There are now several universities, colleges and other educational institutions that are seriously considering getting on the cloud or are in the process of doing so. According to D. Frank Smith at EdTechMagazine.com, the market for education related cloud computing technology is expected to reach $12.4 billion by 2019, which is close to a 150% increase from 2014’s estimated market size at $5.1 billion.
Yet, there are challenges and roadblocks for educational institutions on their way to the cloud. For one, colleges and universities need to ensure the security of their system and that of the cloud service provider. They would also need to ensure that their users’ privacy is protected, as well as a host of other legal hurdles that they need to consider.
According to findings from an Open Security Foundation study, more than three out of every ten breaches involve higher education. This is due to the fact that hackers tend to get a windfall of personal information when they succeed. Close to half of these breaches happen inside the university’s network as well.
Add to that the adoption of BYOD in schools and universities wherein IT departments face a dilemma between fearing a breach that would easily happen or putting up firewalls that would secure the different devices used by students, employees and faculty but frustrates their users to no end. The latter would mean that users would need to memorize different logins and passwords in order to access the system, or use its apps. Indeed, IT departments are trying to live with a trade-off between security.
While it is important for users to have a good experience with your system and to avoid frustrating them, it would be foolish to think that security could be neglected. For one, security breaches happen a lot more often than one may think. Huffington Post reports that in 2014 alone, 30 educational institutions reported data breaches in 2014. Five of these universities reported breaches bigger than the highly damaging and highly publicized hack at Sony.
- University of Maryland reported data breaches involving 300,000 user records in March 2014, including birth dates, names, social security numbers and ID numbers.
- North Dakota University reported that close to 300,000 user records were hacked in February 2014.
- Butler University reported that data of close to 200,000 users were compromised, including bank account information and social security numbers.
- Indiana University also disclosed that data for more than 146,000 users were compromised in an attack that cost the school around $130,000 to combat.
- Around 50,000 users at Arkansas State University were compromised and hackers were able to get social security numbers as part of the hack.
That simply means that it could happen to you, as well. And when it does, it might prove to be very costly. Taking a look at enterprises that have suffered data breaches in 2014, the average cost of a breach reached more than $6.5 million, which translates to an average of around $217 for every stolen record, $74 of which went to legal fees, technology investments and other direct costs in solving the data breach, while the remaining $143 was due to indirect costs, such as the loss of customers.
When Universities Get on the Cloud…
When an enterprise gets onto the cloud, their IT personnel usually have a plethora of literature and best practices to rely on to ensure that their cloud deployments go without too much hitches or that the potential for costly and embarrassing mistakes are eliminated. But the same could not be said when it comes to educational institutions such as colleges and universities when they decide to get on the cloud.
Learn from the enterprise experience
Like corporations and enterprises getting on the cloud, it would help to consider the availability of your cloud applications. Your users – faculty, employees and students – would need to be able to access the apps when they need to. Take a look at the providers’ service level agreements to get an idea of expected uptime and their performance. Additionally, you should be aware of the provider’s backup, business continuity and disaster recovery methods to ensure that you can minimize downtimes and loss of data after a natural disaster or a crisis affecting their data centers.
Another aspect you should be looking at is portability. A cloud provider might be extra helpful getting your data on their platforms, but they might be very difficult to deal with when it comes to letting you take it out of their systems when you terminate the relationship with them. Additionally, you should be able to move from one SaaS service provider to another instead of being trapped or tied down to a particular service.
Speaking of your data, you should also thresh out the issue of ownership. Who would own the data that you put or create in the cloud? Because the university would not be purchasing the software used on cloud platforms, the data that they store or create on such platforms are not going to be considered as their property by default. This has to be clear before you sign that contract. You will need to read the fine print for this. Moreover, you should also know if you would be able to recover the information and the data you put on the cloud when you terminate the relationship or if the service provider shuts its doors.
Another major consideration you should iron out early on is the liability aspects of being on the cloud. When it comes to educational institutions working with third party providers, you will have to accept the fact that much of the responsibility when it comes to compliance to laws and regulations would fall on you. Being a mere service provider, the cloud platform service you choose will not be responsible for your data’s privacy and security. You would need to ensure that your user data is kept private and secure.
There are some cases wherein it is not that clear cut, however. For instance, there is a disagreement whether compliance with the Payment Card Industry Data Security Standards should fall as the responsibility of the cloud service provider or the customer. In these cases, you should be able to formally assign liability in a clear and concise manner. This way, the university would know which laws and regulations to comply with while the service provider takes care of all the rest.
Pore over the acceptable use policies laid out by the service provider to get an idea of your liabilities and responsibilities, as well as the things and activities that you can do with a certain cloud provider. For instance, cloud e-mail service providers will have acceptable use policies on sending out spam and what constitute spam messages.
What all of these boil down to is whether or not a service provider would be able to meet your unique operational needs as well as compliance requirements. You might also want to look at how flexible a provider really is, beyond the one-size-fits-all model that they push towards their customers. Remember, you have unique needs that are different from enterprises and businesses that they usually deal with, so most of the time you would need to add or remove some services to the standard package, or get something different altogether.
Moreover, a university looking to get on the cloud should also be aware of the latest technologies coming out. But that should be second priority to their prime considerations: costs, compliance and complexity.
Stay tuned for the second part of this article next week.
Photo courtesy of Charis Tsevis.