RHEDcloud Project Proposal

Name

Emory's Library & IT Services (LITS) team working on the AWS@Emory service selected a neutral name RHEDcloud, which stands for Research, Healthcare and Higher EDucation Cloud. The team has already worked this into a number aspects of the code where it made sense not to make the code Emory-specific.

General Principles

None of the structures, frameworks, or processes proposed below are intended to diminish or restrict the fundamental nature of the RHEDcloud project as a public open source project. Any person would be able to access the public documentation and code, clone the project's public repositories, and submit contributions of code, documentation, and analysis to the project. Any person can download and use the products of the project. The structures below are intended to provide an organizational framework for managing the on-going maintenance of the RHEDcloud framework and applications for AWS and expand them to Google Cloud and Microsoft Azure.

Emory University has invested approximately $1 million in contracted development and 24 months of internal work on the design and development of these frameworks, applications, risk assessments, and controls. Emory estimates that it will cost approximately $250,000 per year to maintain and extend the service for AWS as new services are released and services and use cases for AWS evolve. Emory estimates it would cost between $1.5 million and $2 million to extend these frameworks to Google Cloud and Microsoft Azure. Emory University and its initial collaborators believe that there is significant overlap in requirements for security, compliance, and integrating enterprise systems such that organizations could share requirements, implementation, and testing. These organizations could thereby improve these frameworks through broader input, share the costs of development and support, and cultivate commercial support for these frameworks from both cloud infrastructure providers and cloud infrastructure consultants.

Potential Areas of Collaboration

There are many potential area of collaboration for participants and members of the RHEDcloud Project. Not all participants will be interested in all aspects of the project. For example, some participants may only be interested in discussing and specifying security measures for specific compliance regimens with peer organizations. Others may which to leverage a common, extensible framework for implementing these controls. Some participants may be more interested in integrating cloud platforms with their on-prem networks and enterprise systems. There are a lot of different topics on which to collaborate and a lot of problems to solve together.

Cloud Security Measures for Various Compliance Requirements

Performing risk assessments of the services that comprise cloud platforms is detailed work and project participants can benefit by sharing this work and increasing the number of security and cloud experts that look perform these assessments and specify countermeasures. The project collaboration will improve the results and reduce the cost for all participants to maintain excellent risk assessments and countermeasures.

Common implementation of Cloud Security Measures in an Extensible Framework

Implementing security measures in a common, extensible framework further reduces the cost and improves efficiency of deploying and maintaining the measures specified in the security risk assessments. Project participants that choose to deploy a common framework an implementation for these security measures will be able to control new services more quickly and adapt to remedy newly detected risks in existing services. There is considerable benefit in performing the assessments and specifying controls with peer organizations, but agility comes from using a common framework.

Provisioning, Integration, and Administration

Some project participants will have requirements to integrate there cloud presence into their on-prem network, identity management, authentication, authorization, customer service, and other enterprise systems. Project participants can share their experience, patterns, and specific frameworks and implementations of these integrations.

Initial Assignment of Intellectual Property

Emory University would assign the intellectual property that comprises the AWS@Emory service to a new open source software foundation called the RHEDcloud Software Foundation. The purpose of this foundation it to ensure the intellectual property is continually releases and available under appropriate open source licenses and promote the future development of the software. The AWS@Emory service is described in the master service description and the intellectual property is described in the Emory Technology Transfer Background Materials.

Foundation Start-up Procedure

The RHEDcloud Software Foundation would need to finalize a list of founding institutional members, incorporate the foundation as a non-profit, charitable research organization within an appropriate jurisdiction. As part of this process the Foundation would establish its charter, bylaws, initial officers, apply for an hopefully obtain its tax-exempt status and other initiation tasks. These activities typically take several months and cost $20,000 - $30,000.

RHEDcloud Software Foundation

Charge

The RHEDcloud Software Foundation would exist to provide an organizational, legal, and financial framework for the RHEDcloud software and the collaboration to maintain and advance its development and adoption. The Foundation would assert its ownership and rights with copyright and release the software under one or more open source licenses, which both promote collaboration and allow participants to create derivative works and hold them proprietary. To initiate the project Emory University would assign the contributed intellectual property to the newly created RHEDcloud Software Foundation in an assignment agreement that would require that the Foundation implement many of the specifics below.

Membership

The RHEDcloud Software Foundation would have two types of membership, institutional and individual.

Institutional Membership

Academic institutions, companies, and any other organization interested in developing or promoting the RHEDcloud project could join the RHEDcloud Foundation as a member with the consent of the other members. An annual fee of $10,000 is assessed for institutional membership due on July 1 of each year. These fees fund the following aspects of the Foundation's operations:

  1. Releasing the products of the RHEDcloud project
  2. Providing quick-start deployment support and on-demand training for new institution and individual members
  3. Organizing and managing the project requirements, planning, and effort estimation processes
  4. Cloud infrastructure to support the project
  5. Promoting the RHEDcloud project
  6. Legal fees, accounting fees, and filing fees to acquire and maintain non-profit status as a charitable research organization
  7. Modest stipends for the three Foundation officers that require significant work, President, Treasurer, and Secretary. Note: experience with these collaborations demonstrates that relying on volunteer effort for these three key positions is inadequate

Individual Membership

Any individual interested in contributing code, analysis, or other effort to the project may join as an individual member with the consent of the other individual members. Individuals must fill out a brief application pay a $100 application fee. Upon their approval, individuals pay an annual membership fee of $100 per year due on July 1. The first year's fee is waived, because applicants pay an application fee. These fees fund the following aspects of the Foundation's operation:

  1. Per-user cost of version control and DevOps infrastructure
  2. Per-user cost of collaboration platforms

Note that as described above under General Principles, neither institutional nor individual membership is required to get access to project artifacts or contribute artifacts. Membership is only required to drive and guide the project or become a committer. Many projects use an opaque system of merit to elect or nominate individual members to be committers and have direct access to implement project processes like code reviews, merges, and releases. That process can work well, but it can also be viewed as elitist and exclusive. The RHEDcloud project proposes a more inclusive stance toward individual members in which anyone can apply and be accepted to be an individual member if they pay their annual fee and work responsibly.

Advancing the Software

The RHEDcloud Foundation's primary activities are releasing the products of the RHEDcloud project on a sound, independent legal basis and managing the roadmap and accession of contributions from all institutional and individual members to maintain and advance the software.

Strategic Plan

The institutional and individual members of the RHEDcloud Software Foundation will maintain a high-level, long-term strategic roadmap and plan for the software that looks at least three-years into the future. This vision statement and high-level plan would be reviewed and updated at each Board of Director's meeting for potential modification and improvement. This strategic plan helps guide and prioritize development and maintenance projects that are funded on an annual basis.

Annual Priorities

Each year in July, August, and September the RHEDcloud Software Foundation will manage a process to solicit requirements, draft statements of work, estimate cost, and prioritize work for the coming year. These priorities will be discussed and voted on by the individual members and the institutional members using a precise method to be determined by the Board of Directors that includes all institutional and individual members in some way. Any prioritization issues that cannot be settled by the membership are decided by the Board of Directors.

Annual Assessments

Once the annual development and maintenance projects have been defined, estimated, and selected by the membership, all institutional members are assessed for their portion of the development costs based on a proportional formula specified by the Board of Directors. For example, the formula might be all institutional members pay an equal share. So, if the membership has prioritized five projects that will cost $250,000, then if the institutional membership consists of 10 institutional, each institution would pay $25,000 to implement the annual priorities. Contributions could be made in cash or in kind. Resources contributed in kind must coordinate closely with the project. The Board of Directors might instead implement a formula that considers that institutions with a larger annual budget might be able to afford a larger portion of the costs. The precise formula will be specified and maintained by the board with input from all institutional members.

Board of Directors

The RHEDcloud Software Foundation Board of Directors would consist of one representative from each institutional member unless and until such time as the number of institutions made this impractical. If this becomes impractical, an annual election for Directors would be held at an annual meeting and Directors with terms and replacement policies established by the board. Given the practice of assessing all member institutions annually for maintenance and development priorities, it is critical that 100% representation from participating institutions be maintain as long as possible. It may be possible to do this indefinitely.

Officers

Several corporate officers of charitable, non-profit research organizations are specified by law in most jurisdictions. Those are typically the President, Treasurer, and Secretary, who prepare annual reports and corporate filings as well as organize the work that leads to them to ensure that the Foundation maintains its legal status and provides a framework for project work. Experience dictates that these positions should be paid with at least a modest stipend to ensure that officers commit the time and energy to perform these functions adequately. These functions must be overseen by the board and officers replaced if these functions are not performed adequately.

Software Licenses

Presumably the RHEDcloud Software Foundation and Emory University as the initial grantor of intellectual property would decide upon the specific open source license(s) to use in consultation with the founding organizational members. Some candidate licenses are:

Several potential founding institutional members have expressed a desire that the license allow users to make derivative works and hold them proprietary. Both of these proposed licenses accommodate that desire. However, to be successful, the project also need to organize around maintaining and developing common products.

Accession of Intellectual Property Contributions

Works for Hire

Most prioritized work will be contracted works for hire between the RHEDcloud Software Foundation and its preferred software development vendors, so much of the on-going development and maintenance work will originate as intellectual property of the RHEDcloud Software Foundation.

Contributed Works

In-kind contributions and contributed works will be accepted by the project using the project's standard disclosure and IP assignment agreement. These agreements can be completed in advance of creation for prioritized in-kind contributions just as statements of work and contracts are prepared with the Foundation's preferred consultants.

RHEDcloud Project Evolution

Over 2019 and 2020 the RHEDcloud Software Foundation (https://www.rhedcloud.org) will recruit at least 20 institutional members and 50 individual members. The RHEDcloud project will have deployed its evaluation and demo platform in the cloud at https://rhed.cloud for prospective users to sign-up, try the solution, and read through a quick-start guide to integrate the solution with their infrastructure and deploy it for their organization. The RHEDcloud project will have structured collaboration forums for cloud compliance and security requirements, and this group will perform security risk assessments and specify controls for many Amazon Web Service, Google Cloud Platform, and Microsoft Azure. The project will also have structured a collaboration forum to establish development priorities for all components of the service. The project will solicit SOWs from preferred vendors for all development priorities, select development projects for funding, and assess the institutional membership for costs to implement these development priorities.