This paper explores the growing adoption of cloud computing by businesses of all sizes, arguing that while uploading and downloading data in the cloud is currently well protected when proper precautions are followed, data storage security warrants further research. Drawing on a qualitative review of peer-reviewed and industry literature, the paper surveys definitions of cloud computing, outlines its key benefits — including cost reduction, scalability, and rapid implementation — and identifies significant risks such as data breaches, service interruptions, dependency on third-party providers, and data commingling. The paper also examines NIST security guidelines, AICPA Service Organization Controls reports, and best practices for businesses transitioning to cloud-based environments.
The paper exemplifies a structured qualitative literature review that follows a clear methodological rationale. The author explicitly cites Fraenkel and Wallen, Gratton and Jones, and Wood and Ellis to justify the literature review approach, then applies Noblit and Hare's meta-ethnographic framework to synthesize findings. This transparency about methodology is a hallmark of rigorous academic writing.
The paper opens with a contextualizing introduction that establishes the business case for IT investment and the emerging shift toward cloud computing. A formal literature review section follows, subdivided into a background overview heavy with definitions and trend data, and a dedicated risk analysis section. A brief methodology section justifies the qualitative approach. The conclusion synthesizes findings into a balanced verdict on cloud computing's promise and its security challenges.
Businesses utilize Information Technology (IT) — such as computer hardware and software — to run their operations. Even small companies such as a local gift shop have at least one computer that runs accounting or point-of-service applications. In today's economy, it is not uncommon to find businesses in virtually every industry utilizing complex IT hardware and software. Salespeople use customer relationship management systems to manage interactions with their customers. They may also use applications that identify sales leads to help generate potential new sources of revenue. All of these activities are done with a computer or mobile device. Logistics departments utilize software that helps match open orders ready for shipment with the cheapest available carrier automatically. Plant managers monitor and adjust their production lines using software specifically designed for manufacturing. Analysts uncover important trends and business insights through business intelligence applications, which pull information from company databases stored on locally owned and maintained servers (Slabeva 2010, 47).
Information technology is vital in helping businesses reduce costs and generate more revenue. In today's highly competitive and increasingly globalized economy, IT hardware and software make it possible to reduce costs through automating and increasing the efficiency of tasks, including customer billing and product development. Businesses using IT solutions can increase revenues through business analysis and customer service applications, and may also use marketing options associated with web applications. In many cases, within a given industry, the company with the best IT hardware and software has the advantage over its competitors in efficiency and revenue opportunities. They may have access to technology their competitors do not, or they may utilize shared technology more effectively to create an advantage (Armbrust et al. 2009, 14).
Harnessing the potential benefits of information technology is now important for all businesses. However, it can be expensive when significant hardware is required, and this can be an obstacle for smaller companies (Talbert 2011). For example, both a large and a small shipping company may want to invest in third-party sales forecasting software. That software may require investment in expensive software volume licenses, new servers and computers, or additional IT personnel (Buyya, Yeo & Venugopal 2008, 1). For the large company, financing this investment is less of a problem than it is for the smaller company, which may not have the money available to invest in the software, computers, servers, and IT resources necessary to successfully implement the forecasting software (Slabeva 2010, 50).
Currently, the software and servers a business implements must exist close to its client computers to maximize the efficiency of application execution (Armbrust et al. 2009). This paradigm is what makes investment in information technology expensive for businesses. All of the software on client machines in an organization must be installed and updated individually, requiring investment in IT human resources (Buyya, Yeo & Venugopal 2008, 1). In addition, departments using complex software may need to invest in high-performance, high-cost computers in order for the software to run properly. As this software improves and grows more complex over time, investment in new hardware to replace outdated computers may be necessary. Furthermore, business data must be stored on physical servers that require heavy investment to purchase and maintain (Armbrust et al. 2009, 3).
The current IT paradigm used by most businesses involves having all hardware, software, and data storage close to the place of business. While this paradigm is currently pervasive, it is predicted that in the not-so-distant future, businesses will rapidly shift to cloud computing. Cloud computing can be understood as a model in which computing is viewed as a service instead of a product — one in which information, software, and data storage are provided to computers and other devices as a service. This can be conceptualized as similar to the way electricity is provided to many clients over a grid (Armbrust et al. 2009, 12). These services are most commonly provided over the Internet. In the cloud computing model, software and hardware exist as services shared by many companies. Software in the cloud can be accessed through lightweight front-end applications such as a simple web browser, with the majority of processing occurring on the third-party providers' machines. All of this is predicted to yield reduced costs through increased technology scalability options, cheaper client hardware, and reduced IT labor costs. In addition, the cloud computing model provides for more rapid technology updates and increases software availability across various operating systems and mobile devices (Harding 2011, 38, 42–44).
As cloud computing matures, businesses are more likely to invest in cloud-based technologies such as remote data storage, because of the significant cost reductions and technology advantages associated with storing data on remote servers operated by third parties (Armbrust et al. 2009, 12). Many companies, though, are wary of issues inherent in cloud computing such as data security, auditability, and availability. Notwithstanding these potential constraints and threats, it is the thesis of this paper that the uploading and downloading of information into the cloud are currently well protected and safe from data abuse provided certain steps are followed. Furthermore, data in the cloud is also likely to be safe, and these concerns should not serve as a deterrent for businesses to use the cloud. Additional research needs to be done on the safety level of data storage in the cloud, and this paper puts forth suggestions for possible research in this area as discussed further in the literature review below.
As the inexorable march toward pervasive computing continues, computers and wireless devices are becoming smaller and the number of online services available continues to proliferate. This shift from on-site computing to web-based computing is cited by Smith, who reports: "Pioneers like Google offer a future driven by online services in which the average consumer needs a less powerful personal computer, not a more powerful one. They suggest that all of the computational, storage, and networking power that you need will reside in 'the cloud'" (2009b, 9). Although there is no universally recognized definition for the term "cloud computing" (Brown 2011, 2), some salient examples from the peer-reviewed literature include the following:
1. "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources, including servers, data storage and applications and services" (Brown 2011, 2).
2. "In essence, [cloud computing] is a means of renting computers, storage and network capacity on an hourly basis from some company that already has these resources in its own data center and can make them available to you and your customers via the Internet" (Smith 2009a, 66).
3. "Cloud computing is an approach that places application processing and storage in network-based data centers, rather than in end-user devices such as personal computers" (Werbach 2011, 1762).
4. "The easiest way to think about cloud computing is as doing business on the Web, therefore eliminating the need for in-house technology infrastructure — servers and software to purchase, run and maintain. Unlike traditional software, which is distributed and deployed on-premise, cloud applications are designed for Web deployment. They are multitenant (delivered by one vendor to many customers), and users share processing power and space that is managed by the vendor" (Defelice 2010, 50).
5. "Cloud computing is maintaining data, applications and programs on a remote server that can be accessed through many devices, such as desktop computers, netbooks or smartphones" (Salow, Meier & Goodwin 2011, 43).
6. "A cloud computing delivery method is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand" (Mauro 2010, 24).
Gozzi offers a more straightforward definition: "Cloud computing involves sending your computing tasks away from your computer, to a cloud of computers that will send back results. Or perhaps the cloud will house applications, so you do not need to have them on your computer" (2010, 119). Irrespective of the precise definition used, it is apparent that the growth of and interest in cloud computing have been significant. One industry observer suggests that, "It is pretty much a given that the use of outsourced services delivered over the internet, as opposed to maintaining software and other infrastructure in-house, will grab hold of business. It's a tidal wave that's going to engulf us all within the next five years. Cloud services will be a $160 billion industry by the end of 2011" (Ginovsky 2011, 21).
Although the decision to transition from a traditional approach to cloud computing will depend on each organization's unique circumstances, a number of general benefits have been cited for companies that have made the partial or complete transition, including the following:
1. It reduces cost in the organization.
2. It does not require additional hardware.
3. It does not require additional resources.
4. Time to market is quicker.
5. It is a way to implement cutting-edge technology without the cost typically associated with it (Ginovsky 2011, 21).
Other authorities have also weighed in on the benefits of switching to cloud computing. Table 1 summarizes the potential benefits of switching to a cloud computing environment.
Table 1: Potential Benefits of Switching to a Cloud Computing Environment
Quick implementation process. Most vendors claim their applications can be up and running in a few minutes because there is no software to install. The implementation process is also easier for companies with multiple locations or remote workers, since all users can access the same version of an application simultaneously.
Anytime access from anywhere with an Internet connection. This includes the ability for employees to work remotely.
Lower upfront costs. Rather than paying a license fee and annual maintenance charges, most cloud computing models allow users to pay as they go — usually monthly, though some require annual contracts. They can pay per user and easily add more users. Vendors can offer their products at a lower cost because their systems are built to allow several customers to share infrastructure (both servers and storage) in a way that is transparent to users and does not allow those customers access to each other's data. It may be difficult to conduct a cost comparison of doing business on-premise versus in the cloud unless a company has moved all its business off-premise. Some companies may outsource services such as email and/or infrastructure support while still managing their core applications. Upfront costs include the cost of hardware and IT employees that are no longer required in-house.
Little or no hardware or maintenance costs. The vendor is responsible for maintaining the software and servers. In an on-premise environment, the customer pays for hardware, storage space, and IT personnel to maintain the system in addition to the software. In a cloud environment, the vendor fronts those costs, so a larger percentage of the total cost of ownership shifts away from hardware and people and toward software. Some industry analysts estimate the break-even point of leasing versus buying software at about three years (Defelice 2010, 51).
While the experiences of any given business will likely differ, many industry analysts suggest that a primary benefit of switching to cloud computing is cost savings. Even though it takes about three years for the average enterprise to recoup its initial investment in switching costs, the increased efficiency and other benefits that accrue to cloud computing make the investment worthwhile over the long term (Defelice 2010, 52). The decision to make a partial or complete transition to cloud computing also requires a careful assessment of a company's unique circumstances, with some general factors to consider on a case-by-case basis including:
1. Reduced support costs. Rather than employing in-house experts for product support, the vendor typically provides support directly to the customer.
2. Reallocation of resources. IT staff can be reallocated to more strategic projects rather than spending time on system upgrades and maintenance.
3. Easier and more regular upgrades. Vendors can regularly update their products. In many cases, those enhancements are made automatically in the background without disrupting the customer's work. Most vendors provide advance notice to alert customers about changes and give them the option of when to turn new features on or off.
4. Disaster recovery and backup capabilities. One of the costs incurred by customers who keep their data on-premise is backing up their data, typically via tape or by contracting a third-party backup provider. This is another area covered by the vendor in a cloud environment. Often vendors have redundant backup systems so that customer data is replicated in a separate data center in case of fire, flood, or other disaster. The infrastructure is "self-healing" so that when a failure occurs and the backup becomes the primary source of information, the system launches a new backup instance of the data (Defelice 2010, 52).
Not surprisingly, as more experience is gained with cloud computing, an increasingly wide array of applications is becoming available. In this regard, Werbach reports that, "For example, instead of running local email applications and downloading mail from an ISP to their own hard drives, users can access email through Google's Gmail, a web-based service that stores messages on Google's own Internet-based servers. Instead of running a sales force automation package locally, a salesperson can log into Salesforce.com and access contact and sales pipeline information over the Internet" (2011, 1762).
Other recent trends in cloud computing identified by DeFelice (2010) include the following:
1. An increasing number of applications are available in the cloud, including bill management, enterprise resource planning applications, payroll, sales tax, tax preparation, and workflow.
2. Worldwide, revenue from cloud computing services was forecast to reach $68.3 billion in 2010, according to analyst firm Gartner Inc.
3. The cloud services industry was poised for strong growth through 2014, when worldwide cloud services revenue was projected to reach $148.8 billion, with the financial services and manufacturing industries being the largest early adopters.
4. Benefits of working in the cloud include quick implementation, anytime access, lower upfront and maintenance costs, and easier and more frequent updates.
5. Security and reliability remain top concerns for switching to a cloud environment. Several questions should be considered before making an investment to ensure these concerns are minimized (Defelice 2010, 50).
In fact, the cloud computing industry had already reached the $70 billion mark, representing a substantial 16.6% increase over 2009 revenues, and all signs predict future consistent growth — causing a concomitant increase in concerns over security (Defelice 2010, 50). Although there is no universal definition for cloud computing, there is a growing consensus that its increased use demands increased scrutiny of the potential risks associated with this alternative (Werbach 2011, 1762).
While all cloud computing applications and their specific potential benefits differ, they all share the common issue of risk. In this regard, Ginovsky emphasizes that, "The current hot topic in business technology is software as a service, or some other form of cloud computing. They all represent leaps forward in productivity, capability and profitability. What they all have and continue to require, however, is an acute focus on and control of risks" (2011, 21). Likewise, Brett Wilson, an information technology and compliance officer for Trustwave — a company that provides cloud services for merchant banks — emphasizes that like all technological innovations, there are risks associated with cloud computing that must be taken into account. According to Wilson, "The fortunate thing, though, is that with cloud there are no new risks involved. The worst-case scenario does not change, regardless of infrastructure. The worst-case scenario for any organization around IT security are breaches, the notifications that go along with those, financial loss, reputational damage and regulatory actions that might result" (quoted in Ginovsky 2011, 22).
Based on his analysis of current trends in cloud computing, Ginovsky identified seven of the most significant cloud computing risks that should be considered:
1. Increased dependency on a third-party provider;
2. Loss of control over the physical and/or logical environment affecting data;
3. Loss of availability should the cloud provider have a service interruption;
4. Privacy and legal liability in the event of a security breach;
5. Difficulty defining exact locations of data;
6. Commingling of data; and
7. Difficulty of protecting trade secrets (Ginovsky 2011, 22).
Beyond the foregoing, other specific threats have also been associated with cloud computing, including the following:
1. Abuse and nefarious use;
2. Insecure application programming interfaces;
3. Malicious insiders;
4. Shared technology vulnerabilities;
5. Data loss or leakage;
6. Account, service, and traffic hijacking; and
7. Other, unknown risks (Ginovsky 2011, 22).
Some of the precautions that businesses can take when making the switch to a cloud computing environment have been formalized in two working documents from the National Institute of Standards and Technology (NIST): the first provides an operationalization of the term, and the second sets forth guidelines concerning security and privacy issues involved in public cloud computing (Ginovsky 2011, 22). Among the major points of the latter NIST document are the following:
1. Entities, including private businesses, should carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
2. They should understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
3. They should ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
4. They should maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments (Ginovsky 2011, 22).
Beyond the foregoing precautions, there are other factors that must be considered during the implementation of a cloud computing alternative. Although the various permutations that are possible are virtually limitless, cloud computing typically involves five basic actors: (a) consumer, (b) provider, (c) auditor, (d) broker, and (e) carrier (Brown 2011, 2).
Although some of the current NIST security standards were developed for pre-cloud computing technologies such as web-based services and the Internet, the NIST working group is working on formulating security standards specifically designed to support cloud functions and requirements (Brown 2011, 3). According to Brown, "The [NIST] working group identified a number of gaps in available standards ranging from fundamental issues such as security and privacy protection to user interfaces and important business-oriented features. The group also provided definitions for the five 'actors' involved in cloud computing and identified standardization priorities for the federal government, particularly in areas such as security auditing and compliance, and identity and access management" (2011, 3). The NIST working group also solicited support from federal agencies to become more actively involved in developing cloud computing-specific standards that facilitate its implementation and administration (Brown 2011, 3).
One of the major themes to emerge from the review of the literature was that no matter how beneficial the switch to cloud computing might be for a given enterprise, there is a definite trade-off involved in terms of the potential for security breaches and interruptions of service unless certain precautions are taken prior to implementation. On the one hand, provided that companies exercise the due diligence needed with respect to their third-party providers and other actors in the cloud computing environment, the research showed that switching to cloud computing can help reduce IT costs, does not require any additional hardware or other resources, and is a method of implementing the most recent technology without the costs typically associated with the process. In addition, other benefits of cloud computing were shown to include a rapid implementation process, anytime access from anywhere with an Internet connection, and lower upfront costs.