FAQ

Q: What is CloudPay?
Q: What if I made a mistake and incurred charges beyond what I planned?
Q: Are there any differences in standard pricing vs what UCSF is getting? 
Q: Are the contract prices locked-in or are they variable? 
Q: Who (what organization) is handling the contract for UCSF? 
Q: What happens to the data if/when funding is lost? 
Q: If UCSF were to choose not to renew a contract with a provider, how much of a grace period (if any) would we have to move our data out? 
Q: Are any of the providers offering data backup included in the agreement with UCSF or is there a separate agreement for backups? 
Q: How is UCSF utilizing Cloud services (VMs, Storage, Backup)? 
Q: What are the current cloud projects in the pipeline (and timeline) that are close to being available for the general UC user base? 
Q: What providers offer storage directly on-premise without the need of a VM or surrogate container? 
Q: We are also interested in hybrid storage access with on-prem/off-prem, having the infrequent data stored on the off-prem cloud storage (a starter), potentially transitioning fully to cloud. Does the provider offer this kind of service?
Q: Are there any architecture diagrams we could look at for current implementations? 
Q: Are there any on-premise storage implementations, and what are the challenges that you faced or are facing? 
Q: Where are these servers located? 
Q: What redundancy strategy (LRS, ZRS, etc) is UCSF considering? 
Q: Are the services HIPAA compliant at the colo level or through a third-party service provider? 
Q: What providers offer both end-to-end socket encryption and on-disk encryption? 
Q: Why do researchers need the approval of their Department Head to open an AWS account? 

Q: What is CloudPay?

A: CloudPay is the centralized service provided by UCSF IT that consolidates billing from public cloud providers under a single PO. IT can recharge a cost center for all the costs associated with the cloud account or subscription. IT maintains a master PO, receives the aggregated bill, separates the charges for each cost center and submits the appropriate recharge amounts to Finance. An individual authorized to incur charges against the cost center needs to approve the agreement, and all costs in the cloud account will be passed to the cost center.

Q: What if I made a mistake and incurred charges beyond what I planned?

A: All charges incurred will be passed back to the cost center, which must pay for them. If a mistake was made, please submit a support ticket directly to the cloud vendor and request a refund or credit. They are often willing to accommodate some or all of the mistake. However, if they do not credit the account, the cost center is still responsible for the charges.

Q: Are there any differences in standard pricing vs what UCSF is getting?

A: The University of California has agreements with different cloud providers and in many cases has a pre-negotiated discount. Our current enterprise discount with AWS is 11% until 2025. This is taken directly off the charges on the account, and the amount submitted to the cost center for recharge will be the discounted amount.

Q: Are the contract prices locked-in or are they variable?

A: Discounts are negotiated for a period of time, usually multi-year. At renewal time we will continue to seek the same or deeper discounts based on the University's level of spend at that time. We are constantly seeking ways to save and optimize prices and will pass additional savings on to the member accounts as we are able to; however, additional savings beyond the enterprise discount are not guaranteed.

Q: Who (what organization) is handling the contract for UCSF?

A: The University of California Office of the President (UCOP) handles contract issues that affect the entire UC. This includes BAA agreements, the master UC agreements, enterprise discount programs, etc. The Office of the CIO at UCSF handles agreements specific to UCSF and UCSF Health, which can include private pricing, reservations, savings plans, etc.

Q: What happens to the data if/when funding is lost?

A: If funding is ending, the account should be emptied and closed. It is the responsibility of the cost center to pay for services incurred in the account. Some data may be eligible for long-term storage with the Archivist at the Library.

Q: If UCSF were to choose not to renew a contract with a provider, how much of a grace period (if any) would we have to move our data out?

A: As long as there is a need and the member accounts can fund their own activities, UCSF is committed to providing the appropriate level of service needed to operate.

Q: Are any of the providers offering data backup included in the agreement with UCSF or is there a separate agreement for backups?

A: Depending on the need, UCSF IT can provide a backup service. If you need your cloud resources backed up to a separate region, that can be accommodated within your account using the service provided by the cloud provider. There are costs for the storage.

Q: How is UCSF utilizing Cloud services (VMs, Storage, Backup)?

A: UCSF IT and various departments and research labs all use cloud services for different things. This includes network services, security, storage, backup, web hosting, AI/ML, high performance computing, analytics, basic compute and database hosting. Some of the use cases include enterprise services, genomics, virology, cancer research, neurology, etc.

Q: What are the current cloud projects in the pipeline (and timeline) that are close to being available for the general UC user base?

A: We always have storage projects in the pipeline. Research projects are very common too. If you are looking for something specific, to see if there is someone who can advise you on your own project please ask at: [email protected]

Q: What providers offer storage directly on-premise without the need of a VM or surrogate container?

A: On-prem storage can be obtained from UCSF IT by contacting the storage team: https://datacenter.ucsf.edu/services/storage-services

Q: We are also interested in hybrid storage access with on-prem/off-prem, having the infrequent data stored on the off-prem cloud storage (a starter), potentially transitioning fully to cloud. Does the provider offer this kind of service?

A: UCSF IT is developing a hybrid storage service. If you are interested in this, please contact us at: [email protected]

Q: Are there any architecture diagrams we could look at for current implementations?

A: The community tends to be very open and supportive. The Cloud Services team is happy to broker introductions to other teams that might have done something similar to the project you are considering. The vendors themselves are also a great, and often free, resource for advice.

Q: Are there any on-premise storage implementations, and what are the challenges that you faced or are facing?

A: Please contact the UCSF IT storage team directly for details on the options available: [email protected]

Q: Where are these servers located?

A: Public cloud providers do not disclose their location.

Q: What redundancy strategy (LRS, ZRS, etc) is UCSF considering?

A: Each account holder is responsible for implementing their own strategy. If they need assistance, UCSF IT can provide basic advice and provide oversight for third-party service providers contracted to implement the computing resources in the account.

Q: Are the services HIPAA compliant at the colo level or through a third-party service provider?

A: UCSF IT has hardened a number of AWS services and provides a HIPAA-eligible platform for member accounts to utilize. It is the responsibility of individual account holders to ensure their architectures and computing workloads comply with UCSF security standards and that they do not engage in activities that violate our policies. Individual account holders are the stewards of their data and are the end point of accountability for the data they store in the account. While many services can be implemented without an individual security assessment, member accounts are encouraged to take advantage of UCSF IT Security as advisors on the workloads they wish to implement.

Q: What providers offer both end-to-end socket encryption and on-disk encryption?

A: Both AWS and Azure are able to support this. Currently only AWS has an approved environment at UCSF. To be placed on the waiting list for Azure, please contact: [email protected]

Q: Why do researchers need the approval of their Department Head to open an AWS account? 

A: It might seem odd that UCSF IT needs the approval of the Department Head for the cost center against which the AWS account will be billed, when a researcher is the final authority on funds being spent for their grants.

An AWS account is essentially an unlimited line of credit for compute resources.

This means that the services used in the account may exceed the funds of any one grant or external funding source.

UCSF Central IT holds the Purchase Order for what is called the Master Payer Account (MPA). Every account that is opened under the MPA is its own unlimited credit line that rolls up to a consolidated bill which IT pays out of its Cost Center. 

Under this agreement, UCSF is accountable for all costs incurred in any AWS account associated with the services provided. The Office of the CIO captures all these costs in the single cost center under the single PO and then recharges all the costs associated with each account to the appropriate cost center.

This allows IT to negotiate discounts and ensure data security.

Finance staff in any given department are able to cross-check the delegation of authority for a cost center at the Department Head level and not below. This means that our Cloud Business Office is unable to validate through system access whether or not an individual researcher is able to officially charge against that cost center. Authorization to do so is a record internal to the department under which the research is being conducted, and is not visible across UCSF.

IT validates authorization at the level for which there is cross-departmental visibility in the fiscal delegation of authority chain, in order to standardize the process for recording account authorizations.

Even though a researcher might have full authority to spend the funds from the grants they receive, when they open an AWS account there is no way to arbitrarily terminate cloud services to force an account to stay within a certain budget and within the constraints of the grant allowances. Doing so would have a catastrophic and irreversible impact on any research being conducted.

Individual researchers need to plan for the termination of their own computing resources and the archival of their data in a cost sustainable way. 

The approval from the Department Head of the cost center submitted to the Cloud Business Office indicates their agreement to allow the Office of the CIO to recharge their cost center for any and all costs incurred in that account, regardless of whether there are enough funds from grants to cover those services.

This is a real risk, with repeated precedent here at UCSF. There have been accounts that have either become compromised or which had resources excessively provisioned, resulting in substantial charges to the account. In some cases AWS was able to credit the account for a full or partial offset to the bill.

In cases where those credits do not cover the full amount of the excess, the department head and the grant owner must agree between themselves how to cover the costs. IT must receive the recharge from the department to be able to pay the AWS invoices, and the Department Head approval is critical in that process. 

If approval from the Department Head is not possible, an unlimited AWS account may not be the right option. There are other options available, and IT can help guide you to the path that is most appropriate for your needs. Please contact [email protected] for help and guidance.