In 2010 a colleague from Princeton University approached me about starting a new Educause Constituent Group on Cloud Computing. The term cloud was still new to the technology industry and we had felt that it was likely, higher education was going to jump into this new set of services right away. The cloud promised ease of adoption and cost savings to Higher Education. IT in higher educations has always dealt with a budget and set of resources that isn’t funded quite the same as our industry peers. Ease of adoption, flexibility, scalability, cost savings, and resource savings were all benefits being marketed by cloud vendors. From around 2010-2014, the cloud-primarily focused on software as a service (SAAS) offerings to higher education. Infrastructure as a service (IAAS) and platform as a service were still just getting off the ground but not a great deal of adoption in the IT industry overall.
Higher education institutions were drawn to cloud via services such as free email from Google and Microsoft. We then moved into online file sharing using services such as One Drive (previously Sky Drive), Google Drive, Box, and Dropbox. Then other software suites started to get into the fray including enterprise resource planning (ERP) systems, learning management systems, collaboration suits, and many others. Eventually, both IAAS and PAAS broke through with many organizations starting with our researchers and then moving into virtual data centers in Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure. It truly has been a revolutionary transition to the cloud for higher ed and has transformed our IT services benefited our institutions in numerous was.
"If we want to lead the way for cloud computing in the next decade we must tame the increasing costs, data sprawl and the complex security & privacy regulations facing our industry in partnership with cloud vendors"
While there has been a great deal of benefit from transition to the cloud, we also have introduced new challenges that we never could have anticipated. As the price of higher education, decreasing enrollments, and the move to online delivery continues, universities will be looking to cloud solutions to improve efficiency and operations of business processes. The challenges will continue to grow unless we meet them head-on as an industry. Here are some of the cloud challenges we must tame in higher ed IT:
Cost: Gone are the days of free cloud services. Although there are still some that provide baseline services for free, most services require add-ons for compliance requirements. Additionally, to increase year-over-year revenue for cloud vendors, they are putting out “value-added” services that have additional costs. We are also seeing significant increases to annual subscriptions and maintenance agreements at the same time we are being asked to reduce our annual IT costs at many institutions. We need to continue to band together in consortiums to get the most affordable cloud solutions for higher education. The IT cost savings we were promised by moving to the cloud are evaporating but efficiencies in the business units are increasing. We need to align both to be successful and sustainable.
Data Sprawl: As our compliance regulations are becoming increasingly complex, we are seeing a data sprawl because of the number of cloud vendors on our campuses. We used to have a single ERP, email system and storage solution. We now have cloud solutions that are more specialized. Cloud solutions provide support for student life, retention, recruiting, safety, event management and many more. Each of these cloud solutions requires the use of institutional data all of which require appropriate controls. At some point, we are going to have to find better ways to manage the sprawl of data with cloud vendor or we may increase the risk of data privacy issues.
Security and Privacy: One of the ways that higher education information security professionals ascertain whether a cloud solution is appropriately handling security is to review a System and Organization Controls (SOC) report. This report is an independent review of the vendor’s IT controls. Independent assessments provide assurance to higher education institutions that a vendor takes security seriously. The problem is that more and more, cloud vendors are hosting with AWS, GCP and Azure and what they provide to our risk management teams are SOC reports from those platform vendors. While helpful, in no way does a SOC report from one of the big three cloud platforms provide us any assurance that the architecture, design, and implementation of a cloud solution has the proper IT security controls. It is too expensive and costly to do our own individual assessments of each vendor, so as an industry we need to force cloud solutions to get reputable companies to do an independent assessment of their solution. We need to protect the privacy of our community, and cloud vendors need to take security as seriously as we do.
Looking back to on higher education’s work over the last decade, I really feel we have led the way to cloud adoption. If we want to lead the way for cloud computing in the next decade we must tame the increasing costs, data sprawl and the complex security & privacy regulations facing our industry in partnership with cloud vendors. I’m looking forward to building these partnerships with our solution providers. I can’t wait to see what the next decade brings.