"Can we put it in the 'Cloud'?"

It's a simple question, and more importantly, one that if it isn't at least being asked, someone probably isn't doing their job.

To say that cloud computing has been pivotal in changing the way businesses can achieve their goals would be an understatement. Providing near limitless resources (at a cost) while allowing  technicians to focus on strategic direction instead of server uptime has been instrumental in increasing services available to campuses. As technology has advanced, the "cloud" has become easier to use, and more visible to the general public.

For me, the "can we" question is a great start, but I think we should move the question one step further, "Why CAN'T we put it in the cloud?"

Done right, cloud computing can, and should, save your company time, money, and resources, while helping eliminate those pesky "surprise" capitol investments. Today, you can get any level of service and support that you are willing to pay for that come with the added benefits of having contracts that guarantee service uptime. These environments are hosted by companies that literally stake their reputation on their ability to provide privacy and security, which means they have budgets and training to ensure that your systems are safe. For all of these reasons, cloud computing is hugely popular while also allowing you to shift capitol investments to be moved into a fixed (read: budget item) operational cost while helping to alleviate some of the ever mounting stress on your IT staff as the system expands.

I have a list of resources available that I will be updating as time goes on here, but typically, people talk towards the Patriot Act, FOIP, PIPA, and PIPEDA;. If you haven't heard of these yet, you will; especially if you are considering the move of any of your data to the cloud.  All of these bills and acts are often cited as reasons for not moving to the cloud, and while there is some truth to those outcries, at the same time they are the reason why you should consider it.

These are various privacy and security papers that are intended to protect us. While they open up some concerns from a data protection standpoint, they help stop cheap and lazy companies from leaving your personal data open to the internet for all sorts of dastardly people to steal and use for their nefarious reasons. Basically these acts and bills mean that a company now has a real, chargeable, contractual, reason to defend data but caution is always required to ensure that you are doing your part. Make sure you review their privacy and data policies at the very least. Some argue that cloud computing opens up your company to data breaches, that you may never know about, but any contract should include this information release as part of the contract.

It is important to know that your institution is still responsible for the data, even though it is possibly now residing on someone else's system. This is especially important to know as a Canadian institution, as the Patriot Act comes in to play. Many hosted solutions are squished from the beginning because of the following clause:

"Under the Act, U.S. officials could access information about citizens of other countries, including Canada, if that information is physically within the United States or accessible electronically. The potential exists, therefore, for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a U.S.-based company."

This means as a Canadian institution, we must pay attention to not only where the data is stored (Canadian data centre) but also, in case of backup, failover or emergency where that data ends up and how it is routed to ensure that we are doing our best to protect our data, and our clients.

For me, I believe that a mixed environment is a great place to start. These environments give your institution an opportunity to leverage the cloud for applications, services, while maintaining ownership of the data through storing it on premise. This mixed environment helps to minimize the hardware IT requirements on site (as you are able to eliminate any application servers and their backups), and maintain a dedicated SQL and possibly authentication (ADFS) servers (all of which are typically virtual). Your cloud provider is able to run the update or patch to ensure your systems are secure while being responsible to ensure proper communication, and testing to confirm that your system will work when it is done. In this fashion you get most of the benefits of cloud hosting, while still keeping your data on site, allowing you to bypass some of the additional legislation that may or may not allow your data to be stored elsewhere.

Now, I have spent a lot of time talking about how great and advantageous the cloud is, so why doesn't everyone do it? Like anything, it comes with it's downside. As mentioned above, depending on where you are located, there are any number of rules, regulations (federal and local), and company policies that can hamper your ability to make the move.

While most of us have worked in a hosted application environment at least a little bit, be it your Gmail or learning management system, we have all seen it. We have also tried to log in to use those services, and we get some cryptic "404 not found" or "501 resource error" or any other number of errors, and as a client, there is nothing you can directly do to fix the problem. You simply call the 1-800 number and "hope."

Lets follow the below example, and because I am so imaginative, lets call the local resource/technician Dave:

With an on premise solution, you have someone you call, and people are more comfortable working with an on campus person to get everything going. Typically you call Dave, you are panicked, because something is broken, so you can no longer do your job. Dave talks to you, helps alleviate some of the immediate panic, while simultaneously logging an issue and working to resolve the problem. By the end of the call, you feel better.  The biggest thing of note here is that you know the someone who is looking into the issue. By hosting your solution in the cloud, when this happens you call Dave, he still tries to talk you down a little, but then after he did his initial look says that he will log an issue with your cloud provider.

Hard stop. What?

Yeah, by increasing the convenience of hosting our applications we have less perceived "control" over the issue resolution. We have contracts guaranteeing uptime, Dave said it would be fixed soon, but how do we know. Simply put, we don't. We rely on the contracts that were put in place, and the knowledge that our on premise resources will work with the cloud provider to get the service up and running again.

Let's take another example. On Thursday your cloud hosted system goes down, and nobody can figure out why. Your local resources look and don't seen anything on the institutional IT side of things, so they go back to the provider. The provider can't see anything, so they do a restore and everything works and call it a one off.  While you lost an hours worth of transactions, you are working again and everyone is happy with the quick response. Then the same thing happens the next Thursday, and the one after that. When it is escalated, they find that there was a problem with their configuration causing corruption when a full backup was done. It's great that it is fixed, however you have now had multiple instances in a row where people were unable to use your service. For a campus card system, this is huge as it ties into every aspect of your campus life. Access, events, shopping, meal plans, laundry, the list can seem almost endless. Depending on your system, this could render your entire system, and possibly parts of your campus unavailable causing thousands in lost sales and immeasurable impact on reputation and trust.

"Uncontrollable" downtime is a valid fear and one that should be talked about when hosting. You should always ensure that you are building response times, outage minimums and maximums. Something that need to be discussed and confirmed before any hosting agreement takes place is server and application maintenance timings; in other words, when does the vendor do its patches and updates, which although scheduled, could possibly result in an unusable system. We are all responsible in being active participants in building a hosting strategy. Ensure you are defining allowable outage windows because there is nothing worse than having your system taken offline in the middle of opening week for "routine" maintenance.

Overall, I believe in this time of tightened budgets, and increase need for fiscal responsibility that cloud hosted solutions should be engaged when possible as long as you are ensuring the laws and regulations/bills that apply to you are adhered to. A mixed environment allows for a solid product to be maintained by a vendor while decreasing your on campus costs and allowing staff to focus on system growth, and institutional strategic direction.

This is a very general overview, and if it feels like I only skimmed the surface of some of the topics, its because I have. The overall discussion of hosting, mixed, and on premise could occupy far more time. But ultimately it comes down to your institution and risk. If you would like to talk about what options are out there, I would like to help you find a solution that meets not only today's needs for streamlined resources, but keeps in mind your needs and ensures that you are able to succeed moving forward.