Cloud Computing Guidelines - DIGITAL TRANSFORMATION

Nov 3, 2013 (3 years and 8 months ago)

Assistant VP of IT

*Cloud Computing*
Some Guidelines

Kelly McDonald


Dec. 8, 2011

Off-Campus Clouds?


Contracted computing is not always a ‘cloud’


Blackboard Example


Most popular cloud computing example is Gmail


Might be processed in one of many Google Data Centers


Could be multi-tiered


Dropbox resides on Amazon’s S3 storage


ZeroPC leverages Dropbox for its data sharing functionality


Campus services will eventually utilize both on and off-campus cloud
components in a very seamless manner.


The major concern is the integrity of university data

The Information Security and Privacy Committee


Organized by the ERMCC in 2006


Chartered to advise them on information security
and privacy issues


Helped to reduce the Social Security Number
footprint in on-campus applications


Recommended the concept of a sensitive data
registry for tracking use


Most recently developing the framework for an
Information Security Program for campus use


Infosec.byu.edu

Guidelines for Cloud Computing


ISPC has been working on these documents for the
past 10 months


It is evident that there are degrees of concern,
based upon the level of university impact.


We are producing a set of guidelines to assist the
average faculty/staff/administrator in making wise
choices in how they use cloud services for their
individual work.


We are also producing a set of guidelines and a
questionnaire to help guide departmental transitions
into cloud service agreements.

Individual Cloud Computing …


Faculty want to:


Share files via Dropbox, Skydrive, etc.


Communicate with students via Facebook, Gmail, blogs,
etc.


Collaborate via Google Docs, wikis, etc.


Yet they are constrained by compliance with FERPA


Students must be permitted to inspect their own
educational records


Faculty may not disclose personally identifiable information


Other Issues:


License terms of cloud services


Reliability of cloud services


Larger Risks and Concerns…


Availability: The service provider should demonstrate that
they can maintain business continuity and deliver services
with minimal disruption, and that the data is properly backed
up.


Accessibility: Provisions should be made to ensure that
the university can recover data, should anything happen to
the cloud computing provider.


Security and Privacy: Data should be protected in
accordance with university policies, and privacy laws such as
FERPA, HIPAA, etc.


Compliance with Laws and Regulations: For
example, information subject to export controls should not be
located in other countries.

More Risks and Concerns…


Legal Concerns: Since cloud computing relationships are
governed by contract, there are items to be considered prior
to entering into an agreement, such as:


Data definition and use


Data ownership


Service level expectations and performance metrics


Liability concerns for breaches of data


Termination of service terms


General Cloud Guidelines …


Acquiring Cloud Computing Services


Will sensitive university information be stored or
processed?


How critical is the provided service to the business process
or academic activity?


If the service or data is not accessible during critical times,
would it create a significant hardship or financial loss?


Are there regulatory or contractual requirements that
govern the use or protection of the information? (data
privacy, export controls, human subjects research, etc.)


The ITPC has developed a Cloud Computing
Questionnaire, to assist departments during cloud
computing acquisition.

Guidelines cont’d…


Revise business procedures and practices to ensure
that cloud computing services are properly managed


Assess the specific risks


Define roles and responsibilities


Establish security procedures


Monitor the service to ensure that performance and
availability expectations are being met


Update your business continuity plans to properly reflect
the cloud computing service

The Movement is Inevitable…

“At a purely economic level, the similarities between electricity and
information technology are even more striking. Both are what
economists call general purpose technologies. Used by all sorts of
people to do all sorts of things, they perform many functions rather
than just one or a few. General purpose technologies, or GPTs, are
best thought of not as discrete tools but as platforms on which many
different tools, or applications, can be constructed. Compare the
electric system to the rail system. Once railroad tracks are laid, you
can pretty much do only one thing with them: run trains back and
forth carrying cargo or passengers. But once you set up an electric
grid, it can be used to power everything from robots in factories to
toasters on kitchen counters to lights in classrooms. Because they're
applied so broadly, GPTs offer the potential for huge economies of
scale - if their supply can be consolidated.”


The Big Switch: Rewiring the World, from Edison to Google, Nicholas Carr, Jan. 2008