Look Before You Leap: Imperatives for Cloud Implementation

While the idea of saving money and streamlining IT operations in school districts is very attractive, administrators and IT professionals alike need to be aware that cloud computing is still an emergent technology, with some very real concerns and weaknesses that need to be addressed.

A) Security
In surveys of IT leaders, security is always the No. 1 reason organizations hesitate to either adopt or further implement cloud computing. Headlines like PC World's "Microsoft Cloud Data Breach Heralds Things to Come" in December 2010 are enough to give some technology executives second thoughts.

You have to do your due diligence about security, stresses Kentucky's Austin. "You have to inspect their premises and security policies," he says. He explains that the state of Kentucky has a duty to require a degree of inspectability. "Upon an open records request, we have to have legal and technical capacity to inspect and open mailboxes, and we got that from Microsoft."

But Austin also believes there are myths about security in the public cloud. "People who are nervous about it and really want to keep that server under the desk with the lights blinking have to be aware that they always have security problems themselves," he adds, "with users forgetting passwords and keeping them on a sticky note on their keyboard."

Yankee Group principal analyst George Hamilton notes that "cloud providers don't want to make their privacy policies public because it may invite hackers." But customers should turn to valid third-party audits such as ISO 27001 and the SysTrust audit. "You show me a cloud service provider that won't open the kimono," Austin says, "and I'll show you one I don't want to do business with."

Private cloud consortia can bring certain security benefits to smaller districts. IlliniCloud's Peterson says its members recognize that their data is actually more secure in the cloud. In the past they manually backed up data to tape in a time-consuming process. Now their data is backed up instantaneously each night in one of IlliniCloud's three data centers located in different parts of the state.

Before migrating to cloud technologies, school districts should evaluate applications and infrastructure for vulnerabilities and ensure that security controls are in place and operating properly, says Booz Allen's Marglin. He also suggests setting up an active monitoring program that uses services such as intrusion prevention, access and identity management, and security event log management to identify any security threats to the cloud implementation. Schools could turn to tools such as VMware's Horizon Application Manager, which allows organizations to set up authentication and policy controls for SaaS applications. IT security executives can monitor who is using which application and can set granular policies about access.

Before contracts were signed, the Oregon Department of Justice had to make sure Google's service met all federal guidelines and state statutes, including the Children's Online Privacy Protection Act (COPPA), Children's Internet Protection Act (CIPA), and Family Educational Rights and Privacy Act (FERPA). Hamilton predicts that in a few years cloud storage providers will appeal to specific vertical markets, vowing to comply with whatever regulatory requirements apply to education, healthcare, etc. In the near term, of course, school districts will continue to operate in a heterogeneous environment, with some data on dedicated servers behind firewalls, some in private or consortium clouds, and some in public clouds.

Hudson Falls’ Partch says he would be somewhat reluctant to put any student demographic information or grades in the public cloud. "Everything like that stays on our side of the firewall," he says, "but student-created work and content is fine. We have 80 terabytes of storage, so there's no need to use a public cloud for data storage."

He believes that the public cloud is not mature enough yet to place his district's Windows applications there. "We like a hybrid environment. If a student brings his or her own device, it sees our network and we drop down a login screen for credentials. They connect to our private apps, but we can also provide links to public cloud apps through a single sign-on."

B) Contracts
School districts have been negotiating contracts for computing services now for decades. In many ways, negotiating the fine print on a contract for cloud computing services is similar to what those administrators have always done--but there are differences. Two experts on the matter agreed on one thing: It is important to sweat the small stuff.

According to Thomas Trappler, director of software licensing at the University of California, Los Angeles and an authority on cloud computing contracts, "You can't walk away. With cloud computing, everything comes back to the contract."

Trappler and David Cottingham, senior director of managed services at technology products and services provider CDW, suggest four questions to always ask when working with a cloud computing services provider and four pieces of good advice.

Ask these questions:

  • If you end up not being satisfied with the services you receive, how do you terminate the contract? Can you terminate for convenience or must you have cause?
  • If there is a provider outage, what are you entitled to? Consider a service level agreement (SLA) for this that defines service terms, including how many hours and minutes the service must be accessible. If the provider fails to meet the SLA, what are the penalties or credits to be awarded to the district?
  • In case of a catastrophe (for instance, a natural or man-made disaster) or major data loss, what are the provider's contingency plans?
  • Finally, what responsibilities do you have as a customer? For example, if a student or staff member uses an application or uploads a virus that damages the system, what is the district's responsibility? In some cases, the provider's acceptable use policy can shut your service down. If that happens, the district must have its own independent contingency plans to be able to operate in the meantime.

Follow this advice:

  • Gather input first. Form a group of key stakeholders or subject matter experts that can review and evaluate the impact of a cloud service before it gets adopted. The membership of this group may vary depending upon organizational needs, but would typically include: the business process owner department, IT vendor management/IT procurement, IT technical, legal, IT security, IT policy, risk management, and audit/compliance.
  • Describe--precisely--the level of service that will meet your needs. Spell out the parameters and definitions for each element of the service you expect, along with remedies for service levels that are not met. For example, information security standards will vary depending on what a certain department is doing with its data. Make sure you have all the information on your needs before you start negotiating with a provider.
  • Trust, but verify. Check out the physical infrastructure of the provider's facility. Don't forget that your data still resides in a brick-and-mortar building. Where is the data center? Are there security guards and video cameras? Even if you're moving to the cloud, there's still a "there there" somewhere. Know where it is.
  • Conduct due diligence. Some organizations, such as the Cloud Computing Association, are trying to establish cloud computing standards, but none of these is yet perfect. Nothing beats an old-fashioned investigation. And much of that involves (you guessed it) reading the fine print.

For more on the topic of cloud computing contracts, Trappler has written what may be the definitive article on the subject, "If It's in the Cloud, Get It on Paper," available online.

C) Migration and Lock-in
Porting your data to a service provider is sometimes easier than getting it out. When assessing and managing the risk of cloud computing, you often hear concerns about "vendor lock-in." Given the relative immaturity of the cloud business model, some vendor shutdowns and acquisitions are inevitable. Therefore, school districts must have an exit strategy, a plan for moving data to another provider or back in-house if things go bad. Chief information security officers interviewed for this article suggest that contracts make clear that school districts are able to take their data elsewhere. Agreements should also require the vendor to delete all of the district's data from storage media after handing it over, they add.

Of course, providing services again after eliminating hardware, software, and personnel is no small task. The state of Oregon worked out an agreement with Google that if the search giant ends the service it provides, the state would get five months’ termination notice. Austin says the Kentucky Department of Education's legal representatives had to negotiate potential exit strategies with Microsoft. "They at first said they wanted to give us 30 days notice if they chose to terminate the service. We said it would take us a full year to stand it back up on premises," he says. "So they agreed to give us a year's notice." With Tyler, the commonwealth had to negotiate and agree to stay with the service for a certain time period in order to get the cost it wanted. In turn, Tyler agreed to only raise the price a certain percent per year during that time period.

Having redundant vendors is a good idea whenever it's feasible. When Amazon Web Services have had outages, some customers were just down during that time, while others had built-in redundancy, either with other Amazon servers or by automatically cutting over to other vendors.

Migrating from one infrastructure as a service vendor to another is definitely possible, but could be expensive and require consulting help from cloud experts.

The term platform as a service (PaaS) refers to a web-based development environment for cloud-based services. It offers enterprises access to shared, scalable IT resources on demand. But software developers building applications on a cloud platform such as Microsoft's Azure Services or Google's App Engine should look for the capability to port those applications from one vendor to another or move them in-house without having to rewrite them.

You might consider looking at open source options. In collaboration with NASA, Rackspace Hosting has launched OpenStack, whose development model is meant to foster cloud standards, remove the fear of proprietary lock-in for cloud customers, and create a large ecosystem that spans cloud providers.

Booz Allen's Marglin says it is best to view public cloud services as you would a utility, so how much you can negotiate with the vendors may be limited. "You may not have a lot of choice," he adds, "but you should have your eyes open and always have a backup plan."

D) How to Plan
In spite of vendor promises to get you up and running in mere hours, early adopters have learned that undertaking a cloud initiative is like tackling any other transformational IT project in your organization. Therefore, it calls for the same basic script: Start small; work hard to prepare users for coming changes; learn as you go; continuously improve what you're doing. And beyond that--prepare to improvise.

Featured