Paper: Cloud computing at Plymouth University
Author: Adrian Hollister, Head of Strategy and Architecture
The technology research company Gartner lists cloud computing amongst its top 10 disruptive forces in the IT industry today: “Cloud computing is an important and disruptive long-term force in the industry, with a significant potential for impact on every aspect of IT, the business and how users access applications, information and business services. Cloud computing is shifting from an isolated project to a central IT strategy, and most organizations now assume that cloud computing, in some form, will become a reality.” Moreover, estimates of global spending on cloud services show it increasing from $110 billion in 2012 to $210 billion in 2016.
Clearly, as the technology behind cloud computing develops and the market matures into the mainstream, it is important for the University to consider the implications and how we should respond.
So what is all the fuss about?
Although the subject of a lot of hype, and somewhat shrouded in mystique, cloud computing is simply a method of commoditising certain IT services by delivering them across the Internet and structuring the pricing regime, at least to a degree, on utilisation. This is analogous to the electricity and gas industries, which for many years have delivered their supply across a common network and based their prices partly on a unit of consumption. A variety of units of measure can be used for IT services (e.g. number of users, processor utilisation, storage volumes); the choice differs by vendor and service.
As they are able to leverage the benefits of consistency and considerable scale – often at a global level – cloud services also tend to be extremely cost efficient. This compares with traditional IT models, which are frequently tailored in their design and/or delivery for each individual implementation.
However, by their nature cloud computing services do present issues which require consideration before their adoption. This paper discusses these issues as they pertain to the University.
2 Benefits of Cloud Computing
Apart from the lower TCO advantage, there are many additional benefits of cloud computing, the relevance of which varies depending upon an organisation’s size, scale, sector and strategic goals. The five most common are listed below:
Lower capital expenditure
The ability to source IT services on-demand allows organisations to move to an investment model based on operational expenditure as it is the vendor that takes responsibility for the majority of the capital intensive IT infrastructure costs. A key commercial implication of this approach is that it enables organisations to shift their IT costs from the ‘fixed’ to the ‘variable’ which in IT capital intensive businesses can be a crucial benefit.
Greater flexibility and mobility
By virtue of their delivery across the Internet, cloud services can be accessed from virtually any location. This is particularly important for services where mobility is highly desirable, e.g. email, Office apps, websites and CRM.
Continuity of business
An associated benefit of remote working capability is that in the event of a local disaster preventing people from making it into the office (e.g. fire, flood or snow etc) they have the option of working from a different location.
Maintenance and upgrades
Because cloud-computing providers are responsible for the IT infrastructure for a large number of customers they tend to employ dedicated teams whose sole responsibility is ensuring hardware, software and networks are maintained properly across a substantial assortment of platforms. These teams will by necessity have a considerable range of skills and follow strictly controlled quality processes that any single client would find problematic to maintain from both a cost and staff retention perspective.
Improved IT security
Rather than weakening IT security (see below), there is a case for saying that cloud computing actually improves an organisation’s defences. This is because of the significant investment cloud providers put into securing their data centre infrastructure, and keeping their customers’ data safe. Vendors benefit from economies of scale – they can afford to invest in the latest solutions and preventative approaches, whereas relatively few individual organisations can to the same degree.
3 Considerations with Cloud computing
Broadly speaking there are two main issues we have to be cognizant of when considering cloud computing as an option for any of our IT services: –
- Compliance and regulatory control
- Security and availability of service
3.1 Compliance and regulatory control
As the market for cloud emerged in the USA, most cloud providers have to date located their host data centres there as well. Whilst from a pure technology perspective this is of minor importance, the consequence of locating our data in a different jurisdiction does have implications. There are three pieces of legislation in particular that are of interest and are discussed below. However, it should be noted that, as the industry matures and efforts to drive cost efficiency are sought, we can expect to see a shift towards Asia – which will of course stimulate its own considerations.
• UK Data Protection Act
• EU Safe Harbour
• USA Patriot Act
UK Data Protection Act
UK data protection laws facilitate criminal and anti-terrorism investigations. The University is a data controller and it is vital that personal information is handled in a responsible, compliant manner and that services and their integration adhere to the Data Protection Act whilst observing the Information Commissioner’s guidelines around fair use and informed consent.
Each element hosted by a cloud provider needs to be evaluated in the context of the purpose of the service. Email addresses for example, while considered by many as harmless, often contain the trifecta (name, gender, location) of personally identifying attributes that should not be disclosed unless the application specifically depends upon such information and the user has been informed in advance.
EU Safe Harbour
The eighth data protection principle under the EU’s Data Protection Act is the EU Safe Harbour. This requires personal data not to be transferred outside the EEA unless the destination country ensures an adequate level of protection for the data subject in relation to the processing of personal data.
Traditionally, the USA was perceived not to satisfy this test and so EU data was not permitted to transfer to the USA. To overcome this problem, the EU and USA negotiated the Safe Harbour arrangement in 2000 under which USA companies can sign up to the Safe Harbour principles and undertake to process data in accordance with EU requirements. They can then receive EU personal data even though USA-based. Accordingly, the transfer of data between the EU and those companies in the USA who have signed up to the Safe Harbour (and their non-USA subsidiaries) is not interrupted. It is through this vehicle that Microsoft UK, for example, can send data to its USA parent.
The Safe Harbour is not controlled by the EU or USA government but is self-regulated by the private sector, subject to the oversight of the USA Dept of Commerce and sanctions of the Federal Trade Commission against companies who breach its requirements.
US Patriot Act
The Patriot Act (“the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”) was introduced following 9/11 and allows ‘special measures’ to be taken against information of relevance to the USA government. The effect of the legislation is that it permits the USA government or a federal judge to access any data hosted in the USA or by a USA-based company regardless of where it is hosted (whether or not the owner of the data is American).
In the context of cloud computing, if the University stores data in the cloud and some of it ends up being stored in the USA or is stored by a company that is USA owned, (even under the EU Safe Harbour), that data might potentially become subject to the Patriot Act.
There are two key points of note for the University. Firstly, the University, staff or students using services provided by a USA-based company, such as Google, would be subject to the Patriot Act. Even Google UK or Microsoft UK, which are wholly-owned subsidiaries of USA companies, could be forced by their parent company to comply with that Act. Secondly, a UK owned/based company which provides cloud storage or services only to UK citizens residing within the United Kingdom would be wholly under UK/EU law and would be outside the Patriot Act.
The Information Commissioner’s Office states the following in their Good Practice Guide:
“You should take into account the legislation in place in the country or territory where your chosen processor is located and any obligations this may impose on you, for example, the US PATRIOT Act.
As part of your assessment as to the adequacy of the protection available for the information being transferred you will need to consider other legislation, any risks this may pose, the likelihood of you or your processor being subject to that legislation and how you will respond if necessary.
You will need to make sure you have procedures and measures in place to deal with any requests for information you or your processor may receive under legislation in the country in which the processor is located.”
The advice from the Leadership Foundation for Higher Education, as published in their journal ‘Getting to grips with Information and Communications Technology’, states:
“In practice [the Patriot Act] presents a very low risk, as the US government has to go through a rigorous process to justify access before it is granted.”
3.2 Security and availability of service
Any system delivered over the Internet is of course subject to the availability of the World Wide Web. It is important to recognise, however, that given the pervasive nature of the internet today, a catastrophic failure of the WWW would be akin to the loss of a basic utility, so perhaps a more realistic concern for the University is the potential for a localised interruption in connectivity to the internet.
Maintaining our own private IT infrastructure means that we have control over the measures deployed to ensure our environment is protected against external or internal threats. However, when consuming cloud services, the responsibility for protection against these threats passes to the service provider. Security is always seen as one of the highest risk areas for cloud service providers and most invest significant sums to ensure their services are adequately protected. After all, in a consumer model, customers can move to another cloud provider relatively easily. However, this still does not provide complete protection – large collections of information in one place become a highly valuable prize to those that seek to collect and profit from key information (such as email addresses, telephone numbers, bank details or IP).
A small number of smaller cloud and hosting providers have gone bankrupt in the UK. At the beginning of 2013, the UK cloud provider 2e2 collapsed and informed its customers that they needed to “pay £40,000 just to keep the lights on.”
These risks can however be mitigated by careful selection of the cloud provider and by confirming their continued adherence to relevant IT standards, security certifications and regulatory controls as well as ensuring cloud provision is underpinned by adequate business continuity and disaster recovery arrangements (e.g. through the independent storage of entire system configurations).
4 Examples of Cloud Provision Today
4.1 Cloud in Public Sector
Within the UK Public Sector there is a realisation that significant savings can be found when sharing services in the Cloud. Indeed, as part of the Coalition Government’s ICT strategy, over £22m has been spent on the UK Government’s Cloud Store – a service created specifically to promote the use of cloud based services.
Moreover, central government departments are now mandated to consider public cloud first in any IT procurement and the wider public sector is strongly recommended to take the same approach. Two recent services placed in the Cloud are shown below.
- £1.3M G-Cloud deal with IBM for immigration service
- £3M G-Cloud PaaS service with Skyscape
Suppliers such as Salesforce.Com have a business model based almost entirely upon cloud provision and have targeted the UK public sector as a growth market as evidenced by their recent investment in a UK based data.
4.2 Cloud within Higher Education
Within Higher Education in the USA the move to realise the benefits of cloud computing is proceeding apace. For example, California State University is moving to a largely cloud based implementation for many key services, including its data backup system. Moreover, companies such as Blackboard and Joomla (providers of Virtual Learning Environments) are now provisioning their hosted services in the Cloud.
The comparatively conservative nature (in terms of IT) of UK HE has so far seen it behind the curve on adoption. However, organisations such as JISC are helping UK universities improve their IT service delivery through the Cloud. JISC committee member and Pro Vice Chancellor of Roehampton University, Chris Cobb, has commented: “With cultural barriers to shared services [via the cloud] now dissipating, the time is right to consider shared services more strategically and not just opportunistically as has been the case so far.”
We are not alone in thinking about the Cloud. Indeed many UK Universities are making some use of it, if only at a basic level such as with Google Mail and Application services and Microsoft’s Office 365.
4.3 Cloud within Plymouth University
The University already utilises cloud services: the recent Alma service, along with Office365, Primo, ePayments and Aspire, are all delivered at least in part via the cloud. All are delivered across the Internet with data held in multiple countries.
The combination of the benefits of cloud computing together with the increasing maturity of the marketplace represents a compelling case for further adoption. However the issues outlined above demonstrate that this is not without risk.
Fortunately these risks can be mitigated through careful and informed planning together with continued diligence of the market, vendors and service delivery levels.
6 Further Reading
- Getting to grips with Information and Communication Technology, Resources for Governors of UK Higher Education Institutions, 2013, http://www.lfhe.ac.uk/governance/publications
- The Government Cloud Store, Overview, http://gcloud.civilservice.gov.uk/new-cloudstore/
- Cloud Computing, You need to run your business in the cloud — where do you start? http://www.gartner.com/technology/topics/cloud-computing.jsp
- JISC reports on Cloud Computing http://www.jisc.ac.uk/whatwedo/topics/networkinfrastructure/cloudcomputing.aspx
 Gartner, Top 10 Technology Trends, 2013: Cloud Computing and Hybrid IT Drive Future IT Models, 6 February 2013
 Gartner, Forecast: Public Cloud Services, Worldwide, 2010-2016, 4Q12 Update
 U.S.-EU & U.S.-Swiss Safe Harbor Framework, http://export.gov/safeharbor/
 ICO, Data Protection Good Practice Note Outsourcing – a guide for small and medium sized businesses, 2009
 p39, section 7.10 of “Getting to grips with Information and Communications Technology”, March 2013. www.lfhe.ac.uk
 ‘Stricken 2e2 threatens data centres: Your money or your lights’, The Register 2013, http://bit.ly/XSDoOZ