Estimated reading time: 5 minutes
Editor’s Note: This conversation continues our series of interviews spotlighting the wonderful contributions that research and higher ed community members make to the NET+ Program.
Be on the lookout for additional interviews throughout the year, and email Apryl Motley if there’s a Cloud Superhero you would like us to spotlight in the future. We’re grateful for our volunteers and appreciate all they do to move our work forward.
— Sean O’Brien – Associate Vice President, NET+, Internet2
“Telling 11 year-old me that I’d be grappling with ethical issues around AI, data security, and privacy would have sounded like science fiction,” said California State University’s (CSU) Josh Callhan as he reflected on what he enjoys most about his job as the university’s systemwide chief information security officer (CISO).
“I’m never bored and always learning,” he continued. “There’s something new coming along pretty much every day, so I get to work with some extremely smart and competent people finding good solutions to novel and complex problems on the cutting edge of technology and social change.”
Prior to taking on the systemwide CISO role at CSU almost three years ago, Josh served as the information security officer and chief technology officer at Cal Poly Humboldt. He had held leadership positions at that campus since 2006, along with prior experience as a systems and network engineer at CSU Monterey Bay.
Josh credits Internet2, and particularly the NET+ Program, for “being really good at bringing people together around critical issues that are hitting wide swaths of higher ed. Then somehow, seemingly through miracles, getting those folks to consensus around requirements and cutting reusable deals with vendors to actually address some of those problems.”
He played a key role in helping to address one of those problems, the challenge of evaluating cloud vendor risk. After leading a task force at CSU that adopted the Higher Education Community Vendor Assessment Toolkit (HECVAT), Josh joined the HECVAT core team and incorporated the scoring that became the second version of the tool.
Read on as Josh offers more insights about the value of active involvement in the R&E cloud community.
Best Advice About the Cloud Josh Ever Received: “I’ve got to go back to the old classic: ‘There is no cloud; it’s just someone else’s computer,’ which I think originated with Brian Greenberg in 2016. Now I don’t take that to downplay the advantages of using the cloud: Scale, automation, elasticity, and commodity price points are really compelling and enable some very secure and resilient architectures. But it’s a really important concept to keep in mind when thinking about risk. Every cloud-based app is built by a team using different practices across different cloud architectures, and institutions accept some level of risk when they agree to store or process data in each of those.”
How does
your current role involve the cloud?
JC: So 11 year-old me is saying “how does it not”? There’s been a
shift in higher ed operations that started pre-COVID, but accelerated massively as we scrambled to support
remote learning and remote work. Pretty much every functional area now relies on some element of cloud
services. You used to see business continuity plans where a lot of operations could switch to paper during a
network or power outage, There’s a whole lot less of that these days. So, I spend a lot of time reviewing
cloud purchases and assessing vendors’ security postures.
What are
the greatest challenges and opportunities for research and education when it comes to implementing cloud
services? How does HECVAT help address them?
JC: At this point, most folks are just struggling to keep up with
the scope and volume of the [services] available. Most institutions I talk to need to do some level of
evaluation of all technology purchases across campus, and then triage down to just doing full evaluations
for the ones where institutional data is being hosted or processed. Having the standardized format of the
HECVAT really helps small teams quickly evaluate the security posture of technology service providers and
assess those risks.
What
motivated you to be actively involved as a volunteer and work on HECVAT? How has volunteering benefitted
you?
JC: At the end of 2017, I was finishing up a term as chair of our
systemwide InfoSec advisory group and asked my peers what their biggest challenge was. Even back then, it
was the challenge of evaluating cloud vendor risk. So, I set up a task force, and we worked on some common
procedures and forms as well as adopting the HECVAT as our standard evaluation tool. Because there were so
many questions, we worked up a rudimentary scoring tool for it in Visual Basic. That led to me joining the
HECVAT core team and incorporating the scoring that became 2.0. It’s been a really valuable experience to
work with the team and be more involved with EDUCAUSE, Internet2, and REN-ISAC through this process. My
presentation skills have definitely improved by helping do so many of these sessions.
Why is
it important to have an active and vibrant cloud community in R&E?
JC: The community around all this is really the most important
part. We are all in this together, facing the same threats, managing the same vendor risks, and working
under a lot of the same limitations. The original vision was to actually share these assessments, but that
quickly ran into challenges with the service providers. There are also concerns about that type of sharing
from the assessors in the community. They are worried that they will say a cloud service is low risk based
on the limited use case their institution was planning for, and then someone else may take that low-risk
label and approve the same cloud service for a broad deployment with a lot of data. We’re going to keep
chipping away at this problem and find some ways to share both assessment results and the context in which
they were done, at least within smaller subsets of our community.
What works now is that we have
this community, and we all talk to each other. Because we use the same service providers and face a lot of
the same challenges, it’s typically pretty easy for me to reach out to colleagues at other universities and
get feedback on products and services.The HECVAT both expresses this community’s needs and desires in this
space and provides us a common language and framework to have these conversations.
< Back to Internet2 News