • Managed hosting – contracting with hosting provider to host or manage an infrastructure (IBM, OpSource) • Cloud computing –using an on‐demand cloud‐based infrastructure to deploy an infrastructure or applications (Amazon Elastic Cloud) Development Platforms • Cloud computing –using an on‐demand cloud based development environment to provide a general purpose programming language (Bungee Labs, Coghead) Application‐led Platforms • SaaS applications –using platforms of popular SaaS applications to develop and deploy application (Salesforce.com, NetSuite, Cisco‐Webex)2 Cloud Computing in Higher Education Richard Katz, Phil Goldstein, and Ron Yanosky Why Cloud Computing is Appealing Cost Consumerization of IT Scalability and availability of services Sustainability or green IT Enabling the Cloud Economic Value Full connectivity Open Access Reliability Security Privacy Interoperability and User Choice Sustainability Envisioning the Cloud: The Next Computing Paradigm Marketspace Point of View (March 20, 2009) Public Policy "If, as argued, cloud computing represents a potentially transformative democratization of technology by making the same computing power available to individuals and small‐ and medium‐sized businesses that the largest enterprises enjoy, elected officials have the opportunity to help deliver its enormous benefits to the full diversity of their constituents." Envisioning the Cloud: The Next Computing Paradigm Marketspace Point of View (March 20, 2009) Let's Make a Deal All of the things that you have to worry about when you do it, they should be worrying about when they do it But it may not be in their business model Or they may not even be aware of it Trust, but verify Ignore: • "No one's ever complained about that before" • "We can't do that –it's 'free'" Contracts 101: What Doesn't It Take to Make a Contract? A negotiation • Non‐negotiable forms (like EULAs) are still enforceable • Courts will strike out terms of non‐negotiable contracts only if they are "unconscionable" A written document (usually) A written document that is consistent with your negotiations A written document that you have read A signature (usually) Terms that are "fair" and "reasonable" All that matters is that you have "manifested your mutual assent" to the contract Legal (and Contractual) Issues to Watch Out For FERPA/Privacy/Confidentiality Data security and data breach responsibilities E‐discovery Patent infringement Incorporated URL terms that are modifiable at will Responsibility for end users Export controls Service level agreements Suspension/Termination and their aftermath Warranties (and lack thereof) Indemnification (both ways) Choice of law and jurisdiction FERPA "'Education records' . means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution" FERPA "'Education records' . means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution" FERPA "'Record' means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche" FERPA In general, a record is "directly related" to a student if it contains "personally identifiable information" about that student (broadly defined), including: • Name • Address • ID number • Biometric identifier • Indirect identifier such as date or place of birth or mother's maiden name • Collection of demographic data • . FERPA "Maintain" is not defined! Supreme Court: • "FERPA implies that education records are institutional records kept by a single central custodian, such as a registrar." • "The ordinary meaning of the word 'maintain' is 'to keep in existence or continuance; preserve; retain.'" Requires conscious decision on the part of the institution? E‐mail? Record? Directly related? • E‐mail address in the "to" or "from" line • Student name, address, ID number, or other identifying information (broadly defined) within the body of a message • Not every message will be personally identifiable, but do you really want to look? Maintained? • Messages residing in student accounts • Messages residing in faculty and staff accounts FERPA "A contractor, consultant, volunteer, or other party to whom an . institution has outsourced institutional services or functions may be considered a school official . provided that the outside party – • Performs an institutional service or function for which the agency or institution would otherwise use employees; • Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and • Is subject to the requirements . governing the use and redisclosure of personally identifiable information from education records." Data Security/Breach FERPA – student records HIPAA –medical records Gramm‐Leach‐Bliley – "financial" records PCI‐DSS –credit card records "Personal information" under a state data protection statute • Especially "personal information" about Massachusetts residents, wherever located . Data Security/Breach All have "safeguarding" requirements of varying degrees of intensity In general, must specifically require vendors to comply with them on your behalf by contract (not to mention monitor them as well) Who is responsible/liable in the event of a breach? E‐Discovery It's 3 a.m., and you've just received notice of a possible lawsuit. Do you know where your data is, and how to access it? It's your data, and ultimately your responsibility, regardless of where it's located Do you have ready access to it, and the tools you need to review and produce it? Patent Infringement Blackboard v. Desire2Learn Acacia Media Technologies v. The World Is your vendor willing to warrant that it actually owns what it's selling? URL Terms "This Agreement, and all documents referenced herein, is the parties' entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject. The terms located at a URL and referenced in this Agreement are hereby incorporated by this reference." Typically "as may be modified from time to time at vendor's sole discretion" . • Translation: "This document is meaningless" Responsibility for End Users Institution shall be responsible for ensuring that its users comply with the terms of this agreement (which is confidential, and which it therefore may not tell them about) Institution shall use its best efforts to ensure that its users comply with the terms of this agreement Institution shall use reasonable efforts to ensure that its users comply with the terms of this agreement Institution shall inform its users of their obligations under this agreement Institution shall not authorize its users to engage in actions that violate this agreement Vendor may establish reasonable rules of conduct for users Export Controls 1.7. Data Transfer. As part of providing the Service, Google may store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data. Service Level Agreements How much "uptime" do you need? • How many "9's" after the "99."? What is the penalty/remedy for violation? Suspension/Termination and Their Aftermath How fast, and for what reasons, can the vendor suspend or terminate service? Will you have time to make the necessary transition to another vendor? Will you have access to your data?