Atlantic International University, Honolulu, Hawaii 96813 THESIS PROPOSAL By MBANZABUGABO Jean Baptiste, ID# UD30956SCO39530 School: Science and Engineering Program: Doctorate Major: Computer Science Kigali - RWANDA CLOUD COMPUTING AND SECURITY, Case study “SECURITY MECHANISM AND PILLARS OF ERPS ON CLOUD TECHNOLOGY”

Thesis Proposal


  • 0

    Atlantic International University, Honolulu, Hawaii 96813

    THESIS PROPOSAL

    By MBANZABUGABO Jean Baptiste, ID# UD30956SCO39530

    School: Science and Engineering

    Program: Doctorate

    Major: Computer Science

    Kigali - RWANDA

    CLOUD COMPUTING AND SECURITY,

    Case study “SECURITY MECHANISM AND PILLARS OF ERPS ON CLOUD TECHNOLOGY”

  • 1

    TABLE OF CONTENTS

    1. INTRODUCTION ... 2

    2. DESCRIPTION ... 2

    3. GENERAL ANALYSIS ... 3

    3.1 GENERAL OBJECTIVE OF THE STUDY ... 5

    3.2 SPECIFIC OBJECTIVES ... 5

    4. CURRENT INFORMATION ... 5

    5. DISCUSSION ... 7

    6. FURTHER DISCUSSION ... 17

    7. CONCLUSION ... 21

    REFERENCES ... 22

  • 2

    1. INTRODUCTION

    Cloud computing involves hosting applications on servers and delivering software and services via

    the Internet. In the cloud computing model, companies can access computing power and resources

    on the cloud and pay for services based on usage. Institutions are the rules of the game and

    include formal constraints (rules, laws, constitutions), informal constraints (norms of behavior,

    conventions, and self-imposed codes of conduct), and their enforcement characteristics.

    This research proposal seeks to argue that issues related to ERP security and privacy in the

    cloud can be addressed if and only if there are security mechanisms and pillars that will

    ensure a praiseworthy level of confidentiality for the legitimate users of the service.

    2. DESCRIPTION

    Cloud computing is one of the latest innovations in IT and is claimed to be capable of driving the

    future world of IT at minimum cost. On the one hand, the concept of cloud computing is widely

    accepted by ordinary users; on the other hand, the majority of organizations have some serious

    security concerns before moving to this form of IT evolution.

    Organizations are moving to cloud computing technologies (hereinafter: the cloud) to perform

    increasingly strategic and mission critical functions. At the same time, companies are facing

    pressures and challenges to protect information assets belonging to their customers and other

    sensitive data (McCafferty, 2010). Unsurprisingly, security, privacy and availability are among the

    topmost concerns in their cloud adoption decisions rather than the total cost of ownership (Brodkin

    2010). The cloud is a double-edged sword from the security standpoint. For organizations that lack

    technological and human resources to focus on security, third parties in the cloud can provide

    low-cost security (Kshetri 2010). Cloud computing users, on the other hand, face several separate but

    related security risks (Talbot 2010).

    The cloud poses various technological as well as institutional challenges. The cloud-related legal

    system and enforcement mechanisms are evolving more slowly compared to the technology

    development. Privacy, security and ownership issues related to data stored on cloud currently fall

    into legally gray areas (Bradley 2010). Some argue that an organization, rather than the cloud

    provider, is likely legally responsible if customer data stored in the cloud are compromised

  • 3

    (Zielinski 2009). A second criticism is that there has been arguably a disturbing lack of respect for

    essential privacy among major cloud providers (Larkin 2010, p. 44). For instance, in a complaint

    filed with the Federal Trade Commission (FTC), the Electronic Privacy Information Center (EPIC)

    argued that Google misrepresented the privacy and security of its users' data (Wittow & Buller

    2010). Cloud providers are also criticized on the ground that they do not conduct adequate

    background security investigations for their employees (Wilshusen 2010). This issue is rather

    important since significant proportions of cybercrimes are associated with malicious insiders.

    Likewise, new bugs and vulnerabilities targeting the cloud are proliferating (Brynjolfsson et al.

    2010).

    Critics have raised concerns about privacy and security associated with unauthorized access and use

    of information stored in the cloud for malicious purposes (McCreary 2008). A commonplace

    observation is that while cloud providers offer sophisticated services, their performances have been

    weak in policies and practices related to privacy and security (Wittow & Buller 2010; Greengard &

    Kshetri 2010).

    Businesses and consumers have expressed distrust in the cloud and are cautious in using it to store

    high-value data or sensitive information. Due to weak security, the cloud arguably remains a

    largely nascent technology (Stewart 2010) and critics have argued that its costs may outweigh the

    benefits (Tillery 2010). According to a report released by the research firm International

    Data Corporation (IDC) in October 2008, security concerns were the most serious barrier to cloud

    adoption for organizations. Organizations rightfully worry about hidden costs associated with

    security breaches or lawsuits tied to data privacy restrictions (Zielinski 2009).

    3. GENERAL ANALYSIS

    Cloud computing and security is a new buzzword in the business industry today. The idea behind

    the cloud computing paradigm is that computing resources and software are available to the end

    user, whether an organisation or an individual, in a virtualized environment (the cloud), and the user can

    access them on demand using a pay-as-you-go approach. In industry, these services are

    referred to respectively as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and

    Software as a Service (SaaS) (Hayes, 2009). One of the issues faced by organisations in the

    world today is the need to make organisational data globally accessible while taking into account

    intra-organisational and extra-organisational data, and a cloud can be a very enabling medium for

    achieving this.

  • 4

    Enterprise resource planning software is an enormous piece of software that integrates the entire

    organisation into one giant entity while capturing, changing and automating the organizational

    processes.

    The chances of a successful implementation of an ERP in an organisation are low. It also takes a sizeable

    amount of manpower, cost and effort to deploy and maintain the ERP. Outsourcing an entire ERP

    application is a relatively new idea and has been under discussion frequently for its

    advantages and some latent disadvantages. In today's world, with such economic conditions, it

    becomes imperative for an organization to reduce its operating costs while increasing overall

    efficiency with the same amount of resources and fulfilling consumer demands simultaneously. This

    is where a secured, cloud-based ERP can really help an organisation, if not for some very

    pertinent disadvantages that have to be overcome to make this a more viable option than a

    best-of-breed or an off-the-shelf ERP solution, globally.

    Cloud computing can also help to divert the attention of the dedicated workforce away from

    maintenance and development and direct it towards the core processes that actually benefit the

    organisation in a much better way.

    Barriers to the adoption of cloud computing are organisation-specific and based on massive data security.

    However, there are some common issues that push organisations towards the adoption of such a

    system. These comprise cost savings, fault tolerance, on-demand service, scalability and

    flexibility, massive data storage, reliance and compliance of data formats.

    Concerns regarding a cloud-based system include security, scalability, ease of migration and

    licensing issues. There are some notable disadvantages that need to be overcome. A very

    pertinent issue is the security of the organizational data. Since the data is stored in

    the cloud, an organization does not have direct control over it. The security of the

    organizational data is the responsibility of the service provider, and this raises a lot of issues for

    an organization to consider before and after migrating to a cloud-based system. Another important

    issue is possible vendor lock-in, which might prevent the organisation from migrating to another

    service provider when it desires to.

  • 5

    3.1 GENERAL OBJECTIVE OF THE STUDY:

    To investigate the possible long- and short-term advantages and disadvantages that an

    organisation can derive from the adoption of cloud-based systems and/or a cloud-based ERP, and

    the potential security and confidentiality threats associated with cloud computing.

    3.2 SPECIFIC OBJECTIVES:

    To analyse whether cloud systems and ERP could prove to be a suitable alternative to the

    traditional on-premise ERP and for local, massive data storage accessibility (mission-critical

    application).

    To identify the merits and demerits of cloud computing technology and suggest best

    practices for the security concerns to be implemented, as a pertinent issue is the

    security of the organizational data stored in the cloud.

    4. CURRENT INFORMATION

    ERP systems are currently the prevailing form of business computing and storage for many large

    organisations in the private and public sector (Gable, 1998). An ERP manages and integrates all the

    business functions in an organisation and this makes it much more than simple software that takes no

    thought to acquire (Boykin, 2001; Chen, 2001; Yen, Chou, & Chang, 2002). Organizations view

    ERP-enabled standardization as a vital means to integrate dispersed organizational systems and

    provide seamless access to information organization-wide (Osterle et al., 2000).

    ERP stores and processes data and allows it to be accessed in an appropriate format, while stretching

    beyond the organisational boundaries (Gupta, 2000) (Al-Mashari & Zairi, 2000) (Gardiner et al,

    2002). Because these systems touch so many aspects of a company's internal and external

    operations, their successful deployment and use are critical to organizational performance and

    survival (Tanis et al., 2000).

    One of the major challenges in ERP adoption is flexibility with the integration of newly-acquired

    business functionalities into its data processing systems with the minimum time possible (Gupta,

    2000). The flexibility of ERP systems refers to the extent to which an ERP system may be

    dynamically reconfigurable to define new business models and processes (Stedman, 1999).

    In the near-term perspective, managers find ERP implementation projects the most difficult systems

    development projects (Wilder and Davis, 1998).

  • 6

    The online delivery of the software has been a long standing dream of the software vendors and

    distributors, alike. Sato et al. (1999) and Bennett et al. (2000) put forward several areas for future

    research, including integrating ERP and other systems on the Internet. Cloud computing is a fairly

    established system and has been in the offering since 2000-01 (Bennett et al., 2000). The concept is

    deceptively simple and logical. Instead of buying the license for an application like ERP

    software and then installing it on a machine, it is much cheaper and more convenient to lease the

    application from a company that created the software (Dubey & Wagle, 2007).

    A Cloud is a type of parallel and distributed system consisting of a collection of interconnected and

    virtualised computers that are dynamically provisioned and presented as one or more unified

    computing resources based on service-level agreements established through negotiation between the

    service provider and consumers (Fox, 2009 ; Buyya, et al., 2008). Applications built on cloud

    architectures run in-the-cloud where the physical location of the infrastructure is determined by the

    provider (Varia, 2008) and is abstracted from the organisation, thus allowing the focus to shift from

    IT to business innovation. The benefits of cloud computing are widely discussed in practice,

    focusing on increased agility, availability, flexibility, cost savings and interoperability (Kim, 2009).

    The separation of service provider from infrastructure provider has made it much easier for new

    services to be established online quickly and with low financial risk, and to scale those services as

    demand dictates (Murray, 2009 ; Buyya, 2009). Using someone else's infrastructure on a

    pay-per-use basis converts the fixed costs into a variable cost based on actual consumption, reducing initial

    investment and risk (Buyya, et al., 2008) (Fox, 2009). Also the demand for online services can be

    very variable and poor response due to overload can risk losing customers (Pandey, et al. , 2009).

    Cloud computing provides easy scalability and the flexible creation and dismantling of resources

    that customers need only temporarily for special projects or peak workloads (Leavitt, 2009 ; Fox,

    2009 ; ECONOMIST, 2009) giving it choice and control over its infrastructure. The ability to scale

    the use of cloud power to match the demand also mitigates the risk of failure (ECONOMIST, 2009)

    while making the organisations more adaptable.

    Cloud based ERP has a much smaller time scale for configuration and deployment. This has a

    fundamental impact on the agility of a business and the reduction of costs associated with time

    delays (ISACA, 2009 ; Hayes, 2009) allowing organisations to realise the competitive advantage at

    a much earlier stage than the non-adopters. Organisational data is available and accessible globally

  • 7

    through the internet, improving the overall collaboration in the organisation (Scale, 2009 ; Armbrust, et

    al., 2009).

    When data is stored beyond the organisation, even with lock-tight security and data management

    standards, there are confidentiality and privacy risks associated with this model, not to mention

    potential industrial sabotage (Fox, 2009 ; Leavitt, 2009 ; Pandey et al., 2009 ; Das et al.,2009). Also,

    with a distributed application architecture, there is no possibility for local customization and

    development and you are limited to the interface the service provider gives you (Fox, 2009).

    Besides security, there are legal and regulatory issues that need to be taken care of. When moving

    applications and data to the Cloud, the providers may choose to locate them anywhere on the planet

    (Pandey et al., 2009), which subjects them to the laws of that country. For example, specific

    cryptography techniques could not be used because they are not allowed in some countries.

    Performance concerns may stop some companies from using cloud computing for transaction

    oriented and other data-intensive applications (Leavitt, 2009) (Hayes, 2009). Cloud services have

    reduced the cost of content storage and delivery, but they can be difficult to use for non-developers,

    as each service is best utilised via unique web services and has its own unique quirks (Tari, et

    al., 2009). A user could also get a nasty surprise if they have not understood what they will be

    charged for (Broberg, et al., 2008). Vendor lock-in is another problem that an organisation may have

    to face if it wants to migrate towards a new service provider (Armbrust, et al., 2009).

    People are focusing on the core technologies that will lead their business forward over the next five

    years and want to know how to manage varying degrees of risk wisely. They are wary of making a

    complete jump in computing ideology in one fell swoop (ECONOMIST, 2010).

    5. DISCUSSION

    The learning style assessment, adopted from Kolb and McCarthy (1984), was undertaken by the researcher.

    The results indicated that the researcher's style is that of an interpretivist and a diverger.

    Research, according to Smith & Dainty (1991), is concerned with problem solving, investigating

    relationships and building on the body of knowledge. It is a plan or design with the view to finding a

    solution to the research problem by social workers. Formulating and clarifying the research topic is

    the most important aspect of the research project as it is the starting point of the entire process

    (Alvesson & Skoldberd, 2000 ; Ghauri & Gronhaug, 2005 ; Mouton & Marais, 1990).

  • 8

    To understand the pros and cons of a cloud-based ERP system with respect to security, it is essential

    that the background of cloud-based systems and virtualization of resources is established along

    with the factors that may affect the bias of the subject (Denzin & Lincoln, 1998 ; Bogdan & Biklen,

    1992).

    Qualitative research contributes to discovery and theory-building (Gilles, 2000) which is what is

    being attempted by the researcher here with respect to a cloud based ERP with a deep consideration

    of security.

    Qualitative techniques based on the interpretation of non-numerical data can provide meaning to

    human behaviour missing in quantitative data (Rossman & Marshall, 1999 ; Creswell, 1994). It

    seeks to develop sensitizing concepts and the meanings of central themes in the life world of the

    subjects (Maykut & Morehouse, 1994). Acquisition of an ERP is a major decision which affects the

    organisation on multiple levels. The intangible factors related to changes and its adaptability or

    competitive advantage, are difficult to quantify and a qualitative approach is a better suited mode of

    research here. Qualitative approach is based on the belief that the persons are actors who take an

    active role in responding to situations and the realisation that the response is based on a certain

    meaning (Strauss & Corbin, 1990 ; Rossman & Rallis, 2003). The understanding of this meaning is

    defined and redefined through interaction with sensitivity to conditions and the relationship between

    condition, action and the result. Qualitative analysis allows for finer differences to be brought to

    light which will allow the researcher to investigate his case thoroughly. Denzin & Lincoln, (1998)

    summarise the characteristics of this approach as enabling the researcher to study phenomena in

    their natural settings, while attempting to interpret these phenomena in terms of the meanings people

    bring to them.

    Every organisation may have its own reasons to either acquire or shun a cloud-based ERP system,

    and these factors are unique to each organisation, reflecting the disposition of the organisation

    and lending themselves to being subjective.

    Issues revolving around privacy, and ownership and access to data raise interesting questions in the

    cloud. As a visual aid, Figure 1 schematically represents how privacy and security issues in the

    cloud are tightly linked to the institutional and technological environments.

  • 9

    Various characteristics of the cloud affect organizations' perceptions of confidentiality, integrity,

    and availability of the cloud (Left part of Figure 1). Formal and informal institutions, on the other

    hand, affect perception of legitimacy and trustworthiness of the cloud (Right part of Figure 1).

    Assessment of institutional and technological facilitators and inhibitors affects organizations'

    adoption decisions (Figure 1).

    Figure 1. Cloud Computing Model - Open Secure Architecture

    Institutional actors' responses lag behind the technological changes (Katyal 2001; Brenner 2004).

    Moreover, institutional actors vary in their timing of responses. For instance, whereas trade and

    professional associations and industry standard organizations are taking measures to respond to

    security and privacy issues in the cloud, government agencies have been slow to adopt necessary

    legislative, regulatory and other measures to monitor users and providers of the cloud.

    THE CLOUD'S NEWNESS AND UNIQUE VULNERABILITIES

    The cloud's newness and uniqueness present special problems. With the evolution and popularity of

    virtualization technology, new bugs, vulnerabilities and security issues are being found

    (Brynjolfsson et al. 2010). The cloud, however, is not a familiar

  • 10

    terrain for most IT security companies. A lack of mechanisms to guarantee security and privacy has

    been an uncomfortable reality for many cloud providers.

    With virtualization, one of the implementation models of cloud technology, it has been found that a user

    may be able to access sensitive portions of the provider's infrastructure as well as resources of

    other client environments that are managed by the same cloud provider.

    Figure 2. Cloud computing Layers according to Gartner, 2009.

    Experts argue that such vulnerabilities could have more adverse impacts in the cloud than in

    on-premise computing (Owens 2010).

    The cloud is also forensically challenging in the case of a data breach. For instance, some public

    cloud systems may store and process data in different jurisdictions, which vary in terms of laws

    related to security, privacy, data theft, data loss and intellectual property theft (McCafferty

    2010). Some organizations may encrypt their data before storing it in the cloud.

    NATURE OF THE ARCHITECTURE

    Virtual and dynamic

    The virtual and dynamic nature of the cloud computing architecture deserves mention. For one

    thing, the shared and dynamic resources of the cloud such as CPU and networking reduce control

    for the user and tend to pose new security issues not faced by on-premise computing. A related point

    is that these characteristics of the cloud allow data and information to distribute widely across many

    jurisdictions. The locations where data are stored may vary in laws regarding security, privacy, data

    theft, and protection of intellectual property (McCafferty 2010).

  • 11

    Virtualization is the primary security mechanism in the cloud. Virtualization environments, despite their

    insulation from the customer, run on physical systems and are not necessarily bug-free.

    Sophistication and complexity

    The cloud's security-related problems can also be linked to its sophisticated and complex

    architecture. In April 2010, U.S. and Canada-based researchers published a report on a sophisticated

    cyber-espionage network, which they referred to as the Shadow network. The targets included the Indian

    Ministry of Defense, the United Nations, and the Office of the Dalai Lama. The report noted:

    "Clouds provide criminals and espionage networks with convenient cover, tiered defenses,

    redundancy, cheap hosting and conveniently distributed command and control architectures"

    (IWMSF 2010).

    Another problem concerns the cloud's complexity. An important trend facilitated by the cloud is

    social media, which are arguably a corporate security nightmare (BBW 2010). In the Shadow case

    noted above, the cyber-espionage network combined social networking and cloud platforms,

    including those of Google, Baidu, Yahoo!, Twitter, Blogspot and blog.com with traditional

    command and control servers (IWMSF 2010).

    ATTRACTIVENESS AND VULNERABILITIES OF THE CLOUD AS A CYBERCRIME BULL

    Earlier we mentioned that the cloud can provide low-cost security due to economies of scale.

    However, an unintended downside of cheap services is more security issues.

    Value of data in the cloud

    Target attractiveness depends on offenders' perceptions of victims. Prior research indicates that

    crime opportunity is a function of target attractiveness, which is measured in monetary or symbolic

    value and portability (Clarke 1995). Target attractiveness is also related to accessibility, visibility,

    ease of physical access, and lack of surveillance (Bottoms & Wiles 2002). Large companies'

    networks offer more targets to hackers. Cloud suppliers, which often are bigger than their clients,

    are attractive targets. The cloud thus offers a high surface area of attack (Talbot 2010). That is,

    information stored in clouds is a potential goldmine for cyber-criminals (Kshetri 2010a). In late

    2009, Google explained that the company discovered a China-originated attack on its

    infrastructures. The company further noted that the attack was part of a larger operation, which

    infiltrated infrastructures of at least 20 other large companies.

  • 12

    Criminal-controlled clouds

    The cloud is potentially most vulnerable, especially when viewed against the backdrop of

    criminal-owned clouds operating in parallel. Just like diamond is the only material hard enough to cut

    diamond effectively, criminal-owned clouds may be employed to effectively steal data stored in

    clouds. The cloud may provide many of the same benefits to criminals as for legitimate businesses.

    The well-known Conficker virus, which reportedly controls 7 million computer systems at 230

    regional and country top-level domains and has a bandwidth capacity of 28 terabits/second, is

    arguably the world's biggest cloud and probably the most visible example of a criminal-owned

    cloud. Just like legitimate clouds, Conficker is available for rent. Cybercriminals can choose a

    location they want to rent Conficker and pay according to the bandwidth they want and choose an

    operating system (Mullins 2010).

    INSTITUTIONAL ENVIRONMENT

    Institutional theory is described as a theory of legitimacy seeking (Dickson et al., 2004, p. 81). To

    gain legitimacy, organizations adopt behaviors irrespective of the effect on organizational efficiency

    (Campbell 2004). Institutional influence on adoption decisions related to the cloud becomes an

    admittedly complex process when providers and users of the cloud have to derive legitimacy from

    multiple sources such as employees, clients, client customers, professional and trade associations

    and governments.

    Scott (2001) proposed three institutional pillars:

    (i) Regulative;

    (ii) Normative;

    (iii) Cognitive.

    These pillars relate to legally sanctioned, morally governed and recognizable, taken-for-

    granted behaviors respectively.

    The cloud industry is undergoing a major technological upheaval. In such situations, for various

    actors, the institutional context may not provide organizing templates, models for action, and

    sources of legitimacy (Greenwood & Hinings 1993). In most cases, such changes create confusion

    and uncertainty and produce an environment that lacks norms, templates, and models about

  • 13

    appropriate strategies and structures (Newman 2000). Existing institutions are hopelessly inadequate

    and obsolete to deal with the security and privacy problems facing the cloud industry. For instance,

    cloud computing has challenged traditional institutional arrangements and notions about auditing

    and security.

    THE NATURE OF REGULATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

    Regulative institutions consist of explicit regulative processes: rule setting, monitoring, and

    sanctioning activities. Regulative institutions consist of regulatory bodies, and actors adhere to the rules so that

    they do not suffer the penalty for noncompliance.

    Laws to deal with data on the cloud

    The importance of regulative institutions such as laws, contracts and courts in the cloud industry

    should be obvious if this industry is viewed against the backdrop of the current state of security

    standards. In the absence of radical improvements in security technology, such institutions become

    even more important.

    The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to

    the cloud technology development. Compliance frameworks such as SOX, HIPAA and PCI-DSS

    (Payment Card Industry Data Security Standard) do not clearly define the guidelines and

    requirements for data stored on the cloud (Bradley 2010). Cloud computing thus poses various

    challenges and constraints for companies that have responsibilities to meet stringent compliance

    related to these frameworks and reporting requirements for their data (McCafferty 2010; NW 2010).

    The cloud has several important new and unique features, which create problems in writing

    contracts. For instance, an analysis of the contracts between Google and Computer Sciences

    Corporation (CSC) with the City of Los Angeles indicated several problems related to data breach

    and indemnification of damages. Google was a CSC subcontractor in the arrangement. An attorney

    analyzing the case noted that some of the complexity in the case would have been avoided if the

    term "lost data" was defined more clearly in the contracts (NW 2010).

    While some experts understandably argue that it would not be practical to hold cloud providers

    liable for everything, current regulations are heavily biased in favor of cloud providers. For instance,

    in the event of a data breach in the cloud, the client, not the vendor, may be legally responsible

    (Zielinski 2009). However, cloud providers are required to keep sensitive data belonging to a federal


    agency within the country. While Google Apps is FISMA certified for its government cloud,

    this is not necessarily the case for private industry (Brodkin 2010).

    Regulatory overreach

    There have been concerns about possible overreach by law enforcement agencies. The FBI's audits

    indicated the possibility of overreach by the agency in accessing Internet users' information

    (Zittrain 2009).

    For some analysts, the biggest concern has been the government's increased ability to access

    business and consumer data and to censor, and a lack of constitutional protections against these actions

    (Talbot 2010). The cloud is likely to make it easier for governments to spy on citizens. Governments

    worldwide, however, differ in their approach to and scale of web censorship and surveillance.

    In particular, the cloud is likely to provide authoritarian regimes a fertile ground for cyber-control

    activities.

    THE NATURE OF NORMATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

    Normative components introduce a prescriptive, evaluative, and obligatory dimension into social

    life (Scott 1995, p. 37). This component focuses on the values and norms held by individuals and

    organizations that influence the functioning of the cloud industry. Practices that are consistent with

    and take into account the different assumptions and value systems are likely to be successful

    (Schneider 1999).

    Professional associations' measures

    Compared to established industrial sectors, in nascent and formative sectors such as cloud

    computing, there is no developed network of regulatory agencies. For instance, there are few, if any,

    national or international legal precedents for the cloud industry (McCafferty 2010). As a

    consequence, there is no stipulated template for organizing, and thus pressures for conformity are

    less pronounced (Greenwood & Hinings 1996). In such settings, professional and trade associations

    may emerge to play unique and important roles in shaping the industry (Kshetri & Dholakia 2009).

    These associations' norms, informal rules, and codes of behavior can create order, without the law's

    coercive power, by relying on a decentralized enforcement process where noncompliance is

    penalized with social and economic sanctions (North 1990).


    Various professional and trade associations are also constantly emerging and influencing security

    and privacy issues in the cloud in new ways as a result of their expertise and interests in this issue.

    A visible example is the Cloud Security Alliance (CSA) (www.cloudsecurityalliance.org), a group

    of information security professionals. The CSA is working on a set of best practices as well as

    information security standards for cloud providers (Crosman 2010).

    Industry standards and certification programs

    Some argue that industry standards organizations may address most of the user concerns related to

    privacy and security in the cloud industry (Object Management Group 2009). Organizations such as

    Object Management Group (OMG), the Distributed Management Task Force (DMTF), the Open

    Grid Forum (OGF), and the Storage Networking Industry Association (SNIA) have made efforts to

    address security and privacy concerns in the cloud industry (Wittow & Buller 2010).

    There are no formal processes for auditing cloud platforms. Analysts argue that auditing standards

    to assess a service provider's control over data (e.g., SAS 70) or other information security

    specifications (e.g., the International Organization for Standardization's ISO 27001) are insufficient

    to deal with and address the unique security issues facing the cloud (Brodkin 2010). Note that these

    standards and specifications were not developed specifically for cloud computing.

    THE NATURE OF COGNITIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

    Cognitive institutions are closely associated with culture (Jepperson, 1991). These components

    represent culturally supported habits that influence cloud providers' and users' behaviors. In most

    cases, they are based on subconsciously accepted rules and customs as well as some taken-for-

    granted cultural account of cloud use (Berger & Luckmann 1967). Scott (1995, p. 40) suggests that

    cognitive elements constitute the nature of reality and the frames through which meaning is made.

    Cognitive programs are built on the mental maps of individual cloud users and thus function

    primarily at the individual level (Huff 1990). Compliance in cognitive legitimacy concerns is due to

    habits. Organizations and individuals may not even be aware that they are complying.

    Perception of vendors' integrity and capability

    Of particular concern is the users' dependency on cloud vendors' security assurances and practices.

    Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be

    protected from one another (Armbrust et al. 2010). After several readings, inspections have shown

    that potential cloud adopters are concerned about the possibility that service providers' security


    might have ineffective or noncompliant controls, which may lead to vulnerabilities affecting the

    confidentiality, integrity, and availability of data (Wilshusen 2010). Organizations are also

    concerned that cloud providers may use insecure ways to delete data once services have been

    provided (Wilshusen 2010).

    Admittedly, data theft, denial-of-service attacks by users, threats from other users, and bugs are not

    the only, and not the biggest, problems associated with the cloud. There is also a high degree of

    temptation for the cloud providers or their employees to engage in opportunistic behavior (Armbrust

    et al. 2010). The cloud may thus also increase organizations' exposure to vulnerabilities from insider

    risks. Indeed, malicious insider risks are among the most important risks that cyberspace faces.

    According to a report released by the FBI in 2006, over 40% of attacks originate inside an

    organization (Regan 2006). Some have raised concerns that service providers do not conduct

    adequate background security investigations of their employees (Wilshusen 2010).

    One fear has been that intellectual property and other sensitive information stored in the cloud

    could be stolen. Worse still, cloud providers may not notify their clients about security breaches.

    Evidence indicates that many businesses tend to underreport cybercrimes due to embarrassment,

    concerns related to credibility and reputation damages and fears of stock price drops. Many of the

    cyber-attacks go unnoticed or may go unnoticed for long periods of time. An organization's data in

    the cloud may be stolen without the organization ever being aware that such incidents had happened.

    Cloud users' inertia effects

    It is quite possible that organizational inertia may affect the lens through which users view security

    and privacy issues in the cloud. Organizational inertia may constrain a firm's ability to exploit

    emerging opportunities such as cloud computing. An inertia effect is likely to adversely influence an

    organization's assessment of the cloud from the security and privacy standpoints.

    Reduction in control is an obvious concern. Cloud users don't have access to the hardware and other

    resources that store and process their data. There is no physical control over data and information in

    the cloud (Wilshusen, 2010). A case in point is Google. The company provides security and privacy

    assurances to its Google Docs users unless the users publish them online or invite collaborators.

    However, Google service agreements explicitly make it clear that the company provides no

    warranty and bears no liability for harm in case of Google's negligence in protecting privacy and

    security.


    Just as vital is preference for localness. From the standpoint of security, most users prefer

    computing to be local. Organizations arguably ask: "who would trust their essential data out there

    somewhere?"

    6. FURTHER DISCUSSION

    It is important to emphasize that the model presented in Figure 1 is dynamic in nature. We anticipate

    that the salience of each component of institutional and technological factors will vary across

    organizations as well as over time. For instance, barriers associated with newness and inertia effects

    are likely to decline over time. On the other hand, as the penetration level, width and depth of the cloud

    increase, it is likely to become a more attractive cybercrime target.

    One implication of the dynamic aspects of the model is that institutions change over time in the

    cloud industry. The idea of institutional field can be helpful in understanding this dynamic. A field

    is formed around the issues that become important to the interests and objectives of specific

    collectives of organizations. For a field formed around privacy and security in the cloud, these

    organizations include regulatory authorities, providers and users of the cloud as well as professional

    and trade associations. The content, rhetoric, and dialogue among these constituents influence the

    nature of field formed around the security and privacy issues associated with the cloud.

    An understanding of arbiters would provide important insight into the sources of institutional

    change in the cloud industry. Three categories of arbiters have been identified: social, legal, and

    economic. Much of the early evidence indicates that institutions in the cloud industry should

    rebalance towards a higher power of the users. Experts argue that courts (legal arbiters) are likely to

    take a middle ground and make providers liable for breach. The Electronic Privacy Information

    Center (EPIC) (a social arbiter) filed a complaint with the Federal Trade Commission (FTC) against

    Google's cloud services. EPIC made the point that Google

    does not adequately safeguard users' confidential information. It requested the FTC to open an

    investigation into Google's Cloud services (Wittow & Buller 2010). Likewise, experts argue that

    market forces and consumer demands (economic arbiters) are likely to drive a lot of privacy changes

    in cloud computing (TR 2010).


    MANAGERIAL AND POLICY IMPLICATIONS

    The model presented in this paper also has implications for management practice and public policy.

    Most cloud providers' services come with no assurance or promise of a given level of security and

    privacy. Cloud providers lack policies and practices related to privacy and security. Nor is that their

    only problem. Cloud providers have also demonstrated a tendency to reduce their liability by

    proposing contracts with the service provided "as is" with no warranty (McCafferty 2010).

    Perception of ineffectiveness or noncompliance of cloud providers may thus act as a roadblock to

    organizations' cloud adoption decisions. In this regard, the above analysis indicates that security and

    privacy measures designed to reduce perceived risk as well as transparency and clear

    communication processes would create a competitive advantage for cloud providers.

    The newness and uniqueness of the cloud often mean that clients would not know what to ask for in

    investment decisions. An understanding of the model would also help organizations take technological,

    behavioral and perceptual/attitudinal measures. The users of the cloud are functioning on the

    assumption that cloud providers take privacy and security issues seriously (Wittow & Buller 2010).

    However, against the backdrop of the institutional contexts, this may well be a convenient but

    possibly false assumption.

    The model also leads to useful questions that need to be asked before making cloud related

    investments. Given the institutional and technological environment, potential adopters should ask

    tough questions to the vendor regarding certification from auditing and professional organizations

    (e.g., AICPA), locations of the vendor's data centers, and background checks of the vendor's

    employees, etc.

    The above analysis suggests that a 'one size fits all' approach to the cloud cannot work. The model

    presented in Figure 1 would also help in making strategic decisions. For instance, organizations may

    have to make decisions concerning combinations of public and private clouds. For instance, the

    public cloud is effective for an organization handling high-transaction/low-security or low data

    value (e.g., sales force automation). The private cloud model, on the other hand, may be appropriate for

    enterprises that face significant risk from information exposure, such as financial institutions,

    health care providers or federal agencies. For instance, for medical-practice companies dealing with

    sensitive patient data, which are required to comply with the HIPAA rules, a private cloud may be

    appropriate.


    In general, legal systems take a long time to change (Dempsey 2008). Regulative institutions related

    to liability and other issues in the cloud are not well developed. Cloud providers may feel pressures

    to obtain endorsements from professional societies.

    AICPA's endorsements have driven the diffusion of cloud applications among some CPA firms.

    Today, accurately or not, businesses are concerned about issues such as privacy, availability, data

    loss (e.g., shutting down of online storage sites), data mobility and ownership (e.g., availability of

    data in usable form if the user discontinues the services). Cloud providers are criticized on the

    ground that they do not answer questions and fail to give enough evidence to trust them. In this

    regard, many of the user concerns can be addressed by becoming more transparent.

    Since geographic dispersion of data is an important factor associated with cost and performance of

    the cloud, an issue that deserves mention relates to regulatory arbitrage. Experts expect

    countries to update their laws individually rather than act in a multilateral fashion (TR 2010).

    Economies worldwide vary greatly in terms of the legal systems related to the cloud. Due to the

    newness, jurisdictional arbitrage is higher for the cloud compared to the IT industry in general. In

    this regard critics are concerned that cloud providers may store sensitive information in jurisdictions

    that have weak laws related to privacy, protection and availability of data (Edwards 2009).

    Anecdotal evidence suggests that due to increasingly important roles in national security, many high

    technology sectors are characterized by a high degree of protectionism. The atmosphere of suspicion

    and distrust among states can lead to such protectionism. To capture the feelings that accompany

    intergovernmental distrust, consider the U.S.-China trade and investment policy relationship.

    Chinese leaders are suspicious about possible cyber-attacks from the U.S. There has been a

    deep-rooted perception among Chinese policy-makers that Microsoft and the U.S. government spy on

    Chinese computer users through secret back doors in Microsoft products. Chinese leaders thus may

    be uncomfortable with the idea of storing data on clouds provided by foreign multinationals. U.S.

    policy makers are equally concerned about Chinese technology firms' internationalization. The

    above analysis indicates that such concerns are likely to be even more prominent in cloud

    computing.

    Cyber-espionage has been an obvious application of the cloud. If there is any lesson that recent

    major cyber-espionage activities teach, it is that countries with strong cyber-spying and

    cyber-warfare capabilities such as China will be in a good position to exploit the cloud's weaknesses for

    such activities.


    In view of the technological capabilities of extra-legal and illegal organizations, one area that

    deserves attention is the escalation of economic and industrial espionage activities such as

    intellectual property theft. There have been reports that U.S. government agencies such as the

    Defense Department as well as private companies have been targets and victims of such activities.

    It is thus reasonable to expect that the cloud may enable an upgrade of these activities to industrial

    espionage.

    Nonetheless, security and privacy issues in the developing world need to be viewed in the context of

    weak defense mechanisms of organizations. Information technology's hollow diffusion concept can

    be helpful in understanding a weak defense. Many companies in developing countries lack

    technological and human resources to focus on security. Hollow diffusion can be human-related

    (lack of skill and experience) or technology-related (inability and failure to use security products)

    (Otis & Evans 2003). Especially for organizations based in developing countries that do not deal with

    high-value and sensitive data, the cloud may provide low-cost security to address some of the

    security-related human and technological issues.

    Providers and users of the cloud face additional challenges in developing economies. Various

    aspects of the institutional environment may weaken the cloud's value proposition and discourage

    investors. In many developing countries, factors such as corruption, the lack of transparency, and a

    weak legal system can exacerbate security risks. The high-profile attacks on Google cloud allegedly

    by China-based hackers in 2009 were an eye opener for the cloud industry.

    A final issue that deserves mention relates to the impacts of clouds controlled by the developing

    world players on security issues of industrialized countries. It is tempting for global cloud players to

    use cheaper hosting services in developing countries. Cyber-criminals, however, find it more

    attractive to target rich economies.


    7. CONCLUSION

    Cloud computing has been defined as the management and provision of different resources,

    such as software, applications and information, as services over the cloud (internet) on demand.

    Cloud computing is based on the assumption that the information can be quickly and easily accessed

    via the net. With its ability to provide dynamically scalable access for users, and the ability to share

    resources over the Internet, cloud computing has recently emerged as a promising hosting platform

    that performs an intelligent usage of a collection of services, applications, information and

    infrastructure comprised of pools of computers, networks, information and storage resources. Cloud

    computing is a multi-tenant resource sharing platform, which allows different service providers to

    deliver software as services and deliver hardware as services in an economical way. Cloud

    computing is the latest technology revolution in terms of usage and management of IT resources and

    services driven largely by marketing and service offerings from the largest IT vendors including

    Google, IBM, Microsoft, and HP along with Amazon and VMware.

    However, along with these advantages, storing a large amount of data, including critical information,

    on the cloud motivates highly skilled hackers, thus creating a big constraint for business data owners.

    There is therefore a need for security pillars and a confidentiality mechanism to be considered and

    implemented as one of the top solutions to the burning issues of Cloud Computing

    technology, so that legitimate as well as illegitimate organizations and entities can be prevented

    from gaining access to data on the cloud through illegal, extralegal, and quasi-legal means.


    REFERENCES

    Dubey, A., & Wagle, D. (2007, May). Delivering software as a service. The McKinsey Quarterly

    Web Exclusive .

    ISACA. (2009). Cloud Computing: Business Benefits With Security, Governance and Assurance

    Perspectives. Rolling Meadows, USA: ISACA Emerging Technology.

    Kim, W. (2009). Cloud Computing: Today and Tomorrow. Journal of object technology , 8 (1).

    ECONOMIST. (2009, November 10). Cloud Computing : Economist Debate. Retrieved December

    13, 2009, from http://www.economist.com: /debate/files/view/CSC_Cloud_Computing_Debate0.pdf

    Al-Mashari, M., & Zairi, M. (2000). Supply-chain re-engineering using enterprise-resource planning

    (ERP) systems: an analysis of a SAP R/3 implementation case,. International Journal of Physical

    Distribution & Logistics Management , 30 (3/4), 296-313.

    Alvesson, M., & Skoldberd, K. (2000). Reflexive Methodology. SAGE Publications Ltd.

    Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Lee, G., et al. (2009). Above the Clouds: A

    Berkeley View of Cloud Computing. University of California at Berkeley, USA, Technical Report

    No. UCB/EECS-2009-28.

    Babbie, E., & Mouton, J. (2001). The practice of social research. Cape Town: Oxford University

    Press.

    Bazeley, P. (2004). Issues in Mixing Qualitative and Quantitative Approaches to Research. In R.

    Buber, J. Gadner, & L. Richards (Eds.), Applying Qualitative Methods to Marketing Management

    Research (pp. 141-56.). Palgrave Macmillan.

    Bennett, K., Layzell, P., Budgen, D., Brereton, P., Macaulay, L., & Munro, M. (2000). Service-

    based software: the future for flexible software. Seventh Asia-Pacific Software Engineering

    Conference (pp. 214-221). APSEC .

    Bingi, P., Sharma, M. K., & Godla, J. K. (1999). Critical issues affecting an ERP implementation.

    Information Systems Management , 16 (3), 7-14.


    Bogdan, R., & Biklen, S. K. (1992). Qualitative research for education: An introduction to theory

    and methods. Boston: Allyn and Bacon.

    Bolender, J. (1998, April). Factual Phenomenalism: a Supervenience Theory. SORITES , pp. 16-31.

    Boykin, R. F. (2001). Enterprise resource-planning software: a solution to the return material.

    Computers in Industry , 45, 99-109.

    Broberg, J., Buyya, R., & Tari, Z. (2008). MetaCDN: Harnessing Storage Clouds for high

    performance content delivery. Technical Report GRIDS-TR-2008-11, Grid Computing and

    Distributed Systems Laboratory, University of Melbourne, Australia.

    Bryman, A., & Bell, E. (2003). Business Research Methods. Oxford: Oxford University Press.

    Bulkeley, W. M. (1996). A cautionary network tale: Fox-Meyer's high-tech gamble. Wall Street

    Journal Interactive Edition .

    Buyya, R. (2009). Market-Oriented Cloud Computing: Vision, Hype, and Reality of Delivering

    Computing as the 5th Utility. 9th IEEE/ACM International Symposium on Cluster Computing and

    the Grid.

    Buyya, R., Yeo, C. S., & Venugopal, S. (2008). Market-oriented Grids and Utility Computing: The

    State-of-the-art and Future Directions. Journal of Grid Computing , 6 (3), 255-276.

    Chen, I. J. (2001). Planning for ERP systems: analysis and future trend. Business Process

    Management Journal , 7 (5), 374-86.

    Creswell, J. (1994). Research Design: Quantitative and Qualitative Approaches. Thousand Oaks,

    CA: Sage.

    Das, A., Reddy, R., Reddy, S., & Wang, L. (2009). Information Intelligence in Cloud Computing-

    How can Vijjana, a Collaborative, Self-organizing, Domain Centric Knowledge Network Model

    Help. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence

    Research: Cyber Security and Information Intelligence Challenges and Strategies. Oak Ridge,

    Tennessee: ACM New York.

    Davenport, T. (1998). Putting the Enterprise into the Enterprise System. Harvard Business Review ,

    121-131.

    David, M., & Sutton, C. (2004). Social Research: The Basics . London: Sage Publications Ltd .


    Denzin, N. K., & Lincoln, Y. S. (1998). The landscape of qualitative research: Theories and issues.

    Thousand Oaks: Sage Publications.

    Du Plooy, G. M. (2001). Communication Research: Techniques, Methods and Applications,. Juta:

    Landsowne.


    Elliot, R. (1995). Therapy process research and clinical practice : Practical strategies. Research

    foundations for psychotherapy practice , 49-72.

    Firestone, W. (1987). Meaning in method: The rhetoric of quantitative and qualitative research.

    Educational Researcher , 16 (7), 16-21.

    Fox, R. (2009). Library in the clouds. OCLC Systems & Services , 25 (3), 156-161.

    Gable, G. (1998). Large package software: a neglected technology. Journal of Global Information

    Management , 6, 34.

    Gardiner, S. C., Hanna, J. B., & LaTour, M. S. (2002). ERP and the re-engineering of industrial

    marketing processes: a prescriptive overview for the new-age marketing manager. Industrial

    Marketing Management , 31, 357-365.

    Ghauri, P., & Gronhaug, K. (2005). Research methods in business studies: A practical guide. Essex

    : England: Pearson Education Limited.

    Gilles, L. (2000). Improving the external validity of marketing models: A plea for more qualitative

    input. International Journal of Research in Marketing , 17, 177.

    Glaser, B. G., & Strauss, A. L. (1967). The Discovery of Grounded Theory: Strategies for

    Qualitative Research. New York: Aldine Publishing Company.

    Glass, R., & Vessey, I. (1999). Enterprise Resource Planning Systems: Can They Handle the

    Enhancement Changes Most Enterprises Required ? Proceedings of First International Workshop

    on Enterprise Management and Enterprise Resource Planning Systems: Methods, Tools and

    Architectures.


    Glasser, B. (1992). Basics of Grounded Theory Analysis: Emergence Versus Forcing. Mill Valley,

    CA: Sociology Press.

    Glasser, B. (1978). Theoretical sensitivity: Advances in the methodology of grounded theory. Mill

    Valley: CA: Sociology Press .

    Gray, D. E. (2004). Doing Research in the Real World. London: Sage Publications.

    Guba, E. G., & Lincoln, Y. S. (1994). Competing paradigms in qualitative research : Handbook of

    Qualitative Research. Sage.

    Gupta, A. (2000). Enterprise resource planning:the emerging organizational value systems.

    Industrial Management & Data Systems , 100 (1).

    Hayes, B. (2009). Cloud computing. Communications of the ACM , 51 (7), 9-11.

    Hoffer, J. A., Valacich, J. S., & George, J. F. (1999). Modern Systems Analysis and Design.

    Reading, MA: Addison Wesley.

    Kolb, D. A., & Fry, R. (1975). Toward an applied theory of experiential learning. London, UK:

    John Wiley.

    Kolb, D. (1984). Experiential Learning: experience as a source of learning and development. New

    Jersey: Prentice Hall.

    Kvale, S. (1996). Interviews: An Introduction to Qualitative Research Interviewing. London: Sage

    Publications.

    Leavitt, N. (2009). Is cloud computing really ready for prime time? Computer , 42 (1), 15-20.

    Leedy, P. D. (1997). Practical Research : Planning and Design. New Jersey: Prentice Hall.

    Light, B. (2001). The maintenance implications of the customization of ERP Software. Journal

    of Software Maintenance and Evolution: Research and Practice, 13, 415-429.

    Lincoln, Y. S., & Guba, E. G. (1985). Naturalistic inquiry. Beverly Hills: Sage Publications.

    Lindolf, T. R., & Taylor, B. C. (2002). Qualitative Communication Research Methods, . Thousand

    Oaks, California: Sage .


    Markus, M. L., & Tanis, C. (2000). The enterprise systems experience from adoption to success.

    In Framing the Domains of IT Research: Glimpsing the Future Through the Past , 173--207.

    Markus, M. L., Axline, S., Petrie, D., & Tanis, C. (2000). Learning from adopters' experiences with

    ERP: problems encountered and success achieved. Journal of Information Technology, 15, 245-265.

    Marshall, M. N. (1996). Sampling for qualitative research (Vol. 13). Fam Pract.

    Mason, J. (2002). Qualitative Researching,. London: Sage.

    Maxwell, J. A. (1992). Understanding and validity in qualitative research. Harvard Educational

    Review , 62 (3), 279-300.

    Maykut, P., & Morehouse, R. (1994). Beginning Qualitative Research: A Philosophic and Practical

    Guide. London: The Falmer Press.

    Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis (2 ed.). London: Sage.

    Mouton, J., & Marais, H. J. (1990). Basic Concepts: The Methodology of the Social Sciences . South

    Africa: HSRC Press.

    Murray, P. (2009). Enterprise Grade Cloud Computing. Hewlett Packard .

    Osterle, H., Fleisch, E., & Alt, R. (2000). Business Networking. Berlin: Springer.

    Pandey, S., Buyya, R., & Vecchiola, C. (2009). Cloudbus Toolkit for Market-Oriented Cloud

    Computing. In Proceeding of the 1st International Conference on Cloud Computing

    (CloudCom2009). Beijing, China: Springer: Germany.

    Parr, A., & Shanks, G. (2000). A Model of ERP Project Implementation. Journal of Information

    Technology , 15 (4), 289-304.

    Patton, M. Q. (2001). Qualitative evaluation and research methods. Thousand Oaks: Sage

    Publications.

    Rossman, C., & Marshall, G. B. (1999). Designing qualitative research. Thousand Oaks: Sage

    Publications.

    Rossman, G. B., & Rallis, S. F. (2003). Learning in the field: an introduction to qualitative

    research. Sage Publications.


    Saunders, M., Lewis, P., & Thornhill, A. (2003). Research Methods for (3 ed.). Harlow: Prentice

    Hall.

    Scale, M. S. (2009). Cloud computing and collaboration. Library Hi Tech News, 26 (9), 10-13.

    Smith, N. C., & Dainty, P. (1991). Management Research Handbook. London: Routledge.

    Spens, K. M., & Kovacs, G. (2006). A content analysis of research approaches in logistics research.

    International Journal of Physical Distribution and Logistics Management , 36 (5), 374-390.

    Stedman, C. (1999). Tracking changes - a must in ERP projects; business users sometimes fail to

    realize importance. Computerworld , pp. 41-2.

    Stiles, W. B. (1993). Quality control in qualitative research. Clinical Psychology Review, 13, 593-618.

    Strauss, A., & Corbin, J. (1990). Basics of Qualitative Research. Newbury Park, CA: Sage.

    Symon, G., & Cassell, C. (1994). Qualitative research in work contexts. Thousand Oaks, CA: Sage

    Publications.

    Tari, Z., Buyya, R., & Broberg, J. (2009). Creating a Cloud Storage Mashup for High

    Performance, Low Cost Content Delivery. Proc. Service-Oriented Computing--ICSOC 2008

    Workshops (pp. 178-183). Berlin: Springer.

    The Economist. (2009, Oct 15). Cloud Computing: Clash of the clouds. Retrieved Dec 10, 2009,

    from http://www.economist.com: /displaystory.cfm?story_id=14637206

    Varia, J. (2008). Cloud Architectures. Amazon Web Services .

    Cloud Computing Explained: Implementation Handbook for Enterprises, Recursive Press, ISBN

    0956355609, 2009

    Hadoop, the Definitive Guide, O'Reilly Media, ISBN: 978-0-596-52197-4, 2010

    Distributed and Cloud Computing, 1st edition, Morgan Kaufmann, 2011.

    Clarke, R. V. (1995). Situational crime prevention. In M. Tonry & D. P. Farrington (Eds.), Building

    a safer society. Strategic approaches to crime (pp. 91-150). University of Chicago Press.

    Crosman, P. (2009). Securing The Clouds, Wall Street & Technology, December 1, pp.23.

    Dean, T. J., & Meyer, G. D. (1996). Industry Environments and New Venture Formations in U.S.

    Manufacturing: a Conceptual and Empirical Analysis of Demand Determinations. Journal of

    Business Venturing, 11, 107-132.

    Del Nibletto, P. (2010). The seven deadly sins of cloud computing, March 19, 2010, available at

    http://www.itbusiness.ca/it/client/en/home/News.asp?id=56870.

    Edwards, J. (2009). Cutting Through the Fog of Cloud Security. Computerworld, 43(8), 26-29.

    ENISA. (2009). Cloud Computing: Benefits, risks and recommendations for information security.

    IWMSF (Information Warfare Monitor/Shadowserver Foundation), Shadows In The Cloud:

    Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver

    Foundation, JR03-2010, April 6, 2010, available at http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf.

    Jepperson, R. (1991). Institutions, institutional effects, and institutionalism. In W. W. Powell & P. J.

    DiMaggio (eds.). The new institutionalism in organizational analysis (pp. 143-163). Chicago:

    University of Chicago Press.

    Katyal, N. K. (2001). Criminal law in cyberspace. University of Pennsylvania Law Review, 149(4),

    1003-1114.

    Kshetri, N. (2007). The Adoption of E-Business by Organizations in China: An Institutional

    Perspective, Electronic Markets, 17(2), 113-125.

    Kshetri, N. (2010a). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10),

    47-55.

    Kshetri, N. (2010b). The Global Cyber-crime Industry: Economic, Institutional and Strategic

    Perspectives. New York, Berlin and Heidelberg: Springer-Verlag.

    Larsen, E., & Lomi, A. (2002). Representing change: A system Model of organizational inertia and capabilities as dynamic accumulation processes. Simulation Model Practice and Theory, 10(5), 271-296.

    Martin, J. A. (2010). Should You Move Your Business to the Cloud?. PC World, Apr 2010, 28(4), 29-30.

    Martínez-Cabrera, A. (2010). Security in the computing cloud a top concern, March 6, 2010, available at http://articles.sfgate.com/2010-03-06/business/18378297_1_cyber-security-czar-howard-schmidt-qualys-rsa.

    Messmer, E. (2010). Cloud computing providers working in secret. Network World, July 12, 2010, 27(13), 10-11.

    Messmer, E. (2010). Secrecy of cloud computing providers raises IT security risks, available at http://www.mis-asia.com/news/articles/secrecy-of-cloud-computing-providers-raises-it-security-risks.

    Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says

    the biggest cloud providers are botnets, March 22, 2010, available at

    http://www.networkworld.com/community/node/58829?t51hb.

    NW (Network World). (2010). Inside the cloud security risk, 27(13), p. 11.

    Newman, K. L. (2000). Organizational transformation during institutional upheaval.

    Stewart, B. (2010). Apple Keeps iTunes Out of the Cloud. Information Today, Oct 2010, 27(9), 46-46.

    Sturdevant, C. (2010). Seeding security into the cloud. eWeek, March 15, 2010, 27(6), 38-38.

    Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.

    Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing

    systems. Computer Law & Security Review, May 2010, 26(3), 304-308.

    Tillery, S. (2010). How Safe Is the Cloud?, available at

    http://www.baselinemag.com/c/a/Security/How-Safe-Is-the-Cloud-273226.

    Vizard, M. (2010). Assessing the Risks of Cloud Computing, Oct 11, 2010, available at

    http://www.itbusinessedge.com/cm/blogs/vizard/assessing-the-risks-of-cloud-computing/?cs=43712.

    Wilshusen, G. C. (2010). Information Security Federal Guidance Needed to Address Control Issues

    with Implementing Cloud Computing. GAO Reports, July 1, 2010, preceding pp. 1-48.

    Wittow, M. H., & Buller, D. J. (2010). Cloud Computing: Emerging Legal Issues for Access to

    Data, Anywhere, Anytime. Journal of Internet Law, Jul 2010, 14(1), 1-10.

    Zielinski, D. (2009). Be Clear on Cloud Computing Contracts. HR Magazine, Nov, 54(11), 63-65.
