More charity IT
Getting your IT right is crucial for charities. So for articles on the use of IT for charities ranging from admin to marketing, click on the headline links below.
Click on the headlines of your choice.
The merits of cloud computing for charities
Charities spend too much of their funds on salaries and administration, that's according to two thirds of the public in a recent study by the Charity Commission. So as charities look to trim IT budgets as a way of cutting costs, cloud computing has emerged as an attractive option to save money and improve efficiency.
However, with growing excitement around cloud, charities have to be wary of getting swept up in the buzz and simply jumping on the bandwagon. It is important to understand the key considerations when you consider making the move.
What is "cloud"?
With all the hype surrounding cloud computing, it is easy to get lost in all the jargon. Gartner describes cloud as a "style of computing in which scalable and elastic IT-enabled capabilities are delivered using the internet". In the simplest terms, cloud computing means storing and accessing your data and programs over the internet instead of using your computer's hard drive.
The cloud removes the need to have a physical space to store all your data in your office, and instead makes it possible for you to access that from anywhere in the world with an internet connection.
So what are the things you need to consider when looking into the cloud? And what else can the cloud do for you and your charity?
Working flexibly - anytime, anywhere
It is important for a charity to consider the benefits of accessing data from outside the office and from different locations. One of the biggest advantages of cloud is that it provides access to data anywhere, at any time over an internet connection. It supports round the clock operations, which can be of great use to charities which have staff based abroad or working outside traditional office hours. Whether these are full-time employees, volunteers or project workers, cloud offers secure access to systems from remote locations 24/7.
The flexibility of cloud can drastically reduce time spent on administration, freeing up people to add value in other areas. Instead of having to wait until you get back to the office to update records or share information, you can do it from the field. You can spend more time with the people your charity is trying to help, and more importantly having all their information stored digitally can allow you to be fully briefed before you meet them.
On top of this, it saves beneficiaries revisiting your service from having to retell their difficult stories, as their data is automatically available on your system.
Scalability - changing with you
The ability to rapidly scale up or down with a cloud solution can make a real difference for charities which see seasonal or campaign peaks. It can easily scale with your team - so if you're expanding and hiring new staff, or bringing in a large group of volunteers for a big campaign, you can set them up quickly. Just as easily, you can shut down their accounts once the project is complete, meaning that you only pay for what you need at that point in time.
Lower costs and manageability
The reduced cost of entry for cloud software is making it enticing for charities looking to switch. Unlike on-premises applications, where a bigger up-front investment is required to purchase the hardware and software, you are paying monthly for the service and the computing power needed to run it. This helps manage your cash flow and in turn can reduce administration as well.
All IT administration, including licensing issues, software updates and security management will be taken care of by your cloud computing provider. Removing this burden allows charities to concentrate on their core activities and be more productive.
Of course while there are several benefits, one common concern with the cloud is data security. Particularly for charities which are collecting many donors' financial details, and maybe details about their clients, e.g. care charities, it is understandable they can be hesitant to put that information into an "unknown sphere". The security put around data centres - where all the information is secured - is among the most sophisticated in the world. On top of that, the cloud software itself is the same level of encryption as online banking, which is now commonplace in our everyday lives.
But questions around security should not simply revolve around data security - it's about physical security too. With cloud computing, your data will always be backed up and protected from threats such as theft, fire, flood or other physical threats.
Not all or nothing
The cloud has opened up new ways of operating as an organisation - of communicating, collaborating or managing data. While it can be for everyone, there's never a one-size-fits-all answer for charities and it needn't be an all or nothing decision for your charity. It should be treated as a solution to a problem, not the latest craze.
Once you understand what the main pain points of your charity are, or what could make your day to day operations run smoother, then you can have the discussion around which sort of solution is best suited for you, be that on-premises, hybrid or cloud. Some charities have moved some of their operations online while retaining physical solutions for others. Either way, the solution just has to be right for your own charity.
Think about what the short and long term priorities of your charity are, and whether your IT solution will be flexible enough to accommodate your business needs over the next one, two or five years. Cloud computing is always something you can plan towards, or revisit when your charity is ready.
For anyone considering moving to the cloud, it's important to find a trusted intermediary who understands you and how the benefits of the cloud can be moulded to your needs. A software provider is a good first port of call for help. Not only should they be well placed for advice, but they should offer the support and guidance needed to make any migration, and will manage the technology so you are left to reap the benefits.
If it's time to revaluate current expenditure or look for places to cut costs, your IT services may be the place to look. Whatever the decision, it's important to free up the time you currently spend worrying over "business" hassles, and spend that time focusing on your cause.
Sage's Rob Davis - one of the biggest advantages of cloud for charities is that it provides access to data anywhere, at any time over an internet connection.
"The ability to rapidly scale up or down with a cloud solution can make a real difference for charities which see seasonal or campaign peaks."
"Cloud computing is always something you can plan towards, or revisit when your charity is ready."
Improving the impact of IT in charities
Information technology is a common phrase but too often the emphasis is placed on technology rather than information. The rate of change in technological advance is quick and many charities struggle with how to get the best out of technology. Again the key lies not in technology but in the information. All charities tend to grow organically and processes are created that they follow to perform their daily tasks. The processes are human adaptations of what needs to be achieved and underpinning them in most offices is information technology. The relationship between the processes and the information systems is the conundrum.
How to unravel the conundrum
Well designed and thought out IT is an enhancer, adding greatly to the productivity of users but too few charities spend sufficient time in understanding their requirements or analysing their processes. This seeming ennui is perhaps due to insufficient understanding of what IT can do by those who ultimately sanction it or because the return on investment is not clearly demonstrated.
Bill Gates, the founder of Microsoft, said on the topic of IT: “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
His assertion is fair and emphasises that the technology needs to be applied to something running well to get the maximum benefit and this is why the process analysis is crucial to getting proper value for money from IT expenditure. It is not enough for a charity to buy a piece of software that everyone in the sector runs because it is well thought of. It is more important to know what you do before looking to see if there is a package that will underpin it and support it.
How a charity should manage IT
The IT decision making in most charities is in reality delegated to a technical director, IT director or some other title, albeit under the supervision of the trustees and chief executive/finance director. But the responsibility resting on their shoulders is huge, as unlike many other operational areas, the trustees and other senior executives do not usually understand the interdependent complexities in the decisions that are being made.
If a board is going to discuss an annual budget, there will be a lot of debate on fundraising targets, marketing expenditure and advertising but IT does not get the same open forum because it is outside most of the players' comfort zones. There is an acceptance of the importance of IT and the management landscape is shifting with the introduction of roles such as chief digital officer (with charities promoting themselves digitally so much) but who should fill the role is unclear.
In larger charities certain requirements can lead to silos being created, but in smaller charities there are fewer silos and the management teams tend to work more closely and collaboratively, but they come late to appointing a dedicated IT director. The impact of a major piece of software that is unsuitable for a charity can be expensive, even catastrophic, and decisions to purchase and implement should be taken collectively.
This collectivism returns the ultimate sanction to the CEO for important decisions and ensures that the decision is understood by all interested parties. The interested parties are key as they own the processes which systems are installed to support or enhance. This reflects the paramount importance of knowing your processes.
Alignment of business and IT strategies
The alignment of IT and business strategies is the subject of many column inches in various IT journals and it is immensely important but little is ever written of how to achieve it. The mapping of business processes is a vital element of charities understanding what the IT systems need to support. Analysis of the processes as they are mapped will also help to streamline them and remove unnecessary steps that have been introduced over time.
Processes are, as previously stated, human and they evolve over time to meet the needs of the charity and changes in it, but frequently are not documented. The mapping process will elucidate the process with a simple-to-read flowchart of what happens and who performs each action. These maps form the basis from which a sound change management process can be established.
The pictorial representation of the process allows new sub-processes to be added and for impact analyses to be made of the change before implementing it. It also highlights what changes might need to be made to systems to handle the proposed change.
It is relatively simple to begin mapping a charity’s processes and at a very high level it is possible to engage the management stakeholders, but as the sub-processes are investigated, it is critical to engage with the end users. All charities are made up of people and they are the users of the systems and the guardians of the processes; they know what works and what doesn’t. In smaller charities it is easy to identify the “go to” people who are considered the authority by their peer group.
If you get all the “go to” people around a table it is very easy to see what processes you should map immediately and how the process is not always one dimensional but reliant on other departments or external partners. It is also surprising how some steps in the process add no value but are remnants of a previous method and can be excised.
Knowing what data needs capturing
The process maps tend to follow information and this brings us back to the introduction to this piece: it is the information required that is the most important part in the puzzle of how to get your IT working the way best suited for your charity. Once you know what data needs capturing, how, when and where the creation of a supportive platform is made considerably simpler.
The use of off the shelf software is understandable and cost effective but do not expect it to fit your processes and be prepared to develop any additional functionality you may need. It is very easy to explain to a developer what is needed if there is a map of the sub process you need incorporated.
The documentation of process is time heavy on important resources but is achievable, and the impact it can have when systems work well for users cannot be underestimated. It will raise morale, confidence and a sense of engagement with staff as well as act as a springboard for handling future change well and planning better.
Consequentially's Mark Mathewson - the mapping of business processes is a vital element of charities understanding what the IT systems need to support.
"...it is the information required that is the most important part in the puzzle of how to get your IT working in the best way for your charity."
Charities must focus on IT security
This article is about IT security for charities, both computer security and information security. To achieve good security can be quite demanding for charities and there are instances when they will have to go quite a few steps further than they might have envisaged, e.g. vetting software vendors to see if they are truly and adequately committed to security within their own organisations. This is not as far-fetched a requirement as may be thought - you only have to think back about some big security scares involving top IT and web company names to realise how important this is.
However, there is much for charities to do themselves before even considering the security commitment of software vendors. So let's start with the IT security responsibilities and priorities for charities themselves. There are two main misconceptions around charities:
The first misconception, shared by many, both in and outside the charity sector, is that the information and security regulations and legislation that apply to companies do not apply to charities. To be clear, charities are subject to all information and security regulations and legislation that apply to companies. The principles of the Data Protection Act, and the need to report a breach or loss of data, apply to charities, and the Information Commissioner will levy fines on a charity as promptly as for a bank or merchant.
The PCI DSS requirements to secure credit/debit card details still apply and any non-compliance penalties will be levied as readily as for an online supplier.
The second misconception is based on the dual ideas that charities have no assets to protect, and that nobody would attack a charity because everyone knows they are the good guys. Unfortunately, some people see the good guys as a soft touch.
Like every company, charities have assets that must be protected – supporters lists, financial records, HR records, bank records, credit/debit card numbers, details of drug trials, details of vulnerable adults and children. The difference is that most companies have the necessary resources to protect their assets, while charities need to do the best with what they have and make effective use of scarce resources.
There is one other difference between companies and charities – the latter have more to lose. While many companies and organisations can survive a data breach and even malpractice by staff, charities remain the last bastion of integrity in the UK. Loss of reputation will severely impact on their continued existence and good work.
The first and last line of defence is the training of your employees. However, when you look at the range of training, you have everything from the protocols used by military organisations to the training given to an employee at a petrol station franchise. The nature of the organisation dictates the depth of training required for the employees, but the mere fact that an organisation is a charity doesn't mean it can opt automatically for a lower level of training for employees. In other words, charity employees do need proper IT security training.
Challenging issue
When it comes to cyber security, this is a challenging issue in that most organisations do not have a security culture built from the ground up (such as military organisations). How do we train our call centre employees to protect the information they are supposed to protect while still providing the customer service that they need to provide? How do we ensure that our employees follow basic security practices related to the computers and services they use?
There are important aspects which apply to charities. First, it is important to split protocols and practices for sharing information related to interacting with end customers from the best practices for using computers and mobile devices internally.
When it comes to interacting with customers/beneficiaries and people outside the organisation, charity employees need to have clear guidelines to follow and very explicit instructions on how to handle conflicts and requests above and beyond what is appropriate.
The most visible example of a poor implementation and execution of these guidelines was the compromise of the personal information of Mat Honan, which was due to the mechanisms that Apple and Amazon used to handle customer service. Having clear, well thought through guidelines that are part of the fundamental training of the employees, and complementing this with blind testing, is a critical first step to ensuring that your employees are not being social engineered (i.e. their vulnerability is not being exploited to breach security).
Similar method
When it comes to the use of computers and the best practices within the charity, a similar method of enforce, train and test is required. For those things that can be enforced by the computers they should be: password policy should be enforced, and web browsing should be monitored when possible. The final line is training related to phishing - your security team should phish your employees before the hackers do. There are a number of internal security teams and small companies which will help along these lines.
The main ways the hackers use to exploit humans is through social engineering, finding flaws in policies or appealing to human emotion in order to reveal more information than appropriate. The other is to attempt to "phish" or use an email or a "watering hole" (a commonly visited website for the employee) to get them to click on a link which will then cause them to install malware.
Considerable process
Judging the security of a vendor can be a process lasting months, evaluating every aspect of development and delivery of the product. Software quality/vendor security is something the industry in general has had a very hard time setting a standard for. As there is no "gold standard" for measuring security, it is hard to require such proof from a vendor.
The trick that can be used (one that is used by major companies) is to simply ask the vendor to talk with their security team. If they can respond, provide a contact and that contact can provide a reasonable overview of the security precautions they take then you can be reasonably well assured that the vendor takes security seriously. Things to look for when talking with the vendor's security team include:
• Employee training - do they train developers and operational staff about security concerns.
• Basic security practices - if they are distributing software are they providing checksums for the download (to detect errors which may have been made during transmission or storage), if hosting a website, are they using SSL (Security Sockets Layer protection for transmitting private documents)?
• Secure development - do they have any practices related to ensuring the secure development of their software? Look for at the very least some sort of automated analysis.
• Secure operations - do they have a vulnerability assessment program? Do they hold themselves to an internal Service Level Agreement for patching known issues?
• Responsible disclosure process - do they have an established process to allow security researchers to disclose vulnerabilities found in their software or website?
This is not complete, but your purpose is not to establish if they are perfect at security, but rather to determine if they are serious about it. We will all make mis-steps, the question is whether the vendor is prepared and equipped to recover and improve. You need to establish that they have taken security seriously enough to establish a security team and that security team has the support to establish the basic practices within the organisation.
Don't be daunted by the task of checking on your vendor's commitment to security - it needn't be as fearsome as you might think. You will be surprised at how keen many software vendors are keen to demonstrate that commitment - and anyway, an unhelpful vendor should automatically cutting themselves out of being considered further. Also, how they do things may give you some interesting thoughts as to your own charity's security.
Top tips
Here are some "Top 10" tips for charities to think about when it comes to maintaining their own IT security:
1. Write an understandable security policy that spells out who is responsible for what. This doesn’t have to be War and Peace, just 10 or 12 items; probably the most important being to establish that staff should be open and professional in all communications.
2. Make it clear who owns the data. It belongs to the charity and irrespective of roles it should remain safe and secure under the (ultimate) control of a good governance framework, with the appropriate controls being put in place to ensure that this remains the case. Information security awareness is paramount. All staff should understand that the charity’s data has a value and must be treated appropriately.
3. Make it easy for users to do the right thing, and difficult to do the wrong thing when it comes to keeping information secure.
4. Tell staff how you expect them to handle and process your data before you allow access to it. Good induction for new starters is probably the best chance you'll get.
5. Don't let suppliers treat security as an optional extra. Security must be built into systems by design from the start, not added as an afterthought.
6. Be prepared to invest in information security. A good CISO (chief information officer) is a worthwhile expense, especially when compared to the cost of a fine.
7. The trustees need to understand their responsibilities and should be asking for a regular report of potential weaknesses. Even a simple penetration test of the network will highlight deficiencies and demonstrate a responsible attitude to information security. Another aspect is that this is all part of being ultimately compliant with SORP, particularly if you are a larger charity.
8. Don’t rely on contracts with third party suppliers of software and equipment. Carry out due diligence of suppliers before placing the contract and during the life of the contract. Don’t assume that everyone shares your high security standards.
9. Trustees must be aware of the regulations and laws relevant to all charities in the UK, and the impact on the charity in the event of failure to comply with these. The biggest impact of all will be adverse media attention.
10. The most important tip - use the free service and benefits of the Charities Security Forum. Membership is free and it promotes best practice across the sector, and gives advice and support to security personnel in charities of any size, sector or location.
The Charity Security Forum's Brian Shorten (left) and AlienVault's Russ Spitler - when it comes to the use of computers and the best practices within the charity, a method of enforce, train and test is required."...charity employees need to have clear guidelines to follow and very explicit instructions on how to handle conflicts and requests above and beyond what is appropriate."
"Security must be built into systems by design from the start, not added as an afterthought."
"Don't assume that everyone shares your high security standards."
Picking up donations from card payments and e-commerce
Despite the ongoing constraints of the financial crisis, charitable giving from wealthy donors is in a reasonably healthy state. According to recent research covered in the Financial Times, the total number of donations above £1m has increased since 2006, from 193 to 232. Admittedly, the total value has decreased from £1.62 billion to £1.24 billion, but charities are evidently successfully nurturing their relationships with philanthropists to encourage consistent giving, and attracting new donors at the same time, which is no simple task in the midst of the current economic climate.
However, the numbers at the other end of the scale – donations from the general public – tell a very different story. Latest figures from the UK Giving Report 2012, published by the Charities Aid Foundation, show that broader UK giving is waning. The estimated total amount donated to charity by adults in 2011/12 was £9.3 billion; compared to 2010/11, this represents a decrease of £1.7 billion, or 15%. Adjusted for inflation, the decrease climbs to £2.3 billion in real terms. These figures represent the lowest level of charitable giving since the report started recording donations in 2004.
This potentially represents a huge problem for charities in the UK. Overall, donations failing to rise is enough of an issue in isolation, but declining donations twinned with relatively high inflation and low rates could put many charities on the precipice of a funding crisis.
Possible reasons
There are various possible reasons for the drop in donations – the stalled economic recovery being one. However, this fails to explain why numbers are at their lowest now, rather than say in 2008/09 when the crisis was at its worst (at this time the figure was £9.8 billion).
Looking at the way people donate could provide us with some guidance on the decline. For all eight years of the Giving Report, cash has been the most prevalent method of donation, and in 2011/12 this remained the case. Yet the overall usage of cash in the UK is falling as consumers gradually move to electronic payment methods, such as credit and debit cards and direct debit. Charities need to think carefully about how they should be adapting to this change.
Traditionally, public focused, broad charity fundraising has focused heavily on cash – collection tins and buckets for example which rely on a combination of footfall and loose change. Recent years have seen a growing shift towards direct debit, and this has been highly successful; a third of all charitable donations in 2011/12 were made via this method. But direct debit requires a significant investment of manpower to recruit new donors, and some individuals who are happy to donate a few pence or a pound can never be converted to regular high value givers.
The key to addressing this issue is to consider how individuals in the UK are using new technology and then adapt to it to ensure that charities are well positioned to benefit. Plastic is rapidly eclipsing cash as the preferred method of payment, for example. In March 2013 the share of plastic card spend in the retail sector was 73.1%, according to statistics from the UK Cards Association. Equally, the rise in contactless card payments, of which there are now 125 every minute in the UK, is slowly edging out cash in the low value transaction space for everyday items.
Electronic systems
Using electronic donation systems, which act the same way as a collection box at the till, but operate through the card payment terminal, are one way of capturing more card spend as this transition to plastic takes place. One charity, for example, works with major retailers to give cardholders the option of rounding up to the nearest pound when they pay. This has the potential to raise huge revenues for charities given the sheer number of transactions taking place every day.
Most payment processors usually waive the charge for providing these services, and the request for the donation comes from the card terminal – a neat way of outsourcing a job a volunteer might otherwise have to do rattling a collection bucket, so their time can instead be used more productively.
Equally, handling cash is by no means free. Physically attending a shop to empty collection boxes is time consuming and the process has historically been very difficult to protect against theft.
There are other benefits in addition. For example, the rewards are potentially much greater, because consumers tend to spend more on card than they do with cash. The Giving Report research found that card and cheque donations had the largest average of £20 out of all donation methods; four times the typical value for cash. The use of plastic for larger value transactions among UK consumers means that proportionally, charities are more likely to receive higher amounts from discretionary sums added to bills and card terminals.
Online shopping
Another area where charities should focus their attentions is e-commerce. The gradual shift of many consumers to online shopping has led to an enormous rise in the number of e-payments. In 2011, according to a report from OffCom published in December 2012, the per head spending on e-commerce was £1,083 in the UK – higher than anywhere else in Europe.
Suggesting the addition of an extra few pence or a pound on to a hotel bill or big ticket item will seem minimal to the consumer, but represent enormous revenue opportunities for charities given the sheer volume of e-commerce spending taking place in the UK. This is a growing area which is being driven forward in tandem with electronic donation boxes.
It will be essential for charities to start thinking now about the way they approach the collection of donations. The reason for this is that the adoption of new technology is likely to be considerably more prevalent among young people, which needs to be a key area of focus for charities as they look to engage a new generation with charitable giving. Giving is currently skewed to the over 65s, and in general tends to increase with age – so charities must be forward thinking in preparing for the generation beneath who have grown up with a completely different approach to technology.
Thinking laterally
With the economic upheaval ongoing, charities are facing unprecedented pressures on their finances. However, by thinking laterally and placing themselves at the forefront of changing technology, they open the possibility of fundraising from completely new avenues, as well as future-proofing income flows from a new generation of donors.
Global Payments’ Andrew Langford – using electronic donation systems which act in the same way as a collection box at the till are one way of capturing more card spend as the transition to payment by plastic takes place."The key…is to consider how individuals in the UK are using new technology and then adapt to it to ensure that charities are well positioned to benefit."
"The use of plastic for larger value transactions among UK consumers means that proportionately, charities are more likely to receive higher amounts from discretionary sums added to bills and card terminals."
Why using the cloud is good for charities
But even though the term "cloud" itself is fairly new, the idea is not. We’ve been using it, often unknowingly, for years on our mobile phones and emails with all the data stored elsewhere – in the cloud. Now users can simply download all the software and data they need from a hosting provider’s datacentre via the internet, with all maintenance, software upgrades and security handled centrally as part of the service.
PARTICULAR BENEFIT TO CHARITIES: Migrating services to the cloud is of particular benefit to charities. Flexible and reliable communications are vital when dealing with a workforce of fundraisers, volunteers and project workers (among other employees), often working at multiple locations. But the hefty investment needed in systems and ongoing software and security upgrades is often beyond the means of charities.
A cloud hosting provider will give users the ability to securely access emails, software and data from wherever they are, on any device at a fraction of what it costs to set up and maintain in-house. Upgrades will be included as part of the service, with the added advantage that these can work with existing hardware.
Providers can offer also a flexible pay as you grow model which can be scaled up or down to cope with charities’ workloads, such as during seasonal periods when in-house infrastructures could be either overstretched or underused.
GREEN CREDENTIALS. And it’s green – a big chunk of your energy bills is passed to the cloud provider along with all the maintenance and licensing costs. Most in-house servers run at only 5%-10% of their full capacity, and so use far more electricity than they need. A cloud provider’s datacentres run at maximum efficiency, fitting many users onto one hosting operation with virtually unlimited capacity, so cutting electricity usage, carbon emissions and physical infrastructure.
CHECKLIST. Here are some tips for choosing the right cloud provider for your charity:
• Check that your provider offers a "pay as you grow" arrangement which can be scaled to meet your fluctuating needs and budget, and whether there is charity discount pricing.
• Check that you are offered 24/7 support and guaranteed service availability – none of your staff should be spending time sorting out IT issues.
• Check whether the provider offers a favourable cost structure to charities.
• Check that you get a simple Control Panel that allows you to retain day-to-day management of email, adding and removing users as needed.
• Check that your provider automatically upgrades your software to the latest versions.
• Check your provider’s security credentials: they should include a mimimum ISO 27001 accreditation for information security, and ISO 9001 for process management and continual improvement.
• Check how long those accreditations have been held – your services should be the provider’s main activity, not an "add on".
• Check that your provider’s data centre is rated Tier 3 or better for service availability.
• Check that your hosting provider has registered offices and data centres in the UK for maximum data security. If any of these exist outside Britain, it can’t be guaranteed that your data won’t leave European soil.
Cloud is the way forward for charity computing
Charities can benefit from introducing cloud computing and can overcome the barriers to adopting this technology. Cloud computing is changing the way people work, enabling greater numbers to work more remotely and flexibly than ever before. A recent study by analysts Gartner revealed that 84% of organisations have a remote workforce to some degree.
Charities would be included in this, e.g. in relation to fundraisers, home visit care workers, even contact centre workers. The management of charities can involve remote communications, so doing things "remotely" is something which has to be increasingly part of many charities' work. Use of the cloud should be seen as helping the remote working of managers, staff and volunteers.
However, using the cloud should be seen primarily as an "enabler" – enabling charities to afford using IT for whatever purpose they want, when they would not otherwise be able to.
Remote working is increasingly being enabled by cloud computing technologies such as virtual desktop solutions which allow people to work from any location in the world and access their emails, files and desktops using a laptop, iphone or tablet.
Research from New Philanthropy Capital (NPC) in May 212 looking into the commissioning landscape for charities, found over two thirds of charities will be cutting front line services in 2013. The redundancies will be in direct response to the high level of government funding cuts.
This research followed NCVO's "Charity Forecast" in March 2012 when a third of charity leaders reported they expected their organisation to increase the number of services they offer this year and the majority intend to collaborate with other organisations to deliver these services.
By reducing the number of staff in the front line, charities will be struggling to deliver more with even fewer resources. One solution is to look at their back office systems more closely to see if cost savings and efficiencies can be made. Changing their IT system to cloud computing is one solution charities should now be considering.
What is cloud computing?
A growing number of charities are adopting cloud computing to improve their IT usage and costs. However, many are confused about what cloud computing is and how it works. According to the Global Language Monitor, a media analytics company which tracks trends in language, the term "cloud computing" ranked second on a list of the decade's most confusing technical buzzwords that people use but don't quite understand.
In its simplest form, cloud computing involves the outsourcing of data and IT infrastructure, storage and security to a third party supplier which will host and manage it in a data centre, and deliver it to users with internet access as a service.
If an organisation opts for a cloud computing solution such as Desktop as a Service (DaaS) technology (otherwise known as virtual desktop or hosted desktop), all its software, applications, data security and back up are hosted, taking away the need for in-house servers, eliminating unproductive hours spent in IT administration and reducing expenditure on software and software licensing. In the long term, this can generate considerable savings.
For those charities which are operating in areas where internet access can be unreliable for example rural areas or parts of Africa and Asia, this doesn't necessarily mean that cloud services won't work for them. Charities should look for a service that will allow them to sync documents and email to the local machine to enable the user to work and the whole lot will sync back when a connection becomes available.
Benefits of the cloud
So what are the benefits for charities looking to adopt cloud computing? Cost is perhaps the main driver and in today's economic environment this is going to be a key benefit for charities looking to reduce their administration and back office costs. Additionally, for growing charities cloud computing can be a faster way to develop as it is quick and easy to add new users or processes to the system.
Other key benefits include flexibility – employees can work from anywhere with internet access and log onto their own desktops as if they were in the office. This is a good option for charities which don't want to rent large and expensive offices or which use freelancers or project workers regularly, or have employees who travel extensively. A hosted desktop system enables workers to log onto their desktops from anywhere and be as productive as if they were in the office.
Until now, one of the biggest barriers to cloud computing adoption has been fears over security. Understandably, charities have felt nervous about outsourcing their data and information to a third party supplier and for many this has been their main concern.
Adopting a Desktop as a Service (DaaS) ensures all the traditional functions of the computer – including email, storage, processing and security backups – are managed by the cloud computing provider, within the protection of an encrypted corporate grade firewall. Once the user enters his desktop, he is typically in an environment which is more secure than the previous local server set-up.
Charities often don't have the most up to date software and security, simply because they don't have the resources to keep pace with such a fast moving area as IT. The cloud computing service provider, however, will constantly be updating its own software and firewalls – that's its responsibility.
The management of IT licensing, software and equipment, as well as trying to keep up to date with technology is now becoming costly and extremely challenging for many charities and the option of adopting cloud computing is becoming much more attractive for them. Many charities also don't have the most up to date IT systems and so when it becomes necessary for them to upgrade cloud computing can be a much more cost effective way to do this.
Many charities find that after the initial investment period they save on IT costs in the long run and free up their staff from spending time sorting out technology problems. They also find they have new capabilities which enable them to offer new services and grow. There is also the option to have a flexible "pay as you use" model which allows charities to scale up or down as needed.
What charities need to consider
As confidence in the security of their data is paramount, charities should ensure they work with an accredited cloud computing provider with a UK data centre to ensure security is watertight. Charities should check for accreditations such as ISO 9001, ISO 27001 for IT security and ISO 14001, which is focused on environmental standards.
Charities also need to consider where their data will be held and check for example that the provider has a UK datacentre. If it is held in the US or by a US company, check they have a Safe Harbour agreement and conform to the Patriot Act because the US government or it bodies can seize data without warning.
Charities also need to be wary of the contracts they sign and read the small print. There have been cases of organisations signing up to fixed term contracts only to have these revert back to the start date when a new user is added. Needless to say, such contracts should be avoided at all costs.
Finally, charities should question the level of disaster and recovery time, time scales needed to implement the new system and make sure they have a robust project migration plan to ensure work can go on as far as possible during the migration period. Charities can be concerned that the move to the cloud will take quite a lot of time and disrupt their day to day business. Planned well this needn't be an issue – and can be done very quickly and out of office hours to ensure there is no disruption to working time.
It is important to stress that prior to finding a provider charities need to ensure they map their business objectives for the next five to ten years, plus current and future remote working IT requirements. Having a clear understanding of where the charity is going should help it decide on the right technology and the right provider for its needs now and in the future.
Embrace the cloud
Cloud computing is not going away and neither is the demand for remote working. With the option to save money, reduce IT administration and offer employees greater working flexibility, it would seem foolish for charities not to embrace "the cloud" with open arms.
Workplacelive's David Sturges – cloud computing involves the outsourcing of data and IT infrastructure, storage and security to a third party supplier which will host and manage it."…for growing charities cloud computing can be a faster way to develop as it is quick and easy to add new users or processes to the system."
Being able to implement mobile quickly
We have all learned to live with this complex and sometimes difficult relationship – Google chairman Eric Schmidt is quoted as saying that "Lovies and Techies don't get on"! And perhaps that's it, we simply have to accept that the differences between the people and the jobs are at odds, and so find workarounds and compromise.
Sadly this compromise generally falls on the side of marketing. Budget, time to market, complexity of data harvested and level of integration into other digital elements are just a few of the areas that marketers have to live with. Marketers are held hostage by their technical teams who blind with science and explain how hard it all is and how long it will all take – in a way which reminds me of the stereotypical car mechanic, who tells you that the small knocking noise coming from under the bonnet is "terminal" and will "cost a packet".
The discord between these two departments does have a cost to the organisation but it is relatively low impact because competitive operations, including charities, have the same challenges, so everything moves ahead at about the same speed and donor experience is on par across the sector. This is, however, about to change.
Mobile engagement is not only the fastest growing channel, it also carries the highest consumer expectation. 24% of mobile internet users expect a web browsing experience comparable to their desktop, if not they will abandon or switch. More than half of consumers who've shopped using their mobile have abandoned a purchase because of poor navigation or slow pages.
The same is happening with donors who are mobile internet users. So not only do you need a fully interactive mobile strategy functional within the next 6 months, it needs to use the latest techniques and technology to ensure donor retention through fast and optimised experiences. At the same time, if you are marketing to younger donors in particular, you should assume you have no alternative to implementing such a capability.
Regardless of what is said, internal IT teams do not have the experience or expertise to deliver on a mobile strategy in these timescales and certainly will not be able to up-skill to the level required. At best a DIY approach will be "on the job" learning and trial by error development, which will deliver a poor result, extend the delivery timescales, create lost opportunities, lost donors and lost revenue.
Marketers have learned that a DIY approach to specialist areas like content management, pay per click and search engine optimisation is a waste of time and resources. They know from experience that external experts get better results faster and cheaper than trying to do it themselves. Mobile is just the same. One way to move into mobile as fast as is currently required is to use external mobile experts who have a proven track record of delivering mobile projects. Alternatively work with a mobile partner which will integrate with your teams and use technology and solutions that make development fast and simple, and the ongoing management and maintenance sustainable.
Harnessing the power of technology for fundraising
Last year, a survey conducted in association with the Institute of Fundraising found that 61% of delegates were unaware of the fundraising potential of new technologies. These statistics didn't come as a surprise to me. So many charities are not aware of the multitude of different ways in which technology can be used to help fundraise. Or if they are aware, they don't know where to start.
First and foremost then, my advice is to do your research. Find out what technologies are available and how you can harness them for your charity, whether they relate to donation sites, social media or other online services. Once that's decided, you need to start spreading the word both inside your organisation and to your supporters.
Charitable technology was created to make giving easier and be a part of people's every day lives, but before this can happen we all need to work together to change behaviour. A parallel can be drawn with recycling. It is all too easy just to throw all your rubbish into one bin, but having been educated and shown the benefits that recycling brings to the environment, the public began to add another step in to a processes they had followed throughout their lives. The same needs to happen for fundraising technology.
Charities and technology companies who build fundraising technology need to work together to educate the public that a slight change in behaviour can produce a much needed revenue stream for cash-strapped charities. For example, people switching to a charitable bank account with online banking services, donating through your website, or shopping online through giving sites. These minor changes in behaviour will help charities unlock the hidden millions that are up for grabs.
Charities also need to work better together to form a cohesive unit for change, drawing on their skills and knowledge. This is starting to happen effectively in major campaigns in North America. For example, the Rainforest Solutions Project saw a group of organisations working together to preserve the Great Bear Rainforest in Canada. It took 10 years, but through collaborating and playing to their strengths they were successful in protecting and preserving an ecosystem the size of Ireland on Canada's unblemished west coast.
I feel that charities in the UK need to follow their North American counterparts and pull together to raise awareness and share knowledge of the many different fundraising technologies that are out there.
Social media is also an important medium for charities to embrace. Twitter and Facebook are, in my opinion, not being harnessed enough by charities as yet. There is huge potential for charities to engage with a new audience with the aim of turning followers into donors and lifelong supporters. Social media tools are fast, effective and – perhaps most importantly – free. Looking to North America again, we find many examples of charities using these tools to fundraise effectively. Both Charity: Water and Livestrong have effectively used Facebook pages, Twitter, and new channels such as Instagram to open up their organisations' work and attract new supporters.
It may be a daunting task to train your teams, to allocate the resource needed and to push your charity our of their comfort zone, but all the charities using social media effectively today started at the same point you are at now. So do your research, find out how other charities are using these tools and start to leverage the power of technology for your charity's fundraising. Everyone needs to start somewhere so don't be afraid to dive in and get started now. After all, the water's lovely!
Cloud computing choices for charities
The cloud provides an alternative way for charities of procuring IT services that offers many benefits, including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditised.
However, in a recent survey 30% of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise’s security in the next 12 months. Clearly, a good understanding of cloud is critical, as is effective governance over the cloud. And, of course, governance is an increasingly important matter for charities. Data protection is a very serious issue.
The cloud offers a selection of services
The cloud is not one thing; it offers a series of service choices. It covers a wide spectrum of types of service and delivery models ranging from in-house virtual servers to software accessed by multiple organisations over the internet. For example, a charity can run the IT services in-house; this is the most flexible but usually the most expensive arrangement. It can contract the running of the services through a managed service or hosting agreement. This is less flexible but may be cheaper.
Infrastructure as a Service provides a commoditised and packaged hosting service, which requires no capital expenditure. A similar spectrum applies to business applications. A charity can develop its own applications, and these can be designed to the charity's exact requirements. But it is very expensive. A charity can use commercial applications which are tailored to its needs. This is usually cheaper, but still involves the management and running costs.
Software as a Service via the cloud provides access to a packaged application which is managed and run by the service provider and can be bought on a charge per use basis.
It is important to understand the varieties of cloud services and deployment models to choose the one most suitable for your needs.
Choose the right type of cloud service
Infrastructure as a Service (IaaS) provides basic computing resources that the customer can use to run software (both operating systems and applications) and to store data. IaaS allows the customer to transfer an existing workload to the cloud with minimal if any change needed. The customer does not manage or control the underlying cloud infrastructure but remains responsible for managing the operating systems and applications. IaaS removes the need to buy, house and maintain the physical servers and can provide the ability for a charity to respond quickly to changing requirements.
Platform as a Service (PaaS) provides an environment upon which the charity can use to build and deploy cloud applications. These applications may be for use by the customer or offered as a service to others. Building applications using PaaS means that they are inherently cloud enabled and the PaaS provider also provides the service upon which these applications run.
The benefits include no need for capital hardware investment and rapid deployment. The major downside for charities is “lock-in”. Most PaaS platforms are based on proprietary programming interfaces (APIs), so it can be very difficult to change provider at a later date.
Software as a Service (SaaS) provides an application and data that can be accessed via a network (usually the internet) using a variety of client devices such as web browsers, and mobile phones. The major benefit of SaaS is the immediate availability of a working solution for a specific problem with no need for up-front investment. This is particularly valuable for areas such as mature business processes which are essential, well understood and need to be delivered at minimal cost. SaaS provides an opportunity for service vendors to offer the best solution to this kind of problem at the lowest cost. The risks associated with SaaS include loss of governance, data privacy issues and return of customer data.
Mature business processes are often subject to regulations and laws and organisations have invested heavily in IT to ensure compliance. Using SaaS means the charity devolving control to the SaaS provider and it is essential to have independent confirmation that the provider will comply with the regulatory requirements. The SaaS provider also has control of the business data held by the service. Contracts need to specify how this data will be returned in a useable form at termination of contract to allow business continuity and provide flexibility to switch provider.
Choose the right cloud deployment model
Public cloud services are available for anyone to subscribe to and use. The key benefit of a public cloud approach is one of scale. The cloud provider can potentially offer a better service at a lower cost because the scale of their operation means that they can afford the skilled people and state of the art technology. The public cloud model inherently provides service on demand.
The cloud provider can dynamically reallocate resources as they are required. Spreading the service delivery across multiple locations also improves resilience. Local problems with power supplies, telecommunication, natural disasters and so forth can be managed more effectively when there are several data centres in multiple geographies.
The downside of the public cloud is the risks of compliance and data security. For example, data privacy laws in the EU mandate that personal data must be processed within defined guidelines. The cloud service customer, who is the “data controller” is responsible in law, and needs to ensure that these guidelines are adhered to. Large cloud providers have recognised this need and can offer compliant services.
Sharing applications and infrastructure with unknown co-tenants can lead to concerns over data security and data leakage. There are standards and best practices for this and it is essential to check that the cloud provider is externally certified as adhering to these.
The HMRC online tax filing service is Software as a Service with a public deployment model and this has been praised by the Audit Office, although it unclear whether it provides value for money.
A private cloud service is used exclusively by a single organisation. Private cloud allows organisations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources. The price to pay for this is that the costs are likely to be higher because there is less potential for economy of scale, and resilience may be lower because of the limit on service resources available.
Isolation is one of the key techniques for ensuring security and, while in the public cloud applications and data exist in a shared environment, the private cloud offers greater isolation by dedicating resources to a particular customer.
A community cloud service is for the exclusive use of a specific community of organisations which have shared concerns (e.g. mission, security requirements, policy and compliance considerations). A community cloud provides many of the benefits of scale of the public cloud while retaining greater control over compliance and data privacy.
Community cloud services already exist but under a different name! For example NHSmail, the national email and directory service available to NHS staff in England and Scotland, is effectively Software as a Service with a community deployment model. As regards security, NHSmail is accredited to Government RESTRICTED status, and is the only NHS email service that is secure enough for the transmission of confidential patient information.
Understanding your charity's requirements
When moving to the cloud it is important that the charity's requirements for the move are understood and that the loud service and deployment models are selected to meet these needs. Taking a good governance approach is the key to safely embracing the cloud and the benefits that it provides. So, finally and really to sum up, as a charity you should bear in mind the following:
Identify your requirements for the cloud based solution. This seems obvious but many charities are using the cloud without knowing it.
Determine the cloud service needs based on your requirements. Some applications will be more business critical than others.
Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and questions to be answered. Considering the risks may lead to the conclusion that moving to the cloud is not appropriate.
Understand what the certification and accreditations offered by the cloud provider mean and actually cover, and how these support your needs.
In most organisations cloud computing will co-exist with other IT service delivery models. Therefore an approach to governance and management is needed which covers both traditional and cloud models.
Kuppinger Cole/ISACA's Mike Small – cloud offers a variety of services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and private, public or community services. "IaaS removes the need to buy, house and maintain the physical servers and can provide the ability for a charity to respond quickly to changing requirements."
"Building applications using PaaS means that they are inherently cloud enabled and the PaaS provider also provides the service upon which these applications run."
"The major benefit of SaaS is the immediate availability of a working solution for a specific problem with no need for up-front investment."
BEING CAREFUL ABOUT THE CLOUD
Being careful about the cloud
FROM THE EDITOR: Cloud technology offers big advantages to charities facing financial pressures. Its relative low cost enables them to address existing requirements more effectively. It also enables them to meet new demands, including reshaping or even expanding their operations, with confidence – without having to spend nearly as much money as they would have on IT before the evolvement of the cloud. Cloud technology is a great enabler. Low cost "pay as you use" in the sky is the way forward for charities needing access to the latest technology as it comes onto the market.
However, and it really is a big "however", there are some major issues with the cloud and they cannot blithely be ignored. The four contributions – from David Gibson, Mike Small, Oliver Moazzezi and Marc Vael – to the discussion below of these issues should be read as a whole. Not only does each bring a differing perspective to the examination of the merits and demerits of charities using cloud technology, but they also, in total, provide a good explanation of the structure and principles of cloud.
So it is hoped that when you have read all four sets of comment you will have acquired a good grasp of what constitutes cloud. It can be a real "life saver" in these difficult financial times for charities as a low cost IT resource, as long as you are aware of the pitfalls.
The need to protect personal information
DAVID GIBSON of VARONIS SYSTEMS comments: While the cloud can offer significant benefits, it also harbours some substantial dangers. So charities should think carefully about how they plan their use of and reliance on cloud based services. Charities should also consider the additional IT resources which may be required when implementing cloud based solutions.
User account provisioning, for example, is generally not tied to the charity's internal directory services and access control lists, and must be maintained separately. Similarly, IT will likely need to field support requests related to the use of cloud solutions. As a result, implementing cloud based services can result in additional IT overhead that must be accounted for. However, perhaps the most essential consideration is security, primarily because of the resultant damage that can be caused if it's found wanting.
SECURITY IS PARAMOUNT. Personal information, such as donor and supporter lists, all have a value to criminals and therefore is a target for thieves. Charities have a responsibility to protect personal data and consideration has to be given to regulatory compliance, such as the Data Protection and Freedom of Information Acts, which are relevant whether data is processed and/or harboured on a physical or virtual server. To complicate the situation some cloud storage providers may transport data overseas, where it may be subject to foreign laws that could contravene the UK or EU Data Protection regulations.
Literature from the Information Commissioner's Office, detailing data protection good practice guidance, dictates that organisations must "take appropriate technical and organisational measures to protect the personal information you process, whether you process it yourself or whether someone else does it for you".
This would mean that if something went wrong and the data were breached then it is the charity which will be held accountable, and that can be expensive! In addition to any legal or financial liability, the ICO can impose a financial penalty of up to £500,000 for Data Protection Act breaches. Given their evolving security standards, added user/group administration, and auditing concerns, charities need to be very careful about entrusting their data to the cloud.
TAKE PRECAUTIONS. Charities need to ensure that any cloud service provider they're contemplating using meets the ICO's standards for security (e.g. authentication, authorisation, auditing, disaster recovery, etc). It is inevitable that unstructured data (e.g. documents, emails, spreadsheets and presentations, images, audio files, etc) – stored on file shares, NAS (network attached storage) devices, email, and in the cloud – will continue to grow exponentially.
Charities are realising that the only way to ensure compliance is to leverage data governance automation, which provides repeatable and measurable automated processes for ongoing management, tracking, compliance reporting and protection of private data. That way you know what you've got, where it is and who's looking at it.
Managing the risks of cloud computing
MIKE SMALL of security analysts KUPPINGER COLE, and a member of information security association ISACA, comments: Adopting aloud computing can save money but good governance is needed to manage the risks. Charities depend upon IT services for fundraising and administration but how can they best procure these services? One alternative which offers flexibility as well as low cost is Cloud computing. For example to support a fundraising event like Red Nose Day needs a massive amount of IT capacity for a short period. The cloud is able to provide that capacity in an economic manner.
However, many charities are reluctant to adopt the cloud because of concerns over information assurance and a loss of control over the way IT service is delivered. These fears have been exacerbated by recent events reported in the press including outages by Amazon and the 3 day loss of Blackberry services from RIM. Adopting cloud computing can save money but good governance is needed to manage the risks.
The cloud embraces a wide spectrum of services and delivery models ranging from IaaS (Infrastructure as a Service) delivered through in-house virtual servers, to SaaS (Software as a Service) delivered over the internet to multiple organisations. The risks of adopting the cloud depend upon both the service model and the delivery model adopted. Taking a good governance approach, such as the international control and security standard COBIT, is the key to safely embracing the cloud.
The common information security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through the cloud environment. In addition, particular issues which need attention include ensuring compliance and avoiding becoming locked in to a particular cloud service provider. To manage these risks a charity adopting cloud services should make a risk assessment using one of the several methodologies available. When the risks important to your charity have been identified you need to ask the cloud provider how these will be managed.
MIKE SMALL of KUPPINGER COLE and ISACA continues: Here are ten questions to ask yourself and the cloud provider:
1. How is legal and regulatory compliance assured? Identify the charity's requirements for compliance with laws and regulations and ensure that the cloud provider is able to answer how they will meet these needs.
2. Where will my data be geographically located? Identify the legal constraints on the geographic location of the cloud provider, the service and the data, and ensure that service contracts address these.
3. How securely is my charity's data handled? Identify and classify the data which is being moved to the cloud and specify the security requirements for this data in terms of confidentiality, integrity and availability.
4. How easily can I get my charity's data back at termination of contract? The ownership of the data held in the cloud may not be clear and return of the data on termination of contract may be costly or slow.
5. How is service availability assured? Identify the service availability requirements and assure that the provider is capable of meeting these.
6. How is identity and access managed? Specify the needs for identity management and access control and assure that it will be delivered securely.
7. How is my data protected against privileged user abuse? Confirm that the cloud service provider has processes and technology to properly control.
8. How are the systems protected against internet threats? Ensure that the steps taken both by the cloud provider and within the charity are adequate.
9. How are activities monitored and logged? Ensure that the requirements are met while separating the data relating to different cloud clients. access by their administrators.
10. What certification does your service have? Cloud service providers may offer reports and certifications. Ensure these satisfy the needs of service you require.
Cloud computing offers an alternative way to procure IT services with more flexibility and at a lower cost than through traditional outsourcing. However these benefits come with certain risks that depend upon the Cloud service and delivery model adopted. The common risks are maintaining the confidentiality, integrity and availability of data. In addition, particular issues that need attention include ensuring compliance and avoiding lock-in. The best approach to managing risk in the Cloud is one of good IT governance.
Enhancing security by using the cloud
OLIVER MOAZZEZI of IT company Cobweb Solutions comments: Charities are under pressure to slash costs and stretch budgets. Central and local government cuts are biting hard and the unstable economy is weakening donations. But when it comes to communication infrastructure, charities need to be able to reduce costs while preserving reliability. That's where cloud technology comes into play. Among other advantages, you can actually enhance your data security by using the cloud.
Cloud based technology infrastructures are much less expensive than using the services of traditional hosting companies. They are also significantly more economical than in-house exchange servers. This is because with cloud based solutions, charities only have to pay for each "seat" rather than a licensing and hosting cost. Not only this, but as charities commonly have a mobile workforce, the ability to access email anywhere that has an internet access is a huge plus.
SECURITY THREATS. But while charities are wholeheartedly embracing cloud computing, data security remains a major cause for concern. Hosted cloud service providers often store customers' data in external locations and as such IT managers are solely relying on the hosted providers' security capabilities to protect their data. Concerns about data security are more prevalent when dealing with high volumes of data or sensitive customer contact information – both of which are abundant in charities.
Additionally, many charities which are considering cloud IT services are concerned with the possibility of data theft. However, when analysing security risk, they should also consider data availability. If a company's data should suddenly become corrupted or otherwise unavailable, how can it possibly continue to operate? Charities need to look at ways to minimise data risk and should consider the hosted cloud service provider's layers of security protection, as well as the manner in which they guarantee the application and data is restored in the event of a security issue.
OLIVER MOAZZEZI of COBWEB SOLUTIONS comments: Cast your mind back to the Sony attack and other high profile cases of data theft and it's clear that cloud based services have been on the receiving end of intensive hacking campaigns. However, organisations which have not deployed private or public cloud services and infrastructure are also coming under attack.
Consequently IT managers are now looking at hosted cloud solutions in order to actually enhance their data security. In a recent 2011 Cloud Survey from Symantec 87% of organisations adopting cloud infrastructure did so to improve security as they did not have the in-house staff, skills or knowledge to navigate their journey to the cloud.
COMBATING CYBER THREATS. The charity sector can adopt a plethora of strategies to capitalise on the benefits of cloud-based infrastructure, whilst also maximising data security. By deploying a private cloud environment charities will rely exclusively on in-house security solutions. This would include their staff's knowledge of security tools and the reliability of their existing IT infrastructure to defend against data theft.
Deploying a public cloud environment usually means employing a hosted cloud service and infrastructure provider. In this case, a charity would rely on the security capabilities, knowledge, industry longevity and insight that the hosted cloud provider brings to the table. Finally, the deployment of a hybrid cloud environment is a combination of the two: applications, data and IT infrastructure reside both in-house and also within a public cloud environment.
CLOUD BENEFITS. So, with budgets in the charity and not for profit sector squeezed, cloud computing is a highly attractive option. It enables organisations to both cut costs while, contrary to popular option, actually improve security. Couple this with its ability to enable the charity and not for profit sector's increasingly mobile employees to work on the move, and it's not surprising that cloud computing is quickly gaining traction.
Data management for charities in the cloud
MARC VAEL of international security association ISACA (previously known as the Information Systems Audit and Control Association) comments: Charities have all kind of responsibilities when it comes to handling data in the cloud. Also, requirements by the charity come into play when selecting and operating solutions within a cloud environment. When a charity uses a cloud solution this is what it should be benefiting from:
ON-DEMAND SELF-SERVICE. A charity can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
BROAD NETWORK ACCESS. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops and PDAs – personal digital assistants).
RESOURCE POOLING. The provider's computing resources are pooled to serve multiple charities using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to charity demand. There is a sense of location independence in that the charity generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country or data centre). Examples of resources include storage, processing, memory, network bandwidth and virtual machines.
RAPID ELASTICITY. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and can be rapidly released to quickly scale in. To the charity, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
MEASURED SERVICE. Cloud systems automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and charity of the utilised service.
MARC VAEL of ISACA continues: Charities can immediately use the PRIVATE or COMMUNITY CLOUD deployment model without too much changes in their governance model. More caution must be taken when using a PUBLIC or HYBRID CLOUD deployment model. Have a look at how these models can work for charities.
PRIVATE CLOUD. The cloud infrastructure is operated solely for a charity. It may be managed by the charity or a third party and may exist on premise or off premise.
COMMUNITY CLOUD. The cloud infrastructure is shared by several charities and supports a specific community which has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the charities or a third party and may exist on premise or off premise.
PUBLIC CLOUD. The cloud infrastructure is made available to the general public or a large industry group and is owned by a charity selling cloud services.
HYBRID CLOUD. The cloud infrastructure is a composition of two or more clouds (private, community, or public) which remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
For their data management, charities must be aware of the following 15 elements around cloud solutions (similar to any IT outsourcing solution for charities). These are all issues which they must address. They consist of either consequences, implications, tasks, responsibilities, or requirements which they should insist upon.
1. Psychological impact.
2. IT governance model.
3. Integration with internal IT systems.
4. Network connectivity / bandwidth.
5. Data location.
6. Shared tenancy.
7. Lock in with vendor.
8. Cloud Service Provider (CSP) stability, reliability and viability.
9. Service portability.
10. Legal and regulatory compliance aspects (including licensing, contractual arrangements).
11. Information security management (including identity and access management).
12. Incident response and crisis management.
13. Business continuity management and disaster recovery planning.
14. Data archiving and removal.
15. (Right to) Audit (penetration testing, screening, monitoring, etc).
MARC VAEL of ISACA says: For effective data management, charities must make sure they identify data requirements (including the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media). Effective data management at charities helps ensure the quality, timeliness and availability of business data:
OPERATIONAL REQUIREMENTS FOR DATA MANAGEMENT. Verify that all charities data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs.
Charities must establish SLAs (Service Level Agreements) defining expectations and requirements. Charities must establish data management policy and procedures for interfacing data that remains within the confines of the charity's IT infrastructure. Charities may also need to establish transaction control mechanisms to ensure completeness of processing.
DISPOSAL. Define and implement procedures to ensure that business requirements for protection of sensitive charities data and software are met when data and hardware are disposed or transferred. The CSP (Cloud Service Provider) will physically destroy any remaining charity's data upon the expiration/termination of the contract.
BACKUP AND RESTORATION. Define and implement procedures for backup and restoration of charities systems, applications, data and documentation in line with charities requirements and the continuity plan. A contract must define SLAs relevant to the backup and restoration of the charity's data.
SECURITY REQUIREMENTS FOR DATA MANAGEMENT. Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of the charity's data to meet the charity's objectives, the charity's security policy and regulatory requirements.
