Being a treasure trove of personal information, colleges and universities are subject to numerous state and federal laws covering data on academic grades, health records and financial aid, among other things. Some may have additional regulatory burdens. Institutions holding sensitive government contracts, for example, or those subject to export controls over their research materials and intellectual property cannot permit pertinent digital material to leave the country or even be accessed by foreign nationals.
Under these circumstances, hesitancy to entrust this important information to cloud infrastructures is understandable but increasingly unfounded. Security in the cloud can certainly be as good as or better than maintaining your own data center operations exclusively. It depends primarily on the abilities of the service provider and not the viability of cloud computing in general.
Accordingly, evaluating prospective providers must begin with assessing their infrastructure security and their standing with industry and agency data security requirements, regulations and laws, none of which are operational requirements for cloud service providers (CSPs).
A security- and compliance-minded CSP submits to annual independent auditing under the SSAE 16, ISAE 3402 and AT-101 audit standards. Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA/HITECH), and self-certification under the EU Safe Harbor Directive show that the CSP has taken initiative to serve customers subject to strict security standards.
These providers will also be sensitive to jurisdictional issues concerning data storage and processing. Data centers powering cloud computing platforms frequently exist in multiple nations, which can trigger cross-border issues. This can increase complexity for university buyers, or prevent them entirely from using certain CSPs who cannot or will not guarantee that data will remain exclusively within the U.S.
A CSP that owns, operates and maintains its own IT and cloud infrastructure is generally preferable to one that does not. That CSP is in control of its own destiny and that of its customers. The same applies to a reseller’s services provider. Transparency may be even more important when an intermediary is involved, and the reseller should be proud of who it provisions services from.
Review all aspects of infrastructure. Obvious areas include network capacity, redundancy, access controls and physical security; data storage and back-up; and compute capacity. Ask who the CSP’s product and technology partners are – this says a great deal about the quality and integrity of its systems – and what its maintenance and test processes are.
Many public cloud providers have fixed product and services offerings and a self-provisioning service model, which lacks flexibility or customization. Having access to a knowledgeable collaborator to assist with cloud strategy and a tailored design, a professional staff with current and relevant hardware, software and network certifications, and local accountability to resolve issues quickly is a much more adaptable and responsive model.
The flexible CSP is likely to have additional services to assure security, availability and performance matched to current and projected needs. Such services could include firewall management, intrusion detection and prevention, patch and vulnerability management, data back-up and disaster recovery services, to name a few.
Not to be lost in this discussion are all the other benefits that come with cloud computing: scalability, availability, cost reductions, economies of scale, professional management and the latest technologies, among many others.
While many prospective cloud users, be they in academia, government or business, still think of the cloud monolithically, it is constantly and unequally evolving and maturing. New models, services and advancements are created continually. Being clear about what your IT issues are, what goals you want to achieve and what your expectations are going into the cloud is really the first step to finding what you want. This is true for security, availability, business continuity or any other priority you may have for cloud computing or storage.
If not everything you want is available at the moment, it’s reasonable to assume it will be soon. Making that journey with a cloud partner/collaborator you can trust will be more effective and rewarding than going it alone.