1 / 34

Partly Cloudy? What a CBO Should Know about Cloud Computing

Partly Cloudy? What a CBO Should Know about Cloud Computing. Rodney Petersen – EDUCAUSE Steven J. McDonald – Rhode Island School of Design. Alternative IT Sourcing Strategies.

penn
Download Presentation

Partly Cloudy? What a CBO Should Know about Cloud Computing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Partly Cloudy?What a CBO Should Know about Cloud Computing Rodney Petersen – EDUCAUSE Steven J. McDonald – Rhode Island School of Design

  2. Alternative IT Sourcing Strategies The range of options institutions have for providing technology services or operating technology functions aside from doing these things themselves. It includes traditional outsourcing of all or part of the IT organization, accessing externally managed applications, development environments, or hardware via the Internet, and support from consortia (e.g., open source). Survey: IT Services Sourcing – November 2008 EDUCAUSE Center for Applied Research (ECAR)

  3. Sourcing IT in Higher Education College/Departmental Infrastructure Central IT Infrastructure Shared Higher Education Infrastructure Third Party Infrastructure

  4. Cloud Computing (Gartner) ". . . a style of computing where massively scaleable IT‐enabled capabilities are delivered 'as a service' to external customers using Internet technologies." Gartner, Inc.

  5. Cloud Computing (Berkeley) Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. The services themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing. We use the term Private Cloud to refer to internal datacenters of a business or other organization, not made available to the general public. Thus, Cloud Computing is the sum of SaaS and Utility Computing, but does not include Private Clouds. Above the Clouds: A Berkeley View of Cloud ComputingFebruary 10, 2009

  6. Software as a Service (SaaS) Delivery Platforms Managed hosting – contracting with hosting provider to host or manage an infrastructure (IBM, OpSource) Cloud computing – using an on‐demand cloud‐based infrastructure to deploy an infrastructure or applications (Amazon Elastic Cloud) Development Platforms Cloud computing – using an on‐demand cloud based development environment to provide a general purpose programming language (Bungee Labs, Coghead) Application-led Platforms SaaS applications – using platforms of popular SaaS applications to develop and deploy application (Salesforce.com, NetSuite, Cisco‐Webex)2 Cloud Computing in Higher Education Richard Katz, Phil Goldstein, and Ron Yanosky

  7. Why Cloud Computing is Appealing Cost Consumerization of IT Scalability and availability of services Sustainability or green IT

  8. Enabling the Cloud Economic Value Full connectivity Open Access Reliability Security Privacy Interoperability and User Choice Sustainability Envisioning the Cloud: The Next Computing ParadigmMarketspace Point of View (March 20, 2009)

  9. Public Policy "If, as argued, cloud computing represents a potentially transformative democratization of technology by making the same computing power available to individuals and small- and medium-sized businesses that the largest enterprises enjoy, elected officials have the opportunity to help deliver its enormous benefits to the full diversity of their constituents." Envisioning the Cloud: The Next Computing Paradigm Marketspace Point of View (March 20, 2009)

  10. Let's Make a Deal All of the things that you have to worry about when you do it, they should be worrying about when they do it But it may not be in their business model Or they may not even be aware of it Trust, but verify Ignore: "No one's ever complained about that before" "We can't do that – it's 'free'"

  11. Contracts 101: What Doesn't It Take to Make a Contract? A negotiation Non-negotiable forms (like EULAs) are still enforceable Courts will strike out terms of non-negotiable contracts only if they are "unconscionable" A written document (usually) A written document that is consistent with your negotiations A written document that you have read A signature (usually) Terms that are "fair" and "reasonable" All that matters is that you have "manifested your mutual assent" to the contract

  12. Legal (and Contractual)Issues to Watch Out For FERPA/Privacy/Confidentiality Data security and data breach responsibilities E-discovery Patent infringement Incorporated URL terms that are modifiable at will Responsibility for end users Export controls Service level agreements Suspension/Termination and their aftermath Warranties (and lack thereof) Indemnification (both ways) Choice of law and jurisdiction

  13. FERPA "'Education records' . . . means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution"

  14. FERPA "'Education records' . . . means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution"

  15. FERPA "'Record' means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche"

  16. FERPA In general, a record is "directly related" to a student if it contains "personally identifiable information" about that student (broadly defined), including: Name Address ID number Biometric identifier Indirect identifier such as date or place of birth or mother's maiden name Collection of demographic data . . .

  17. FERPA "Maintain" is not defined! Supreme Court: "FERPA implies that education records are institutional records kept by a single central custodian, such as a registrar." "The ordinary meaning of the word 'maintain' is 'to keep in existence or continuance; preserve; retain.'" Requires conscious decision on the part of the institution?

  18. E-mail? Record? Directly related? E-mail address in the "to" or "from" line Student name, address, ID number, or other identifying information (broadly defined) within the body of a message Not every message will be personally identifiable, but do you really want to look? Maintained? Messages residing in student accounts Messages residing in faculty and staff accounts

  19. FERPA "A contractor, consultant, volunteer, or other party to whom an . . . institution has outsourced institutional services or functions may be considered a school official . . . provided that the outside party – Performs an institutional service or function for which the agency or institution would otherwise use employees; Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and Is subject to the requirements . . . governing the use and redisclosure of personally identifiable information from education records."

  20. Data Security/Breach • FERPA – student records • HIPAA – medical records • Gramm-Leach-Bliley – "financial" records • PCI-DSS – credit card records • "Personal information" under a state data protection statute • Especially "personal information" about Massachusetts residents, wherever located . . .

  21. Data Security/Breach All have "safeguarding" requirements of varying degrees of intensity In general, must specifically require vendors to comply with them on your behalf by contract (not to mention monitor them as well) Who is responsible/liable in the event of a breach?

  22. E-Discovery It's 3 a.m., and you've just received notice of a possible lawsuit. Do you know where your data is, and how to access it? It's your data, and ultimately your responsibility, regardless of where it's located Do you have ready access to it, and the tools you need to review and produce it?

  23. Patent Infringement Blackboard v. Desire2Learn Acacia Media Technologies v. The World Is your vendor willing to warrant that it actually owns what it's selling?

  24. URL Terms • "This Agreement, and all documents referenced herein, is the parties' entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject. The terms located at a URL and referenced in this Agreement are hereby incorporated by this reference." • Typically "as may be modified from time to time at vendor's sole discretion" . . . . • Translation: "This document is meaningless"

  25. Responsibility for End Users Institution shall be responsible for ensuring that its users comply with the terms of this agreement (which is confidential, and which it therefore may not tell them about) Institution shall use its best efforts to ensure that its users comply with the terms of this agreement Institution shall use reasonable efforts to ensure that its users comply with the terms of this agreement Institution shall inform its users of their obligations under this agreement Institution shall not authorize its users to engage in actions that violate this agreement Vendor may establish reasonable rules of conduct for users

  26. Export Controls 1.7. Data Transfer. As part of providing the Service, Google may store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data.

  27. Service Level Agreements • How much "uptime" do you need? • How many "9's" after the "99."? • What is the penalty/remedy for violation?

  28. Suspension/Terminationand Their Aftermath • How fast, and for what reasons, can the vendor suspend or terminate service? • Will you have time to make the necessary transition to another vendor? • Will you have access to your data? • In what format, and for how long?

  29. Warranties "VENDOR MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, AND NONINFRINGEMENT." Translation: "Abandon all hope, ye who enter here"

  30. Indemnification • By you for actions of users • Employees and agents vs. students • By vendor for patent infringement, data breach, breach of agreement, and general negligence • Make sure it's not undermined by the (lack of) warranty clause • Beware limitation of liability to refund of fees paid

  31. Choice of Law and Jurisdiction Yours v. theirs Limitations on state institutions Delete it and defer the argument till later Suit must be filed in defendant's jurisdiction

  32. Finally . . . Your lawyer really isn't trying to botch the deal for you by raising these issues You're paying him or her to be a professional pessimist, for your protection If it's not in the contract, it's not enforceable, no matter what the salesman said Ultimately, much of this is a question of risk management, and you make the call!

  33. Questions and Discussion

More Related