Risk, Risk Management Strategies, and Benefits in Cloud Computing SITUATIONAL ANALYSIS

PREMISE STATEMENT

KEY DEFINITIONS

SERVICE AND DEPLOYMENT MODELS

BENEFITS OF CLOUD COMPUTING

SECURITY ASPECTS

Storage

Reliability

Virtualization

Trust

Physical Security

Legal Compliance

CLOUD COMPUTING RISKS

RISK Management STRATEGIES

Vendor Evaluation

Centralized Information Governance

Other Organization-Level Measures

Individual-Level Security Measures

Cloud computing model

Cloud computing service and deployment models

ISO/IEC broad categories

The emergence of cloud computing has tremendously transformed the world of computing. Today, individuals, organizations, and government agencies can access computing resources provided by a vendor on an on-demand basis. This provides convenience, flexibility, and substantial cost savings. It also provides a more efficient way of planning disaster recovery and overcoming fluctuations in the demand for computing resources. In spite of the benefits it offers, cloud computing presents significant security concerns, which users must clearly understand and put strong measures in place to address them. Users are particularly concerned about the privacy and confidentiality of their information as well as the integrity and capacity of the vendor. Cloud computing may increase the risk of data leakage and data loss, which may result in dire consequences for users and the cloud provider. However, with extensive vendor evaluation and centralized governance of confidential information, these concerns can be put to rest. Awareness and training as well as regular audit of risk management procedures are also important for addressing these concerns. If properly governed, cloud computing can deliver considerable benefits to users.

Running head: CLOUD COMPUTING 1

CLOUD COMPUTING 2

1. SITUATIONAL ANALYSIS

The world of information technology (IT) has experienced a rapid evolution in the last one and a half decades (Denning & Frailey, 2011). Cloud computing is an invention that has taken internet-based computing to a level never imagined a few decades ago. As of 2012, the cloud computing market was worth approximately $150 billion, an increase of more than 160% compared to 2009 (Budriene & Zalieckaite, 2012). In today's world, cloud computing provides an unprecedented solution for data storage, data access, data processing, and information sharing. Organizations are increasingly turning to scalable, pay-per-service cloud-based computing applications such as Amazon Web Services (AWS) and Google Cloud Services to process data efficiently while achieving cost savings (Srinivasan, 2012). With cloud computing, organizations may not need to invest in expensive information technology (IT) infrastructure (Alijani et al., 2014). Thus, cloud computing has helped reduce the cost of acquiring and maintaining IT systems substantially. In addition to cost savings, cloud computing provides flexibility and convenience (Srinivasan, 2013). With the emergence of powerful web-enabled mobile devices such as smartphones and tablets, data can now be accessed at the user's convenient time and location (Markovic et al., 2014).

The use of cloud computing has gained popularity not only amongst organizations, but also individuals (Markovic et al., 2014). Today, individuals increasingly rely on cloud-based services to store photos and other personal data such as documents, bill payments, and financial information. Popular cloud storage platforms include Google Drive, Google Docs, Drop Box, iCloud, and Amazon Drive. These platforms enable users to access their data from any geographical location with an internet connection. This avoids or minimizes the necessity of conventional, 'hard' storage media such as compact disks and flash drives.

Whereas cloud computing offers cheaper and convenient data storage and access, it presents significant security concerns. Privacy breach, loss of data, hacking, identity theft, and other forms of cybercrimes have become major concerns in the wake of increased cloud computing applications, acceptance, and usage (Budriene & Zalieckaite, 2012; Gold, 2012; Abiodun, 2013; Srinivasan, 2013; Neumann, 2014; Ismail, Golamdin & Shahzad, 2016; Rittle, Czerwinski & Sullivan, 2016). Hackers and other online criminals have become increasingly intrusive. Without robust security measures, malicious individuals can access crucial and confidential information, resulting in disastrous consequences for individuals and organizations.

On its part, the Department of Defense (DOD) acknowledges the risks and security concerns posed by cloud computing. As per the department's Risk Management Strategy (RMS), cloud computing activities must be conducted in accordance with department-wide and federal-level IT security requirements, notably the Federal Risk and Authorization Management Program (Fedramp) as well as the Cloud Computing Security Requirements Guide (SRG). Adherence to these guidelines is crucial for safeguarding sensitive information as well as guaranteeing operational efficiency and mission success.

2. PREMISE STATEMENT

Though cloud computing offers a powerful tool for DOD, commercial,...

This paper identifies the benefits and risks associated with the use of cloud computing by the government (particularly the DOD), commercial entities, and individuals; as well as the strategies that can be used to manage the risks. The remainder of the paper is organized into six major sections. In section 3, a definition of cloud computing is provided. Section 4 provides a description of cloud computing service and deployment models, while section 5 highlights the benefits of cloud computing. Attention is then paid to the security concerns raised by cloud computing in section 6, with specific consideration to aspects such as access, storage, trust, and legal compliance. Section 7 focuses on the risks associated with cloud computing. Risk management strategies are discussed in section 8.
3. KEY DEFINITIONS

Whereas there is no universally agreed definition, the term cloud computing generally refers to IT infrastructure and services that enable on-demand access to computing resources such as servers, network, operating systems, and applications (Srinivasan, 2013). Typically, the provider owns and controls the computing infrastructure and services. Customers can access the computing infrastructure and services via the internet at their time and location of convenience based on a pay-per-use or pay-as-you-go model (Jiang & Wu, 2016). This eliminates the need to own and maintain costly computing infrastructure, as well as locate data and applications in the user's hardware and servers (Markovic et al., 2014). It is important to note that customers in this case denote users of cloud computing services, who include individuals and organizations (Johnston, Loot & Esterhuyse, 2016).

On-demand access and resource pooling are the two main features that distinguish cloud computing from traditional computing (Alijani et al., 2014). On-demand access essentially means that users pay for the service based on their demand, just as they pay for ordinary utilities such as gas and electricity (Jolfaie et al., 2007). The aspect of resource pooling means that a pool of computing resources owned and controlled by the provider is shared by multiple tenants. These two features ensure a more efficient and cost-effective utilization of computing resources. In simpler terms, cloud computing entails outsourcing IT services (Budriene & Zalieckaite, 2012; Gonzalez & Smith, 2014). It "is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources" (Mitchell & Meggison, 2014, p. 1). Figure 1 below provides a simple representation of cloud computing.

Figure 1: Cloud computing model (CR -- computing resources; DW -- data warehouse)

Source: Budriene & Zalieckaite (2012, p. 123)

Although cloud computing became popular in the beginning of the 21st century, it is not really a new practice. Discourses and practices relating to cloud computing date as early as the mid-20th century (Budriene & Zalieckaite, 2012). For instance, organizations have hosted software and hardware externally as well as outsourced IT services for decades. Nevertheless, with the emergence of broadband internet, virtual solutions, and other powerful supportive technologies in the 1990s and 2000s, the notion of cloud computing has gone a notch higher (Budriene & Zalieckaite, 2012; Alali & Yeh, 2012).

4. SERVICE AND DEPLOYMENT MODELS

Cloud computing services are offered in three basic forms: software as a service (Saas), platform as a service (Paas), and infrastructure as a service (Iaas) (Srinivasan, 2013). Saas is the least complicated and most common of the three (Budriene & Zalieckaite, 2012). It offers hardware and software to the user without the complexities associated with running an IT system. The cloud provider fully controls the computing infrastructure, including servers, network and operating systems. Based on economies of scale, the provider is able to offer shared computing resources to a large number of users, most of whom are small and medium enterprises (SMEs) (Srinivasan, 2013). The users sign up for their desired computing resources -- data storage, memory volume, CPU capacity, and so forth (Budriene & Zalieckaite, 2012). A company email is an ideal example of Saas. Popular Saas products include Amazon's AWS, IBM's Cloudburst, Apple's iCloud, as well as Google's Gmail and Google Docs. In spite of its simplicity, Saas may not be appropriate for applications that require exceptionally fast processing of data (Markovic et al., 2014).

PaaS provides the user a platform with the basic capacity to run the user's applications (Srinivasan, 2013). The platform may involve an operating system, for instance. This service is mostly utilized by programmers and system developers. The service provides all the tools and resources for developing, testing, deploying, and hosting applications (Markovic et al., 2014). Paas has a built-in flexibility; though the cloud provider controls the underlying computing system, the user can control deployed applications as well as configuration settings (Srinivasan, 2013). Simply stated, the user has control over the applications deployed on the platform. Accordingly, the user is responsible for addressing the security concerns presented…