*Cloud Computing* Some Guidelines. Kelly McDonald. Dec. 8, 2011.
Off-Campus Clouds?
• Contracted computing is not always a ‘cloud’
• Blackboard Example
• Most popular cloud computing example is Gmail
• Might be processed in one of many Google Data Centers
• Could be multi-tiered
• Dropbox resides on Amazon’s S3 storage
• ZeroPC leverages Dropbox for its data sharing functionality
• Campus services will eventually utilize both on and off-campus cloud components in a very seamless manner.
• The major concern is the integrity of university data
The Information Security and Privacy Committee
• Organized by the ERMCC in 2006
• Chartered to advise them on information security and privacy issues
• Helped to reduce the Social Security Number footprint in on-campus applications
• Recommended the concept of a sensitive data registry for tracking use
• Most recently developing the framework for an Information Security Program for campus use
• Infosec.byu.edu
Guidelines for Cloud Computing
• ISPC has been working on these documents for the past 10 months
• It is evident that there are degrees of concern, based upon the level of university impact.
• We are producing a set of guidelines to assist the average faculty/staff/administrator in making wise choices in how they use cloud services for their individual work.
• We are also producing a set of guidelines and a questionnaire to help guide departmental transitions into cloud service agreements.
Individual Cloud Computing …
• Faculty want to:
  • Share files via Dropbox, Skydrive, etc.
  • Communicate with students via Facebook, Gmail, blogs, etc.
  • Collaborate via Google Docs, wikis, etc.
• Yet they are constrained by compliance with FERPA
  • Students must be permitted to inspect their own educational records
  • Faculty may not disclose personally identifiable information
• Other Issues:
  • License terms of cloud services
  • Reliability of cloud services
Larger Risks and Concerns…
• Availability – The service provider should demonstrate that they can maintain business continuity and deliver services with minimal disruption, and that the data is properly backed up.
• Accessibility – Provisions should be made to ensure that the university can recover data, should anything happen to the cloud computing provider.
• Security and Privacy – Data should be protected in accordance with university policies, and privacy laws such as FERPA, HIPAA, etc.
• Compliance with Laws and Regulations – For example, information subject to export controls should not be located in other countries.
More Risks and Concerns…
• Legal Concerns – Since cloud computing relationships are governed by contract, there are items to be considered prior to entering into an agreement, such as:
  • Data definition and use
  • Data ownership
  • Service level expectations and performance metrics
  • Liability concerns for breaches of data
  • Termination of service terms
General Cloud Guidelines …
• Acquiring Cloud Computing Services
  • Will sensitive university information be stored or processed?
  • How critical is the provided service to the business process or academic activity?
  • If the service or data is not accessible during critical times, would it create a significant hardship or financial loss?
  • Are there regulatory or contractual requirements that govern the use or protection of the information? (data privacy, export controls, human subjects research, etc.)
• The ITPC has developed a Cloud Computing Questionnaire, to assist departments during cloud computing acquisition.
Guidelines cont’d…
• Revise business procedures and practices to ensure that cloud computing services are properly managed
• Assess the specific risks
• Define roles and responsibilities
• Establish security procedures
• Monitor the service to ensure that performance and availability expectations are being met
• Update your business continuity plans to properly reflect the cloud computing service
The Movement is Inevitable…

“At a purely economic level, the similarities between electricity and information technology are even more striking. Both are what economists call general purpose technologies. Used by all sorts of people to do all sorts of things, they perform many functions rather than just one or a few. General purpose technologies, or GPTs, are best thought of not as discrete tools but as platforms on which many different tools, or applications, can be constructed. Compare the electric system to the rail system. Once railroad tracks are laid, you can pretty much do only one thing with them: run trains back and forth carrying cargo or passengers. But once you set up an electric grid, it can be used to power everything from robots in factories to toasters on kitchen counters to lights in classrooms. Because they're applied so broadly, GPTs offer the potential for huge economies of scale – if their supply can be consolidated.”

The Big Switch: Rewiring the World, from Edison to Google, Nicholas Carr, Jan. 2008