CUNY 8th Annual IT Conference

 Turning Down the Volume on IT Project Risk
For more than 50 years, since application developers and end users first met, fewer than 30% of IT projects have been considered successful. Join this lively discussion with leading IT managers and CUNY faculty as they examine areas of recurring project risk. Topics covered will include poor communications, misunderstood requirements, and lack of sustaining support from business owners and sponsors.

Presenters:
Jeff Barnes, Deputy Chief Information Officer, Queens College
Bill Bernhardt, Associate Professor of English, College of Staten Island
Chris Ianniello, Director, Application Services, Computing and Information Services (CIS)
Phil Pecorino, Professor of Philosophy, Queensborough Community College
Brad Orcutt, Associate Dean, Information Technology, LaGuardia Community College
Jennifer Sparrow, Dean for Academic Affairs, Medgar Evers College
(Moderator) Claudia Colbert, Director, CIS Project Management Office

                             IT Clouds and Institutional Responsibilities

Philip A. Pecorino

CUNY Graduate School and University Center

School of Professional Studies

CUNY Queensborough Communty College

From time to time I have offered comments on matters of an ethical nature or on professional responsibilities related to information technology to the CUNY IT Steering Committee.  The last set of comments offered in May of 2008 dealt with the issue of Institutional Responsibility and the Provision of IT Services and Functions.  In it I concluded with this list:

With concern for the Institutional Responsibility to provide for the security and reliability of the support structures for the instructional program, I submit the following for the consideration of IT professionals of this university.

A. The provision of IT services through outside vendors is warranted if, in so doing, Institutional Responsibility is better fulfilled.    This is particularly the case when security, privacy and/or confidentiality are at greater risk if provided by CUNY as compared to an outside vendor.

B. The provision by an outside vendor of IT services that are needed would be unwarranted when these three conditions are met:

1.       When using the outside vendor/source for a service places security, privacy and/or confidentiality at greater risk.

2.       When there are other sources available for provision of the service or function that would be under greater or total control of the institution and at considerably less risk to security, privacy or confidentiality.

3.       When the increase in cost in the provision of the service without the use of the outside vendor is acceptable.

C. The more the provision of services and functions are under the control of the institution the greater the possibility for respect for and provision of the security, privacy and confidentiality needed by those served by the institution.

Whenever possible CUNY should plan to have the provision of services under as much control of the university itself as is possible where security, privacy and confidentiality are of importance.

Now due to CUNY experiences with the Blackboard Course Management Program and with what has been appearing in the IT literature I turn again to the issues of institutional and professional responsibilities as they relate to Software as a Service (SaaS aka the Cloud) or the placing of services and operations into the Cloud.  

Several IT leaders have been commenting recently on these issues.  Some were interviewed recently in CAMPUS TECHNOLOGY[1] on the safety and security issues that arise with educational institutions place services into the "cloud" and with software as a service (SaaS) providers.  More and more colleges and universities are putting more data and more critical data in the cloud.   CUNY is placing its student email there and its course work and course materials there and perhaps, through organizational groups in BlackBoard, placing other work and materials into the cloud as well.  Relatively unimportant academic committee work and sensitive committee work related to searches and disciplinary proceedings are lofted into that cloud and some of that, perhaps most of that, happening without the full realization of those doing that work.  Just how safe is that information kept?  How secure is it and how certain are its creators and users that it will be available to the proper authorities when needed and for how long?

Anthony Hill, CTO for SaaS-based student lifecycle management provider Top School and previously CIO of Golden Gate University (CA), where he led a major initiative to move the university's IT services to the cloud, offers this observation or warning: "It's a mistake for schools to think that by moving to a cloud, they are absolving themselves of some responsibilities." CAMPUS TECHNOLOGY[2]

Hill states that "I think they should ask what mechanisms the SaaS provider has to respond to security incidents, and I think they should ask themselves that very same question. Things that universities typically have not been rigorous about, they need to become more rigorous about in a cloud environment."  He offers these Top 10 Questions to ask a cloud service provider:

1. What kind of team does your company dedicate to security issues (e.g., number of people, background, focus, and priorities)?
2. Do you replicate data at various geographical locations?
3. What technologies and procedures do you have in place to protect your facilities?
4. Do you offer encryption for client connections to your servers?
5. What procedures do you have in place to limit internal access to data?
6. Can you provide third-party, independent verification of the security controls you have in place?
7. Can you cite as references other organizations that use your services?
8. Do you have information on how your services meet regulatory requirements that may apply to my institution and to the education market?
9. What is your response plan for security incidents?
10. Can my institution move large amounts of data to or from the cloud? In particular, what are my institution's options for retrieving its data when we stop using your services? CAMPUS TECHNOLOGY[3]

Has CUNY done this? ( I am particularly interested in items 8, 9, 10. That last one, #10, is of great interest to me.) 

On the need for cloud providers to show hard evidence of their security practices, this is what Jeff Keltner, business development manager at Google, responsible for Google Apps in the education sector worldwide, offered with regard to standards or groups that can certify cloud vendors.

"At Google we've tried to find standard ways to be more open about what we do. The one big one we've gone through is what's called the SAS 70 Type II [Statement on Auditing Standards No. 70   http://www.sas70.com/ certification, where we have third parties auditing, with a control document-- a confidential document we can show to customers that specifies how we are operating the data centers and what our privacy and security mechanisms are. We are also working toward a FISMA [Federal Information Security Management Act; csrc.nist.gov/sec-cert] certification, which is commonly used by federal government agencies. So we've tried to choose the right ways to be open and transparent, but this is still a very new and emerging space. I'm sure we'll continue to see this space evolve as more and more people get involved and some more standards emerge. "  CAMPUS TECHNOLOGY[4]    

Does CUNY insist on this sort of thing?

The placing of an institution’s IT operations into the Cloud appears fast becoming a most popular option for colleges and universities.  In Campus Technology [5] there appeared an article by the Chancellor of the Ohio Board of Regents in which there is no word of any concern for security, safety, confidentiality, and disaster recovery or business continuity assurances.  The institutional values of efficiency and economy are well displayed as his concerns.  These attempts to realize those values identify them as having the predominant position guiding institutional decision making.  This is something I have been noting in the decision making process for large institutions and for IT in CUNY in particular.  There needs to be a balancing of those institutional values with the values of those being serving by the services and resources of the institution.  The mission critical operations must be kept secure in all senses.  I identify that as among the primary professional responsibilities of IT managers. 

Michael Dieckmann, CIO of the University of West Florida has laid out the case that IT departments are tasked to maintain a high level of service and ,as their budgets are pared down, economy becomes a watchword.  “There are massive economies of scale that have evolved in cloud computing that are going to drive many of these cloud solutions to the most cost-effective way for us to provide services for our institutions,” he said in Inside Higher Education[6].  At the same time and place Melissa Woo, director of cyberstructure research at the University of Wisconsin at Milwaukee, has challenged the notion that, putting security matters aside, SaaS will always or often prove to be cost effective when compared to in house solutions. “We don’t even have a basis for comparison!” she continued. “…I keep hearing about cost-effectiveness, but do we really have any data to bear that out?” Inside Higher Education[7]. 

On placing services, including mission critical services,  into the SaaS Cloud, " Christine Sexton, a Sheffield University technologist who had flown all the way from Britain for the  (EDUCAUSE)  conference, said in an interview  reported in Inside Higher Education[8] that she sided with the pro-cloud crowd. “I think we all have to trust vendors,” she said. “We all have to trust Microsoft and we all have to trust Google, and we have to trust Blackboard. You just have to trust them to do it.” 

Such commentary prompts me to reflect and to consider the matters of institutional and professional responsibilities.  Just how much trust is justifiable?   Here are just a few important questions that come to my mind as CUNY joins other universities in placing more of its services into the Cloud:

• Is it professionally responsible to place that much trust (near total trust) with the Software as a Service (SaaS or Cloud) vendors?   For how much are they to be trusted?
• Does moving services into the cloud absolve the institution of a need for having a disaster recovery or a Business Continuity plan in effect ?
• What provisions, if any, should there be in a contract with Software as a Service (SaaS or Cloud) vendors that provide for the proper discharge of the institutional responsibility for security, safety and continuity of mission critical operations?

When things go well we celebrate the economy and efficiency of operations.  When they don't go well we look at the need for the realization of those other values.   

I know that CUNY does not operate on blind faith.  Nor does it place total trust in any vendor or anything or person.  But making known just what are the security and safety and DR measures with SaaS might establish for those concerned that CUNY is exercising due diligence and fulfilling its institutional responsibilities.  Conversations on these matters might well serve CUNY IT managers with their DR and Business Continuity Plans. 

The articles cited below indicate how too many colleges focus almost totally on the efficiencies and, at least apparent, economies of SaaS to the exclusion of concerns about security, safety and continuity of services.  My hope is that CUNY contracts with SaaS vendors are not devoid of concerns beyond costs.   

I know that CUNY set a precedent with People Soft contract for the ERP (or CUNY FIRST)  in holding them responsible for more than they would generally take on in terms of a contractual guarantee of the testing of their installation and some adjustments that might be in order.   

Perhaps the learning from recent experiences CUNY might again set a precedent, or might be already setting a precedent, in having provisions in CUNY contracts with SaaS vendors for security, safety, DR and continuity for mission critical services. 

END NOTES: