Can University IT, Privacy, and Security Personnel Fan Away Clouds?
Although all universities provide data storage, transfer, and remote software access services to students and faculty through their own systems, a threat to these modes of data transmission and services looms—and it is one that has IT leaders at major universities concerned on a number of fronts. This threat, of course, is the intangible, unreachable data solution that is rapidly usurping once internal server-based functions. Before, the university system was the hub for storing teaching materials, student projects, and even university-related social networks and communications. It was all manageable, decipherable, and more importantly, there was some accountability for privacy and security. The cloud, however, is just out of reach of university control, privacy, security, stability, and general use concerns float about and collide.
Despite the use of internal secure file-sharing and other university-specific IT services provided by institutions for faculty and students, several colleges are discovering that it will be critical to produce a set of best practices and policies to govern cloud-based services when sharing or sending university data. Since there are few broad policies that have been adopted by large institutions or organizations in the cloud environment, however, these first-draft policies are merely warnings and guides about the possible privacy, stability, and other dangers that lurk in the swirling mists of the cloud.
This morning, Robin Beck, Vice President of Information Systems and Computing at Pennsylvania State University, and colleague Mary Lee Brown, Associate Vice President of Audit, Compliance and Privacy produced a set of broad-ranging suggestiongins (as opposed to mandates) concerning student and faculty use of cloud computing resources. While there were no policies instituted or announced in the release, there was a wealth of information about all of the possible dangers, which meant that this statement, like those produced by other institutions of similar size and scope data-wise, was a warning, not a best practices or concrete change in policy.
In the Penn State release, trepidation about the subject of this change from local or virtual literally leaps off the page, in part due to the consistent use of “cloud computing” and “in the cloud” in quotations, as though the term itself is open to question or was a sort of uncomfortable lingo of a different generation. The fact is, however, that perhaps to university IT departments who have very legitimate concerns about data security and the transmission of student and faculty information in this mysterious “cloud” this is something of a generational crisis. After all, as Penn State reminds its staff and student population at the bottom of its long list of warnings (which includes issues of data stability and lack of backup, privacy risks and concerns, and the possibility that “foreign government access to data of interest” could occur since in this strange cloud) the only safe thing to do is stick with the familiar—use the university-supplied data storage and file transfer service.
Every decade has produced one type of general generational crisis that manifests on the playing field of college campuses, but who knew this one would be so unique, specific, and data-driven? The cloud is replacing storage and sharing functions that were once relegated to university servers and with this change comes a divide in how university IT departments can envision their future; do they calmly (if not a little resignedly) accept and hurry to sweep up mounting each new privacy or security concern as it emerges or do they instead urge extraordinary caution to this thing the kids are calling “the cloud” that seems to be all the rage?
While these institutions must make every effort to minimize risk by relying on sound collaboration between privacy, data, and general IT university leaders, they should address the wide and ever-increasing use of the cloud for nearly every task or purpose that occurred exclusively on their own servers only a few short years ago. In other words, this is certainly not to minimize the risks and concerns. It is, however, very pertinent that they recognize that treating this “problem” by simply warning students and faculty about risks might not be enough. A broad set of policies (rather than suggestions that inspire fear alone) could be more beneficial that several releases that explore the dangers. With time, most universities will very likely have distinct governance measures in place to regulate university data over other networks rather than warnings that cannot be enforced.