A path to greater local value
Over 45% of the University’s core information systems and departmental applications are now in the cloud, or more accurately Software-as-a-Service (SaaS). This means that instead of purchasing a copy of the software and installing it on a University-owned server in a University-owned data centre, we often purchase an annual subscription to an online, web-based service that is running on servers somewhere else. This shift to the cloud can be recognized in our personal use of computers and devices, too (e.g. storing photos, watching movies online).
SaaS at Waterloo
The University’s human resources (HR) system, financial system, and learning management system are all Software-as-a-Service, as is Microsoft Office 365. All of these systems were selected through a 'Request for Proposal' (RFP), which is an open competitive bidding process, a requirement for most major expenditures as per the University’s Policy 17 "Quotations and Tenders" and Ontario's Broader Public Sector Procurement Directive.
Nearly all system RFPs issued by IST over the last five years have been awarded to cloud vendors. Often, only cloud vendors respond to the RFPs, and in cases where both on-premises and cloud vendors respond, the cloud solution is typically stronger in a cost/benefit analysis. This is a trend in the software industry. The options for on-premises installation of software are decreasing, and in cases where they are available, they require significant local effort and expertise to install, maintain, and operate. It is estimated that about 50% of the systems used by small and medium-sized businesses (SMBs) are cloud hosted, while large enterprises have about 30% of their systems in the cloud.
How we manage risk
For the University’s information systems, Information Systems & Technology (IST) has put a significant amount of effort into managing risk: the risk of unlawful access to our data, destruction of data, fraud, and loss of service. We have been managing these system risks in our data centres for a long time, using industry-standard approaches, including:
- Redundant data centres and servers to maintain service during equipment failures.
- Battery backups and generators to maintain service during power failures.
- Locks, alarm systems, cameras, firewalls, operating system patching, monitoring, and a myriad of equipment and activities to keep servers secure.
Enter a new way of doing things – The Cloud. Many of those things we’ve historically done to manage risk are now out of our direct control. With the cloud, someone else is doing those things for us. This loss of direct control can feel like an increase in risk, but the traditional way isn’t risk free either and requires significant resources in terms of staff time, facilities, equipment, and expertise across broad topic areas.
Managing risk with cloud solutions
All new systems that store or process personal information, or present other significant risks, undergo an Information Risk Assessment (IRA). During this process, IST works with the Privacy Officer, Procurement & Contract Services, Finance (when e-commerce is involved), the functional department that owns the new system (e.g. HR for Workday), and the vendor to ensure risks associated with data loss, privacy, availability, etc., are acceptable. Other steps taken to mitigate associated risk include standard language in our Request for Proposal (RFP) templates to allow comparison of vendor responses across risk areas; a continuous improvement model for our IRA; an internal audit of our processes and controls for new cloud computing arrangements; and our increasing knowledge of, and experience in, procurement and use of cloud services, which has matured over the last eight years of using such services.
This does not mean cloud solutions are without risk. With systems in our data centres, we had greater direct control of many of the risks. With the cloud, there is a greater dependence on processes and contracts to manage those risks, as well as a stronger vendor management practice within IT.
The cloud and people
Cloud solutions still require people. The implementation of a large system (e.g. Unit4) is a major undertaking that requires analyzing business processes and mapping them to the product functionality, building integrations with other systems, and populating the system with data. A personal touch is also required for ongoing work, including enabling new capabilities, building integrations with new systems, and creating solutions for gaps in delivered functionality.
With cloud, the type of work we are doing is gradually changing. With 45% of our systems in the cloud, we are now doing less work in areas of systems and database administration, for example. This creates an opportunity to do additional new things, things the University needs, without increasing costs. We still have deep expertise across multiple service delivery models, from local development to open source, on-premises commercial software, and cloud, and we are still innovating and delivering value to the campus in new ways, such as increased capabilities in areas of business analysis, project management, security, reporting and analytics (and associated data warehousing), system configuration, and custom development.
What the future may hold
Commercial software, whether on premises or in the cloud, still doesn’t do everything we need out of the box. The combination of cloud, customized reporting and analytics, and custom development when needed, is very compelling, and, to date, we are experiencing great success with this model. As existing information systems go through their regular cycle of renewal, we expect we could reach over 80% of our systems in the cloud within five years. Our next data centre upgrade, expected to be needed within a decade, could look significantly different. Perhaps smaller, less expensive, and more sustainable. However, it is important to remember that while our work is changing, there may still be instances where requirements or cost/benefit analysis favour an on-premises solution.
I hope this helps explain our journey to the cloud, and the new value we’re delivering.
(originally posted December 17, 2019. Updated December 7, 2020)