Cloud 101 Workshop at EDUCAUSE Recap
At the EDUCAUSE Conference last month in Indianapolis, my colleague Khalil Yazdi and I led a workshop designed to help higher education community members assess cloud services for their campuses. The preconference session, “Cloud 101: Tools and Strategies for Evaluating Cloud Services,” aimed to engage participants in discussion about the various factors to consider in selecting cloud services. In particular, the seminar introduced the technical, legal, risk management, security, and compliance considerations that campus IT executives and practitioners may want to weigh as they move to the cloud.
We began the session by posing questions to the group, asking them to identify first what they found attractive about cloud services and then what their concerns about cloud services were. Our hunch in starting out this way, which was soon confirmed, was that the appeal or promise of cloud services actually mirrored many of the risks or concerns. For instance, participants identified security as part of the appeal of cloud, and cited the resources and ability of large-scale commercial providers to secure their infrastructure and services as an important advantage. Even campuses with robust IT security offices rely upon a single person or team, whereas commercial cloud service providers have dozens or hundreds of people devoted to security 24 hours a day, 365 days per year. Conversely, the participants also agreed security was a key concern with respect to cloud services, but it became apparent through the discussion that the wariness centered on understanding and evaluating the security and risks of a service, as well as ensuring it would be properly configured and that end users would be prevented from inadvertently or intentionally causing problems.
Our presentation introduced key concepts related to cloud services, such as the definition according to NIST and the framework they developed for understanding the various elements of effective cloud service delivery. The NIST Framework is especially useful because it can be applied to IT services delivered on campus as well as those that would be traditionally associated with commercial cloud offerings. Understanding the framework pushes us toward “cloud” as a mindset and a set of practices and considerations for doing IT work, rather than a vague and indeterminate description of where the service is run.
For the remainder of the seminar, we covered at a high level some of the key tools for analyzing and understanding security related to cloud services, in particular the Cloud Controls Matrix and how it differs from third-party audits like the SOC 2. We also presented some sample (anonymized) snippets from actual cloud service agreements in use in higher education, including some standard “click-through” terms, university-developed templates, and some developed through the Internet2 NET+ program by groups of universities negotiating together. Each had strengths and weaknesses, which we outlined and discussed with the group. Our aim was to demonstrate the importance of becoming knowledgeable about cloud contracts and the ways in which the legal agreements form the linchpin of a successful cloud service implementation.
By the end of our half-day workshop, I believe that we developed a consensus among the nearly 50 participants representing a range of campuses about the key issues at stake for the higher education community in considering cloud services for their campuses.
I hope we can continue the conversations from the workshop, and we invite feedback from community members who would be interested in participating in similar events in the future. Mark your calendars, as I will be presenting on cloud services at the EDUCAUSE Connect conferences in Denver and Miami next year with community members.
Contact me with any questions you have, or to share insight about the work your university is doing in considering or implementing cloud services.