Rodney Petersen –EDUCAUSE Steven J. McDonald –Rhode Island ...
Transcript of Rodney Petersen –EDUCAUSE Steven J. McDonald –Rhode Island ...
Partly Cloudy?What a CBO Should Know about Cloud Computing
Rodney Petersen – EDUCAUSESteven J. McDonald –Rhode Island School of Design
Alternative IT Sourcing StrategiesThe range of options institutions have for providing technology services or operating technology functions aside from doing these things themselves. It includes traditional outsourcing of all or part of the IT organization, accessing externally managed applications, development environments, or hardware via the Internet, and support from consortia (e.g., open source).
Survey: IT Services Sourcing – November 2008
EDUCAUSE Center for Applied Research (ECAR)
Sourcing IT in Higher Education
College/Departmental Infrastructure
Central IT Infrastructure
Shared Higher Education Infrastructure
Third Party Infrastructure
Cloud Computing (Gartner)
". . . a style of computing where massively scaleable IT‐enabled capabilities are delivered 'as a service' to external customers using Internet technologies."
Gartner, Inc.
Cloud Computing (Berkeley)Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. The services themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware and software is what we will call a Cloud. When a Cloud is made available in a pay‐as‐you‐go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing. We use the term Private Cloud to refer to internal datacenters of a business or other organization, not made available to the general public. Thus, Cloud Computing is the sum of SaaS and Utility Computing, but does not include Private Clouds.
Above the Clouds: A Berkeley View of Cloud ComputingFebruary 10, 2009
Software as a Service (SaaS)Delivery Platforms• Managed hosting – contracting with hosting provider to host or
manage an infrastructure (IBM, OpSource)• Cloud computing – using an on‐demand cloud‐based infrastructure to
deploy an infrastructure or applications (Amazon Elastic Cloud)Development Platforms• Cloud computing – using an on‐demand cloud based development
environment to provide a general purpose programming language (Bungee Labs, Coghead)
Application‐led Platforms• SaaS applications – using platforms of popular SaaS applications to
develop and deploy application (Salesforce.com, NetSuite, Cisco‐Webex)2
Cloud Computing in Higher EducationRichard Katz, Phil Goldstein, and Ron Yanosky
Why Cloud Computing is Appealing
Cost
Consumerization of IT
Scalability and availability of services
Sustainability or green IT
Enabling the CloudEconomic ValueFull connectivityOpen AccessReliabilitySecurityPrivacyInteroperability and User ChoiceSustainability
Envisioning the Cloud: The Next Computing ParadigmMarketspace Point of View (March 20, 2009)
Public Policy"If, as argued, cloud computing represents a potentially transformative democratization of technology by making the same computing power available to individuals and small‐ and medium‐sized businesses that the largest enterprises enjoy, elected officials have the opportunity to help deliver its enormous benefits to the full diversity of their constituents."
Envisioning the Cloud: The Next Computing ParadigmMarketspace Point of View (March 20, 2009)
Let's Make a DealAll of the things that you have to worry about when you do it, they should be worrying about when they do itBut it may not be in their business modelOr they may not even be aware of itTrust, but verifyIgnore:• "No one's ever complained about that before"• "We can't do that – it's 'free'"
Contracts 101: What Doesn't It Take to Make a Contract?
A negotiation• Non‐negotiable forms (like EULAs) are still enforceable• Courts will strike out terms of non‐negotiable contracts only if they are "unconscionable"
A written document (usually)A written document that is consistent with your negotiationsA written document that you have readA signature (usually)Terms that are "fair" and "reasonable"All that matters is that you have "manifested your mutual assent" to the contract
Legal (and Contractual)Issues to Watch Out For
FERPA/Privacy/Confidentiality
Data security and data breach responsibilities
E‐discovery
Patent infringement
Incorporated URL terms that are modifiable at will
Responsibility for end users
Export controls
Service level agreements
Suspension/Termination and their aftermath
Warranties (and lack thereof)
Indemnification (both ways)
Choice of law and jurisdiction
FERPA
"'Education records' . . . means those records that are:
(1) Directly related to a student; and
(2) Maintained by an educational agency or institution or by a party acting for the agency or institution"
FERPA
"'Education records' . . . means those recordsthat are:
(1) Directly related to a student; and
(2) Maintained by an educational agency or institution or by a party acting for the agency or institution"
FERPA
"'Record' means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche"
FERPAIn general, a record is "directly related" to a student if it contains "personally identifiable information" about that student (broadly defined), including:
• Name• Address• ID number• Biometric identifier• Indirect identifier such as date or place of birth or
mother's maiden name• Collection of demographic data• . . .
FERPA"Maintain" is not defined!Supreme Court:• "FERPA implies that education records are institutional records kept by a single central custodian, such as a registrar."
• "The ordinary meaning of the word 'maintain' is 'to keep in existence or continuance; preserve; retain.'"
Requires conscious decision on the part of the institution?
E‐mail?
Record?Directly related?• E‐mail address in the "to" or "from" line• Student name, address, ID number, or other identifying information (broadly defined) within the body of a message
• Not every message will be personally identifiable, but do you really want to look?
Maintained?• Messages residing in student accounts• Messages residing in faculty and staff accounts
FERPA"A contractor, consultant, volunteer, or other party to whom an . . . institution has outsourced institutional services or functions may be considered a school official . . . provided that the outside party –• Performs an institutional service or function for which the agency or institution would otherwise use employees;
• Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
• Is subject to the requirements . . . governing the use and redisclosure of personally identifiable information from education records."
Data Security/Breach
FERPA – student records
HIPAA – medical records
Gramm‐Leach‐Bliley – "financial" records
PCI‐DSS – credit card records
"Personal information" under a state data protection statute• Especially "personal information" about Massachusetts residents, wherever located . . .
Data Security/Breach
All have "safeguarding" requirements of varying degrees of intensity
In general, must specifically require vendors to comply with them on your behalf by contract (not to mention monitor them as well)
Who is responsible/liable in the event of a breach?
E‐Discovery
It's 3 a.m., and you've just received notice of a possible lawsuit. Do you know where your data is, and how to access it?
It's your data, and ultimately your responsibility, regardless of where it's located
Do you have ready access to it, and the tools you need to review and produce it?
Patent Infringement
Blackboard v. Desire2Learn
Acacia Media Technologies v. The World
Is your vendor willing to warrant that it actually owns what it's selling?
URL Terms
"This Agreement, and all documents referenced herein, is the parties' entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject. The terms located at a URL and referenced in this Agreement are hereby incorporated by this reference."
Typically "as may be modified from time to time at vendor's sole discretion" . . . .• Translation: "This document is meaningless"
Responsibility for End UsersInstitution shall be responsible for ensuring that its users comply with the terms of this agreement (which is confidential, and which it therefore may not tell them about)Institution shall use its best efforts to ensure that its users comply with the terms of this agreementInstitution shall use reasonable efforts to ensure that its users comply with the terms of this agreementInstitution shall inform its users of their obligations under this agreementInstitution shall not authorize its users to engage in actions that violate this agreementVendor may establish reasonable rules of conduct for users
Export Controls
1.7. Data Transfer. As part of providing the Service, Google may store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data.
Service Level Agreements
How much "uptime" do you need?• How many "9's" after the "99."?
What is the penalty/remedy for violation?
Suspension/Terminationand Their Aftermath
How fast, and for what reasons, can the vendor suspend or terminate service?
Will you have time to make the necessary transition to another vendor?
Will you have access to your data?• In what format, and for how long?
Warranties
"VENDOR MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, AND NONINFRINGEMENT."
Translation: "Abandon all hope, ye who enter here"
Indemnification
By you for actions of users• Employees and agents vs. students
By vendor for patent infringement, data breach, breach of agreement, and general negligence• Make sure it's not undermined by the (lack of) warranty clause
• Beware limitation of liability to refund of fees paid
Choice of Law and Jurisdiction
Yours v. theirs
Limitations on state institutions
Delete it and defer the argument till later
Suit must be filed in defendant's jurisdiction
Finally . . .
Your lawyer really isn't trying to botch the deal for you by raising these issues
You're paying him or her to be a professional pessimist, for your protection
If it's not in the contract, it's not enforceable, no matter what the salesman said
Ultimately, much of this is a question of risk management, and you make the call!