Campus considerations for purchasing cloud computing services Cloud computing services are services that are available over the Internet and are not hosted locally on Pace‐
operated systems. Cloud computing services are commonly referred to as ‘Software as a Service (SaaS)’ – also known as ‘Hosted Services’, ‘Infrastructure as a Service (IaaS)’, or ‘Platform as a Service (PaaS)’. Each of these offer varying degrees of flexibility and control. Benefits of cloud computing systems include: reduced implementation time; flexibility to quickly add new features; ability to rapidly expand resources such as storage, bandwidth, or processing power; and enhanced availability. Unlike traditional computing systems which are under Pace control, cloud computing services are managed by the provider and typically integrated with Pace systems. Considerations ‐ 








Pace Authentication: Does the vendor support Pace authentication and use systems such as Shibboleth? This allows use of current Pace ID and password while not revealing it to the vendor. Integration: Will the service need to access data in Banner or other Pace systems? Does the vendor support or have experience with integrations? Is data sent securely between systems? Vendors need to ensure that data is exchanged in a secure manner, such as STFP (Secure File Transfer Protocol). Service Level Expectations and Agreements: How will the vendor provide support? Are there costs associated with different levels of support? What are the hours of support? How quickly will they respond? How often will they perform upgrades? How do they communicate system problems? Service Level Agreements (SLA) should be reviewed and discussed during the selection process. Costs: Are all costs of a system taken into consideration? What are the implementation or integration costs? What does the license cover? Not cover? Are there additional costs for storage capacity and/or bandwidth? Data Security, Protection, and Compliance: Does the vendor certify that their systems comply with pertinent regulations such as PCI‐DSS (Payment Card Industry Data Security Standards) for credit card processing or HIPAA (Health Insurance Portability and Accountability Act) for human research or medical data? These regulations dictate very specific methods for the storage and processing of data as well as maintenance of systems and infrastructure. Do they regularly audit their security posture and systems? Vendors should provide the details of their security plans and outcome of any security and system audits. Data Ownership, Location, Access and Use: Will the vendor ensure that university data will only be used to deliver services under the contract and not for any other purposes? Will Pace data be kept on servers located within the US? Many countries do not have the same level of protection for intellectual privacy and data security as we do in the US. Does the vendor provide the ability to download raw data when requested and at the end of any service contract? Accessibility: Does the vendor provide interfaces that are functionally accessible and comply with section 508 of the US Federal Rehabilitation Act? Service providers should be asked to demonstrate how their system meets these regulations. Exit Strategy: How easily can the service be terminated and replaced with another service? What happens if the vendor goes out of business or is acquired? Ask for References: Does the vendor have higher education experience? How well do they provide services and support? It’s often a good idea to speak with other customers to verify vendor experience before making a final decision. ITS can help to navigate this list of considerations and our staff will assist in the evaluation and review of vendor viability. Contact us at [email protected] .