What is the Cloud?
Utilizing the cloud means you are storing and accessing your data and programs through online servers over the internet instead of your local business computers. The cloud is a metaphor for the internet.
Organizations and third-party vendors must adhere to strict compliance regulations, laws, and best practices when using cloud computing services to ensure data security, privacy, and operational integrity. These standards help organizations manage risks, protect sensitive information, and maintain customer trust in the cloud environment.
Overview: What is "Cloud Computing"?
In computing, "the cloud" refers to a global network of remote servers that provide on-demand computing services over the internet. Instead of storing data and running applications on local devices, users can access these resources remotely through the cloud, offering flexibility, scalability, and cost-effectiveness.
Use the U-M Software Directory to search for both cloud-based and traditional “on-prem” software available to faculty, staff, and students across all three campuses and Michigan Medicine.
Risks of Cloud Computing
Cloud computing offers numerous advantages, but it also presents notable risks. Downtime is a significant concern, as service outages can occur due to technical failures, cyberattacks, or natural disasters, which can impact organizations that rely on continuous access to their data. Data security is another significant risk; storing sensitive information on remote servers outside your control can lead to security incidents, such as data breaches or unauthorized access if security measures are insufficient. Additionally, data export and vendor lock-in pose challenges. Once data is in the cloud, exporting it for backups or migration can be complex and costly, and organizations might become dependent on a specific vendor’s ecosystem, limiting flexibility and driving up switching costs.
One additional risk of cloud computing that is often not considered is the financial cost involved. When you obtain a cloud environment, you are financially responsible for all activity in that environment. The vendor will charge the university for all consumed resources (storage, compute, subscriptions, etc.) for the life of the account, and the university will subsequently charge the corresponding internal billing code. You should consider how these costs will be addressed both at the onset of activities and beyond the end of the project or activity.
Cloud Computing vs On-Prem Computing: Pros and Cons
Cloud computing and on-premises computing each have their pros and cons. Cloud computing offers excellent scalability, allowing organizations to adjust resources without requiring physical hardware, which can lead to cost savings as they only pay for what they use. It also shifts maintenance and updates to the provider (in the case of SaaS and PaaS solutions), easing the load on IT teams. However, it involves risks such as reduced control, data security concerns, and compliance issues due to reliance on third-party vendors.
Conversely, on-premises computing provides greater control over data and infrastructure, thereby enhancing security and compliance when managed correctly, as data remains in-house. It doesn't depend on internet connectivity, offering more consistent performance without the risk of external service interruptions. Yet, on-prem requires a hefty upfront investment in hardware and IT staffing for maintenance and upgrades. It also lacks the rapid scalability of cloud solutions, which could be inefficient for businesses experiencing fast growth or changing workload demands.
Cloud Computing Service Models
The National Institute of Standards and Technology (NIST) developed a conceptual model that illustrates these interdependencies and demonstrates how various models and the consumption of cloud services interact. The model facilitates discussions and considerations, regardless of vendor- or product-specific terms, for areas such as contracting, compliance, law, security, privacy, architecture, design, roles and responsibilities, data classification, operations, consulting, business requirements, and more.
ITS currently offers cloud computing services that enable the U-M community to consume public cloud computing more easily. It integrates resources on campus, provides consulting services and training, and seeks opportunities to offer shared services utilizing cloud computing.
There are generally three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Software as a Service (SaaS)
Software as a Service (SaaS) is a cloud-based model for delivering and licensing software. Instead of purchasing and installing an app on your computer, you typically subscribe (monthly or annually) and access it via the internet, often through a web browser or mobile app. The provider hosts, maintains, and updates the software behind the scenes, allowing you to use it online with ease.
Examples of Software as a Service (SaaS) at U-M include:
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a cloud computing model that provides a platform for developing, running, and managing applications without the complexity of managing the underlying infrastructure. It offers developers tools, infrastructure, and services to build, deploy, and manage applications, freeing them from the burden of server management, operating systems, and other infrastructure components.
Examples of Platform as a Service (PaaS) at U-M include:
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a cloud computing model where a third-party provider delivers virtualized computing resources over the internet. This includes resources like servers, storage, and networking, allowing businesses to rent these resources on a pay-as-you-go basis rather than owning and maintaining their physical infrastructure. It is important to note that in the case of IaaS solutions, the customer is responsible for configuring and securing these resources.
Examples of Infrastructure as a Service (IaaS) at U-M include:
- Unmanaged MiServer Hosting
- Amazon Web Services at U-M
- Microsoft Azure at U-M
- Google Cloud Platform (GCP) at U-M
- ARC Secure Enclave Services (SES)
Visit ITS Virtualization & Cloud Computing for a list of IaaS offered by ITS.
Cloud Computing Deployment Models
In addition to the various cloud computing service models, these models can be deployed with varying points of access and integration within an organization's computing infrastructure and network. Leveraging the NIST (National Institute of Standards and Technology) definitions, there are four deployment models for cloud computing: private cloud, community cloud, public cloud, and hybrid cloud.
Private Cloud
A private cloud is a cloud infrastructure or service exclusively provisioned for a single organization, potentially serving multiple departments or units within it. Ownership and operation of this cloud can be managed by the organization itself, a contracted third party, or a combination of both. The infrastructure can be located either on the organization’s premises or off-site.
Community Cloud
The community cloud model is designed for use by a specific community of consumers from different organizations that share a common interest, concern, or business requirement. This infrastructure may be owned, managed, and operated by one or more of the participating organizations or by a third party. It may reside either on-premises or off-site.
Public Cloud
Public cloud infrastructures are available for use by the general public and are accessible to anyone. They are housed on the cloud provider's premises. They can be owned, managed, and operated by a variety of entities, including businesses, academic institutions, government bodies, or third-party providers.
Hybrid Cloud
A hybrid cloud is a system that integrates two or more cloud models (private, community, or public) using technologies that enable seamless data and application portability. It allows for a unified, scalable, and flexible environment while preserving the unique advantages of each cloud model.
These definitions align with the University of Michigan's standards and best practices, ensuring the secure and efficient use of cloud technologies to meet diverse institutional needs.
Links to U-M Purchasing and other helpful resources
Be sure to follow all applicable Standard Practice Guides (SPGs) and university guidelines when purchasing cloud products. Adhering to these policies helps ensure compliance, security, and responsible use of university resources.
- Standard Requirements when using Sensitive Data in the cloud (DS-20)
- Guidance on sensitive data in the cloud (Safe Computing)
- Third Party Vendor Security & Compliance provides guidance and resources to help University of Michigan units assess and manage the security and compliance risks associated with third-party vendors.
- The Procurement website provides tools, resources, and guidance to help University of Michigan faculty and staff efficiently purchase goods and services in compliance with university policies and procedures, which includes Cloud Computing purchasing information.
