MBA Dissertation
A Detailed Analysis of Cloud Computing in Relation to Value-Added versus Security and Risk-Management
Craig Ellis
Masters in Business Administration
Robert Kennedy College – 2011
Table of Contents
Statement of Originality
Acknowledgement
Abbreviation Overview
Executive Summary
1. Introduction
2. Literature Review
Value-Added of CC
Security and Risk
3. Data Collection Methodology
3.1. Data Analysis Methodology
4. Data Analysis
4.1. Review of Responses
Knowledge of Cloud Computing
Value-Added of Cloud Computing
Security and Risk-Assessment of Cloud Computing
Cloud Computing Business Model
Future of Cloud Computing
5. Conclusion and Recommendations
6. References
7. Appendix
Appendix A: Amended Pre-Screening Survey Questions
Appendix B: Cloud Computing Survey 2011 (Ellis)
Statement of Originality
In presenting this dissertation for assessment, I declare that it is a final copy including any last revisions. I
also declare that it is entirely the result of my own work other than where sources are explicitly
acknowledged and referenced within the body of the text. [Or: in footnotes, endnotes, as appropriate]. This
dissertation has not been previously submitted for any degree at this or any other institution.
Name: Craig Ellis
Signature: Date: 04.12.2011
Acknowledgement
I would like to acknowledge those who made this dissertation possible such as my immediate family and
close friends for their understanding, patience and involvement within this dissertation. I would also like to
thank the participants of the relevant survey for their time and effort, and importantly to acknowledge the
support of the Robert Kennedy College during my work, with special recognition to Professor Barry Ip for
his guidance and assistance in the dissertation process.
Finally I would like to thank my fiancée for her help, support, and patience during this time – without you I
could not have achieved this goal.
Abbreviation Overview
API: Application Programming Interface
CaaS: Communication as a Service
CC: Cloud Computing
CSP: Cloud Service Providers
D&M: DeLone and McLean IS Success Model
DaaS: Data as a Service
ERP: Enterprise Resource Planning
EUCS: End User Computing Satisfaction
IaaS: Infrastructure as a Service
IS: Information Systems
ISP: Internet Service Providers
PaaS: Platform as a Service
QoS: Quality-of-service
SeraaS: Services as a Service
SaaS: Software as a Service
SecaaS: Security as a Service
SLA: Service-level agreements
StoaaS: Storage as a Service
TAM: Technology Acceptance Model
UD&M: DeLone and McLean IS Success Model Updated
UIS: User Information Satisfaction
VaaS: Video as a Service
Executive Summary
The objective of the dissertation is to provide a detailed analysis of a new form of IT service known as cloud
computing (CC), with specific research on the associated security and risk-management issues and the
beneficial value-added delivered from such a deployment. The paper will look to establish the value-added
of cloud computing by researching the benefits, identifying and acknowledging the associated risk, and
outlining the strategic gains. The research will further examine cloud computing as a technological product
especially in relation to the associated security and risk-management issues for purchasing customers, and
will conclude by forming a set of recommendations around the business benefits of adopting a cloud
computing strategy.
We will highlight the most frequently documented problems, detailing the advantages and disadvantages of
cloud deployments and concluding with the future of CC. The concluding recommendations will discuss
potential mitigation of the main security and risk issues, the required legal and process frameworks that will
need to be established, and how customers can successfully deploy cloud services into their existing
business. A set of research questions for this dissertation as outlined below will act as the framework for this
investigation, enabling points of reference to reach the objective of the research undertaken:
1. What are the value-added benefits associated with the implementation of a cloud computing strategy
for companies in the short and long-term?
2. What are the associated risks in the adoption/non-adoption of a cloud computing IT strategy?
3. What are the main security and risk-management issues associated with the implementation of a
cloud computing strategy for companies in relation to their existing business and customer base, and
how can these risks be mitigated?
The dissertation will also undertake an empirical review of a newly-performed survey which will outline key
statistical highlights, followed by a detailed qualitative summarisation on how the cloud is currently
perceived by IT professionals in 2011. The paper will conclude with a formal review of the dissertation
questions, reaching a final conclusion on the long-term future of cloud computing.
1. Introduction
“A new idea comes suddenly and in a rather intuitive way. But intuition is nothing but
the outcome of earlier intellectual experience” - Einstein, 1949 (Isaacson, 2007)
Since its commercial release in the early 1990s, the World Wide Web, commonly referred to as
the internet, has undergone dramatic growth and evolution from both a social and business aspect, and is
today a multi-billion dollar industry operating at the centre of today’s business world. The internet has
revolutionised industries, economies and global companies creating a new wave of multi-billion dollar
organisations such as Google, Yahoo and Facebook whose primary business models are centred on internet
search, social-interaction, advertising and e-commerce. In recent years the industry has seen the
introduction of a new form of IT service known as Cloud Computing (CC) which appears to be reshaping the
fundamental principles of today’s IT business world, and the internet platform itself (Goodburn and Hill,
2010).
The actual definition of CC is an evolving paradigm, however leading research agency Gartner (2008) states
CC is “A style of computing where scalable and elastic IT capabilities are provided as a service to multiple
customers using Internet technologies”. The National Institute of Standards and Technology (Mell and
Grance, 2009) takes a more detailed approach and defines CC as “A model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction”.
Despite its infantile stage, the CC market has grown significantly within a limited number of years and is
now at the forefront of corporate IT strategy (Goodburn and Hill, 2010). In 2008, Gartner estimated the CC
market to be worth around $34 billion, with high growth expected to occur in a short period of time with
forecasted revenues of around $110 billion in 2011, rising to a $140 billion industry by the end of 2013. CC
is now seen as an essential IT strategic option for companies today (Iyer and Henderson, 2010), and allows
them to create substantial competitive advantages in a number of areas as outlined below:
• Incorporation of utility-based billing based around on-demand utilisation and scalability as per the
needed requirements, and as such shifting heavily-laden capital expenditure into on-going
operational expenditure.
• Allowing the rapid deployment of new start-up organisations, technologies and services within a
shortened timeframe and with minimal capital expenditure costs onto established IT platforms
currently utilised by leading global companies.
• Significant time and cost reductions in areas such as the product development and time to market
lifecycle of newly-developed products or services.
• Allowing companies to focus on their core business competencies by the outsourcing of IT and data
management, shifting unproductive resource into revenue-driven areas.
CC services are fundamentally grouped around the acronym “aaS” which refers to “as a Service”. aaS
appears to derive from the online retailer Amazon, and one of their newly formed IT services known as AWS
(Amazon Web Services). Whilst examining new ways to reduce its operational costs during off-peak
trading times, Amazon’s management team felt that it was not fully utilising its physical hardware
computing capability effectively, and that it should be able to purchase such computing capability needs on a
usage-basis similar to utility billing. As a result Amazon began to develop its own CC product (AWS)
which allowed companies to rent computing processes and services from Amazon on a usage-basis, and as
such pioneered CC services.
Amazon as a firm is recognised to display “Dynamic Capability” which is the ability to adjust to new and
unfounded markets ahead of competitors (Teece, 2000), and this is clearly displayed in the development of
AWS. Within today’s CC market a number of service models have been developed and deployed, leading
to the creation of the commonly-known SPI-Model which defines three services known as SaaS (Software as
a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a service). Below is a summarised
description of each service offering as per the official NIST definition (2009).
• Software as a Service (SaaS): The capability provided to the customer is to use the provider’s
applications running on a cloud infrastructure. The applications are accessible from various client
devices through a thin client interface such as a web browser (NIST, 2009). The customer does not
manage or control the underlying cloud infrastructure including network, servers, operating
systems, storage, or even individual application capabilities, with the possible exception of limited
user-specific application configuration settings.
• Platform as a Service (PaaS): The capability provided to the customer is to deploy onto the cloud
infrastructure customer-created or acquired applications created using programming languages and
tools supported by the provider. The customer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, or storage, but has control over the
deployed applications and possibly application hosting environment configurations.
• Infrastructure as a Service (IaaS): The capability provided to the customer is to provision
processing, storage, networks, and other fundamental computing resources where the customer is
able to deploy and run arbitrary software, which can include operating systems and applications.
The customer does not manage or control the underlying cloud infrastructure but has control over
operating systems, storage, deployed applications, and possibly limited control of select networking
components (e.g., host firewalls).
In addition to the above service models, CC providers also offer a range of deployment models using
differing types of cloud-network designs. There are four main deployment models available which are
classified as Private, Public, Community and Hybrid and are defined below as per NIST (2009):
• Private cloud: The cloud infrastructure is operated solely for an organisation. It may be managed by
the organisation or a third party and may exist on premise or off premise.
• Public cloud: The cloud infrastructure is made available to the general public or a large industry
group and is owned by an organisation selling cloud services.
• Community cloud: The cloud infrastructure is shared by several organisations and supports a specific
community that has shared concerns (e.g., mission, security, policy, and compliance considerations).
It may be managed by the organisations or a third party and may exist on premise or off premise.
• Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community,
or public) that remain unique entities but are bound together by standardised or proprietary
technology that enables data and application portability.
As global companies, established SMEs and fledgling start-ups look to migrate to a cloud-orientated world
in order to create competitive advantage and gain immediate market-share (Roth, 2008), detailed strategic
analysis around areas such as usability, accessibility, proprietary frameworks, security and risk (ENISA,
2009) appear to have been disregarded in the rush to develop an online presence and begin to utilise
virtualisation. Established IT giants such as IBM, Apple and Microsoft have been caught standing still as a
number of new start-up companies have developed mass-audiences and growing revenue streams, resulting
in billion dollar market valuations (Reuters, 2011). As CC, virtualisation and social/business cloud service
markets develop, the potential financial gains for such companies appear to be of unprecedented size with
access to new markets, regions, customers and revenue streams all becoming available.
The dissertation will be composed of a number of core sections based around an in-depth literature review,
detailed data-collection and analysis methodology and ending with a set of conclusions and
recommendations. Some of the key questions that will be explored in the dissertation will be around the
potential cost to the company’s core business strategy in the implementation of a cloud strategy, and what
are the potential security and risk-management issues associated. At the present time, literature and research
material related to CC security and risk and the value-added of such deployments is sparse due to the
infantile age of the product and its market. The research undertaken will utilise the work of leading business
scholars in order to focus on the three dissertation questions and to draw relevant conclusions. The
dissertation will begin with an in-depth literature review based around the value-added of CC detailing the
known features and advantages of CC, and the perceived competitive advantage gained by its incorporation
utilising established frameworks such as the DeLone and McLean IS Success Model framework
(1992).
We will examine the model in detail, outline the related literature reviews and associated research from a
critical perspective of various scholars, whilst also attempting to theoretically model a typical CC
deployment to see the associated indicators of success.
Moving forward into the key area of CC security, the literature review will focus on the work and research of
a number of leading IT authorities such as ENISA (European Network and Security Agency), ISACA
(Information Systems Audit and Control Association), the ADODI&S (Australian Department of Defence
Intelligence and Security) and the CSA (Cloud Security Alliance). Quantitative and qualitative research will
be used to explore cloud security, detailing the issues currently restricting firms from undertaking full cloud
utilisation, including a detailed examination of service-level agreements, customer lock-in agreements, data-
protection and recovery whilst examining the publicly recognised risks such as denial-of-service attacks,
malicious software implementation or data/site-hacking (CSA, 2009). The future of CC security will be
examined focusing on legal and political processes and legislation, fundamental security issues of the current
product-ranges, and a summarisation of the main security questions for companies to consider when
implementing CC services. The area of risk-management will also be examined with particular focus on how an
organisation would need to review/amend their existing data security policies and practices. We will look at
a range of the currently applicable standards (ISO 27002, ISMS) and examine what areas could be impacted,
and how to limit potential litigation or legal misdemeanours in the future.
The dissertation will move onto its data-capture chapters which will initially detail the reasoning behind the
design and implementation of the undertaken empirical survey. The initial section will outline the theoretical
methodology behind the chosen instrument outlining a set of pros/cons from a number of available options,
whilst further detailing the available data-capture methods and our chosen selection. In closing we will
outline the target audience and the criteria used in the purchasing of our survey instrument. Moving onto the
data-analysis methodology, a high-level objective of the survey will be produced followed by an overview of
the survey design which will detail the chosen questions/answers and their specific objectives. We will then
outline the performed beta-testing and pre-screening exercises, followed by a brief summarisation on the
formal release.
In closing – the data analysis section will highlight the overall success of the survey displaying the achieved
response-rates; highlighting the emerging trends and key-indicators for cloud computing in 2011, and how
the obtained data relates to existing publication findings and undertaken surveys. Survey participation and
feedback comments will then be detailed where we will highlight some of the perceived limitations of the
survey, and a set of recommendations as given by the participants.
A detailed data analysis review will then follow which will examine each of the survey questions and the
selected answers from a theoretical and practical perspective. This section will look to utilise the highlighted
theories within the Literature Review and to provide conclusive arguments for/against the obtained empirical
data. We will highlight the high-level conclusions gathered and look to display a set of new findings around
cloud computing. The dissertation will move into its conclusion section and will look to provide answers to
the outlined dissertation questions, detailing a high-level summarisation of our main findings and the
relevant recommendations towards CC. The future of CC will also be discussed closing with a set of
potential future research questions.
2. Literature Review
The main objective of the literature review is to develop a detailed body of research that can be used to
conclude on the associated dissertation questions outlined. It is our aim to produce qualitative research-data
that could be utilised in future research undertaken within the chosen topical area. Literature reviews are
commonly defined as “A critical summary and assessment of the current state of knowledge or current state
of the art in a particular field” (Bell, 1993) and can undertake a range of forms. Cooper (1982) outlined five
main stages built around “Problem formulation, data collection, data evaluation, analysis and interpretation
and public presentation”, with Guzzo, Jackson and Katzell (1987) categorising data-collection techniques as
either “Narrative reviews, descriptive reviews, vote counting, and meta-analysis across a horizontal scale of
qualitative to quantitative”. King and He (2005) stated that “Narrative reviews are normally performed by
verbally describing the past studies, focusing on theories and frameworks, elementary factors and their
research outcomes, with regard to a hypothesized relationship.
Descriptive reviews look to locate a pattern from a wide range of reviewed material and to identify particular
patterns or anomalies as a result of the analysis and research, whilst vote-counting is essentially a tally-count
method of particular patterns and repeated results in the same direction across multiple studies, even if some
of them are non-significant, may be more powerful evidence than a single significant result”. In closing
meta-analysis is a fully quantitative methodology which will only utilise empirical quantitative studies (Yang
and Tate, 2009), and as such aims at statistically providing support to a research topic by synthesizing and
analysing the quantitative results of many empirical studies (King and He, 2005).
Given the scarce amount of literature material available for CC within the traditional IT journals such as
IEEE, SIGCOMM or IT professional (Levy and Ellis, 2006) and a lack of quantitative empirical studies in
relation to the cloud, vote-counting and meta-analysis were rejected as viable review options. It was also felt
that given the wide-range of articles and the differing definitions and agreements on CC and cloud services,
that no clearly emerging patterns would be located in its current infantile form, and that as current literature
would be subjective and inconclusive at the present time, a narrative review was most applicable even if at
the risk that reviewers frequently arrive at differing conclusions from the same general body of literature
(Guzzo et al., 1987).
The main source of the reviewed literature was via electronic search using the internet as our main
instrument, and a range of traditional text books based around the MBA program. A number of academic
databases and search websites were utilised during the dissertation process including Google Scholar, IEEE
Explore, UoW Library, HBR, and McKinsey with an initial search performed using “Cloud Computing” as
the search criteria. The initial search located over 300 articles which was too large a review-base for the
paper’s requirements. As such an additional filter was created using the following sections of “Cloud
computing overview”, “Value-added and benefits of cloud computing”, and “Security and risk for cloud
computing” which reduced the number of related articles to below 100. A scan reading exercise was then
performed, resulting in 51 dedicated articles that were selected for a full comprehensive review:
Sub-Section                      Total Articles
General                          15
Value-Added of CC                25
Security and Risk-Management     11
TOTAL                            51
Table 1: Overview of dedicated literature articles (Ellis, 2011)
Value-Added of CC
As an emerging technology, the creation of value-added and the associated competitive advantage by
adoption of CC are of critical importance for the customer. The topic of value-added is a key part of any
business’s strategy, and it is critically important to understand added value on a continual basis within your
services. Michael Porter (1980) defines value as “The amount buyers are willing to pay for what a firm
provides them. Value is measured by total revenue.....a firm is profitable if the value it commands exceeds
the costs involved in creating the product”, however this definition appears closely tied into Porter’s
value-chain model which according to Stabell and Fjeldstad (1998) is “More suitable for the analysis of production
and manufacturing firms than for service firms where the resulting chain does not capture the essence of the
value creation mechanism of the firms”. Competitive advantage is a recurring theme within Information
System journals (Gupta and McDaniel, 2000) and is described as “Obtaining superior performance outcomes
and superiority in production resources reflects competitive advantage” (Day and Wensley, 1988). Barney
(1991) however states that "A firm is said to have a sustained competitive advantage when it is implementing
a value creating strategy not simultaneously being implemented by any current or potential competitors, and
when these other firms are unable to duplicate the benefits of this strategy".
In order to examine the value-added associated with a CC deployment, it is important to utilise an
established framework as a reference. Bowman and Ambrosini (2000) differentiate value at an
organisational level as “Use-value and Exchange-value”; whilst Stabell and Fjeldstad (1998) developed a
three-way value-configuration model of the “Value chain, the value shop and the value network” which was
predominantly based around Michael Porter’s value-chain framework (1985).
Porter’s value-chain framework is widely accepted by academics and scholars alike as a definitive model to
establish a firm’s ability to create and sustain value, and its relevant strengths and weaknesses. It is my
opinion that the model is built as a representative of the manufacturing sector as opposed to the IT
service-sector, which is a view also reflected by Stabell and Fjeldstad (1998) and Elisante (2006).
During the research, an established framework for modelling IS deployment success was located which is
commonly known as the DeLone and McLean IS Success Model (D&M Model) which was created in 1992
by Professor W.H. DeLone and Professor E.R. McLean. The primary aim of the D&M model was to
synthesize previous research involving IS success into a more coherent body of knowledge, and to provide
guidance to future researchers (DeLone and McLean, 1992). DeLone and McLean researched over 100
leading IS journals and articles published during the period 1981–1987, and created a taxonomy of IS
success based upon this review (Petter, DeLone and McLean, 2008).
Figure 1: DeLone and McLean IS Success Model - DeLone and McLean (2003)
DeLone and McLean state that “System Quality and Information Quality singularly and jointly affect both
Use and User Satisfaction”. Additionally, the amount of Use can affect the degree of User Satisfaction
positively or negatively - as well as the reverse being true. Use and User Satisfaction are direct antecedents
of Individual Impact; and lastly this impact on individual performance should eventually have some
Organisational Impact (DeLone and McLean, 1992). During the following decade the D&M model was
tested, interpreted and critiqued by a number of scholars including Seddon (1997), Rai, Lang and Welker
(2002), Goodhue and Thompson (1995) and Jiang, Klein and Carr (2002). As a result the model was
updated incorporating Service Quality, Intention to Use and the amendment of the impact outputs into a
singular category named “Net Benefits” as per below:
Figure 2: Updated DeLone and McLean IS Success Model – DeLone and McLean (2003)
In relation to CC, there appears at the present time to have been no theoretical or empirical
research undertaken into evaluating the value-added of a cloud deployment utilising the updated D&M (UD&M). A
number of researchers have however undertaken research to understand the correlation between the UD&M
and e-commerce resulting in a range of inconclusive evidence and additional questioning (Molla and Licker,
2001; D’Ambra and Rice, 2001). As a result DeLone and McLean in 2003 outlined additional clarification
into how e-commerce can be analysed and critiqued using the UD&M model, and determined how the six
dimensions can be used as a parsimonious framework to organise the various success metrics identified in
the IS and e-commerce literature (DeLone and McLean, 2003).
• System Quality: in the internet environment, measures the desired characteristics of an e-commerce
system. Usability, availability, reliability, adaptability, and response time (e.g., download time) are
examples of qualities that are valued by users of an e-commerce system.
- Adaptability
- Availability
- Reliability
- Response time
- Usability
• Information Quality: captures the e-commerce content issue. Web content should be personalized,
complete, relevant, easy to understand, and secure if we expect prospective buyers or suppliers to
initiate transactions via the Internet and return to our site on a regular basis.
- Completeness
- Ease of understanding
- Personalisation
- Relevance
- Security
• Service Quality: is the overall support delivered by the service provider, which applies regardless
of whether this support is delivered by the IS department, a new organisational unit, or outsourced to
an ISP. Its importance is most likely greater than previously since the users are now our customers
and poor user support will translate into lost customers and lost sales.
- Assurance
- Empathy
- Responsiveness
• Use: measures everything from a visit to a web-site, to navigation within the site, to information
retrieval, to execution of a transaction.
- Nature of use
- Navigation patterns
- Number of site visits
- Number of transactions executed
• User Satisfaction: remains an important means of measuring our customers’ opinions of our
e-commerce system and should cover the entire customer experience cycle from information retrieval
through purchase, payment, receipt, and service.
- Repeat purchases
- Repeat visits
- User surveys
• Net Benefits: are the most important success measures as they capture the balance of positive and
negative impacts of the e-commerce on our customers, suppliers, employees, organisations, markets,
industries, economies, and even our societies.
- Cost savings
- Expanded markets
- Incremental additional sales
- Reduced search costs
- Time savings
Figure 3: E-commerce Classification - DeLone and McLean (2003)
Although specifically designed for e-commerce, the above metrics are relevant and applicable for the
analysis of CC value-added. Zwass (1996) defines e-commerce as “The sharing of business
information, maintaining business relationships and conducting business transactions by means of
telecommunications networks”, whilst Payne (2003) describes it as “Any use of information and communications
technology by a business that helps it improve its interactions with customers or suppliers”. Both
definitions clearly resemble CC and its associated characteristics, and as such the UD&M model was deemed
relevant for the narrative review.
System Quality looks to define the characteristics of the physical and logical system as per the outlined
metrics, and so we began to investigate whether CC brings advantageous value-added over traditional grid
system-computing. CC appears to bring increased adaptability due to its source-independent nature, with Iyer and
Henderson (2010) stating “The capability of CC enables a company to control access to services, and switch
CSPs easily and at low cost”, whilst significant improvement is also seen in availability, reliability and
response times (CSA, 2009b).
Usability is a common measure of System Quality due mainly to the work of Davis (1989); however,
Armbrust et al. (2009) outlined that “Usability is compromised due to proprietary data-lock in and potential
data-bottlenecks within the cloud”, whilst Rimal, Choi and Lumb (2009) outline a number of risks associated
with “Interoperability user issues and the opaque nature to their users”. The nature of CC appears to derive
additional benefits around availability, reliability and ability to adapt; however, this is not conclusive evidence
of value-added, with Kositanurit et al. (2006) determining that “The reliability of any new system does not
have an effect on utilisation of the system by individual users”. Premkumar, Ramamurthy and Nilakanta
(1994) stated that “The complexity of a system affects the initial use and adoption of an e-commerce system;
however, the technical compatibility of the system with existing hardware and software did affect initial use
and adoption of an EDI system”. Further empirical research into the usability of CC systems is warranted at
the present time in order to establish whether CC System Quality is more rigorous compared to traditional systems.
Informational Quality within the UD&M model is correlated to the relevant content and its applicable
metrics; however, CC does not primarily affect content and is merely acting as a storage location.
Information Quality has however proven to be strongly associated with System Use and Net Benefits in
studies conducted by Weill and Vitale (1999) and Rai and Chukwuma (2002), and the areas of security and
completeness of data are relevant and provoking of discussion. CSA (2009b) states that “CC represents
virtualisation, economies of scale, flexibility and cost-effective solutions”; however, Catteddu and Hogden
(2009) state that “Inhibitors to the adoption of CC include security, business continuity, control and
reliability concerns, fears of vendor lock-in, migration costs, reduced customisability, integration difficulties,
as well as uncertainties about data-content legal implications”. One of the key benefits of CC is location
independence, allowing developers open logical-access across physical data-location and lowering application
development time; however, Iyer and Henderson (2010) warn about legal data-compliancy and the
additional workload on IT departments related to data frameworks and legislation of utilising the cloud.
CSA (2009a) undertook detailed research into CC security risks, highlighting seven critical threats to cloud
deployment including data loss, leakage and malicious insiders, and at the present time no conclusive
research is available to disprove the aforementioned threats.
Molla and Licker (2001) state that “Although information has long been considered as an important asset to
modern business, e-commerce has elevated content, i.e. information to a higher level of significance fiscally
and proprietary”. Given the above, there are currently no relevant arguments or available research to
conclude that CC has introduced additional value-added to Informational Quality at the present time, and
further research needs undertaking to provide conclusive, empirical-based arguments.
Service Quality has attracted vast research and analysis in recent years as the size and scope of today’s IT
service-industry has grown globally. Parasuraman, Berry and Zeithaml (1988) developed the critically
acclaimed SERVQUAL service quality framework which has become the de facto industry standard.
SERVQUAL is based on the proposition that service quality can be measured as the gap between the service
that customers expect and the performance they perceive to have received. Participants rate their
expectations of service from an excellent organisation, and then rate the performance they perceive they
received from a specific organisation. Service Quality is calculated as the difference in the two scores where
better service quality results in a smaller gap (Landrum et al., 2008). Various scholars have challenged the
metrics applicable within SERVQUAL and its relevance (Van Dyke, Kappelman and Prybutok, 1997; Jiang
et al., 2002), with DeLone and McLean (2003) stating that “SERVQUAL displays high validity; however the
metrics need continued development and validation”. DeLone and McLean’s IS model places Service
Quality predominantly around a provider’s customer-service focus and ability to deliver assurance, empathy
and responsiveness.
Our determination is that a provider’s customer service proposition is structured organisationally and is not
product-specific, and that a given provider would execute the same service levels for a traditional system as
for a cloud solution. CC however brings varying levels of Service Quality metrics, and
organisations must approach CC with the understanding that they may have to switch providers at some
point. Portability, interoperability and quality-of-service (QoS) service-level agreements (SLA) must be
considered up front as part of the risk management and security assurance of any cloud program (CSA,
2009a).
As CC offers “Infinite computing resource, and the elimination of up-front commitment and short-term
utility billing” (Armbrust et al., 2009), the validity of the associated QoS metrics becomes of critical
importance, and it is the recommendation of the author that the QoS associated with cloud
deployments is investigated from both a legal and contractual framework to determine future validity and
applicability. Detailed empirical research has been undertaken into CC service performance metrics such as
response time, throughput and network utilisation (Karlapudi and Martin, 2004; Lu and Wang, 2005;
Meeuwissen, Mei and Phillipson, 2006), whilst Siripogwutikorn and Banerjee (2006) correlated the
difference of an average delay and percentile delay in per-flow network traffic analysis. Xiong and Perros
(2009) also stated that “Cloud service providers match and exceed contractual SLAs”, however they
caution that their modelling utilised a numerical approximation method in these propositions and corollaries.
Hochstein, Zarnekow and Brenner (2005) concluded that “The concept of defining and measuring service
level agreements (SLAs) is a widespread method to determine IT service quality. Nevertheless, SLAs are
contracts and are not able and not meant to provide indications of IT service quality as actually perceived by
the customer”.
The central component of the model displays the input mechanisms and the relevant outputs, and measures
the Use and User Satisfaction associated with the IS system. DeLone and McLean (2003) revisited the
definition of “Use” in the UD&M based on criticism from a number of scholars including Seddon and
Kiew (1996), who state that “Usefulness is equivalent to the idea of perceived usefulness in TAM by Davis
(1989) and that for voluntary systems, Use is an appropriate measure; however if System Use is mandatory,
Usefulness is a better measure of IS success than Use”. DeLone and McLean (2003) added Intention to Use
into the model as it displays a user’s “attitude”, whereas “Use” is behavioural, and also state the many
difficulties in interpreting the multi-dimensional aspects of “Use” including mandatory versus voluntary,
informed versus uninformed, effective versus ineffective. They do however note with caution that linkage
of attitude to behaviour is notoriously difficult to measure and to quantify.
Use and User Satisfaction for CC is related to the perceived value-added highlighted in the aforementioned
investigation into System, Informational and Service Quality within the UD&M model. Iivari (2005)
located a positive relationship between System Quality and Use, whilst Venkatesh et al. (2003) found a
relationship between effort expectancy and the Intentions to Use the system in both voluntary and mandatory
settings when measured one month after implementation of a new information system. However, this
relationship became non-significant after three months or more. Utilising Iivari’s research, the significant
improvement seen in availability, reliability and response times (CSA, 2009b) would lead to increased Use
and, as an output, increased User Satisfaction; however, Kositanurit et al. (2007) identified no relationship
between reliability and performance for individual users of systems, but did identify a significant
relationship between perceived ease of use and performance.
In terms of User Satisfaction, a number of scholars including Ives, Olson and Baroudi (1983) and Doll and
Torkzadeh (1988) developed instruments to capture the perceived user satisfaction gained from the
applicable systems. Ives et al. (1983) developed the UIS (User Information Satisfaction), whilst Doll and
Torkzadeh (1988) developed the acclaimed EUCS (End User Computing Satisfaction) instrument. Doll and
Torkzadeh (1988) define User Satisfaction as “The opinion of the user about a specific computer application,
which they use” and base the EUCS instrument around five core components of Content, Accuracy, Format,
Ease of use and Timeliness. Numerous detailed empirical studies into User Satisfaction related
to IS and web-based systems have occurred, with Kim et al. (2002) and Palmer (2002) both noting that
“System Quality when measured as reliability and download time, is significantly related to User
Satisfaction”, whilst Seddon and Yip (1992) and Seddon and Kiew (1996) detail a strong relationship
between System Quality and User Satisfaction using a variety of measures and information systems.
However, it is important to note that at the present time there is no available detailed empirical study related
to a large-scale CC deployment, and as such to the relevant User Satisfaction. Theorisation around the work of
the aforementioned scholars (Kim et al., 2002; Palmer, 2002; Seddon and Yip, 1992; Seddon and Kiew, 1996)
does however suggest that enhanced System and Service Quality gained from a cloud deployment would
have a positive effect on User Satisfaction, with Tan and Gallupe (2006) taking a prior-usage view and
stating that “User Satisfaction is based on the memories of the past use of a system”.
If Tan and Gallupe’s research is valid and relevant, then a newly deployed cloud system’s potential change
in User Satisfaction could be based on the perceived User Satisfaction of the previous system, and not the
improved System, Information or Service Quality gained from the new deployment. In conclusion, it is our
view that additional empirical research is required in the area of User Satisfaction from a CC deployment,
including the correlation between the previous and current system satisfaction, and the conducting of an
EUCS survey for a large-scale cloud deployment in order to fully understand the potential gains of a cloud
deployment on Use and User Satisfaction.
Net Benefits are the output measures resulting from the implemented IS deployment with DeLone and
McLean (2003) stating that “Net benefits are the most important success measure as they capture the balance
of positive and negative impacts of the e-commerce on our customers, suppliers, employees, organisations,
markets, industries, economies, and even our societies”. In the original D&M model, DeLone and McLean
(1993) detailed the benefits under individual impact and organisational impact, however numerous scholars
stated that “IS success affects a number of groups including, workgroups, industries and societies” (Petter et
al., 2008), and as such DeLone and McLean replaced individual impact and organisational impact in the
UD&M with a singular output of Net Benefits. A significant amount of research has been conducted into
the Net Benefits of a CC deployment (ISACA, 2009; CSA, 2009; Iyer and Henderson, 2010; Rimal et al.,
2009; Armbrust et al., 2009) with the main benefits of CC stated as:
• Rapid elasticity and deployment capability
• Utility-based billing model
• Financial Accounting gains (Capex to Opex shift, Limited asset-holdings, short-term contracts)
• Sourcing independency and Flexibility
• Ease of maintenance and outsourcing of complexity
It is important to clarify who is benefiting and to what extent. DeLone and McLean (2003) state that
“When investigating the Net Benefits of an IS model, it is critical to take into account (1) What qualifies as a
benefit (2) For whom is the benefit (3) To what level of analysis”.
Seddon (1997) also discusses the consequences of the relevant outcomes, and details the need for additional
research in this area. In context to the outlined benefits of a CC deployment and the examined research, it is
our opinion that the benefit qualifies if it is seen as an improvement over the currently deployed system
(CSA, 2009b), and the high-level organisation is the intended beneficiary (Iyer and Henderson, 2010;
Armbrust et al., 2009). However, no clear conclusion from the researched material could be drawn on the
level of analysis required and to whom the analysis is relevant (individual, department, employer, industry
etc.). The D&M model (1993) provided a clear and concise framework for the analysis of the perceived
success of an IS deployment, whilst the UD&M (2003) developed and expanded the model to fit into a
changing internet/e-commerce world with the additions of Service Quality and output amendments to Net
Benefits.
DeLone and McLean (2003) caution that the model is detailed in a process sense rather than a causal one, and that “The
challenge for researchers is to define clearly and carefully the stakeholders and context in which Net Benefits
are to be measured, and Net Benefits measures must be determined by context and objectives for each
investment”. This paper concludes that the UD&M model places too little emphasis on financial capital
employed and the perceived financial Net Benefits of IS systems given today’s financial business climate.
The model does highlight potential cost-savings under the outputted Net Benefits; however, it pays little
attention to detailed financial outputs and their relevance to perceived success. Given that the primary aim
of today’s companies is to gain financial benefits from implementing new IT deployments, further
research should be undertaken around this area in relation to the DeLone and McLean model, and an attempt
made to bring the model up to date to incorporate key financial measurements.
From the analysis and literature reviews undertaken however, it is with a sense of authority that we can state
that a CC deployment brings substantial Net Benefits when compared to a traditional IS deployment.
Multiple acclaimed scholars and journals identified similar core benefits achieved from such deployments,
and under closer examination utilising the UD&M (2003), theoretically we can conclude that there would be
improved User Satisfaction, Use and identifiable Net Benefits.
The model is however still unclear in relation to the value-added of an IS deployment when specifically
related to the areas of System, Information and Service Quality, and despite the currently available research,
no clear conclusions could be drawn. This paper hereby recommends that the following questions have
additional research undertaken in the future.
1. Research and update the acclaimed EUCS instrument (Doll and Torkzadeh, 1988) to bring renewed
relevance to specific IT and CC deployments.
2. Research and update the UD&M IS Success Model (DeLone and McLean, 2003) to incorporate
detailed evaluation of the preceding IS deployment in relation to the perceived Net Benefits of the
evaluated successor, and to highlight financial input/outputs in a more detailed manner given the
relevance of financial accountability today.
Security and Risk
“Eliminating threats is impossible, so protecting against them without disrupting business innovation and
growth is a top management issue” – Kaplan, Sharma and Weinberg (2011)
IT Security and Risk have always been considered critical factors in regard to typical IT deployments (CSA,
2009a), and in recent years their importance has risen strongly to become a primary concern when customers
are looking to select a service, product or provider especially in relation to CC. Numerous benefits have
been identified and examined in terms of CC; however, cloud security is a key factor for consideration in a
cloud deployment for many enterprises, with 76% of participants in a cloud computing survey identifying
security as their main concern in the use of CC (KPMG, 2010). In the last couple of years, a range of
articles have been published related to cloud security, and a number of agencies have produced
recommendations and detailed surveys such as ENISA (European Network and Information Security
Agency), CSA (Cloud Security Alliance) and KPMG.
ENISA (2009) states that “Cloud security is a priority concern for many potential cloud customers, and that
customers will make buying choices on the basis of the provider’s reputation for confidentiality, integrity,
resiliency, and the security services offered by the provider more so than in a traditional environment”,
whilst KPMG (2010) expanded that “Security is the main obstacle that is encountered when implementing
CC, followed by issues regarding compliance, privacy and legal matters. Organisations are worried about
security and privacy concerning the use of CC services as the market provides marginal assurance”.
Given that security covers a wide topical area, we needed to first clarify the key areas that would be
reviewed. CSA (2009b) states that “Cloud computing security is about gracefully losing control, whilst
maintaining accountability even if the operational responsibility falls upon one or more third parties” and
identified the two key areas of the cloud as (1) Data (2) Applications, Functions and Processes. They state
that it is not mandatory to hold Data and AFP (Applications, Functions, Processes) with the same model,
deployment or provider, and that a mixture of cloud networks can be used as needed to provide greater
diversity and security (Public and Private deployment models for example). As a result of further research,
they also categorise cloud security into four main categories as below:
1. Physical Security
2. Network Security
3. System Security
4. Application Security
Performing a detailed literature review into all of the above categories would require the undertaking of a
dedicated thesis, and as such a decision was made to focus on the following sub-categories:
1. Cloud versus Traditional network deployment.
2. An overview of high-level security concerns.
3. Security and Risk-aversion recommendations.
Cloud deployments have brought about a range of key benefits for customers; however, such benefits appear
to have also added additional security risks. CSA (2009b) states that “The defining characteristic of a
classic IT outsourcing solution is that the provider offers a customised and unique service that does
exactly what the client requested at the client’s terms, in a well-controlled and discrete-environment,
whereas cloud computing by contrast offers highly standardised services that are provided cheaply by
serving multiple customers from a shared IT infrastructure”, whilst Kaplan et al. (2010) state that
“Traditional IT networks in recent years have additional security concerns due to four common trends
identified as continual migration of digital data online, open and ubiquitous access requirements from users,
interconnected supply-chains and increased malevolent activity”.
A number of scholars and organisations have produced similar articles in which they clarified the added risk
of CC, and the available forms of mitigation and business practices that can be applied to minimise impact
(ADODI&S, 2011; CSA, 2009; Julisch and Hall, 2010), whilst a leading white-paper from ISACA in 2010
relating to the associated business benefits of CC stated that “The promise of cloud computing is arguably
revolutionising the IT services world ... however CC brings potential higher-risk with the introduction of a
level of abstraction between the physical infrastructure and the owner of the information. Traditionally the data-
owner has had direct or indirect control of the physical environment affecting his/her data, and in the cloud
that is no longer the case”.
ISACA (2010) continued by establishing a set of demands based around transparency, robustness, control
and inventorisation, and highlighted a number of recommendations. CSA (2009) and McCarthy and Hill
(2011) clarified that “It is not CC that has not brought additional security risks, but rather e-commerce
growth, internet user-base expansion and increased competitiveness in the market-place that has developed
additional risk. CC however brings additional security and risk-management issues in that the Data and
Applications, Functions and Processes that were previously stored and managed in-house are now remotely
managed via third-parties”. However, the quantitative evidence that a CC deployment
actually brings high-criticality risk over a traditional deployment performing the same tasks (e-commerce,
data-storage, remote-user access) seems inconclusive, and there is no data available for researching into the topic of live outages
or security incidents; as such, further detailed research is sought within this area.
As such, the following review will look to provide a high-level summarisation of the commonly associated
high-level concerns towards CC security, and will close with a set of recommendations for this area. A
number of organisations have discussed and detailed associated security concerns with CC deployment
including CSA (2009b), ENISA (2009), ISACA (2009) and ADODI&S (2011), who highlighted the
following:
1. Provider Suitability and Sustainability
2. Contractual Coverage and Obligations
3. Third-Party Interoperability and Access
4. Data-Loss/Leakage and Disaster Recovery
A key component of any outsourced security measure is the provider, with ISACA (2009) stating
“Providers need to display Transparency, Privacy, Compliance, Trans-border Information Flow and
Certification [...] Providers must demonstrate the existence of effective and robust security controls,
assuring customers that their information is properly secured against unauthorized access, change and
destruction [...] Providers will need to provide their customers assurance that they are doing the “right”
thing in terms of independent certification assurance from third-party audits and/or service auditor reports”.
Rai and Chukwuma (2009) go further in the analysis of provider suitability, stating that customers
should “Periodically request and review the provider’s SAS-70 report to gain a fresh perspective on the risks
associated with the provider’s IT environment”. Within our survey, 22 percent stated that a Lack of
Auditing Standards and Regulations was one of the critical issues to be overcome before they would consider
a CC deployment, and it is clearly a key area for both providers and customers to address. In direct
relationship to the previous paragraph, customers are however warned to take considerable time and effort over
the contractual coverage and relevant SLA obligations of their chosen provider. Julisch and Hall (2010)
state “SLAs offered by cloud providers tend to be conservative in the sense that they offer only small
penalty payments, and their commitments are focused on availability rather than data integrity or
confidentiality.
Furthermore, SLAs should be seen as an intrinsically imperfect risk treatment strategy in that in theory they
transfer the risk to the provider, however in practice the provider’s responsibility ends with a penalty
payment and the potential loss of the customer(s) affected by a control failure. The customer by contrast can
remain accountable towards its own customers, regulators, and directors for any failures”. It is important to
note that such statements are relevant to traditional networks; however, the nature of cloud computing has
placed highly-critical data into the hands of providers, and as such compensation should be accordingly
calculated into the underwritten SLAs.
ADODI&S (2011) goes into explicit detail, stating that “Customers should be confirming a range of SLA
agreements related to guarantee of availability, inclusions of scheduled outage windows and differing SLA
compensation agreements”. It is our view that at the given time, there is limited information and few available
contractual examples for customers to use in order to dictate improved contractual conditions with providers.
Cloud computing delivers lower-cost, on-demand capacity, and it is our opinion that customers will simply sign
the terms and conditions without a full understanding of risk or compensation.
Companies undertaking large-scale deployments/migrations should perform thorough and extensive reviews
of the provider’s SLAs and contractual agreement, and they should be looking to add applicable addendums
for cloud computing based around the specific and relevant SLA for data, applications, functions and process
failures. Third-party interconnectivity, CC management interfaces and the rise of APIs (Application
Programming Interfaces) have created a range of security issues which providers and customers need to
address. CSA (2009a) states that “It is critical for customers of these services to understand the security
implications associated with the usage, management, orchestration and monitoring of cloud services.
Reliance on a weak set of interfaces and APIs exposes organisations to a variety of security issues related to
confidentiality, integrity, availability and accountability”, with ENISA (2009) outlining the risk of CC
management interfaces in that “Customer Management Interfaces of a public cloud provider are accessible
through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and
therefore pose an increased risk, especially when combined with remote access and web browser
vulnerabilities”.
The most important area however for customers is that of data-loss/leakage and data-recovery with over 55
percent of participants stating data-loss as their number-one concern (Ellis, 2011), a statistic backed up by
KPMG (2011) with 70 percent stating that security was still their number-one concern to be addressed.
CSA (2009b) outlines “The threat of data compromise increases in the cloud, due to the number of
interactions between risks and challenges which are either unique to cloud, or more dangerous because of the
architectural or operational characteristics of the cloud environment”, with ADODI&S (2011) stating that
“Explicit and detailed questioning for customers should occur in terms of the vendors’ business continuity
and disaster recovery plans, their data integrity and availability, and specific details on data-recovery”.
Numerous additional articles provide further research and understanding on data-loss within the cloud,
and it is identified as the number-one security issue of a cloud computing deployment.
It is of interest that ENISA (2009) takes a somewhat opposing view to cloud computing security risks in that
“Put simply, all kinds of security measures are cheaper when implemented on a larger scale. Therefore the
same amount of investment in security buys better protection including all kinds of defensive measures such
as patch management, filtering, hardening of virtual machine instances and hypervisors, etc. Other benefits
of scale include: multiple locations, edge networks (content delivered or processed closer to its destination),
timeliness of response to incidents, threat management”. ENISA further states that, as compared to a
traditional solution, CC providers are using security as a market differentiator in that “Security is a
priority concern for many cloud customers; many of them will make buying choices on the basis of the
reputation for confidentiality, integrity and resilience of, and the security services offered by, a provider.
This is a very strong driver for cloud providers to improve security practices”.
It is important to note however that ENISA later defines numerous risks around cloud computing, and in
closing states “Ultimately, you can outsource responsibility but you cannot outsource accountability”, in
that any given solution has risks and benefits, and that a deployment of a CC solution brings both benefits
and risks to the customer. Within the review, a range of security risks associated with CC have been
clearly identified and investigated, and a set of recommendations follows.
ADODI&S in 2011 outlined 50 preliminary questions that customers considering or deploying a CC
solution should review and answer, and also outlined four main categories around cloud security
whilst CSA (2009a) outlined seven security recommendations within their applicable security
paper. For continuity within the literature review, we took the ADODI&S (2011) high-level
categories and outlined a set of recommendations for each one.
Provider Suitability and Sustainability refers to the chosen vendor and the product of the chosen
vendor. At the present time, no empirical study into the process for choosing a specific provider
appears to be available, or into which factors are classified as more critical than others.
CSA (2009b) recommends that customers should “Model provider services into a formal
framework such as ISO/IEC 27002, and further onwards into a compliance framework such as PCI
DSS” and makes a set of specific recommendations around the vendor selection process as below:
1. Verification of certifications held, and permission to conduct customer or external audits.
2. Understand the main characteristics of the provider’s offering, and how their technology architecture
and infrastructure impacts their ability to meet SLAs.
3. Demonstration of comprehensive compartmentalisation of systems, networks, management,
provisioning and personnel.
4. Full understanding of the provider’s resource democratisation in predicting system availability and
performance during traffic fluctuations. Identify the provider’s main customers, and how their
fluctuations could impact your traffic if at all.
5. Understand the provider’s patch-management policy and procedure for implementation. Ensure this
is reflected in the contractual language.
6. Identify the provider’s continual improvement program and outage window agreements.
7. Compare and verify the provider’s service-desk operation against your own as a customer, and
ensure matching operational standards.
8. Review the provider’s business continuity plan and disaster recovery plan, especially related to
people and process.
Source: CSA (2009b, p. 53*)
* Citation is edited for summarisation
Additional research has also been undertaken, with ISACA (2010) stating that “Reputation,
history and sustainability are the key factors to consider in choosing the provider”, whilst Rai and
Chukwuma (2009) state that “Providers of IT operations have a major impact on the client, especially
change, release, backup, restore and patch-management processes, and as such should be one of the key
considerations”. The view held by the authors of this paper is similar to that of ENISA, in that providers
should not specifically focus on the technology in the provider selection process, but that they should
review using similar methods/frameworks previously deployed in their tender selection processes, and detail
with a set of high-level questioning/auditing around a provider’s operational practices, process and
procedure, financial sustainability, and ability to deliver on contractual obligations. Framework models
such as ISO 27002 allow providers to display their controls and capabilities; however, in reality providers
will simply present limited or pre-fabricated information and only a legally water-tight contract with specific
service-level agreements will offer the needed protection.
Contractual Coverage and Obligations also has limited research or empirical data available at the present
time for a literature review. Providers appear to court such contractual agreements in
confidentiality with the customer, who also appears unwilling to publish their details. CSA (2009b) does
highlight a number of key areas that they recommend be contractually documented, stating that
“Collaborative governance structures and processes [...] and incorporated into service agreements” and that
“The Corporation Security department should be engaged during the establishment of SLA’s and contractual
obligations; to ensure that security requirements are contractually enforceable”. Within a section on
operational performance they also state that “Performance metrics and standards for measuring performance
and effectiveness of information security management should be established prior to moving into the cloud
[...] Organisations should document their current metrics and how they will change when operations are
moved into the cloud, where a provider may use different (potentially incompatible) metrics”.
They further noted that “Wherever possible, security metrics and standards (particularly those relating to
legal and compliance requirements) should be included in any Service Level Agreements and contracts”.
Additional research around Contractual Coverage and Obligations repeats previous statements in so much as
ensuring performance metric compliancy, ensuring robust compensation for outages/loss of data etc., and the
need for in-depth analysis. Julisch and Hall (2010) investigated the area of responsibility and accountability,
in which they define responsibility as “An obligation to do something according to a certain parameter”,
whilst accountability is “ultimate responsibility – it is a state of being where the bucket stops”. The article
states that “Although cloud computing is a paradigm shift, it does not change the assignment of accountability:
as hitherto, companies are accountable for their assets, including any assets outsourced to providers”.
It is the opinion of this paper however that the decision-making methodology for responsibility is based upon
(1) The SPI-Model product chosen (2) The extent to which the customer is allowed to configure the
providers’ controls and (3) Documented legislation that may dictate the assignment of responsibilities and
thereby overrides the above. From the available resource – it is this viewpoint that we believe is most
relevant for cloud computing security and risk going forward, and is an area that needs additional research
and modelling. It is our recommendation that a “Responsibility-Matrix Model” is developed that would assist
customers in the decision-making process around the area of responsibility and accountability. This could
later result in a formal legal framework that can be agreed between both parties - however the model should
be actionable against each of the four key areas of security (physical, network, system and application).
A number of recommendations are currently available in relation to Third-Party Interoperability and Access.
CSA (2009a) states that customers should perform “Full analysis of the security model of cloud providers’
interfaces [...] Ensure strong authentication and access controls are implemented in concert with encrypted
transmission [...] and understand the dependency chain associated with the API model”. ENISA (2010)
details actual concerns about the use of APIs (Application Programming Interfaces) with Third-Parties as a
potential security breach, and highlights the need for customers to “Investigate the utilised API’s for the export of data
from the cloud”, noting that vulnerabilities could arise in that the “Hypervisor security model may lead to
unauthorized access to these shared resources...As hypervisors used in IaaS clouds offer rich APIs and full
access”.
McKinsey (2011) however moves away from technical vulnerabilities and warns about the “Potential
reselling of information and data via providers, and that customers need to ensure that their data is locked
within the cloud”, whilst ISACA (2009) talks about third-party risk in relation to intellectual property (IP),
stating that “Third-party access to sensitive information creates a risk of compromise to confidential
information, and that in cloud computing, this can pose a significant threat to ensuring the protection of
intellectual property (IP) and trade secrets”.
In closing - ENISA (2010) makes a number of security recommendations in relation to the “Outsourcing of
services” by providers. Given the high level of specialisation around cloud computing components,
software and applications, ENISA warns of “Providers outsourcing complex work to third parties, potentially
opening the customers’ data/network to people/persons unknown or unverified” and states that customers need
to be aware of “Third-Party outsourcing clauses, change in control clauses, or termination of agreement
clauses”. This is a view endorsed by this paper, and it is clear to see that the openness of CC brings forward
a number of Third-Party Operability security issues that will have to be addressed by customers and
providers alike. Key recommendations are to ensure the full transparency of Third-Party agreements used
by the providers, control and secure mechanisms within the API world of the cloud, full clarification on
role/responsibility and the potential outsourcing of services, and that customers should perform regular
auditing/testing of the risk open to their network from outside influences, raising any issues with their providers
immediately for resolution.
A critical area for security recommendation is that related to Data-Loss, Leakage and Disaster Recovery
processes. In the past, customers had full operational responsibility for their data, back-up processes and
disaster recovery procedures; however, with CC all Data and Functions, Applications and Processes fall
under the providers’ responsibility for IaaS, moving up to Data responsibility for SaaS. CSA (2009a) states
that “The threat of data compromise increases in the cloud, due to the number of and interactions between
risks and challenges which are either unique to cloud, or more dangerous because of the architectural or
operational characteristics of the cloud environment” and outlines a set of recommendations including:
1. Implement strong API access control
2. Encrypt and protect integrity of data in transit
3. Analyse data protection at both design and run time
4. Implement strong key generation, storage and management, and destruction practices
5. Contractually demand providers wipe persistent media before it is released into the pool
6. Contractually specify providers’ backup and retention strategies.
It is critical to note that data is a valuable financial asset, and a company’s value and reputation are
intrinsically linked to its data and intellectual property assets. An example was highlighted by a security
breach at the Sony Corporation (Sony, 2010), which suffered a devastating outage in 2010 when the data of its
online membership clubs PSN and SOE was hijacked, ending with the release of the private data of
70m+ users. Sony was forced to temporarily close down its online presence for a period of time, and
suffered large financial losses and, more importantly, a loss of reputation with its customer base and wider
audience.
Related to the benefits of data – a research paper by McKinsey (2011) states that corporations could
“Maximise up to 60 percent increase in operating margins, and decrease by up to 50 percent product
development and assembly costs with big data” and that “A company’s access to, and ability to hold and
analyse data, could confer more value than their existing brand”. A key framework related to data-security is
the potential implementation of a “Data Security Lifecycle” framework (CSA, 2009). The Data Security
Lifecycle is built around six key phases as displayed below:
Figure 4: Data Security Lifecycle Model - CSA (2009b, Pg40)
CSA (2009b) highlights that “The Data Security Lifecycle is fundamentally different from Information
Lifecycle Management as it is directly affecting the needs of a security audience”. As such there are a
number of issues around the Data Security Lifecycle which are outlined as per CSA (2009b, Pg41).
1. Data Security: Confidentiality, Integrity, Availability, Authenticity, Authorisation, Authentication,
and Non-Repudiation.
2. Location of the Data: Assurance that the data, including all of its copies and backups, is stored only
in geographic locations permitted by contract, SLA, and/or regulation. e.g. Use of “Compliant
storage” as mandated by the European Union for storing electronic health records can be an added
challenge to the data owner and cloud service providers.
3. Data Remanence or Persistence: Data must be effectively and completely removed to be deemed
‘destroyed.’ Therefore, techniques for completely and effectively locating data in the cloud,
erasing/destroying data, and assuring the data has been completely removed or rendered
unrecoverable must be available and used when required.
4. Commingling Data with other cloud customers: Data – especially classified / sensitive data – must
not be commingled with other customer data without compensating controls while in use, storage, or
transit. Mixing or commingling the data will be a challenge when concerns are raised about data
security and geo-location.
5. Data Backup and Recovery Schemes: Data must be available and data backup and recovery schemes
for the cloud must be in place and effective in order to prevent data loss, unwanted data overwrite,
and destruction. Don’t assume cloud-based data is backed up and recoverable.
6. Data Discovery: As the legal system continues to focus on electronic discovery, cloud service
providers and data owners will need to focus on discovering data and assuring legal and regulatory
authorities that all data requested has been retrieved.
7. Data Aggregation and Inference: With data in the cloud, there are added concerns of data
aggregation and inference that could result in breaching the confidentiality of sensitive and
confidential information. Hence practices must be in play to assure the data owner and data
stakeholders that the data is still protected from subtle “breach” when data is commingled and/or
aggregated, thus revealing protected information.
CSA also highlights a set of detailed recommendations around data-security (2009b, Pg42-45) - with the
most critical outlined as “(1) Understanding how providers’ integrity, security practices and procedures and
transparency to data is within the SLA (2) Understanding of the geographical location of your data, and
appropriate in-control restrictions are defined and addressed (3) Determine access-to-data rights with an
explicit “Default Deny All” and build out access (4) Full encryption, backup and recovery of all required data,
at required time-stamps”. In our opinion, CSA covers and outlines in detail the high-level requirements and
best-practices in relation to data-handling. The Data Security Lifecycle provides a framework for actual
application and, alongside a formal framework for provider selection, both models would provide the
needed starting point and tracking mechanism to ensure the right level of compliancy.
It is also critical to ensure that any such programs or models are used to construct the contractual SLA’s
especially in regards to data with ISACA (2010) stating that “Data-storage/recovery and disaster recovery
should be the main components of the SLA, and clear expectations regarding the handling, usage, storage
and availability of information must be articulated within the SLA”. In terms of risk-management,
ADODI&S (2011) states that “Risk management must be used to balance the benefits of CC with the
security risks associated with the agency handing over control to a vendor. A risk assessment should
consider whether the agency is willing to trust their reputation, business continuity, and data to a vendor that
may insecurely transmit, store and process the agency’s data”.
Julisch and Hall (2010) detail a different view in that “Risk-management should be wrapped into a formal
framework”, and as such recommend the use of the ISMS (Information Security Management System).
ISMS is hereby defined as “The set of processes, policies, and mechanisms that an organisation uses to
establish, implement, operate, monitor and improve information security” (ISO/IEC, 2005), with Julisch and
Hall (2010) stating that such a framework offers a “Structured way for managing risk and protecting
corporate assets that are outsourced to cloud providers, and the use of an ISMS will assist the providers in the
long-term as it offers a Scalable and standardised method to manage security [...] and draw value from
differentiation within the marketplace”. Risk-management has limited research available at the present time,
and only limited recommendations or data are available.
ISMS as a formal, recognised framework should be implemented when deploying CC; however, we could not
locate any actual research on strategic or financial risks related to CC security and a number of questions
remain unanswered. As a CC customer, it is still unclear whether additional redundancy or parallel network
capacity should always be purchased. Do customers need to take out additional insurance coverage to
mitigate the associated risks? What are the worst-case scenarios for a long service outage in terms of
financial compensation, and what about their own customer perceptions? How should a customer’s business
strategy be connected into its IT system strategy and what are the potential outages/impacts? These
questions at the present time remain unanswered and additional research is required within the area of
risk-management.
As cloud security covers a wide area of available research, recommendations and outlined proposals, the
above summarisation can only serve as a starter to the topic. Leading organisations such as the CSA, ENISA
and ISACA have produced detailed overviews and recommendations, and our concluding recommendation is
that customers should aim to undertake full, detailed reviews of their potential cloud computing security
issues and its capabilities by utilising a set of frameworks and formal process model questioning before
activating or approving any CC product, provider or deployment.
3. Data Collection Methodology
Data collection represents a fundamental component of this research, and one of the key aims of the
dissertation was to produce a new set of data related to CC with specific relevance to its value-added and
security and risk-management issues. Various surveys have been undertaken in recent years (Koffi et al,
2008; Amit and Zott, 2001; KPMG, 2010; F5, 2009), however with only minimal referencing to the
specialist areas in the dissertation. Initial discussion centred on the reasoning behind the research, and a set
of questions was posed for discussion and answered as per Aaker et al (2001).
1. Why should we undertake the research? At the present time, limited research into CC security and
value-added has been performed or is available. Our study would present new and relevant material
on the topic for wider usage.
2. What type of research should be performed? An ordinal questionnaire survey based around a set of
relevant questions, posed to gather the feedback of today’s IT professional within the market-sector.
The data would provide input into the conclusions of our original aims.
3. Is it worth performing the research? The value of data gathered will be greater than the
required effort and cost, and will provide insight into the topic for scholars and researchers if
applicable.
4. How should the research be designed to achieve the objectives? The research will be conducted over
a primary questionnaire, at a set-target group of professionals within the chosen market.
5. What will we do with the research? Once the data has been collected, it will be analysed, reported
and concluded. The research will also be opened for public scrutiny and citation.
A number of options for research gathering were discussed with the main options being (1) interview
research (2) case-study research (3) questionnaire survey. A critical factor for the selection of the research
method was to understand if the exercise was to gather quantitative or qualitative evidence. Given that cloud
is an open, emerging and opinionated product – a qualitative exercise was deemed more appropriate,
however it was deemed critical to gather statistical evidence for concluding and future research usage, and
as such a hybrid solution was used. A wide range of advantages and disadvantages were evident for each
method, with the conduction of interviews posing severe limitations on audience size, representation and an
increased risk of bias or misrepresented opinions. The information obtained from interviews can be difficult
to interpret because of the social desirability bias, complex interactional processes, and the self-fulfilling
prophecy of participants (Psychology Press Ltd., 2004). A case-study analysis, although beneficial in its
ability to portray a true representation of a cloud deployment and associated issues and benefits, was rejected
due to a lack of available participants* and the lengthy time-frame required for analysis. (*For
this purpose, the author’s previous and present employer were approached for participation in the
research, but declined citing multiple reasons.)
It was also noted that with a case-study analysis, previously held views of the traditional network deployed
would be difficult to quantify, and prone to bias if the new cloud deployment was in an infantile stage of
installation.
As such, a questionnaire survey was selected, and a range of options for data-collection were examined
alongside their relevant advantages and disadvantages. Mail surveys are typically associated with low
response rates and limited assistance aids once posted, and an old-fashioned stigma would be attached given that
the topic is web-based IT. The use of face-to-face surveys was also ruled out given the high amount of
interaction and effort required, and because they can be open to a lack of specialisation or relevant viewpoint unless
specific members are selected.
Participants of face to face interviews can also display bias towards positive or negative answers based
around a number of factors highlighted in undertaken research. As such an internet-based survey appeared to
be applicable for our needs, however Gosling et al (2004) cite a study undertaken by Turner et al (1998)
who noted “An increase in reported stigmatised behaviour among adolescents when participating in such
surveys”, whilst Cha (2005) states that “There are four major areas of concern when conducting internet-
based research, namely Sampling Error and Generalisation, Subject fraud, Measurement errors resulting
from extraneous factors, and the Ethics of Conducting Research over an open internet”.
Ahern (2005) however found that “The gained advantages of web-based surveys far outweighed the
disadvantages”. In closing, Truell, Bartlett II, and Alexander (2002) in their research state that “The
response speed of internet-based survey was also about seven days faster than the mail survey, and it was
more thoroughly completed than the traditional counterparts”. In conclusion, an internet-based questionnaire
method was selected as the most appropriate for the outlined objective.
In regards to the survey, an anonymous open-participation invite was dismissed based around a range of
negative drawbacks including a generalisation of data, and a lack of control over participant screening
(Ahern, 2005). The survey would require as a pre-requisite that participants had a basic knowledge of cloud
services to answer the applicable questions, and as such a closed-entry pre-screened participation method
was selected. Target audience selection was restricted to IT professionals with management responsibilities:
Team Manager up to C-class level (CEO, CTO, and CIO), and also to those who had a direct relationship to the
author so as to gain an increased frequency of participation. Participants would come from differing
backgrounds and a mixture of professionals working as cloud providers, and those who are current or
potential cloud service customers.
The targeted audience was initially notified pre-survey via email about the request for participation with a
brief summarisation of the required input, timeframe and an option to opt-out, and from the initially selected
50 participants, 3 were unable to participate and as such the targeted group was 47.
We began to investigate the survey types at our disposal, with Albrecht and Jones (2009) stating that “Web-
based survey tools can be summarised into three categories of (1) Web-Hosted Survey Wizard (2) Web-
Survey Wizards and (3) Custom-designed survey”, and that each category has a range of advantages and
disadvantages. They further stated that Web-Hosted Survey Wizards are the most popular selection for
dissertation research in that they can be “rented for a period of time, are relatively inexpensive and are fully-
customisable and flexible”.
Upon investigation, a range of companies were identified as offering such services (hostedsurvey.com,
raosoft.com, supersurvey.com), however the current market-leader is surveymonkey.com who offers a range
of dedicated, professional-based surveys, albeit at a higher-end price point. A fully-customisable online
survey for up to 1000 participants with a host of required features was available for a month’s rent of $25, and
as such was purchased in September 2011. Below is a summarisation of the available survey features.
• Fully online participation with anonymous responses (no personal details documented)
• Ability to split survey into categories (5 categories selected)
• Ability to amend presentation (fonts, colour, layout)
• Ability to setup a range of security features (survey restricted to one-participation only based on IP-
address, secure SSH connectivity, secure management interface for data-collection)
• Ability to open/close survey as required.
• Ability to download results in a range of formats (word, pdf, excel) with summary or full-data
collections.
3.1. Data Analysis Methodology
During the establishment of the survey, a number of questions were asked leading to the final design. The
first step was to outline the objective of the survey as below:
“To gather statistical feedback of an ordinal nature around the chosen topic of cloud
computing, specifically related to the perceived value-added and associated security and
risk-management issues. Participants would be from a limited subset of established IT
professionals working currently within CC related industries”
Given the hectic schedules of our participants, the survey was constructed to be completed within a
time-period of 30 minutes. This was a key issue as surveys that require longer participation naturally incur lower
response-rates (Siah, 2005). If the survey was to provide statistical evidence to assist in the conclusions of
the dissertation questions, a set of sub-categories was needed to detail specific responses within that area. As
a result of the time-restriction and the overall aim of the survey, we decided that 25 questions would be
created within five sub-categories. Below is a summarisation of the categories and the key objectives:
1. Knowledge of CC: A set of questions to determine the audience’s knowledge of CC, definition and
knowledge of the CC product suite, and their current status of deployment if at all. The objective
was to determine the current knowledge of CC and also their current deployment status.
2. Value-Added of CC: A set of questions to determine the reasoning behind CC adoption, perceived
value-added gains, the preferential product and the strategic reasoning. The objective was to outline
the perceived benefits of CC and the given reasons for adoption. We also looked to determine which
current product range was perceived as most-beneficial.
3. Security & Risk Assessment of CC: A set of questions to determine the perceived security risks of
CC adoption as a customer and/or provider, highlight the top 3 security risks and confirm the
currently available information on cloud security. The objective was to gather the top security risks,
identify the perceived most secure product, and determine the top security requirements for
customers.
4. CC Business Model: A set of questions based around the current market-leaders of CC services,
Cloud strategy related to Michael Porter’s Five-Forces model, and the strategic business importance
of adopting a CC solution. The objective was to understand the strategic reasoning behind
deployments, influencing factors of competitiveness, and strategic advantage related to Porter’s work.
5. Future of CC: A set of questions based around the forecasted future CC leaders, the main drivers for
CC deployment, and predicted future of CC. The objective was to determine the future product
leader, the leading companies to drive CC forward, and understand the long-term plans of companies
in relation to CC.
The designing of the questions was performed using the researched literature material, with a number of
available answers cited from previously documented surveys (KPMG, 2010; F5, 2009). Sub-categories
“Value-Added of CC” and “Security & Risk Assessment of CC” were however researched in greater detail
given their relevance to the paper and the closing conclusions. A number of options were available when
designing the actual questions – and initially our aim was to use open-ended questions, however a study on
survey behaviour by Michael Bosnjak (2001) noted that “Non-responsiveness increased in the number of
open-ended questions answered, but not the number of close-ended questions answered”. He further noted
that “Answering close-ended questions is considered to be ‘low cost’ behaviour, as opposed to answering
open-ended questions”. Additional research by Knapp and Heidingsfelder (2001) also highlighted an
“Increased drop-out rate when using open-ended questions and that more accurate results of a user’s opinion
are reflected in closed-questions”. In addition – available answers would be ordinal-polytomous (4 or more),
with a maximum of twelve available answers on the questions related to preferred products (3 service-
models x 4 deployment methods). Participants would be asked to select their singular most appropriate
answer from a list of multiple choice answers, apart from two questions where they would be asked to select
their Top 3 applicable answers.
The question generation process is well researched by a number of academics (Ahern, 2005; Walonick,
2010) and as such, we sought to ensure that questions were non-descriptive, short, and one-dimensional in
understanding. A key aim was to remove variability in response (Walonick, 2010) and as such a beta-test
was performed by the author at the end of the initial design phase before the scheduled pre-screening
exercise. The pre-screening exercise was performed on the 11th September, 2011 via a pre-selected
participant. This was initially due to be performed via a face-to-face interview; however this was amended
to a web-survey so as to replicate the actual chosen environment of the main survey.
The pre-screening participant was asked to rate the questions on a scale of 1-5 with (1) Incomprehensible
(2) Irrelevant and incomprehensible (3) Comprehensible (4) Relevant and comprehensible and (5) Highly
relevant and comprehensible. Appendix A displays the amended pre-screening results – in which a total of
four questions received a score of 1 or 2, and as such were reworded.
The custom-made survey was built during the period of August - September, 2011, with a pre-screening
exercise performed on the 11th September. This was then followed by the formal survey release to
participants on the 18th September, with a close-off date of the 9th October allowing a 3-week participation
time-window.
4. Data Analysis
4.1. Review of Responses
Upon closure on the 9th October – the survey had gathered 44 responses from a possible 47 giving a response
rate of 93.6 percent. From the forty-four responses – forty participants had fully completed all survey
questions (Appendix B), with four entering incomplete responses. Upon examination – the following
incomplete responses were located, and as such exempted from the final data.
• Respondent A stopped participation in the survey at question four.
• Respondent B stopped participation in the survey at question eleven.
• Respondent C stopped participation in the survey at question nineteen.
• Respondent D completed the survey, however left questions five, eighteen and nineteen blank.
The survey’s responses appeared logical and grouped, and a number of identifiable trends are outlined in detail in
the succeeding section. A number of key findings of the 2011 Cloud Computing survey include:
• A clear understanding of the definition and meaning of cloud computing
• An intermediate level of cloud computing understanding at the present time
• IaaS is currently perceived as the product of choice from the SPI-Model
• Influences for deployment commonly around Scalability, Flexibility and Long-term cost efficiencies.
• Concerns of deployment based around Security process & policies, Data-Loss/Leakage or Outages.
When correlated to previously performed cloud surveys (KPMG, 2010; F5, 2009) – similar trends and
percentile ranges were located, with all three surveys displaying that the biggest singular concern of a cloud
deployment at over 50 percent is that of Security and Data-Loss issues, whilst Scalability and Long-term
Cost Gains are perceived as the main benefits at over 45 percent respectively.
A number of questions asked in the early-phase of the survey were repeated in a differing manner in the later
phases of the survey, with the differing responses highlighting the concerns of Granello & Wheaton (2004)
who highlighted “Measurement errors and inaccuracies of web-based surveys”. An example of such
inaccuracies is seen in Q6 where only 5 percent of participants outlined Short-Term Cost Efficiency as
relevant to a cloud adoption, whilst in Q22, 35 percent cited Short-Term Cost Efficiencies as a main driver of
adoption. The same question also displayed further inaccuracy around Innovation Capability of CC with
only 7.5 percent stating it as a relevant factor in Q6, whereas 17.5 percent stated it as a main driver of CC
within Q22. At the end of the survey participants were able to provide feedback and to highlight any issues
or recommendations related to the survey, its content or design. Below are the main recommendations that
were received.
• Seventeen participants stated that the lack of an “Other” box meant that they had to select
inappropriate answers for certain questions.
• Five participants stated that a lack of a “Comments” field per question limited their ability to provide
appropriate feedback on the subject topic.
• Four participants stated that the questions related to the Five-Force model were irrelevant and
difficult to comprehend.
• Three participants stated that they were unsure of their role when answering certain questions, as
they are both providers and customers of cloud services, and that the needed clarification was
missing.
• Two participants stated that a Likert-Scale would have been more appropriate to a number of
questions to gather an actual scale as opposed to just an opinion.
The survey, although limited in audience size, provided an accurate sample of the current perceptions of IT
professionals related to CC. More importantly, it provided a numerical set of data to support the theoretical
questions of security and risk issues of CC and the perceived value-added benefits gained, and the available
statistical data also provided empirical support for our closing conclusions and future research. A number of
issues were identified post-survey, and additional planning and preparation into the data methodology,
feasibility and sampling would be undertaken in a future survey.
4.2. Questionnaire Findings
As outlined in the data methodology section, the key purpose of the survey was to examine a set of topics
related to CC utilising a specific target audience. The categories were centred around gaining an insight into
the current level of understanding of CC for IT executives, perceived value-added, security and risk
concerns and the business model/future of CC. Below is a detailed summary of the main findings
from the survey, and an outline of their relevance within the dissertation and future research.
Knowledge of Cloud Computing
CC is an emerging solution within IT enterprise; however, there is a perception that executives and
companies are still in an infantile stage of theoretical or working knowledge, and that CC suffers from a lack of
definition on the actual product. The survey sought to confirm this perception, with participants asked to rate
their current level of knowledge of CC. As indicated below, 40 percent selected Intermediate Understanding,
with 37.5 percent selecting Advanced Knowledge, while no participants stated they have No Knowledge of
CC.
Table 2 (Q1 of 25)
How would you rate your current level of knowledge in regards to Cloud Computing?
Answer Options | Response Percent | Response Count
No knowledge | 0.0% | 0
Limited Understanding | 12.5% | 5
Intermediate Understanding | 40.0% | 16
Advanced Understanding | 37.5% | 15
Expert Understanding | 10.0% | 4
Total | 100.0% | 40
Source: Ellis (2011)
Participants were then asked about the current level of working experience of CC within their organisations
as either a product-release or a purchased solution, with over 70 percent stating they had Intermediate or
Advanced Working Experience. This correlates with a 2011 survey by network equipment supplier F5 who
stated that over 82 percent of their participants had trial or limited working experience of CC (F5, 2011).
Only 7 percent of our participants stated that they have no working experience, which indicates that CC is
beyond the conception stage and is becoming a widely deployed IT solution.
The following two questions then focused on the type of CC solution which our participants had utilised
or were selling, and the current level of deployment of CC within their own organisations. Participants
stated that from the SPI-Model over 25 percent are deploying all three services (IaaS, PaaS and SaaS),
whilst 35 percent stated they were utilising only IaaS as a solution at the present time. IaaS offers customers
the most flexibility in management from the SPI-Model (Rimal et al., 2009) and places full control of the
application and software with the customer, which highlights that users are more competent in their ability to
manage and deploy CC than perceived in past research surveys (KPMG, 2010; F5, 2009). Question four
asked about the actual deployment stage of CC within their organisations, with 10 percent stating No Actual
Deployment at the present time, which correlates to question one’s finding that 7 percent have No Working
Experience. The highest response was for Resilient Deployment in Parallel to Existing at 40 percent, which
underlines the perceived outstanding risks of CC and the need for parallel rollouts, whilst Limited
Deployment, defined as a singular department or users, gained 30 percent.
Critically, the participants’ deployment strategy mirrors that of ENISA (2009), whose recommendation is “To
deploy CC within a singular or test-environment initially, whilst establishing the required processes and
service-level agreements with the providers before scaling to wider deployment”, whilst Goodburn and Hill
(2010) stated that “A small shift to the cloud is the beginning of a large strategic change for the
organisation...and that utilising the cloud invariably bring a large scale change-management dimension that
needs to be understood and planned”.
Table 3 (Q4 of 25)
Which of the below most accurately describe the implementation of Cloud Computing within your organisation?
Answer Options | Response Percent | Response Count
No actual Deployment | 10.0% | 4
Testing Deployment | 2.5% | 1
Limited Deployment (singular dept or users) | 30.0% | 12
Resilient Deployment (rolling-out in parallel) | 40.0% | 16
Full Deployment | 17.5% | 7
Total | 100.0% | 40
Source: Ellis (2011)
Question five looked to clarify the working definition of CC by asking participants to select the most
applicable definition. Four options were presented, consisting of three formal definitions from Gartner
(2009), Iyer and Henderson (2010) and NIST (2009), together with a new definition by Ellis (2011).
Institutional standardisation prevailed, with 52.5 percent of participants selecting the NIST (2009) definition,
followed by 25 percent selecting Iyer and Henderson (2010). Gartner’s definition is vague and compact and
states “A style of computing where scalable and elastic IT capabilities are provided as a service to multiple
customers using internet technologies”, whereas both NIST (2009) and Iyer and Henderson (2002) outline in
detail actual CC features and services.
Value-Added of Cloud Computing
The survey then examined the participants’ understanding of CC benefits and proposed a set of questions
based around the perceived value-added of adopting a CC strategy and its deployment. As outlined in the
prior literature review, value-added is vague without defined benefits and as such is open to interpretation.
DeLone and McLean’s UD&M Model (2003) concluded that Net Benefits need to be established to
theoretically display the achieved value-added from a specific IS deployment, and as such questions six and
seven asked participants to indicate which benefits are most/least relevant for the adoption of a CC strategy.
Scalability/Flexibility was displayed as most relevant at 42.5 percent, followed by Long-term cost-efficiency,
and Time to Market-place with a joint 17.5 percent. Scalability/Flexibility of IT will directly improve cost-
efficiency as CC offers utility-based billing and asset-maximisation (Armbrust et al., 2009), whilst the Time
to Market-place advantage of CC brings significant value-added, with Porter (1980) stating
“It is normally more expensive for late entrants into a strategic group to establish their position...thus
difference in timing of entry may translate into differences in sustainable profitability amongst members of
the same group.”
Table 4 (Q6 of 25)
Which of the following factors is most relevant for the adoption of a Cloud Computing strategy?
Answer Options:
Long-Term Cost Efficiency
Increased Marketplace
Innovation Capability
Short-Term Cost Efficiency
Time to Marketplace
Open-interface Capability (ability to utilise 3rd-party applications/programs)
Fear of Non-Adoption
Scalability/Flexibility of IT
Increased Product Competitiveness
Response Percent (Response Count): 42.5% (17); 5.0% (2); 20.0% (8); 2.5% (1); 7.5% (3); 2.5% (1); 17.5% (7); 0.0% (0); 0.0% (0)
Total: 97.5% (40)
Source: Ellis (2011)
Reversing the question as outlined in Table 4 – the least relevant strategic benefit was Fear of non-adoption,
with 62.5 percent of participants selecting it as their choice. This correlates with question four (Table 2) in that
CC deployment is still in an infantile product stage for many customers, with a number of pre-outlined
obstacles still holding back en masse deployment. Question seven does however display the inaccuracy of
nominal web-survey deployment, in that question six highlighted that 17.5 percent stated Time to Market-
place as a relevant factor for a CC strategy, whilst in the succeeding question, 10 percent stated that
Increased Market-place was the least relevant of the applicable factors. Given that the survey was anonymous, we
are unable to determine the correlation between the participants’ answers, and the inaccuracy remains.
Table 5 (Q7 of 25)
Which of the following factors is the least relevant for the adopting of a Cloud Computing strategy?
Answer Options:
Long-Term Cost Efficiency
Increased Marketplace
Innovation Capability
Short-Term Cost Efficiency
Time to Marketplace
Open-interface Capability (ability to utilise 3rd-party applications/programs)
Fear of Non-Adoption
Scalability/Flexibility of IT
Increased Product Competitiveness
Other
Response Percent (Response Count): 0.0% (0); 10.0% (4); 2.5% (1); 7.5% (3); 5.0% (2); 2.5% (1); 0.0% (0); 10.0% (4); 62.5% (25); 0.0% (0)
Total: 100.0% (40)
Source: Ellis (2011)
The following two questions related to which CC product is perceived to give the most value-added and
its associated capabilities. Participants were asked, in a similar manner to question two, to state
which “aaS” product (SaaS, PaaS or IaaS) would deliver the most value-added in the short-term, with 45
percent selecting IaaS and 42.5 percent SaaS. SaaS products are typically low-involvement applications
with minimal input required from the customer offering fully managed solutions, whereas IaaS is a fully-
managed service offering customers complete control and responsibility over all aspects of the solution.
Relevant is that PaaS appears to be currently overlooked by enterprise executives who appear to favour
either full accountability or adopting a fully unmanaged solution with no current requirement for both
capabilities as offered by the PaaS product.
Question nine asked which CC capability is of most importance when considering deployment and offered
six capabilities as noted by current organisations and scholars (ISACA, 2009; CSA, 2009; Iyer and
Henderson, 2010). The responses were of an even-distribution ranging from 22.5 percent selecting Open-
Interface (API) down to Ubiquitous Access at 10 percent, which displayed that no singular capability is
dominant within CC and that customers are looking for different capabilities to suit their specific needs.
Such behaviour is consistent with an infantile product as dedicated solutions are not yet available as per
specific user-requirements, and a general set of product capabilities need to be established (Kotler and
Keller, 2006).
Closing the value-added section, the survey asked which business factor would be of most concern if their
company decided to adopt a non-CC IT strategy in the short-term. Participants were able to select from a
range of strategic benefits associated with CC (ISACA, 2009; CSA, 2009; Iyer and Henderson, 2010; Rimal
et al., 2009; Armbrust et al., 2009), and three benefits gained a total of over 90 percent of the votes, with Loss
of Cost Efficiency Gains top at 38 percent, Loss of Innovation/Agility in Product-line at 32 percent and
Increased Competitiveness of Rivals third at 23 percent. A continual theme around Reduced Time to Market
and Product-Line Innovation can be identified and relates to question six in terms of Time to Market place;
however, Product Competitiveness gained only 2.5 percent. Importantly, changes in Financial Accounting
Advantages (Capex to Opex) received no votes, with Inability to Reduce Headcount gaining just 2 percent,
clearly showing that in the short-term enterprises are focused on product benefits and not the financial
benefits of a CC deployment.
Table 6 (Q10 of 25)
From a strategic perspective – which of the below factors would be of most concern for you if your company decided not to adopt a Cloud Computing IT Strategy in the short-term?
Answer Options | Response Percent | Response Count
Loss of Cost Efficiency Gains | 38.0% | 15
Loss of Financial Accounting Advantages (Capex to Opex shift) | 0.0% | 0
Loss of Innovation/Agility in Product Range | 32.0% | 13
Loss of Market-Share | 5.0% | 2
Increased Competitiveness of Rivals | 23.0% | 9
Inability to Reduce Headcount | 2.0% | 1
Total | 100.0% | 40
Source: Ellis (2011)
Security and Risk-Assessment of Cloud Computing
Security is a critical concern of any IT deployment and is one of the key issues in a CC adoption, as outlined
in the literature review. Given its importance, a full category was allocated in the survey to gather
quantitative evidence to support the literature review findings. Participants were asked from a customer’s
perspective to select the three most important security aspects to be overcome before considering a CC
solution, using concerns outlined by CSA (2009).
Security and Compliance of Data came top with 70 percent, followed by Data-loss and Leakage at 55
percent, reconfirming our findings that data-protection is of critical importance to companies. Data
such as Financial, Customer, HR or Knowledge data is critical for firms to protect in order to remain competitive, with
Teese (2002) stating that “The competitive advantage of firms depends on their ability to create, transfer,
utilise and protect difficult to imitate knowledge assets”. Companies who are housing personal information
or e-commerce have additional legal and security needs and will need to conform to the relevant in-country
Data Protection Acts, and look to ensure that their providers have acquired the relevant standard
certification (ISO-27001, SAS-70). In third place was Malicious Attacks/Denial of Service gaining 40
percent, followed by Vendor Outages, clearly displaying the need for redundancy in the cloud, and the need
for strong contractual SLAs to protect customers in the event of such outages. KPMG (2010) also gathered
similar responses, with 76 percent of participants stating Security Issues as their main concern, followed by
Legal Issues and Compliancy Issues at 50 percent.
Table 7 (Q11 of 25)
As a consumer - which of the below three factors represent the most important security issues to be overcome before you would consider a Cloud Computing solution?
Answer Options | Response Percent | Response Count
Malicious Attacks/Denial-of-Service | 40.0% | 16
Vendor Outage | 37.5% | 15
Lack of Auditing Standards and Regulations | 22.5% | 9
Vendor Lock-in | 15.0% | 6
Security and Compliance of data-holding | 70.0% | 28
Lack of Transparency in Hardware/Infrastructure | 10.0% | 4
Data-loss and Leakage | 55.0% | 22
Financial SLA Compensation | 10.0% | 4
Malicious Insiders/Personal checks | 20.0% | 8
Cloud-provider Closure/Merger | 20.0% | 8
Total | 300.0% | 120
Source: Ellis (2011)
Question twelve was a repeat of eleven, however asking participants to state from a Providers’ Perspective
what security issues customers required to be resolved. The responses mirrored closely those of the
preceding question, with 65 percent stating Security and Compliance of Data; however, Vendor Outages came
second at 55 percent, followed by Data-loss and Leakage at 52 percent. A notable difference was that from a
providers’ perspective 25 percent stated Financial SLA Compensation as a key issue, as compared to just 10
percent when answering from a customer perspective.
CC providers will need to install rigorous and stringent SLA terms into their contracts for their own
protection in case of major service interruptions, and yet still offer the relevant protection and pricing to their
customers in comparison to fellow competitors.
Table 8 (Q12 of 25)
As a cloud service-provider which of the below three factors represent the most important security issues to be overcome before you would consider a Cloud Computing solution?
Answer Options | Response Percent | Response Count
Malicious Attacks/Denial-of-Service | 42.5% | 17
Vendor Outage | 50.0% | 20
Lack of Auditing Standards and Regulations | 22.5% | 9
Vendor Lock-in | 12.5% | 5
Security and Compliance of data-holding | 62.5% | 25
Lack of Transparency in Hardware/Infrastructure | 7.5% | 3
Data-loss and Leakage | 52.5% | 21
Financial SLA Compensation | 25.0% | 10
Malicious Insiders/Personal checks | 15.0% | 6
Cloud-provider Closure/Merger | 10.0% | 4
Total | 300.0% | 120
Source: Ellis (2011)
Question thirteen asked which of the current aaS products represents the highest level of security available at
the present time. Given the varying range of security risk associated with the cloud deployment models
available as outlined by NIST (2009), the aaS SPI-Model was made available on all four deployment models.
IaaS Private-cloud came first with 52.5 percent, followed by SaaS Private-cloud at 27.5 percent, representing a view
that a private-cloud deployment with full user ownership gives customers the most secure environment,
whilst participants ranked Public and Community Cloud as offering the lowest form of security. Question
fourteen asked participants about their views on the current level of information available on CC security,
specifically in regards to standards, with 77.5 percent stating that at the present time there is a Limited Level of
available data, followed by 20 percent stating a Good Level. Providers, organisations, governments,
institutes and governing bodies are currently defining and determining such standards as outlined by ENISA
(2009) and CSA (2009), and a range of journals as noted within this dissertation are providing
recommendations and standards for cloud deployment and security.
The closing question asked participants to select the top three areas that providers will need to address to
become the market leader in the short-term within their given markets. The results gave conclusive
evidence that security is the key factor for providers to resolve in order to win customers’ business, with 85
percent stating Security in the Cloud, and 57.5 percent stating Privacy/Data-Storage Concerns.
Transparency of Billing was bottom with only 17.5 percent, reaffirming the view that customers are clearly
putting service offering as a priority over financial costs in their relevant priorities. Customers are still
clearly concerned about a range of security issues, and as such providers need to ensure they are clearly
addressing issues within their service-offering, operational support and applicable SLA, and clearly
identifying the associated risks and gains of their given services openly.
Table 9 (Q15 of 25)
Please select the Top-3 areas that in your opinion companies should address in the short-term future to become the market leader within Cloud Computing?
Answer Options:
Transparency of Architecture
Security of the Cloud
Availability/Uptime
Privacy/Data-Storage Concerns
Performance
Transparency of Billing
Integration with Existing IT/API’s
Functionality/Customisation
Response Percent (Response Count): 26.7% (32); 9.2% (11); 19.2% (23); 7.5% (9); 5.8% (7); 10.8% (13); 8.3% (10); 12.5% (15)
Total: 100.0% (120)
Source: Ellis (2011)
Cloud Computing Business Model
Section Four looked at the CC business model and the current major providers, and looked to determine
who will be best-positioned in the future to become the industry leader. Questions sixteen and seventeen
asked similar questions around which companies our participants felt would achieve the largest growth due
to the foreseen mass adoption of CC. Question sixteen was related to revenues and seventeen to
profitability, with both questions offering participants four industry markets to select as per below.
Table 10 (IT Market Leaders)
Traditional Software Providers came top in both questions at 37.5 and 45 percent respectively, with
participants stating that this is the market that will see the largest increase in revenues and profitability.
Traditional Software Providers typically operate within the SaaS environment, with Gartner (2010)
forecasting SaaS revenue within the enterprise application software market will total $10.7 billion in 2011, a
16.2 percent increase from 2010 revenues.
Traditional Hardware Providers came second in both questions with 30 and 22 percent respectively, which
relates to the mass expansion of CC data centres and physical equipment that will be needed. Leading
Social Service Providers such as Facebook or Twitter surprisingly scored low on both questions, indicating
that participants see such services as not directly related to CC, and merely acting as enablers for cloud
growth.
Table 11 (Q16 of 25)
Which type of company in your opinion will see the largest increase in revenues due to the mass adoption of Cloud Computing?
Answer Options | Response Percent | Response Count
Traditional Hardware Providers (IBM / HP / Dell / Cisco / Juniper) | 30.0% | 12
Traditional Software Providers (Oracle / SAP / Microsoft / Apple) | 37.5% | 15
Social-Service Providers (Facebook / Twitter / LinkedIn / MySpace) | 15.0% | 6
Telco Providers (OBS / BT / Telefonica / Interoute / Verizon) | 17.5% | 7
Total | 100.0% | 40
Source: Ellis (2011)
Table 12 (Q17 of 25)
Which type of company in your opinion will see the largest increase in profitability due to the mass adoption of Cloud Computing?
Answer Options | Response Percent | Response Count
Traditional Hardware Providers (IBM / HP / Dell / Cisco / Juniper) | 22.5% | 9
Traditional Software Providers (Oracle / SAP / Microsoft / Apple) | 45.0% | 18
Social-Service Providers (Facebook / Twitter / LinkedIn / MySpace) | 10.0% | 4
Telco Providers (OBS / BT / Telefonica / Interoute / Verizon) | 22.5% | 9
Total | 100.0% | 40
Source: Ellis (2011)
Question eighteen utilised Michael Porter’s Five-Force model (1980) and involved the topic of competitive
advantage. The question asked participants which of the Five-Forces would be most relevant in lowering
the prices of CC for customers over time. Bargaining power of the Buyer came first with 40 percent,
followed by Rivalry amongst Existing Customers with 35 percent. Porter (1980) stated that “Buyers gain
value in their own chain by the supplier creating value via two mechanisms by (1) Lowering the buyers costs
(2) Raising the buyer performance”.
As such the value-chain of the cloud providers will be passed onto the customers only when their value-chain
is reduced, and as such hardware providers will typically be forced to lower costs and increase performance.
Cloud providers will also embark on pricing differentiation to attract market share given that CC products
are on-demand, scalable and transferable (Iyer and Henderson, 2010), and as such it is the opinion of our
participants that Bargaining power of the Buyer and Rivalry amongst Existing Customers will result in a
lowering of costs to the customer.
Question nineteen undertook a similar topic around Porter’s Five-Forces model, with participants asked to
select which of the Five-Forces was most relevant for firms adopting a CC strategy to remain competitive.
Similar to question eighteen, an even-distribution was displayed, with 30 percent stating Rivalry amongst
Existing Competitors as the most relevant, going down to 10 percent stating Threat of new Entrants.
As per the previous response, Rivalry amongst Existing Competitors appears a main driver for CC adoption
from an executive perspective; however, given the even-distribution within the responses, there is now
quantitative evidence to supplement the literature review’s opinion in regard to Porter’s model that each force
is relevant, critical and should be of equal weighting in any strategic decision making.
Question twenty asked participants which primary factor of CC could potentially hold back the forecasted
mass deployment of CC solutions in the future and projected double-digit growth (Gartner, 2010).
Participants were able to select from a selection of five high-level answers of Security and Risk, Legal
Legislation, Global Recession, Lack of Innovation/Benefits and Over-diluted Marketplace. As identified
previously in the literature review, Security and Risk came out as an overwhelming concern of CC, with 50
percent of participants selecting it as their primary factor, followed by Global Recession and Lack of Cutting
Edge at 20 percent respectively. Legal Legislation gained the lowest number of votes; however, our opinion
is that as customers begin to embrace CC and place personal data into the cloud, a number of legislative
issues will occur around data-integrity and ownership that will need to be resolved. This view is reinforced
by Goodburn and Hill (2010), who stated that “Companies will need to focus on regulatory and compliancy
data issues...resulting in the need for data security and privacy protocols, policies and legal models”.
Table 13 (Q20 of 25)
Which primary factor in your opinion could affect the forecasted double-digit growth within the Cloud Computing market?
Answer Options | Response Percent | Response Count
Security and Risk | 47.5% | 19
Legal Legislation | 7.5% | 3
Over-diluted Marketplace | 10.0% | 4
Global Recession | 17.5% | 7
Lack of Innovation/Benefits | 17.5% | 7
Total | 100.0% | 40
Source: Ellis (2011)
Future of Cloud Computing
Closing out the survey was a set of questions in regards to the future of CC, specific deployment needs and
which providers will be best positioned to capture the forecasted market growth. Participants were
asked which timeline is most applicable for companies today deploying CC, with the top response tied
between Immediate and a 1-3yr Deployment at 32.5 percent each, followed by 6-12 months at 25 percent.
Executives clearly see CC as a strategy to be implemented in the short-term; however, as reported in question
four, this appears to be by a Parallel or Limited Deployment. Executives clearly see CC as beyond the trial
phase and an available option within their IT strategies, with only 5 percent stating that they see deployment
in 3yr or longer.
The following question continued around the theme of timeline deployment by asking participants what are
the main-drivers forcing companies to adopt a CC strategy immediately. The question was positioned as an
intentional repeat of a previous question (six), but in an immediate timeframe. Short-term Cost Efficiency
came out top with 35 percent, followed by Scalability/Flexibility of IT at 20 percent, which contradicts the
question six results which had Scalability/Flexibility most relevant with 42.5 percent of participants. Both
questions do however highlight the same outcomes that cost and scalability are the main drivers for
deployment, which is a view represented in our literature review (Iyer and Henderson, 2010; Rimal et al.,
2009; Armbrust et al., 2009).
Table 14 (Q22 of 25)
What will be the main driver forcing corporations into adopting a Cloud Computing strategy in the immediate future?
Answer Options:
Long-Term Cost Efficiency
Increased Market-place
Innovation Capability
Short-Term Cost Efficiency
Time to Market-place
Open-interface Capability (Ability to utilise 3rd-party apps/programs)
Fear of Non-Adoption
Scalability/Flexibility of IT
Increased Product Competitiveness
Response Percent (Response Count): 20.0% (8); 35.0% (14); 17.5% (7); 0.0% (0); 7.5% (3); 2.5% (1); 10.0% (4); 0.0% (0); 7.5% (3)
Total: 100.0% (40)
Source: Ellis (2011)
Question twenty-three asked participants which “aaS” product and deployment model will become the
market-leader by the end of 2012. Available options for participants were as per question thirteen, based
around the SPI-Model and the four available deployment models, with SaaS Private-cloud first at 27.5
percent, followed by SaaS Public-cloud at 22.5 percent and IaaS Private-cloud with 17.5 percent.
Community deployments were rated low with only 10 percent of votes across all three models, which
indicates that users appear unable at the present time to distinguish the applicable benefits as against using a
public or hybrid deployment model. Quantitative or Qualitative research into the currently available
deployment models is sparse at the present time, and additional research is necessary to provide further
evidence and to reach a theoretical conclusion.
Within the SPI-Model, SaaS appears to be the future choice for enterprises at 57.5 percent in total, followed
by IaaS at 30 percent and PaaS with 12.5 percent; however, it should be noted that the question was open-
ended in that it did not explicitly state the needed requirements of the solution, and as such should only serve
as an informational indicator.
Question twenty-four asked participants to select which providers will gain the most market share in the
next eighteen months within the CC market. Participants were able to select from four options based
around question sixteen, with the new additions of Traditional Cloud-service Providers and Application-
software Providers. Surprisingly, the results were correlated around three main groups representing
Traditional Cloud-service Providers at 40 percent, Application-software Providers at 30 percent, and
Traditional Hardware/Software Providers with 22.5 percent.
Existing cloud computing providers currently have the advantages of first to market, a stable product-line
and operational maintenance experience; however, given the close results, it is interesting to note how IT
professionals within the enterprise are still unclear on the future of CC, and which providers/market-place is
most competent to take full advantage.
Table 15 (Q24 of 25)
Which of the below providers will gain the most market share during the next eighteen months within CC?
Answer Options | Response Percent | Response Count
Traditional Cloud-Service Providers (Amazon / Salesforce / Google) | 40.0% | 16
Traditional Hardware/Software Providers (Microsoft / IBM / Apple / HP) | 22.5% | 9
Social-Service Providers (Facebook / Twitter / LinkedIn / MySpace) | 7.5% | 3
Application-Software Providers (VMware/Oracle/SAP) | 30.0% | 12
Total | 100.0% | 40
Source: Ellis (2011)
Lastly, question twenty-five asked participants which new cloud product services will develop within
the next 18 months, with four new “aaS” products available as answers based on industry research, along
with “other” as an option. Top was StoaaS (Storage as a Service) with 40 percent, closely followed by
SecaaS (Security as a Service) with 30 percent, and VaaS (Video as a Service) at 17.5 percent.
Table 16 (Q25 of 25)
Which of the below newly-innovated cloud product services will gain the most market share during the next eighteen months?
Answer Options | Response Percent | Response Count
CaaS (Communication as a Service) | 7.5% | 3
StoaaS (Storage as a Service) | 40.0% | 16
SecaaS (Security as a Service) | 30.0% | 12
VaaS (Video as a Service) | 17.5% | 7
Other: DaaS (Data as a Service) | 2.5% | 1
Other: SaaS (Services as a Service) | 2.5% | 1
Total | 100.0% | 40
Source: Ellis (2011)
Limited information is available on these services at the present time; however, it appears that some service-
providers are currently marketing existing services under the “aaS” acronym with no clear product
differentiation. At the present time the future of cloud services is still evolving and a highly innovative
product line is being displayed, and additional research is warranted into the associated benefits of the
products in the future.
5. Conclusion and Recommendations
Cloud computing has brought about a rapid change in the way today’s leading companies are viewing their
short and long-term IT strategies. Despite its infantile stage - a wide host of journals, scholars and fellow
students have investigated the basic aspects of the cloud and its associated benefits. However there has been
a limited amount of empirical data-collection or independent specialist research into specific aspects of cloud
deployments. In light of this, the purpose of the study was to investigate two specific areas of cloud
computing related to the perceived value-added benefits, whilst outlining the given security and risk-
management issues associated as such. The main focuses of the paper was to understanding and answer the
opening dissertation questions, and this has occupied much of the detailed literature review.
Drawing on a wide range of examined literature around cloud computing, strategic and competitive advantage, and a host of security journals, we have been able to utilise available research models and explore potential advantages and concerns before drawing conclusions. This analysis and theoretical reasoning attempted to link lab-based theoretical concepts to the deployed product, and a detailed survey was undertaken to provide new and relevant empirical data for our conclusions and to explain the value creation of cloud computing. Key findings on the research questions are summarised here:
1. What are the value-added benefits associated with the implementation of a cloud computing strategy for companies in the short and long-term? A number of value-added benefits were highlighted by our research, including gains in scalability, flexibility and adaptability over existing IT systems. Other key findings of our paper and external research noted an increased ability to perform mass or scaled deployments in a flexible, cost-effective manner, whilst the research reviewed cited utility billing within the IT service industry as a key gain for customers. Only unclear evidence could, however, be obtained using the UD&M model: although gains could be identified within Use, User Satisfaction and Net Benefits, limited findings were drawn on System, Information and Service Quality, and additional research is needed. The UD&M model also displayed limited clarity around the financial outputs of IT deployment success, and it is our recommendation that DeLone and McLean investigate this specific area going forward.
2. What are the associated risks in the adoption/non-adoption of a cloud computing IT strategy? At the present time, there is an element of uncertainty and a lack of clarity over the strategic gains of cloud computing, and existing competitors are awaiting mass adoption. Given the highlighted benefits and risks, C-class management need to consider both the short and long-term cost-efficiencies gained, whilst understanding the increased risk of financial compensation or loss of company reputation in case of attacks or outages. Cloud deployments shift the agreed contractual responsibilities away from the customer to the providers, and as such additional security and risk-management issues appear which need specific attention or process frameworks. Financial obligation and compliance with service-level agreements (SLAs) is also crucial, and the highlighted recommendations should be applied. In terms of benefits, mass scalability, utility billing, long-term cost-efficiencies and peak-optimisation all deliver to the customer’s value-chain, which in turn gives them increased competitive advantage and first-to-market positioning in certain situations. A cloud strategy needs to be extensively detailed and examined from both a strategic and financial perspective, and a detailed deployment program established for rollout. It is also critical that a balance is struck in practice between the added value-creation and the increased risk-creation.
3. What are the main security and risk-management issues associated with the implementation of a cloud computing strategy for companies in relation to their existing business and customer base? How can these risks be mitigated? A range of associated issues were highlighted within cloud security and risk-management. Noted areas included detailed recommendations around a company’s handling of its data and the relevant responsibility/accountability scenarios for loss, leakage or damaged data, with reference to the data security lifecycle model. Key concerns are noted around SLA and contractual issues associated with cloud providers, and a range of recommendations were outlined on potential mitigation and best-practice methodology to be implemented. A leading recommendation was the full use of redundancy, mitigating risk by utilising multiple providers or deployment models. A range of frameworks were also recommended for use, such as ISMS or ISO27002, and a number of risk-management best practices were reviewed and detailed, including the use of process frameworks, auditing standards and creating a detailed project management plan for deployment.
The undertaken survey was a success, gaining 93.6% participation, and provided a fresh set of empirical data that was utilised within the dissertation. A number of limitations/findings were identified within the survey, and recommendations include that any future survey would have wider participation (200+) and cover a more diverse spectrum of roles (Start-ups, Software, Non-IT dedicated customers). A number of small design issues were also identified, and a more in-depth design process and pre-screening methodology would be undertaken in any future survey. A number of key highlights were obtained from the survey including:
• Cloud services are in live deployment stages for customers, albeit in parallel with traditional networks (42.5 percent) or in limited capacity (30 percent) (Q4). In conclusion, providers need to be entering/deploying viable CC services with immediate effect, and in particular offering resilient/parallel deployment models to customers, whilst customers should be ensuring that any first step into CC is via a parallel deployment model at the present time, so that risk is mitigated in relation to the highlighted security and provider concerns discussed.
• From within the SPI-Model, PaaS is currently in the least demand and appears not to be fulfilling any specific product-requirement or required deployment benefit (10 percent, 12.5 percent) (Q8, Q23). In conclusion, providers need to reiterate the given benefits of PaaS, and to establish their product-set in relation to the needs of either an SPI or an SI suite of service offerings. Customers should firstly understand their requirements, perform a security and risk-assessment, and then understand the given benefits around the service offerings and deployment models available.
• Key issues holding back full-scale deployments at the present time are based around Security (70 percent), Data-loss/leakage (55 percent) and Attacks/Outage Concerns (40 percent) (Q11). It is our conclusion that successful providers will be the ones able to provide detailed technical and contractual documentation on their available services and networks, and to exemplify their financial obligations and “responsibilities” in real outage scenarios. Customers should in parallel be pushing providers into obtaining the relevant compliance with industry standards such as SAS-70 and ISO-27002, and utilising recommended questioning frameworks from organisations such as CSA (2009), ENISA (2009) and ADODI&S (2011).
A number of limitations were also identified within the undertaken literature review. The UD&M model (2003) was utilised as a theoretical framework for IS Success modelling; however, it should be noted that the original relationship was relevant to e-commerce and not CC. Despite their similarities, it is our view that the theoretical analysis using the UD&M model was not wholly accurate, and that ideally the model will be updated to reflect CC in the future. There was also limited research or empirical data available for an in-depth review around the areas of System and Information Quality in order to support valid conclusions. It is important to note that no research was performed relating to a real-life case study analysis of a customer cloud computing deployment, which may have provided relevant data or viewpoints.
The dissertation offered an initial insight into two specific areas related to CC deployments, and attempted to bridge the available theoretical concepts with deployment realities. Looking to the future of CC, the paper highlights below a set of key questions that will warrant additional research, including:
1. Is the current SPI-model fit for purpose in terms of the required customer needs, or could newly
established services or deployment models offer advantageous benefits?
2. Will the perceived increased Security and Risk-management issues come to fruition holding back
deployment, or can competitive business behaviour overcome such issues and deliver the required
solutions?
3. Will Use and User-Satisfaction increase in relation to cloud computing deployment for users in the
future?
4. Will cloud computing deliver improved System, Information and Service Quality in the long term,
increasing the gained Net Benefits for the customers?
It is further our prediction that the areas of SecaaS (Security as a Service) and StoaaS (Storage as a Service) will see upward revenue growth in the next two years, based on our applicable data findings and the performed literature review. Customer demands will evolve as their own customer, strategic and financial needs change, and providers will be required to deliver more specific contractual requirements, industry standards certification and highly-customised service management.
Customers will continue to consume the cloud and “aaS” outsourcing will grow as predicted by industry analysts, but it is our opinion that a provider’s relevant “bility” offering will become the key factor in winning market share. Providers will need to display that they can deliver full financial/operational accountability and responsibility, whilst also being able to provide the needed “Scalability and Flexibility”, which creates the “aaS xBility Model” (Ellis, 2011):
“Accountability + Responsibility + Scalability and Flexibility = aaS Market Share”
Based on the findings of this research, CC will continue to open up new sources of innovation and value-added service offerings to customers, and those companies who fully embrace it and deliver using a range of traditional processes, quality and strategic frameworks, and a more specialised customer service model will gain competitive advantage within their chosen market. A note of caution is however needed, in that numerous minefields will need to be navigated by providers before beneficial gains will be realised, with ill-prepared companies at risk of suffering catastrophic financial and reputational losses in certain situations. It is also important to note that CC infrastructure requires very large capital expenditure up-front for providers, with short-term profitability difficult to obtain given the utility billing model of CC.
Taking the results from this research as a whole, it is our view that this paper should serve as a starting point
for future empirical, theoretical and practical research into the chosen topic, and that the areas outlined for
future research are explored through further extensive investigation.
6. References
Aaker, D.A., Kumar, V. and Day, G., 2001. Marketing Research. John Wiley & Sons, Inc. New York.
ADODI&S., 2011. Cloud Computing Security Considerations, Cyber Security Operations Centre Initial Guidance. Australian Department of Defence Intelligence and Security.
Ahern, N. R., 2005. Using the Internet to conduct research. Nurse Researcher. 13(2).
Albrecht, A.C. and Jones, D.G., 2007. Web-based research tools and techniques. In G.r. Walz, J.C. Bleuer, & R.K Yep (Eds.), Compelling counselling interventions: Vistas 2009. Alexandria, VA: American Counselling Association. 337-347.
Amit, R. and Zott, C., 2001. Value creation in E-business. Strategic Management Journal, 22. 493-520.
Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy Katz, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia 2009. “Above the Clouds: A Berkeley View of CC” Technical Report EECS-2009-28, EECS Department, University of California, Berkeley.
Barney, J., 1991. Firm Resources and Sustained Competitive Advantage, Journal of Management. 17(1). 99-120.
Bell, J., 1993. Doing Your Research Project: A Guide for First-time Researchers in Education and Social Science 2nd Edition, Milton Keynes: Open University Press.
Bosnjak, M., 2001. Participation in non-restricted Web-surveys. A typology and explanatory model for item-non response. In U.-D. Reips and M. Bosnjak (Eds.): Dimensions of Internet Science. Lengerich: Pabst Science Publishers. 193-208.
Bowman, C. and Ambrosini, V., 2000. Value creation versus value capture: Towards a coherent definition of value in strategy. British Journal of Management. 11. 1-15.
Cha, Y.S., 2005. All that glitters is not gold: Examining the perils of collecting data on the Internet. International Negotiation: A journal of theory and practice. 10(1). 115-13.
Cloud Security Alliance, CSA., 2009a. Top Threats to Cloud Computing. (Brunette, G. and Mogull, R).
Cloud Security Alliance, CSA., 2009b. Security Guidance for Critical Areas of Focus in Cloud Computing. (Brunette, G. and Mogull, R).
Cooper, H.M., 1982. Scientific Guidelines for Conducting Integrative Research Reviews Review of Educational Research Summer. 52(2). 291-302.
D’Ambra, J. and Rice, R.E., 2001. Emerging factors in user evaluation of the World Wide Web. Information and Management. 38. 374-384.
Davis, F. D., 1989. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly. 13(3). 319–340.
Day, G.S. and Wensley, R., 1988. Assessing Advantage: A Framework for Diagnosing Competitive Superiority. Journal of Marketing. 52. 1-20.
DeLone, W.H. and McLean, E.R., 1992. ‘Information Systems success: the quest for the dependent variable’, Information System Research. 3. 60-95.
DeLone, W.H. and McLean, E.R., 2003. "The DeLone and Mclean Model of Information Systems Success: A Ten-Year Update". Journal of Management Information Systems. 19(4). 9-30.
Doll, W.J .G. and Torkzadeh, G., 1988. The measurement of end-user computing satisfaction. MIS Quarterly. 12(2). 258-274.
Elisante, G., 2006. A new dimension of Porter’s Value Chain. IMS International Journal.
ENISA, 2009. Benefits, Risks and Recommendations for Information Security (Catteddu, D. and Hogben, G)
F5., 2009. Cloud Computing Survey Results. Retrieved in November 2011. http://www.f5.com/pdf/reports/cloud-computing-survey-results-2009.pdf
Gartner, Inc., 2008. “Cloud Computing: Defining and describing an emerging phenomenon”. IDC.51(6). 1-9.
Gartner, Inc., 2010. SaaS revenues within the Enterprise Application. Retrieved in October 2011. http://www.gartner.com/it/page.jsp?id=1492814
Goodburn, M.A. and Hill, S., 2010. The Cloud transforms business. Retrieved in October 2011. http://www.financialexecutive.org
Goodhue, D.L. and Thompson, R.L., 1995. Task technology fit and individual performance. MIS Quarterly. 19(2). 213-236.
Google Scholar., 2011. Google Scholar Search. Retrieved in September-November 2011. http://scholar.google.com
Gosling, S.D., Vazire, S., Srivastava, S. & John, O.P., 2004. Should we trust web-based studies? A comparative analysis of six preconceptions about Internet questionnaires. American Psychologist. 59(2). 93-104.
Granello, D.H. & Wheaton, J.E., 2004. Using web-based surveys to conduct counselling research. In J. W. Bloom & G. R. Walz (Eds.), Cybercounseling and Cyberlearning: An Encore. Greensboro, NC: CAPS Press.
Gupta, A. and McDaniel, J., 2002. Creating Competitive Advantage By Effectively Managing Knowledge: A Framework for Knowledge Management. Journal of Knowledge Management Practice. 9(2).
Guzzo, R.A., Jackson, S.E and Katzell, R.A. 1987. “Meta-Analysis Analysis”. Research in Organisational behaviour. 9. 407-442.
HBR., 2011. Harvard Business Review. Retrieved in September-November 2011. http://hbr.org/
Hill, W.L., 2009. International Business. Seventh Edition. McGraw Hill.
Hochstein, A., Zarnekow, R. and Brenner, W., 2005. Evaluation of service-oriented IT management in practice. In Proceedings of the International Conference on Services Systems and Services Management ICSSSM. 1. 80-84.
IEEE Explorer., 2011. IEEE: Advancing Technology for Humanity. Retrieved in September-November 2011. http://www.ieee.org/index.html
Iivari, J., 2005. An empirical test of DeLone-McLean model of information systems success. The DATA BASE for Advances in Information Systems. 36(2)
Isaacson, W., 2007. His Life and Universe. New York. Simon and Schuster.
ISACA., 2009. Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. Retrieved in October to November 2011. http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Business-Benefits-With-Security-Governance-and-Assurance-Perspective.aspx
ISO/IEC., 2005. Information Technology – Security Techniques – Information Security Management Systems – Requirements, ISO/IEC 27001.
Ives, B., Olson, M. H. and Baroudi, J.J., 1983. The Measurement of User Information Satisfaction. Communications of the ACM. 26(10). 785-793.
Iyer, B. and Henderson, J.C., 2010. Preparing for the Future: Understanding the Seven Capabilities of CC. MIS Quarterly Executive. 9(2). 117-131.
Jiang, J.J., Klein, G. and Carr, C.L., 2002. Measuring information Systems service quality: SERVQUAL from the other side. MIS Quarterly. 38(8). 499-506.
Julisch, K. and Hall, M., 2010. “Security and Control in the Cloud”. Informational Security Journal: A Global Perspective. 19. 299-309.
Kaplan, J., Sharma, S. and Weinberg, A., 2011. “Meeting the Cyber Security Challenge”. McKinsey Quarterly. Business Technology Office. 6. 1-6.
Karlapudi, H. and Martin, J., 2004. Web application performance Prediction. In Proceedings of the IASTED International Conference on Communication and Computer Networks. 11. 281-286.
Kim, J, Lee, J. Han, K. and Lee, M., 2002, Business as buildings: metrics for the architectural quality of internet businesses. Information Systems Research. 13-3. 239-254.
King, W.R. and He, J., 2005. "Understanding the Role and Methods of Meta-Analysis in Is Research". Communications of the Association for Information Systems. 16. 665-686.
Knapp, F. and Heidingsfelder, M., 2001. Drop-out analysis: Effects of the survey design. In U.-D. Reips, and M. Bosnjak (Eds.): Dimensions of Internet Science. Pabst Science Publishers, Lengerich. 221-230.
Koffi, N'Da. Bergeron, B. And Raymond, L. 2008. Achieving advantages from business-to-business electronic commerce: an empirical validation of an integrative framework. International Journal of Electronic Business. 6(5). 516-549.
Kositanurit, B., Ositanurit, B., Ngwenyama, O and Osei-Bryson, K., 2006. An exploration of factors that impact individual performance in an ERP environment: an analysis using multiple analytical techniques. European Journal of Information Systems. 15. 556-568.
Kotler, P. and Keller, K.L., 2006. Marketing Management. Twelfth Edition. Pearson Prentice Hall.
KPMG., 2010. From Hype to Future: KPMG’s 2010 Cloud Computing Survey. Retrieved in October-November 2011. http://www.kpmg.com/NL/nl/IssuesAndInsights/ArticlesPublications/Documents/PDF/IT%20Performance/From_Hype_to_Future.pdf
Landrum, H., Prybutok, V.R., Zhang, X. and Peak, D., 2009. “Measuring IS System Service Quality with SERVQUAL: Users’ Perceptions of Relative Importance of the Five SERVPERF Dimensions”. Informing Science: the International Journal of an Emerging Trans discipline. 12. 17-35.
Levy, Y. and Ellis, T.J., 2006. A Systems Approach to Conduct an Effective Literature Review in Support of Information Systems Research. Informing Science Journal. 9. 181-212.
Lu, J. and Wang, J., 2005. Performance modelling and analysis of Web Switch. In Proceedings of the 31st Annual International Conference on Computer Measurement. 6-10. 693-700.
McKinsey., 2011. McKinsey Quarterly. Retrieved in October-November 2011. http://www.mckinseyquarterly.com/home.aspx
Meeuwissen, R.D., Mei, H.B. and Phillipson, F., 2006. User perceived Quality-of-Service for voice-over-IP in a heterogeneous multi-domain network environment. In proceedings of ICWS. (Eds. X.J. Liang, Z.H. Xin, V.B. Iversen and G.S. Kuo), Proc. 19th International Teletraffic Congress (ITC19), Beijing, China, Aug. 29 – Sep. 2, 2005. 1109-1121.
Molla, A. and Licker, P.S., 2001. E-commerce Systems success: An attempt to extend and respecify the DeLone and McLean model of IS success. Journal of Electronic Commerce Research. 2(4). 131-141.
NIST., 2009. The NIST definition on Cloud Computing. National Institute of Standards and Technology. US Department of Commerce (Mell, P. and Grance, T).
Palmer, J. 2002. Web site usability, design and performance metrics. Information Systems Research. 13(2). 151-167.
Parasuraman, A., Berry, L.L. and Zeithaml, V.A., 1988. SERVQUAL: A Multiple-Item Scale for Measuring Customer Perceptions of Service Quality, Journal of Retailing. 64(1). 12-40.
Parasuraman, A., Berry, L.L. and Zeithaml, V.A., 1994. Alternative Scales for Measuring Service Quality: A Comparative Assessment Based on Psychometric and Diagnostic Criteria, Journal of Retailing. 58(1). 111-124.
Payne, J.E., 2003. E-Commerce Readiness for SMEs in Developing Countries: A Guide for Development Professionals. Retrieved in October 2011. http://learnlink.aed.org/Publications/Concept_Papers/ecommerce_readiness.pdf
Petter, S., DeLone, W.H. and McLean, E.R., 2008. Measuring information Systems success: models, dimensions, measures, and interrelationships. European Journal of Informational Systems. 17(3). 236-263.
Porter, M.E., 1980. Competitive Strategy, Free Press, New York.
Porter, M.E., 1985. Competitive Advantage: Creating and Sustaining Superior Performance, Free Press, New York.
Premkumar, G., Ramamurthy, K. and Nilakanta, S., 1994. Implementation of electronic data interchange: an innovation diffusion perspective; Journal of Management Information Systems. 11(2). 157-186.
Psychology Press Ltd., 2004. Research Methods: Data Analysis. Retrieved in November 2011. http://onlineclassroom.tv/files/posts/research_methods_chapter/document00/psych%20methods.pdf
Rai, S. and Chukwuma, P., 2009. Security in a Cloud. Internal Auditor. 66(4). 21-23.
Rai, A., Lang, S.S. and Welker, R.B., 2002. Assessing the validity of IS Success Models: An empirical test and theoretical analysis. Information Systems Research. 13(1). 50-69.
Reuters., 2011. Retrieved in September 2011. http://www.reuters.com/
Rimal, B.P. Choi, E. and Lumb, I., 2009. A Taxonomy and Survey of CC Systems. 2009 Fifth International Joint Conference on INC, IMS and IDC. 44-51.
Robbins, S.P., 2005. Organisational Behaviour, Eleventh Edition, Pearson Prentice Hall
Roth, C., 2008. SaaS Implementation Survey: Where, When, and How to use SaaS. Burton Group.
Seddon, P.B., 1997. A re-specification and extension of the DeLone and McLean model of IS success. Information Systems Research. 8(3). 240-253.
Seddon, P.B., and Kiew, M.Y., 1996. A partial test and development of the DeLone and McLean model of IS success. Australian Journal of Information Systems. 4(1). 90-109.
Seddon, P.B., and Yip, S.K., 1992. An Empirical Evaluation of User Information Satisfaction (UIS) Measures for Use with General Ledger Accounting Software. Journal of Information Systems. 6(1). 75-98.
Siah, C.Y., 2005. All that glitters is not gold: Examining the perils and obstacles in collecting data on the Internet. International Negotiation. 10(1). 115-130.
Siripogwutikorn, P. and Banerjee, S., 2006. Per-flow delay performance in traffic aggregates, In Proceedings of the IEEE GLOBECOM. 6(10). 693-700.
Sony., 2010. How Does Sony Breach Affect Customers. Retrieved in October 2011, http://www.bbc.co.uk/news/technology-13206687
Stabell, C.B and Fjeldstad, O.D., 1998. Configuring value for competitive advantage: On Chains, Shops and Networks. Strategic Management Journal. 19. 413–437
Supersurvey., 2009. Online Survey Response Rates and Times. Retrieved in November 2011. http://www.supersurvey.com/papers/supersurvey_white_paper_response_rates.pdf
Swatman, D. and Swatman, R., 2000. Writing Your Dissertation: The Bestselling Guide to Planning, Preparing and Presenting First-Class Work. How To Books; 3rd Revised edition.
Tan, F.B. and Gallupe, R.B., 2006. Aligning business and information Systems thinking: A cognitive approach. IEEE Transactions on Engineering Management. 53(2). 223-237.
Teese, D., 2000. "Strategies for Managing Knowledge Assets: the Role of Firm Structure and Industrial Context". Long Range Planning. 33(1). 35-54.
Truell, A.D., Bartlett, J.E., II, & Alexander, M.W., 2002. Response rate, speed, and completeness: A comparison of Internet-based and mail surveys. Behaviour research methods Instruments and Computer. 34. 46-49.
UoW Library., 2011. University of Wales Online Library. Retrieved in September to November 2011. http://www.wales.ac.uk/en/OnlineLibrary/OnlineLibrary.aspx
Van Dyke, T.P., Kappelman, L.A. and Prybutok, V.R., 1997. Measuring information Systems service quality: Concerns on the use of the SERVQUAL questionnaire. MIS Quarterly. 21(2). 195-208.
Venkatesh, V., Morris, M., Davis, G., and Davis, F., 2003. User Acceptance of Information Technology - Toward a Unified View. MIS Quarterly. 27(3). 425-478.
Walonick, D.S., 2010. A Selection from Survival Statistics. Retrieved November 2011. http://www.statpac.com/surveys/surveys.pdf
Weill, P., and Vitale, M., 1999. Assessing the health of an information system portfolio: An example from process engineering. MIS Quarterly. 23(4). 601-624.
Xiong, K. and Perros, H., 2009. Service Performance and Analysis in CC. IEEE. 6(10). 693-700.
Yang, H. and Tate, M., 2009. Where are we at with CC: 20th Australasian Conference on Information Systems. Melbourne.
Zwass, V., 1996. Electronic commerce: structures and issues. International Journal of Electronic Commerce. 1(1). 3-23
7. Appendix
Appendix A: Amended Pre-Screening Survey Questions
a. Question Five
i. Original: Which definition best describes Cloud Computing?
ii. Amended: Which of the below definitions in your opinion is the most accurate summary of Cloud Computing?
b. Question Eight
i. Original: Which “aaS” product brings the most value-added?
ii. Amended: Which of the “aaS” cloud computing products do you feel will bring your company the most value-added in the short-term adoption?
c. Question Ten
i. Original: Which of the below factors would be most missed if your company does not deploy a Cloud Computing Strategy?
ii. Amended: From a strategic perspective – which of the below factors would be of most concern for you if your company decided not to adopt a Cloud Computing IT Strategy?
d. Question
i. Original: Using Michael Porters Five-Force model for Competitive Advantage – which force is most relevant?
ii. Amended: Utilising Michael Porter’s Five-Force model for Competitive Advantage – which “Force” is the most relevant in adopting a Cloud Computing strategy to remain truly competitive?
Appendix B: Cloud Computing Survey 2011 (Ellis)
Question 1
How would you rate your current level of knowledge in regards to Cloud Computing?
Answer Options Response Percent Response Count
No knowledge 0.0% 0
Limited Understanding 12.5% 5
Intermediate Understanding 40.0% 16
Advanced Understanding 37.5% 15
Expert Understanding 10.0% 4
Source: Ellis (2011) 100.0% 40
Question 2
What is your current level of working experience with Cloud Computing within your organisation either as a product-release or as a purchased service?
Answer Options Response Percent Response Count
No working experience 7.5% 3
Limited working experience (user only) 22.5% 9
Intermediate working experience (day-2-day user) 45.0% 18
Advanced working experience (Decision-maker, Technical-tester) 25.0% 10
Source: Ellis (2011) 100.0% 40
Question 3
Which of the “aaS” Cloud Computing products are you most familiar with or utilising/offering within your organisation?
Answer Options Response Percent Response Count
PaaS (Platform as a Service) 12.5% 5
IaaS (Infrastructure as a Service) 35.0% 14
SaaS (Software as a Service) 27.5% 11
All of the above 25.0% 10
Source: Ellis (2011) 100.0% 40
Question 4
Which of the below most accurately describe the implementation of Cloud Computing within your organisation?
Answer Options Response Percent Response Count
No actual Deployment 10.0% 4
Testing Deployment 2.5% 1
Limited Deployment (singular dept or users) 30.0% 12
Resilient Deployment (rolling-out in parallel) 40.0% 16
Full Deployment 17.5% 7
Source: Ellis (2011) 100.0% 40
Question 5
Which of the below definitions in your opinion is the most accurate summary of Cloud Computing?
Answer Options Response Percent Response Count
A style of computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies 17.5% 7
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service providers’ interaction 52.5% 21
Cloud Computing is an evolution of both computer technology and a business model for delivering IT-based solutions. With cloud-computing an enterprises product-centric/firm-based model for applications and systems’ can be transformed to a global, distribution, service-centric model 25.0% 10
Cloud Computing is the use of both private and public computers to allow users to share data and documents across the WWW. Cloud Computing is predominantly based around media and data. 5.0% 2
Source: Ellis (2011) 100.0% 40
Question 6
Which of the following factors is most relevant for the adoption of a Cloud Computing strategy?
Answer Options Response Percent Response Count
Scalability/Flexibility of IT 42.5% 17
Short-Term Cost Efficiency 5.0% 2
Long-Term Cost Efficiency 20.0% 8
Open-interface Capability (ability to utilise 3rd-party applications/programs) 2.5% 1
Innovation Capability 7.5% 3
Increased Product Competitiveness 2.5% 1
Time to Marketplace 17.5% 7
Increased Marketplace 0.0% 0
Fear of Non-Adoption 0.0% 0
Source: Ellis (2011) 97.5% 40
Question 7
Which of the following factors is the least relevant for the adopting of a Cloud Computing strategy?
Answer Options Response Percent Response Count
Scalability/Flexibility of IT 0.0% 0
Short-Term Cost Efficiency 10.0% 4
Long-Term Cost Efficiency 2.5% 1
Open-interface Capability (ability to utilise 3rd-party applications/programs) 7.5% 3
Innovation Capability 5.0% 2
Increased Product Competitiveness 2.5% 1
Time to Marketplace 0.0% 0
Increased Marketplace 10.0% 4
Fear of Non-Adoption 62.5% 25
Other 0.0% 0
Source: Ellis (2011) 100.0% 40
Question 8
Which of the “aaS” cloud computing products do you feel will bring your company the most value-added in the short-term adoption?
Answer Options Response Percent Response Count
PaaS (Platform as a Service) 10.0% 4
IaaS (Infrastructure as a Service) 42.5% 17
SaaS (Software as a Service) 45.0% 18
Other (please specify) 2.5% 1
Source: Ellis (2011) 100.0% 40
Question 9
Which of the below capabilities is of most importance when considering a Cloud Computing deployment?
Answer Options Response Percent Response Count
Open-Interface Capability (Allows connectivity of application programs easily) 22.5% 9
Location Independent Capability (No geographically restrictions) 20.0% 8
Sourcing Independent Capability (No vendor-specific restrictions) 17.5% 7
Ubiquitous Access Capability (Generic Web Interface Access) 10.0% 4
Limited Contractual Capability (Billable usage modelling) 12.5% 5
Rapid Deployment Capability (Mass rollout en-mass in limited timeframe) 17.5% 7
Source: Ellis (2011) 100.0% 40
Question 10
From a strategic perspective – which of the below factors would be of most concern for you if your company decided not to adopt a Cloud Computing IT Strategy in the short-term?
Answer Options Response Percent Response Count
Loss of Cost Efficiency Gains 38.0% 15
Loss of Financial Accounting Advantages (Capex to Opex shift) 0.0% 0
Loss of Innovation/Agility in Product Range 32.0% 13
Loss of Market-Share 5.0% 2
Increased Competitiveness of Rivals 23.0% 9
Inability to Reduce Headcount 2.0% 1
Source: Ellis (2011) 100.0% 40
Question 11
As a consumer - which of the below three factors represent the most important security issues to be overcome before you would consider a Cloud Computing solution?
Answer Options Response Percent Response Count
Malicious Attacks/Denial-of-Service 40.0% 16
Vendor Outage 37.5% 15
Lack of Auditing Standards and Regulations 22.5% 9
Vendor Lock-in 15.0% 6
Security and Compliance of data-holding 70.0% 28
Lack of Transparency in Hardware/Infrastructure. 10.0% 4
Data-loss and Leakage 55.0% 22
Financial SLA Compensation 10.0% 4
Malicious Insiders/Personal checks 20.0% 8
Cloud-providers’ Closure/Merger 20.0% 8
Source: Ellis (2011) 300.0% 120
Question 12
As a cloud service-provider - which of the below three factors represent the most important security issues to be overcome before you would consider a Cloud Computing solution?
Answer Options Response Percent Response Count
Malicious Attacks/Denial-of-Service 42.5% 17
Vendor Outage 50.0% 20
Lack of Auditing Standards and Regulations 22.5% 9
Vendor Lock-in 12.5% 5
Security and Compliance of data-holding 62.5% 25
Lack of Transparency in Hardware/Infrastructure. 7.5% 3
Data-loss and Leakage 52.5% 21
Financial SLA Compensation 25.0% 10
Malicious Insiders/Personal checks 15.0% 6
Cloud-providers’ Closure/Merger 10.0% 4
Source: Ellis (2011) 300.0% 120
Question 13
Which of the below "Cloud Computing" product-offerings represents the highest-level of security available?
Answer Options Response Percent Response Count
Private-Cloud, IaaS Solution 52.5% 21
Private-Cloud, PaaS Solution 10.0% 4
Private-Cloud, SaaS Solution 27.5% 11
Public-Cloud, IaaS Solution 0.0% 0
Public-Cloud, PaaS Solution 0.0% 0
Public-Cloud, SaaS Solution 2.5% 1
Community-Cloud, IaaS Solution 0.0% 0
Community-Cloud, PaaS Solution 0.0% 0
Community-Cloud, SaaS Solution 5.0% 2
Hybrid-Cloud, IaaS Solution 0.0% 0
Hybrid-Cloud, PaaS Solution 2.5% 1
Hybrid-Cloud, SaaS Solution 0.0% 0
Source: Ellis (2011) 100.0% 40
Question 14
What is the current level of security information openly available in regards to recommended "Cloud Computing" ISO Standards/Recommendations?
Answer Options Response Percent Response Count
No level of information/guidelines available 2.5% 1
Limited level of information/guidelines available 77.5% 31
Good level of information/guidelines available 20.0% 8
Excellent level of information/guidelines available 0.0% 0
Source: Ellis (2011) 100.0% 40
Question 15
Please select the Top-3 areas that in your opinion companies should address in the short-term future to become the market leader within Cloud Computing?
Answer Options Response Percent Response Count
Security of the Cloud 26.7% 32
Integration with Existing IT/APIs 9.2% 11
Privacy/Data-Storage Concerns 19.2% 23
Transparency of Architecture 7.5% 9
Transparency of Billing 5.8% 7
Availability/Uptime 10.8% 13
Functionality/Customisation 8.3% 10
Performance 12.5% 15
Source: Ellis (2011) 100.0% 120
Question 16
Which type of company in your opinion will see the largest increase in revenues due to the mass adoption of Cloud Computing?
Answer Options Response Percent Response Count
Traditional Hardware Providers (IBM / HP / Dell / Cisco / Juniper) 30.0% 12
Traditional Software Providers (Oracle / SAP / Microsoft / Apple) 37.5% 15
Social-Service Providers (Facebook / Twitter / LinkedIn / MySpace) 15.0% 6
Telco Providers (OBS / BT / Telefonica / Interoute / Verizon) 17.5% 7
Source: Ellis (2011) 100.0% 40
Question 17
Which type of company in your opinion will see the largest increase in profitability due to the mass adoption of Cloud Computing?
Answer Options Response Percent Response Count
Traditional Hardware Providers (IBM / HP / Dell / Cisco / Juniper) 22.5% 9
Traditional Software Providers (Oracle / SAP / Microsoft / Apple) 45.0% 18
Social-Service Providers (Facebook / Twitter / LinkedIn / MySpace) 10.0% 4
Telco Providers (OBS / BT / Telefonica / Interoute / Verizon) 22.5% 9
Source: Ellis (2011) 100.0% 40
Question 18
Utilising Michael Porter’s Five-Force model for Competitive Advantage – which “Force” will become most relevant in the lowering of cloud-computing prices for consumers?
Answer Options Response Percent Response Count
Threat of new entrants 5.0% 2
Bargaining power of buyers 37.5% 15
Threat of Substitute product or services 15.0% 6
Bargaining power of suppliers 7.5% 3
Rivalry amongst existing competitors 35.0% 14
Source: Ellis (2011) 100.0% 40
Question 19
Utilising Michael Porter’s Five-Force model for Competitive Advantage – which “Force” is the most relevant in adopting a Cloud Computing strategy to remain truly competitive?
Answer Options Response Percent Response Count
Threat of new entrants 10.0% 4
Bargaining power of buyers 25.0% 10
Threat of Substitute product or services 22.5% 9
Bargaining power of suppliers 12.5% 5
Rivalry amongst existing competitors 30.0% 12
Source: Ellis (2011) 100.0% 40
Question 20
Which primary factor in your opinion could affect the forecasted double-digit growth within the Cloud Computing market?
Answer Options Response Percent Response Count
Security and Risk 47.5% 19
Legal Legislation 7.5% 3
Over-diluted Marketplace 10.0% 4
Lack of Innovation/Benefits 17.5% 7
Global Recession 17.5% 7
Source: Ellis (2011) 100.0% 40
Question 21
Which timeline is most applicable for the deployment of a Cloud Computing strategy for today’s global corporations?
Answer Options Response Percent Response Count
Immediate rollout 32.5% 13
<6 months 5.0% 2
6-12 months 25.0% 10
1-3 years 32.5% 13
3 years+ 5.0% 2
Source: Ellis (2011) 100.0% 40
Question 22
What will be the main driver forcing corporations into adopting a Cloud Computing strategy in the immediate future?
Answer Options Response Percent Response Count
Scalability/Flexibility of IT 20.0% 8
Short-Term Cost Efficiency 35.0% 14
Long-Term Cost Efficiency 17.5% 7
Open-interface Capability (Ability to utilise 3rd-party apps/programs) 0.0% 0
Innovation Capability 7.5% 3
Increased Product Competitiveness 2.5% 1
Time to Market-place 10.0% 4
Increased Market-place 0.0% 0
Fear of Non-Adoption 7.5% 3
Source: Ellis (2011) 100.0% 40
Question 23
Which of the below Cloud Computing products in your opinion will be the market-leader by the end of 2012?
Answer Options Response Percent Response Count
Private-Cloud, IaaS Solution 12.5% 5
Private-Cloud, PaaS Solution 10.0% 4
Private-Cloud, SaaS Solution 25.0% 10
Public-Cloud, IaaS Solution 7.5% 3
Public-Cloud, PaaS Solution 0.0% 0
Public-Cloud, SaaS Solution 17.5% 7
Community-Cloud, IaaS Solution 2.5% 1
Community-Cloud, PaaS Solution 0.0% 0
Community-Cloud, SaaS Solution 7.5% 3
Hybrid-Cloud, IaaS Solution 7.5% 3
Hybrid-Cloud, PaaS Solution 2.5% 1
Hybrid-Cloud, SaaS Solution 7.5% 3
Source: Ellis (2011) 100.0% 40
Question 24
Which of the below new cloud product services will grow during the next eighteen months?
Answer Options Response Percent Response Count
CaaS Communication as a Service 7.5% 3
StoaaS Storage as a Service 40.0% 16
SecaaS Security as a Service 30.0% 12
VaaS Video as a Service 17.5% 7
Other DaaS (Data as a Service) 2.5% 1
SaaS (Services as a Service) 2.5% 1
Source: Ellis (2011) 100.0% 40
Question 25
Which of the below providers are currently perceived as the market-leaders for Cloud Computing services?
Answer Options Response Percent Response Count
Traditional Cloud-Service Providers (Amazon / Salesforce / Google) 40.0% 16
Traditional Hardware/Software Providers (Microsoft / IBM / Apple / HP) 22.5% 9
Social-Service Providers (Facebook / Twitter / LinkedIn / MySpace) 7.5% 3
Application-Software Providers (VMware/Oracle/SAP) 30.0% 12
Source: Ellis (2011) 100.0% 40