• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Cloud Computing Adoption and the Impact of Information Security
 

Cloud Computing Adoption and the Impact of Information Security

on

  • 2,049 views

 

Statistics

Views

Total Views
2,049
Views on SlideShare
2,049
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Cloud Computing Adoption and the Impact of Information Security Cloud Computing Adoption and the Impact of Information Security Document Transcript

    • Running Head: Cloud Computing and the Impact of Information Security on its Adoption Cloud Computing Adoption and the Impact of Information Security Term Paper Belinda Edwards IMAT 670: Contemporary Topics in Informatics University of Maryland University College 7 November 2011
    • Cloud Computing and the Impact of Information Security on its Adoption 2Table of ContentsAbstract ........................................................................................................................................... 4Introduction ..................................................................................................................................... 5 Cloud Computing ........................................................................................................................ 5Competitive Industry Structure ....................................................................................................... 6 Threat of New Entrants ............................................................................................................... 6 Intensity of Rivalry ..................................................................................................................... 6 Bargaining Power of Buyers ....................................................................................................... 7 Bargaining Power of Suppliers ................................................................................................... 7 Threat of Substitutes ................................................................................................................... 7 Dominate Characteristics ............................................................................................................ 8Internal Factors ............................................................................................................................... 8 Internal Strengths ........................................................................................................................ 8 Economic Considerations. ...................................................................................................... 8 Brand. ...................................................................................................................................... 9 Centralized Infrastructure. .................................................................................................... 10 Internal Weaknesses.................................................................................................................. 11 Uniform Measurements ........................................................................................................ 11 Regulations ........................................................................................................................... 11 Network Dependence ............................................................................................................ 12 Loss of Technical Talent ....................................................................................................... 12External Factors ............................................................................................................................ 13 External Opportunities .............................................................................................................. 13 Collaboration towards Cloud Standards. .............................................................................. 13 Improved Governance ........................................................................................................... 13 Uniform Performance Metrics .............................................................................................. 14 External Threats ........................................................................................................................ 14 Economic crisis ..................................................................................................................... 14 Centralization ........................................................................................................................ 15Strategic Analysis ......................................................................................................................... 16 Internal Audit ............................................................................................................................ 16 Strengths ............................................................................................................................... 16
    • Cloud Computing and the Impact of Information Security on its Adoption 3 Weaknesses ........................................................................................................................... 16 External Audit ........................................................................................................................... 17 Opportunities......................................................................................................................... 17 Threats................................................................................................................................... 17Recommendation .......................................................................................................................... 18 Specific Annual Objectives and Policies .................................................................................. 18 Policy Development .............................................................................................................. 18Conclusion .................................................................................................................................... 19References ..................................................................................................................................... 20Figure 1: Cloud Deployment Models ........................................................................................... 10Figure 2: Information Security Adoption Cycle ........................................................................... 19
    • Cloud Computing and the Impact of Information Security on its Adoption 4 Abstract The National Institute of Standards and Technology (NIST) defines cloud computing as a“model for enabling convenient, on-demand network access to a shared pool of configurablecomputing resources (e.g., networks, servers, storage, applications, and services) that can berapidly provisioned and released with minimal management effort or service providerinteraction” (NIST SP 800-145). The combination of the demand for increased bandwidth alongwith the mandate to reduce information technology (IT) costs has led most businesses to looktowards cloud computing as a means to provide the flexibility and responsiveness required tomeet business and customer needs. Cloud computing, however, does not come without its detractors. Most barriers towardscloud adoption include concerns over information security, access management, the lack ofvendor compatibility, and most importantly trust. Various, distinct security regulations exist forwhich businesses are responsible. A consistentstandards and governance approach, along withflexible acquisition procedures, and a comprehensive certification and accreditation methodologyis requiredforglobal adaptation. Financial incentives may also aid cloud adherencein developingcountries. This case study was based on the analysis of information that was collected fromacademic and industry articles and journals. Using this information, the author was able torecommend strategies for theconsistent application of information security standards within thecloud computingenvironment.
    • Cloud Computing and the Impact of Information Security on its Adoption 5 IntroductionCloud Computing Cloud computing was initially introduced as a method towards cost effectiveness bysharing software and hardware resources within an enterprise or an industry. Cloud computing isconsidered a utility; available for use without requiring knowledge of its source location. Theperspective is that of a centralized location from which a customer can dynamically manageresources (or services) that are reliable, scalable, and agile. The terms cloud computing andvirtualization are interchangeable. Cloud computing provides a centralized delivery mechanism that consists of multiple,independent layers, from which the customer can choose. Those layers are commonlyconsidered: infrastructure as a service (IaaS), platform as a service (PaaS), and software as aservice (SaaS), respectively. IaaS provides the lowest level of support, specifically network andstorage access. PaaS delivers the operating system (i.e. Windows 7) to the customer. Lastly,SaaS provides software applications (i.e. Word) to the customer. All these services areaccessible at a minimal cost to the user. Concerns over cloud security continue to grow. The centralization of services and moreimportantly, the transition of control over to service providers has created unease in the technicalcommunity and has limited adoption. The public and private sectors must collaborate onindustry standards and governance policies specific to data access, identity management,encryption tools for data transport and storage, as well as privacy and compliance.
    • Cloud Computing and the Impact of Information Security on its Adoption 6 Competitive Industry StructureThreat of New Entrants Cloud computing limits entrance barriers, thereby increasing the threat new entrants haveon a market. The global economic downturn has caused corporations to focus on informationtechnology (IT) fiscal responsibility and cost containment. Cloud providers present a solutionwhich can be utilized by the hour or the event, thus eliminating the significant IT investmentpreviously necessary for entrance into the industry. Entrants with limited cash reserves, butknowledgeable of business, industry, and technology can make a positive impact on anybusiness.Cloud computing offers new entrants the ability to connect and collaborate with sponsors toobtain enterprise certification, thus reducing time to market. It is no longer necessary for newentrants to be experienced players, but rather they require an innovative solution that is platformand industry agnostic. Cloud computing places the threat of new entrants very high.Intensity of Rivalry The intensity of rivalry is very medium. Although cloud computing offers a centralizedenvironment from which to access platform, infrastructure, and software services, the lack oftrust of cloud service providers initially limits the intensity of rivalry. Cloud standards andgovernance must be refined to address the security risks presented by cloud computing. Onceglobal consensus is obtained, rivalry will increase to the benefit of the consumer. Cloudcomputing participants are primarily focused on acquisition, evaluation, and access controlswhich limit unauthorized access and data loss.
    • Cloud Computing and the Impact of Information Security on its Adoption 7Bargaining Power of Buyers The bargaining power of buyers remains high. Cloud providers can offer solutions for aslittle as $0.10 to $1.00 an hour to rent additional servers (Choo, 2010). Federal customers canutilize economies of scale to negotiate dynamic allocation of resourcing. It is estimated that thecloud computing market will grow to $160B by years’ end (Chow, R., Golle, P., Jakobsson, M.,Masuoka, R., Molina, J., Shi, E., & Staddon, J., 2009).Bargaining Power of Suppliers The bargaining power of suppliers is currently low, but will increase over time. Cloudproviders understand the existence of an untapped market just ripe for expansion, but are alsoaware of customers’ concerns over security. Cloud providers have volunteered to submit toextensive testing and evaluation to become initial members of a list of government-vettedsolution providers. This strategic move could offer access to an anticipated US governmentmarket worth $15 million (Kundra, 2010). Suppliers will benefit from agency sponsorship. Thiscollaboration will illustrate provider ability to rapidly adjust to customer demand and couldextend collaborative efforts beyond the federal government into state and local and possibly theinternational market.Threat of Substitutes The threat of substitutes is currently low. Customers are concerned over the securityrisks vendor lock-in may present. As cloud computing industry standards continue to evolve,customers are concerned there may be a lack of backward compatibility with regards to cloudaccess, data encryption, transportation, and storage. The lack of industry maturity significantlyreduces the threat of substitutes; however, this will change as best practices are applied.
    • Cloud Computing and the Impact of Information Security on its Adoption 8Dominate Characteristics The analysis below provides a detailed evaluation of internal and external factorsaffecting cloud computing; information security is an overarching aspect. The subsequentStrengths – Weaknesses – Opportunities – Threats (SWOT) analysis illustrates key internalstrengths and weaknesses as well as external opportunities and threats (David, 2009, p. 192).This analysis was used to address cloud computing strategic planning of product developmentand improved customer engagement which will hopefully lead to increased competitiveadvantage. Information for this SWOT matrix was derived from both academic and industryperiodicals found on the topic. Internal FactorsInternal Strengths Economic Considerations. Service demand, improving customer engagement, and varying regulations impactbusiness IT infrastructure. The juxtaposition of financial reduction and improved technicalefficiencies has led organizations to embrace the potentials of cloud computing. Cloudcomputing proposes a “fee for service” approach that presents businesses and developingcountries with the services, software, and tools necessary for market entrance into a new industryor the equipment necessary to sustain threats from rivals, suppliers, or substitutes. Cloud computing is seen as offering significant economic savings. The first federal CIOanticipated a 30% or $20 billion reduction in federal IT data center infrastructure expenditures by2015, and projects those funds would be “reinvested in agency missions, including citizen-facingservices and inventing and deploying new innovations” (Kundra, 2011, p. 7). As with anyoutsourcing contract, economic improvements are garnered by the thorough analysis of business
    • Cloud Computing and the Impact of Information Security on its Adoption 9need and service availability. Cloud computing does reduce large infrastructure investments,provides emphasis on agility and allows for hardware and software efficiency (pay for use). Brand. The National Institute of Standards and Technology (NIST) “has identified five essentialcharacteristics of cloud computing: on-demand service, broad network access, resource pooling,rapid elasticity, and measured service” (NIST, 2011). As global competition increases,organizations will escalate cloud adoption as a method of quickly bringing products to theirniche and developing customer bases. Cloud providers offer their customers the ability torapidly adjust their IT infrastructure to changes in consumer demand without the financial aswell as operations and maintenance responsibilities. Cloud computing is becoming synonymouswith IT financial efficiencies; however businesses must perform an internal assessment of theirprocesses and needs to best obtain the efficiencies cloud brings to bear. The NIST service modelbelow illustrates the breath of cloud service offerings available.Table 1: Cloud Service Models Service Models Description Capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to Infrastructure as a deploy and run arbitrary software, which can include Service (IaaS) operating systems and applications. Capability provided to the consumer is the ability to deploy onto the cloud infrastructure consumer- created or acquired applications created using Platform as a programming languages and tools supported by the Service (PaaS) provider Capability provided to the consumer is to use the Software as a provider’s applications running on a cloud Service (SaaS) infrastructure
    • Cloud Computing and the Impact of Information Security on its Adoption 10 Centralized Infrastructure. Cloud computing provides a central area from which the customer can access platformsand software services. These models provide a centralized foundation from which security risksand software version controls will be managed, and information access and regulationcompliance will be monitored, all while providing customers uniform product offerings at areduced financial cost. Most importantly, increased innovation is had through centralization, asit reduces IT investment costs that serve as barriers to market entry. Lastly, business continuityplanning (BCP) programs benefit from centralization, as mission critical applications and dataare maintained in a single location. There are four deployment models used to facilitate cloud services, the NIST descriptionfor these models are listed below.Figure 1: Cloud Deployment Models
    • Cloud Computing and the Impact of Information Security on its Adoption 11Internal Weaknesses Uniform Measurements Metrics used to evaluate cloud providers are not consist throughout the industry and varydepending upon country and business regulations. Unfortunately, expectations are dependentupon business need and vary accordingly. Initiatives such as the Carnegie Mellon UniversityCloud Services Measurement Initiative Consortium (CSMIC), the Distributed Management TaskForce’s (DMTF) Cloud Management working group, and the Cloud Security Alliance (CSA)will serve as the basis to address standard cloud performance metrics (TechAmerica, CLOUD2,2011). Service level agreements (SLA) must also be established between the customer and cloudprovider as a technique to define procedures to be taken during service unavailability. The SLAcan also be used to establish metrics to aid cloud providers in securing the environment. Thesemetrics should outline how data is transmitted; the encryption methods used during datatransport, storage, and access; regulatory compliance activities; disaster recovery procedures, andan outline detailing steps to recollect data should something happen (bankruptcy, acquisition). Regulations Cloud computing allows for access mobility, meaning the customer does not requireknowledge of the location of stored services and information to utilize the information.However, cloud providers have established data centers in various global locations to addressregulations specific to that region. Businesses may have separate security controls to addressindividual regulations and expect cloud providers to segment data accordingly. Global standardssuch as Control Objectives for Information and Related Technology (COBIT), InternationalOrganization for Standardization (ISO) 27001, and Information Technology InfrastructureLibrary (ITIL), have been used to meet multiple regulatory and governance requirements with a
    • Cloud Computing and the Impact of Information Security on its Adoption 12single set of controls and to lower costs (Wagner, 2011). Combined with cloud services, costs arefurther reduced as the enterprise can take advantage of finalized products, thus lessening thecompliance cycle. Network Dependence The largest weakness to cloud computing is its dependence upon a robust network toconnect providers and customers. Little can be done should the network be unavailable.Increased dependence upon mobile products has stretched the current IP network. Globally, theadoption of IPv6 is underway to address current network limitations; however this will notaddress the needs of individuals and organizations within disparate lands. Wagner quotesNaughton as saying, “If we are betting our futures on the network being thecomputer, we oughtto be sure that it can stand thestrain” (Wagner, 2009). Customers may utilize the private cloud,at an increased cost, as a method to sustain network reliability; another option may be“disconnected use” of services to continue processing (NIST, 800-146). Loss of Technical Talent As businesses embrace cloud computing, some have also outsourced their technical staff;this is a mistake. Technical expertise is required to properly analyze vendor contracts and assesscloud performance. Business must invest in its talent pool to maintain the expertise andknowledge in preparation for the next innovative solution. Skilled program managers arenecessary to “establishingintegrated, multi-disciplinary program teams” with key skills beforebeginning major IT programs, (Kundra, 2010).
    • Cloud Computing and the Impact of Information Security on its Adoption 13 External FactorsExternal Opportunities Collaboration towards Cloud Standards. Cloud computing services are designed to reduce cost and promote reuse. Industry andgovernment must collaborate to define best practices necessary for international and domesticcloud adoption. Standards must address concerns towards information security, privacy,transparency, and accountability with respect todelivering trusted cloud computing services”(TechAmerica, 2011). They should also address metrics for vendor accreditation and systemsinteroperability, all while fostering vendor competition for increased efficiency. Cloud computing standards will continue to be refined over time, to address industryuniqueness and modified regulations. This refinement will (1) produce a global approach tocybersecurity that recognizes the global nature ofinterconnected systems, (2) provide for dataprotection regardless of location,and (3) evade fragmented, unpredictablenational requirements(SIIA, 2011). Improved Governance Governance encompasses risk management, legal discovery, auditing, compliance,information lifecycle management, data portability and systems interoperability (CSA, 2009).Governance is applicable regardless of service or deployment model and should be flexible toaddress specific industry requirements. The government structure, aligned with cloud industrystandards, should combat current gaps in security. CIO Magazine held a survey of industryleaders to illustrate concerns over information security; only 48 percent actuallybelievedinformation security has improved” (Brenner, 2009). Established governance should define roles and responsibilities necessary for compliancewith domestic and international regulations; address success metrics (i.e. performance and
    • Cloud Computing and the Impact of Information Security on its Adoption 14service availability); outline access controls and identity management methods; detail incidentmanagement and business continuity procedures; and offer testing guidelines. Cloud security ispertinent to its success; it provides a foundation for collaboration and is forecast to provideexponentialbenefits to everyone involved. A combined approach to governance will gleanlessons learned throughout the country and industry thus aiding in the development of effectivecentralized services. Uniform Performance Metrics The development of key performance indicator (KPI)metrics will aid in building trustbetween cloud customers and providers. Customers require measurements to consistently ratenetwork confidentiality, integrity, and availability (CIA) to assess whether the cloud solution isapplicable to their needs and adaptable to future requirements. Metrics are also necessary toclearly define cost savings and demonstrate program efficiencies, network consumption, andvulnerabilities.More importantly, metrics emphasize security risks presented by the dependenceupon the cloud provider.External Threats Economic crisis Although some do not consider the continued global economic downturn as a reasonforrequired financial IT efficiency, nonetheless, it has contributed to the push toward the cloud.Industries accustomed to a large portion of the enterprise budget must discover the benefits cloudcomputing provides. Continued reduction in IT budgets may drive customers to unprovensolutions, to the detriment of their business. Compliance with industry standards must beenforced to reduce cloud vulnerabilities; however until overarching industry standards areratified, customer must mandate that their cloud provider outline methods for data security andaccess controls.
    • Cloud Computing and the Impact of Information Security on its Adoption 15 Centralization Cloud computing is thought of as providing a centralized data store from whichindividuals and businesses can access innovative applications and services for their environment.It allows customers the ability to go to a single area to access software and hardware, utilizeframeworks for service accreditation, and limits duplication of efforts, thus saving time andmoney.This concept is aimed at consumer mobility and retention providing the ability to accessdata anywhere from any device. The converse however, is that centralization provides a single point of failure that is thetarget of cybercriminals. Centralization drives the need for standards and governance oneverything from user credential (access controls) to business continuity management.Centralization does offer a uniform approach for systems management, (i.e. applying securityupdates, diminishing holes), but presents security risks that could result in unauthorized access todata. Cybercriminals have begun how to “impactthe operations of other cloud customersandhave been focused on diskpartitions, CPU caches, and othershared elements which were neverdesignedfor strong compartmentalization” (Choo, 2010). Cloud providers must devise acentralized approach to audit the network forintegrity, evaluate vulnerabilities and close gaps.
    • Cloud Computing and the Impact of Information Security on its Adoption 16 Strategic Analysis Strengths – Weaknesses – Opportunities – Threats (SWOT)Internal Audit Strengths 1. The first Federal CIO instituted the “Cloud First” initiative as a method for federal agencies to rapidly deploy technical solutions at cost savings, and allows for reuse 2. Aligns with 2010 Federal Data Center Consolidation initiative and could reduce the number of managed applications and hardware (Kundra, 2011) 3. Reduces initial IT investment costs for new businesses, thus lessening their barriers for market entry 4. Provides “elasticity”, allowing for quick scalability or downsizing of resources depending on demand (Dlodlo, 2011) 5. Allows for innovation and entrepreneurship, and promises substantial efficiency gain (Murray & Zysman, 2011) 6. Limits software piracy and unauthorized use 7. Provides a consistent and centralized mechanism for organizations to protect confidential/regulated data 8. Can provide an environment where corporations can test and experiment without a negative impact on production 9. Allows customers to take advantage of vendor products and services without expensive investment costs 10. Provides broad network access regardless of size (i.e. individuals, businesses large and small, as well as emerging markets) Weaknesses 1. Consistent metrics from which to assess cloud service providers is non-existent, but are being developed 2. Contradictory federal regulations limit government agency cloud adoption 3. Industry standards are evolving, resulting in a lack of compatibility, contributing to “vendor lock-in” which has limited adoption 4. Lack of consistent, stringent access controls could lead, at a minimum, to inappropriate disclosure, or at a maximum, the loss or destruction of sensitive information 5. Centralization leads to a single point of failure that demonstrate network vulnerabilities of which cybercriminals will take advantage 6. Dependence upon the network results in disproportionate service offerings within austere lands 7. Global standards on data privacy measures are not consistent 8. Sole reliance on browser security has contributed to cloud breaches (NIST 800-146) 9. Lack of information sharing agreements amongst federal agencies limit the efficiencies cloud offers the community 10. The industry is in its infancy, constantly evolving to address issues, restricting adoption
    • Cloud Computing and the Impact of Information Security on its Adoption 17External Audit Opportunities 1. International acceptance of cloud computing services continues to expand; its economies of scale will prove effective when developing governance and regulations to address security risks 2. The Federal Risk and Authorization Management Program is being implemented to create a standard, centralized approach to certify and accredit cloud computing products and services. 3. Trust will be cultivated through legislation, as well as the development of approved, uniform methods for cloud certification 4. Existing regulations (i.e. Electronic Communications Privacy Act, the Gramm-Leach- Bliley Act, European Union Data Protection Directive) are being reviewed to modernize their approaches to address security concerns within the cloud environment 5. Access management frameworks are being developed and implemented to enhance multination collaboration, with uniform access controls and authentication procedures (CIO Council, 2011) 6. Focus on improved customer engagement is driving cloud competition within the mobile market (i.e. tablet vs. phone) leading to innovative product offerings within their subsequent platforms (Kushida, Murray, Zysman, 2011) 7. Cloud customers will still require onsite technical expertise to evaluate cloud provider performance and effectiveness, resulting in improved training opportunities 8. Added flexibility in budget and acquisition regulations would provide incentives for cloud adoption 9. Centralized federal certification and accreditation can be utilized by state and local organizations which will enable cost efficiencies and drive innovation 10. Focus on component delivery will result in refined services independent of the platform Threats 1. The cloud service providers control facilities and server access, thus creating possible security vulnerabilities the cloud customer must address and manage from afar 2. Compatible international regulations are non-existent to combat cloud issues (i.e. provider bankruptcy or liquidation, data security, privacy, identity management) 3. Cloud service providers offer a centralized location where cybercriminals have and will attack 4. Disruption within the public, hybrid, and/or community cloud environment (i.e. network unavailability, physical server removal) may cause unintended consequences to customers peripheral to the affected party 5. The shared cloud environment provides cyber criminals a unique area to cause massive disruption (i.e. denial of service, malware, botnet attacks, zombies) 6. Contracts do not clearly delineate roles and responsibilities for data storage, access, and management
    • Cloud Computing and the Impact of Information Security on its Adoption 18 7. Cybercriminals have taken advantage of the lack of data encryption techniques while data is at rest, resulting in unauthorized exposures of information 8. Criticism within social media could negatively impact the reputation of cloud service providers and limit growth and innovation 9. Lack of trained acquisition personnel limits the posture cloud customers have when negotiating contracts 10. Single entry points to the cloud and the lack of stringent password management allow cybercriminals the ability to attack these vulnerabilities and limit cloud effectiveness Recommendation My recommendations would be to continue support of ongoing community efforts todevelop and sustain (1) an annual review of government regulations to address changes inindustry practices and devise measurements that offer minimum compliance with saidgovernment regulations; (2) standard security requirements to which cloud solution providersmust adhere; (3) denote service level agreement roles and responsibilities that will be maintainedthroughout the contract; (4) portal(s) from which cloud participants can contribute and access;and (5) procedures to enlist uniform adoption of user authentication procedures for auditing andcontrol purposes.Specific Annual Objectives and Policies The objective of cloud computing is to provide access to dynamically scalable resourcesand storage, without the massive financial investment. .Policy Development 1. Governments must collaborate to define minimal, overarching regulations which will be acceptable in each jurisdiction. 2. Cloud providers must develop a unilateral strategy to effectively manage remote access and user authentication. 3. Cloud providers must team with security industry leaders (i.e. SANS) to outline a plan to combat zero-day and denial of service (DOS) attacks. An example of a consistent approach would be to apply security patches within 48 hours of receipt, regardless of platform (i.e. PaaS, IaaS, and SaaS). 4. Cloud providers and consumers must collaborate to define minimal SLA stipulationsof roles and responsibilities on information management. Providers must notify
    • Cloud Computing and the Impact of Information Security on its Adoption 19 customers within 48 hours of their acquisition, and the acquiring company must assemble with its new customers within 30 days. 5. Support for continued government and industry development of a cloud acquisition strategy. Metrics should be developed to provide organizations with financial incentives should they successfully adopt a new, innovative, cutting-edge solution. Conclusion Cloud computing adoption is hampered by security concerns. These concerns can bemanaged by implementing a cycle, similar to the figure below that continually evaluates changesin government regulations for its impact on acquisition methodology, data transport and storage,and access controls.Figure 2: Information Security Adoption Cycle Emphasize continued industry and government participation in cloud security working groups Comprehend required changes to domestic and international regulations specific to information security in cloud computing Sponsor IT expertise to integrate the latest technologies Define success criteria to Collaborate with designate changes in cloud providers on governance structures testing and accreditation activities
    • Cloud Computing and the Impact of Information Security on its Adoption 20 ReferencesBadger, L, Grance, T., Patt-Corner, R., & Voas, J. (2011). Draft cloud computing synopsis and recommendations. Retrieved from http://csrc.nist.gov/publications/drafts/800-146/Draft- NIST-SP800-146.pdf.Bisong, A., & Rahman, S. M. (2011). An overview of the security concerns in enterprise cloud computing. International Journal of Network Security & Its Applications, 3(1), 30-45. doi:10.5121/ijnsa.2011.3103.Brenner, B. (2009 October 15). Why security matters now. www.cio.com. Retrieved from http://www.cio.com/article/504837/Why_Security_Matters_Now.Bublitz, E. (2010). Catching the cloud: managing risk when utilizing cloud computing. National Underwriter / P&C, 114(39), 12. Retrieved from EBSCOhost.Chakraborty, R., Ramireddy, S., Raghu, T., & Rao, H. (2010). The information assurance practices of cloud computing vendors. IT Professional Magazine, 12(4), 29-37. Retrieved from ABI/INFORM Global. (Document ID: 2081450441).Choo, K. (2010). Cloud computing: Challenges and future directions. (cover story). Trends & Issues in Crime & Criminal Justice, (400), 1-6. Retrieved from EBSCOhost.Chow,R., Golle, P, Jakobsson, M., Masuoka, R, & Molina, J. (2009). Controlling data in the cloud: Outsourcing computation without outsourcing control. Retrieved from http://markus-jakobsson.com/papers/jakobsson-ccsw09.pdfCIO Council. (2011). Identity, credential, and access management segment architecture. Retrieved from http://www.idmanagement.govCIO Council. (2 November 2010). Proposed security assessment and authorization for U.S. government cloud computing. Retrieved from https://info.apps.gov/sites/default/files/Proposed-Security-Assessment-and- Authorization-for-Cloud-Computing.pdf.Cloud Security Alliance. (2011). Cloud controls matrix. Retrieved from https://cloudsecurityalliance.org/research/initiatives/cloud-controls-matrix.Cloud Security Alliance. (2011). Defined categories of service 2011. Retrieved from https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf.Cloud Security Alliance. (2011). Private security cloud security best practices. Retrieved from https://cloudsecurityalliance.org.
    • Cloud Computing and the Impact of Information Security on its Adoption 21Cloud Security Alliance. (2009). Security guidance for critical areas of focus in cloud computing v2.1. Retrieved from https://cloudsecurityalliance.org/wp- content/uploads/2011/07/csaguide.v2.1.pdf.Cummer, L. (2011 February 25). Are you using cloud computing?. Backbone, 33-36. Retrieved from EBSCOhost.Cunningham, P. (2009). Three cloud computing risks to consider. Retrieved from http://www.arma.org/press/ARMAnews/Infosecurity.pdfDavid, F. R. (2009). Strategic management: Concepts and cases. Upper Saddle River, New Jersey: Pearson Prentice Hall.DHS. (2011). DHS cyber security resources catalog. Retrieved from https://www.infosecisland.com/blogview/4291-DHS-Cyber-Security-Resources- Catalog.html.Dlodlo, N. (2011). Legal, privacy, security, access and regulatory issues in cloud computing. Proceedings of the European Conference on Information Management & Evaluation, 161-168. Retrieved from EBSCOhost.GAO. (2010). Information security government-wide guidance needed to assist agencies in implementing cloud computing. GAO Reports, 1. Retrieved from EBSCOhost.GAO. (2011 October 6). Information security: Additional guidance needed to address cloud computing concerns. Retrieved from http://www.gao.gov/new.items/d12130t.pdf.Ghosh, S., & Miroslaw J., S. (2010). Enterprise resource planning systems implementation as a complex project: A conceptual framework. Journal of Business Economics & Management, 11(4), 533-549. doi:10.3846/jbem.2010.26.GSA. (2011). Apps.gov. Retrieved from https://www.apps.gov/cloud/main/start_page.do.Greengard, S. (2010). Cloud computing and developing nations. Communications of the ACM, 53(5), 18-20. Retrieved from EBSCOhost.Hall, G. (16 July 2009). Cloud computing and ITIL: Service delivery and cloud SLAs. Retrieved from http://cloudstoragestrategy.com/2009/07/cloud-computing-and-itil-measuring-the- quality-of-service-delivery.html.Ivanov, D. (2010). An adaptive framework for aligning (re)planning decisions on supply chain strategy, design, tactics, and operations. International Journal of Production Research, 48(13), 3999-4017. doi:10.1080/00207540902893417.Iyengar,G. B. (2011 October 17). Cloudcomputing – Maze in the haze. Retrieved from http://www.sans.org/reading_room/whitepapers/country/cloud-computing-maze- haze_33819.
    • Cloud Computing and the Impact of Information Security on its Adoption 22Jackson, K. L. (2011). Implementation of cloud computing solutions in federal agencies.Jaeger, J. (2011). Cloud Computing Poses New Risks, Opportunities. (cover story). Compliance Week, 8(86), 1-47. Retrieved from EBSCOhost.Jansen, W. & Grance, T. (2011). Guidelines on security and privacy in public cloud computing. Retrieved from http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud- computing.pdf.Jukic, B., & Jukic, N. (2010). Information System Planning and Decision Making Framework: A Case Study. Information Systems Management, 27(1), 61-71. doi:10.1080/10580530903455221.Kolakowski, N. (2011). Remote access presents complexity, security issues. eWeek, 28(6), 18. Retrieved from EBSCOhost.Kontzer, T. (2010). Cloud forecast 2015. CIO Insight, (114), 8-10. Retrieved from EBSCOhost.Kundra, V. (2010). 25 point implementation plan to reform federal information technology management. Retrieved from http://www.cio.gov/documents/25-Point-Implementation- Plan-to-Reform-Federal%20IT.pdf.Kundra, V. (8 February 2011). Federal cloud computing strategy. Retrieved from http://www.techamerica.org/content/wp-content/uploads/2011/02/Federal-Cloud- Computing-Strategy.pdfKushida, K. E., Murray, J., & Zysman, J. (2011 January 20). Diffusing the cloud: Cloud computing and implications for public policy. Retrieved from http://brie.berkeley.edu/publications/WP_197%20update%206.13.11.pdfMell, P., & Grance, T. (2011). NIST definition of cloud computing Retrieved fromhttp://www.nist.gov/itl/cloud.Owens, D. (2010). Securing elasticity in the cloud. Communications of the ACM, 53(6), 46-51. doi:10.1145/1743546.1743565Pant, S. & Ravichandran, T. (2001). A framework for information systems planning for e- business. Logistics Information Management. Vol. 14.1/2. pp85-98. Retrieved from http://w3.msi.vxu.se/~per/IVC743/LM/p85.pdf.Purser, S. (2004). Practical guide to managing information security. p. 109-129. Artech House, Inc. Retrieved from EBSCOhost.Raines, G. (2009). Cloud computing and SOA. Retrieved from http://www.mitre.org/work/tech_papers/tech_papers_09/09_0743/09_0743.pdf.
    • Cloud Computing and the Impact of Information Security on its Adoption 23Ryan, M. D. (2011). Cloud computing privacy concerns on our doorstep. Communications of the ACM, 54(1), 36-38. doi:10.1145/1866739.1866751.Schiller, K.. (2011, October). Legislating the cloud. Information Today, 28(9), 1,35-36. Retrieved from ABI/INFORM Global. (Document ID: 2483177641).Software & Information Industry Association. (2011). SIIA comments: EU public consultation oncloud computing. Retrieved from http://www.spa.org/index.php?option=com_docman&task=doc_download&gid=3074&It emid=318TechAmerica. (2011). CLOUD2 report cloud first cloud fast recommendations for innovation leadership and job creation. Retrieved from http://www.techamericafoundation.org/content/wp- content/uploads/2011/02/CLOUD2_Report_Cloud_First_Cloud_Fast_Recommendations _for_Innovation_Leadership_and_Job_Creation.pdf.TechAmerica. (2011). CLOUD2 summary. Retrieved from http://www.techamericafoundation.org/content/wpcontent/uploads/2011/07/CLOUD2_Su mmary.pdf.Wagner, R. (1 September 2011). A guide to security, privacy, compliance and risk-related hype cycles, 2011. www.gartner.com. Retrieved from http://www.gartner.com/DisplayDocument?id=1781315