Did you hear about the university professor who signed up for a cloud service and unknowingly left his department on the hook for two years of service beyond his grant... or the university that had more than 500,000 student records (social security, addresses and grades) hacked? Cloud computing poses special demands upon universities, which can no longer employ the same procurement process used to acquire computers and software since the 1980s.
Are you aware that today many Universities (and K12 School districts) use a popular email marketing program that sells contact information of students to vertical marketing firms who in turn re-sell them to other marketing and product companies?
Today’s aggressive marketplace and the business of cloud services have radically changed the procurement process. Many of us have a fiduciary duty to protect data of our students, research and institutions. Regardless of how students freely give away their data on Facebook, our institution will still be held responsible to protect all of our institution’s data.
My views on the impact of Cloud Computing in Higher Education have been slowly evolving. This past May I was given an incredible opportunity to further my learning by participating in an Engineering & Technology Short Course with the UCLA Extension.
Remember those “must-take classes” in college? UCLA’s Contracting for Cloud Computing Services is one on my list of those opportunities you cannot afford to ignore. My advice: Find your way to UCLA.
Again, I hope this can help as many people as possible understand the lessons taught in class. Due to the nature of the beast they are in no specific order. They are all top level concerns:
BACKGROUND
For over a generation traditional desktop PC vendors focused on features and price. Since the late 1980s schools established trust in vendors’ products to conduct business, educate students and store student data. From floppy disks to magnetic tape all data was stored locally on campus.
Today’s globalized internet marketplace is radically different when compared to the modem era of computing. The cloud computing model represents a number of fundamental shifts, and Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are well established.
And although it’s a bit ahead on the radar we should not overlook the quickly emerging SuperComputer as a Service. While there is no standard acronym, there are established vendors like SGI’s Cyclone, Amazon’s Cluster Compute and IBM’s Watson, and with the forthcoming merger between PiCloud and D-Wave’s quantum computing, more options for High Performance Computing will be available to many smaller, lean and aggressive institutions.
These new services are directly tied to the “consumerization” of technology: advanced technologies at affordable price points. As a result the new focus is around access. The shift to mobile computing via netbooks, smartphones and tablets is well underway, yet many schools do not have a sufficient wireless infrastructure. Students, faculty and administrators are today carrying a laptop, smartphone and probably an iPad. Schools are struggling to handle bandwidth demands of so many devices in concentrated areas around campus, from the Student Union to the ResHalls.
IMHO the tipping point with Cloud computing and digital devices is the convenience of access. Today many diverse schools have a campus community that simply demands anytime/anywhere access to data. And it’s no longer just email and web. It’s BIG data, from database research to the delivery of HD media. For better (or for worse) society has become trained to demand mobile solutions that easily integrate into the app economy and their mobile lifestyles.
As a result if anyone at your school contracts with a cloud vendor there is a really good chance you’re fundamentally altering the workflow of teaching, learning, research or administration. Welcome to the campus cloud:
SET THE TABLE
Your campus absolutely MUST gather the right team to approach contracting with cloud vendors. Include your technology, procurement and legal officers. Small colleges are not immune. If you are under the assumption that your small campus can purchase cloud services like software licenses, you’re dead wrong. You must come around on this issue.
Sorry to be blunt but the course revealed how small schools have already exposed student data without even knowing the risks. And while we understand a state university system like California (with over 425,000 students) can negotiate better deals due to their long tail than, say, a 400 student music college, we must all strive to protect the data of our students regardless of enrollment or endowment.
START WITH THE END IN MIND
As surprising as it sounded, consider each cloud vendor by their termination conditions. In today’s marketplace it’s easy to join and potentially difficult to leave. You can thank PR advertising for this one.
Please let me be clear: the FIRST thing to consider is to fully understand what happens to your data when you cancel your contract. Remember nothing lasts forever in today’s marketplace. I was more than surprised to learn how established vendors place totalitarian-like terms when you want to stop paying them. See below for a couple of examples.
THE CLOUD IS GLOBAL
Ask every potential cloud vendor where they store data. Due to the globalized internet you need to learn what regulations restrict your choices when vendors offshore your data. Don’t be surprised (again) that long time computing vendors have servers located and supported in “less-than-friendly” countries to the United States.
KEEP YOUR LAWYER ON RETAINER
Bill Miller was Frank Sinatra’s piano player for over 50 years. He was quoted as saying “Frank keeps me on a full–time retainer, just to be available.” A number of cloud contracts reviewed during class taught me how important your University’s attorney will be in modifying terms and conditions to protect your students and institution.
I found case studies where many long time computing vendors who now sell cloud services have placed terms into contracts that permit them to legally keep a copy of your data. How does that sit with you? Your lawyers MUST negotiate more favorable terms to protect your institution BEFORE you sign up for their service. Don’t put the cart before the horse.
As cloud vendors and their services continue to proliferate your procurement officer will be able to help direct requests for cloud services to the best contract based upon established terms and conditions that have proven successful.
BUYER BEWARE: STORM CLOUDS ARE ON YOUR HORIZON
Personally I see too many students, faculty and staff that view cloud computing as simply the “easy way” to get immediate access to cloud-based apps and services. I feel it’s critical for the institution (students, faculty, staff and executives) to understand the full implications of cloud services.
If your school believes placing the needs of students comes first in priority, then everyone on your campus must understand how student data and research can become “vulnerable” with the wrong cloud vendor.
MANAGE EXPECTATIONS
When you find an aggressive faculty/staff member demanding an immediate cloud solution who clearly does not understand all the implications (yes, we all have them) you must quickly work to educate, and more importantly — manage their expectations. A big challenge is working with seemingly impossible deadlines from colleagues who simply do not know the fast-changing business practices found on today’s global internet.
Once your team begins investigating cloud vendors your attorneys will be caught up in a series of communications (phone calls, emails and even face to face meetings) that can go on for weeks. Give your procurement and legal teams at least six months advance notice that you’re considering a cloud service. That’s right: 6 months. Nobody plans to fail – they fail to plan. Again, this process can be streamlined once your school contracts a credible cloud vendor.
EDUCATE YOUR CAMPUS ABOUT THE COMING PARADIGM SHIFT
Institutions have a fiduciary responsibility to inform their faculty and staff of pending changes in business workflow. Your campus must understand it cannot overlook a core component of cloud computing: your data is no longer touching servers on your campus. For some this is a big change — and as a rule — people do not embrace change.
How does this impact staff who take an iPad to a conference to present student data? Are ALL your digital devices secure against physical loss or theft via SCCM or an MDM solution? These shifts in workflow and tech support will take time getting used to... simply because we have all come to rely upon local, hardwired access to data for over a generation. Yes, change is hard.
SECURITY
The biggest difference between the desktop era and today’s mobility era is security. Companies, organizations and educational institutions are being required to address data security compliance. You may already be aware of these requirements:
Children’s Internet Protection Act (CIPA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
Federal laws and private industry regulations are forcing schools (not the cloud vendors) to protect data within their existing enterprise networks. This is now becoming very complex when you consider moving to a cloud service. Get your IT Security officer involved.
Does your school process credit card data online? Then you should be talking to your bank about PCI-DSS compliance in conjunction with your IT Security officer and Financial Auditor. Working to achieve compliance with PCI-DSS can be a bit draconian.
If you’re not documenting steps toward compliance your campus is at risk of financial penalties or bank-driven changes to your campus business practices. Consider the ripple effect of your school’s bank stopping the ability to process credit cards on campus. Yes, that risk.
Security requirements will dramatically shape future enterprise application rollouts as never before imagined in the PC era. Even PCI-DSS SAQ-D has compensating controls that may help secure your existing infrastructure. It’s definitely worth the read.
THE GOLDEN RULE
PCI-DSS is controlled by the credit card industry, primarily by Visa. While attending an August 2011 vendor PCI briefing I learned that as early as 2017 Visa (via PCI-DSS) will shift financial penalties from insurance companies directly to schools. Can your University handle a direct six-figure penalty due to a breach? Remember: he who has the gold makes the rules...
EVERY CLOUD VENDOR HAS A DARK SILVER LINING
For over 25 years I have watched computer vendors grow their business in the education market. Back in the days of modems the world focused on the features, enhancements and bug fixes.
This class has taught me to change how I look at every vendor’s modified terms and conditions before even considering product features and enhancements.
This class has forced a fundamental shift of thinking upon me. Take a look at these cloud vendors and consider how their terms and conditions impact student, research and institutional data on your campus:
Cisco’s Terms of Service: http://www.cisco.com/web/siteassets/legal/connect_cloud_supp.html
Cisco Connect Cloud Supplement
Note that this page is a supplement to the Cisco Privacy Statement. In order to understand the data collection and use practices relevant for a particular site or solution, you should read both the Cisco Privacy Statement and any applicable supplement.
The following describes our practices with respect to the Cisco Connect Cloud service, which includes any Cisco-authored apps that are part of this service (the “Service”).
Collection and Use of Information
In order to use the Service, you must register online at http://www.ciscoconnectcloud.com. As part of the registration process, we ask you to supply us with Personal Information, such as name, address and email address (collectively “Personal Information”). All of this Personal Information is used to process your registration, set up the Service, communicate with you about Service features and streamline future Service purchases. If you do not provide the requested Personal Information, you will not be able to access or use the Service.
As part of the Service registration process, you can also opt in to having your router product registration information sent to Cisco’s product registration database. This helps streamline the registration process for your router in the event you need to contact us for support, and saves you the extra step of having to register your router separately. You can also opt in to receiving marketing information about other Cisco products by email as part of the Service registration process.
When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); Internet history; how frequently you encounter errors on the Service system and other related information (“Other Information”). We use this Other Information to help us quickly and efficiently respond to inquiries and requests, and to enhance or administer our overall Service for our customers. We may also use this Other Information for traffic analysis (for example, determining when the most customers are using the Service) and to determine which features within the Service are most or least effective or useful to you. In addition, we may periodically transmit system information to our servers in order to optimize your overall experience with the Service. We may share aggregated and anonymous user experience information with service providers, contractors or other third parties to assist us with improving the Service and user experience, but any shared information will be consistent with Cisco’s overall Privacy Statement and will not identify you personally in any way. You may have the opportunity to opt in to receive tailored information about upcoming products and features of Cisco Connect Cloud that are specific to your network. For example, if you have a particular game console in your home network, Cisco could provide you with information about upcoming games or movies that play on that game console. If you do not opt in to receive tailored information, your version of Cisco Connect Cloud will provide you with generic information about upcoming features or products. Tailored or generic information will appear in a separate box within the Cisco Connect Cloud user interface. 
In addition, Cisco may collect and store detailed information regarding your network configuration and usage for the purpose of providing you technical networking support. The information is associated with you only when you provide a unique ID number to the support representative while you are receiving help. The unique ID is generated randomly on your computer upon installation and is completely under your control.
Access to and Accuracy of Your Personal Information
You can access and update your Cisco Connect Cloud profile by signing into your online account at http://www.ciscoconnectcloud.com.
Storage and Security of Personal Information
Our servers retain Personal Information such as the user’s name, country and email address, and other information uploaded, provided or created using certain Service features. In addition to the Service storing Personal Information, such Personal Information may also be stored on the computer utilized with the Service. If you use the Service from a public computer, such information may be stored on such public computer. Your Service password is stored in encrypted form. Other Personal Information is stored unencrypted on the computer. If you do not want your Personal Information to be available to other users on a public computer, do not use the Service on a public computer.
Third Party Developed Apps
The Service features apps that are developed by third parties. These apps may provide additional services that work within the Cisco Connect Cloud infrastructure, such as providing enhanced parental controls, media players and viewers and network status monitoring. In order to use these apps within the Cisco Connect Cloud infrastructure, you must provide your Cisco Connect Cloud log in credentials (email address and password) when you launch the app. This log in information is only used to authenticate you as a Cisco Connect Cloud user and is not kept or stored by the third party in any way.
If you do not provide the requested log in information, you will not be able to use the app as part of the Service. Some of these third party developed apps may provide the third party with information about your network or devices in your network or what media you are using or downloading. For some apps, if you use the app in the manner intended, sharing between the Service and the third party will be required. For example, if you download a media app, the Service will need to share information with the third party about what media content you have in your home network, or if you download a parental control app, the Service will need to share information with the third party about what devices are inside your home network. Cisco sees a benefit to enabling third party developers to offer these apps to you to enhance your use of the Service, but we will only provide information relating to your home network to a third party if you have consented to such sharing. Opt-in consent will be required for any sharing of information about your home network with a third party. This consent will require you to authorize the app to use your Service account as part of the app download process. You should also review and familiarize yourself with the privacy policies of any third party company that provides apps for this Service.
Future Features and Services
Cisco Connect Cloud software is updated from time to time to provide additional features, address technical issues, and generally make your user experience better. We may add to or upgrade the Service to provide you with new features on an ongoing basis. We may also make available new services in the future. New services provided by third parties or service providers will be governed by the privacy policies of the respective third party or service provider.
The Service automatically checks for updates to the firmware/software to help keep your network running at a peak performance and provides alerts as to the latest firmware/software. The auto-update feature offers the ability to download the next available version in the background. Cisco Connect Cloud offers the auto-update feature by default, but you can change your auto-update options by changing your settings within Cisco Connect Cloud. By leaving the auto-update feature as a default, however, you will avoid disruption to your home network and overall Internet connectivity. In some cases, in order to provide an optimal experience on your home network, some updates may still be automatically applied, regardless of the auto-update setting.
Other
When you use Cisco Connect Cloud, you are subject to the applicable End User License Agreement and Terms of Service, as well as the overall Cisco Privacy Statement. Please see Support if you have questions about this service.
READ MORE ABOUT IT:
Six biggest breaches of 2012 so far:
http://bostinno.com/channels/6-biggest-breaches-of-2012-so-far/
College Data Breaches Underscore Security Challenges:
http://www.eweek.com/c/a/Security/College-Data-Breaches-Underscore-Higher-Ed-Security-Challenges-174782/
Many corporations that are under mandate by the SEC to report cybercrime do not, fearing the PR damage:
http://www.federalnewsradio.com/523/2923811/Cybercrime-disclosures-rare-despite-new-SEC-rule
K12 School district security breach at the Eugene School District in Oregon:
http://www.cr80news.com/2012/06/13/school-district-security-breach-affects-15-500-students
Outside of what regulators may fine an organization there seems to be no shortage of lawsuits that result from security breaches: LinkedIn sued for $5 million over data breach: More than six million stolen passwords turned up on websites frequented by hackers.
Hope this strikes a chord with you, triggers a conversation on your campus and in some small way preps you and your campus for the cloud. I have found some clouds are indeed storm clouds and the forecast should be avoided at all costs.
2 replies on “University cloud computing contracts”
Hi, Don,
This article is information-filled! What a terrific reference for personnel at all levels of academic leadership as they venture into the world of cloud computing!
As I read your post, I was most gratified to learn from your tips about the issues most likely to cause long-term institutional grief. For example, you emphasized the need for the university’s legal team to predetermine the ramifications of contract cancellation. This one tip could save hours of misery for countless educators who are less vigilant. The strength of this post lies in the depth of information provided on the many facets of complexity and responsibility involved before stepping into cloud computing. Your message is valuable, I think: “Clear the haze before leaping into the cloud!”
After rereading the post, I walk away with a clear understanding that schools must “step up” to higher levels of responsibility for protecting school data. This realization comes slowly and reluctantly to many educational institutions. We’ve been collectively naive and complacent in trusting vendors to secure our networks and our data for too long. You make it clear that we no longer have the luxury of allowing vendors (business) to cater to our child-like need for protection. It is time to step up. Thank you for helping us take note, Don!
Beth Holmes
[…] touches on the very important component of Procurement. Procurement and Cloud contract solutions taught by UCLA has been very beneficial to my cloud projects. My own contributions to migrate a […]