1. 1
MBA Dissertation
A Detailed Analysis of Cloud Computing in Relation to
Value-Added versus Security and Risk-Management
Craig Ellis
Masters in Business Administration
Robert Kennedy College – 2011
2. 2
Table of Contents
Statement
of
Originality
....................................................................................................................................
3
Acknowledgement
............................................................................................................................................
3
Abbreviation
Overview
......................................................................................................................................
3
Executive
Summary
...........................................................................................................................................
4
1.
Introduction
...................................................................................................................................................
5
2.
Literature
Review
........................................................................................................................................
10
Value-‐Added
of
CC
......................................................................................................................................
12
Security
and
Risk
.........................................................................................................................................
23
3.
Data
Collection
Methodology
......................................................................................................................
36
3.1.
Data
Analysis
Methodology
......................................................................................................................
39
4.
Data
Analysis
...............................................................................................................................................
42
4.1.
Review
of
Responses
............................................................................................................................
42
Knowledge
of
Cloud
Computing
..................................................................................................................
44
Value-‐Added
of
Cloud
Computing
...............................................................................................................
46
Security
and
Risk-‐Assessment
of
Cloud
Computing
....................................................................................
49
Cloud
Computing
Business
Model
...............................................................................................................
52
Future
of
Cloud
Computing
.........................................................................................................................
54
5.
Conclusion
and
Recommendations
.............................................................................................................
58
6.
References
...................................................................................................................................................
63
7.
Appendix
.....................................................................................................................................................
68
Appendix
A:
Amended
Pre-‐Screening
Survey
Questions
.............................................................................
68
Appendix
B:
Cloud
Computing
Survey
2011
(Ellis)
......................................................................................
68
3. 3
Statement of Originality
In presenting this dissertation for assessment, I declare that it is a final copy including any last revisions. I
also declare that it is entirely the result of my own work other than where sources are explicitly
acknowledged and referenced within the body of the text. [Or: in footnotes, endnotes, as appropriate]. This
dissertation has not been previously submitted for any degree at this or any other institution.
Name: Craig Ellis
Signature: Date: 04.12.2011
Acknowledgement
I would like to acknowledge those who made this dissertation possible such as my immediate family and
close friend’s for their understanding, patience and involvement within this dissertation. I would also like to
thank the participants’ of the relevant survey for their time and effort, and importantly to acknowledge the
support of the Robert Kennedy College during my work, with special recognition to Professor Barry Ip for
his guidance and assistance in the dissertation process.
Finally I would like to thank my fiancé for her help, support, and patience during this time – without you I
could not have achieved this goal.
Abbreviation Overview
API Application Programming Interface PaaS Platform as a Service
CaaS Communication as a Service QoS Quality-of-service
CC Cloud Computing SeraaS Services as a Service
CSP Cloud Service Providers SaaS Software as a Service
D&M DeLone and McLean IS Success Model SecaaS Security as a Service
DaaS Data as a Service SLA Service-level agreements
ERP Enterprise Resource Planning StoaaS Storage as a Service
EUCS End User Computing Satisfaction TAM Technology Acceptance Model
IaaS Infrastructure as a Service UD&M DeLone and McLean IS Success Model Updated
IS Information Systems UIS User Information Satisfaction
ISP Internet Service Providers VaaS Video as a Service
4. 4
Executive Summary
The objective of the dissertation is to provide a detailed analysis of a new form of IT service known as cloud
computing (CC), with specific research on the associated security and risk-management issues and the
beneficial value-added delivered from such a deployment. The paper will look to establish the value-added
of cloud computing by researching the benefits, identifying and acknowledging the associated risk, and
outlining the strategic gains. The research will further examine cloud computing as a technological product
especially in relation to the associated security and risk-management issues for purchasing customers’, and
will conclude by forming a set of recommendations around the business benefits of adopting a cloud
computing strategy.
We will highlight the most frequently documented problems, detailing the advantages and disadvantages of
cloud deployments and concluding with the future of CC. The concluding recommendations will discuss
potential mitigation of the main security and risk issues, the required legal and process frameworks that will
need to be established, and how customers can successfully deploy cloud services into their existing
business. A set of research questions for this dissertation as outlined below will act as the framework for this
investigation, enabling points of reference to reach the objective of the research undertaken:
1. What are the value-added benefits associated with the implementation of a cloud computing strategy
for companies in the short and long-term?
2. What are the associated risks in the adoption/non-adoption of a cloud computing IT strategy?
3. What are the main security and risk-management issues associated with the implementation of a
cloud computing strategy for companies in relation to their existing business and customer base, and
how can these risks be mitigated?
The dissertation will also undertake an empirical review of a newly-performed survey which will outline key
statistical highlights, followed by a detailed qualitative summarisation on how the cloud is currently
perceived by IT professionals in 2011. The paper will conclude by a formal review of the dissertation
questions, reaching a final conclusion on the long-term future of cloud computing.
5. 5
1. Introduction
“A new idea comes suddenly and in a rather intuitive way. But intuition is nothing but
the outcome of earlier intellectual experience” - Einstein, 1949 (Isaacson, 2007)
Since its commercial release in the early 1990s - the World Wide Web otherwise commonly referred to as
the internet has undertaken dramatic growth and evolution from both a social and business aspect, and is
today a multi-billion dollar industry operating at the centre of today’s business world. The internet has
revolutionised industries, economies and global companies creating a new wave of multi-billion dollar
organisations such as Google, Yahoo and Facebook whose primary business models are centred on internet
search, social-interaction, advertising and e-commerce. In recent years the industry has seen the
introduction of a new form of IT service known as Cloud Computing (CC) which appears to be reshaping the
fundamental principles of today’s IT business world, and the internet platform itself (Goodburn and Hill,
2010).
The actual definition of CC is an evolving paradigm, however leading research agency Gartner (2008) states
CC is “A style of computing where scalable and elastic IT capabilities are provided as a service to multiple
customers using Internet technologies”. The National Institute of Standards and Technology (Mell and
Grance, 2009) takes a more detailed approach and defines CC as “A model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service providers’ interaction”.
Despite its infantile stage, the CC market has grown significantly within a limited number of years and is
now at the forefront of corporate IT strategy (Goodburn and Hill, 2010). In 2008, Gartner estimated the CC
market to be worth around $34 billion, with high growth expected to occur in a short period of time with
forecasted revenues of around $110 billion in 2011, rising to a $140 billion industry by the end of 2013. CC
is now seen as an essential IT strategic option for companies today (Iyer and Henderson, 2010), and allows
them to create substantial competitive advantages in a number of areas as outlined below:
6. 6
• Incorporation of utility-based billing based around on-demand utilisation and scalability as per the
needed requirements, and as such shifting heavily-laden capital expenditure into on-going
operational expenditure.
• Allowing the rapid deployment of new start-up organisations, technologies and services within a
shortened timeframe and with minimal capital expenditure costs onto established IT platforms
currently utilised by leading global companies.
• Significant time and cost reductions in areas such as the product development and time to market
lifecycle of newly-developed products or services.
• Allowing companies to focus on their core business competencies by the outsourcing of IT and data
management, shifting unproductive resource into revenue-driven areas.
CC services are fundamentally grouped around the acronym “aaS” which refers to “as a Service”. aaS
appears to derive from the online retailer Amazon, and one of their newly formed IT services known as AWS
(Amazon Web Services). Whilst examining new ways to reduce its operational costs during off-peak
trading times, Amazon’s management team felt that it was not fully utilising its physical hardware
computing capability effectively, and that it should be able to purchase such computing capability needs on a
usage-basis similar to utility billing. As a result Amazon began to develop its own CC product (AWS)
which allowed companies to rent computing processes and services from Amazon on a usage-basis, and as
such pioneered CC services.
Amazon as a firm is recognised to display “Dynamic Capability” which is the ability to adjust to new and
unfounded markets ahead of competitors (Teece, 2000), and this is clearly displayed in the development of
AWS. Within today’s CC market a number of service models have been developed and deployed, leading
to the creation of the commonly-known SPI-Model which defines three services known as SaaS (Software as
a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a service). Below is a summarised
description of each service offering as per the official NIST definition (2009).
7. 7
• Software-as-a-service (SaaS): The capability provided to the customer is to use the providers’
applications running on a cloud infrastructure. The applications are accessible from various client
devices through a thin client interface such as a web browser (NIST, 2009). The customer does not
manage or control the underlying cloud infrastructure including network, servers, operating
systems’, storage, or even individual application capabilities, with the possible exception of limited
user-specific application configuration setting.
• Platform as a Service (PaaS): The capability provided to the customer is to deploy onto the cloud
infrastructure customer-created or acquired applications created using programming languages and
tools supported by the providers’. The customer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems’, or storage, but has control over the
deployed applications and possibly application hosting environment configurations.
• Infrastructure as a Service (IaaS): The capability provided to the customer is to provision
processing, storage, networks, and other fundamental computing resources where the customer is
able to deploy and run arbitrary software, which can include operating systems’ and applications.
The customer does not manage or control the underlying cloud infrastructure but has control over
operating systems’; storage, deployed applications, and possibly limited control of select networking
components (e.g., host firewalls).
In addition to the above service models, CC providers’ also offer a range of deployment models using
differing types of cloud-network designs. There are four main deployment models available which are
classified as Private, Public, Community and Hybrid and are defined below as per NIST (2009)
• Private cloud: The cloud infrastructure is operated solely for an organisation. It may be managed by
the organisation or a third party and may exist on premise or off premise.
• Public cloud: The cloud infrastructure is made available to the general public or a large industry
group and is owned by an organisation selling cloud services.
8. 8
• Community cloud: The cloud infrastructure is shared by several organisations and supports a specific
community that has shared concerns (e.g., mission, security, policy, and compliance considerations).
It may be managed by the organisations or a third party and may exist on premise or off premise.
• Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community,
or public) that remain unique entities but are bound together by standardised or proprietary
technology that enables data and application portability.
As global companies, established SME’s and fledging start-ups look to migrate to a cloud-orientated world
in order to create competitive advantage and gain immediate market-share (Roth, 2008), detailed strategic
analysis around areas such as usability, accessibility, proprietary frameworks, security and risk (ENISA,
2009) appear to have been disregarded in the rush to develop an online presence and begin to utilise
virtualisation. Established IT giants such as IBM, Apple and Microsoft have been caught standing still as a
number of new start-up companies have developed mass-audiences and growing revenue streams, resulting
in billion dollar market valuations (Reuters, 2011). As CC, virtualisation and social/business cloud service
markets develop, the potential financial gains for such companies appears to be of unprecedented size with
access to new markets, regions, customers and revenue streams all becoming available.
The dissertation will be composed of a number of core sections based around an in-depth literature review,
detailed data-collection and analysis methodology and ending with a set of conclusions and
recommendations. Some of the key questions that will be explored in the dissertation will be around the
potential cost to the company’s core business strategy in the implementation of a cloud strategy, and what
are the potential security and risk-management issues associated. At the present time, literature and research
material related to CC security and risk and the value-added of such deployments is sparse due to the
infantile age of the product and its market. The research undertaken will utilise the work of leading business
scholars in order to focus on the three dissertation questions and to draw relevant conclusions. The
dissertation will begin with an in-depth literature review based around the value-added of CC detailing the
known features and advantages of CC, and the perceived competitive advantage gained by its incorporation
utilising established frameworks known such as the DeLone and McLean IS Success Model framework
(1992).
9. 9
We will examine the model in detail, outline the related literature reviews and associated research from a
critical perspective of various scholars, whilst also attempting to theoretically model a typical CC
deployment to see the associated indicators of success.
Moving forward into the key area of CC security, the literature review will focus on the work and research of
a number of leading IT authorities such as ENISA (European Network and Security Agency), ISACA (
(Information Systems’ Audit and Control Association), (ADODI&S) Australian Department of Defence
Intelligence and Security and the CSA (Cloud Security Alliance). Quantitative and qualitative research will
be used to explore cloud security, detailing the issues currently restricting firms from undertaking full cloud
utilisation, including a detailed examination of service-level agreements, customer lock-in agreements, data-
protection and recovery whilst examining the publicly recognised risks such as denial-of-service attacks,
malicious software implementation or data/site-hacking (CSA, 2009). The future of CC security will be
examined focusing on legal and political processes and legislation, fundamental security issues of the current
product-ranges, and a summarisation of the main security questions for companies to consider when
implement CC services. The area of risk-management will also be examined with particular focus on how an
organisation would need to review/amend their existing data security policies and practices. We will look at
a range of the currently applicable standards (ISO 27002, ISMS) and examine what areas could be impacted,
and how to limit potential litigation or legal misdemeanours in the future.
The dissertation will move onto its data-capture chapters which will initial detail the reasoning behind the
design and implementation of the undertaken empirical survey. The initial section will outline the theoretical
methodology behind the chosen instrument outlining a set of pro/cons from a number of available options,
whilst further detailing the available data-capture methods and our chosen selection. In closing we will
outline the target audience and the criteria used in the purchasing of our survey instrument. Moving onto the
data-analysis methodology, a high-level objective of the survey will be produced followed by an overview of
the survey design which will detail the chosen questions/answers and their specific objectives. We will then
outline the performed beta-testing and pre-screening exercises, followed by a brief summarisation on the
formal release.
10. 10
In closing – the data analysis section will highlight the overall success of the survey displaying the achieved
response-rates; highlighting the emerging trends and key-indicators for cloud computing in 2011, and how
the obtained data relates to existing publication findings and undertaken surveys. Survey participation and
feedback comments will then be detailed where we will highlight some of the perceived limitations of the
survey, and a set of recommendations as given by the participants.
A detailed data analysis review will then follow which will examine each of the survey question and the
selected answers from a theoretical and practical perspective. This section will look to utilise the highlighted
theories within the Literature Review and to provide conclusive arguments for/against the obtained empirical
data. We will highlight the high-level conclusions gathered and look to display a set of new findings around
cloud computing. The dissertation will move into its conclusion section and will look to provide answers to
the outlined dissertation questions, detailing a high-level summarisation of our main findings and the
relevant recommendations towards CC. The future of CC will also be discussed closing with a set of
potential future research questions.
2. Literature Review
The main objective of the literature review is to develop a detailed body of research that can be used to
conclude on the associated dissertation questions outlined. It is our aim to produce qualitative research-data
that could be utilised in future research undertaken within the chosen topical area. Literature reviews are
commonly defined as “A critical summary and assessment of the current state of knowledge or current state
of the art in a particular field” (Bell, 1993) and can undertake a range of forms. Cooper (1982) outlined five
main stages built around “Problem formulation, data collection, data evaluation, analysis and interpretation
and public presentation”, with Guzzo, Jackson and Katzell (1987) categorising data-collection techniques as
either “Narrative reviews, descriptive reviews, vote counting, and meta-analysis across a horizontal scale of
qualitative to quantitative”. King and He (2005) stated that “ Narrative review are normally performed by
verbally describing the past studies, focusing on theories and frameworks, elementary factors and their
research outcomes, with regard to a hypothesized relationship.
11. 11
Descriptive reviews look to locate a pattern from a wide range of reviewed material and to identify particular
patterns or anomalies as a result of the analysis and research, whilst vote-counting is essential a tally-count
method of particular patterns and repeated results in the same direction across multiple studies, even if some
of them are non-significant, may be more powerful evidence than a single significant result”. In closing
meta-analysis is a fully quantitative methodology which will only utilise empirical quantitative studies (Yang
and Tate, 2009), and as such aims at statistically providing supports to a research topic by synthesizing and
analysing the quantitative results of many empirical studies (King and He, 2005).
Given the scarce amount of literature material available for CC within the traditional IT journals such as
IEEE, SIGCOMM or IT professional (Levy and Ellis, 2006) and a lack of quantitative empirical studies in
relation to the cloud, vote-counting and meta-analysis were rejected as viable review options. It was also felt
that given the wide-range of articles and the differing definitions and agreements on CC and cloud services,
that no clearly emerging patterns would be located in its current infantile form, and that as current literature
would be subjective and inconclusive at the present time, a narrative review was most applicable even if at
the risk that reviewers frequently arrive at differing conclusion from the same general body of literature
(Guzzo et al., 1987).
The main source of the reviewed literature was via electronic search using the internet as our main
instrument, and a range of traditional text books based around the MBA program. A number of academic
databases and search websites were utilised during the dissertation process including Google Scholar, IEEE
Explore, UoW Library, HBR, and McKinsey with an initial search performed using “Cloud Computing” as
the search criteria. The initial search located over 300 articles which was too large a review-base for the
paper’s requirements. As such an additional filter was created using the following sections of “Cloud
computing overview”, “Value-added and benefits of cloud computing”, and “Security and risk for cloud
computing” which reduced the number of related article to below 100. A scan reading exercise was then
performed; resulting in 51 dedicated articles that were selected for full reading comprehensive review:
12. 12
Sub-Section Total Articles
General 15
Value-Added of CC 25
Security and Risk-Management 11
TOTAL 51
Table 1: Overview of dedicated literature articles (Ellis, 2011)
Value-Added of CC
As an emerging technology, the creation of value-added and the associated competitive advantage by
adoption of CC are of critical importance for the customer. The topic of value-added is a key part of any
businesses strategy, and it is critically important to understand added value on a continual basis within your
services. Michael Porter (1980) defines value as “The amount buyers are willing to pay for what a firm
provides them. Value is measured by total revenue.....a firm is profitable if the value it commands exceeds
the costs involved in creating the product”, however this definition appears closely tied into Porters value-
chain model which according to Stabell and Fjeldstat (1998) is “More suitable for the analysis of production
and manufacturing firms than for service firms where the resulting chain does not capture the essence of the
value creation mechanism of the firms”. Competitive advantage is a reoccurring theme within Information
System journals (Gupta and McDaniel, 2000) and is described as “Obtaining superior performance outcomes
and superiority in production resources reflects competitive advantage” (Day and Wensley, 1988). Barney
(1991) however states that "A firm is said to have a sustained competitive advantage when it is implementing
a value creating strategy not simultaneously being implemented by any current or potential competitors, and
when these other firms are unable to duplicate the benefits of this strategy".
In order to examine the value-added associated with a CC deployment, it is important to utilise an
established framework as a reference. Bowman and Ambrosini (2000) differentiate value at an
organisational level as “Use-value and Exchange-value”; whilst Stabell and Fjeldstat (1998) developed a
three-way value-configuration model of the “Value chain, the value shop and the value network” which was
predominantly based around Michael Porter’s value-chain framework (1985).
13. 13
Porter’s value-chain framework is widely accepted by academics and scholars alike as a definitive model to
establish a firm’s ability to create and sustain value, and its relevant strengths and weaknesses. It is my
opinion that the model is built as a representative of the manufacturing sector as opposed to the IT service-
sector, which is a view also reflected by Stabell and Fjeldstat (1998) and Elisante (2006).
During the research, an established framework for modelling IS deployment success was located which is
commonly known as the DeLone and McLean IS Success Model (D&M Model) which was created in 1992
by Professor W.H DeLone and Professor E.R McLean. The primary aim of the D&M model was to
synthesize previous research involving IS success into a more coherent body of knowledge, and to provide
guidance to future researchers (DeLone and McLean, 1992). DeLone and McLean researched over 100
leading IS journals and articles published during the period 1981–1987, and created a taxonomy of IS
success based upon this review (Petters, DeLone and McLean., 2008).
Figure 1: DeLone and McLean IS Success Model - DeLone and McLean (2003)
DeLone and McLean states that “System Quality and Information Quality singularly and jointly affect both
Use and User Satisfaction”. Additionally, the amount of Use can affect the degree of User Satisfaction
positively or negatively - as well as the reverse being true. Use and User Satisfaction are direct antecedents
of Individual Impact; and lastly this impact on individual performance should eventually have some
Organisational Impact (DeLone and McLean, 1992). During the following decade the D&M model was
tested, interpreted and critiqued by a number of scholars including Seddon (1997), Rai, Lang and Welker
(2002), Goodhue and Thompson (1995) and Jiang, Klein and Carr (2002). As a result the model was
updated incorporating Service Quality, Intention to Use and the amendment of the impact outputs into a
singular category named “Net Benefits” as per below:
14. 14
Figure 2: Updated DeLone and McLean IS Success Model – DeLone and McLean (2003)
In relation to CC, there appears at the present time to have been no undertaken theoretical or empirical
research into evaluating the value-added of a cloud deployment utilising the updated D&M (UD&M). A
number of researchers have however undertaken research to understand the correlation between the UD&M
and e-commerce resulting in a range of inconclusive evidence and additional questioning (Molla and Licker,
2001; D’Ambra and Rice, 2001). As a result DeLone and McLean in 2003 outlined additional clarification
into how e-commerce can be analysed and critiqued using the UD&M model, and determined how the six
dimensions can be used as a parsimonious framework to organise the various success metrics identified in
the IS and e-commerce literature (DeLone and McLean, 2003).
• System Quality: in the internet environment, measures the desired characteristics of an e-commerce
system. Usability, availability, reliability, adaptability, and response time (e.g., download time) are
examples of qualities that are valued by users of an e-commerce system.
- Adaptability
- Availability
- Reliability
- Response time
- Usability
15. 15
• Information Quality: captures the e-commerce content issue. Web content should be personalized,
complete, relevant, easy to understand, and secure if we expect prospective buyers or suppliers to
initiate transactions via the Internet and return to our site on a regular basis.
- Completeness
- Ease of understanding
- Personalisation
- Relevance
- Security
• Service Quality: is the overall support delivered by the service providers’, which applies regardless
of whether this support is delivered by the IS department, a new organisational unit, or outsourced to
an ISP. Its importance is most likely greater than previously since the users are now our customers
and poor user support will translate into lost customers and lost sales.
- Assurance
- Empathy
- Responsiveness
• Use: measures everything from a visit to a web-site, to navigation within the site, to information
retrieval, to execution of a transaction.
- Nature of use
- Navigation patterns
- Number of site visits
- Number of transactions executed
• User Satisfaction: remains an important means of measuring our customer’s opinions of our e-
commerce system and should cover the entire customer experience cycle from information retrieval
through purchase, payment, receipt, and service.
16. 16
- Repeat purchases
- Repeat visits
- User surveys
• Net Benefits: are the most important success measures as they capture the balance of positive and
negative impacts of the e-commerce on our customers, suppliers, employees, organisations, markets,
industries, economies, and even our societies.
- Cost savings
- Expanded markets
- Incremental additional sales
- Reduced search costs
- Time savings
Figure 3: E-commerce Classification - DeLone and McLean (2003)
Although specifically designed for e-commerce, the above metrics are relevant and applicable for the
analysis of CC value-added with Zwass (1996) defining e-commerce as “The sharing of business
information, maintaining business relationships and conducting business transactions by means of
telecommunications networks” whilst Payne (2003) states “Any use of information and communications
technology by a business that helps it improve its interactions with customers or suppliers”. Both
definitions clearly resemble CC and its associated characteristics, and as such the UD&M model was deemed
relevant for the narrative review.
System Quality looks to define the characteristics of the physical and logical system as per the outlined
metrics, and so we began to investigate if CC brings advantageous value-added over traditional grid system-
computing. CC appears to bring increased adaptability due to its source independent nature with Iyer and
Henderson (2010) stating “The capability of CC enables a company to control access to services, and switch
CSP’s easily and at low cost” whilst significant improvement is also seen in availability, reliability and
response times (CSA, 2009b).
17. 17
Usability is a common measure of System Quality due mainly to the work of Davis (1989), however
Armbrust et al., (2009) outlined that “Usability is compromised due to proprietary data-lock in and potential
data-bottlenecks within the cloud” whilst Rimal, Choi and Lumb (2009) outlining a number of risks associate
with “Interoperability user issues and the opaque nature to their users”. The nature of CC appears to derive
additional benefits around availability, reliability and ability to adapt, however it is not conclusive evidence
of value-added with Kositanurit et al (2006) determining that “The reliability of any new system does not
have an effect on utilisation of the system by individual users”. Premkumar, Ramamurthy and Nilakanta
(1994) stated that “The complexity of a system affects the initial use and adoption of an e-commerce system;
however, the technical compatibility of the system with existing hardware and software did affect initial use
and adoption of an EDI system”. Further empirical research is warranted at the present time into usability of
CC systems’ in order to warrant if CC System Quality is more rigorous compared to traditional systems’.
Informational Quality within the UD&M model is correlated to the relevant content and its applicable
metrics however CC does not primarily affect content and is merely acting as a storage location.
Information Quality has however proven to be strongly associated with System Use and Net Benefits in
studies conducted by Weill and Vitale (1999) and Rai and Chukwuma (2002) and the areas of security and
completeness of data are relevant and provoking of discussion. CSA (2009b) states that “CC represents
virtualisation, economies of scale, flexibility and cost-effective solutions”, however Catteddu and Hogden
(2009) states that “Inhibitors to the adoption of CC include security, business continuity, control and
reliability concerns, fears of vendor lock-in, migration costs, reduced customisability, integration difficulties,
as well as uncertainties about data-content legal implications”. One of the key benefits of CC is location
independence allowing developers open logical-access across physical data-location lowering application
development time; however Iyer and Henderson (2010) warns about legal data-compliancy and the
additional workload on IT departments related to data frameworks and legislation of utilising the cloud.
CSA (2009a) undertook detailed research into CC security risks highlighting seven critical threats to cloud
deployment including data loss, leakage and malicious insiders, and at the present time no conclusive
research is available to disprove the aforementioned threats.
18. 18
Molla and Licker (2001) states that “Although information has long been considered as an important asset to
modern business, e-commerce has elevated content, i.e. information to a higher level of significance fiscally
and proprietary”. Given the above, there are currently no relevant arguments or available research to
conclude that CC has introduced additional value-added to Informational Quality at the present time, and
further research needs undertaking to provide conclusive, empirical-based arguments.
Service Quality has attracted vast research and analysis in recent years as the size and scope of today’s IT
service-industry has grown global. Parasuraman, Berry and Zeithaml (1988) developed the critically
acclaimed SERVQUAL service quality framework which has become the de facto industry standard.
SERVQUAL is based on the proposition that service quality can be measured as the gap between the service
that customer expects and the performance they perceive to have received. Participants rate their
expectations of service from an excellent organisation, and then rate the performance they perceive they
received from a specific organisation. Service Quality is calculated as the difference in the two scores where
better service quality results in a smaller gap (Landrum et al. 2008). Various scholars have challenged the
metrics applicable within SERVQUAL and its relevance (Van Dyke, Kappelman and Prybutok., 1997; Jiang
et al., 2002), with DeLone and McLean (2003) stating that “SERVQUAL displays high validity; however the
metrics need continued development and validation”. DeLone and McLean’s IS model places Service
Quality predominantly around a providers’ customer-service focus and ability to deliver assurance, empathy
and responsiveness.
Our determinate is that a providers’ customer service proposition is structured organisational and not product
specific, and that a given providers’ would execute the same service levels for a traditional system as
compared to a cloud solution. CC however brings varying levels of Service Quality metrics, and
organisations must approach CC with the understanding that they may have to switch providers’ at some
point. Portability, interoperability and quality-of-service (QoS) service-level agreements (SLA) must be
considered up front as part of the risk management and security assurance of any cloud program (CSA;
2009a).
19. 19
As CC offers “Infinite computing resource, and the elimination of up-front commitment and short-term
utility billing” (Armbrust et al., 2009), the validity of the relevant QoS metrics associated become of critical
importance, and it is the recommendation of the author that the related QoS associated to the cloud
deployments are investigated from both a legal and contractual framework to determine future validity and
applicability. Detailed empirical research has been undertaken into CC service performance metrics such as
response time, throughput and network utilisation (Karlapudi and Martin, 2004; Lu and Wang, 2005;
Meeuwissen, Mei and Phillipson, 2006), whilst Siripogwutikorn and Banerjee (2006) correlated the
difference of an average delay and percentile delaying per-flow network traffic analysis. Xiong and Perros
(2009) also stated that “Cloud service providers’ match and exceed contractual SLA’s”, however heed
caution that their modelling utilised numerical approximate method in these propositions and corollaries.
Hochstein, Zarnekow and Brenner (2005) concluded that “The concept of defining and measuring service
level agreements (SLAs) is a widespread method to determine IT service quality. Nevertheless, SLAs are
contracts and are not able and not meant to provide indications of IT service quality as actually perceived by
the customer”.
The central component of the model displays the input mechanisms and the relevant outputs, and measures
the Use and User Satisfaction associated to the IS system. DeLone and McLean (2003) revisited the
definition of “Use” in the UD&M based around criticism from a number of scholars including Seddon and
Kiew (1996) who states that “Usefulness is equivalent to the idea of perceived usefulness in TAM by Davis
(1989) and that for voluntary systems’, Use is an appropriate measure; however if System Use is mandatory,
Usefulness is a better measure of IS success than Use”. DeLone and McLean (2003) added Intention to Use
into the model as it displays a users “attitude”, whereas “Use” is behavioural, and also states the many
difficulties in interpreting the multi-dimensional aspects of “Use” including mandatory versus voluntary,
informed versus uninformed, effective versus ineffective. They do however note with caution that linkage
of attitude to behaviour is notoriously difficult to measure and to quantify.
20. 20
Use and User Satisfaction for CC is related to the perceived value-added highlighted in the aforementioned
investigation into System, Informational and Service Quality within the UD&M model. Iivari (2005)
located a positive relationship between System Quality and Use, whilst Venkatesh et al (2003) found a
relationship between effort expectancy and the Intentions to Use the system in both voluntary and mandatory
settings when measured one month after implementation of a new information system. However, this
relationship became non-significant after three months or more. Utilising Iivari’s research, the significant
improvement seen in availability, reliability and response times (CSA, 2009b) would lead to increase Use
and outputting increased User-Satisfaction, however Kositanurit et al., (2007) identified no relationship
between reliability and performance for individual users of systems’, but did identify a significant
relationship between perceived ease of use and performance.
In terms of User Satisfaction, a number of scholars including Ives, Olson and Baroudi (1983) and Doll and
Torkzadeh (1988) developed an instrument to capture the perceived user satisfaction gained from the
applicable systems’. Ives et al., (1983) developed the UIS (User information Satisfaction), whilst Doll and
Torkzadeh (1988) developed the acclaimed EUCS (End user computing satisfaction) instrument. Doll and
Torkzadeh (1988) define User Satisfaction as “The opinion of the user about a specific computer application,
which they use” and base the EUCS instrument around five core components of Content, Accuracy, Format,
Ease of use, and Timeliness and States. Numerous detailed empirical studies into User Satisfaction related
to IS and web-based systems’ have occurred with Kim et al (2002) and Palmer (2002) both noting that
“System Quality when measured as reliability and download time, is significantly related to User
Satisfaction”, whilst Seddon and Yip (1992) and Seddon and Kiew (1996) detailing strong relationship
between System Quality and User Satisfaction using a variety of measures and information systems’.
However it is important to note that at the present time there is no available detailed empirical study related
to a large-scale CC deployment, and as such the relevant User Satisfaction. Theorisation around the work of
aforementioned scholars (Kim et al., 2002; Palmer, 2002; Seddon and Yip, 1992; Seddon and Kiew, 1996)
does however suggest that enhanced System and Service Quality gained from a cloud deployment, would
have a positive effect on User Satisfaction, with Tan and Gallupe (2006) taking a prior-usage view and
stating that “User Satisfaction is based on the memories of the past use of a system”.
21. 21
If Tan and Gallupe’s research is valid and relevant, than a newly deployed cloud systems’ potential change
in User Satisfaction could be based on the perceived User Satisfaction of the previous system, and not the
improved System Information or Service Quality gained from the new deployment. In conclusion it is our
view that additional empirical research is required in the area of User Satisfaction from a CC deployment,
including the correlation between the previous and current system satisfaction, and the conducting of a
EUCS survey for a large-scale cloud deployment in order to fully understand the potential gains of a cloud
deployment on Use and User Satisfaction.
Net Benefits are the output measures resulting from the implemented IS deployment with DeLone and
McLean (2003) stating that “Net benefits are the most important success measure as they capture the balance
of positive and negative impacts of the e-commerce on our customers, suppliers, employees, organisations,
markets, industries, economies, and even our societies”. In the original D&M model, DeLone and McLean
(1993) detailed the benefits under individual impact and organisational impact, however numerous scholars
stated that “IS success affects a number of groups including, workgroups, industries and societies” (Petter et
al., 2008), and as such DeLone and McLean replaced individual impact and organisational impact in the
UD&M with a singular output of Net Benefits. A significant amount of resource has been conducted into
the Net Benefits of a CC deployment (ISACA, 2009; CSA, 2009; Iyer and Henderson, 2010; Rimal et al.,
2009; Armbrust et al., 2009) with the main benefits of CC stated as:
• Rapid elasticity and deployment capability
• Utility-based billing model
• Financial Accounting gains (Capex to Opex shift, Limited asset-holdings, short-term contracts)
• Sourcing independency and Flexibility
• Ease of maintenance and outsourcing of complexity
It is important to clarify who is benefiting and to which extent. DeLone and McLean (2003) states that
“When investigating the Net Benefits of an IS model, it is critical to take into account (1) What qualifies as a
benefit (2) For whom is the benefit (3) To what level of analysis”.
22. 22
Seddon (1997) also discusses the consequences of the relevant outcomes, and details the need for additional
research in this area. In context to the outlined benefits of a CC deployment and the examined research, it is
our opinion that the benefit qualifies if it is seen as an improvement over the currently deployed system
(CSA, 2009b), and the high-level organisation is the intended beneficiary (Iyer and Henderson, 2010;
Armbrust et al., 2009). However no clear conclusion from the researched material could be drawn on the
level of analysis required and to whom is the analysis relevant (individual, department, employer, industry
etc). The D&M model (1993) provided a clear and concise framework for the analysis of the perceived
success of an IS deployment, whilst the UD&M (2003) developed and expanded the model to fit into a
changing internet/e-commerce world with the additions of Service Quality and output amendments to Net
Benefits.
DeLone and McLean (2003) caution that the model details in a process sense over causal, and that “The
challenge for researchers is to define clearly and carefully the stakeholders and context in which Net Benefits
are to be measured, and Net Benefits measures must be determined by context and objectives for each
investment”. This paper concludes that the UD&M model places too little emphasis on financial capital
employed and the perceived financial Net Benefits of IS systems’ given today’s financial business climate.
The model does highlight potential cost-savings under the outputted Net Benefits; however it pays little
attention to detailed financial outputs and their relevance to perceived success. Given that the primary aim
of today’s companies is to gain financial benefits from the implementing new IT deployments, further
research should be undertaken around this area in relation to the DeLone and McLean model, and an attempt
to bring the model up to date to incorporate key financial measurements.
From the analysis and literature reviews undertaken however, it is with a sense of authority that we can state
that a CC deployment brings substantial Net Benefits when compared to a traditional IS deployment.
Multiple acclaimed scholars and journals identified similar core benefits achieved from such deployments,
and under closer examination utilising the UD&M (2003), theoretically we can conclude that there would be
improved User Satisfaction, Use and identifiable Net Benefits.
23. 23
The model is however still unclear in relation to the value-added of a IS deployment when specifically
related to the areas of System, Information and Service Quality, and despite the currently available research –
no clear conclusions could be drawn. This paper hereby recommends that the following questions have
additional research undertaken in the future.
1. Research and update the acclaimed EUCS instrument (Doll and Torkzadeh, 1988) to bring renewed
relevance to specific IT and CC deployments.
2. Research and update the UD&M IS Success Model (DeLone and McLean, 2003) to incorporate
detailed evaluation of the preceded IS deployment in relation to the perceived Net Benefits of the
evaluated successor, and to highlight financial input/outputs in a more detailed manner given the
relevant of financial accountability today.
Security and Risk
“Eliminating threats is impossible, so protecting against them without disrupting business innovation and
growth is a top management issue” – Kaplan, Sharma and Weinberg (2011)
IT Security and Risk have always been considered critical factors in regard to typical IT deployments (CSA,
2009a), and in recent years their importance has risen strongly to become a primary concern when customers
are looking to select a service, product or provider especially in relation to CC. Numerous benefits have
been identified and examined in terms of CC, however cloud security is a key-factor for consideration in a
cloud deployment for many enterprises, with 76% of participants in a cloud computing survey identified
security as their main concern in the use of CC (KPMG, 2010). In the last couple of years, a range of
articles have been published related to cloud security, and a number of agencies have produced
recommendations and detailed surveys such as ENISA (European Network and Information Security
Agency), CSA (Cloud Security Alliance) and KPMG.
24. 24
ENISA (2009) states that “Cloud security is a priority concern for many potential cloud customers, and that
customers will make buying choices on the basis of the providers’ reputation for confidentiality, integrity,
resiliency, and the security services offered by the providers’ more so than in a traditional environment”,
whilst KPMG (2010) expanded that “Security is the main obstacle that is encountered when implementing
CC, followed by issues regarding compliance, privacy and legal matters. Organisations are worried about
security and privacy concerning the use of CC services as the market provides marginal assurance”.
Given that security covers a wide topical area, we needed to first clarify the key areas that would be
reviewed. CSA (2009b) states that “Cloud computing security is about gracefully losing control, whilst
maintaining accountability even if the operational responsibility falls upon one or more third parties” and
identified the two key areas of the cloud as (1) Data (2) Applications, Functions and Processes. They state
that it is not mandatory to hold Data and AFP (Applications, Functions, Processes) with the same model,
deployment or providers’, and that a mixture of cloud networks can be used as needed to providers’ greater
diversity and security (Public and Private deployment models for example). As a result of further research,
they also categorise cloud security into four main categories as below:
1. Physical Security
2. Network Security
3. System Security
4. Application Security
Performing a detailed literature review into all of the above categories would require the undertaking of a
dedicated thesis, and as such a decision was made to focus on the following sub-categories:
1. Cloud versus Traditional network deployment.
2. An overview of high-level security concerns.
3. Security and Risk-aversion recommendations.
25. 25
Cloud deployments have brought about a range of key benefits for customers; however such benefits appear
to have also added additional security risks. CSA (2009b) states that “The defining characteristic of a
classic IT outsourcing solution is that the providers’ offers a customised and unique service that does
exactly what the client requested at the client’s terms, in a well-controlled and discrete-environment,
whereas cloud computing by contrast offers highly standardised services that are provided cheaply by
serving multiple customers from a shared IT infrastructure”, however Kaplan et al., (2010) states that
“Traditional IT networks in recent years have additional security concerns due to four common trends
identified as continual migration of digital data online, open and ubiquitous access requirements from users,
interconnected supply-chains and increased malevolent activity”.
A number of scholars and organisations have produced similar articles in which they clarified the added risk
of CC, and the available forms of mitigation and business practices that can be applied to minimise impact
(ADODI&S, 2011; CSA, 2009; Julisch and Hall; 2010); whilst a leading white-paper from ISACA in 2010
relating to the associated business benefits of CC stated that “The promise of cloud computing is arguably
revolutionising the IT services world....however CC brings potential higher-risk with the introduction of a
level of abstract between the physical infrastructure and the owner of the information. Traditionally the data-
owner has had direct or indirect control of the physical environment affecting his/her data, and in the cloud
that is no longer the case”.
ISACA (2010) continued by establishing a set of demands based around transparency, robustness, control
and inventorisation and highlighting a number of recommendations. CSA (2009) and McCarthy and Hill
(2011) clarified that “It is not CC that has not brought additional security risks, but rather e-commerce
growth, internet user-base expansion and increased competitiveness in the market-place that has developed
additional risk. CC however brings additional security and risk-management issues in that the Data and
Applications, Functions and Processes that were previously stored and managed in-house are now remotely
managed via third-parties”. However there seems inconclusive quantitative evidence that a CC deployment
actually brings high-criticality risk over a traditional deployment performing the same tasks (ecommerce,
data-storage, remote-user access), and there is no data available for researching into the topic of live outages
or security incidents, and as such further detailed research is sought within this area.
26. 26
As such, the following review will look to provide a high-level summarisation of the commonly associated
high-level concerns towards CC security, and will close with a set of recommendations for this area. A
number of organisations have discussed and detailed associated security concerns with CC deployment
including CSA (2009b), ENISA, (2009), ISACA (2009) and ADODI&S (2011) who highlighted the
following:
1. Providers’ Suitability and Sustainability
2. Contractual Coverage and Obligations
3. Third-Party Interoperability and Access
4. Data-Loss/Leakage and Disaster Recovery
A key component of any outsourced security measure is the providers’ with ISACA (2009) stating
“Providers’ need to display Transparency, Privacy, Compliance, Trans-border Information Flow and
Certification [...] Providers’ must demonstrate the existence of effective and robust security controls,
assuring customers that their information is properly secured against unauthorized access, change and
destruction [...] Providers’ will need to provide their customers assurance that they are doing the “right”
thing in terms of independent certification assurance from third-party audits and/or service auditor reports”.
Rai and Chukwuma (2009) goes further in the analysis of providers’ and suitability stating that customers
should “Periodically request and review the providers’ SAS-70 report to gain a fresh perspective on the risks
associated with the providers’ IT environment”. Within our survey – 22 percent stated that a Lack of
Auditing Standards and Regulations was one of the critical issues to be overcome before they would consider
a CC deployment, and it is clearly a key area for both providers’ and customer to be addressed. In direct
relationship to the previous paragraph, customers are however warned to take considerable time and effort in
the contractual coverage and relevant SLA obligations of their chosen providers’. Julisch and Hall (2010)
states “SLA’s offered by cloud providers’ tend to be conservative in the sense that they offer only small
penalty payments, and their commitments are focused on availability rather than data integrity or
confidentiality.
27. 27
Furthermore, SLA’s should be seen as an intrinsically imperfect risk treatment strategy in that in theory they
transfer the risk to the providers’, however in practice the providers’ responsibility ends with a penalty
payment and the potential loss of the customer(s) affected by a control failure. The customer by contrast can
remain accountable towards its own customers, regulators, and directors for any failures”. It is important to
note that such statements are relevant to traditional networks, however the nature of cloud computing has
placed highly-critical data into the hands of providers’, and as such compensation should be accordingly
calculated into the underwritten SLA’s.
ADODI&S (2011) goes explicit into detail stating that “Customers should be confirming a range of SLA
agreements related to guarantee of availability, inclusions of scheduled outage windows and differing SLA
compensation agreements”. It is our view that at the given time, there is limited information and available
contractual examples for customers to use in able to dictate improved contractual conditions with providers’.
Cloud computing deliver lower-cost, on-demand capacity it is our opinion that customers will simply sign
the terms and conditions without a full understanding of risk or compensation.
Companies undertaking large-scale deployments/migrations should perform thorough and extensive reviews
of the providers’ SLA’s and contractual agreement, and they should be looking to add applicable addendums
for cloud computing based around the specific and relevant SLA for data, applications, functions and process
failures. Third-party interconnectivity, CC management interfaces and the rise of API (Application
programming interfaces) have created a range of security issues which providers’ and customers need to
address. CSA (2009a) states that “It is critical for customers of these services to understand the security
implications associated with the usage, management, orchestration and monitoring of cloud services.
Reliance on a weak set of interfaces and APIs exposes organisations to a variety of security issues related to
confidentiality, integrity, availability and accountability”, with ENISA (2009) outlining the risk of CC
management interfaces in that “Customer Management Interfaces of a public cloud providers’ are accessible
through the Internet and mediate access to larger sets of resources (than traditional hosting providers’) and
therefore pose an increased risk, especially when combined with remote access and web browser
vulnerabilities”.
28. 28
The most important area however for customers is that of data-loss/leakage and data-recovery with over 55
percent of participants stating data-loss as their number-one concern (Ellis, 2011), a statistic backed up by
KPMG (2011) with 70 percent stating that security was still their number-one concern to be addressed.
CSA (2009b) outlines “The threat of data compromise increases in the cloud, due to the number of
interactions between risks and challenges which are either unique to cloud, or more dangerous because of the
architectural or operational characteristics of the cloud environment”, with ADODI&S (2011) stating that
“Explicit and detailed questioning for customers should occur in terms of the vendors’ business continuity
and disaster recovery plans, their data integrity and availability, and specific details on data-recovery”.
Numerous additional articles provide additional research and understanding on data-loss within the cloud,
and it is identified as the number-one biggest security issue of a cloud computing deployment.
It is of interest that ENISA (2009) takes a somewhat opposing view to cloud computing security risks in that
“Put simply, all kinds of security measures are cheaper when implemented on a larger scale. Therefore the
same amount of investment in security buys better protection including all kinds of defensive measures such
as patch management, filtering, hardening of virtual machine instances and hypervisors, etc. Other benefits
of scale include: multiple locations, edge networks (content delivered or processed closer to its destination),
timeliness of response, to incidents, threat management”. ENISA further states that as compared to a
traditional solution – CC providers’ are using security as a market differentiator in that “Security is a
priority concern for many cloud customers; many of them will make buying choices on the basis of the
reputation for confidentiality, integrity and resilience of, and the security services offered by, a providers’.
This is a very strong driver for cloud providers’ to improve security practices”.
It is important to note however that ENISA later defines numerous risks around cloud computing, and in
closing states “Ultimately, you can outsource responsibility but you cannot outsource accountability”......in
that any given solution has risks and benefits, and that a deployment of a CC solution brings both benefits
and risks to the customer. Within the review, a range of security risks associated with CC have been
clearly identified, investigated and a set of recommendations.
29. 29
ADODI&S in 2011 outlined 50 preliminary questions that customers considering or deploying a CC
solution should review and answer, and also outlined four main categories around cloud security
whilst CSA (2009a) outlined seven security recommendations within their applicable security
paper. For continuity within the literature review, we took the ADODI&S (2011) high-level
categories and outlined a set of recommendations for each one.
Providers’ Suitability and Sustainability data refers to the chosen vendor and product of the chosen
vendor. At the present time – no empirical study into the process for choosing a specific providers’
appears to be available, or which factors are classified as more critical than others.
CSA (2009b) recommends that customers should “Model providers’ services into a formal
framework such as ISO/IEC 27002, and further onwards into a compliance framework such as PCI
DSS” and makes a set of specific recommendations around the vendor selection process as below:
1. Verification of certifications held, and permission to conduct customer or external audits.
2. Understand the main characteristics of the providers’ offering, and how their technology architecture
and infrastructure impacts their ability to meet SLA’s.
3. Demonstration of comprehensive compartmentalisation of systems, networks, management,
provisioning and personnel.
4. Full understanding of the providers’ resource democratisation in predicting system availability and
performance during traffic fluctuations. Identify the providers’ main customers, and how their
fluctuations could impact your traffic if at all.
5. Understand the providers’ patch-management policy and procedure for implementation. Ensure this
is reflected in the contractual language.
6. Identify the providers’ continual improvement program and outage window agreements.
7. Compare and verify the providers’ service-desk operation against your own as a customer, and
ensure matching operational standards.
30. 30
8. Review the providers’ business continuity plan and disaster recovery plan, especially related to
people and process.
Source: CSA (2009b. PG53*)
* Citation is edited for summarisation
Additionally provided research has also been undertaken with ISACA (2010) stating that “Reputation,
history and sustainability are the key factors to consider in choosing the providers’”, whilst Rai and
Chukwuma (2009) states that “Providers’ of IT operations have a major impact on the client, especially
change, release, backup, restore and patch-management processes, and as such should be one of the key
considerations”. The view held by the authors of this paper is similar to that of ENISA, in that providers’
should not specifically focus on the technology in the providers’ selection process, but that they should
review using similar methods/frameworks previously deployed in their tender selection processes, and detail
with a set of high-level questioning/auditing around a providers’ operational practices, process and
procedure, financial sustainability, and ability to deliver on contractual obligations. Frameworks models
such as ISO 27002 allow providers’ to display their controls and capabilities; however in reality providers’
will simply present limited or pre-fabricated information and only a legally water-tight contract with specific
service-level agreements will offer the needed protection.
Contractual Coverage and Obligations has limited research or empirical data also available at the present
time available for a literature review. Providers’ appear to court such contractual agreements in
confidentiality with the customer, who also appears unwilling to publish their details. CSA (2009b) does
highlight a number of key areas that they recommended are contractually documented stating that
“Collaborative governance structures and processes [...] and incorporated into service agreements” and that
“The Corporation Security department should be engaged during the establishment of SLA’s and contractual
obligations; to ensure that security requirements are contractually enforceable”. Within a section on
operational performance they also state that “Performance metrics and standards for measuring performance
and effectiveness of information security management should be established prior to moving into the cloud
[...] Organisations should document their current metrics and how they will change when operations are
moved into the cloud, where a providers’ may use different (potentially incompatible) metrics”.
31. 31
They further noted that “Wherever possible, security metrics and standards (particularly those relating to
legal and compliance requirements) should be included in any Service Level Agreements and contracts”.
Additional research around Contractual Coverage and Obligations repeats previous statements in so much as
ensuring performance metric compliancy; ensure robust compensation for outages/loss of data etc; and the
need for in-depth analysis. Julisch and Hill (2010) investigated the area of responsibility and accountability
in which they define responsibility as “An obligation to do something according to a certain parameter,
whilst accountability is “ultimate responsibility – it is a state of being where the bucket stops”. The article
defines “Although cloud computing is a paradigm shift, it does not change the assignment of accountability:
as hitherto, companies are accountable for their assets, including any assets outsourced to providers’”.
It is the opinion of this paper however that the decision-making methodology for responsibility is based upon
(1) The SPI-Model product chosen (2) The extent to which the customer is allowed to configure the
providers’ controls and (3) Documented legislation that may dictate the assignment of responsibilities and
thereby overrides the above. From the available resource – it is this viewpoint that we believe is most
relevant for cloud computing security and risk going forward, and is an area that needs additional research
and modelling. It is our recommendation that a “Responsibility-Matrix Model” is developed that would assist
customers in the decision-making process around the area of responsibility and accountability. This could
later result in a formal legal framework that can be agreed between both parties - however the model should
be actionable against each of the four key areas of security (physical, network, system and application).
A number of recommendations are currently available in relation to Third-Party Interoperability and Access.
CSA (2009a) states that customer should perform “Full analysis of the security model of cloud providers’
interfaces [...] Ensure strong authentication and access controls are implemented in concert with encrypted
transmission [...] and understand the dependency chain associated with the API model”. ENISA (2010)
details actual concerns about the use of API’s (Application Platform Interfaces) with Third-Parties as a
potential security breach, and highlights customers to “Investigate the utilised API’s for the export of data
from the cloud” and that vulnerabilities could be open in that the “Hypervisor security model may lead to
unauthorized access to these shared resources...As hypervisors used in IaaS clouds offer rich APIs and full
access”.
32. 32
McKinsey (2011) however moved away from technical vulnerabilities and warns about the “Potential
reselling of information and data via providers’, and that customers need to ensure that their data is locked
within the cloud” whilst ISACA (2009) talked about third-party risk in relation to intellectual property (IP)
stating that with “Third-party access to sensitive information creates a risk of compromise to confidential
information, and that in cloud computing, this can pose a significant threat to ensuring the protection of
intellectual property (IP) and trade secrets”.
In closing - ENISA (2010) makes a number of security recommendations in relation to the “Outsourcing of
services” by providers’. Given the high-level of specialisation around cloud computing components,
software and application, ENISA warns “Providers’ outsourcing complex work to third-party’s, potentially
opening the customers data/network to people/persons unknown or unverified” and states that customer need
to be aware of “Third-Party outsourcing clauses, change in control clauses, or termination of agreement
clauses”. This is a view endorsed by this paper, and it is clear to see that the openness of CC brings forward
a number of Third-Party Operability security issues that will have to be addressed by customers and
providers’ alike. Key recommendations are to ensure the full transparency of Third-Party agreements used
by the providers’, control and secure mechanisms within the API world of the cloud, full clarification on
role/responsibility and the potential outsourcing of services, and that customers should be performing regular
auditing/testing of risk open to their network from outside influences raising the issues with their providers’
immediately to resolve.
A critical area for security recommendation is that related to Data-Loss, Leakage and Disaster Recovery
processes. In the past, customers had full-operational responsibility to their data, back-up processes and
disaster recovery procedures, however with CC all Data and Functions, Applications and Processes fall
under the providers’ responsibility for IaaS, moving up to Data responsibility for SaaS. CSA (2009a) states
that “The threat of data compromise increases in the cloud, due to the number of and interactions between
risks and challenges which are either unique to cloud, or more dangerous because of the architectural or
operational characteristics of the cloud environment” and outlines a set of recommendations including:
33. 33
1. Implement strong API access control
2. Encrypt and protect integrity of data in transit
3. Analyses data protection at both design and run time
4. Implement strong key generation, storage and management, and destruction practices
5. Contractually demand providers’ wipe persistent media before it is released into the pool
6. Contractually specify providers’ backup and retention strategies”.
It is critical to note that data is a valuable financial asset, and a company’s value and reputation is
intrinsically linked to its data and intellectual property assets. An example was highlighted with a security
breach for the Sony Corporation (Sony, 2010) who suffered a devastating outage in 2010 when the data of its
online membership clubs PSN and SOE was hijacked, ending with the release of the private data of over
70m+ users. Sony was forced to temporarily close down its online presence for a period of time, and
suffered large financial losses, and more importantly losing reputation with its customer base and wider
audience.
Related to the benefits of data – a research paper by McKinsey (2011) states that corporations could
“Maximise up to 60 percent increase in operating margins, and decrease by up to 50 percent product
development and assembly costs with big data” and that “A company’s access to, and ability to hold and
analyse data, could confer more value than their existing brand”. A key framework related to data-security is
the potential implementation of a “Data Security Lifecycle” framework (CSA, 2009). The Data Security
Lifecycle is built around six key phases as displayed below:
Figure
4:
Data
Security
Lifecycle
Model -‐
CSA
(2009b,
Pg40)
34. 34
CSA (2009b) highlights that “The Data Security Lifecycle is fundamentally different from Information
Lifecycle Management as it is directly affecting the needs of a security audience”. As such there are a
number of issues around the Data Security Lifecycle which are outlined as per CSA (2009b, Pg41).
1. Data Security: Confidentiality, Integrity, Availability, Authenticity, Authorisation, Authentication,
and Non-Repudiation.
2. Location of the Data: Assurance that the data, including all of its copies and backups, is stored only
in geographic locations permitted by contract, SLA, and/or regulation. e.g. Use of “Compliant
storage” as mandated by the European Union for storing electronic health records can be an added
challenge to the data owner and cloud service providers’.
3. Data Remanance or Persistence: Data must be effectively and completely removed to be deemed
‘destroyed.’ Therefore, techniques for completely and effectively locating data in the cloud,
erasing/destroying data, and assuring the data has been completely removed or rendered
unrecoverable must be available and used when required.
4. Commingling Data with other cloud customers: Data – especially classified / sensitive data – must
not be commingled with other customer data without compensating controls while in use, storage, or
transit. Mixing or commingling the data will be a challenge when concerns are raised about data
security and geo-location.
5. Data Backup and Recovery Schemes: Data must be available and data backup and recovery schemes
for the cloud must be in place and effective in order to prevent data loss, unwanted data overwrite,
and destruction. Don’t assume cloud-based data is backed up and recoverable.
6. Data Discovery: As the legal system continues to focus on electronic discovery, cloud service
providers’ and data owners will need to focus on discovering data and assuring legal and regulatory
authorities that all data requested has been retrieved.
7. Data Aggregation and Inference: With data in the cloud, there are added concerns of data
aggregation and inference that could result in breaching the confidentiality of sensitive and
confidential information. Hence practices must be in play to assure the data owner and data
stakeholders that the data is still protected from subtle “breach” when data is commingled and/or
aggregated, thus revealing protected information.
35. 35
CSA also highlights a set of detailed recommendations around data-security (2009b, Pg42-45) - with the
most critical outlined as “(1) Understanding how providers’ integrity, security practices and procedures and
transparency to data is within the SLA (2) Understanding of the geographical location of your data, and
appropriate in-control restrictions are defined and addressed (3) Determine access-to-data rights with an
explicit “Default Deny All” and build out access (4) Full encryption, backup and recover of all required data,
at required time-stamps. In our opinion, CSA covers and outlines in-detail the high-level requirements and
best-practices in relation to data- handling. The Data Security Lifecycle provides a framework for actual
application and alongside a formal framework for providers’ selection – both models would provide the
needed starting point and tracking mechanism to ensure the right level of compliancy.
It is also critical to ensure that any such programs or models are used to construct the contractual SLA’s
especially in regards to data with ISACA (2010) stating that “Data-storage/recovery and disaster recovery
should be the main components of the SLA, and clear expectations regarding the handling, usage, storage
and availability of information must be articulated within the SLA”. In terms of risk-management,
ADODI&S (2011) states that “Risk management must be used to balance the benefits of CC with the
security risks associated with the agency handing over control to a vendor. A risk assessment should
consider whether the agency is willing to trust their reputation, business continuity, and data to a vendor that
may insecurely transmit, store and process the agency’s data”.
Julisch and Hall (2010) detail a different view in that “Risk-management should be wrapped into a formal
framework”, and as such recommends the use of the ISMS (Information Security Management System).
ISMS is hereby defined as “The set of processes, policies, and mechanisms that an organisation uses to
establish, implement, operate, monitor and improve information security” (ISO/IEC, 2005), with Julisch and
Hall (2010) stating that such a framework offers a “Structured way for managing risk and protecting
corporate assets that are outsource to cloud providers’, and the use of a ISMS will assist the providers’ in the
long-term as it offers a Scalable and standardised method to manage security [...] and draw value from
differentiation within the marketplace”. Risk-management at the present time has limited research available
and only limited recommendations or data is available.
36. 36
ISMS as a formal, recognised framework should be implemented when deploying CC, however we could not
locate any actual research on strategic or financial risks related to CC security and a number of questions
remain unanswered. As a CC customer, it is still unclear if additional redundancy or parallel network
capacity should always be purchased? Do Customers need to take out additional insurance coverage to
mitigate the associated risks? What are the worse-case scenarios for a long service outage in terms of
financial compensation, and what about their own customer perceptions? How should a customer’s business
strategy be connected into its IT system strategy and what are the potential outages/impacts? These
questions at the present time remain unanswered and additional research is required within the area of risk-
management.
As cloud security covers a wide area of available research, recommendations and outlined proposals, the
above summarisation can only serve as a starter to the topic. Leading organisations such as the CSA, ENISA
and ISACA have produced detailed overviews and recommendations, and our concluding recommendation is
that customers should aim to undertake full, detailed reviews of their potential cloud computing security
issues and its capabilities by utilising a set of frameworks and formal process model questioning before
activating or approving any CC product, providers’ or deployment.
3. Data Collection Methodology
Data collection represents a fundamental component of this research, and one of the key aims of the
dissertation was to produce a new set of data related to CC with specific relevance to its value-added and
security and risk-management issues. Various surveys have been undertaken in recent years (Koffi et al,
2008; Amit and Zott, 2001; KPMG, 2010; F5, 2009), however with only minimal referencing to the
specialist areas in the dissertation. Initial discussion centred on the reasoning behind the research, and a set
of questions were poised for discussion and answered as per Aaker, et al (2001).
1. Why should we undertake the research? At the present time, limited research into CC security and
value-added has been performed or is available. Our study would present new and relevant material
on the topic for wider usage.
37. 37
2. What type of research should be performed? An ordinal questionnaire survey based around a set of
relevant questions, poised to gather the feedback of today’s IT professional within the market-sector.
The data would provide input into the conclusions of our original aims.
3. Is it worth performing doing the research? The value of data gathered will be greater than the
required effort and cost, and will provide insight into the topic for scholars and researchers if
applicable.
4. How should the research be designed to achieve the objectives? The research will be conducted over
a primary questionnaire, at a set-target group of professionals within the chosen market.
5. What will we do with the research? Once the data has been collected, it will be analysed, reported
and concluded. The research will also be opened for public scrutiny and citation.
A number of options for research gathering were discussed with the main options being (1) interview
research (2) case-study research (3) questionnaire survey. A critical factor for the selection of the research
method was to understand if the exercise was to gather quantitative or qualitative evidence. Given that cloud
is an open, emerging and opinionated product – a qualitative exercise was deemed more appropriate,
however it was deemed critical to gather statistical evidence for concluding and future research usage, and
such a hybrid solution was used. A wide-range of advantages and disadvantages were evident for each
method with the conduction of interviews posing severe limitations on audience size, representation and an
increased risk of bias or misrepresented opinions. Interviews can be difficult for interpreting the information
obtained because of the social desirability bias, complex interactional processes, and the self-fulfilling
prophecy of participants (Psychology Press Ltd., 2004). A case-study analysis although beneficial in its
ability to portray a true representation of a cloud deployment and associated issues and benefits was rejected
due a lack of available participant* and the lengthy time-frame requirements of analysis required. (*For
this purpose, the author’s previous and present employer were approached for participation in the
research, but however declined citing multiple reasons.)
It was also noted that with a case-study analysis, previously held views of the traditional network deployed
would be difficult to quantify, and prone to bias if the new cloud deployment was in an infantile stage of
installation.
38. 38
As such, a questionnaire survey was selected, and a range of options for data-collection were examined
alongside their relevant advantages and disadvantages. Mail surveys are typically associated with low-
response rates, limited assistance aids once posted and an old-fashioned stigma would be attached given that
the topic is web-based IT. The use of face-to-face surveys was also ruled out given the high-amount of
interaction and effort required, and can be open to a lack of specialisation or relevant viewpoint unless
specific members are selected.
Participants of face to face interviews can also display bias towards positive or negative answers based
around a number of factors highlighted in undertaken research. As such an internet-based survey appeared to
be applicable for our needs, however Gosling et al (2004) cites a study undertaken by Turner et al (1998)
who noted “An increase in reported stigmatised behaviour among adolescents when participating in such
surveys”, whilst Cha (2005) states that “There are four major areas of concern when conducting internet-
based research, namely Sampling Error and Generalisation, Subject fraud, Measurement errors resulting
from extraneous factors, and the Ethics of Conducting Research over an open internet”.
Ahern (2005) however found that “The gained advantages of web-based surveys far outweighed the
disadvantages”. In closing Truell, Bartlett II, and Alexander (2002) in their research states that “The
response speed of internet-based survey was also about seven days faster than the mail survey, and it was
more thoroughly completed than the traditional counterparts”. In conclusion, an internet-based questionnaire
method was selected as the most appropriate for the outlined objective.
In regards to the survey an anonymous open-participation invite was dismissed based around a range of
negative drawbacks including a generalisation of data, and a lack of control over participant screening
(Ahern, 2005). The survey would require a pre-requisite that participants had a basic knowledge of cloud
services to answer the applicable questions, and as such a closed-entry pre-screened participation method
was selected. Target audiences selection was restricted to IT professionals of management responsibilities:
Team Manager up to C-class level (CEO, CTO, and CIO), and also that they had a direct relationship to the
author as so to gain an increased frequency of participation. Participants would come from differing
backgrounds and a mixture of professionals working as cloud providers’, and those who are current or are
potential cloud service customers.
39. 39
The targeted audience was initially notified pre-survey via email about the request for participation with a
brief summarisation of the required input, timeframe and an option to opt-out, and from the initially selected
50 participants, 3 were unable to participate and as such the targeted group was 47.
We began to investigate the survey types at our disposal, with Albrecht and Jones (2009) stating that “Web-
based survey tools can be summarised into three categories of (1) Web-Hosted Survey Wizard (2) Web-
Survey Wizards and (3) Custom-designed survey”, and that each category has a range of advantages and
disadvantages. They further stated that Web-Hosted Survey Wizards are the most popular selection for
dissertation research in that they can be “rented for a period of time, are relatively inexpensive and are fully-
customisable and flexible”.
Upon investigate, a range of companies were identified as offering such services (hostedsurvey.com,
raosoft.com, supersurvey.com), however the current market-leader is surveymonkey.com who offers a range
of dedicated, professional-based surveys, albeit at a higher-end price point. A fully-customisable online
survey for up to 1000 participants with a host of required features was available for a months rent of $25, and
as such was purchased in September 2011. Below is a summarisation of the available survey features.
• Fully online participation with anonymous responses (no personal details documented)
• Ability to split survey into categories (5 categories selected)
• Ability to amend presentation (fonts, colour, layout)
• Ability to setup a range of security features (survey restricted to one-participation only based on IP-
address, secure SSH connectivity, secure management interface for data-collection)
• Ability to open/close survey as required.
• Ability to download results in a range of formats (word, pdf, excel) with summary or full-data
collections.
3.1. Data Analysis Methodology
During the establishment of the survey, a number of questions were asked leading to the final design. The
first step was to outline the objective of the survey as below:
40. 40
“To gather statistical feedback of an ordinal nature around the chosen topic of cloud
computing, specifically related to the perceived value-added and associated security and
risk-management issues. Participants would be from a limited subset of established IT
professionals working currently within CC related industries”
Given the hectic schedules of our participants, the survey was constructed to be completed within a time-
period of 30mins. This was a key issue as surveys that require longer participation naturally incur lower
response-rates (Siah, 2005). If the survey was to provide statistical evidence to assist in the conclusions of
the dissertation questions, a set of sub-categories was needed to detail specific responses within that area. As
a result of the time-restriction and the overall aim of the survey, we decided that 25 questions would be
created within five sub-categories. Below is a summarisation of the categories and the key objectives:
1. Knowledge of CC: A set of questions to determine the audience’s knowledge of CC, definition and
knowledge of the CC product suite, and their current status of deployment if at all. The objective
was to determine the current knowledge of CC and also their current deployment status.
2. Value-Added of CC: A set of questions to determine the reasoning behind CC adoption, perceived
value-added gains, the preferential product and the strategic reasoning. The objective was to outline
the perceived benefits of CC and the given reasons for adoption. We also looked to determine which
current product range was perceived as most-beneficial.
3. Security & Risk Assessment of CC: A set of questions to determine the perceived security risks of
CC adoption as a customer and/or providers’ highlight the top 3 security risks and confirm the
currently available information on cloud security. The objective was to gather the top security risks,
identify the perceived most secure product, and determine the top security requirements for
customers.
4. CC Business Model: A set of questions based around the current market-leaders of CC services,
Cloud strategy related to Michael Porters Five-Forces model, and the strategic business importance
of adopting a CC solution. The objective was to understand the strategic reasoning behind
deployments, influencing factors of competitiveness, and strategic advantage related to Porters work.
41. 41
5. Future of CC: A set of questions based around the forecasted future CC leaders, the main drivers for
CC deployment, and predicted future of CC. The objective was to determine the future product
leader, the leading companies to drive CC forward, and understand the long-term plans of companies
in relation to CC.
The designing of the questions was performed using the researched literature material, with a number of
available answers cited from previously documented surveys (KPMG, 2010; F5, 2009). Sub-categories
“Value-Added of CC” and “Security & Risk Assessment of CC” were however researched in greater detail
given their relevance to the paper and the closing conclusions. A number of options were available when
designing the actual questions – and initially our aim was to use open-ended questions, however a study on
survey behaviour by Michael Bosnjak’s (2001) noted that “Non-responsiveness increased in the number of
open-ended questions answered, but not the number of close-ended questions answered”. He further noted
that “Answering close-ended questions is considered to be ‘low cost’ behaviour, as opposed to answering
open-ended questions”. Additional research by Knapp and Heidingsfelder (2001) also highlighted an
“Increased drop-out rate when using open-ended questions and that more accurate result of a user’s opinion
are reflected in closed-questions”. In addition – available answers would be ordinal-polytomous (4 or more),
with a maximum of twelve available answers on the questions related to preferred products (3 service-
models x 4 deployment methods). Participants would be asked to select their singular most appropriate
answer from a list of multiple choice answers, apart from two questions where they would be asked to select
their Top 3 applicable answers.
The question generation process is well researched by a number of academics (Ahern, 2005; Walonick,
2010) and as such, we sought to ensure that questions were non-descriptive, short, and one-dimensional in
understanding. A key aim was to remove variability in response (Walonick, 2010) and as such a beta-test
was performed by the author at the end of the initial design phase before the scheduled pre-screening
exercise. The pre-screening exercise was performed on the 11th
September, 2011 via a pre-selected
participant. This was initially due to be performed via a face-to-face interview; however this was amended
to web-survey as to replicate the actual chosen environment of the main survey.
42. 42
The pre-screening participant was asked to rate the questions on a scale of 1-5 with (1) In comprehendible
(2) irrelevant and in comprehendible (3) Comprehendible (4) Relevant and comprehendible and (5) Highly
Relevant and Comprehendible. Appendix A displays the amended pre-screening results – in which a total of
four questions received a score of 1 or 2, and as such were reworded.
The custom-made survey was built during the period of August - September, 2011, with a pre-screening
exercise performed on the 11th
September. This was then followed by the formal survey release to
participants on the 18th
September, with a close-off date of the 9th
October allowing a 3-week participation
time-window.
4. Data Analysis
4.1. Review of Responses
Upon closure on the 9th
October – the survey had gathered 44 responses from a possible 47 giving a response
rate of 93.6 percent. From the forty-four responses – forty participants had fully completed all survey
questions (Appendix B), with four entering incomplete responses. Upon examination – the following
incomplete responses were located, and as such exempted from the final data.
• Respondent A stopped participation in the survey at question four.
• Respondent B stopped participation in the survey at question eleven.
• Respondent C stopped participation in the survey at question nineteen.
• Respondent D completed the survey, however left questions five, eighteen and nineteen blank.
The surveys responses appeared logical, grouped and a number of identifiable trends are outlined in detail in
the succeeding section. A number of key findings of the 2011 Cloud Computing survey include:
• A clear understanding of the definition and meaning of cloud computing
• An intermediate level of cloud computer understanding at the present time
• IaaS is currently perceived as the product of choice from the SPI-Model
• Influences for deployment commonly around Scalability, Flexibility and Long-term cost efficiencies.
43. 43
• Concerns of deployment based around Security process & policies, Data-Loss/Leakage or Outages.
When correlated to previously performed cloud surveys (KPMG, 2010; F5, 2009) – similar trends and
percentile ranges were located, with all three surveys displaying that the biggest singular concern of a cloud
deployment at over 50 percent is that of Security and Data-Loss issues, whilst Scalability and Long-term
Cost Gains are perceived as the main benefits at over 45 percent respectively.
A number of questions asked in the early-phase of the survey were repeated in a differing manner in the later
phases of the survey, with the differing responses highlighting the concerns of Granello & Wheaton (2004)
who highlighted “Measurement errors and inaccuracies of web-based surveys”. An example of such
inaccuracies is seen in Q6 where only 5 percent of participants outlined Short-Term Cost Efficiency as
relevant to a cloud adoption, whilst in Q22, 35 percent cited Short-Term Cost Efficiencies as a main driver of
adoption. The same question also displayed further inaccuracy around Innovation Capability of CC with
only 7.5 percent stating it as a relevant factor in Q6, whereas 17.5 percent stated it as a main driver of CC
within Q22. At the end of the survey participants were able to provide feedback and to highlight any issues
or recommendations related to the survey, its content or design. Below are the main recommendations that
were received.
• Seventeen participants stated that the lack of an “Other” box meant that they had to select
inappropriate answers for certain questions.
• Five participants stated that a lack of a “Comments” field per question limited their ability to provide
appropriate feedback on the subject topic.
• Four participants stated that the questions related to the Five-Force model were irrelevant and
difficult to comprehend.
• Three participants stated that they were unsure of their role when answering certain questions, as
they are both providers’ and customer of cloud services, and that the needed clarification was
missing.
• Two participants stated that a Likert-Scale would have been more appropriate to a number of
questions to gather an actual scale as just opposed to an opinion.
44. 44
The survey although limited in audience-size, provided an accurate sample of the current perceptions of IT
professionals related to CC. More importantly it provided a numerical set of data to support the theoretical
questions of security and risk issues of CC, and the perceived value-added benefits gained, and the available
statistical data also provided empirical support for our closing conclusions and future research. A number of
issues were identified post-survey and additional planning and preparation into the data methodology,
feasibility and sampling would be undertaken in a future survey.
4.2. Questionnaire Findings
As outlined in the data methodology section, the key purpose of the survey was to examine a set of topics
related to CC utilising a specific target audience. The categories were centred around gaining an insight into
the current level of understanding of CC for IT executives, perceived value-added, security and risk
concerns and the business model/future of CC. Below are a detailed summarisation of the main findings
from the survey, and an outline of their relevance within the dissertation and future research.
Knowledge of Cloud Computing
CC is an emerging solution within IT enterprise, however there is a perception that executives and
companies are still in an infantile stage of theoretical or working knowledge, and suffers from a lack of
definition on the actual product. The survey sought to confirm this perception with participants asked to rate
their current level of knowledge of CC. As indicated below 40 percent selected Intermediate Understanding,
with 37.5 percent selecting Advanced Knowledge while no participants stated they have No Knowledge of
CC.
Table 2 (Q1 of 25)
Response Percent Response Count
0.0% 0
12.5% 5
40.0% 16
37.5% 15
10.0% 4
Source: Ellis (2011) 100.0% 40
Intermediate Understanding
Answer Options
Expert Understanding
Limited Understanding
How would you rate your current level of knowledge in regards to Cloud Computing?
Advanced Understanding
No knowledge
