Abstract
The procurement of cloud computing services involves a wide range of issues and risks for educational institutions. The technologies and services available are rapidly evolving, differ greatly between providers, and are subject to complex contractual arrangements with potentially serious legal and business implications. There is no specific cloud computing legislation, but the area is subject to a wide and growing range of laws relating to Internet-based services, some written decades ago (Baker, 2009). Resolution of the new issues relating to security, privacy, and regulation in the cloud will take many years (Kaufman, 2009). This chapter outlines the key issues institutions need to investigate when considering the deployment of services in the cloud to students, faculty, and staff.
TopIntroduction
Cloud providers develop legal agreements for those who wish to use their services. These are rarely written with the specific needs of educational institutions in mind, nor generally to protect the customer (Brukbacher, 2011). Negotiation is however often possible over these contracts, resulting in variations to standard agreements which can reduce risks and be otherwise advantageous to institutions. This is likely to be easier for larger or more prestigious universities than for small schools, where the resulting business for the cloud provider is minimal. The University of Cambridge for example was able to obtain significant amendments to its contract for Google Apps (Google, University of Cambridge, 2010), while smaller universities anecdotally report minimal flexibility on the part of large providers in their negotiations for similar services.
When cloud-based services are provided for free to educational institutions, there is likely to be little incentive for a provider to engage in expensive contractual negotiations. Where services are paid for however cloud providers will be more willing to negotiate over terms and conditions, and also be willing to carry a higher level of risk. Companies are also likely to provide higher levels of service to their best customers; this is arguably simply good business practice (Daley & Rudolph, 2010c). Educational institutions should bear this in mind when discussing contracts with providers; the adversarial approach encouraged by their lawyers may be counterproductive.
Agreements are often more about perception than reality; they can give confidence about how security breaches or disruptions to service will be dealt with but may be difficult to enforce legally. While contracts transfer responsibility for certain computing tasks to cloud providers, ultimate accountability continues to reside with the educational institution (Julisch & Hall, 2010). Lawsuits against some of the vast computing companies involved in the field may also be too expensive to contemplate, particularly if they would have to be enacted in foreign jurisdictions. Neither however is the cloud provider likely to want any adverse publicity from serious contractual breaches or lawsuits. There are very good business reasons for the vendor to provide adequate service and for both parties to avoid legal action.