By Bob Flynn, Internet2 Program Manager
Estimated reading time: 10 minutes
The second in a series of blog posts about NET+ Cloud Infrastructure and Platform Services
What’s in Play?
If you missed the set-up for this series and this conversation (a.k.a. Episode 0), take a minute to check it out before you proceed. It has the snappy title “Help Us Build Out the Internet2 NET+ Cloud Infrastructure and Platform Services Portfolio.”
That opening post spells out the Why. Now I want to get into the What. What tools do you need? What gaps do you see? What vendors could play more nicely with higher ed? There are a lot of possibilities.
That Is So Totally Cloud
When someone seeks to describe an innovative concept they will often use a metaphor. When that concept catches on, the metaphor often sticks, becoming an illustrative shorthand for those in the field. When it pushes beyond the boundaries of its own field into others it reaches buzzword status. When it hits mainstream culture, much of its meaning, certainly any of its nuance, is lost. Eventually, it may become hackneyed or trite.
The “cloud” in cloud computing is on that inexorable path and while the vanguard of its meaning is already solidifying in the amber of cliché, there remains some meaningful usage and room for refinement in the IT lexicon. For this discussion, that refinement comes at the boundary of the three fundamental models of cloud computing – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Who’s Driving This Thing?
Infrastructure as a Service (e.g., AWS, GCP, MS Azure) and Platform as a Service (e.g. Heroku, Salesforce Lightning, Red Hat OpenShift, and those run by the IaaS providers such as AWS Beanstalk, Google App Engine) are all differentiated from Software as a Service (e.g., Zoom, Canvas, DocuSign, Dropbox, Duo) by the questions of control and responsibility.
When you license SaaS, you are putting the control, responsibility, and security of your data into the hands of the provider. SaaS is a trade-off of control for innovation. You gain all the other benefits of hyper-scale computing along with the innovation, but when compared to IaaS and PaaS, it is the ceding of control, responsibility, and stewardship of our data that is the salient difference. With SaaS, you may have the ability to administer the service, but the responsibility for securing the underlying systems that manage the data is with the vendor.
When you license IaaS or PaaS, the share of responsibility that remains with you, particularly around the security of the data, is profoundly different. The vendor will not be taking care of it for you. It is far more familiar to the traditional understanding of the roles of developers, sysadmins, network engineers, security, and policy professionals than it is with SaaS. The tools and techniques may differ, but the fundamentals are the same. It is the responsibility of the IT professionals to learn the native methods necessary to build and maintain their systems and applications to the best practices of the chosen platforms.
That’s all well and good in an ideal world, but what about in the academic world? A world of academic freedom, of letting a thousand ideas bloom, and of the P-Card?
You Only Thought You Were in Control
Long before the majority of higher ed IT professionals started to think about cybersecurity CIOs and CISOs were already losing sleep over it. All those servers running under desks and in closets, seldom patched and always connected, gave them a good reason. In the past decade, institutions have increasingly worked to reduce their threat surface by pulling those machines into data centers and under the scrutiny, if not full control, of dedicated security teams. Then along comes cloud computing and every department with a P-card and every researcher able to navigate a credit request form is setting up shop on a cloud platform.
Cost Efficiency
I’ve long talked about the three boogeymen of cloud computing – security, job loss, and run-away cost. I’ve just raised the fearsome specter of the first, I’m happy to say the second is retired and living comfortably in a three-room, open-plan beach house in San Martin and the third, cost, is moping around as a 14-year-old feeling misunderstood.
Run-away cost is, not-so-sadly, a shadow of its former self. A great many cost issues, certainly those of the run-away clan, are dealt with through training, best practices, and some default controls. Tools for setting budgets and alerts are available on all platforms and FinOps basics are moving from the rarified halls of the sacred arts to the art fair on the public square. (In fact, stay tuned to this space for just such an exhibit of the FinOps arts by a number of your colleagues – coming soon.) Sure, you’re still going to have the dodos who leave the t3.2xlarge on when they go out with their new dorm buddies and only remember it’s still running at midterms, but hey, summer jobs build character. This doesn’t mean it’s no longer a problem, but it may be time to downgrade it to a cloud boogeyboy.
You Can Only Manage What You Can See
Cloud computing is barely into its toddler years in higher education. It has already brought innovative tools, on-demand power, and agility to our researchers, opportunities for the reinvention of administrative systems, and the kinds of possibilities for real-world learning faculty could scarcely imagine in their classrooms. Motivation is high. Access is distributed. Training is spotty. Controls are few. What could go wrong?
Most cloud enablement teams want to get out of the way and let their users do their work, but all institutions want to at least have an idea of what is going on in their name and would ideally like to have visibility into inventory, security practices, data exposure, spending optimization, etc. Because we are in higher education we generally must cede control of the accounts, but we have the responsibility to maintain oversight on behalf of the institution. How do we balance the advantages and opportunities of hyper-scale computing and its innovative tools and services, with the loose reins inherent in most academic institutions all while ensuring data security, efficient use of resources, and protection of institutional reputation? Sure it sounds easy, but what do we need to help make it happen?
Building this kind of monitoring is possible, but impractical. The cloud providers each have their native tools, but they are often more designed for a corporate enterprise than the demands that make the academic enterprise so special. What’s more, most of higher ed is living in a multi-cloud world and who wants to repeat all their work in triplicate?
The Soft Contours of a Hard Space
While I would argue that the challenge, at least for higher ed, is fairly well defined, and the third-party solutions are legion, none seem to be a perfect fit. Some have strengths in security, but lack the cost management and spend optimization tools. Others do a great job of spend tracking and trending while lacking global security policy controls. Some will monitor everything in your enterprise and charge you for it even if you are not concerned about those thousands of student projects in your GCP Organization. Some have a strong feature set but have yet to extend it equally to all three platforms. There is a lot of overlap and while that makes for a cool collage effect, it does not give us the easiest way to compare them head to head.
It Turns Out That You Are Driving This Thing
This is where the community comes in. The higher ed IT community is endlessly curious, highly collaborative, and knows the value of experience and recommendation. Whether through the monthly calls of the Cloud Computing Community Group, webinars in this year’s virtual Cloud Forum, conversations in the Common Solutions Group, or one of the many Internet2 working groups, higher ed cloud practitioners are sharing their questions and experiences with colleagues around the country. We help each other identify candidates for solutions, often short-cutting countless hours of online research, demos, sales calls, etc. We do that one-on-one and we do it more systematically with Internet2’s NET+ service evaluations.
Internet2 recently announced the launch of four new NET+ programs, each the culmination of the many hours of service by fellow higher education institutions, working together to share their requirements and challenges evaluating potential solutions. Two of those new programs, NET+ CloudCheckr Premium and Palo Alto Networks have tools in this cost and security management space.
They are hard to completely line up side-to-side, but they were identified by you and your peers as good solutions to meet at least some of this spectrum of needs. They are widely used by many schools and several stepped up to do the due diligence of evaluation, work to inform the vendor on how best to work with higher ed, and hammer out better contract terms than if each had gone it alone. Now that work is available to you. You can learn more about NET+ CloudCheckr Premium by checking out the recent deep-dive webinar and join the discussion about NET+ Palo Alto Networks by joining the Thursday, July 15 Town Hall “Cloud-native security for workloads and SaaS applications.” (Details and Registration).
As mentioned above, we just added NET+ CloudCheckr Premium to the IPS portfolio. There was also a great conversation about third-party monitoring and management tools at the June 23 Cloud Computing Community Group (CCCG) meeting. Check out the notes for additional ideas.
Here Is What I Am Doing
- I’ve started conversations with another tool in this space, CloudTamer. They are cost and security management with a twist (It’s not SaaS). I will be setting up a virtual community event for everyone to take a look.
- I’m reviewing the submissions that have been coming in via the suggestion form I set up for you, looking for patterns. I’m already seeing some ideas that challenge my assumptions, which is great. Keep them coming
- Every day, I engage with you one-on-one and in small groups to hear what challenges you are trying to overcome. Let me know if you want to chat.
Here Is What I Need You to Do
- This is more fun when you engage. Read the previous blog posts. Digest and debate with your campus colleagues and the community on Slack (see https://tinyurl.com/edu-cloud-community under “Community Cloud Conversations” for a link to join).
- Fill out this brief form (early and often) to submit your suggestions for specific services or even nebulous areas of need.
- Watch out for the future posts in the series where I’ll continue to open our collective cans of worms.
But Where Does That Leave ‘Cloud?’
Let’s just admit right up front that we are stuck with the term Cloud as a category label. It represents the category of tools, techniques and, let’s face it, game-changing innovations brought about with the advent of hyper-scale computing. Those of us who work with these technologies can provide a public service by educating colleagues, and the greater public, what it is and what it is not. It is not simply computing in someone else’s data center or outsourcing your IT. For those who deal in technology or are concerned about data controls, it is vital they understand that not all “cloud” is the same.
So please go forth and educate, but don’t be pedantic. Use cloud selectively and accurately like you might a word like groovy. It’s best in the right context.
My daughter brought home a new boyfriend one day. He was what I will call a “technology civilian.” She asked me to explain to him in one sentence what I do for a living, specifically what “cloud computing” was. It’s not easy coming up with your elevator speech on the spot, but I said, “It is access to nearly limitless computing power at a moment’s notice and then having it disappear when you are done with it.” We all know that it’s more complicated than that, but he thought it was groovy.