Cloud computing’s next step — Recognizing, managing risk

The prevalence of cloud computing has increased to the point of transforming IT and business models in every industry, including higher education. Half of higher education institutions have at least one core information system in the cloud; half of those have two cloud implementations, and one-quarter have three, according to an EDUCAUSE Core Data Service survey.1 In today’s climate, institutional leaders are moving past just considering whether to implement the cloud, and on to planning appropriate ways to adopt it.

Cloud computing is the technology that enables access to a shared resource pool of information, applications, infrastructure and/or services.
Whether the cloud is internal or external, and whether it is hosted by your IT staff or run by a third party, your institution is responsible for ensuring that appropriate controls are in place.
Sidestepping the risk management issues that other industries have confronted and resolved, higher education leaders have thus far generally chosen to start with areas that are not business critical or highly complex, and therefore do not pose undue risks. Examples include email, video streaming and office productivity tools.2 However, this will change, driven by the desires of key constituents (e.g., students, faculty and researchers); the demands for greater collaboration, information sharing and mobile access; and the need to optimize investments in technology. In line with core mission support, there will be greater focus on instructional technology. As teaching and learning methods transform, your institution’s risk management strategy must be evolve, as well.

As your institution adopts greater use of the cloud, learn from the pitfalls experienced by industries that have gone before by taking these steps to manage risk:
Trends shaping the future of cloud computing in higher education

Hybrid cloud: This is a computing environment in which an institution owns and manages some technology resources, either internally or hosted externally by a third party exclusively for the organization, and has others on the Internet provided by a public third-party vendor. Gartner states that “while actual hybrid cloud computing deployments are rare, nearly three-fourths of large enterprises expect to have hybrid deployments by 2015.”1

We expect that higher education technology deployments will be part of this trend. While certain systems and services will continue to be kept within institutions’ internal infrastructure (or on private clouds) due to issues such as mission criticality, complexity, cost or risk, other services or applications will be shifted to external clouds. The need to develop, implement and maintain the interfaces between these two environments will become a key IT management challenge.

Data analytics and big data: Institutions will benefit from leveraging analytics and big data to better understand student behavior, improve enrollment, enhance student performance, and increase faculty and curriculum effectiveness, etc. This can be accomplished by tapping into current institutional data and the data from various other sources, such as online courses, social media, blogs and surveys.

Collaborative learning: Whether or not current group learning and online learning techniques (e.g., learning management systems and massive open online courses) are sustainable, the powerful concept of collaborative learning is here to stay. This approach encourages knowledge-sharing, problem-solving and innovation, regardless of the mode of delivery. The increased processing power and connectivity offered by cloud computing enables exactly the sort of contributions and behaviors required of faculty and students to make collaborative learning an effective, successful and sustainable educational model.

1Zeng, Evan, and Bittman, Thomas. “China Summary Translation: Private Cloud Matures, Hybrid Cloud Is Next,” Gartner, Oct. 17, 2014. Gartner subscribers can read the full report.

1.    Strengthen your IT organization. Faculty and students are exploring newer and more innovative instructional and study methods, increasing their use of technology, and changing the ways it is used. Equip your IT organization to facilitate, support and sustain technologies that serve your institution’s educational mission.

To be successful within this complex reality, your IT organization needs the appropriate talent, along with the architecture and governance to provide solid support while offering a high degree of flexibility. Provide IT with the budget and personnel required to both manage external providers — outsourced services and applications — and operate and support the internal infrastructure, maintaining interfaces between the two environments and evaluating, selecting, developing and implementing new technology. The IT infrastructure and organization need to be adaptable to changing demands, and budgets need to reflect that greater investments in cloud technology may be needed to achieve downstream operational savings, generate new revenue streams, and to allow the institution to remain competitive in attracting and retaining students.

2.    Ensure that IT, academic and administrative areas are working closely together.
As with any business transformation, success in adopting cloud computing requires that efforts be orchestrated across the institution. Bring together IT, academic departments and administration to properly identify needs, manage risks and support change.  

While academic and administrative departments should drive the selection of cloud computing vendors, applications and services that shape instructional and business processes from a business requirements standpoint, IT must remain responsible for ensuring that any selection is compatible with the overall technology environment and architecture, and that potential solutions meet technical requirements of integrity, reliability, recoverability, etc.

3.    Guard information and privacy, and manage risk and compliance.
Even with the heightened focus on information security resulting from extensive media attention to recent breaches, only one-third of higher education institutions have adopted an IT risk management program or methodology.3 The need to do so is only heightened when deploying cloud technologies and using resources that are the responsibility of third-party vendors.

Your institution takes on regulatory and compliance risks by relying on a service provider’s adherence to regulations such as those imposed by the Payment Card Industry Data Security Standard, the Family Educational Rights and Privacy Act, and HIPAA. Other noteworthy risks relate to business continuity (ensuring that key operations are not disrupted in system downtime), cybersecurity and malicious insider attacks, commingled data, and compatibility issues with existing infrastructure.

To maximize protection of your institution and prevent breaches, consider privacy and security risks that are introduced when information leaves the confines of your campus security environment. Establish a comprehensive assessment structure for identifying, evaluating, and mitigating or managing IT risks, including potential for loss of control of data placed in cloud technologies. Make sure you understand how third parties secure your data and what controls remain your responsibility.

Adopting cloud computing brings benefits, but also challenges and risks. The protections you put into place will help your institution move more securely into a cloud environment.   

Back to The state of higher education in 2015

1Lang, Leah. “2013 CDS Executive Summary Report,” EDUCAUSE, Feb. 18, 2014.
2Grajek, Susan. “Top 10 IT Issues, 2015: Inflection Point,” Educause Review Online, Jan. 12, 2015.
3“IT Risk Management Poll Results, April 2013,” EDUCAUSE Center for Analysis and Research, April 2013.