Prepared for Campus IT Directors (CITD) by the Cloud Services Working Group
- Executive Summary
- Cloud Services Working Group
- Guiding Principles
- General Considerations
- Business Process Analysis
- Risk Management
- IT Governance
- Staffing and Skills for Cloud Initiatives
- Other Considerations
- Reaping the Advantages
- Support Considerations
- Infrastructure as a Service
- Appendix 1: Data Security
- Appendix 2: Additional Readings
- Appendix 3: Selected Relevant NC State PRRs (Policies, Regulations and Rules)
- Cloud Services at NC State: Recommendations and Checklist for Prospective Users
- Cloud Services at NC State: Recommendations for Governance
When the university and its constituents consider the adoption of any IT service, there are certain guiding principles that apply to the decision. For example, security, accessibility, and economic concerns must be addressed. In the case of cloud services, there are additional considerations, and the usual ones may require additional thought.
In this report, we offer guidelines for the specification, adoption and use of cloud services by university units, faculty and staff.
The report includes:
- Guidance for analyzing business processes and practices
- Explanation of considerations for security, risk management, and legal issues
- Discussion of the role of IT governance with cloud computing
- Suggestions for managing support and staffing issues
- Considerations for the adoption of Infrastructure as a Service
Recommendations to IT governance include:
- Defining a group responsible for maintaining these guidelines and for providing assistance to campus users who are considering cloud solutions
- Creation of a campus-wide service catalog
- The development of an overall cloud strategy for NC State through IT governance
- The use of IT governance for communication about cloud adoption and issues
Recommendations to prospective cloud users include:
- Communicate early and often with IT staff about interest in cloud services
- Become familiar with the considerations in this report
- Be prepared for change
- Take advantage of IT governance for communication and coordination
- Think about security
- Debbie Carraway, Coordinator
- Everette Allen
- Charles Cline
- Bill Coker
- Leslie Dare
- Danny Davis
- Dan Deter
- Josh Gira
- Dan Green
- Damon Armour
- Greg James
- Greg Kraus
- Harry Nicholos
- Sarah Noell
- Aaron Peeler
- Ron Reed
- Henry Schaffer
- Eric Silberberg
It is relatively easy to acquire many cloud services – they may be free, or available at low cost, perhaps requiring only a university purchase card. Consequently, it is also relatively easy to overlook the impact to the purchaser and the university that the adoption of a given cloud service may have.
This report provides guidelines and raises issues that should be considered by any university unit, faculty or staff member who is thinking of adopting a cloud solution for use at NC State. While some of the material is most obviously applied to larger-scale acquisitions that involve contract negotiations, the fundamental considerations in each section apply to any cloud service, even smaller, seemingly innocuous ones.
When we talk about “the cloud,” we are generally referring to public cloud services. These are computing services that are provided over the Internet by third parties to the public at large. Examples include the familiar G Suite and Amazon Web Services, as well as cloud services meeting more specific needs, such as grade books, quiz and assessment applications, blogging sites, project management tools, data analytics resources, or customer relationship management software.
The usual motivations for “moving to the cloud” are to get a service or feature set which is not available locally, or to get a service more economically than doing it locally. Cloud solutions are available that may benefit many segments of the NC State community. From research and academics to administration, from individual faculty to the professional and business community on campus, a cloud solution may answer a need that is not met on campus.
However, it is important to note that just because a cloud solution is available, it is not necessarily the best solution. When choosing any solution, there are things to consider beyond cost. Some factors require particular attention when the solution being considered is in the cloud rather than on-premises. The sections that follow describe these considerations.
The report concludes with a set of recommendations to NC State governance bodies regarding needed resources and next steps.
The guidelines given in this document emerge from a set of guiding principles:
Alignment with NC State IT Strategic Plan
Significant investments in cloud services should be consistent with the goals and objectives of the NC State IT Strategic Plan.
The University’s reputation must be protected through appropriate risk management.
The University’s data and resources must be protected.
The privacy of the university’s data must be maintained, and individuals must be protected from the disclosure of private information.
University units and users must ensure that a cloud solution is indeed suitable for the purpose for which it is intended.
It is essential that any selected cloud service is compliant with applicable laws, regulations, university policies, and other legal requirements.
All costs for the cloud service must be identified, and should be balanced against the costs of providing the service on-premises.
All cloud services must comply with NC State’s accessibility regulations, and accessibility should be a consideration in service evaluation and selection.
Selecting a cloud solution requires the careful consideration of what is needed, what is already available, what should be made available, and how such a solution can be leveraged for the common good.
- First step: gather your requirements.
The first step in deciding whether a cloud solution is appropriate is to gather your requirements and perform a needs-based assessment and evaluation. Without a clear description of the desired service, it will be impossible to perform a reasoned evaluation and comparison among cloud solutions and any locally available services.
- Is a similar service or feature available on campus?
Before adopting a cloud solution, campus units and users should determine whether there are on-campus services that provide the needed functionality at a competitive cost. A service may be provided through a central resource, such as OIT, or through another NC State unit. If the service is already provided on campus, is there a compelling reason for duplicating the service in the cloud? Or, will it be more cost-effective to replace the local services with the cloud version?
- Should campus start offering the feature or service?
If the service or feature set is not available on campus, then before moving to the cloud solution a determination needs to be made whether it makes more sense to go to a hosted cloud solution or to start providing the service on campus, whether centrally or in the units. Factors include costs (initial, ongoing, and refresh costs), the amount of staff effort and the particular skills required for setup and ongoing support, strategic alignment, and anticipated growth or future use, among others.
- Consider collaboration and common use.
If a cloud solution seems to be the best solution, then it is time to look at whether other units on campus are also considering a similar solution, and whether these individual efforts can be consolidated. The NC State IT governance process can be used to facilitate such collaborations. While the cloud may be more economical than locally provided services, further economies are often available via sharing in a larger group purchase.
Cloud solutions offer many potential benefits to NC State as a whole, as well as to individual units. To realize these benefits, a thorough analysis needs to be performed to determine that a cloud solution is the best fit, is not an unnecessary duplication of an existing service, and that the considerations in the other sections of this report have been addressed. There is great benefit when potential users of similar services work together to make the best possible use of the cloud solution.
Cloud solutions can offer an opportunity to improve business processes and provide low-cost models that offer rapid deployment with minimal upfront cost. A business impact analysis is useful when evaluating the resources, time, and costs that are required to implement and maintain the cloud solution and its dependencies on other systems and services. In addition to the key sections outlined elsewhere in this document, review the following topics when evaluating the business process improvements offered by a cloud solution.
Understand and document your requirements in relation to how the cloud solution will be integrated into your existing business processes. Adjust the degree and time expended on requirements gathering based upon the criticality and complexity of the business processes impacted by the potential cloud solution. Establishing clear and measurable objectives and timelines will help ensure expectations are met. Because public cloud offerings are not generally easily customized to correct accessibility problems, it is important to consider accessibility well before the cloud service is selected.
- Input dependencies
Evaluate any reliance that the potential cloud solution may have on existing systems or applications that are required for the service to function. Integration with, or dependencies upon, existing legacy systems or data significantly increases the complexity and risk of implementing and maintaining a cloud solution, and this must be taken into account.
- Output dependencies
Evaluate any ‘downstream’ dependencies that other services, systems, or applications may have on the potential cloud solution. Output dependencies may take the form of reports, dashboards, and data feeds that have specific formats, transmission or data structure requirements.
- Stakeholder Expectations
Evaluate and communicate impact, risks, advantages, disadvantages, status, and expected timelines to internal and external customers and administrators that interact with the existing or proposed system.
- Manage Scope
Before implementation, it is important to establish reasonable timelines, expectations and milestones. After a solution has been implemented and is seen to be working satisfactorily, there is often a tendency, based on familiarity and the prospect of obtaining additional significant benefits, to extend the scope of services obtained from a particular cloud solution. As the cloud solution satisfies more complicated business needs, reliance upon that particular service offering or vendor increases. Diligence is required in order to manage the scope and the reliance on a particular vendor.
- Operational Continuity
Differences in change management may impact business practices. Cloud providers generally make changes to the service on their own schedules, will not coordinate these changes with NC State, and may not provide advance notification. These changes could disrupt existing business practices if they involve differences in product functionality or processes. It is important to understand the provider’s change policies and notification schedules, and to assess the degree of flexibility in the business practice and the users’ tolerance for change.
- Consider All Costs
Consider all costs associated with the cloud solution, not just its initial purchase cost. Obtain a full and complete picture of current, recurring and exit costs associated with the solution. Consider one-time or implementation costs, periodic maintenance costs, and transaction costs as the solution scales to fill additional needs. As reliance on a particular vendor or solution increases, it is important to recognize that it may become more difficult to change providers in the future, as well as to negotiate favorable pricing structures. While costs are always a factor in service selection, cloud services can present a particular challenge: dynamic usage, and costs for transactions that are not normally part of an on-premises cost model, must be considered. Cloud services are not necessarily less expensive than on-premises solutions. As a strategic direction, the university must consider capital and operational costs, and determine whether a comprehensive cloud sourcing strategy is warranted.
- Business Impact on Development Lifecycle
Consider the potential impact on overall processes related to application development, testing and production rollout. While development in and of itself may not change with a cloud implementation, testing may result in a new set of issues. If the application needs to be interconnected with on-premises systems or data, or even other cloud systems, additional integration development and testing may need to be done. Integration with other non-core systems functionality such as authentication and authorization, backup, security logging and monitoring, and other infrastructure services should also be considered.
All of these topics should be considered along with the rest of this report’s recommendations. When considering adoption of cloud based services or solutions it is critical to evaluate the short, medium, and long-term impact on business and operations for your department and unit. As is the case with most business process improvements, upgrades, or service changes, it is critical to evaluate the impact on related services, systems, infrastructure and/or personnel when considering the adoption of a cloud solution. The degree of the evaluation or analysis performed is directly influenced by the criticality and complexity of the business process.
For the most part, security in the cloud is similar to traditional on-premises security; however, while we maintain 100% of the accountability for our systems and data in the cloud, operational and technical responsibilities are shared between the cloud provider and us. This presents new risks that must be carefully considered before university data and systems are migrated to cloud services.
Cloud users are responsible for ensuring that security best practices are followed, and that all applicable regulations are adhered to. In selecting cloud services, security is both a high priority, and a complex topic to address. Unlike the services we provide on-premises, the way that the university can manage security in the cloud is largely limited to contracts, service level agreements, and a comprehensive understanding of the terms and conditions of the provider’s service. Following are key considerations for ensuring security of university systems and data stored in the cloud.
When evaluating a cloud service, an important initial step is Determining Sensitivity Levels for Shared Data to assess the NC State classification level (purple, red, yellow, green) and other requirements (FERPA, HIPAA, PCI-DSS, other PII) of the data that will be stored, processed or transmitted in the cloud. The most sensitive data classification levels require the most stringent protection. Once the data have been classified, the cloud provider’s security features should be reconciled with the university’s Controls for Securing University Data – Best Practices. You should ask how your provider will work with you when there is a security incident, including specifying the provider/customer roles in responding to incidents (e.g., who sends out and pays for breach notices). It is the responsibility of the people acquiring and using cloud services to adhere to the restrictions on storage, and removal, of their data. Note that the countries in which data might be stored need to be considered in order to comply with state and federal regulations and policies. See the Legal topic in this report for more information.
Privacy considerations in the traditional on-premises environment also extend to the cloud. University data often includes private information, whether it is personally identifiable data subject to regulatory standards such as FERPA or HIPAA, personnel files, research data, or sensitive university communications. With cloud services, this requires a careful understanding of the provider’s privacy policies, and should be addressed contractually. This includes a review of click-wrap agreements.
Identity and Access Management
Authentication for access to the vast majority of IT services on campus is provided through university Unity IDs. Authorization and privileges are generally provided by role-based control features in university directory services, and in applications themselves. It is important, when considering cloud services, to evaluate whether existing university authentication systems (e.g., Unity, Active Directory, Shibboleth) will be used or new credentials will be created based on the cloud provider’s systems. In any case, the strength of the authentication and authorization controls used for accessing cloud services should meet or exceed university requirements (e.g., password strength, change frequency, and role-based access to sensitive information and privileged capabilities).
Cloud data centers are attractive targets for hackers and “hacktivists” as a result of the large central repositories of valuable data from thousands of service consumers. As such, the cloud provider’s physical security controls should be considered. Geo-political factors are also important considerations.
Security audits of cloud services are often more challenging than for on-premises services, due to limited physical and logical access to the cloud provider’s information systems. However, many cloud providers contract with third-party audit firms to review their security controls and provide statements of compliance (SOC reports) that can be leveraged by client organizations. See Appendix 1, Data Security, for more details.
Effective response to cyber incidents is especially difficult for services hosted in the cloud, primarily as a result of the shared responsibilities between the cloud provider and consumer. As such, evaluation of cloud services should include a review of the cloud provider’s practices relating to incident detection, response, notification and recovery. Points of contact should be identified for both the provider and the university, and roles and responsibilities should be clearly defined as part of incident response planning. For example, there should be agreement with the cloud provider about who will be responsible for declaring an incident, performing forensics and other investigations, and sending notifications. Additionally, arrangements should be made with the cloud provider regarding the prioritization of response and recovery for university services relative to other cloud tenants.
Encryption of data in the cloud offers an important layer of confidentiality protection. It is important to ensure that the cloud provider uses appropriate encryption techniques, and that data confidentiality is assured throughout its lifecycle, including storage (encrypting “data-at-rest”), transmission, and disposition (securely removing data). See Appendix 1, Data Security, for additional details.
Disaster Recovery and Business Continuity Planning (DR/BCP)
Choosing the right cloud services can offer significant improvements in the area of DR/BCP as a result of the resilient nature of many cloud architectures. However, advanced DR/BCP planning of a cloud provider does not absolve us of our responsibilities to meet university requirements for recovery and continuity following a disaster. Will a proposed cloud solution fit into your current DR Plan, or are modifications needed? An approach to consider in selecting a cloud service is to back up data to a separate cloud provider or cloud instance, or to utilize on-premises storage. Best practices in periodically testing recovery should be followed.
When considering the adoption of a cloud service, it is important to evaluate the risk factors associated with moving to those services. There are many companies in the market that offer cloud based services, but not all companies are equal. Each company has its own level of risk depending on size of the company and financial health, as well as how they deliver the service and how they have constructed it. In evaluating a particular cloud service offering, it is critical to consider the risk tolerance in each of the areas listed below. This is, by no means, an exhaustive list, but provides a good starting point for things to consider.
It is in the economic interest of a provider to make it difficult for you to consider switching to another provider. This tends to make it difficult for you to take advantage of competitive advantages of price, services or quality – whether because of improvements in the marketplace or of degradation of service by the current provider. The initial contract and service configuration as well as contract length should be carefully evaluated to assess the degree of lock-in.
A person or group looking into cloud services may need to consider the portability of the service from one cloud provider to another, or from a private cloud to a public cloud. If this is a concern or a need, then one needs to inquire how interoperable the provider is with other providers, and consider the implications if portability is not possible. A good resource is Cloud Computing Portability and Interoperability.
It is important to have an exit strategy in place before adopting a cloud service. When it is time to discontinue using the service, and/or the cloud provider stops providing the service, concerns such as data retrieval, data formats, and costs should be planned for. Some considerations include:
- How much time will it take to move my data to another provider (or to copy it locally)? There are limiting technical factors, such as network bandwidth and processing power, when moving large amounts of data across the Internet.
- If I want to copy the data locally, is there enough storage capacity on-premises to do so? How much time, effort and funding would be required to provide this capacity?
- What format will my data be in when I retrieve it? Think about what format will be usable by other providers or applications, whether formatting will be retained, and whether you will be able to decrypt any encrypted data.
- What costs will I incur? Some cloud providers may charge a fee for the use of network bandwidth, or may charge per storage transaction. This can be quite expensive for significant amounts of data.
For an insightful discussion on this topic, see: Will You Ever Need an Exit Strategy?
Backup and Restoration
If backup and potential restoration of data are needed, it is important to know what the cloud provider’s backup and restore policies are, and what costs are associated with them. Cloud providers may provide self-service restore tools that allow end users to restore their own data, or may not provide backup and restore services at all. You should know the interval at which backups or snapshots of the data are taken: weekly, daily, or hourly? You should also understand the process for requesting a restore, and know the turnaround time on such a request. It is important that the provider’s backup and restore policies work with your business processes and practices.
Cloud provider’s business viability
One of the questions to ask is, “how long has this company been in business?” Additional research for ratings, such as Gartner’s Magic Quadrant, can help.
Service level assessment
Is there a way for you to monitor the service to assure yourself that you are receiving the quality of service you paid for (or expect)?
Auditability and compliance
Will the service allow you to meet your audit needs – or provide you with acceptable audit reports?
Operational Usage Variability
One of the advantages of a cloud service is the ability to add additional capacity during peak times, or as needed. However, you need to plan for the associated variability in costs.
In conclusion, before a group or department makes the decision to move or create a service in the cloud, there are many factors that should be evaluated for risk. Consideration should be made for the likelihood of the risk happening and the impact to the organization if that risk does occur. If the impact to the organization is high, are there ways to mitigate the risk that make it worth moving to the cloud?
With cloud services, accessibility refers to the ability of users to fully interact with a service, regardless of any functional impairment (disability) the user may have. In this context, accessibility is mostly concerned with the user interface that must be used to interact with the service.
There are many considerations when designing a user interface to be accessible to all users, such as color selection and not requiring the use of a mouse to perform certain actions. There are guidelines which define what makes a particular technology accessible or not. The Web Content Accessibility Guidelines 2.0 (WCAG 2), Level AA Conformance is the accepted industry standard and is expected to become the accepted Federal standard for defining what is required of digital content to be considered accessible.
Designing to meet this standard does not happen by accident. It takes careful planning when designing user interfaces to ensure accessibility; however, modern Web development often does not make accessibility a priority. If a particular service is designed without regard to accessibility, there is very little that we, as consumers of the technology, can do to remediate the situation.
Further, when these services are tied to essential educational functions or job duties and there are accessibility problems with the service, we will have created an inequitable environment on our campus, which can lead to civil rights violations, litigation, and potentially severe remediation requirements placed on us. An average of two to three major settlements are announced each year between higher education institutions and the Federal government arising from the deployment of inaccessible technologies. Each settlement easily reaches into the hundreds of thousands of dollars in terms of the resources required to address the problems.
In developing Web services, accessibility needs to be considered from the initial design phases. If accessibility is treated as an afterthought or a bolt-on, early decisions will often make it very difficult or impossible to make something accessible. Because accessibility can be such a difficult issue to fix later, it should not be assumed that a particular service can easily be made accessible. This is why it is important to consider accessibility in the earliest stages of selecting cloud-based services. If a service that has accessibility problems is procured, there is no guarantee that we or the vendor will ever realistically be able to make it accessible to all of our users.
Determining whether a particular service is accessible can be a challenging task. Some products come with accessibility documentation, sometimes called a Voluntary Product Accessibility Template (VPAT). The information in VPATs can often be vague, incomplete, or misleading. Additionally, any accessibility statement by a company needs to be verified.
When considering cloud services, accessibility needs to be one of the essential requirements when selecting among potential candidates. If there are two products that meet all of the essential business needs, and all things are equal except that one product is accessible and the other is not, the accessible product must be purchased. However, in most cases accessibility is not a binary situation but falls on a spectrum. In these cases there are a number of factors to consider.
- Which product provides accessible interactions to more of the essential features of the software?
- What is the company’s commitment to improving accessibility over time?
- What is the likelihood that a product can eventually be made more accessible?
If none of the otherwise acceptable cloud services meet the accessibility requirements, then the cloud service solution must be reconsidered. In such cases, consultation with the NC State Office of IT Accessibility is strongly advised.
The NC State Office of IT Accessibility (email@example.com) provides consultation services to help evaluate these factors.
Although cloud computing is becoming more commonplace, and the benefits of the university not relying solely on its own IT infrastructure are becoming clear, negotiating contracts with cloud providers can be a challenge. New concerns and liabilities are created when university data is stored by third parties, and when third parties are relied on for production services. Thus it is necessary to perform a thorough review of the contract terms to ensure that the contract satisfies federal, state and university regulations. Below are some of the more important legal aspects the university should focus on when negotiating cloud contracts.
When cloud contracts are reviewed, terms and conditions must be analyzed to ensure compliance with university policies, rules and regulations (PRRs) (see Appendix 3), as well as state and federal laws.
In cloud computing, the provider and the consumer share liability. When a cloud provider is unwilling to negotiate on liability terms, the university should be prepared to walk away from a deal. For example, if a cloud provider insists that their liability is limited to the university’s spend on the contract in the prior twelve months, and the university’s risk associated with a potential data breach may far exceed that fixed amount, the university should be prepared to talk with other cloud providers. The university may choose to find a cloud vendor who is willing to offer indemnification for a security breach, or may decide it is more important to avoid the cloud for the time being. It is not advisable for the university to consider placing sensitive employee or student data with a third party cloud provider that simply refuses to negotiate on liability.
Click-wrap license agreements
Please keep in mind that on smaller cloud purchases that only involve click-through license agreements (“click-wraps”), there is typically a limitation of liability clause that is based on some multiple of what the customer has paid. Although there is no “signed” contract, clicking results in the university entering into a legal and binding contract, and so is subject to University contracting policy. As such, cloud service purchases that utilize click-wrap agreements must be reviewed for liability and security risks. Click-wraps can be submitted for review by going to About Clickwraps.
Where the cloud service stores, transmits and processes data
It is important to consider whether university data will be processed, transmitted or stored at offshore locations when choosing a cloud provider. This is important because data stored outside of the United States may be subject to international laws that are contrary to US requirements. Some regulated data (e.g., export controlled data, some classes of Department of Defense data) is only permitted to be stored in the US to reduce the risk of compromise by foreign groups or governments.
When it has been determined that university data should only be stored in the US, guarantees should be written into the contract that the cloud provider will not store or process the data outside of the United States, including for disaster recovery. This is not always stated in the agreement, so the university may need to have this language added.
Other considerations include:
- The country of origin of the cloud provider, as this may be an indication of possible data storage outside of the United States.
- The location of system administrators and technical staff who support the cloud service.
Service Level Agreements (SLAs)
Service Level Agreements (SLAs) for cloud services are important and serve as a type of warranty for cloud computing. The SLA should confirm that the university owns the data stored on the cloud provider’s system and that the university has a right to that data. It should also spell out minimum levels of service and the consequences for the failure of the cloud provider to meet those requirements. The SLA should detail the system infrastructure and security standards, as well as the university’s right to audit their compliance.
Below is a common list of important criteria that need to be considered when establishing an SLA with a cloud provider:
- Availability (e.g. 99.9% during work days, 95% for nights/weekends)
- Performance (e.g., maximum response times)
- Security / privacy of the data (e.g., encrypting all stored and transmitted data)
- Disaster recovery expectations (e.g., worst case recovery commitment)
- Location of the data (e.g., consistent with federal laws/regulations, local legislation)
- Access to the data (e.g., data retrievable from provider in readable format)
- Portability of the data (e.g., ability to move data to a different provider)
- Process to identify problems and resolution expectations (e.g., call center)
- Change management process (e.g., communicating changes – updates or new services)
- Dispute mediation process (e.g., escalation process, consequences)
- Exit strategy with requirements for the provider to ensure smooth transition
When negotiating a contract with a cloud provider, the university needs to keep litigation holds in mind. The contract should clearly identify the steps necessary to notify the cloud provider of a litigation hold, including the specific contact the university should notify if a litigation hold is necessary.
The cloud provider must also show that they have the technical ability to:
- Prevent university cloud users from modifying or deleting data subject to the hold.
- Implement holds on only a subset of the overall data housed for the user.
- Restore the data so that nothing relating to the litigation is lost even if the cloud provider’s system crashes.
The agreement should also clearly state what happens in the event the cloud contract is terminated during a litigation hold, and define how the university will get its data back under those circumstances.
Purchases of cloud services, including cloud storage, can put sensitive university data at risk, fail to meet the needs of campus users with disabilities, or require integration with enterprise-level applications. OIT is currently working with Purchasing and the Office of General Counsel on a process to track these purchases to determine:
- Data sensitivity of data stored in the cloud
- Possible security vulnerabilities and data breaches
- Non-compliance for accessibility
- Possible integration with enterprise applications
- Licensure compliance
Once this process is finalized, it will give campus a list of cloud services that have been reviewed, or are under review, to assist purchasers in determining whether a cloud application meets the standards set by federal and state laws and NC State University regulations. It will also permit users to request review of potential cloud services.
Although some considerations have been provided above, they may not reflect all the legal issues that are possible in each contract. Even if the contract with a cloud provider appears strong and incorporates many of the items listed above, it is still important to do thorough due diligence to be certain the contract meets the necessary legal requirements. Those considering adopting a cloud solution should work with the appropriate university units (such as Office of General Counsel, Contracts and Grants, and Purchasing) to ensure the contract meets all requirements.
Information technology (IT) governance provides the framework for decision-making regarding goals, policies, investment, infrastructure and architectures for IT resources at the university.
At NC State, the IT governance structure consists of committees responsible for technical and policy recommendations, reporting to the Vice Chancellor for Information Technology & Chief Information Officer. See About IT Governance for more information.
The university will benefit from strong IT governance involvement with the adoption, selection and lifecycle management of cloud services. NC State’s IT governance structure provides a mechanism to ensure input from the diverse set of campus stakeholders, and is designed to allow the university to make strategic IT decisions, as well as to manage risk.
IT governance can assist campus with its adoption and use of cloud services. Some of the areas in which IT governance can help:
- Strategic fit
Governance can make strategic decisions about the use of cloud services that have the potential to impact campus services and business practices.
- Risk management
Governance can help ensure that cloud services meet the university’s security and privacy guidelines, in cooperation with OIT Security & Compliance.
Governance can track what is outsourced to the cloud, and what is currently hosted on-premises, to help campus take advantage of existing agreements and services.
Governance can help campus users understand the factors to consider when choosing to use cloud services.
When considering adoption of a cloud solution, a proposal should be presented to the appropriate governance committee or subcommittee when the cloud solution will require:
- Changes to university business practices
See the Business Practices section of this report for more information.
- Changes to campus IT services
If the cloud solution requires changes to the campus IT infrastructure/networking, service delivery, staffing, training or support needs, governance should be included.
- Substantial financial investments
Large financial investments involve risk, which should be considered by governance. Also, other campus units may benefit from participation, or may already be using the solution; coordination can add efficiency.
- Storage, transmission or processing of sensitive data
IT governance, along with OIT Security & Compliance, should be involved when a cloud solution would involve sensitive data.
- Deviation from the IT Strategic Plan
All cloud solutions should be congruent with the NC State IT Strategic Plan. If there is a significant departure from the principles, goals or strategies in the IT strategic plan, governance must be involved in the decision-making.
IT governance can help campus units make wise decisions when considering the adoption of cloud services. Communication and coordination can ensure that risks are managed, financial investments are optimized, supporting resources are available, and that the solution is consistent with NC State’s IT strategies. Campus units should take advantage of the IT governance process when considering the adoption of cloud solutions.
Cloud computing requires a different mix of skills than those found in an established enterprise. IT leaders remain accountable for service quality to customers, yet cloud services diminish their direct control over those services. Cloud does offer the potential to enhance business agility and innovation and to reduce costs, but you may find that your staff is optimized for directly managing systems and components and is not yet ready to manage services and service providers indirectly. You may discover that, rather than staff reductions, you need to create new roles with new skills, especially since cloud vendors tend to say less about the “hidden” costs than about the promise of staff and cost reduction.
Many IT organizations are not prepared to take full advantage of cloud computing. Research shows that existing resources (staff, technology, etc.) and capabilities (training, skills, etc.) are frequently inadequate to manage services and service providers effectively, a prerequisite for success with cloud computing. Managing an IT system isn’t the same as managing services. Don’t assume that experience with application service providers means your team is ready for cloud service management. See The Impact of Cloud Computing on Staffing.
This section presents the knowledge from several online reports regarding cloud computing and staffing. Several are footnoted and a short reading list is provided at the end of the report (see Appendix 2).
Transitioning to a cloud-enabled IT environment and maintaining a well-aligned cloud computing platform implies a more dynamic, project-oriented requirement for IT organizations. Systems designed for agility and responsiveness, such as cloud and cloud-related technologies, rely more heavily on project and program managers to ensure that interdependencies are identified and accommodated.
The nature of cloud computing requires managing contracts, relationships and collaborations. Whether resolving disputes, producing an agreement on a course of action, or bargaining for individual or group advantage, strong negotiation skills are vital.
Business analysts and enterprise architects need to be conversant with both the business requirements and the technical options while being aware of the key service-level requirements and even the principles of service-oriented architecture.
Data integration and analysis skills
Data is more valuable than ever in today’s economy. Having actionable information on which to base business decisions requires consistency and timeliness. Will data generated through cloud systems mesh seamlessly with on-premises ERP, data warehouse or other systems? See The 8 Most Important Skills Needed for Cloud Computing Today.
The increased expectations of “anytime, anywhere” computing will require development of services that can be accessed by any device from any location. Demand for professionals who can build and deliver applications that reside in the cloud yet take appropriate advantage of a particular device’s capabilities will expand. APIs and control panels take a front seat to deep installation and configuration experience and emphasize strategic capacity and disaster recovery planning. “While the types and extent of skills required on staff will depend on how much of the cloud will be built and managed in-house, there’s no question that the ability to build applications that can run quickly on the Internet will prevail. The knowledge base needs to be heavily focused on Internet capabilities. Specialized programming skills may come to the forefront, as well as knowledge of virtualization. Knowledge of open-source tools and languages may also come into play as well.” See The 8 Most Important Skills Needed for Cloud Computing Today.
Operations and Networking
As data and systems are increasingly dispersed, the integration and controlled movement of data between systems and providers will also become essential capabilities of IT organizations. Making sense of high volumes of data, including how to organize and analyze large data stores, will also be increasingly important.
Contract and Service Level Management
There will be an increased need for staff with contract negotiation, contract management, and service level management skills. Understanding how to ensure compliance with relevant legal, financial, and business requirements is required. Managers and staff involved in managing cloud contracts must understand such factors as the risk profile of the institution and their unit, as well as related institutional policies. This will help in deciding what services to use in the cloud and which services need to remain in-house, and the pace of adoption of cloud services.
Cloud security skill sets will continue to be in high demand. Security staff will need to help the institution or individual administrative units move core business processes and data securely to private, public, or hybrid cloud solutions. Staff must stay abreast of new security models and technologies, and develop skills in the areas of data protection, privacy standards, securing message integrity (encryption, digital signing and malware protection), federated identity management, authentication methods, and auditing. See Desperately Needed: More Cloud Training, More Cloud Skills.
While end-user support is necessary in legacy environments, it becomes a core function of a cloud-enabled environment. At the front end, proper service level definition will be essential. Equally important will be the ability to isolate and diagnose trouble between an increasingly large portfolio of systems. Staff will need higher order analytical skills, in addition to strong communication skills.
Increased hosting in the cloud provides opportunities for economies of scale, which will only be realized if done strategically. The number of systems supported per IT staff member can be greatly increased, because the automation cloud services provide makes many traditional and mundane tasks easily manageable through dashboards and control panels. However, loss of direct control (but not of accountability) is a big consideration when outages occur.
Training continues to be a pain point for migration to cloud initiatives. For example, a new survey of 286 federal managers (see Accenture Research Shows Federal Agencies Struggling with Cloud Implementation) finds only 10 percent of U.S. federal agencies have been able to migrate significant portions of their IT portfolios to the cloud, despite the government’s aggressive “Cloud First” policy. The reason for this lag: not enough skills in the cloud arena. More than two-thirds of respondents said their agencies lack the skilled staff necessary to execute their cloud strategy, and 31 percent said they would need to hire at least one new employee. About half of survey respondents (45 percent) said training is necessary to develop those skills, estimating that cost between $25,000 and $50,000 per employee. (See Desperately Needed: More Cloud Training, More Cloud Skills.) To that end, skills development not only at the technical level, but also across the skills spectrum discussed above, is critical for a successful deployment of a cloud solution.
Cloud computing is a complex environment with a variety of enabling technologies. Most organizations will need technical proficiency and even expert proficiency in a wide range of these technologies to be successful. However, cloud computing is more than simply a technical paradigm: At its most beneficial, cloud computing reflects a fundamental shift in the relationship between the business and the consumption of IT.
This new relationship requires the IT organization to better understand the business requirements and the intersection of business activities and the supporting technologies. IT managers who are hiring for cloud-related jobs find that understanding the relationship between cloud computing and other activities, such as service management, business continuity, and even the business value of cloud, is as important as understanding the specific technologies being leveraged. See Climate Change: Cloud’s Impact on IT Organizations and Staffing (PDF).
One important and often neglected consideration when moving to the cloud is how the service will provide support to the end user, and how IT staff will interact with the provider’s support. The level of support offered by cloud providers can vary significantly. For example, IaaS services may or may not include support for the operating system. SaaS services may provide 24×7 support through multiple contact methods, or may only provide community support through web forums.
The cloud provider’s support services may be available directly to end users, or only through a defined contact. Additionally, consideration must be given to who will provide support locally, and who will coordinate with the cloud provider’s support services.
Questions to ask
When considering a cloud service, there are some basic questions to ask about the provider’s support. These include:
- What type of end user support is available from the vendor?
- What is the cost for support? Is more in-depth support available for a fee?
- How is support provided?
- Who can submit support questions? (Some vendors limit who can submit support issues or questions.)
- What is the availability of the support (24×7? 12×5?) (Note that an online forum or “community support” can be of high quality, but response times can vary widely.)
- What is the expected turnaround time on requests?
- What other support resources are available? For example, community user groups, online documentation, troubleshooting tools or dashboards.
- How will communications and notifications be handled?
- Are there defined maintenance windows? Is support available for the institution as a whole (from the administrative infrastructure perspective) and how does that work?
And there are questions to ask about on-campus support:
- Is there any support or help available at the local or university level?
- How in-depth is that support (e.g., at the Tier 1 level)?
- Are there other users on campus that might be a resource?
- What training and resources will local IT staff need to support the service? (E.g., will local IT staff need their own access to the service? training classes?)
Local IT support
As you evaluate cloud services, be sure to reach out to local IT support before purchasing or beginning to use a cloud service. Talk with them about specific needs and what support, if any, they may be able to provide. In addition, if the service might benefit others, it is helpful for IT staff to be aware that it is being investigated.
Adopting cloud services does not eliminate the need for IT support personnel; instead, it changes the roles and focus of those personnel. IT support may focus on helping users understand a cloud solution’s interface and capabilities, rather than on installing, customizing and configuring an on-premises solution. Local IT staff may be responsible for troubleshooting, integrating the cloud service with local systems, and/or programming of interfaces.
Points of contact
For cloud services that are used by one or more university units, it can be beneficial for there to be a single contact point that will work with the cloud provider to coordinate support services. That contact might be part of the department that adopted the cloud solution, or may be part of a central IT unit depending on how the solution is used and licensed.
As with any service, when a cloud service is adopted, an escalation path for support requests should be defined and communicated to the end users and IT support staff. For example, when end users contact the NC State Help Desk, help desk staff need to know how to direct their support requests.
What to support
One support challenge is that there are many cloud services that are free or of minimal cost which may be used by faculty, staff, or students without them ever notifying the IT support structure of their use. In the past, when information technology units were better able to control the IT services that were available, the limits of support were easier to define. Now, with the ubiquity of cloud services, IT support is faced with either enforcing rigid policies about what’s supported, or becoming more flexible and developing the skills needed to work with a broad range of cloud applications.
Roles and responsibilities
The end user and the IT unit on campus should understand the roles and responsibilities of each of the parties.
Depending on the scale of the service or product, the IT unit may have responsibilities for maintaining parts of the cloud service such as account and password management, monitoring and metering usage, or configuring which features are available. On the other hand, some of these items may be the responsibility of the end user or the cloud provider.
One of the more interesting challenges when services are moved to the cloud is the loss of control over the service. The expectations of IT staff and users of the service may need to change if IT staff are not able to make changes to the service, or to fix problems with the service, as they might have with an on-premises solution.
For example, with cloud email services, what options does the university have if a user is misbehaving or has their account compromised? Can the university re-enable that account or does the vendor decide? These types of issues should be understood before moving the service or purchasing the product.
Infrastructure as a Service (IaaS) refers to cloud solutions that provide services such as storage, virtual server hosting, networking or other infrastructure components via the Internet. IaaS can be provided through the public cloud, through a private cloud that is run either by a third party or by NC State, or through a hybrid cloud solution. This report focuses on public cloud solutions.
IaaS offers a number of advantages, allowing its users to rapidly self-provision computing resources, and to make adjustments to the amount of computing resources that are available, depending on resource demand. In some cases, a provider’s economies of scale mean that services can be provided at a lower cost than could be achieved locally.
When considering IaaS in the public cloud or provided by a third party, campus users must consider a number of factors, including:
- Be aware of “hidden costs”. Some cloud providers charge fees for bandwidth usage, storage transactions, restores from backups, and other items not normally charged separately by campus services.
- Cloud services make it easy to add resources during peak times, but this makes costs less predictable. Funding must be allocated to cover any dynamic usage. It is important to ensure that the cloud provider offers adequate tooling for monitoring, metering and measuring elastic usage.
- An exit strategy should be developed before infrastructure services are deployed in the cloud. See the Risk Management section.
Integration with existing campus services
IaaS solutions may require resources from, or changes to, existing campus infrastructure services. Some key areas include:
ComTech should be consulted about necessary networking resources, such as DNS, VPN connectivity and bandwidth usage.
Federated authentication services are available on campus — current examples include Shibboleth and Active Directory Federation Services. Whenever possible, user authentication should use NC State authentication services, and a separate password should not be used or stored in the cloud provider’s system.
How are permissions managed? For supportability, it may be desirable to use campus resources such as Active Directory to control access to the cloud service and its components.
- Identity management
The impact to the campus identity management system should be considered. Will the cloud service require access to identity data?
Integration with the campus storage infrastructure should be considered. For example, if storage is required, can the cloud service access campus storage, or will the data be stored in the cloud?
When choosing cloud services, a needs assessment should be performed to determine whether the features of the cloud solution are needed, and meet business requirements. Features to be considered include:
- Elasticity of demand
A cloud solution may be appropriate if there are spikes in resource usage, and if there is a need to dynamically allocate resources (although related costs must be planned for).
- Rapid/self-service provisioning
A cloud solution may be appropriate if there is a business need for self-service provisioning, or rapid turnaround in the provisioning of computing resources.
If automation of the provisioning or management of the service and its resources is needed, or if different views or reports than the default provided by the service are desired, then there is a need for appropriate APIs to be made visible by the service.
The types of support, and hours available, vary. Cloud providers may be able to offer 24×7 support through global help desks that “follow the sun”, which can be an advantage over local services. However, some may offer less support, such as 8×5, or may only offer email or chat support. The criticality of the infrastructure service must be considered and matched with an appropriate level of support.
- Other features
Cloud services may have additional desirable features, which should be balanced against business need, cost and supportability.
It is critical that units be aware of data location requirements (export controls, grant requirements, etc.). Some cloud providers enable users to specify the location of the data center that will hold their resources, while others do not. See the Legal section of this report for more information.
When hosting infrastructure with a third party, particularly in the public cloud, attention to security is essential. See the Security section of this report for more information.
IaaS includes many features and benefits. Campus units and users must determine whether these meet business requirements, whether the costs are in fact lower than similar campus services, whether security requirements can be met, and whether the work required to integrate the cloud solution with existing campus infrastructure is achievable. An exit strategy is essential and should be planned before IaaS is implemented. If these considerations are successfully addressed, IaaS may provide substantial benefits.
Cloud functions sound attractive, but don’t get taken in by attractive sales talk. Making the cloud work for you and achieving your goals takes good planning and evaluation. You aren’t in this alone: our university environment has many complications, but it also has many avenues of support. This report illustrates how to fly through the clouds to your benefit.
Cloud security can be a complex subject, depending on the kinds of data that are being stored with the cloud provider. The OIT Security & Compliance office can provide professional assistance with assessing security risks and controls. The following information is provided for those who would like more details about security considerations.
Encryption and Key Management
There are several challenges that need careful consideration when evaluating the appropriateness of encryption in the cloud. First and foremost, verify that encryption is done with standard algorithms (e.g., 3DES, AES) instead of proprietary techniques, and that encryption keys are of appropriate lengths. Serious consideration should also be given to ownership and management of the encryption keys, to ensure that access to the data is appropriately limited, including from the cloud provider’s staff in some cases. Consideration should be given to data confidentiality throughout its lifecycle, including storage (encrypting data at rest), transmission (e.g., using SSL/TLS), and disposition (e.g., “crypto-shredding”, destroying the keys so that the remaining ciphertext can no longer be read).
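To make the key-ownership and crypto-shredding points above concrete, here is an added example (not from this report, OIT, or any cloud vendor) of envelope encryption in Go: each object is sealed under a one-time AES-256-GCM data key, that data key is wrapped under a key-encryption key (KEK) the university holds, and discarding the KEK makes everything wrapped under it unreadable no matter what the provider still stores. The KeyStore type, the identifier unit-kek-1 and the object name are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a key-encryption-key (KEK) store that stays under the
// university's control; the cloud provider only ever sees wrapped data keys.
type KeyStore struct {
	keks map[string][]byte // KEK identifier -> 32-byte AES-256 key
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: make(map[string][]byte)} }
func (ks *KeyStore) Generate(id string) { ks.keks[id] = randomBytes(32) }

// Shred discards a KEK: every object whose data key was wrapped under it is now
// unrecoverable even if the provider keeps the ciphertext ("crypto-shredding").
func (ks *KeyStore) Shred(id string) { delete(ks.keks, id) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is not something this code can recover from
	}
	return b
}

// newGCM builds an AES-GCM AEAD; every key here is 32 bytes, so failure is a bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only errors for a non-128-bit block size, never AES
	return g
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Envelope is the only thing handed to the provider for storage: no KEK material.
type Envelope struct {
	KEKID      string // which university-held KEK wraps the data key
	WrappedDEK []byte // per-object AES-256 data key, sealed under the KEK
	Ciphertext []byte // the object, sealed under the data key
}

// Encrypt seals the object under a fresh one-time data key, then wraps that key
// under the named KEK; the object name is bound as AAD so envelopes cannot be swapped.
func (ks *KeyStore) Encrypt(kekID, objectName string, plaintext []byte) (*Envelope, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return nil, errors.New("unknown or shredded KEK: " + kekID)
	}
	dek := randomBytes(32)
	return &Envelope{
		KEKID:      kekID,
		WrappedDEK: gcmSeal(kek, dek, []byte(kekID)),
		Ciphertext: gcmSeal(dek, plaintext, []byte(objectName)),
	}, nil
}

// Decrypt unwraps the data key with the KEK and opens the object; it fails once
// the KEK has been shredded or if the envelope is presented under another name.
func (ks *KeyStore) Decrypt(env *Envelope, objectName string) ([]byte, error) {
	kek, ok := ks.keks[env.KEKID]
	if !ok {
		return nil, errors.New("KEK unavailable: data is crypto-shredded")
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte(objectName))
}

func main() {
	ks := NewKeyStore()
	ks.Generate("unit-kek-1") // constructed KEK identifier
	env, _ := ks.Encrypt("unit-kek-1", "hr/benefits.csv", []byte("constructed sample record"))
	pt, err := ks.Decrypt(env, "hr/benefits.csv")
	ks.Shred("unit-kek-1")
	_, shredErr := ks.Decrypt(env, "hr/benefits.csv")
	fmt.Printf("before shred: %q (err=%v); after shred: %v\n", pt, err, shredErr)
}
```

A real deployment would keep the KEKs in an HSM or key-management service the university controls rather than in a map, but the split is the same: the provider stores envelopes, the university holds the key that makes them readable.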
The current standard for Reporting on Controls at a Service Organization is the SSAE 16 Auditing Standard. The Statement on Standards for Attestation Engagements (SSAE) No. 16 was developed by the American Institute of Certified Public Accountants to replace the SAS 70 report. The SSAE 16 type 2 report (SOC 2) provides the results for the evaluation of the cloud provider’s information systems relevant to security, availability, processing, confidentiality or privacy. OIT Security & Compliance often uses the cloud provider’s SSAE 16 report to validate their security controls.
- IDC: Climate Change: Cloud’s Impact on IT Organizations and Staffing (PDF)
- ComputerWorld: CareerWatch – Staffing Needs in the Cloud
- EDUCAUSE: Professional Development and Staffing for the Cloud
- GlobalKnowledge: The Impact of Cloud Computing on Staffing
- Paranet: Last two paragraphs of IT Staffing in 2013
- Dice: Search results for Cloud Jobs in Raleigh NC
- Forbes Tech: The 8 Most Important Skills Needed for Cloud Computing Today
- Forbes Tech: Desperately Needed: More Cloud Training, More Cloud Skills
- ComputerWorld: Cloud jumping: When it’s time to switch providers
- EDUCAUSE Center for Analysis & Research:
This list highlights some of the policies, regulations and rules relevant to cloud computing. It is not exhaustive; the additional references in each PRR should be consulted for more information.
- Policies, Regulations and Rules (PRR) Website
The university community is subject to all of these policies, regulations and rules.
- Information Technology section of PRR
There are a number of PRRs that apply specifically to information technology.
- Public, Non-public and Confidential Information (Office of General Counsel)
Helps define confidential information. This information should be combined with the data sensitivity framework and data storage locations guidance.
- REG 08.00.02 – Computer Use Regulation
Note particularly the references to software licensing.
- REG 08.00.03 – Data Management Procedures
Besides the regulation, the additional references link to information about data classification, data storage locations, and confidentiality of data.
- REG 01.20.02 – Delegation of Authority to Sign Contracts
Note the references to click-wrap agreements.
- REG 10.00.05 – Export Control Compliance
Discusses data that must reside in the United States.
- REG 04.25.05 – Information and Communication Technology Accessibility
Accessibility requirements apply to cloud services.
- REG 08.00.11 – Online Course Material Host Requirements
These requirements for online courses apply to cloud services.