Director's Blog
Cloud computing

Universities everywhere are seeing pressure to adopt “cloud computing” services.  Cloud computing is a general class of application, also called “Software As A Service (SAAS)”, where a third-party vendor offers a web-based application service instead of a traditional desktop-based application.  An example that everyone is familiar with is gmail–to use gmail, you don’t need to install anything on your computer except a web browser.  The service is fully portable (you can get it from anywhere), it usually lacks platform dependencies, and in most cases it’s free or very inexpensive.  Google is offering universities the option to use gmail for their student email at no cost to the institution; on its surface, that option looks very attractive.  Google has a number of other cloud-based services, notably Google Docs, which offer great functionality at no or low cost.  Microsoft, Yahoo, and Amazon also offer cloud-based services, and a number of smaller vendors, such as Salesforce.com (more on Salesforce below) offer more targeted applications via cloud infrastructure.

So what’s the downside?  The reason it’s called cloud computing is that the application and the data have no specific location; the servers can be located anywhere in the world, and data backup is handled by storing data in multiple locations.  The problem this causes is that there’s very little control over what happens to data stored in the cloud; when we have legal or policy requirements to protect data security or privacy, it is often difficult or impossible to get assurances from vendors that the data will be handled according to our requirements.  This can put us at risk for audits or lawsuits.

The campus is now providing guidance on outsourcing.  The key part of the new policy is:

Before “sourcing” your technology offsite — campus individuals, departments, managers, and support staff must consider risks to the following:

• privacy and confidentiality of personal, sensitive, or restricted information
• availability of business data and electronic communications (e.g. backup retrieval, evidence for legal disputes)
• cyber security and support for forensics
• access to records in the event a company is acquired or goes out of business

When you process, store, or otherwise use University information (including information about colleagues, research subjects, correspondents, customers, etc.) in an off-campus site, legal and business consequences need to be expertly reviewed, documented in writing, and must be accepted or modified by an authorized individual for your department or the Campus.

The standard agreements a user might click through to sign up for a free service normally do not provide protection to the university in these areas–in fact, they usually explicitly waive our rights to protection and indemnify the vendor from harm.  It is important to consider the implications of conducting university business through cloud services.

That being said, the services offered are in some cases compelling, and the campus is interested in enabling access to them.  One example is the new agreement we’ve signed with Salesforce.com.

Salesforce is a company that started out providing Customer Relations Management (CRM) software as a cloud service, but now has expanded to offer a development platform where organizations and third parties can build applications related to tracking information about customers.  IST is deploying Salesforce to start keeping track of all of its customers–with any luck, their implementation will lead to a better shopping cart and better billing system.  Departments might be interested in using Saleseforce to track alumni, or current students.  LSCR will consider whether it makes sense for us as well.

The agreement the campus has signed verifies that Salesforce meets our criteria for data protection and liability.  Departments who want to try it out can sign on to the umbrella agreement and know they’re within campus policy and recommended practice.  I’m hoping to see similar agreements in the future for Google and other cloud vendors.  For now, if you have interest in using cloud services for university business, feel free to contact me for guidance.