
Cloud 101: Tools and Strategies for Evaluating Cloud Services

Andrew Keating • Khalil Yazdi


Welcome & Introductions

Andrew Keating, Director, Cloud Services, Internet2
Khalil Yazdi, CIO-in-Residence, Internet2
Seminar Logistics

• Shared folder:
– To Join Folder: http://bit.ly/1H7tKhP
– https://internet2.box.com/educause-cloud-101
• Paper Handouts
• Online Poll
– https://pollev.com/andrewkeatin051
Today’s Agenda

12:30pm Welcome
12:45pm Introduction to Cloud & Community Cloud
1:20pm Break
1:30pm Activity: Cloud Challenges
2:00pm Overview of Cloud Assessments
2:35pm Break
2:45pm Activity: Cloud Assessments
3:15pm Concluding Comments and Discussion
4:00pm Adjourn
Online Poll
https://pollev.com/andrewkeatin051

“What is attractive about Cloud Services?”

“What concerns do you have about Cloud Services?”


Overview of Cloud & R&E Community Cloud

INTERNET2: Powered by Community; Accelerating Research & Education through Community Innovation

Founded: in 1996 by research universities to take self-responsibility for providing a data networking environment that would not otherwise exist, or exist as and when the community of scholars needed it

Mission: Develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow’s Internet

Goals
• Enable new generation of applications
• Re-create leading edge R&E network capability
• Transfer technology and experience to the global production Internet

Community
• R&E member institutions, affiliates, agencies, etc.
• Rich and complex regional network community
• Global NREN community
The Internet2 R&E Network

• 300+ Universities
• 80+ Corporations
• 70+ Government agencies
• 42 Regional & state networks
• 65+ International R&E networks
Goals for Today
Informed Decision-Making About This Deployment Vehicle

• Cloud Services are Here
• The Cloud is a deployment model that enables satisfaction of MORE use cases
• Become informed as to how to best leverage these architectural building blocks
• Informed Decision Making
What Drives us to Cloud Services?
• Aging Infrastructure
• Scalability & Elasticity
• Volume Up; Prices Down: by 2020 SaaS will account for $133 billion of the $160 billion industry, while IaaS will make up $5 billion, PaaS $12 billion and BPaaS $10 billion.
• 32% Year Over Year Growth With Near Quarterly Price Reductions in IaaS and PaaS
Why Cloud?
Business Drivers – What’s Different?

Student Expectations
Faculty Roles and Requirements
Higher Education Business Needs
IT Services and Delivery
IT Procurement Strategies
Definition is Still Elusive / Amorphous
The Cloud – According to NIST
Cloud computing is a model for enabling ubiquitous, convenient, on-demand
network access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service provider
interaction.
Cloud Computing: NIST Framework
[Diagram: the NIST cloud computing reference architecture, annotated for the Internet2 community.]

Actors
• Cloud Consumer: includes the entire connected community
• Cloud Provider: includes both commercial and community providers
  – Service Orchestration: Service Layer, Control Layer, Resource Layer
  – Cloud Service Management
  – Security
  – Privacy
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
• Cloud Auditor
• Cloud Carrier: the Internet2 R&E Network and partner networks together define the Internet2 Community

NET+ Services: a Cloud Portfolio tuned to community needs and validated by the community

* http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
EDUCAUSE Top Issues: Four Strategic Priorities

1. Contain and reduce operational costs. (Efficiency)
2. Achieve demonstrable improvements in student outcomes. (Effectiveness)
3. Keep pace with innovations in eLearning, and use eLearning as a competitive advantage. (Relevance)
4. Meet students and faculty members' expectations of contemporary consumer technologies and communications. (Value)
Cloud Promise and Challenges
• Customized solutions? Compliance with HIPAA/FERPA
• CAPEX to OPEX
• Reduced administrative overhead: “automated provisioning”; restructuring administrative processes
• Volume of acquisition; innovative approaches?
• Scale, elastic, speed: use what you need; “green” benefits; an individual institution has minimal impact
• Vendor “lock in”; commodity services
• ‘Hybrid’ environments; IT acquisition approaches
• Focus on local specialization, not plumbing
• Who supports students, faculty and staff?
• Security, data privacy and accessibility
The Community’s Response
2010 NACUBO / EDUCAUSE Cloud Summit

http://www.nacubo.org/Documents/BusinessPolicyAreas/ShapingTheHECloudWhitePaper.pdf
Major Recommendations from 2010
Thirteen overall recommendations, which include:
• Create a cloud computing roadmap.
• Develop a risk-assessment framework and guide.
• Develop audit guidelines for cloud-based offerings.
• Identify needed skills and training for cloud-based
services.
• Develop and publish model service level agreements.
• Encourage identity management.
• Create a higher education demand aggregator.
Building a “Brokered Community Cloud” where the R&E Community can act on its own behalf

• Complete cloud deployment platform for the academy
• Scalable and agile to meet broad user mobility needs
• Trusted standards, integrated identity and advanced network delivery
Activity: Cloud Challenges
Discussion Questions
• What’s your role and why are you here?
• What are the business drivers at your campus for going to
the cloud?
• What are the budgetary drivers motivating consideration of
the cloud?
• What are the technical drivers for moving to the cloud?
• Who are the champions for cloud adoption on your campus?
-- what are their expectations?
• Who are the detractors, and who is resistant to moving to the cloud?
• What do you see as major challenges to cloud adoption?
Cloud Assessment Skills
Cloud Assessment Areas to Consider
• Technical & Architectural
• Security
• Compliance
• Legal & Contracts
• Support & Implementation
• Vendor / Service Provider Management
Aspirational View of The Cloud
Simplify / Obfuscate Complexity

From http://geekandpoke.typepad.com
Responsibility and Management Model
[Diagram: layered split of responsibility between the subscriber and the provider.]

Your problem: Your Application; Governance; Architectural Views; Testing, Monitoring, Problem Diagnostics and Verification; Life Cycle (Birth, Growth, Failure, Recovery, Death)

Web of Metadata: Categories, Capabilities, Configuration and Dependencies

Split responsibility: Element Management; Resource Management

Their problem: Facilities & Logistics; Basic Monitoring; Software & Hardware Infrastructure
Architectural Implications: Infrastructure as a Service
Your problem: Your Application; Your Application Server, Your Middleware, Your Database; Your Operating System
Their problem: Hypervisor; CPU, Networking, Storage, Backup; Datacenter (Power, Cooling, Physical Security)

Architectural Implications: Platform as a Service
Your problem: Your Application
Their problem: Application Server, Middleware, Database; Operating System; Hypervisor; CPU, Networking, Storage, Backup; Datacenter (Power, Cooling, Physical Security)

Architectural Implications: Software as a Service
Your problem: YOUR DATA
Their problem: Application; Application Server, Middleware, Database; Operating System; Hypervisor; CPU, Networking, Storage, Backup; Datacenter (Power, Cooling, Physical Security)

The boundary moves up the stack from IaaS to SaaS, but in every model the data, and who is allowed to access it, remain the subscriber’s problem.
Cloud Service Functional Assessment
Review current features and functionality
Discuss existing Service Provider product roadmap (under NDA)
Determine ways in which service needs to be tuned for research and
education usage
Prioritize feature requests and discuss prioritization with the Service
Provider’s product team
Process and Deliverables: understand current features, functionality,
and future roadmap; determine how to request features and inform the
roadmap as well as process for reporting bugs
Cloud Service Technical Integration
Network: Test network performance or review 3rd party testing;
determine service connectivity with the Internet2 R&E network and
optimize for enhanced delivery
Test the network connection to create benchmarks
Identity: Review Service Provider’s identity strategy and determine
InCommon integration
NET+ Identity Guidance for Services
Process and Deliverables: assign technical team members on
networking and identity; develop and review testing plans; and
produce reference documents for service subscribers
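The identity step above comes down to consuming federated SAML 2.0 assertions (InCommon is a SAML federation). The following is an added example, not code from the seminar, from Internet2 or from InCommon, of the checks a service must make on an assertion after its XML signature has been verified: the Issuer is the IdP you federated with, the validity window holds (with bounded clock skew), and the Audience names your own entityID. The entityIDs, the assertion and the timestamps are constructed samples; signature verification itself is left to a proper library and is deliberately not implemented here.

```python
"""Post-signature checks on a SAML 2.0 assertion from a federated IdP.

Added example for the identity-integration step of a cloud assessment; it is
not from the seminar or from Internet2/InCommon. It assumes the Service
Provider consumes SAML 2.0 assertions issued by a campus IdP through the
InCommon federation. The entityIDs and the assertion are constructed samples.
Signature verification is deliberately NOT implemented: verify the XML
signature with a proper library first; these checks are what must come next.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical entityIDs for the campus IdP and the cloud service (the SP).
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://cloudservice.example.com/sp"

# Constructed sample assertion, unsigned, valid for six minutes after issue.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample-1" Version="2.0" IssueInstant="2015-03-01T17:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-03-01T16:59:00Z" NotOnOrAfter="2015-03-01T17:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cloudservice.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse a SAML xsd:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, our_entity_id, now, skew_seconds=60):
    """Return (accepted, reason) for an already signature-verified assertion.

    `now` is passed in rather than read from the clock so the check is
    deterministic; `skew_seconds` tolerates small IdP/SP clock differences.
    Every rejection names the failing condition so it can be logged.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "root element is not saml:Assertion"

    # 1. Issuer must be the IdP we federated with, not just any federation member.
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip()
    if issuer != expected_issuer:
        return False, "unexpected issuer: %s" % issuer

    # 2. Conditions are mandatory here: without them there is no validity window
    #    and no audience, so the assertion is rejected rather than accepted.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions"

    # 3. Validity window (NotOnOrAfter is exclusive), with bounded clock skew.
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    # 4. Audience: the assertion must be addressed to this SP; otherwise an
    #    assertion minted for another service could be replayed against us.
    audiences = [
        a.text.strip()
        for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
        if a.text
    ]
    if not audiences:
        return False, "no AudienceRestriction"
    if our_entity_id not in audiences:
        return False, "assertion not addressed to this SP"

    return True, "ok"


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID,
                          parse_instant("2015-03-01T17:01:00Z")))
```

When reviewing a provider’s identity integration, ask which of these checks its SAML implementation performs and how large a clock skew it tolerates; an SP that skips the Audience check will accept assertions issued for any other service in the federation.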
Cloud Service Security
• What are the documents involved
• Definitions, CCM, SOC 2, ISO 27001
• How to read and understand these documents
Cloud Service Security: CCM
• Cloud Controls Matrix
• Developed by the Cloud Security Alliance
• “designed to provide fundamental security principles to guide
cloud vendors and to assist prospective cloud customers in
assessing the overall security risk of a cloud provider”
• Includes variety of mappings and controls
Cloud Service Security & Compliance
Security assessment: customized version of the Cloud Controls Matrix (CCM) developed by the Cloud Security Alliance
Accessibility review and roadmap commitment: WCAG (W3C)
Data handling: FERPA, HIPAA, privacy, data handling
Process and Deliverables: Service Provider gives review copies of third party audit materials and completes the Cloud Controls Matrix for review; campus security officer reviews and assesses the service; accessibility engineers review the service and communicate needs to the Service Provider
Cloud Service Contracts
What are the key elements in a successful cloud contract?
• Description of service components, features
• Pricing and business terms
• Indemnification and limitation of liability
• Security
• Compliance and representations
• Data and data handling (data retrieval on termination, data destruction, etc.)
• “Exit strategy”: source code escrow
• Service Level Agreement (SLA)
• Insurance provisions
Cloud Service Contracts: HIPAA and BAA
HIPAA: Health Insurance Portability and Accountability Act
BAA: Business Associate Agreement, required if you (or your users) plan on storing PHI in the cloud service
PHI: Protected Health Information
Cloud Service Support & Implementation
Who is the help desk? Where is the help desk located?
Discuss what Service Provider offers and what will be campus
responsibility
Ensure you know how to get support from your cloud service provider
AND what happens if they fail to live up to their promises
Consider the future: what will happen when new features or
functionality arrives
Process and Deliverables: understand how the service will be
deployed and managed; determine how to request help and support
from the service provider and how your end users will do so
Vendor / Service Provider Management
Not a “once and done” proposition
Determine who on your campus or IT team will “own” the service and
manage the ongoing relationship
Ensure you have the appropriate contact(s) at the service provider;
(more than only a sales rep…)
Consider the future: what will happen when staff leave?
Process and Deliverables: understand the key individuals on campus
and at the service provider; document roles, responsibilities, and
contact information
Activity: Cloud Assessments
Review and Discuss Sample Materials
• Each packet contains sample materials from university, community, and cloud service provider templates
• As you review, consider:
  – What does this contract language aim to do?
  – Who or what does it protect?
  – What are the risk considerations for the university? For end users? For the service provider?
  – Which would you sign and agree to?
  – Which would a commercial service provider sign and agree to?
Security Clauses: Sample #1
Service Provider has established, and will throughout the Term maintain, the data security policy
and practices applicable to the Service Provider Service set forth in its then-current SSAE 16
report (“Service Provider Online Information Security Policy”), which Service Provider Online
Information Security Policy will be Service Provider Confidential Information. Notwithstanding the
foregoing, throughout the Term, Service Provider will, with respect to Enterprise Customer Data, at
a minimum abide by data security practices no less protective than the practices set forth in
the Service Provider Online Information Security Policy in effect as of the Effective Date.
Upon the request of Enterprise Customer to Service Provider to view the Service Provider Online
Information Security Policy, Service Provider will promptly provide Enterprise Customer with the
right to view the then-current Service Provider Online Information Security Policy in a
Service Provider folder that will be view-only (with no ability to download such Service Provider
Online Information Security Policy). As long as Service Provider only provides access in the
express manner set forth in the previous sentence, Enterprise Customer shall not obtain, record,
transmit, or distribute any information contained in the Service Provider Online Information Security
Policy in a manner that causes such information to lose its confidentiality protections or to become
otherwise available to the public (including by way of a freedom of information act request). Upon
the request of Enterprise Customer to receive a paper copy of the Service Provider Online
Information Security Policy, Service Provider shall send a copy to the Enterprise Customer
once a representative of Enterprise Customer has executed an NDA in the form of Exhibit F3
(and Service Provider shall send such copy to the attention of such representative).
Notwithstanding anything to the contrary contained herein or in the Service Provider Online
Information Security Policy, in the event of any conflict between the terms and conditions of the
Service Provider Online Information Security Policy and the terms and conditions of this
Agreement, the terms and conditions of this Agreement shall be deemed to control.
Security Clauses: Sample #2
Security. We will maintain appropriate administrative, physical, and technical
safeguards for protection of the physical facilities, and those servers and
networking equipment over which we have administrator access or control and use
to provide the Service Offering. You are responsible for protecting the security of Your
Content, including any access you might provide to Your Content by your employees,
customers or other third parties, and in transit to and from the Service Offering. The
Service Offering provides you with certain software and functionality to help you protect
Your Content from unauthorized access. You will properly configure and use the Service
Offering so that it is suitable for your use. You will take and maintain appropriate security,
protection and backup for Your Content, which may include the use of encryption
technology to protect Your Content from unauthorized access. You are responsible for
providing any necessary notices to your users and obtaining any legally-required consents
from your users concerning your use of the Service Offering. You are solely responsible
for complying with any laws or regulations that might apply to Your Content, and you
understand that the Service Offering is not intended for data regulated by the Health
Insurance Portability and Accountability Act (unless you have entered into a
business associate agreement with Us). You are responsible for any losses or other
consequences arising from your failure to encrypt or back up Your Content. If we determine
that there has been unauthorized access to, or use or disclosure of, Your Content, we will
use commercially reasonable efforts to notify You, taking into account any applicable law,
regulation, or governmental request.
Security Clauses: Sample #3
Data Security. Without limiting Provider’s obligation of confidentiality as further
described herein, Provider shall establish and maintain a data security
program to: (i) ensure the security and confidentiality of the University
Data; (ii) protect against anticipated threats or hazards to the security or
integrity of the University Data; (iii) protect against unauthorized access to
or use of the University Data; (iv) ensure proper disposal of University
Data; (v) ensure that all subcontractors of Provider, if any, comply with the
foregoing; (vi) continue to safeguard University Data in the event this
Agreement terminates or expires. All facilities used to store and process
University Data shall implement and maintain administrative, physical,
technical, and procedural safeguards and best practices at a level
sufficient to secure such Data from unauthorized access, destruction, use,
modification or disclosure. Provider will establish procedures and controls for
determining who should have access to University Data. If University Data is
hosted in a multi-tenant environment, Provider must have controls in
place to prevent University Data from being disclosed to another
customer, appearing with the data belonging to another customer or being
accessible by another customer.
Security Clauses: Sample #4
Without limitation of any other provision contained in this Agreement, Service Provider represents and warrants
that:
within the twelve (12) month period prior to the Effective Date, an Independent Third-Party Auditor (as defined
below in this Section 8.3(e)) conducted (A) a Statement on Standards for Attestation Engagements (“SSAE”)
16, SOC 2, Type 2 audit examination of Service Provider (inclusive of the primary data centers owned or
operated by Service Provider from which Service Provider provides the Service Provider Platform to Participants),
conducted in accordance with AT section 101 of the American Institute of Certified Public Accountants (“AICPA”)
attestation standards, and issued Service Provider an SSAE 16, SOC 2, Type 2 service organization control report
(a “SOC 2 Report”); and (B) an audit of Service Provider (inclusive of the primary data centers owned or operated
by Service Provider from which Service Provider provides the Service Provider Platform to Participants) for
compliance with ISO 27001, certified Service Provider as compliant with ISO 27001 and issued Service
Provider an ISO 27001 service organization control report (an “ISO 27001 Report”) (the audit types identified in (A)
and (B) above are sometimes hereinafter referred to collectively as “Audits”); and the copies of the SOC 2 Report
and the ISO 27001 Report that Service Provider has provided to Internet2 (collectively, the “Provided Audit
Reports”) are true and correct copies of the original organization control reports issued by the Independent
Third-Party Auditor.
On not less frequent than an annual basis during the Term, Service Provider will have an Independent Third-
Party Auditor conduct Audits of Service Provider and issue a SOC 2 Report and ISO 27001 Report resulting from
such Audits. Service Provider will provide Internet2, all Internet2 NET+ Partners and all Participants with a true and
correct copy of each such additional service organization control report within thirty (30) days after issuance (all
such additional service organization control reports are, together with the Provided Audit Reports, sometimes
hereinafter referred to collectively as the “Audit Reports”). Service Provider will promptly remediate (1) any
errors identified in an Audit Report that could reasonably be expected to have an adverse impact on the Services,
and (2) material control deficiencies identified in an Audit Report. As used in this Agreement, “Independent Third-
Party Auditor” shall mean a reputable independent third-party auditor (i) experienced in conducting in-depth audits
of third-party service organizations and issuing service organization control reports in accordance with statements
on auditing standards issued by the Auditing Standards Board of the AICPA; and (ii) accredited to conduct (A)
SSAE 16, SOC 2, Type 2 audits of third-party service organizations, and (B) audits of third-party service
organizations for compliance with ISO 27001.
Data Handling Clauses: Sample #1
University Data shall be and remain the sole and exclusive
property of the University. University hereby grants Service
Provider a license to University Data for the sole and
exclusive purpose of providing the Services, including a
license to store, record, transmit, maintain and display
University Data only to the extent necessary to provide
Services. For avoidance of doubt, Service Provider agrees
that it will not, and will not authorize any other party to,
engage in any data mining, marketing, or other use of
University Data.
Data Handling Clauses: Sample #2
Service Provider will use Enterprise Customer Data only for the
purpose of fulfilling its duties under this Agreement and Service
Provider will not share such Enterprise Customer Data with or
disclose it to any third party except as expressly provided for in this
Agreement or authorized in writing by Enterprise Customer. By way of
illustration and not of limitation, Service Provider will not use
such data for Service Provider’s own benefit and, in particular,
will not engage in “data mining” of Enterprise Customer Data or
the sale of Personal Data, including, without limitation, the sale of
Managed User e-mail addresses. Service Provider may, however,
collect, monitor and analyze the file type metadata (e.g., .doc,
.pdf, .xls) of Enterprise Customer Data for the purpose of
providing and improving the delivery of the Service Provider
Service to Enterprise Customer under this Agreement, including
Service Provider’s operations management and services deployment,
and monitoring and risk reduction.
Data Handling Clauses: Sample #3
Relationship Data. We may collect Relationship Data. We use Relationship Data to provide
the Service Offering to you, manage your account, send you notifications (including about the
availability of our or our affiliates' other products and services), bill you for purchased services,
enforce compliance with this Agreement, provide support, and comply with our contractual
obligations and applicable law. We may share Relationship Data with our affiliates and third
party service providers for these purposes, or as otherwise required by applicable law.
Usage Data. We may collect Usage Data. We use Usage Data to assist us in providing the
Service Offering (including tracking and managing our infrastructure, network, storage, and
software for billing, capacity planning, troubleshooting, and other forecasting and improvement
purposes), and comply with our contractual obligations and applicable law. We may share Usage
Data with our affiliates and third party service providers for these purposes or as otherwise
required by applicable law.

[14 Pages Later…] Definitions


14.6 “Relationship Data” means personal information that we collect during the registration,
activation and maintenance of your account. It may include names and contact details of your
personnel involved in maintaining or using the Service Offering. It does not include information
collected through the publicly accessible portions of our webpages, which is subject to the Privacy
Policy posted on those webpages.
14.13 “Usage Data” means information regarding your consumption of the Service Offering,
such as information on the amount of computing and storage resources purchased or consumed,
user counts, and third party licenses consumed. Usage Data may also include information related
to the consumption of optional or third party or co-branded services provided to you through
the Service Offering.
Cloud Assessments: Conclusions
• Specificity matters
• Consider whether it is more helpful to spell out what a
Service Provider will do OR what they will not do
• Some flexibility is required: if you want to use a commercial
service determine what is reasonable
• Do not accept standard commercial terms or “click through”
• Do not assume the worst of commercial service providers
• Consider the future and ongoing relationship
• Remember that both sides are managing risk and the overall
aim is to come up with something that both your campus and
the service provider can live with
Internet2 NET+ Services: Current Phases
Examples of Cloud Services Deployed at Scale
Leveraging community developed offerings, preferred pricing and business terms
• 120+ universities: cloud storage and collaboration campus-wide (24 months)
• 70+ universities leveraging the NET+ Splunk offering (12 months)
• 30+ universities moved their LMS to Instructure’s Canvas (6 months)
• 25+ universities leveraging Code42’s CrashPlan offering (12 months)
Cloud Success takes more than technology
• Provisioning to scale
• Change management
• Community master agreements
• Integration templates
• Focus on innovation
• Position descriptions
• Skills
• Transformative business models
• Best practices repositories
• Training: risk, contracts
• Community level engagement
• Strategic development: cloud elements
• Leadership matters
Discussion
Help Us Improve and Grow

Thank you for participating in today’s session.

We’re very interested in your feedback. Please take a minute to fill out the session evaluation found within the conference mobile app, or the online agenda.
