Cloud Shift Requires Vendor Leadership and New Procurement Processes
Tracy Mitrano | Director of Internet Culture Policy and Law, Cornell University
Cloud-hosted products and services are becoming commonplace across the higher education spectrum, but moving from on-premises hosting of major systems and information to the cloud brings with it a host of issues of which leaders must be aware. Chief among these issues are privacy and compliance regulations that dictate the storage and protection of information. In this interview, Tracy Mitrano sheds some light on some of the issues higher education leaders need to be aware of when shifting to the cloud and shares her thoughts on the role vendors must play in this new technology environment.
The EvoLLLution (Evo): Why do higher education leaders need to be very aware of security and compliance concerns when considering migrating major administrative systems to the cloud?
Tracy Mitrano (TM): Higher education leaders need to be aware of security and compliance concerns when considering adopting cloud services because the calculus of privacy and security shifts from on-site to the cloud.
The contracts become the principal issue by which an institution can manage its privacy and security. Prior to the cloud, the emphasis would be on technology because it would be under the institution’s own management.
Evo: Is the cloud more susceptible to a breach than a system hosted on-premises?
TM: I don’t think there is a greater risk in moving to the cloud than hosting on-premises. Technology is moving to the cloud so assiduously that it’s not something that can be avoided. But it is something that requires careful management and a significant shift in the procurement process.
Procurement used to be a linear process when technology was on-site. Cloud requires a coordinated process among IT, legal counsel, information security, information privacy and communications departments, along with whatever other stakeholders are involved in the particular administrative system.
That’s a very different approach than institutions have taken within the last 25 years of using information technology.
Evo: It seems as though a move to the cloud necessitates the role of vendors changing from software salespeople to operational and strategic partners.
TM: That’s absolutely right; moving to the cloud means that vendors need to take on the role of strategic and operational partners. Higher education needs to learn how to change it up internally in order to address its compliance requirements. These requirements don’t go away because you’re using a hosted cloud system. They just change in how you address and manage them.
The vendors’ responsibility has not been discussed adequately as yet. It would be enormously helpful if vendors came prepared, understanding the landscape of higher education, its particular compliance requirements—for example, FERPA and in many cases HIPAA—as well as a host of other privacy and security rules and regulations associated with federal grants.
If the vendors came to the table understanding that landscape, it would be helpful. But let me also say this: it would be enormously beneficial for them because they would win the contract versus other providers that are far less prepared to understand and work with the administration.
Evo: What are the ramifications of migrating to the cloud and experiencing a data breach for a university?
TM: That’s a provision that must be thoughtfully worked out in the contract. The data breach responsibilities must be specifically articulated in the contract, covering every aspect from mitigation of the immediate breach right on through to notification of the institution. Then, of course, the contract needs to define who is financially responsible.
There are many issues involved in this, in particular because, in the absence of federal breach laws, we all have to contend with the state laws. As such, any contract needs to be tailored to the specific state where the university resides.
Evo: What must higher education leaders look for in a cloud provider to minimize these security and compliance risks?
TM: University leaders need to look for a vendor who comes to the table understanding the higher education landscape, its business processes, its compliance processes—which are broad, deep and complex—and is willing to work with the institution on a dynamic procurement process and implementation.
Evo: Is there anything you’d like to add about the importance of understanding the higher education landscape for vendors who are trying to sell cloud-based services?
TM: Higher education’s own understanding of how it has to change up its procurement process, in the way I described earlier, is only slowly emerging, but it is emerging.
If vendors can work with the institutions that are at the lead of that process, such that they would know how to be of assistance to other institutions down the road, it becomes a win-win situation.
The vendor wins, the institution wins and it impacts not just the speed of acquisition and implementation, but also the institution’s assurance that the transition to the cloud is happening while maintaining and even bolstering the institutional compliance profile.
Author Perspective: Administrator