Cloud Computing Adoption and the Impact of Information Security
Running Head: Cloud Computing and the Impact of Information Security on its Adoption
Term Paper
Belinda Edwards
IMAT 670: Contemporary Topics in Informatics
University of Maryland University College
7 November 2011
Table of Contents
Abstract
Introduction
  Cloud Computing
Competitive Industry Structure
  Threat of New Entrants
  Intensity of Rivalry
  Bargaining Power of Buyers
  Bargaining Power of Suppliers
  Threat of Substitutes
  Dominant Characteristics
Internal Factors
  Internal Strengths
    Economic Considerations
    Brand
    Centralized Infrastructure
  Internal Weaknesses
    Uniform Measurements
    Regulations
    Network Dependence
    Loss of Technical Talent
External Factors
  External Opportunities
    Collaboration towards Cloud Standards
    Improved Governance
    Uniform Performance Metrics
  External Threats
    Economic crisis
    Centralization
Strategic Analysis
  Internal Audit
    Strengths
    Weaknesses
  External Audit
    Opportunities
    Threats
Recommendation
  Specific Annual Objectives and Policies
    Policy Development
Conclusion
References
Figure 1: Cloud Deployment Models
Figure 2: Information Security Adoption Cycle
Abstract
The National Institute of Standards and Technology (NIST) defines cloud computing as a
“model for enabling convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort or service provider
interaction” (NIST SP 800-145). The combination of the demand for increased bandwidth along
with the mandate to reduce information technology (IT) costs has led most businesses to look
towards cloud computing as a means to provide the flexibility and responsiveness required to
meet business and customer needs.
Cloud computing, however, does not come without its detractors. Most barriers towards
cloud adoption include concerns over information security, access management, the lack of
vendor compatibility, and most importantly, trust. Various, distinct security regulations exist for
which businesses are responsible. A consistent standards and governance approach, along with
flexible acquisition procedures and a comprehensive certification and accreditation methodology,
is required for global adaptation. Financial incentives may also aid cloud adherence in developing
countries.
This case study was based on the analysis of information that was collected from
academic and industry articles and journals. Using this information, the author was able to
recommend strategies for the consistent application of information security standards within the
cloud computing environment.
Introduction
Cloud Computing
Cloud computing was initially introduced as a method towards cost effectiveness by
sharing software and hardware resources within an enterprise or an industry. Cloud computing is
considered a utility, available for use without requiring knowledge of its source location. The
perspective is that of a centralized location from which a customer can dynamically manage
resources (or services) that are reliable, scalable, and agile. The terms cloud computing and
virtualization are interchangeable.
Cloud computing provides a centralized delivery mechanism that consists of multiple,
independent layers, from which the customer can choose. Those layers are commonly
considered: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a
service (SaaS), respectively. IaaS provides the lowest level of support, specifically network and
storage access. PaaS delivers the operating system (e.g., Windows 7) to the customer. Lastly,
SaaS provides software applications (e.g., Word) to the customer. All these services are
accessible at a minimal cost to the user.
Concerns over cloud security continue to grow. The centralization of services and more
importantly, the transition of control over to service providers has created unease in the technical
community and has limited adoption. The public and private sectors must collaborate on
industry standards and governance policies specific to data access, identity management,
encryption tools for data transport and storage, as well as privacy and compliance.
Competitive Industry Structure
Threat of New Entrants
Cloud computing limits entrance barriers, thereby increasing the threat new entrants have
on a market. The global economic downturn has caused corporations to focus on information
technology (IT) fiscal responsibility and cost containment. Cloud providers present a solution
which can be utilized by the hour or the event, thus eliminating the significant IT investment
previously necessary for entrance into the industry. Entrants with limited cash reserves, but
knowledgeable of business, industry, and technology can make a positive impact on any business.
Cloud computing offers new entrants the ability to connect and collaborate with sponsors to
obtain enterprise certification, thus reducing time to market. It is no longer necessary for new
entrants to be experienced players, but rather they require an innovative solution that is platform
and industry agnostic. Cloud computing places the threat of new entrants very high.
Intensity of Rivalry
The intensity of rivalry is medium. Although cloud computing offers a centralized
environment from which to access platform, infrastructure, and software services, the lack of
trust of cloud service providers initially limits the intensity of rivalry. Cloud standards and
governance must be refined to address the security risks presented by cloud computing. Once
global consensus is obtained, rivalry will increase to the benefit of the consumer. Cloud
computing participants are primarily focused on acquisition, evaluation, and access controls
which limit unauthorized access and data loss.
Bargaining Power of Buyers
The bargaining power of buyers remains high. Cloud providers can offer solutions for as
little as $0.10 to $1.00 an hour to rent additional servers (Choo, 2010). Federal customers can
utilize economies of scale to negotiate dynamic allocation of resourcing. It is estimated that the
cloud computing market will grow to $160B by year’s end (Chow, R., Golle, P., Jakobsson, M.,
Masuoka, R., Molina, J., Shi, E., & Staddon, J., 2009).
Bargaining Power of Suppliers
The bargaining power of suppliers is currently low, but will increase over time. Cloud
providers understand the existence of an untapped market just ripe for expansion, but are also
aware of customers’ concerns over security. Cloud providers have volunteered to submit to
extensive testing and evaluation to become initial members of a list of government-vetted
solution providers. This strategic move could offer access to an anticipated US government
market worth $15 million (Kundra, 2010). Suppliers will benefit from agency sponsorship. This
collaboration will illustrate provider ability to rapidly adjust to customer demand and could
extend collaborative efforts beyond the federal government into state and local and possibly the
international market.
Threat of Substitutes
The threat of substitutes is currently low. Customers are concerned over the security
risks vendor lock-in may present. As cloud computing industry standards continue to evolve,
customers are concerned there may be a lack of backward compatibility with regards to cloud
access, data encryption, transportation, and storage. The lack of industry maturity significantly
reduces the threat of substitutes; however, this will change as best practices are applied.
Dominant Characteristics
The analysis below provides a detailed evaluation of internal and external factors
affecting cloud computing; information security is an overarching aspect. The subsequent
Strengths – Weaknesses – Opportunities – Threats (SWOT) analysis illustrates key internal
strengths and weaknesses as well as external opportunities and threats (David, 2009, p. 192).
This analysis was used to address cloud computing strategic planning of product development
and improved customer engagement which will hopefully lead to increased competitive
advantage. Information for this SWOT matrix was derived from both academic and industry
periodicals found on the topic.
Internal Factors
Internal Strengths
Economic Considerations.
Service demand, improving customer engagement, and varying regulations impact
business IT infrastructure. The juxtaposition of financial reduction and improved technical
efficiencies has led organizations to embrace the potentials of cloud computing. Cloud
computing proposes a “fee for service” approach that presents businesses and developing
countries with the services, software, and tools necessary for market entrance into a new industry
or the equipment necessary to sustain threats from rivals, suppliers, or substitutes.
Cloud computing is seen as offering significant economic savings. The first federal CIO
anticipated a 30% or $20 billion reduction in federal IT data center infrastructure expenditures by
2015, and projects those funds would be “reinvested in agency missions, including citizen-facing
services and inventing and deploying new innovations” (Kundra, 2011, p. 7). As with any
outsourcing contract, economic improvements are garnered by the thorough analysis of business
need and service availability. Cloud computing does reduce large infrastructure investments,
provides emphasis on agility and allows for hardware and software efficiency (pay for use).
Brand.
The National Institute of Standards and Technology (NIST) “has identified five essential
characteristics of cloud computing: on-demand service, broad network access, resource pooling,
rapid elasticity, and measured service” (NIST, 2011). As global competition increases,
organizations will escalate cloud adoption as a method of quickly bringing products to their
niche and developing customer bases. Cloud providers offer their customers the ability to
rapidly adjust their IT infrastructure to changes in consumer demand without the financial as
well as operations and maintenance responsibilities. Cloud computing is becoming synonymous
with IT financial efficiencies; however, businesses must perform an internal assessment of their
processes and needs to best obtain the efficiencies cloud brings to bear. The NIST service model
below illustrates the breadth of cloud service offerings available.
Table 1: Cloud Service Models
Service Model | Description
Infrastructure as a Service (IaaS) | Capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Platform as a Service (PaaS) | Capability provided to the consumer is the ability to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider
Software as a Service (SaaS) | Capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure
Centralized Infrastructure.
Cloud computing provides a central area from which the customer can access platforms
and software services. These models provide a centralized foundation from which security risks
and software version controls will be managed, and information access and regulation
compliance will be monitored, all while providing customers uniform product offerings at a
reduced financial cost. Most importantly, centralization increases innovation, as
it reduces IT investment costs that serve as barriers to market entry. Lastly, business continuity
planning (BCP) programs benefit from centralization, as mission critical applications and data
are maintained in a single location.
There are four deployment models used to facilitate cloud services; the NIST descriptions
of these models are listed below.
Figure 1: Cloud Deployment Models
Internal Weaknesses
Uniform Measurements
Metrics used to evaluate cloud providers are not consistent throughout the industry and vary
depending upon country and business regulations. Unfortunately, expectations are dependent
upon business need and vary accordingly. Initiatives such as the Carnegie Mellon University
Cloud Services Measurement Initiative Consortium (CSMIC), the Distributed Management Task
Force’s (DMTF) Cloud Management working group, and the Cloud Security Alliance (CSA)
will serve as the basis to address standard cloud performance metrics (TechAmerica, CLOUD2,
2011).
Service level agreements (SLAs) must also be established between the customer and cloud
provider as a technique to define procedures to be taken during service unavailability. The SLA
can also be used to establish metrics to aid cloud providers in securing the environment. These
metrics should outline how data is transmitted; the encryption methods used during data
transport, storage, and access; regulatory compliance activities; disaster recovery procedures; and
an outline detailing steps to recollect data should something happen (bankruptcy, acquisition).
Regulations
Cloud computing allows for access mobility, meaning the customer does not require
knowledge of the location of stored services and information to utilize the information.
However, cloud providers have established data centers in various global locations to address
regulations specific to that region. Businesses may have separate security controls to address
individual regulations and expect cloud providers to segment data accordingly. Global standards
such as Control Objectives for Information and Related Technology (COBIT), International
Organization for Standardization (ISO) 27001, and Information Technology Infrastructure
Library (ITIL), have been used to meet multiple regulatory and governance requirements with a
single set of controls and to lower costs (Wagner, 2011). Combined with cloud services, costs are
further reduced as the enterprise can take advantage of finalized products, thus lessening the
compliance cycle.
Network Dependence
The largest weakness to cloud computing is its dependence upon a robust network to
connect providers and customers. Little can be done should the network be unavailable.
Increased dependence upon mobile products has stretched the current IP network. Globally, the
adoption of IPv6 is underway to address current network limitations; however, this will not
address the needs of individuals and organizations within disparate lands. Wagner quotes
Naughton as saying, “If we are betting our futures on the network being the computer, we ought
to be sure that it can stand the strain” (Wagner, 2009). Customers may utilize the private cloud,
at an increased cost, as a method to sustain network reliability; another option may be
“disconnected use” of services to continue processing (NIST, 800-146).
Loss of Technical Talent
As businesses embrace cloud computing, some have also outsourced their technical staff;
this is a mistake. Technical expertise is required to properly analyze vendor contracts and assess
cloud performance. Businesses must invest in their talent pool to maintain the expertise and
knowledge in preparation for the next innovative solution. Skilled program managers are
necessary to “establishing integrated, multi-disciplinary program teams” with key skills before
beginning major IT programs (Kundra, 2010).
External Factors
External Opportunities
Collaboration towards Cloud Standards.
Cloud computing services are designed to reduce cost and promote reuse. Industry and
government must collaborate to define best practices necessary for international and domestic
cloud adoption. Standards must address concerns towards information security, privacy,
transparency, and accountability with respect to delivering trusted cloud computing services”
(TechAmerica, 2011). They should also address metrics for vendor accreditation and systems
interoperability, all while fostering vendor competition for increased efficiency.
Cloud computing standards will continue to be refined over time, to address industry
uniqueness and modified regulations. This refinement will (1) produce a global approach to
cybersecurity that recognizes the global nature of interconnected systems, (2) provide for data
protection regardless of location, and (3) evade fragmented, unpredictable national requirements
(SIIA, 2011).
Improved Governance
Governance encompasses risk management, legal discovery, auditing, compliance,
information lifecycle management, data portability and systems interoperability (CSA, 2009).
Governance is applicable regardless of service or deployment model and should be flexible to
address specific industry requirements. The government structure, aligned with cloud industry
standards, should combat current gaps in security. CIO Magazine held a survey of industry
leaders to illustrate concerns over information security; only 48 percent actually believed
information security has improved” (Brenner, 2009).
Established governance should define roles and responsibilities necessary for compliance
with domestic and international regulations; address success metrics (i.e. performance and
service availability); outline access controls and identity management methods; detail incident
management and business continuity procedures; and offer testing guidelines. Cloud security is
pertinent to its success; it provides a foundation for collaboration and is forecast to provide
exponential benefits to everyone involved. A combined approach to governance will glean
lessons learned throughout the country and industry thus aiding in the development of effective
centralized services.
Uniform Performance Metrics
The development of key performance indicator (KPI) metrics will aid in building trust
between cloud customers and providers. Customers require measurements to consistently rate
network confidentiality, integrity, and availability (CIA) to assess whether the cloud solution is
applicable to their needs and adaptable to future requirements. Metrics are also necessary to
clearly define cost savings and demonstrate program efficiencies, network consumption, and
vulnerabilities. More importantly, metrics emphasize security risks presented by the dependence
upon the cloud provider.
External Threats
Economic crisis
Although some do not consider the continued global economic downturn as a reason for
required financial IT efficiency, nonetheless, it has contributed to the push toward the cloud.
Industries accustomed to a large portion of the enterprise budget must discover the benefits cloud
computing provides. Continued reduction in IT budgets may drive customers to unproven
solutions, to the detriment of their business. Compliance with industry standards must be
enforced to reduce cloud vulnerabilities; however, until overarching industry standards are
ratified, customers must mandate that their cloud provider outline methods for data security and
access controls.
Centralization
Cloud computing is thought of as providing a centralized data store from which
individuals and businesses can access innovative applications and services for their environment.
It allows customers the ability to go to a single area to access software and hardware, utilize
frameworks for service accreditation, and limits duplication of efforts, thus saving time and
money. This concept is aimed at consumer mobility and retention, providing the ability to access
data anywhere from any device.
The converse, however, is that centralization provides a single point of failure that is the
target of cybercriminals. Centralization drives the need for standards and governance on
everything from user credentials (access controls) to business continuity management.
Centralization does offer a uniform approach for systems management (e.g., applying security
updates, diminishing holes), but presents security risks that could result in unauthorized access to
data. Cybercriminals have begun how to “impact the operations of other cloud customers and
have been focused on disk partitions, CPU caches, and other shared elements which were never
designed for strong compartmentalization” (Choo, 2010). Cloud providers must devise a
centralized approach to audit the network for integrity, evaluate vulnerabilities and close gaps.
Strategic Analysis
Strengths – Weaknesses – Opportunities – Threats (SWOT)
Internal Audit
Strengths
1. The first Federal CIO instituted the “Cloud First” initiative as a method for federal
agencies to rapidly deploy technical solutions at cost savings, and allows for reuse
2. Aligns with 2010 Federal Data Center Consolidation initiative and could reduce the
number of managed applications and hardware (Kundra, 2011)
3. Reduces initial IT investment costs for new businesses, thus lessening their barriers for
market entry
4. Provides “elasticity”, allowing for quick scalability or downsizing of resources depending
on demand (Dlodlo, 2011)
5. Allows for innovation and entrepreneurship, and promises substantial efficiency gain
(Murray & Zysman, 2011)
6. Limits software piracy and unauthorized use
7. Provides a consistent and centralized mechanism for organizations to protect
confidential/regulated data
8. Can provide an environment where corporations can test and experiment without a
negative impact on production
9. Allows customers to take advantage of vendor products and services without expensive
investment costs
10. Provides broad network access regardless of size (i.e. individuals, businesses large and
small, as well as emerging markets)
Weaknesses
1. Consistent metrics from which to assess cloud service providers are non-existent, but are
being developed
2. Contradictory federal regulations limit government agency cloud adoption
3. Industry standards are evolving, resulting in a lack of compatibility, contributing to
“vendor lock-in” which has limited adoption
4. Lack of consistent, stringent access controls could lead, at a minimum, to inappropriate
disclosure, or at a maximum, the loss or destruction of sensitive information
5. Centralization leads to a single point of failure that demonstrates network vulnerabilities
of which cybercriminals will take advantage
6. Dependence upon the network results in disproportionate service offerings within austere
lands
7. Global standards on data privacy measures are not consistent
8. Sole reliance on browser security has contributed to cloud breaches (NIST 800-146)
9. Lack of information sharing agreements amongst federal agencies limits the efficiencies
cloud offers the community
10. The industry is in its infancy, constantly evolving to address issues, restricting adoption
External Audit
Opportunities
1. International acceptance of cloud computing services continues to expand; its economies
of scale will prove effective when developing governance and regulations to address
security risks
2. The Federal Risk and Authorization Management Program is being implemented to
create a standard, centralized approach to certify and accredit cloud computing products
and services.
3. Trust will be cultivated through legislation, as well as the development of approved,
uniform methods for cloud certification
4. Existing regulations (e.g., Electronic Communications Privacy Act, the Gramm-Leach-
Bliley Act, European Union Data Protection Directive) are being reviewed to modernize
their approaches to address security concerns within the cloud environment
5. Access management frameworks are being developed and implemented to enhance
multination collaboration, with uniform access controls and authentication procedures
(CIO Council, 2011)
6. Focus on improved customer engagement is driving cloud competition within the mobile
market (i.e. tablet vs. phone) leading to innovative product offerings within their
subsequent platforms (Kushida, Murray, Zysman, 2011)
7. Cloud customers will still require onsite technical expertise to evaluate cloud provider
performance and effectiveness, resulting in improved training opportunities
8. Added flexibility in budget and acquisition regulations would provide incentives for
cloud adoption
9. Centralized federal certification and accreditation can be utilized by state and local
organizations which will enable cost efficiencies and drive innovation
10. Focus on component delivery will result in refined services independent of the platform
Threats
1. The cloud service providers control facilities and server access, thus creating possible
security vulnerabilities the cloud customer must address and manage from afar
2. Compatible international regulations are non-existent to combat cloud issues (e.g.,
provider bankruptcy or liquidation, data security, privacy, identity management)
3. Cloud service providers offer a centralized location where cybercriminals have and will
attack
4. Disruption within the public, hybrid, and/or community cloud environment (e.g., network
unavailability, physical server removal) may cause unintended consequences to
customers peripheral to the affected party
5. The shared cloud environment provides cyber criminals a unique area to cause massive
disruption (e.g., denial of service, malware, botnet attacks, zombies)
6. Contracts do not clearly delineate roles and responsibilities for data storage, access, and
management
7. Cybercriminals have taken advantage of the lack of data encryption techniques while data
is at rest, resulting in unauthorized exposures of information
8. Criticism within social media could negatively impact the reputation of cloud service
providers and limit growth and innovation
9. Lack of trained acquisition personnel limits the posture cloud customers have when
negotiating contracts
10. Single entry points to the cloud and the lack of stringent password management allow
cybercriminals the ability to attack these vulnerabilities and limit cloud effectiveness
Recommendation
My recommendations would be to continue support of ongoing community efforts to
develop and sustain (1) an annual review of government regulations to address changes in
industry practices and devise measurements that offer minimum compliance with said
government regulations; (2) standard security requirements to which cloud solution providers
must adhere; (3) denoted service level agreement roles and responsibilities that will be maintained
throughout the contract; (4) portal(s) from which cloud participants can contribute and access;
and (5) procedures to enlist uniform adoption of user authentication procedures for auditing and
control purposes.
Specific Annual Objectives and Policies
The objective of cloud computing is to provide access to dynamically scalable resources
and storage, without the massive financial investment.
Policy Development
1. Governments must collaborate to define minimal, overarching regulations which will
be acceptable in each jurisdiction.
2. Cloud providers must develop a unilateral strategy to effectively manage remote
access and user authentication.
3. Cloud providers must team with security industry leaders (i.e. SANS) to outline a plan
to combat zero-day and denial of service (DOS) attacks. An example of a consistent
approach would be to apply security patches within 48 hours of receipt, regardless of
platform (i.e. PaaS, IaaS, and SaaS).
4. Cloud providers and consumers must collaborate to define minimal SLA stipulations of
roles and responsibilities on information management. Providers must notify
customers within 48 hours of their acquisition, and the acquiring company must
assemble with its new customers within 30 days.
5. Support for continued government and industry development of a cloud acquisition
strategy. Metrics should be developed to provide organizations with financial
incentives should they successfully adopt a new, innovative, cutting-edge solution.
Conclusion
Cloud computing adoption is hampered by security concerns. These concerns can be
managed by implementing a cycle, similar to the figure below, that continually evaluates changes
in government regulations for their impact on acquisition methodology, data transport and storage,
and access controls.
Figure 2: Information Security Adoption Cycle
(Cycle diagram; its stages are:)
Emphasize continued industry and government participation in cloud security working groups
Comprehend required changes to domestic and international regulations specific to information security in cloud computing
Sponsor IT expertise to integrate the latest technologies
Define success criteria to designate changes in governance structures
Collaborate with cloud providers on testing and accreditation activities
References
Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2011). Draft cloud computing synopsis and
recommendations. Retrieved from http://csrc.nist.gov/publications/drafts/800-146/Draft-
NIST-SP800-146.pdf.
Bisong, A., & Rahman, S. M. (2011). An overview of the security concerns in enterprise cloud
computing. International Journal of Network Security & Its Applications, 3(1), 30-45.
doi:10.5121/ijnsa.2011.3103.
Brenner, B. (2009 October 15). Why security matters now. www.cio.com. Retrieved from
http://www.cio.com/article/504837/Why_Security_Matters_Now.
Bublitz, E. (2010). Catching the cloud: managing risk when utilizing cloud computing.
National Underwriter / P&C, 114(39), 12. Retrieved from EBSCOhost.
Chakraborty, R., Ramireddy, S., Raghu, T., & Rao, H. (2010). The information assurance
practices of cloud computing vendors. IT Professional Magazine, 12(4), 29-37.
Retrieved from ABI/INFORM Global. (Document ID: 2081450441).
Choo, K. (2010). Cloud computing: Challenges and future directions. (cover
story). Trends & Issues in Crime & Criminal Justice, (400), 1-6. Retrieved from
EBSCOhost.
Chow, R., Golle, P., Jakobsson, M., Masuoka, R., & Molina, J. (2009). Controlling data in the
cloud: Outsourcing computation without outsourcing control. Retrieved from
http://markus-jakobsson.com/papers/jakobsson-ccsw09.pdf
CIO Council. (2011). Identity, credential, and access management segment architecture.
Retrieved from http://www.idmanagement.gov
CIO Council. (2 November 2010). Proposed security assessment and authorization for U.S.
government cloud computing. Retrieved from
https://info.apps.gov/sites/default/files/Proposed-Security-Assessment-and-
Authorization-for-Cloud-Computing.pdf.
Cloud Security Alliance. (2011). Cloud controls matrix. Retrieved from
https://cloudsecurityalliance.org/research/initiatives/cloud-controls-matrix.
Cloud Security Alliance. (2011). Defined categories of service 2011. Retrieved from
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf.
Cloud Security Alliance. (2011). Private security cloud security best practices. Retrieved from
https://cloudsecurityalliance.org.
Cloud Security Alliance. (2009). Security guidance for critical areas of focus in cloud
computing v2.1. Retrieved from https://cloudsecurityalliance.org/wp-
content/uploads/2011/07/csaguide.v2.1.pdf.
Cummer, L. (2011 February 25). Are you using cloud computing?. Backbone, 33-36. Retrieved
from EBSCOhost.
Cunningham, P. (2009). Three cloud computing risks to consider. Retrieved from
http://www.arma.org/press/ARMAnews/Infosecurity.pdf
David, F. R. (2009). Strategic management: Concepts and cases. Upper Saddle River, New
Jersey: Pearson Prentice Hall.
DHS. (2011). DHS cyber security resources catalog. Retrieved from
https://www.infosecisland.com/blogview/4291-DHS-Cyber-Security-Resources-
Catalog.html.
Dlodlo, N. (2011). Legal, privacy, security, access and regulatory issues in cloud computing.
Proceedings of the European Conference on Information Management & Evaluation,
161-168. Retrieved from EBSCOhost.
GAO. (2010). Information security government-wide guidance needed to assist agencies in
implementing cloud computing. GAO Reports, 1. Retrieved from EBSCOhost.
GAO. (2011 October 6). Information security: Additional guidance needed to address cloud
computing concerns. Retrieved from http://www.gao.gov/new.items/d12130t.pdf.
Ghosh, S., & Miroslaw J., S. (2010). Enterprise resource planning systems implementation as a
complex project: A conceptual framework. Journal of Business Economics &
Management, 11(4), 533-549. doi:10.3846/jbem.2010.26.
GSA. (2011). Apps.gov. Retrieved from https://www.apps.gov/cloud/main/start_page.do.
Greengard, S. (2010). Cloud computing and developing nations. Communications of the ACM,
53(5), 18-20. Retrieved from EBSCOhost.
Hall, G. (16 July 2009). Cloud computing and ITIL: Service delivery and cloud SLAs. Retrieved
from http://cloudstoragestrategy.com/2009/07/cloud-computing-and-itil-measuring-the-
quality-of-service-delivery.html.
Ivanov, D. (2010). An adaptive framework for aligning (re)planning decisions on supply chain
strategy, design, tactics, and operations. International Journal of Production Research,
48(13), 3999-4017. doi:10.1080/00207540902893417.
Iyengar, G. B. (2011 October 17). Cloud computing – Maze in the haze. Retrieved from
http://www.sans.org/reading_room/whitepapers/country/cloud-computing-maze-
haze_33819.
Jackson, K. L. (2011). Implementation of cloud computing solutions in federal agencies.
Jaeger, J. (2011). Cloud Computing Poses New Risks, Opportunities. (cover story). Compliance
Week, 8(86), 1-47. Retrieved from EBSCOhost.
Jansen, W. & Grance, T. (2011). Guidelines on security and privacy in public cloud computing.
Retrieved from http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-
computing.pdf.
Jukic, B., & Jukic, N. (2010). Information System Planning and Decision Making Framework: A
Case Study. Information Systems Management, 27(1), 61-71.
doi:10.1080/10580530903455221.
Kolakowski, N. (2011). Remote access presents complexity, security issues. eWeek, 28(6), 18.
Retrieved from EBSCOhost.
Kontzer, T. (2010). Cloud forecast 2015. CIO Insight, (114), 8-10. Retrieved from EBSCOhost.
Kundra, V. (2010). 25 point implementation plan to reform federal information technology
management. Retrieved from http://www.cio.gov/documents/25-Point-Implementation-
Plan-to-Reform-Federal%20IT.pdf.
Kundra, V. (8 February 2011). Federal cloud computing strategy. Retrieved from
http://www.techamerica.org/content/wp-content/uploads/2011/02/Federal-Cloud-
Computing-Strategy.pdf
Kushida, K. E., Murray, J., & Zysman, J. (2011 January 20). Diffusing the cloud: Cloud
computing and implications for public policy. Retrieved from
http://brie.berkeley.edu/publications/WP_197%20update%206.13.11.pdf
Mell, P., & Grance, T. (2011). NIST definition of cloud computing. Retrieved from
http://www.nist.gov/itl/cloud.
Owens, D. (2010). Securing elasticity in the cloud. Communications of the ACM, 53(6), 46-51.
doi:10.1145/1743546.1743565
Pant, S. & Ravichandran, T. (2001). A framework for information systems planning for e-
business. Logistics Information Management. Vol. 14.1/2. pp85-98. Retrieved from
http://w3.msi.vxu.se/~per/IVC743/LM/p85.pdf.
Purser, S. (2004). Practical guide to managing information security. p. 109-129. Artech House,
Inc. Retrieved from EBSCOhost.
Raines, G. (2009). Cloud computing and SOA. Retrieved from
http://www.mitre.org/work/tech_papers/tech_papers_09/09_0743/09_0743.pdf.
Ryan, M. D. (2011). Cloud computing privacy concerns on our doorstep. Communications of the
ACM, 54(1), 36-38. doi:10.1145/1866739.1866751.
Schiller, K. (2011, October). Legislating the cloud. Information Today, 28(9), 1, 35-36.
Retrieved from ABI/INFORM Global. (Document ID: 2483177641).
Software & Information Industry Association. (2011). SIIA comments: EU public consultation
on cloud computing. Retrieved from
http://www.spa.org/index.php?option=com_docman&task=doc_download&gid=3074&Itemid=318
TechAmerica. (2011). CLOUD2 report cloud first cloud fast recommendations for innovation
leadership and job creation. Retrieved from
http://www.techamericafoundation.org/content/wp-content/uploads/2011/02/CLOUD2_Report_Cloud_First_Cloud_Fast_Recommendations_for_Innovation_Leadership_and_Job_Creation.pdf.
TechAmerica. (2011). CLOUD2 summary. Retrieved from
http://www.techamericafoundation.org/content/wpcontent/uploads/2011/07/CLOUD2_Summary.pdf.
Wagner, R. (1 September 2011). A guide to security, privacy, compliance and risk-related hype
cycles, 2011. www.gartner.com. Retrieved from
http://www.gartner.com/DisplayDocument?id=1781315