making the cloud work for you: institutional risk and governance

Dr Richard Hall, De Montfort University, slideshare.net/richardhall, @hallymk1

Upload: richard-hall

Post on 14-May-2015


DESCRIPTION

My presentation at BETT13 on cloud computing and HE institutions. See also: http://www.richard-hall.org/2012/06/13/the-university-and-the-cloud-a-health-warning/

TRANSCRIPT

Page 1: Making the cloud work for you: institutional risk and governance

Making the cloud work for you:

institutional risk and governance

Dr Richard Hall, De Montfort University
slideshare.net/richardhall
@hallymk1

Page 2

context: organisation and risk

Page 3

Cloud(s) or hosted or in-house?

Amplified issues around the following [risks].

1. Curriculum control/change-management: ad hoc vs strategic control vs staff digital/technical literacy.

2. Support and skills in-house: quality/distinctive or interesting vs boring.

3. Elasticity of demand and service-provision: developing technologies that will enable emerging and future web applications.

Page 4

See: http://bit.ly/VXKGTQ

Page 5

Value and institutional risk:

a competitive cloud

Page 6

Education markets are one facet of the neoliberal strategy to manage the structural crisis of capitalism by opening the public sector to capital accumulation. The roughly $2.5 trillion global market in education is a rich new arena for capital investment.

(Lipman, P. 2009: http://bit.ly/qDl6sV)

Page 7

See: http://bit.ly/WqABKq

Page 8

The UK Treasury position, on shared services:

2.191 VAT: cost sharing – Following the announcement at Autumn Statement 2011 the Government will introduce a VAT exemption for services shared between VAT exempt bodies including charities and universities.

HM Treasury (2012) http://bit.ly/GCRYCy

Page 9

See: http://bit.ly/GI2nP4

Page 10

See: http://bit.ly/MNPOpn

Page 11

See: http://bit.ly/11NUoLR

Page 12

Technology deployed inside hegemonic, fiscal “realities”.

1. Public-private partnerships: services; re-engineering; applications; outsourcing; consultancy.

2. Discourses of efficiency/productivity to be rooted: analytics; big data; reduced circulation time; changes in production; workload monitoring.

3. Legitimation of R&D: value-for-money; commercial efficiency; business process re-engineering (c.f. European Vision 2020; HEFCE 2012).

4. Moral depreciation and constant innovation/value-creation.

Page 13

Governance and institutional risk

Page 14

See: http://zd.net/oE0oq3

Page 15

See: http://bit.ly/yqsrps

Page 16

See: http://bit.ly/QvjavY

Page 17

1. Twitter: EFF/American Civil Liberties Union; Birgitta Jonsdottir; U.S. Department of Justice; Wikileaks.

2. LinkedIn: cracking a service; aggregating data for future cracking; confirming guesses about passwords; comparing hacked data against pre-computed versions; broadening “guessable” data.

3. Facebook, Google and Twitter: new obligation to identify “trolls”; internet companies will have to surrender the details of those posting libellous messages.

4. Leveson: Hunt’s private Gmail account; role of the information commissioner; use of private (email) accounts to conduct official business is subject to FoI.

Service resilience; confidentiality/privacy; copyright/copyleft/content distribution; data security/back-ups; control/deletion

Page 18

See: http://bit.ly/SmGgoz

Page 19

See: http://ars.to/RY2NXC

Page 20

See: http://bit.ly/WeQmGx

Page 21

The legal standard for production of information by a third party, including cloud computing services, under US civil (http://www.law.cornell.edu/rules/frcp/rule_45) and criminal (http://www.law.cornell.edu/rules/frcrmp/rule_16) law is whether the information is under the “possession, custody or control” of a party that is subject to US jurisdiction.

It doesn’t matter where the information is physically stored, where the company is headquartered or, importantly, where the person whose information is sought is located.

The issue for users is whether the US has jurisdiction over the cloud computing service they use, and whether the cloud computing service has “possession, custody or control” of their data, wherever it rests physically.

EFF (2012): http://bit.ly/yqsrps

Page 22

• We have a Governance Unit, a set of IT regulations and an IT Governance Group: http://infogov.our.dmu.ac.uk/

“The cloud has its own challenges, not least of which is the fact that the name can lead non-tech savvy folks to imagine that their data is bits of magic floating about in the ether rather than sitting on a server subject to the laws of the land in which it is located. There are concerns about ensuring safety of information.”

“Additionally, potentially big problems with 'offshoring' corporate assets outside of corporate governance.”

Page 23

• Risk-management at a range of scales: does it matter if someone accesses your stuff? [Dropbox; subject to FoI]

• What about corporate governance, including access to services that are marketised? [Google-Verizon and a two-speed internet; costs of accessing data in marketised HE?]

• Does it matter if the responsible academic gets hit by a bus? [assessment; what should be managed in-house or hosted via a contract?]

• Do we understand that data is being transferred into a service and that we have responsibilities? [T&Cs; IP; protected characteristics; indemnities for libel]

• How do we work-up the digital literacies of our staff/students in this space? [staff guidelines http://bit.ly/LnazH5]

Page 24

The University and the Cloud: a health warning is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.