Cloud Computing and Computing

Risk, Risk Management Strategies, and Benefits in Cloud Computing

SITUATIONAL ANALYSIS

PREMISE STATEMENT

KEY DEFINITIONS

SERVICE AND DEPLOYMENT MODELS

BENEFITS OF CLOUD COMPUTING

SECURITY ASPECTS

Storage

Reliability

Virtualization

Trust

Physical Security

Legal Compliance

CLOUD COMPUTING RISKS

RISK Management STRATEGIES

Vendor Evaluation

Centralized Information Governance

Other Organization-Level Measures

Individual-Level Security Measures

Cloud computing model

Cloud computing service and deployment models

ISO/IEC broad categories

The emergence of cloud computing has tremendously transformed the world of computing. Today, individuals, organizations, and government agencies can access computing resources provided by a vendor on an on-demand basis. This provides convenience, flexibility, and substantial cost savings. It also provides a more efficient way of planning disaster recovery and overcoming fluctuations in the demand for computing resources. In spite of the benefits it offers, cloud computing presents significant security concerns, which users must clearly understand and put strong measures in place to address them. Users are particularly concerned about the privacy and confidentiality of their information as well as the integrity and capacity of the vendor. Cloud computing may increase the risk of data leakage and data loss, which may result in dire consequences for users and the cloud provider. However, with extensive vendor evaluation and centralized governance of confidential information, these concerns can be put to rest. Awareness and training as well as regular audit of risk management procedures are also important for addressing these concerns. If properly governed, cloud computing can deliver considerable benefits to users.

Running head: CLOUD COMPUTING 1

CLOUD COMPUTING 2

1. SITUATIONAL ANALYSIS

The world of information technology (IT) has experienced a rapid evolution in the last one and a half decades (Denning & Frailey, 2011). Cloud computing is an invention that has taken internet-based computing to a level never imagined a few decades ago. As of 2012, the cloud computing market was worth approximately $150 billion, an increase of more than 160% compared to 2009 (Budriene & Zalieckaite, 2012). In today's world, cloud computing provides an unprecedented solution for data storage, data access, data processing, and information sharing. Organizations are increasingly turning to scalable, pay-per-service cloud-based computing applications such as Amazon Web Services (AWS) and Google Cloud Services to process data efficiently while achieving cost savings (Srinivasan, 2012). With cloud computing, organizations may not need to invest in expensive information technology (IT) infrastructure (Alijani et al., 2014). Thus, cloud computing has helped reduce the cost of acquiring and maintaining IT systems substantially. In addition to cost savings, cloud computing provides flexibility and convenience (Srinivasan, 2013). With the emergence of powerful web-enabled mobile devices such as smartphones and tablets, data can now be accessed at the user's convenient time and location (Markovic et al., 2014).

The use of cloud computing has gained popularity not only amongst organizations, but also individuals (Markovic et al., 2014). Today, individuals increasingly rely on cloud-based services to store photos and other personal data such as documents, bill payments, and financial information. Popular cloud storage platforms include Google Drive, Google Docs, Drop Box, iCloud, and Amazon Drive. These platforms enable users to access their data from any geographical location with an internet connection. This avoids or minimizes the necessity of conventional, 'hard' storage media such as compact disks and flash drives.

Whereas cloud computing offers cheaper and convenient data storage and access, it presents significant security concerns. Privacy breach, loss of data, hacking, identity theft, and other forms of cybercrimes have become major concerns in the wake of increased cloud computing applications, acceptance, and usage (Budriene & Zalieckaite, 2012; Gold, 2012; Abiodun, 2013; Srinivasan, 2013; Neumann, 2014; Ismail, Golamdin & Shahzad, 2016; Rittle, Czerwinski & Sullivan, 2016). Hackers and other online criminals have become increasingly intrusive. Without robust security measures, malicious individuals can access crucial and confidential information, resulting in disastrous consequences for individuals and organizations.

On its part, the Department of Defense (DOD) acknowledges the risks and security concerns posed by cloud computing. As per the department's Risk Management Strategy (RMS), cloud computing activities must be conducted in accordance with department-wide and federal-level IT security requirements, notably the Federal Risk and Authorization Management Program (Fedramp) as well as the Cloud Computing Security Requirements Guide (SRG). Adherence to these guidelines is crucial for safeguarding sensitive information as well as guaranteeing operational efficiency and mission success.

2. PREMISE STATEMENT

Though cloud computing offers a powerful tool for DOD, commercial, and public use, it carries substantial security risks that all users must understand, and which must be addressed via a comprehensive risk management strategy. This paper identifies the benefits and risks associated with the use of cloud computing by the government (particularly the DOD), commercial entities, and individuals; as well as the strategies that can be used to manage the risks. The remainder of the paper is organized into six major sections. In section 3, a definition of cloud computing is provided. Section 4 provides a description of cloud computing service and deployment models, while section 5 highlights the benefits of cloud computing. Attention is then paid to the security concerns raised by cloud computing in section 6, with specific consideration to aspects such as access, storage, trust, and legal compliance. Section 7 focuses on the risks associated with cloud computing. Risk management strategies are discussed in section 8.

3. KEY DEFINITIONS

Whereas there is no universally agreed definition, the term cloud computing generally refers to IT infrastructure and services that enable on-demand access to computing resources such as servers, network, operating systems, and applications (Srinivasan, 2013). Typically, the provider owns and controls the computing infrastructure and services. Customers can access the computing infrastructure and services via the internet at their time and location of convenience based on a pay-per-use or pay-as-you-go model (Jiang & Wu, 2016). This eliminates the need to own and maintain costly computing infrastructure, as well as locate data and applications in the user's hardware and servers (Markovic et al., 2014). It is important to note that customers in this case denote users of cloud computing services, who include individuals and organizations (Johnston, Loot & Esterhuyse, 2016).

On-demand access and resource pooling are the two main features that distinguish cloud computing from traditional computing (Alijani et al., 2014). On-demand access essentially means that users pay for the service based on their demand, just as they pay for ordinary utilities such as gas and electricity (Jolfaie et al., 2007). The aspect of resource pooling means that a pool of computing resources owned and controlled by the provider is shared by multiple tenants. These two features ensure a more efficient and cost-effective utilization of computing resources. In simpler terms, cloud computing entails outsourcing IT services (Budriene & Zalieckaite, 2012; Gonzalez & Smith, 2014). It "is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources" (Mitchell & Meggison, 2014, p. 1). Figure 1 below provides a simple representation of cloud computing.

Figure 1: Cloud computing model (CR -- computing resources; DW -- data warehouse)

Source: Budriene & Zalieckaite (2012, p. 123)

Although cloud computing became popular in the beginning of the 21st century, it is not really a new practice. Discourses and practices relating to cloud computing date as early as the mid-20th century (Budriene & Zalieckaite, 2012). For instance, organizations have hosted software and hardware externally as well as outsourced IT services for decades. Nevertheless, with the emergence of broadband internet, virtual solutions, and other powerful supportive technologies in the 1990s and 2000s, the notion of cloud computing has gone a notch higher (Budriene & Zalieckaite, 2012; Alali & Yeh, 2012).

4. SERVICE AND DEPLOYMENT MODELS

Cloud computing services are offered in three basic forms: software as a service (Saas), platform as a service (Paas), and infrastructure as a service (Iaas) (Srinivasan, 2013). Saas is the least complicated and most common of the three (Budriene & Zalieckaite, 2012). It offers hardware and software to the user without the complexities associated with running an IT system. The cloud provider fully controls the computing infrastructure, including servers, network and operating systems. Based on economies of scale, the provider is able to offer shared computing resources to a large number of users, most of whom are small and medium enterprises (SMEs) (Srinivasan, 2013). The users sign up for their desired computing resources -- data storage, memory volume, CPU capacity, and so forth (Budriene & Zalieckaite, 2012). A company email is an ideal example of Saas. Popular Saas products include Amazon's AWS, IBM's Cloudburst, Apple's iCloud, as well as Google's Gmail and Google Docs. In spite of its simplicity, Saas may not be appropriate for applications that require exceptionally fast processing of data (Markovic et al., 2014).

PaaS provides the user a platform with the basic capacity to run the user's applications (Srinivasan, 2013). The platform may involve an operating system, for instance. This service is mostly utilized by programmers and system developers. The service provides all the tools and resources for developing, testing, deploying, and hosting applications (Markovic et al., 2014). Paas has a built-in flexibility; though the cloud provider controls the underlying computing system, the user can control deployed applications as well as configuration settings (Srinivasan, 2013). Simply stated, the user has control over the applications deployed on the platform. Accordingly, the user is responsible for addressing the security concerns presented by the deployed applications. Having control over deployed applications provides an important benefit to the user. Whenever a hardware or software change is needed, provisioning takes just a few days rather than weeks. Nonetheless, the utility of Paas is mainly limited to applications without high portability requirements (Markovic et al., 2014). Popular Paas platforms include Google's App Engine, Microsoft's Azure, and Rackspace's Rackspace Cloud.

IaaS, which is the highest service level in cloud computing, is virtually similar to Paas in terms of features (Srinivasan, 2013). However, the difference is that, the user has full control over not only deployed applications, but also the computing infrastructure. In this computing system, the users have full control, though they do not own it. This extended control means that the user has to contend with more security challenges. Simply stated, the user is responsible for all aspects of security relating to the underlying computing infrastructure as well as deployed applications. This model tends to be appropriate in situations characterized by volatile demand and for new organizations without adequate capital to acquire hardware (Markovic et al., 2014). Popular Iaas platforms include Amazon's EC2 and S3, IBM's Blue Cloud, and EMC's Atmos.

In addition to the three service models, cloud computing services fall under four deployment models: public cloud (customers share the computing infrastructure with other customers); private cloud (the computing system is used by only one customer); hybrid cloud (a combination of the public and private cloud); and community cloud (utilized by organizations in the same industry or with a shared focus such as financial services and health care (Srinivasan, 2013). The public cloud is the most common deployment model, with approximately two thirds of cloud computing customers using it (Srinivasan, 2013). Nonetheless, the public cloud offers less security compared to the private cloud, whose usage is widespread amongst large organizations (Budriene & Zalieckaite, 2012). In essence, each deployment model addresses the needs of customers at varying levels (Rawal, 2011). For instance, SMEs normally prefer the public cloud while large organizations prefer the private cloud. In addition, a community cloud enables organizations in the same industry to use computing resources in a more cost-effective manner. Figure 2 below depicts the three service models and the four deployment models.

Figure 2: Service and deployment models

Source: Srinivasan (2013, p. 54)

5. BENEFITS OF CLOUD COMPUTING

The core of cloud computing is to exploit economies of scale in the provision of IT services by offering them on demand in a decentralized manner (Srinivasan, 2013). As technology has evolved significantly over the years, organizations -- whether large or small -- now require more computing resources to more efficiently carry out their everyday activities. Further, it is expected that computing demands will be even greater in the future as technology advances and as organizations seek to fully digitize their operations (Budriene & Zalieckaite, 2012; Gonzalez & Smith, 2014; Ismail, Golamdin & Shahzad, 2016).

Keeping up with the elastic nature of computing demands can be a daunting challenge for most organizations -- small, medium and large. An organization typically requires a substantial amount of resources to acquire and maintain IT infrastructure as well as the associated human resources. With cloud computing, IT resources can be shared and accessed on an on-demand basis (Srinivasan, 2013). It eliminates or reduces the burden of hardware and software acquisition and maintenance. Cloud computing also provides unlimited space for storage, which can be a major challenge in today's world. Organizations now process, generate or handle increasingly large amounts of data. With unlimited space in the cloud, users can contend the burden and limitations of traditional storage. Cloud computing, therefore, delivers significant cost savings for organizations. Indeed, cloud computing costs have been estimated to be three to five times less than traditional computing costs (Alijani et al., 2014). Cost savings are particularly meaningful for SMEs, which tend to be financially constrained (Budriene & Zalieckaite, 2012; Gonzalez & Smith, 2014).

Cost savings can also be particularly valuable for public sector organizations (Rawal, 2011). This is specifically true for the DOD. According to Research Information Limited (2010b), modernizing IT functions at the agency can deliver substantial costs savings. This is specifically true in the wake of reduced government spending on defense. Since the withdrawal of the military from Iraq and Afghanistan, there have been reduced budget allocations to the DOD, with the government seeking to have a smaller workforce and a leaner agency. By adopting cloud computing, the DOD can more readily sail through the budget cuts. The agency is the largest employer in not only the U.S., but also worldwide, with over 2.5 million employees. A significant proportion of this number is involved in activities that require extensive movement within the country and to other countries in an effort to gather intelligence. With such a mobile workforce, cloud computing can offer substantial cost advantages.

Another benefit of cloud computing is that it enables organizations to more easily overcome fluctuations in the demand for computing resources (Srinivasan, 2013). At times, the demand for computing resources may be greater than other times. This is particularly true for organizations with peak or seasonal demand such as those in the sports and entertainment industries. Providers of tax services also tend to have excess workloads during certain months. An organization may not have the financial strength to invest in more computing resources during peak demand. With cloud computing, however, the organization can easily keep up with demand elasticity without bearing substantial costs (Gonzalez & Smith, 2014).

Cloud computing also offers a valuable way of backing up data and planning for disaster recovery (Srinivasan, 2013). The loss of data due to events such as hardware and software failures as well as natural disasters can be extremely daunting for an organization. Recovering from such events may consume a substantial amount of time, effort, and resources. With cloud computing, however, the process of recovering from a disaster can be much easier as the recurring nature of recovery in the traditional computing environment is avoided. Cloud computing also makes the backing up of data a less costly, time consuming, and involving undertaking (Srinivasan, 2013). In the conventional environment, backing up data is usually done on a daily and weekly basis. With cloud computing, data can be backed up automatically, eliminating the need for periodic backups. This not only minimizes the time and effort involved in backing up data, but also avoids the duplication of data. Other important benefits of cloud computing include facilitation of technological agility and acceleration of organizational growth (Mitchell & Meggison, 2014; Johnston, Loot & Esterhuyse, 2016; Ismail, Golamdin & Shahzad, 2016).

Overall, as put by Schmidt, Wood & Grabski (2016), cloud computing can be a crucial source of competitive advantage for organizations in an increasingly competitive and dynamic environment. Owing to resource limitations, organizations are constantly under pressure to deliver more with less. In addition, the global economy has increasingly become knowledge-based, compelling organizations to rely on huge amounts and variety of information in their decision-making processes. Cloud computing provides a convenient and valuable way through which organizations can take of advantage of modern computing technologies without substantial investments in IT infrastructure and personnel. In fact, cloud computing has been termed as not only a computing platform, but also a business model (Budriene & Zalieckaite, 2012; Markovic et al., 2014). It enables new business models, drives value and revenue, offers strategic support, and enhances operational efficiency.

For individuals, cloud computing offers flexibility, convenient data storage and access, as well as cost savings (Rawal, 2011). With data stored in a cloud such as Drop Box, an individual can access the data wherever they are and whenever they want as long as they have internet access. This means that it is no longer necessary for one to travel around with flash drives and other forms of traditional storage, which are often vulnerable to loss, theft, and failure. Storing data in the cloud also means reduced need for purchasing conventional storage media as well as more secure backup. As explained by Neumann (2014), most individuals do not backup their data frequently or at all. For such individuals, cheap and automatic backup enabled by cloud computing platforms comes as a respite and convenience. Cloud computing also enables individual users to easily share information and content online. Thus, cloud computing offers limitless possibilities for individuals as well as organizations in both the public and the private sector.

6. SECURITY ASPECTS

Notwithstanding the benefits it provides, cloud computing presents significant security concerns for users. Security is indeed the top concern inhibiting the adoption of cloud computing amongst both individuals and organizations (Kalyvas, Overly & Karlyn, 2013). Users often worry about privacy, confidentiality, access, availability, and provider integrity (Abiodun, 2013). Security concerns in the cloud computing environment can generally be examined from the perspective of the following aspects: storage, access, reliability, virtualization, trust, physical security, and legal compliance.

Storage

Data storage is one of the major applications for which individuals and organizations use cloud computing platforms. Cloud computing provides users with a cheaper way of storing large volumes of data. This is important for data backup, recovery and continuity in the event of unanticipated situations such as data loss (Srinivasan, 2013). The storage aspect, however, presents a number of challenges for the user. First, lack of control over the computing infrastructure and applications is a risk on its own. Users may be concerned about the provider's capacity to safeguard the system from attack and prevent the leakage or loss of data. Though Paas users are responsible for the security of their applications, they still rely on the provider to protect the underlying computing infrastructure from attack and intrusion (Johnston, Loot & Esterhuyse, 2016). For Iaas users, the major concern relates to privacy, especially with regard to data leakage (Srinivasan, 2013). System attacks and data leakage would significantly affect both the user and the provider.

Access

Closely related to storage is the aspect of access. Customers store data in a cloud primarily to facilitate convenient access (Rawal, 2011). Nonetheless, the question of who can access data stored in a cloud remains a highly contentious issue. Information stored in a cloud may be more accessible compared to information held by its creator (Srinivasan, 2013). Indeed, it is often easier for the government to acquire information from a central source like a cloud provider rather than several individuals and/or organizations. This raises significant privacy concerns for users of cloud computing services. Cloud computing users usually want assurance that they are protected against government surveillance (Neumann, 2014).

Concerns may emanate from not only access to information, but also access to software as well as physical access to hardware (Srinivasan, 2013). Generally, users of cloud computing services want to know the extent to which access to information, software, and hardware is controlled (Srinivasan, 2013). They demand to know aspects such as who can access hardware and software, privileged users, authentication mechanisms, encryption measures, firewall configurations, system up time, as well as access logs. In the absence of these controls, access to confidential information may be compromised.

Concerns relating to access may also stem from malicious attacks. Malicious attacks represent one of the biggest threats to confidential information in the online environment (Research Information Limited, 2010a). Without strong security controls, hackers and other cyber criminals can easily gain access to confidential information stored in the cloud to the disadvantage of the both the user and the vendor. In 2011, for instance, a successful hacking attempt significantly affected an entertainment firm, with approximately 100 million customer files being compromised (Gold, 2012). This incident is a just one of the numerous instances of cloud computing breaches.

Outsourcing data to third parties also poses a significant risk for individuals and organizations (Research Information Limited, 2010a). It could even be the biggest threat to confidential information. It is common for organizations to outsource external parties to do some work on their behalf. This is often informed by the need to cut down costs or take advantage of expertise the organization may not have. Nonetheless, despite the presence of explicit contract terms and conditions, the risk of losing confidential information cannot be overlooked. Outsourcing to third parties usually means that the client has to give the outsourced party access to critical information such as customer records.

Threats to confidential information may emanate from not only outside, but also within the organization. Insider threats are particularly important, though they are often overlooked. According to Neumann (2014), insider misuse is a major concern as far as access to information in the cloud computing environment is concerned. Essentially, cloud computing raises important concerns about data access that must be carefully considered prior to adoption.

Further concerns about data accessibility emanate from uncertainty on the part of the user over the extent to which data deleted from storage can be accessed (Srinivasan, 2013). In the traditional computing environment, the user has control over information creation, storage, maintenance and deletion. With cloud computing, however, the burden of maintenance is removed from the user. Whereas this is beneficial to the user, the user may not be entirely certain whether deleted data can be accessible. The challenge of deletion and data recoverability is actually a major concern for users of cloud computing services (Alali & Yeh, 2012; Neumann, 2014). A flexible, dispersed method may be helpful in addressing this problem (Srinivasan, 2013). This method ensures storage precision and facilitates dynamic activities such as data update and deletion.

Reliability

The issue of access brings forth the issue of reliability. Users of cloud computing services desire uninterrupted access to their data -- they want information to be available whenever needed (Rawal, 2011). In a survey of 370 small firms in New Orleans, U.S., it was found that availability is a major concern as far as the adoption of cloud computing is concerned (Alijani et al., 2014). Nonetheless, some unexpected events may hinder access to information, notably cloud outages and raids by law enforcement authorities. Major cloud providers, especially Microsoft, Google and Amazon, have experienced outages in the past. Key among these includes the 2011 failure of Amazon's AWS and the 2007 failure of Rackspace due to power supply interruption (Srinivasan, 2013). In some instances, the failure may result in permanent loss of data, like in the case Amazon (Kalyvas, Overly & Karlyn, 2013). The ramifications of cloud failure may be substantial even for minor failures like in September 2011 when a three-hour failure of Microsoft's Hotmail and Office 365 turned out to be extremely costly for enterprise users (Kalyvas, Overly & Karlyn, 2013).

Cloud providers may also be required by law enforcement authorities to remove or shut down a portion of their storage system for purposes of investigation. An example of such a scenario occurred in 2009 when law enforcement personnel raided a provider's data center in Dallas (Srinivasan, 2013). The raid affected several other customers as they could not access their data for some time. Such events often raise considerable reliability concerns amongst customers. Reliability may be an even greater concern for customers that rely on a single provider, or those without backup outside the cloud service provider. In the case of Amazon, for instance, the permanent loss of data is likely to have been a huge loss for users that did not have an alternative backup plan.

Concerns about reliability may cause customers to shift to a different provider. Nonetheless, this may not be a straightforward undertaking. Despite greater compatibility between different cloud computing platforms, most storage Application Program Interfaces (APIs) are proprietary in character (Srinivasan, 2013). This makes it quite difficult for a customer to shift to another service provider. Indeed, switching difficulty is one of the major factors that hinder the adoption of cloud computing (Srinivasan, 2013). As explained by Rawal (2011), users concerned about vendor lock-in may be reluctant to adopt cloud computing.

Virtualization

As mentioned earlier, an important advantage of cloud computing is the cost effectiveness provided by taking advantage of economies of scale. With cloud computing, a provider is able to offer virtual devices and applications to several users on a single computing system (Srinivasan, 2013). Additionally, users are able to view the position of their virtual devices within the cloud. This increases server utilization, which remains undesirably low in most organizations (Srinivasan, 2013). Nonetheless, hackers can rely on virtualization to attack the cloud. This is particularly true for a public cloud, which is usually characterized by multiple tenants. Hackers can cunningly bypass encryption keys, which provide the major defense for data, resulting in data leakage. Virtualization can also result in data co-mingling, which can in return increase the possibility of data leakage and hence privacy violations (Srinivasan, 2013).

Trust

Lack of control over the underlying computing systems and applications raises important questions about trust. This is particularly true for Saas and Paas. With full control of the computing infrastructure, the provider may steal confidential data or leak it to accomplices. The likelihood of system administrators unintentionally or intentionally disclosing confidential information they are privy to, cannot be ignored (Abiodun, 2013). The importance of trust in the cloud computing environment cannot be overemphasized (Rawal, 2011). Typically, customers use a cloud computing platform when they can trust the cloud provider. They want assurance that the provider adheres to proper information security practices with a view to protecting both the customer and the provider. In addition, users want transparency in the disclosure of those practices (Srinivasan, 2013). They want the provider to truthfully reveal information about critical aspects such as physical security, legal compliance, encryption measures, data backup and recovery, incident management, as well as records of security attacks.

Some commentators have recommended the use of a trustworthy third party predominantly focused on guaranteeing cloud security (Srinivasan, 2013; Abiodun, 2013). This would enhance trust in the cloud computing environment as well as confidentiality and integrity. Nevertheless, whereas third parties may bridge the trust gap between the user and the provider, the possibility of data leakage may not be ignored altogether. Administrators of the third party may as well as leak data to unauthorized persons, accidentally or maliciously. Instances of untrustworthy third parties are not uncommon (Neumann, 2014).

Physical Security

Physical security also raises significant security concerns as far as cloud computing is concerned. Cloud computing is powered by expensive computing infrastructure, notably servers. In most cases, the user has no control over the underlying computing infrastructure. The user may also not know the physical location of the infrastructure (Alijani et al., 2014). Accordingly, the burden of securing the infrastructure is borne by the provider. While the provider may have robust measures in place to guarantee infrastructure security, the possibility of security compromises cannot be disregarded. In the event of a compromise in physical security, it may not be clear who to bear liability for the resultant losses (Srinivasan, 2013). Though major cloud providers such as Google, Amazon and Microsoft guarantee physical security, this is an issue that should be on the agenda during information security planning.

Legal Compliance

The data held in cloud computing platforms is generally of a confidential character. Accordingly, cloud providers are subject to a number of legal frameworks relating to information privacy and confidentiality, such as the Electronic Communications Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) (Holbrook, 2010; Srinivasan, 2013). Without adherence to these regulations, a provider may lose the trust of users, which is vital in the cloud computing environment. The provider may also be subject to expensive lawsuits, which may further diminish the confidence of the public in the provider. In addition to privacy, there could be concerns relating to copyright and intellectual property infringement (Srinivasan, 2013). For instance, there have been instances of users suing cloud providers for permitting unlawful redistribution of copyrighted content.

Legal compliance concerns are further compounded by the lack of comprehensive, clear, universally acceptable standards for cloud computing. This is despite the fact that cloud computing is a rapidly evolving phenomenon (Srinivasan, 2013). Even so, there are a few international frameworks that stipulate guidelines cloud computing security, notably ISO 17799 (Srinivasan, 2012). The framework was jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the 1990s. It was updated to ISO/IEC 27002 in 2005 (Srinivasan, 2012). Despite the existence of this framework, cloud computing security remains a major challenge.

7. CLOUD COMPUTING RISKS

Cloud computing potentially increases users' vulnerability to the risk of data breach and data loss. Data breach and loss can have disastrous consequences on individuals and organizations. According to a study conducted by Ponemon Institute in 2009, data loss incidents cost public and private sector organizations an average of €1.9 million, the cost being quite higher in private sector organizations (Research Information Limited, 2010a). The study involved 17 French public and private sector organizations in different industries. The costs generally arise from activities such as investigation, forensics, advisory fees and legal representation, which are often time and resource consuming. The cost of data breach may also come in the form of reduced customer confidence, which may often result in customer turnover, revenue loss, and reputational damage (Gold, 2012). Loss of customer confidence is perhaps the most significant impact to any organization. With increased online transactions, consumers want assurance that the confidential information they provide to organizations is always safe. Access of confidential information by unauthorized persons often sends a message to consumers that the information held by the organization concerning them is unsafe, which reduces their trust in the organization, and to a varied extent, to the industry (dealing in cloud computing services).

The consequences of data loss or breach may be even more disastrous for the DOD. As a military organization, the agency handles extremely classified information relating to aspects such as enemy characteristics, surveillance, and warfare tactics (Holbrook, 2010). Access to or loss of such information can significantly affect national security. It may cause classified information to find its way in the hands of adversarial states and organizations, which would in turn use the information to plan attacks against the country or evade counterattacks. Cloud computing security is, therefore, a matter of not only individual and organizational importance, but also national importance.

8. RISK Management STRATEGIES

In spite of the awareness of the immense risks posed by cloud computing and the vulnerability of confidential information to cyber-attacks, majority of users lack a comprehensive, proactive risk management strategy -- they usually react when an incident occurs (Research Information Limited, 2010a). This is particularly true for public sector organizations. A proper risk management strategy is crucial if cloud computing risks are to be avoided or minimized.

Vendor Evaluation

The first step in managing cloud computing risks is determining the information to be entrusted with the cloud vendor (Gold, 2012). Users possess sensitive information which they want safeguarded all the time. The information may relate to aspects such as trade secrets, highly classified operations, as well as personal details of employees and customers. Such information obviously requires high-level protection if the owner elects to entrust it to a cloud vendor.

Identifying the degree of sensitivity inherent in the information to be entrusted to the vendor enables the user to determine the diligence to which the vendor can be subjected. Organizations must clearly understand the cloud provider they are dealing with, particularly with respect to their security policies and practices. The policies and practices should be clearly defined in the service level agreement (SLA). As explained by Mitchell & Meggison (2014), users must be concerned with the ethical behavior of cloud providers if they have to guarantee the privacy, confidentiality, and integrity of their information. In addition, users must conduct the necessary due diligence prior to entering into a service agreement with a vendor (Kalyvas, Overly & Karlyn, 2013). This entails a comprehensive evaluation of the vendor's ability to meet their promises with respect to protecting information. Techniques such as attestations, onsite audits, questionnaires, and third-party assessment can be useful in evaluating vendor capacity and reliability (Gold, 2012). It is, however, important to note that some vendors may not allow audits of their processes and infrastructure (Rittle, Czerwinski & Sullivan, 2016).

The ISO/IEC 27002 framework provides useful guidelines that users can use to evaluate vendors. The model identifies three broad areas that need attention: organizational infrastructure, technical infrastructure, and information protection (figure 3) (Srinivasan, 2012, p. 130).

Figure 3: ISO/IEC broad categories

Source: Srinivasan (2012, p. 130)

Each category carries a number of measures for ensuring cloud computing security. Organizational infrastructure includes three aspects: organizational security, asset classification and control, as well as information security and policy (Srinivasan, 2012). Organizational security means that the cloud provider must have the necessary procedures for governing the information system. Asset classification and control involves defining the enterprise's assets as well as measures for protecting them. Assets in this case may include data, files, applications, and so on. Consideration should also be made to the vendor's security policy, especially with respect to security guidelines and standards.

Technical infrastructure includes four elements: access control, systems development and maintenance, communications and operations management, as well as physical and environmental security (Srinivasan, 2012). The vendor must have measures in place for noticing unauthorized access. Controlled access to networks, applications, operating systems, and other components of the computing infrastructure is particularly important for preventing unauthorized access to the cloud. Also, there should be measures for guaranteeing network security and confidentiality as well as preventing damage to assets. More importantly, the vendor must ensure that the physical computing infrastructure is located in secure facilities. Since most users do not have control over the underlying computing infrastructure, they must be certain that the vendor takes the necessary precautions to safeguard the infrastructure.

Information protection entails four aspects: human resources security, business continuity management, compliance, and risk management (Srinivasan, 2012). The aspect of human security means that the vendor must adhere to sound procedures in hiring and training system administrators. In addition, the vendor must provide users with the necessary training to ensure security guidelines are properly followed and security incidents are effectively addressed. Business continuity management means putting measures in place to ensure the continuity of operations in the event of unanticipated disasters such as outages, telecommunication failures, natural disasters, and bankruptcy. Such measures may include backup and data migration plans. Attention should also be paid to compliance with the relevant legal requirements as well as continuous identification and evaluation of risks. Other aspects that may be considered relate to data ownership, withholding of services in case of circumstances such as fee disputes, service responsiveness, as well as user simultaneity (Kalyvas, Overly & Karlyn, 2013).