Up, Up and Away: Three Key Issues for Educational Institutions to Consider in Cloud Computing Deals
A higher educational institution makes significant investments in technology to perform critical functions for the institution. More and more frequently, these technology solutions are provided on a cloud basis, in which the computing functions and the storage and processing of the institution’s data are performed remotely by the vendor. While the cloud-based model can provide significant benefits to institutions, the negotiating team for any institution considering entering a cloud transaction must understand the potential risks and address them up front. Cloud transactions are complicated and require sophisticated business, technology, and legal resources to document properly. This article focuses on three key issues that any institution entering a cloud transaction should consider as it selects and negotiates with a cloud technology vendor.
Hallmarks of a Cloud Technology Transaction.
For purposes of this article, the term cloud transaction refers to a technology outsourcing transaction in which the vendor provides software functionality, database storage, and associated services on a hosted basis—whether in the vendor’s own data center or in a third-party cloud environment, such as Google, Microsoft Azure, or Amazon Web Services. Common elements of cloud transactions include
- the provision of software and computing functionality and the storage, processing, and analysis of information on servers that are external to the institution, rather than the installation of software on equipment located within the institution’s systems;
- browser-based access via the Internet to an institution-specific instance within the vendor’s systems;
- a multi-tenant structure in which multiple customer environments are hosted on a single set of servers, separated via logical—not physical—security; and
- multi-year, subscription-based agreements that require the customer’s agreement to pay a minimum annual subscription fee with provisions for variable use.
Benefits of cloud transactions include (a) the reduction of capital expenses and the need for an institution to manage its own infrastructure; (b) the outsourcing of IT management, which can reduce the need for internal IT headcount; (c) the ability to scale flexibly if more resources are required; and (d) the expertise of a vendor whose business it is to provide IT services, which can enable enhanced security and the deployment of innovations more quickly than would be possible in an internally managed environment.
These benefits are accompanied by risks associated with outsourcing key institutional functions, such as finance, business intelligence, human resources management, and the management of student information, to a third party. In order to lay the groundwork for a successful relationship and to mitigate the risks noted above, institutions engaging with cloud vendors should consider the three issues outlined below.
Issue 1: Setting Expectations.
A cloud transaction resembles a marriage—a highly integrated, long-term relationship that must work for both parties in order to work for either one. The most successful long-term relationships begin with the participants’ alignment of expectations.
In the context of a cloud transaction, this alignment can be accomplished by clearly defining what performance means, the consequences for failures to perform, and how differences in opinion will be addressed. Specifically, an institution should document the following points in any cloud transaction it enters.
- Clearly define the scope of the technology solution and the associated services required for it to function properly. This entails describing the software or technology solution and its features and functionality, as well as the respective responsibilities of the vendor and the institution for the solution’s implementation and day-to-day functions.
- Identify up front any internal or third-party systems with which the cloud solution will need to interface (e.g., payment processing technology, CRM systems, learning management systems) and build specific requirements for the vendor to work with the institution or third party to do so.
- Document a governance structure that provides for regular status meetings for the line-level personnel as well as periodic executive-level reviews. Include a defined escalation path and timeline for disputes.
- Use the Service Level Agreement to define performance (availability and proper functionality) and to create a service credit structure that includes meaningful consequences for failures to perform.
Issue 2: Trust But Verify.
By entering a cloud transaction, an institution entrusts its vendor to host and manage functions that are critical to the institution’s ability to operate and to fulfill its own obligations to students, faculty, and other constituents. Institutions can and should take steps up front and throughout the relationship to make sure this trust is well-placed. There is no silver bullet to ensure a vendor acts responsibly, but by taking a multi-layered approach, an institution can mitigate its risk and put itself in a position to identify problems before they become full-blown crises.
- Perform due diligence on the vendor up front. Engage cross-functional teams to assess the vendor’s security practices, financial stability, legal and regulatory status, and history of performance with other customers.
- Identify up front where validation issues may arise and tailor audit provisions to address those areas.
- Require that the vendor agree to security provisions. In most cases, cloud vendors will insist on adhering to their own policies, as their multi-tenant structure makes it difficult to agree to different standards for different customers. But an institution should engage its security team to evaluate the adequacy of the policies and should include contractual provisions providing rights to validate the vendor’s compliance with those policies.
- Require that the vendor take responsibility for the acts and omissions of any subcontractors it engages and flow down the security requirements to them.
Issue 3: Business Continuity.
An institution’s reliance on a vendor to perform key functions creates unique business continuity concerns, particularly if the vendor is unable to perform due to financial problems. Again, a multilayered approach can serve as an effective way to mitigate this risk and to allow for a transition from the vendor’s platform while avoiding a major disruption of service.
- Perform financial due diligence up front to assess a vendor’s financial stability and potential areas of vulnerability. For smaller or privately held vendors, consider requiring periodic financial reviews to identify early warning signs of trouble.
- Provide for access to key assets if the vendor cannot perform. Provisions can include step-in rights, source-code escrow, and/or access to and the ability to fulfill agreements with the vendor’s key suppliers.
- Address transition requirements up front, including rights to access data and information owned by the institution and the methodology for setting professional services rates if vendor assistance is required.
- Require the vendor to report adverse financial events (e.g., loan defaults) and provide a right of termination if the vendor cannot provide adequate assurances of performance.
The three issues discussed above (setting expectations, trust but verify, and business continuity) illustrate only some of the complex considerations raised by cloud transactions. Each transaction must be evaluated individually based on the nature of the technology and services at issue, the function that the vendor is providing, the data and information that the vendor will process and host, and the unique characteristics of the vendor. To set the table for success, a cloud transaction should be preceded by strong vendor due diligence, documented by an agreement that helps the parties align their expectations, and implemented pursuant to a robust governance process that includes the institution’s exercise of its verification and review rights. By engaging a cross-functional team to perform these activities, an institution can set itself up to enjoy the benefits provided by cloud transactions while mitigating the associated risks.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Tambellini Group.