This document discusses institutional risks related to cloud computing in education. It raises several issues that universities should consider: [1] maintaining control over curriculum and change management with faculty digital literacy; [2] whether support and skills are best kept in-house or outsourced; and [3] ensuring technology can adapt to emerging needs. Data privacy, security, jurisdiction, and governance are also discussed as major risk factors for educational institutions adopting cloud services.

1. Making the cloud work for you:
institutional risk and governance
Dr Richard Hall, De Montfort University
slideshare.net/richardhall
@hallymk1
rhall1@dmu.ac.uk

2. context: organisation and risk

3. Cloud(s) or hosted or in-house?
Amplified issues around the following [risks].
1. Curriculum control/change-management: ad hoc vs
strategic control vs staff digital/technical literacy.
2. Support and skills in-house: quality/distinctive or
interesting vs boring.
3. Elasticity of demand and service-provision: developing
technologies that will enable emerging and future web
applications.

4. See: http://bit.ly/VXKGTQ

5. Value and institutional risk:
a competitive cloud

6. Education markets are one facet of the neoliberal
strategy to manage the structural crisis of
capitalism by opening the public sector to capital
accumulation. The roughly $2.5 trillion global
market in education is a rich new arena for
capital investment.
(Lipman, P. 2009: http://bit.ly/qDl6sV)

7. See: http://bit.ly/WqABKq

8. The UK Treasury position, on shared services:
2.191 VAT: cost sharing – Following the
announcement at Autumn Statement 2011 the
Government will introduce a VAT exemption for
services shared between VAT exempt bodies
including charities and universities.
HM Treasury (2012) http://bit.ly/GCRYCy

9. See: http://bit.ly/GI2nP4

10. See: http://bit.ly/MNPOpn

11. See: http://bit.ly/11NUoLR

12. Technology deployed inside hegemonic, fiscal “realities”.
1. Public-private partnerships: services; re-engineering;
applications; outsourcing; consultancy.
2. Discourses of efficiency/productivity to be rooted: analytics;
big data; reduced circulation time; changes in production;
workload monitoring.
3. Legitimation of R&D: value-for-money; commercial
efficiency; business process re-engineering (c.f. European
Vision 2020; HEFCE 2012).
4. Moral depreciation and constant innovation/value-creation.

13. Governance and institutional risk

14. See: http://zd.net/oE0oq3

15. See: http://bit.ly/yqsrps

16. See: http://bit.ly/QvjavY

17. 1. Twitter: EFF/American Civil Liberties Union; Birgitta Jonsdottir; U.S.
Department of Justice; Wikileaks.
2. LinkedIn: cracking a service; aggregating data for future cracking;
confirming guesses about passwords; comparing hacked data against pre-
computed versions; broadening "guessable” data.
3. Facebook, Google and Twitter: new obligation to identify “trolls” ; internet
companies will have to surrender the details of those posting libellous
messages.
4. Leveson: Hunt’s private Gmail account; role of the information
commissioner; use of private (email) accounts to conduct official business is
subject to FoI.
Service resilience; confidentiality/privacy; copyright/copyleft/content
distribution; data security/back-ups; control/deletion

18. See: http://bit.ly/SmGgoz

19. See: http://ars.to/RY2NXC

20. See: http://bit.ly/WeQmGx

21. the legal standard for production of information by a third party, including cloud
computing services under US civil (http://www.law.cornell.edu/rules/frcp/rule_45)
and criminal (http://www.law.cornell.edu/rules/frcrmp/rule_16) law is whether the
information is under the "possession, custody or control" of a party that is subject
to US jurisdiction.
It doesn’t matter where the information is physically stored, where the company is
headquartered or, importantly, where the person whose information is sought is
located.
The issue for users is whether the US has jurisdiction over the cloud computing
service they use, and whether the cloud computing service has “possession,
custody or control” of their data, wherever it rests physically.
EFF (2012): http://bit.ly/yqsrps

22. • We have a Governance Unit, a set of IT regulations and
an IT Governance Group: http://infogov.our.dmu.ac.uk/
“The cloud has its own challenges, not least of which is
the fact that the name can lead non-tech savvy folks to
imagine that their data is bits of magic floating about in
the ether rather than sitting on a server subject to the
laws of the land in which it is located. There are concerns
about ensuring safety of information.”
“Additionally, potentially big problems with 'offshoring'
corporate assets outside of corporate governance.”

23. • Risk-management at a range of scales: does it matter if
someone accesses your stuff? [Dropbox; subject to FoI]
• What about corporate governance, including access to
services that are marketised? [Google-Verizon and a two-
speed internet; costs of accessing data in marketised HE?]
• Does it matter if the responsible academic gets hit by a
bus? [assessment; what should be managed in-house or
hosted via a contract?]
• Do we understand that data is being transferred into a
service and that we have responsibilities? [T&Cs; IP;
protected characteristics; indemnities for libel]
• How do we work-up the digital literacies of our
staff/students in this space? [staff guidelines
http://bit.ly/LnazH5 ]

24. The University and the Cloud: a health warning is licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported
License.