Chapter 1: Introduction
Cloud computing is a new and emerging trend in the IT industry that is set to revolutionize the way people approach and use computing. There has been an exponential growth in new technologies that have converged to develop cloud computing services. Cloud computing services offer an innovative and cost-effective means of utilizing IT capabilities, and as such are being offered as long-term solutions for numerous educational, governmental, defense, and private businesses. Cloud computing can support business operations at minimal cost, with accelerated scalability and improved IT capabilities. It allows users to deploy on-demand services using a shared resource network and therefore encourages the customer to use the service as and when necessary. The cloud computing concept is truly revolutionary as it allows small organizations to scale up their operations to high proportions without buying hardware and software and without hiring a fleet of IT experts. The immense potential of cloud computing is recognized throughout the industry, and yet many organizations are reluctant to adopt it quickly (Armbrust et al, 2010).
This is because the rapid technology growth is also accompanied by growing security-related concerns. Cloud computing, as an innovative method of using applications and hardware, has to deal with different implementation issues as it requires a shift in perceptions of work ethics, organizational culture and technical skills required by end users. Moreover, there have been several incidents in which cloud technology has found itself defenseless against hacking attacks like the one against Gmail and the Sony PlayStation gaming network (Paul, 2011). The explanations for the vulnerabilities vary from the inherent weaknesses of core technologies to the vulnerabilities of the network (Armbrust et al, 2009). As cloud computing is an emerging technology, concerns about its security challenges are still being discovered and addressed. The current research aims to examine the understanding of end-users about security challenges, their expectations from the service provider and also to make a list of suggestions for improving safety and building confidence in end-users.
Research Rationale
There is very little evidence of any empirical research undertaken to gauge the performance of cloud computing services in organizations or to assess the satisfaction levels or expectations of the end users. Nonetheless, there is plenty of information available on the different cloud computing systems and modes and their associated benefits and drawbacks (Rochwerger et al, 2009; Reese, 2009; Armbrust et al, 2009; Rhoton, 2009; and Sosinsky, 2011). This data is in the form of technical knowledge about the theory and implementations of cloud computing services and does not tend to include the opinions of end users or the people who actually use and interact with the services. There is an increasing sense of doom among some scholars who expect vicious cyber-attacks that can ride on cloud computing services' security loopholes and vulnerabilities (Barroso and Hoelzle, 2009). However, there still remains a lack of research into assessing these security vulnerabilities empirically or using the perception and experience of those who are the end users of the service.
There appears to be a need to conduct an analysis of the possibilities of the security attacks as well as to assess the perceptions of the organizations that are using it about the security sturdiness or vulnerability of the cloud computing environment. This knowledge is expected to provide insight into the potential challenges and opposition that cloud computing service providers face in marketing their products. It will also allow the researcher to develop a comprehensive set of recommendations that can be adapted to better satisfy end-users.
Therefore, the current research aims at developing a comprehensive overview of security-related issues and concerns as they present themselves to cloud computing service users.
The research is guided by the following research questions:
- What are the various vulnerabilities that are encountered by end users of cloud computing?
- What is the confidence level of end users about the security related issues of cloud computing?
- What are some of the methods and strategies that can be employed to enhance the performance of cloud computing services on security and privacy aspects of data?
Research Aims and Objectives
The research has selected the following aims and objectives:
- To assess the perceptions of end users of cloud computing on security, privacy and ownership of data related issues.
- To assess the confidence and satisfaction of the cloud computing services among end users.
- To explore the expectations and needs for improvements as envisaged by the end users.
- To develop a list of recommendations for consolidating the security and data integrity performance of cloud computing services.
The above research objectives are achieved using both primary and secondary methods of data collection. The secondary method employed consists of an exhaustive literature review that critically analyses the available literature and research on the subject. The aim of the literature review is to present a detailed analysis of what is already known in the field and also to establish the scope of the current research. The research also employs a primary method of data collection which utilizes qualitative methods. The direct personal interviews of IT managers in six selected organizations from Dhahran/Saudi Arabia are undertaken and the collected data is analyzed using a reflective method. The research uses a phenomenological stance in order to arrive at the answers to the selected research questions, which require an in depth and contextual understanding of the situation under study. The research methodology is presented in detail in chapter 3.
The available literature has revealed that some issues have been highlighted regarding possible failures of performances and issues related to security (Bernstein et al, 2009), but there is little evidence of empirical research that has tried to assess the end users’ experience and opinion on the security challenges. The current research is significant as it aims to explore the perceptions of the end users on the security, privacy, and related issues encountered by them during the course of using cloud computing services. It is expected that the findings from the current research will highlight the level of awareness about security issues among the end users and also inform the available literature on the type of security problems and challenges that are frequently encountered by end users and also highlight possible solutions for security problems. The research is significant as it is an initial endeavor to compile the information using the perspective of the end users, rather than from the opinion of technical experts or industry watch-groups. This focus on customer perspective on security issues is expected to bring forth the expectations that the end users have of the cloud computing service providers and also highlight the changes that are needed to build the end user confidence and encourage more organizations to embrace the cloud computing technology. As such the current research is expected to provide recommendations for the service providers and marketers of cloud computing services.
Outline of Dissertation
Chapter 1 Introduction contains an overview of the research background and establishes the rationale for the current research. It presents the research questions, aims, and objectives and gives a brief synopsis of the research methods. Chapter 2 Literature Review discusses the already available literature on debates, research, and opinions of scholars that relate to the current research’s topic. Chapter 3 Research Methodology presents the research approach, research methods, and research design in detail. It discusses the suitability of the chosen methods for the achievement of the current research’s objectives.
Chapter 4 Findings provides a view of the research findings through sub sections that conform to the research aims and objectives and which provide an insight about the perception of end users on the security challenges faced by their organizations.
Chapter 5 Discussion and Analysis presents a detailed discussion of the findings using the insights gained from the literature review presented in chapter 2. Chapter 6 Conclusion and Recommendations contains a summary of the research findings and also presents the conclusions drawn from the research. It presents a list of recommendations for the improvement of the security and data safety related performance of cloud computing services. The chapter ends with a discussion on the limitations of the current research and makes recommendations for any future research.
Chapter 2: Literature Review
This chapter describes cloud computing’s utility and scope in various fields. It also evaluates different technical formats or cloud computing platforms. Security has become a major focus for most companies in this modern world. This chapter also gives a brief outline of the security vulnerabilities and security issues such as impact on data confidentiality, auditability, data transfer, data protection and security, network security, impact on performance, customer confidence about this service, security issues in large distributed systems, and security concerns and software licensing issues.
Cloud Computing – Concepts and Definitions
Cloud Computing is a new technology that is delivered in this modern technology-driven market as a computer service rather than a product (Bernstein et al, 2009; Davies, 2009).
Several definitions can be derived for the term “Cloud Computing” based on who is using it, where it is being deployed, and for what purpose. Basically, Cloud Computing is an advanced technology, where software, shared resources, and information are provided to computers or any other devices on the network (Farber, 2009). The name cloud computing has come from the flowcharts that were used in various presentations to represent the interconnectivity of computers and devices (Grossman et al, 2009).
Cloud Computing, when used for sharing software, becomes cheaper, as this software-as-a-service is more affordable to the users than having to buy software for desktops (Reese, 2009). Cloud computing is also a popular term among people who deal with servers. They define cloud computing as a network of remote servers hosted on the Internet to store, process, and manage data, rather than a local server (Foster, 1998).
There are two types of clouds: private cloud and public cloud. A private cloud is owned by a user on a private network or a data-center and a public cloud is a storage area on the Internet where anyone can host applications. Most of the service providers use public cloud resources to create a private cloud (Haff, 2009). The next section gives more details about the scope of cloud computing.
Scope of Cloud Computing
The growth of cloud computing is tremendous, especially in the case of small and medium scale companies in developing countries like India that are planning to deploy ERP applications by using cloud computing core technology – software as a service. Regulations in developing countries vary from developed countries (Ryan et al, 2007). According to experts, the cost of deploying a traditional ERP system is too high when compared to the cloud based software as a service model (Berl et al, 2010).
This makes it easy for organizations to enhance their computing storage and processing capacity without adding vast costs for equipment purchase (Proffitt, 2009). The need for cloud computing has been growing in public sectors. Most government-based organizations have started to create private clouds to ensure data security and minimize the risk of governance (Thomas et al, 2011). This trend is also expected to reach the public sector companies in the near future. Cloud computing technology is being effectively deployed in government agencies as the ministries are often isolated and restricted in terms of storing and sharing the data.
Platforms of using Cloud Computing
Cloud computing services come in three categories. They are Software as a Service, Platform as a Service, and Infrastructure as a Service.
Figure 1: Different Modes of Cloud Computing Services
Software as a Service (SaaS)
Software as a service is the most popular and commonly deployed service of cloud computing. The software and the associated data are stored at the cloud computing service provider’s end, while the end users can access the software from any remote location using their Internet connections (Lamb, 2009). An example of SaaS is an on-demand ERP software application.
Platform as a Service (PaaS)
Platform as a service is one of the most used models in today’s modern world. In this case, a platform is used as a service, wherein a set of software tools and applications are hosted on the provider’s platform. The example for this kind of service is salesforce.com. PaaS can include development, testing, and deployment as well as application design and web service integration (Mullin, 2009). Cloud computing is majorly used for data hosting services. Unlike traditional hosting, where the customer used to purchase the server to store the data or host the websites, cloud computing gives users an opportunity to purchase the space on the virtual server, which is hosted on the remote network. There are no costs of purchasing and maintaining servers because cloud computing technology offers on-demand services (Schubert, Kipp and Wesner, 2009). If a customer wants to purchase some space on the server for a limited period, he or she will be charged for the space and for the time it is being used.
Infrastructure as a Service (IaaS)
Infrastructure as a Service is also called utility computing. This service module provides all-encompassing services involving data storage servers, software applications and also data-centre space and network equipment. This is a more expansive service and enables the customers to completely outsource their computing needs (Schubert, Kipp and Wesner, 2009). A service like Amazon Virtual Private Cloud Service is a perfect example of this type of utility computing.
Core Cloud Computing Technologies
Cloud computing is mainly based on three core technologies. They are web applications, virtualization technology, and cryptography.
Figure 2: Cloud Computing Core Technologies
The web application is the core technology that enables the software as a service and platform as a service models, where the users can access the software applications and the servers.
Infrastructure as a service is largely based on the virtualization technology. Cryptography is also a core computing technology, which is used for security purposes (Boneh and Waters, 2007). Without cryptography techniques, it is difficult to develop and maintain the services of cloud computing.
Reasons for Cloud Computing Security Vulnerabilities
Companies take measures to ensure that data security is maintained and that data is safeguarded against hacking attempts.
Figure 3: Security Vulnerabilities
Networking or Shared Space Vulnerabilities
Experts from the University of California and Massachusetts Institute of Technology have recently released a report on the dark spots of cloud computing and how the data stored on cloud computing is vulnerable to numerous threats (Johnson, Levine and Smith, 2009). As a cloud environment is a shared environment, there is always a threat of open access to data which is stored on the shared environment, unless clear-cut precautions are taken (Johnson, Levine and Smith, 2009).
Authorization and Access Vulnerabilities
For example, the Cross Virtual Machine Attack has become a trend and hackers use this technique to hack the target server (Mills, 2009; Markoff, 2008). The apparent vulnerability has been the cause of loss of image as well as revenue for cloud computing service providers (Reese, 2009).
Core Technology Vulnerabilities
Problems like session riding and session attacking on web applications are related to cloud computing vulnerabilities only because these attacks are intrinsic to the web application which is hosted on the cloud computing environment (Kwasniewski and Puig, 2011). Another vulnerability of core cloud computing is related to cryptography (Mullin, 2009). All data stored in a cloud computing environment is secured by cryptography. With the advanced technologies in cryptography, it becomes easier to break even the strong encryption which is used by the service providers to store the data on the cloud (Schubert, Kipp and Wesner, 2009).
There is a probability that a unique security vulnerability problem may exist in each of the three platforms of cloud computing (Kwasniewski and Puig, 2011).
Platform Architecture Vulnerabilities
The cloud reference architecture can be divided into 3 major parts. The first one is cloud-specific infrastructure; the second one is non-cloud or supporting infrastructure; and the third one is cloud service consumer. A cloud-specific infrastructure is a part of a cloud environment. The supporting infrastructure might not be on cloud environment because it covers cloud non-specific environment and may be located at a third party premises. This is an area of vulnerability to the threat of data security, as the support environment may get penetrated by a user in the cloud environment (Haff, 2009).
The end users are not in control of system specific vulnerabilities like location of their data, hacking, and other vulnerabilities that cloud computing inherently has (Gentry, 2009).
Most of the service provider companies do not appear to be prepared to meet the security related challenges (Mullin, 2009). However, in the case when things do go wrong, there appears to be a lack of ownership and accountability (Ranjan, Harwood and Buyya, 2008). The service providers blame the entire cloud computing system or the end users while the end users may shy from embracing the new technology (Praveen and Betsy, 2009).
Some of the prominent data protection issues with cloud environments are poor internal IT, hacking, unauthorized access to the databases, and loss of data due to third party cloud environments (Newton, 2009).
Data Recovery Vulnerabilities
A prominent vulnerability is related to data recovery. This is because resource sharing is one of the prime characteristics of cloud computing, and hence the resources that are allocated to one system may be reallocated to another system in future (McClure, 2010).
There is a possibility of unauthorized access to the management interface, which can change the administration rules (Berl et al, 2010). Unauthorized access to a management interface on cloud computing is an acute vulnerability, much more than it is on traditional computing systems.
The prime reasons behind the reluctance to adopt cloud computing are doubts about the availability of the impeccable service, security concerns and performance issues (Krugel, Toth and Kirda, 2000).
Data Transfer and Data Loss
The availability of the bandwidth as well as the incidence of downtime often leads to loss of data over the transfer protocols (Berl et al, 2010). In addition to the possibility of data loss, there is also reason to worry about internal sensitive information getting leaked, such as the forecasted volume of customers, the number of expected visitors to the site or the amount of expected e-commerce (McClure, 2010).
Manipulation of the bill, metering the bill, data manipulation, and billing evasions are also considered to be cloud computing vulnerabilities (Johnson, Levine and Smith, 2009).
Availability of the Service
In the initial stages of cloud computing, the major problem with the service is availability because the cloud environment is very complex. The question of service availability comes into the picture especially in the event of natural disasters, and where critical governmental and non-governmental services are needed (Krugel, Toth and Kirda, 2000; Mach et al, 2005).
It is expected that with an increase in the number of service providers over a period of time, it will become mandatory for service providers to look into all the issues that trouble customers (Krugel, Toth and Kirda, 2000).
Interoperability is one of the benefits that a customer gets from the cloud computing environment (Mach et al, 2005). The World Privacy Forum has done a critical analysis on the implications of information privacy and confidentiality of the business information on cloud computing (Kosar and Livny, 2005; Mach et al, 2005).
The location of the information on the cloud also determines the privacy and confidentiality levels of the data (Kosar and Livny, 2005). Sometimes, it is possible to replicate the information from one cloud location to another cloud location if the owner is the same for both the clouds (Kaufman, 2009).
At the moment, it is a practice by the end users that privacy of the personal information and confidentiality of the business information can only be maintained if there is no confidential data put on the cloud (Kaufman, 2009). This is a major barrier for organizations that deal with sensitive information to embrace cloud computing services.
One of the major negative points of cloud computing is lack of auditability, though nearly sixty percent of customers who use SaaS model services of cloud computing are happy with the audit and compliance services they are receiving (Mach et al, 2005).
Audit issues may vary from platform to platform. For example, in the case of the Software as a Service platform, the entire system is standard and it needs only minor customization depending on the customer requirement. The audit and assessment of the performance is standardized and fairly accurately undertaken. However, for other platforms like Infrastructure as a Service or the Platform as a Service, there is little standardization and audit protocols vary between different service providers (McClure, 2010). It is therefore considered good practice among the users to first understand the package that their service provider is offering and also to find out beforehand the past performance on audit and security related issues (Kandukuri, Paturi, and Rakshit, 2009).
Varied Data Protection Laws
Some of the external cloud environment service providers may not comply with the industry best security systems, which ultimately leads to data loss. With the emerging trends in technology, malicious activities like hacking have increased. Unauthorized access to the database on a third party cloud is a major issue these days (Kandukuri, Paturi, and Rakshit, 2009). Most of the hackers try to create a virtual machine in near proximity of the target server so that they can hack data from the target server. Third party cloud services are very vulnerable because they may not be bound to follow the protocols and compliances mandated by the main service providers’ or the end users’ country (Krugel, Toth and Kirda, 2000; Jain, Murty, and Flynn, 1999).
There is a growing awareness of the security issues, and an improvement with regard to security and data protection is called for in cloud computing services. In the coming days, security with regard to cloud computing is expected to increase.
Network security is a problem in the world today because the whole world runs on networks. With the increased usage of the shared networks and shared resources that cloud computing entails, the problem of network security has come into prominent focus (Armbrust et al, 2010; Jain, Murty, and Flynn, 1999). If network security is taken care of, data protection and application protection issues will be automatically solved. This is the reason why most of the service providers are trying to solve the networking security issues as their primary goal (Davies, 2009).
Security Concerns and Software Licensing Issues
As most of the applications are hosted on virtual private clouds, the customer does not need to purchase the hardware that is actually required for traditional application hosting (Iyer and Henderson, 2010). To solve these software licensing issues, most of the service providers have come up with the Software as a Service model, which is on-demand software wherein users need to pay on a monthly or quarterly basis to use the application (Davies, 2009).
Licensing on the cloud can be either based on the user or based on the processor. The per-user license can be divided into concurrent user licenses based on the requirement. Per-device license is issued based on the number of processors (Jain, Murty, and Flynn, 1999).
Cloud is a great environment, which helps customers with great up-time, scalability and flexibility but when it comes to the licensing part, it becomes a nightmare. The best way to do this is use open source options like MySQL and Ruby on Rails. The average cost per licensing these open source options is almost zero (Armbrust et al, 2010).
Security Issues and Impact on Performance
Security issues impact the performance of computing systems, and everything from data security, privacy and business information confidentiality to network security needs to be perfect in order to ensure that the performance of systems is of high quality.
Figure 4: Performance Issues due to Security Concerns Related to Cloud Computing
Lack of security may lead others to hack the data from the target server, where the most important data is stored (Iyer and Henderson, 2010).
Another issue that arises due to the security related concerns is that service providers tend not to document the access details of their users (Barroso and Hoelzle, 2009). In addition, the cloud applications which are not secured may hamper the performance of the entire process. There is a threat of malware or malicious attacks that may be targeted towards one or more users of the cloud or may simply be initiated to get the entire cloud affected (Praveena and Betsy, 2009).
In addition, the cloud computing related security concerns have made the end users become wary of who they authorize and provide access to their data at their ends. This has made them enlist independent verification services to obtain background checks on their employees and associates (Ranjan, Harwood and Buyya, 2008).
Customer Confidence about Cloud Computing Service
Users were not happy with the cloud computing a couple of years ago because of several security issues but with the advanced technologies, service providers started responding positively to the customer queries and that is boosting the confidence of the customers (Ranjan, Harwood and Buyya, 2008). There is a growing acceptance of cloud computing, not only as Software as a Service but also as Infrastructure as a Service platforms (Barroso and Hoelzle, 2009).
The best example for the user confidence on cloud computing is that most of the small and medium scale companies have also started using cloud computing services to deploy their on-demand ERP applications. This is the major advancement in building the customer confidence. However, there are still complaints about the security issues of cloud computing services. If cloud computing can build confidence of customers with regards to prevalent security issues, cloud computing would be the future of information technology (Armbrust et al, 2009).
There are several experts who warn organizations against putting all their IT services and data on the cloud, and encourage them to develop their individual IT department capabilities for the sensitive data (Schubert, Kipp and Wesner, 2009). The industry analysts predict that the current state of cloud computing does not warrant that organizations should make a rush to embrace it in totality. Instead there is a need to be vigilant and aware about the security issues and then make an informed decision regarding what data and what resources can be shared on the cloud (Armbrust et al, 2009).
Best Security Practices in Cloud Computing across the World
With the prices for using the cloud computing environment dropping significantly, the majority of people would want to try the cloud environment but they are taking a step back because of the security issues (Praveena and Betsy, 2009). The following section assesses the best security practices that can be implemented to increase the security of the cloud computing environment.
Following government compliances while creating the cloud environment is very important. Most of the third party service vendors do not follow the government compliances while creating a cloud computing environment (Newton, 2009). The users need to be aware of their service provider's past history and compliance strategy (Mullin, 2009). In addition, the development of legislation and ethical practices code is also in its nascent stage. At the moment, if any mishap happens in the future, there are not many investigative laws that help the end user (Mullin, 2009). It is therefore necessary that further studies be undertaken to understand the cloud vulnerabilities and more standards and protocols be developed in order to address these issues.
The type of architecture will also impact the security. It is very important to embrace a secure-by-design approach to provide the much-wanted security to the data on the cloud environment. As per research study, third party servers are easily accessible to unauthorized accounts. With the help of a secure-by-design approach, the risk of data loss and data integrity can be reduced. Identifying an alternate deployment location may also be considered as one of the best practices in a cloud environment. It is the process of replicating the image of the data into another cloud, which is located at another location (Mills, 2009). It also recognizes any unwanted virtual machines in the near proximity of the target server (Kaufman, 2009).
Responding quickly to the threats would also solve the problem. For any software or technology, it takes time to break the encryption. If the owner of the data keeps on changing the encryptions, it would mitigate the risk of losing the data.
Customer Complaints and Feedback
At the onset of cloud computing, the end users appeared not to be happy with the cloud environments because of various issues. The main issues related to the cloud environment’s price and security concerns (Kaufman, 2009). A recent survey found that nearly sixty percent of users who used Software as a Service on cloud model were satisfied with the services and security offered by their service provider (Ranjan, Harwood and Buyya, 2008). Customer complaints have been reduced because customers have been very choosy in selecting the vendors these days (Kaufman, 2009). Initially, as there were not many vendors in the market, customers were forced to accept any vendor, even if the services offered in the cloud environment were not standardized or entailed more security issues. This was the reason for a large number of customer complaints. The complaints appeared to be largely associated with the small service providers and impacted the credibility of the cloud computing environment (Iyer and Henderson, 2010). However, the trend seems to have slowly improved as the big and acclaimed companies started providing cloud computing services (Bernstein et al, 2009). These big companies changed the perception of the customers, and now, if there is any problem with the cloud computing environment, it is purely assumed to be the fault of the service provider (Boneh and Waters, 2007). End users may not be educated on the security protocols and may be negligent at their end, but owing to the fact that a large or reputable organization is providing the cloud computing services, there are a large number of complaints and compensation claims (Grossman et al, 2009).
The security concerns are tangible and potentially dangerous and do need to be addressed by both the service provider and the end users.
Chapter 3: Research Methodology
This chapter discusses the research approach and philosophy that underpins the current research, and describes the research methods and tools and techniques employed for the conduction of the research.
The current research aims to assess the perception of security vulnerabilities and various issues related to managing the cloud computing resources in diverse organizations. It is therefore deemed necessary that the opinions and perspectives of the users, the organizations that subscribe to the cloud computing services, be the target of this current research. It is found suitable to adopt a phenomenological stance in the current case. A phenomenological research is useful as it takes into consideration the contextual information and the perspective of the research participants (Aronowitz and Ausch, 2000). This is in contrast to an experimental research that takes a positivistic stance and develops research methodology that is rigid and exclusive and does not take into account any contextual cues (Cho and Trent, 2006). The current research is descriptive in nature as there is already some literature available that discusses the possible security issues or variables that the researcher wants to explore (Fisher, 2004). The current research aims to assess the opinions of the end users of the Cloud Computing services and their perception about the performance of the Cloud Computing services on these variables. The aim of the research is therefore not to explore any tangential issues, but to describe and evaluate the current perceptions of the security related issues encountered by end users.
The research employs qualitative methods for the collection of data. Qualitative methods are the best suited methods for developing data collection methods for research that takes a phenomenological stance (Cho and Trent, 2006). This is because, the qualitative methods enable the collection of detailed opinions of the research participants and if chosen judiciously, can also enable the researcher to cross question and obtain additional data by providing contextual cues (Fisher, 2004). The qualitative methods, in contrast to the quantitative methods, are more appropriate when a new or complex situation needs to be studied and where the situational factors are deemed to be important. Quantitative methods furnish information that is restrictive and bound by the need to confine the responses into a mode that is amenable to quantitative analysis (Creswell, 2007). Hence, the survey instruments or the questionnaire scales used for quantitative method contain multiple choice close ended questions or require the respondents to identify codified responses. The quantitative methods therefore are able to furnish very specific and to the point details as there is no scope for the respondent to furnish his or her opinion or to express a doubt about any question. The quantitative methods do have an advantage which is that large number of respondents can be involved in the data collection exercise owing to the minimal time requirement that is needed for the data collection. However, the qualitative methods are time consuming as the time spent with each participant may be considerable, and hence the total number of participants can therefore be relatively smaller (Aronowitz and Ausch, 2000). This disadvantage of the qualitative methods is largely overcome by the vast amount of in depth and qualitative data that the method is able to furnish at the disposal of the researcher.
The current research therefore employs direct personal interviews as the qualitative method of data collection. The data collection method is discussed in further detail in the appropriate heading in the research design section.
The research design consists of the practical methods, tools, and techniques that are required to work at the ground level collection and analysis of the data for the research. As such, it consists of making decisions about the sample size, sample selection process, data collection method and instrument and the data analysis methods that could be appropriate for the research.
Sample Unit: The sample consists of IT managers from organizations that have used Cloud Computing services for a period of over two years consistently. The organizations that were selected for the current study include:
- Social Media Organizations – 2
- E-Commerce Websites Online Selling Consumer Products – 2
- Directory Services – 1
The selected social media organizations were involved in providing services to their own end users, and these services included data warehousing, data management, site management, multiple site generation, content development, search engine optimization, articles and content management, link building, referrals etc. These organizations are end customers of cloud computing services that allow them to host and manage their own customers’ enormous data. The details of the type of cloud computing services that these social media organizations avail of are mentioned in Chapter 4, Findings.
Two E-commerce websites were owned by organizations selling online car parts and pet food respectively, and the third website was owned by a local media company that provided directory services to the local population. These organizations are users of cloud computing to facilitate the vast amount of data that they own and to make it available to a large number of visitors to their site. The details of the cloud computing services used are presented in Chapter 4 Findings.
Sample Size: 5
Sample Selection Method: The sample is selected by a non-random sampling method using the convenience and judgment of the researcher. The organizations were selected as the researcher was either acquainted with the IT managers in these organizations, or knew some other senior manager. This allowed the researcher to obtain easy access and permission for the interviews. The non-random method of sample selection is largely considered as less sturdy than the random method of sample selection (Aronowitz and Ausch, 2000). This is because a random sample can be a true or a close representation of the actual population under consideration as each member of the population has an equal chance of inclusion in the sample (Creswell, 2007). The non-random sample, based on the convenience of the researcher, suffers from the disadvantage of being non-representative of the population, and may also introduce a further bias owing to the level of acquaintanceship between the researcher and the respondent (Bell and Opie, 2002). The non-representativeness of the sample is however underplayed in the current case as the selected organizations closely conform to the end users profile for cloud computing services and hence are deemed to be suitable representation for the purpose of the current research. In addition, the research participants are professionals and hence expected to provide credible and authentic responses. The researcher has also undergone an intense self-reflection where his own perceptions and opinions were objectively analyzed and precautions taken so as not to influence the respondents during the interviews.
Data Collection Method
The research is conducted using the direct personal interview method where the respondents are interviewed face to face by the researcher. This is the most suitable method for obtaining qualitative data for a phenomenological research as it allows the participants to freely express their opinions and perceptions (Bell and Opie, 2002). It also provides additional information in the form of cues from body language and tone of the respondents and hence enables the researcher to pursue a line of conversation or modify the question in a bid to gather better insights. Direct personal interviews are more time consuming and tedious to arrange than telephonic interviews (Creswell, 2007). This is because the direct personal interviews require a more accurate scheduling of the interviews to suit the time and location of the respondent as well as the convenience of the researcher, while telephonic interviews are easier to arrange and require relatively less time (Barker, 2005). However, as the telephonic interviews are impersonal, the researcher may hesitate to cross-question and also misses out on the body language and non-verbal cues offered during a direct personal interview (Bell and Opie, 2002). A direct personal interview, if conducted by a trained interviewer, can lead to building of confidence between the participant and the researcher and hence encourage the participant to provide expansive, honest and credible information without hesitation (Aronowitz and Ausch, 2000).
The interview method is also preferred to other forms of data collection methods like email qualitative questionnaires, as such questionnaires suffer from several drawbacks in addition to being impersonal and non-interactive. The email or mail questionnaires may not inspire the respondents to write out their responses in detail owing to the tedious nature of doing the writing job, and also there may be no caveats about the authenticity or the credibility of the responses (Bryant and Charmaz, 2007).
In addition, the interview method, being a qualitative method is also better matched with the current aim of the research as opposed to using surveys or close-ended questionnaires. This is owing to the lack of the surveys to furnish detailed information, lack of authenticity and credibility due to no provision of cross questioning or pursuing a question intimately, and due to the lack of motivation or interest on the part of the respondents to fill out the surveys (Aronowitz and Ausch, 2000).
Data Collection Instrument
The research uses a questionnaire for supporting the interviews of the selected IT managers. The questionnaire is developed on the basis of the insights gained from the literature review about the possible and probable security related issues concerning cloud computing services and the criteria for customer satisfaction. In addition, as the researcher himself is well educated in cloud computing and is aware of several issues and challenges inherent in the use of the service, the questionnaire is also enriched by the personal knowledge of the researcher. The research questionnaire contains twelve open-ended questions that aim to gauge the perception of the IT managers on issues like privacy, ownership, availability of service, data confidentiality and audit ability, data transfer, data protection and security, network security and performance. These questions encourage the respondents to give their detailed inputs and insights about what they consider is the present performance of the cloud computing service that they are using, and what they would like to improve. The research questionnaire is developed with questions that are simple, short, and straightforward, and which hence facilitate easy understanding of what the respondents need in order to answer them. It is essential that the questionnaires are not too complex or tedious as the participants tend to lose interest or get confused with the questions and hence end up giving non-relevant answers (Bryant and Charmaz, 2007).
A copy of the questionnaire is attached as the Appendix A.
Data Analysis Method
The data collected from the respondents’ interviews is both hand-written and also taped (with the permission of the respondents). The analysis is conducted in a manual manner using reflective method. The researcher read and segregated the responses from each of the six respondents under each of the questions in the questionnaire (Appendix A). The segregated responses are then read together to highlight themes or commonalities and then these highlights or themes are presented as findings in chapter 4. The analysis of the responses is undertaken using the insights gained from the literature review and the researcher’s own understanding of the cloud computing issues. The analysis is undertaken with the aim of assessing if the perceptions of the respondents corresponded (or contrasted) with the available literature on the issues, and if there were any significant and novel insights attained not present elsewhere in the literature. The analysis is then discussed in chapter 5, with the focus on answering the research questions.
The reflective method of data analysis suffers from the drawback of it being subjective and hence prone to researcher bias (Aronowitz and Ausch, 2000).
Research Validity and Reliability
The current research aims and objectives are grounded in the exhaustive literature review which revealed the scope and need for the current research. The research used methods that suited the purpose of the research and employed qualitative approach to data collection which helped in gathering accurate and valid information. The research instrument was however not tested for validity or reliability. The instrument’s validity was expected to be established due to the fact that it was based on the insights obtained from the literature review. In addition, the reliability of the instrument, though not tested empirically, was established by asking a colleague to provide answers twice with an interval of time between the two attempts. This, in lieu of a pilot test, was considered to establish that the instrument was a reliable measure.
In addition, the researcher used several safeguards and best practices that added to the research validity. For example, the selection of the sample, though based on the judgmental technique, was also based on the consideration that the selected managers were experienced and well-versed in the cloud computing that was being deployed in their respective organizations. The selection of these IT managers therefore ensured that the research would obtain the responses that will be valid, accurate, and suited to arrive at the achievement of the research objectives. Next, the research also ensures that the data collection is completely unbiased and objective, even though qualitative method of data collection is employed. The researcher underwent intense self-evaluation and introspection to confront his own biases and preconceived notions about the security issues inherent in the cloud computing environment; about the average IT managers’ perspectives and understanding of the cloud computing related security issues; about the ability of the respondents to give clear, honest and accurate responses and about his own skills as an interviewer. This introspection and self-reflection enabled the researcher in adopting a neutral stance during the interview sessions and maintaining a non-subjective involvement with the respondents during the interviews and in analyzing the responses at the analysis stage of the research. The researcher also ensured that the reflection method of data analysis was free of bias, by acknowledging his own opinions and then discarding them to obtain a new objective focus on the responses. The researcher also enlisted the help of a colleague to peruse the analysis and to highlight any incidences of subjective evaluation or bias on the part of the researcher. This activity further enhanced the reliability of the research findings.
The research was based on the relevant ethical considerations that are warranted in the case of research undertaken with human participants. The researcher adhered to the protocols of informed consent, confidentiality, and privacy for the research participants. The researcher initially informed the prospective respondents about the nature of the research and the purpose to which the research findings will be put. This ensured that when the participants agreed to get involved in the research, they were fully aware about the scope of the research and the use their responses will be put to, thus fulfilling the ethical consideration of informed consent (Barker, 2005; Bryant and Charmaz, 2007). In addition, the researcher also assured that the responses are analyzed in a manner that the individual responses are not identifiable to the specific respondent, hence maintaining the confidentiality of their responses (Cho and Trent, 2006). The researcher also endeavored to keep the responses as well as all the demographic data related to the respondents private and not furnish it under any circumstances to any third party. Toward this, the researcher intends to destroy the recorded responses and the interview transcripts after the current research is complete and presented for review and gets the final gradation.
Chapter 4. Findings
This chapter gives a presentation of the findings from the interviews of the five IT managers from diverse organizations that have been involved with cloud computing. The findings are presented in the form of tables or charts and also accompanied by explanatory comments from the researcher. The findings are further discussed in the next chapter to highlight the themes that lead to the achievement of the research objectives.
Time Duration Spent with Cloud Computing
The 5 interviewed managers from the different organizations reported that they had been working with cloud computing between 2 and 4 years. See Table 1 below:
Table 1: Experience with using Cloud Computing
|Organization|Number of Years with Cloud Computing|
|---|---|
|1. Social Media Organization 1|2|
|2. Social Media Organization 2|3|
|3. E-Commerce Websites Online Selling Consumer Products 1|2|
|4. E-Commerce Websites Online Selling Consumer Products 2|2|
|5. Directory Websites|4|
Type of Cloud Computing Services Used
The respondents were asked to discuss what services they used and why. The names of the service providers are not mentioned owing to privacy concerns. However, the respondents’ organizations were found to use cloud computing services mostly on an ad hoc basis, for example, during holidays and Christmas time when the expected visitors for the websites were larger. However, for the type of services subscribed on a more permanent basis, the organizations gave the following details:
Table 2: The Cloud Computing Services used by the respondents
|Organization|Cloud Computing Services|
|---|---|
|1. Social Media Organization 1|IaaS: for servers for storage of data; for networking equipment; for software for posting content|
|2. Social Media Organization 2|IaaS: for servers for storage of data; for networking equipment; for software for posting content|
|3. E-Commerce Website Online Selling Consumer Products 1|PaaS: for managing CRM|
|4. E-Commerce Website Online Selling Consumer Products 2|PaaS: for managing CRM|
|5. Directory Website 3 (City Search Website)|PaaS|
It is seen from the above that the organizations use predominantly IaaS and PaaS. The organizations that use e-commerce sites for selling their products online need the cloud computing services for managing data storage and also for software for CRM and accounting. In the case of social media organizations, the need is more for developing networking capabilities and for applications that enable access and posting to social media sites and other networking sites.
Owing to the specific needs of the end customers, the cloud computing services were also reported to be customized. For example, in the case of the e-commerce site that sold car parts, the need was for managing an extensive CRM program that also included keeping the information and data about car sales through various dealers in the region. This was because the e-commerce organization used a strategy of proactively tracking car purchases and following up on the owners with offers of parts depending on the age of their cars. This strategy therefore required the organization to not only track its existing customers, but also develop a data base of prospective customers by obtaining and utilizing the data of the car sales in the vicinity. In order to achieve this objective, the CRM cloud computing services that they obtained from their service provider had included an added application that allowed the car parts organization to feed in information on car registrations and sales in that region.
The other organization operated through an e-commerce site where the customers could buy pet supplies. This organization supplied packaged food, clothes, toys and other accessories for pets, and also operated a kitchen where the visitors can order freshly made meals for their pets. The organization had links with courier delivery agencies and it operated over a network of 10 cities for its packaged products and within the city for delivery of meals. This organization did not keep a stock of its products on the premises but operated through a network of suppliers. Earlier, the operations were easily conducted using phones and emails, but the growth in business had placed additional pressure to invest in database management hardware and software, as well as software for keeping track of the orders and deliveries. The organization started using cloud computing resources for storage and for application software that enable them to coordinate supplies and deliveries and manage the business without upgrading its own networking capacity or buying costly equipment.
Similarly, in the case of the social media organization, the organization needed to develop an online marketing campaign for a large client who needed over 2000 websites to be managed for his new product launch. The social media organization was tasked with hosting and maintenance of all these sites, in addition to providing a regular presence for its client on numerous blogs and social networking sites. The social media organization rented server space as well as networking equipment for the peak job and was able to enhance its own capacity to deliver service for the large client without the need to invest in new hardware or networking capacity. The second social media organization that participated in the research stated that it has a regular and almost permanent subscription to applications that enable it to post content for its clients on multiple sites. The organization that managed a local search engine to facilitate the visitors to search for local deals, discounts, places to visit etc. needed storage space as well as hosting support for its content and image intensive website, as well as to cater for a large number of hits that it received and which threatened the site to shut down. It also used cloud computing applications that enabled the visitors to play games or interact with other members.
The above findings indicate that there is flexibility and cost effectiveness offered by the cloud computing services and these are the predominant reasons that encourage the end users to obtain the services.
Issues and Challenges Encountered by the Organizations with Cloud Computing Services
The respondents were asked to discuss some of the issues and challenges that they may have encountered during their experience with using the cloud computing services. The respondents reported the following prominent incidents that they had encountered:
Figure 5: Problems Encountered by Organizations with Cloud Computing
The above figure highlights some of the problems that were encountered over the past years with cloud computing services. The most prominent problem that was reported by all the organizations was that of ‘applications not available’. This was seen to have occurred for all the organizations to some degree in the past years. For example, in the case of the Local Search website, the IT manager reported that one of the gaming applications that they have on their site does not load or work at intermittent intervals. The IT manager revealed that there is nothing that they can do but to wait as they get an automated message about there being server issues at the service providers’ end.
Similarly, in the case of the pet supplies website, the IT manager reported that their order and delivery monitoring software has been unavailable for more than five times in the past year. Another issue that was encountered was that of delays in getting the site up and running after maintenance (as stated by the car parts organization) as well as delays in the content getting posted on multiple sites (reported by one of the social media organizations).
Another issue that was highlighted was that there was often a loss of data while migration was undertaken and hence repeated uploads were needed. In addition, 4 of the respondents stated that there was no provision for contacting the service provider and getting the problem rectified in real time. For example, the Local Search site IT manager stated that at one time when the site was going down repeatedly due to an unprecedented number of visitors, the organization wanted to upgrade its capacity immediately. According to this respondent, their cloud computing service provider was able to get back to them only after a lapse of 24 hours, and they lost further time getting the formalities done and deciding how much capacity was needed for upgrading.
One of the respondents (the IT manager from the car parts sales organization) also reported that there were complaints from their customers that they received cold calls and random messages from telemarketers after they had subscribed to the organization’s newsletter. The IT manager was confident that their organization does not reveal the customers’ private data, so was of the opinion that the problem may have occurred at the data storage end of the cloud that they were using.
The above responses reveal that the organizations using cloud computing services were largely involved with concerns related to the technical aspects of cloud computing and were not considerably aware or concerned by the security related issues. The following sections of the chapter deal with specific questions that the researcher asked the IT managers about the security related issues. The aim of these sections was to assess the awareness and concern of the IT managers related to the data security, integrity, and similar issues.
Perceptions about the Data ownership
The respondents were asked to discuss issues related to the ownership of the data when they place it on a cloud. The responses provided were unanimous in the assumption that the data belongs to the organization and not the cloud computing service provider. For example, in the case of the car parts organization, the IT manager stated that, “we generate the leads and we develop the prospective client lists. Also the data for existing customers is developed through tapping into our own billing department and after sales service reports. So, the ownership of all the data is certainly ours.”
In the case of the social media organizations, the ownership of the data was a more complex issue as the social media organizations operated in the business to business sector. As such, the data that they needed to store or work with related largely to their clients and hence, the ownership was ascribed to the clients. For the local search site, the data was largely in house generated and hence the ownership was claimed exclusively by the organization.
Perceptions about the Data Confidentiality and Privacy
The above section on perception of data ownership highlights the fact that the organizations consider themselves as the owner or the sole responsible entity for the data that they put on the cloud. This means that the responsibility and accountability in the case of any breach of security needs to fall with the organizations. However, when asked about how the organizations think that their data is kept confidential or secured, the IT managers were not very informative on the issue. The managers stated that they largely perceived the cloud computing services as capable of managing the data confidentiality.
For example, the IT manager from the social media organization stated that his organization signed an agreement of confidentiality with the service provider.
Other managers also stated that their organizations relied on the agreements signed with the service provider to ensure that their clients’ data or their own reports and results and statistics were not revealed to any third parties.
The researcher further asked the respondents to elaborate on any other reasons (other than the MOU agreements) that they derive the reassurance of their data confidentiality.
Figure 6: Rationale for Perception of Data Confidentiality and Privacy
The above figure highlights some of the reasons stated by the respondents that made them trust their service provider for managing data confidentiality.
Perceptions about Data Integrity
The respondents were asked about their perceptions of their data integrity, or that their data was untouched or changed. It was observed that the respondents on the whole were worried about their data integrity as they revealed they needed to share their passwords as well as internal information in the case when the cloud computing service provider also provides maintenance for their systems. For example, the IT manager from one of the social media organizations stated that their content is easily accessible to their service provider as they constantly need support from them for putting content on a very large number of sites that are either hosted by the cloud or are part of the third party affiliates. In the case of the city search service provider, it was revealed that the IT department had to upload daily content on their own website and then provide scores of back links and referral links with other sites. This was facilitated by using the cloud computing services that enabled them to link to a very large number of sites as well as to take on a large number of visitors at one time. The IT department was aware that while they were in charge of the manual uploading, they often needed the help of the cloud computing service provider to assist them in overcoming glitches and their content was available to the service provider whenever needed. The above findings revealed that there are chances that the employees at the service providers’ end can access or manipulate the data of the end user.
Perceptions about Audit Ability
The end users who were using PaaS (table 1) service were largely satisfied with the audit and compliance standards as they predominantly used the software; and for data storage they had not encountered much problem in the past. In the case of IaaS, the social media organizations and the city search site had mixed feelings about the audit and standardization. It was reported, by the social media organizations that they did face some confusion and disturbance when using the networking resources as at times they did not read the small print and were not aware of the sharing and ownership related issues that can come up. There were also concerns regarding the storage of data on the third party server, which could go even beyond the jurisdiction of the cloud computing services.
Perceptions about the Security Issues Related to Data Transfer
Data transfer has been a crucial issue for networking specialists due to the chance of data loss and data theft that is inherent during the transfer (Buyya et al, 2009). When the IT managers were asked to provide their perceptions about the data transfer safety, they were largely of the opinion that the cloud computing service is competent and ensures that the data transfers are safe. In the case of the car sales IT manager, it was found that there was a recent scare about data theft or deliberate malpractice by the cloud computing service provider as the customers had complained of receiving sales calls from various car dealers and other accessories parts after they did business with the interviewed company. This incident was however not followed up so the reality of the issue was never explored.
Perceptions about Network Security
The IT managers were of the opinion that the cloud computing service provider, being in the Internet and networking business for long, would be prepared for the network security issues as well. The respondents, though aware of the existence of hackers and the challenges faced by the third party servers for data storage, appeared to be comfortable with the cloud’s network security.
Perceptions about the Overall Performance of Cloud Computing Service
The researcher also asked the respondents to give their opinion on the overall performance and the security issues encountered by them during the past few years of using the cloud computing resources. While the questionnaire contained this as an open-ended question, where the respondents were asked to state whatever they wanted to, the researcher also asked them to give a rating between 1 and 10 on the overall performance, security, ease of operations, and service provider sensitivity and accountability. The following figures reflect the findings:
Table 3: Satisfaction with Cloud Computing Services and Vendors
Rating No. of Respondents
|1 (very poor)||2 (poor)||3 (average)||4 (good)||5 (very good)|
|Ease of Operations||Four||One|
|Service Provider Accountability||Four||One|
The above table shows that the respondents had rated the cloud computing services’ overall performance as average and only one rated it as above average. On the perception of security, three out of the five interviewed managers rated the services as poor while one each rated their services as average or good. On the ease of operations, the cloud computing services were largely rated as good or very good. Finally, on the accountability of the service provider, four respondents rated it as poor.
The researcher further explored the responses by asking the respondents to give rationale for their choices.
The social media company stated that the performance of the cloud is good as they are able to enhance their scalability and serve large clients, which would not be possible without the use of the service. In the case of the pet supplies organization and the car parts organization, it was found that their company used the accounts and logistics software that helped them serve a larger number of clients. For the city search organization, cloud computing enabled them to host content, develop hundreds of backlinks and take thousands of visitors and hits. The interviewed companies appeared satisfied with the overall performance and the business potential that they were able to utilize after starting on the cloud computing services.
In terms of security, the perception was largely that the cloud computing services are only secure to a certain extent. Though the interviewed organizations were not involved with sensitive information, they were concerned about keeping their customers’ data as well as their own internal data on the cloud.
Ease of Operations:
The responses indicated that using the cloud is a non-complex practice, especially in the cases where the companies are availing of only limited service components.
Service Provider Accountability:
In the case of accountability, the interviewed managers did not appear to be satisfied with their service providers. The reasons provided included delays in contacting them and eliciting any information in the case of problems, the lack of openness that the cloud companies exhibited regarding how and where the data was hosted, and the lack of feedback provision that the end users encountered.
Expectations from the Cloud Computing Services
The respondents provided several inputs about what they expect from their cloud computing vendor. These included the following:
Figure 7: Expectations of the End-Users from Cloud Computing Service Providers
The respondents wanted the cloud computing services to be more transparent about their operations and about how they manage their network security as well as protect the end users’ data and their own internal systems. In addition, the end users also wanted the cloud computing companies to become more accountable and come up with back up plans or insurance policies to support the end users in the case of any system breaches or other security problems. Next, the expectations related to more open and frequent communication with the service provider so that emergency and regular issues can be discussed and solved on a regular basis. Finally, the respondents wanted the vendor to ensure service availability on a constant basis.
Chapter 5. Discussion and Analysis
This chapter presents a critical analysis and discussion of the findings from the interviews of the IT managers from five participating organizations. The findings that were presented in the previous chapters are organized here to reflect the achievement of the research objectives that were outlined in Chapter 1. The findings are analyzed using the literature review as the backdrop with which the responses are contrasted and compared to understand how the interviewed managers perceive the security related concerns regarding the usage of cloud computing.
Perception of Security Related Issues in the Participant Organizations
The first research objective was to assess the perceptions of the end users of cloud computing on security, privacy, and ownership of data related issues. Toward this, it was deemed essential that the IT managers recall any incidents in the past that they may have encountered as a security challenge. Figure 5 in Chapter 4 indicates that the organizations had encountered data loss, downtime when the service was unavailable, lack of access to their own data, delays in service supply and lack of any feedback recourse for the end users. These findings indicate that the managers are more concerned about the issues related to the non-availability of the service and not about the security related issues. The loss of data that was cited as one of the reasons for concern was also linked to the lack of efficiency on the part of the service provider rather than being linked to the security issue. These findings are novel as they highlight that the security related issues are not a focal point as far as the IT departments are concerned. This is in contrast to the literature review findings where it was seen that a large number of organizations seem to be wary of using cloud computing services owing to the security concerns (Bernstein et al, 2009). The reason for this discrepancy between the empirical research findings and those of the literature review could be that the decisions regarding investments in IT or cloud computing are largely made at the top management level in organizations. It is presumably the top management that also deals with the decisions regarding assessing the security challenges related to cloud computing and evaluating if it’s beneficial and safe to work in a cloud (Farber, 2009). This means that the IT managers may not be intimately involved in the security challenges related decisions.
It is also possible that the organizations that were involved in the current research were not dealing with highly sensitive information or operations and hence these were not overly concerned about the security related issues.
The available literature is inconclusive about the ownership issue of the data, as the data may be generated by one party while it is managed by the cloud computing service provider and may be stored by the third party servers (Gentry, 2009). These three entities may be located in different regions or even different countries and hence come under diverse jurisdictions and be governed by different sets of local laws (Krugel, Toth and Kirda, 2010). There is nevertheless a growing emphasis on the consolidation of cyber laws and legislations, though there is much needed to be done in this area (Lamb, 2009). The available literature therefore indicates that the ownership and rights to access or use may be a subject of debate in certain cases; however, the current research found that the respondent organizations believed that they had complete ownership rights to all the information and data that they share on the cloud. This may be problematic in the long run as this conviction is found to be based on the respondents’ inherent belief rather than on the strength of any contracts or legal rights established towards the ownership.
Data Confidentiality and Privacy:
It can be seen from the findings that there is a certain lack of awareness and focus among the end users about the issues related to the security with cloud computing services. A theme that has emerged from the findings is that the end users are largely inspired by the brand name and the overall image of the cloud computing organization and this forms the basis of their trust. As can be seen from Figure 6 and from the responses of the IT managers on questions related to data confidentiality, it is apparent that they do not understand how the technical aspects of data storage can lead to breach of confidentiality. There is a large amount of research and data available that highlights the vulnerabilities of data confidentiality and privacy through cloud computing (Lamb, 2009). Some of the technical reasons for the breach that have been listed in the available literature include:
- Inability of the cloud to differentiate between sensitive data and non-sensitive data that makes access authorization easy for anyone operating on the cloud (Johnson, Levine and Smith, 2009).
- Deliberate malicious attack or hacking of the servers by one of the users of the cloud (Iyer and Henderson, 2010).
- It is technically possible for the service providers’ employees to retrieve data and use or sell it (Haff, 2009).
- The service provider using outsourced data servers, hence the physical location of the servers is in the hands of a third party, unknown to the end users (Davies, 2009).
It is interesting to note that the IT managers, though theoretically aware of the cloud computing system and how it operates, do not concern themselves with enquiring their service providers in further detail about the security aspects of their data. Figure 6 in Chapter 2 highlights the fact that the perception of trust is based not on sound technical understanding and confidence, but on the image, reputation and the recommendations for the cloud computing service provider.
The concept of data integrity involves having the confidence that the data will not be tampered with or changed in any manner by any third party of the cloud service provider (Bernstein et al, 2009). While data confidentiality means not revealing the information stored on the cloud servers or maintaining strict codes for disclosure and access to data, maintaining data integrity is a much more complex issue (Barroso and Hoelzle, 2009). This is because there are more chances and opportunities for the data to be tampered with consciously or due to accident. The data change or errors can relate to human or technical errors and can occur at the service provider’s end, the third party servers’ location or even at the end users’ end (Armbrust et al, 2009). The current research highlighted that the respondents did have concerns regarding the data integrity and believed that inefficiencies at the service providers’ end may lead to changes in their data. The findings also revealed that the end users were indulging in non-secure practices by sharing their passwords with the cloud computing service providers in the case of troubleshooting or emergency requirements. Overall, there appears to be considerable confusion about who could access their data and why, and the end users had to have faith in the good intentions of the service provider in order to continue using the cloud.
The research findings are in tandem with the available literature review regarding the perception of end users about the audit or compliance standards used, especially in the case of outsourced software applications. The literature review has also found compatible findings, where research conducted among the SaaS users had reported that the customers were largely satisfied with the software licensing issues (Mach et al, 2005; Mullin, 2009). Similarly, in the context of IaaS and other platform services, the respondents acknowledged that there was a lack of transparency about the legal issues and jurisdictions involved as there could be variable laws governing different stakeholders in the cloud, and this was also found to be the case in the literature, where it was reported that there is still much needed to be done to consolidate cyber laws and make them compatible internationally.
Data Transfer and Data Loss:
As mentioned in the literature review chapter, data transfers over the Internet are tied in with the availability of the bandwidth, the speed of the connection as well as with the number of users on the network. The cloud computing services often suffer from issues related to downtime, delays in data transfer and also loss of data in transition (Reese, 2009). In addition, there are possible security concerns regarding authorization and access to the data that is being transferred as multiple intermediary points may be involved, hence adding to the vulnerability of the data. The interview responses indicated that the end users were unable to obtain transparency from their service providers regarding the security of the data during transfer. One incident of probable unauthorized access to internal data or probable data theft was reported by the car parts manufacturer, but this organization too was not able to follow up on the suspicion. The findings indicate that though there are vulnerabilities and also reasons to suspect the cloud service providers, the end users find themselves helpless to react or to take a guided course of action.
Network security is a major issue in the context of cloud operations due to the inherent nature of the technologies that are involved in the cloud – virtualization, encryption and web applications (Schubert, Kipp and Wesner, 2009). The virtualization aspect of the network makes it difficult to verify each and every account holder and to authenticate their intentions, thus leading to the network’s internal insecurities (Ranjan, Harwood and Buyya, 2008). Similarly, there are issues related to the encoding and potency of the encryption that is used as well as the inherent vulnerabilities in the web applications. However, in spite of the potential threat to network security, the respondents were found to have placed their faith in the competency, skill and technological sturdiness of their service providers. This was in contrast to what has been reported by experts and critics in the field of cloud computing, where concerns of network security are being highlighted as the most challenging barriers to the growth of cloud computing.
Confidence and Satisfaction with Cloud Computing
The next objective was to assess the confidence and satisfaction of the cloud computing services among the end users. Table 3 in Chapter 4 highlights the various ratings of the overall performance of cloud computing, security related issues, accountability of the service provider and ease of operations. The ratings provided by the respondents reflect the fact that though cloud computing offers large scale performance benefits and helps the end users in obtaining scalability at minimum cost investments, there are several areas of concern in security as well as in the accountability and sensitivity shown by the service providers. The available literature has highlighted the fact that a large number of organizations hesitate in adopting the cloud computing services due to the lack of transparency about where and how their data is stored and managed (Praveen and Betsy, 2009). There are also industry-wide concerns about the legal issues involved regarding data ownership and data integrity (Boneh and Waters, 2007). The current research has highlighted that the end users are largely concerned about the data integrity and data access, while concerns about network security or confidentiality and privacy of the data were secondary. This was due to the fact that network security and other confidentiality issues were largely not encountered by, or did not become apparent to, the end user in the normal course of the operations, while data integrity was often prone to be compromised during the routine check-ups or maintenance activities involving the service providers’ employees. As such, the end users were not focused on the more prominent issues of network security and data confidentiality, which are repeatedly recorded in literature as crucial stumbling blocks for cloud computing services.
Another reason that was cited for this was that the end users were awed by the service provider image and background and presumed that the large corporations providing the cloud services would ensure ethical best practices and will also have the technological expertise to ward off any unauthorized access (see figure 6).
End Customers’ Expectations
The third objective of the research was to explore the expectations and needs for improvements as envisaged by the end users. There is little research available in this context and most of the available literature pertains to the opinion of the experts and relates to the inherent and potential security vulnerabilities in cloud computing. The current research was therefore one of the few empirical studies that examined the end users’ perspectives in detail and endeavored to obtain a first-hand list of expectations from the customers. It is noted that the end users expect more transparency regarding both the technological and legal issues involved when they contract with the service provider. This conforms to the available literature, which has pointed to widespread confusion and lack of information regarding the data storage practices used by the cloud computing vendors as well as licensing and ownership issues that are inherent due to the virtualization of the entire system (Armbrust et al, 2010). The research participants also wanted the cloud computing services to be more sensitive, forthcoming and interactive with them so that there could be a better resolution of any emerging problems and also so that the customer confidence is maintained. At the moment, the end users have to encounter the call centers or read self-help links and do not receive a more human response from the service providers, which could have boosted their confidence. This need for more contact and communication between the end users and the service providers has not been documented in the literature and hence is an insight worth noticing by the cloud computing service providing companies. Similarly, there is a felt need for the cloud computing services to be more accountable and responsible and provide full support and cooperation in the case of security breaches or other problems encountered by the end users.
As per the available literature, the cloud computing environment is an emerging one and there are still several issues related to legislation, cyber laws and jurisdiction, ownership etc. that have not been fully explored (Kosar and Livny, 2005; Grossman et al, 2009). The end customers are least informed and would like to look up to the service providers to not only enlighten them but also to provide some substantial guarantees and insurance cover against security challenges.
The final objective was to develop a list of recommendations for consolidating the security and data integrity performance of cloud computing services. This objective is achieved in the final chapter, conclusions and recommendations.
Chapter 6. Conclusions and Recommendations
Summary of Findings
The research aimed at answering the three research questions related to the perception of vulnerabilities of the cloud, the perception of what problems these vulnerabilities translate to during the operations of the end users, how do the end users assess them and what do they expect from the service provider. The research was able to successfully answer the research questions and also present a set of recommendations for the service providers. The following sections highlight the prominent conclusions drawn from the research findings.
Security Threats Perceived by the End Users Due to Cloud Vulnerabilities:
There is a lack of transparency on issues related to data ownership and on what legal recourse is available when there is a security breach within a cloud component that falls in the jurisdiction of an external government. Data integrity is a cause of concern as the end users are not aware of the authorization and access protocols for their data stored on the cloud.
There appears to be a faith based conviction that the data remains confidential and private in a cloud, in spite of the considerable research and expert opinion providing contrary evidence. A similar confidence in the technical capability and good practices of the cloud service provider is shown for network security.
The end customers are found to have limited focus on developing data security and confidentiality practices at their own end. This is a potential problem as there is little empirical research or literature that could be used as a foundation for this belief; instead the confidence appears to be based more on the ‘need to believe and accept’ as the end users do not have any other option.
Customer Confidence and Satisfaction:
The customers are happy about the capacity of cloud computing to help them scale up their operations at lower costs, but are also concerned about the lack of clarity on the data security issues and cast doubts on the responsibility and accountability of the service provider, based on the fact that the service providers are not quick to respond to the end users’ feedback.
The recommendations for the service providers are derived directly from the insights gained from the responses of the research participants about their expectations from the cloud computing services and from the industry wide best practices recommended by the experts and discussed in the literature review.
Consolidation of Best Practices and Standards of Operations
This recommendation is a general recommendation for the cloud computing environment and all the stakeholders involved in its operations, maintenance and usage. At the current stage, there are several stakeholders and entities that are physically located in diverse regions and hence may be bound by different laws, thus leading to conflicts and delays in resolution of problems. There is therefore an urgent need to develop a uniform system of legislation that is applicable over varied geographical regions. The development of standardized rules and caveats that can provide the much needed confidence boost and respite to the end customers is an exigent need for the growth of cloud computing. The development of best practices and standardization is dependent on developing a sound regulatory system.
Transparency in Service Level Agreements
While there is a lack of uniformity in the current level of legislations, there is also a widespread lack of awareness and vigilance on the part of the end users regarding their contracts with the service providers. There is a lot of small print and hidden text that is not understood by the end users, though the end users appear to trust the big companies that provide them with cloud computing services. It is therefore expected that the cloud computing service providers be honest and open with their customers and disclose the security challenges and potential loopholes or ownership related legal issues so that the customers can make an informed decision about accepting cloud computing. This recommendation is made predominantly on the basis of the findings from the interview where it was found that the end users make decisions based on the size and the image of the service provider. It is therefore recommended that the service providers be clean and forthright with the end users to continue enjoying their trust.
Investment in Security Technology
The service providers make large investments in terms of developing cloud computing services and infrastructure. Toward this, organizations either tend to develop in house research expertise or try to buy security technology from the competitors’ vendors. The security investments made by the cloud computing service providers are largely kept confidential or revealed as a marketing strategy to the customers. However, it is not sufficient to simply state what security measures are used; it is also necessary to ensure that the security protocols are valid, reliable and tested. This can be done by using proper third party audit (for example, using a SAS 70 Type II audit as used by the Google Cloud). It is also recommended that the cloud computing organizations invest in hiring experts and research that could help make a contribution towards removing even the inherent vulnerabilities in the cloud.
Education of the End Users
There also appears to be a need to develop the end users and educate them on the best security related practices. The cloud computing companies need to work in close coordination with the IT departments and make it mandatory for the organization to obtain a certification for deploying cloud computing resources. This may appear counter to the need to sell cloud computing to as many customers as possible; however, if this strategy is employed carefully, it can lead to a considerable reduction in complaints and problems at the end customers’ end. It is therefore recommended that training and technical knowledge generation be made a part of the installation process. For this, the cloud computing services can develop training manuals and testing processes and protocols and ensure that only the qualifying organizations are inducted in cloud computing. Contracts need to contain the clause related to certification and explicitly spell out the set of best practices that are expected from the end users’ IT departments for the successful running of the cloud services. In addition, the service provider can make provisions for testing the IT professionals on their knowledge and security vigilance related to use of cloud computing resources, their understanding of the complaint redress process and their troubleshooting skills. This will enable the cloud computing services to develop the organizations’ competence to use the best practices in cloud computing.
Interactive and Communicative
At the moment, the major cloud computing organizations provide the users with help center links and also receive calls at the call center. The process of lodging a complaint and following up on it is tedious and complex, and the customers often lose revenue while their problems are under processing at the service providers’ end. In most cases, the end users have to resort to finding answers to their problems using their own resources and IT knowledge, or browse through scores of technical forums, blogs and discussion sites in the hope of finding someone with a similar problem and hence obtaining a quicker solution. It is recommended that the service providers develop a system of regular interaction with their end users. Instead of waiting for the user to lodge a complaint, the service providers need to encourage the end users to provide regular feedback and voice their concerns through a customer platform. In this manner, the service provider can help in curbing and arresting any potential problems from manifesting and leading to customer loss of revenue. In addition, it will also generate novel and innovative ideas for remedying the security loopholes and direct the service provider to improve their strategy or upgrade technology ahead of the market.
Research Limitations and Scope for Future Research
The current research suffered from the limitation that only a very small sample of five respondents was involved in the primary data collection. A larger sample, even with qualitative research, could have yielded a wider perspective on the security related issues and hence, it is recommended that any future research should include a larger sample size. In addition, the research could reach out to only a few sectors and end-user businesses – a pet supplier, a car parts supplier, a local city search guide, and two social media organizations. It is recommended that more diverse business organizations, ranging from governmental departments, security agencies, media companies, medical and research organizations, and retail organizations, among others, should be included in any future research on cloud computing.
The research also recommends that large scale research using the quantitative approach to data collection may also be viable in obtaining an industry wide perspective and orientation about the security related concerns of using cloud computing. Further, the current research was restricted to a geographic region of X, and it would be more fruitful to conduct research that covers a larger region or even expands to numerous countries. Another limitation of the research is that it uses a research instrument which is not statistically or empirically tested for validity and reliability. There is no pilot research undertaken which could have informed the researcher about possible problems that may be encountered during the data collection process. In addition, no statistical testing is undertaken that could determine the content validity of the research instrument. It was presumed that the literature review was exhaustive and that the insights gained from it that are used to formulate the research questionnaire would ensure that the instrument is valid. The research recommends that for future research, it will be useful to develop a research instrument in a more standardized method and form, so that the reliability and the validity of the research are enhanced.
APPENDIX A: Research Questionnaire
3. Organizations’ Name
4. Cloud Computing Subscription Company Name
Q1: How long have you been using the Cloud Computing Services (CCS)?
Q2: What are the CC services that your organization avails of?
Q3: What are some of the issues that have caused problems during using CCS in the past 2 years?
Q4: What can you say about the availability of service?
Q5: What can you say about the data confidentiality?
Q6: What can you say about the issue of data ownership?
Q7: What can you say about the audit ability?
Q8: What can you say about the ease and security issues related to data transfer?
Q9: What can you say about the data protection and security?
Q10: What can you say about the network security?
Q11: What can you say about the overall performance of CCS?
Q12: What recommendations would you like to make to improve the performance or make CCS more secure for your organization?
- Aronowitz, S. and Ausch, R. 2000. A Critique of Methodological Reason’ the Sociological Quarterly . 41 4 : pp. 699-719.
- Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., Lee, G., Patterson,D., Rabkin, A., Zaharia, D. 2010. A view of cloud computing. Communication of the ACM, 53 (4): 50–58.
- Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Zaharia, D. 2009. Above the Clouds: A Berkeley View of Cloud Computing. Berkeley: EECS Department, University of California.
- Barker, C. 2005. Cultural Studies: Theory and Practice. London: Sage.
- Barroso, L. A. and Hoelzle, U. 2009. The Datacenter as a Computer. NY: Morgan and Claypool Publishers.
- Paul, I. 2011. Lulz Boat Hacks Sony’s Harbor: FAQ. PC World [Online]. Available at: http://www.pcworld.com/article/22936/lulz_boat_hacks_sonys_harbor_faq.html [Accessed 21 February 2012]
- Reese, G. 2009. Cloud Application Architectures: Building Applications and Infrastructure in the Cloud (Theory in Practice). NY: O’Reilly Media.
- Rhoton, J. 2009. Cloud Computing Explained: Implementation Handbook for Enterprises. NY: Recursive Press.
- Rochwerger, B., Caceres, J., Montero, R.S., Breitgand, D., Elmroth, E., Galis, A., Levy, E., Llorente, I.M., Nagin, K., Wolfsthal, Y., Elmroth, E., Caceres, J., Ben-Yehuda, M., Emmerich, W., and Galan, F. 2009. The RESERVOIR Model and Architecture for Open Federated Cloud Computing. IBM Journal of Research and Development, 53 (4): pp. 179.
- Sosinsky, B. 2011. Cloud Computing Bible. NY: Wiley.
- Bell, A. and Opie, P. 2002. Learning from Research – Getting more from your data. UK: Open University Press.
- Berl, A., Gelenbe, E., Di Girolamo, M., Giuliani, G., De Meer, H., Dang, M., and Pentikousis, K. 2010. Energy-Efficient Cloud Computing. The Computer Journal, 53 (7): 22.
- Bernstein, D., Ludvigson, E., Sankar, K., Diamond, S., Morrow, M. 2009. Blueprint for the Intercloud – Protocols and Formats for Cloud Computing Interoperability. IEEE Computer Society. pp. 328–336.
- Boneh, D. and Waters, B. 2007. Conjunctive, subset, and range queries on encrypted data. In Theory of Cryptography Conference (TCC ’07). Computer Science, 4392: pp. 535-554.
- Bryant, A. and Charmaz, K. 2007. The SAGE Handbook of Grounded Theory. London: Sage.
- Buyya, R., Yeo, C.S., Venugopal, S., Broberg, J. and Brandic, I. 2009. Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25 (9), pp. 599-616.
- Cho, J. and Trent, A. 2006. Qualitative Research, 1 3, 319–340.
- Creswell, J.W. 2007. Qualitative & Research Design. Choosing Among five approaches. California: Sage Publications, Inc.
- Davies, K. 2009. Amylin, Amazon, and the Cloud. BioIT World, 2 (1): pp. 35-42.
- Farber, R. 2009. Cloud Computing: Pie in the Sky? Scientific Computing, 2 (2): pp. 1.
- Fisher, C. 2004. Researching and writing a dissertation for business students, 1st Edition. Essex: Pearson Education Limited.
- Foster, I. 1998. The Grid: Blueprint for a New Computing Infrastructure. NY: Morgan Kaufmann Publisher.
- Gentry, C. 2009. Fully Homomorphic Encryption Using Ideal Lattices. ACM. Available at: http://domino.research.ibm.com/comm/research_projects.nsf/pages/security.homoenc.html/$FILE/stocdhe.pdf [Accessed 17 December 2012]
- Grossman, R. L., Gu, Y. H., Sabala, M., & Zhang, W. Z. 2009. Compute and storage clouds using wide area high performance networks. Future Generation Computer Systems–the International Journal of Grid Computing Theory Methods and applications, 25 (2): pp. 179-183.
- Haff, G. 2009. Just don’t call them private clouds. CNET News [Online] 27 January. Available at <http://news.cnet.com/8301-13556_3-10150841-61.html> [Accessed 17 December 2012]
- Iyer, B. and Henderson, J.C. 2010. Preparing for the Future: Understanding the Seven Capabilities of Cloud Computing. MIS Quarterly Executive, 9: pp. 2.
- Jain, A.K., Murty, M.N. and Flynn, P.J. 1999. Data clustering: A review. ACM Computing Surveys, 31: pp. 264-323.
- Johnson, L., Levine, A., & Smith, R. 2009. The 2009 Horizon Report. One Year or Less: Cloud Computing. Austin, Texas: The New Media
- Kandukuri, B.R., Paturi, V.R. and Rakshit, A. 2009. Cloud security issues. IEEE international conference on services computing, pp. 517–20.
- Kaufman, L.M. 2009. Data security in the world of cloud computing, security and privacy. IEEE, 7 (4), pp. 61–4.
- Kosar, T. and Livny, M. 2005. A framework for reliable and efficient data placement in distributed computing systems. Journal of Parallel and Distributed Computing, 65: pp. 1146-1157.
- Krugel, C., Toth, T. and Kirda, E. 2000. Service specific anomaly detection for network intrusion detection. Proceedings of the 2002 ACM symposium on applied computing, 201–208.
- Kwasniewski, T. J. and Puig, E. J. 2011. Cloud Computing in the Government. NY: Data & Analysis Center for Software.
- Lamb, J. 2009. The Greening of IT: How Companies Can Make a Difference for the Environment. NY: IBM Press.
- Mach, R., Lepro-Metz, R., Hamilton, B.A., Jackson, S. and McGinnis, L. 2005. Usage record format recommendation. WG: Global grid forum.
- Markoff, J. 2008. Microsoft Plans ‘Cloud’ Operating System. Nytimes.com. [Online] 27 October. Available at <http://www.nytimes.com/2008/10/28/technology/28soft.html> [Accessed 17 December 2012]
- McClure, D. 2010. Leveraging the Power of Cloud Computing in Government. Brookings: General Services Administration
- Mills, E. 200. Cloud computing security forecast: Clear skies. CNET News. [Online]. 27 January. Available at http://news.cnet.com/8301-1009_3-10150569-83.html [Accessed 17 December 2012]
- Mullin, R. 2009. The New Computing Pioneers. Chemical Engineering News, 87 (21): pp. 10-14.
- Newton, J. 2009. Are SaaS & Cloud Computing Interchangeable Terms? Daniweb.com IT Discussion Community [Blog] 16 February. Available at: http://www.daniweb.com/blogs/entry3993.html. [Accessed 17 December 2012]
- Praveena, K., & Betsy T. 2009. Application of Cloud Computing in Academia. IUP Journal of Systems Management, 7 (3): pp. 50-54.
- Proffitt, A. 2009. Pharma’s Early Cloud Adopters. BioIT World, November/December, pp. 31-32.
- Ranjan, R., Harwood, A. and Buyya, R. 2008. A case for cooperative and incentive-based federation of distributed clusters. Future Generation Computer Systems, 24 (4): pp. 280-295.
- Reese, G. 2009. Cloud Application Architectures. NY: O’Reilly Media.
- Schubert, L., Kipp, A., and Wesner, S. 2009. Above the Clouds: From Grids to Resource Fabrics. In Tselentis, G., Domingue, J., Galis, A., Gavras, A., Hausheer, D., and Krco, S., Towards the Future Internet – A European Research Perspective, pp. 238–249. Amsterdam: IOS Press.