In the most recent article on the ever-growing MBTSSC (don’t think that will catch on as an acronym) I looked at filtering and monitoring. This time around we are looking at Cloud solution standards.
Reader Advisory – this one goes on a bit.
Cloudy with a chance of pain
For many IT folk “cloud” is a bit of a double-edged sword. Primarily this is because it has become something of a catch-all marketing term for a range of wildly divergent offerings, which at times leads to some fairly dubious marketing of services as “cloud”, and partly because the people marketing those solutions have done a good job of equating cloud with cheaper than on-premise solutions, which isn’t entirely accurate for many purposes. And yes, that second part is the polite version.
Before I go on and look at the actual standards there are a couple of things to note. Firstly, I am a huge advocate for getting services off-site where this is the appropriate place for them to be. As someone who has spent a long time working in IT within Further Education, I will stick to my principle that FE colleges are not well-placed to operate commercial-level data centres. For a start, not many FE colleges have IT staff who work 24 hours a day. Increasingly there are also non-technical considerations such as environmental and sustainability impacts.
Secondly, the preamble to this element of the standards defines cloud as “solutions or services [that] are hosted and managed on the internet rather than locally in the school.” Putting aside for a second that by this point the authors seem to have become tired of writing “schools and colleges”, this isn’t a bad definition of the cloud. It may be oversimplified from a technical perspective but as a concept to grasp it is pretty decent.
Use cloud solutions as an alternative to locally-hosted systems, including servers
Whoah. Right in there. Use cloud rather than on-premise systems. Bang. Done. Let’s all go home.
Except. At the end of this section there is the “When to meet the standard” section, and the answer is as soon as possible to realise the benefits. Which raises some questions. What are the benefits and, more broadly, what problem are you trying to solve?
This brings us back to that pesky marketing of “cloud”. What we generally mean when we talk about the cloud is some service being hosted and managed by somebody else. In the beginning, there were three main elements:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Generally, the common thread is that these not only shift delivery of services away from your own site but, more importantly, are delivered via a subscription model: as long as you pay the bills you can access the service.
There are now a host of other “aaS” offerings and the term XaaS has started to appear. In the end though, whether this is backup as a service, security as a service or desktop as a service, they all broadly map to one of the original three, so let’s take a look at each and why it may or may not work in an education context.
SaaS
Software as a Service would be my go-to category when looking to move to the cloud. The basis here is that instead of licensing and hosting software in-house, you pay a subscription for the ongoing use of the software, and any elements normally hosted on a server in-house are instead hosted and managed by the vendor.
This can be anything from general productivity software, Office 365 or Google Workspace for example, to more specialist software such as finance or HR systems.
Perhaps the most obvious benefit of using SaaS is that all the responsibility for the running of the system moves to the provider of the service. No more having to provide servers, make sure that updates are applied, worry about securing the software or allowing access to the system remotely. All of that comes as standard.
The most obvious downside to SaaS is that once you stop paying for the service you lose access to it and any data that you haven’t exported beforehand. The secondary potential downside is that you no longer have control over updates and upgrades. This shouldn’t technically be a bad thing but if the provider of your finance system suddenly does a major update and your finance team can no longer work out how to do anything that would be problematic. Of course, such things should be part of your due diligence when selecting a system.
I said earlier that this was my go-to for cloud migration. I’ll go further. If you are a school or college and you are running your email on-premise then you might want to have a word with yourself. Unless you have some very niche reason it is a no-brainer to move to Office 365 or Google Workspace. Other options are available but again, I’d need some major convincing.
SaaS is also the most palatable in financial terms: often the existing on-premise service is already subject to an annual licence fee, so moving to a subscription won’t be a major wrench.
Even with a change this obvious though it needs to be clearly thought out and migration is never quite as easy as the salespeople will have you believe. However, that goes for any change and I’m sure I’ll come back to change management in some future article.
IaaS
Infrastructure as a Service operates at the other end of the spectrum to SaaS. Here what you are “renting” are the lower-level parts of the infrastructure normally housed in your data centre. Or server room as is probably more accurate in a school or college context.
These elements can include servers, storage and networking, and extend to technologies such as virtual server hosting.
There are some really great options here in this technology stack but for this we need to consider once again, what problem are we trying to solve by using cloud?
It is possible to replicate pretty much every facet of your on-premise infrastructure as IaaS. However, although the hardware will be hosted in a data centre with all the inherent plus points such as a reduction in power usage onsite, not having to maintain cooling for as many servers and having 24×7 monitoring of the physical hardware, the actual services running on the IaaS platform still remain your responsibility.
That is to say; if you are running a system which needs a server for the application, a server for the database and a server for the front-end website, you still have to install and maintain the operating systems on those servers, still have to apply security patches to all elements on those servers, still need to ensure that the web front-end is hardened and not leaving a security hole for exploitation and still have to make sure that all those elements are correctly licensed and work together effectively.
So in terms of what problem you are trying to solve, if the answer is to gain more reliability, gain more security or save on your internal IT support costs this probably isn’t going to help a great deal. While the hardware reliability is probably greater (and no longer your problem), the functionality still relies on your internal people and processes.
What it will do though is move your costs from an infrequent capital expense to replace physical hardware to an ongoing revenue cost to pay for the service. When working through the cost-benefit analysis this is often a stumbling block, particularly if your capital replacement programme for hardware is shall we say, less than scientific (in other words if replacement is only discussed when it breaks or gets to end of support where if it breaks it stays broken).
That isn’t to say that IaaS is a non-starter. For smaller-scale infrastructures, it may allow the site to remove servers altogether or reduce the amount needed to function. This still has the provisos that management of those servers is still an internal matter but it does result in a reduction of power, cooling, space etc and although it becomes an operating expense paid monthly this at least gives a reasonably stable cost profile as opposed to a large capital requirement every 5 or so years and of course the actual support of the physical hardware is part of that subscription charge.
The other area of consideration is capacity management. When looking at hardware replacement internally, the only sensible option is to specify the requirements based on maximum load, however for much of the education arena, load is highly concentrated at key times of the year and what IaaS allows is to only consume additional capacity when needed.
Often the calculations surrounding IaaS are extremely complicated and certainly for larger organisations a hybrid model of on-premise and IaaS will be the likely way forward for the foreseeable future.
PaaS
Platform as a Service is somewhere between the other two we’ve discussed. Here, a bundle of IaaS elements, often along with some additional software (sometimes known as middleware), are brought together. Perhaps the most common usage of PaaS is as a starting point for custom development, where the provider will supply servers, database, storage and other components that allow the customer to then build applications specific to their business.
Here, all the management of the infrastructure is part of the subscription and, as with other “cloud”, it is a pay-as-you-consume model: the more resources used, the higher the cost. From a custom application perspective, there is an advantage here in that if additional capacity is required it can be scaled up and down to meet demand without having to invest in physical hardware. As before, the costs are fairly predictable in the short term.
It is I think fair to say that there is limited use of PaaS within schools and colleges at present as few still have large-scale in-house development activities.
So Cloud?
To be fair to the authors of the standards, they do in fact suggest that before moving to the cloud you consider a few things:
- understand the software, devices and data you currently use and what you use them for
- consider the types of data you need to import and export easily from the cloud
- ask your IT service provider about free cloud services
I’d go back to my question. What problem are you trying to solve, how does moving to a cloud service help you do that, and what are the pros and cons, costs and benefits of doing so?
This would include reviewing your current operations. If your internal team (or service provider) delivers a service 5 days per week between 8 and 5, then the cost comparison to an offering with 24×365 support may not be favourable, but there may not be an option for a lower price tier. The question then becomes, is our current service sufficient to meet the needs? If not, what are the costs of delivering that enhanced service internally vs the costs of a like-for-like service in the cloud?
Beware of geeks bearing grifts
Before we move onto the rest of the standard there is a particular element of this section that I want to touch on. There is a suggestion here that there are free cloud services that could be used by schools and colleges and these should be considered.
This is not technically untrue, although there are probably more free opportunities for schools than colleges. However, I am reminded of the old adage that anything free is worth what you pay for it. There is a risk with free tiers of various services that they will lack the full features available on the paid-for subscription and that if adopted, the requirement for moving from the former to the latter may be irresistible.
Worse, there are cases where organisations have been enticed to move from their existing systems to “the cloud” on the basis of massive savings that have not only not materialised but have in fact ended with them spending substantially more as they added back in functionality that was not available.
As an extreme example I am aware of, not in the education space I should say, a large organisation moved from their on-premise solutions provided by one vendor to a “low cost”, “pure cloud” service of another only to find that they lacked so much functionality that they ended up paying for both services as they tried to migrate and even at the end of their, much delayed and extended, journey they still ended up with both technologies which they then had to spend more money linking together. A cynic might note that the original sales folk of the “free” service made quite a lot of money out of the process.
Cloud solutions must follow data protection legislation
Back to the DfE document. This should be pretty obvious. Any software or service that you take on should have a data impact assessment and cloud services are no different.
One thing to watch here is where the data is going to be stored. Although most education focussed providers will have UK (or at the very least EU) data centres, care must still be taken that they are not going to be moving data to countries that are not covered by GDPR. Knowing where your data could end up is vital when assessing a cloud service.
Cloud solutions should use ID and access management tools
This issue is not a unique one for cloud solutions. The standard talks about the fact that cloud solutions often work independently of one another giving rise to the need for multiple usernames and passwords. It goes on to talk about the importance of centralised ID and access management tools.
However, this could also be the case for on-premise software and services as well. If you were to use a virtual learning environment for example, chances are that out of the box it may well use its own username and password system. This would be the case whether you were running that system on your own servers, on IaaS in the cloud or indeed buying it as SaaS from the vendor.
In each case, you would probably be wanting instead to tie access to your existing usernames and passwords via a single sign-on service. There are lots of options here and there are indeed services that will work to bring multiple SSO options into one easy-to-manage service (is that an SSSO?).
When choosing a solution to solve whatever problem you are seeking to solve you should have integration with your existing systems as one of the key considerations.
Unless?
Unless of course this isn’t desirable. It may be that for certain systems you want to maintain an additional layer of authentication to limit who can access it. For example, you may not want access to your HR system to be available via SSO at all. Or you may want staff members to use SSO for their self-service activities but not to gain access to the full system.
There is nothing wrong with having multiple ID systems and controlling access to systems via their own built-in mechanisms. If doing so though, you must consider the cyber security standards, ensure that each system complies with the requirements for password strength and complexity, and consider whether MFA should be used.
Cloud solutions should work on a range of devices and be available when needed
The purpose of this element of the standard is to make sure that when choosing a service you understand what availability level is offered. Sometimes this will be a one-size-fits-all standard SLA; in other cases there will be different SLA options, usually based on the overall cost.
The standard gives examples for what a given percentage figure means in terms of monthly downtime from 99% which is around 7 hours per month to 99.99% which is around 5 minutes per month.
The key element here is less the percentage itself than what the consequences are for not hitting that target availability. For example, if you are paying a subscription that includes a 99.9% availability guarantee, what happens if that isn’t met? Is there a cost reduction, service credit or some other penalty attached to the SLA? If not, what is the control mechanism to ensure that the provider doesn’t simply miss the SLA?
There is a need here also to be realistic as to what is and isn’t reasonable. When looking at a service to determine if the cloud is an appropriate route to take, you also need to compare what, if any, SLA guarantees you get from your internal team or service provider. The answer often is that this isn’t a formally agreed percentage and often isn’t even routinely measured.
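As an added illustration (not from the DfE standard or the original article), here is a small Python script that turns an availability percentage into a monthly downtime budget and then checks a constructed month of outage records against the 99%, 99.9% and 99.99% tiers, which is the sort of measurement you need if you want to hold a provider to its SLA. The outage times, the month and the 730-hour-month convention are assumptions.

```python
from datetime import datetime, timedelta

# Availability tiers: the 99% and 99.99% examples from the standard plus the 99.9% figure from the text
SLA_TIERS = {"99%": 99.0, "99.9%": 99.9, "99.99%": 99.99}

def downtime_budget(availability_pct, hours_in_month=730.0):
    """Permitted downtime per month for a given availability percentage.
    730 hours is the average month (8760 h / 12); assumed here as the SLA convention."""
    return timedelta(hours=hours_in_month * (100.0 - availability_pct) / 100.0)

def measured_availability(outages, month_start, month_end):
    """Availability actually delivered over [month_start, month_end) from (start, end) outage windows.
    Windows are clipped to the month and overlapping windows are merged, so the same incident
    reported twice (e.g. by two monitoring probes) is not double-counted."""
    clipped = sorted((max(s, month_start), min(e, month_end)) for s, e in outages)
    merged = []
    for s, e in clipped:
        if e <= s:
            continue  # outage lies entirely outside the month
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    down = sum((e - s for s, e in merged), timedelta())
    return 100.0 * (1.0 - down / (month_end - month_start))

def sla_report(outages, month_start, month_end):
    """Map each tier to True if the measured availability fell below it (i.e. the SLA was missed)."""
    actual = measured_availability(outages, month_start, month_end)
    return {name: actual < target for name, target in SLA_TIERS.items()}

# Constructed sample: one month (March 2024, 744 hours) of outage records from a hypothetical
# provider status page. Window 2 overlaps window 1; window 4 starts in February and is clipped.
MONTH_START, MONTH_END = datetime(2024, 3, 1), datetime(2024, 4, 1)
SAMPLE_OUTAGES = [
    (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 30)),
    (datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 12, 0)),
    (datetime(2024, 3, 20, 23, 0), datetime(2024, 3, 21, 0, 30)),
    (datetime(2024, 2, 29, 22, 0), datetime(2024, 3, 1, 1, 0)),
]  # merged downtime: 3 h + 1.5 h + 1 h = 5.5 h

if __name__ == "__main__":
    for name, pct in SLA_TIERS.items():
        print(f"{name}: budget {downtime_budget(pct)} per month")
    print(f"measured: {measured_availability(SAMPLE_OUTAGES, MONTH_START, MONTH_END):.3f}%")
    missed = sla_report(SAMPLE_OUTAGES, MONTH_START, MONTH_END)
    print("missed:", [n for n, m in missed.items() if m])
```

On the sample month the service delivers about 99.26% availability, comfortably inside a 99% SLA but a breach of both 99.9% and 99.99%, which is exactly the gap between tiers that a service-credit clause needs to address.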
Make sure that appropriate data backup provision is in place
This is an important and sometimes overlooked aspect of cloud technologies. The providers will often talk about how the data is protected and there may be multiple data centres involved, but this isn’t quite the same as a traditional backup.
You must therefore consider for each type of data what level of protection is appropriate. Each service should be able to detail what data is backed up, where it is stored, how long it is held for and how often a backup is taken.
This is exactly the same process as when implementing on-premise servers and services and should be part of a regular review process to ensure that your assumptions about data remain valid.
And with that we draw to a close the subject of cloud. Next up we look at what considerations are needed should you still want to have servers and storage directly under your control.