Towards a cloud computing evaluation and governance framework


Towards a cloud computing evaluation and governance framework
Addressing its organizational impact, risks, business case and governance.

Steven Jol
Master Thesis Business Informatics

First supervisor: Dr. R. S. Batenburg, Institute of Information and Computing Science, Utrecht University
Second supervisor: Dr. M.R. Spruit, Institute of Information and Computing Science, Utrecht University
External supervisor: Dr. A. Shahim RE, Atos Consulting Netherlands

Preface

This research is part of the Business Informatics Master at Utrecht University. I hope the developed framework will succeed in assisting management with the evaluation and governance of cloud computing. First of all I would like to thank my supervisors, Ronald Batenburg, Marco Spruit and Abbas Shahim, who gave up some of their valuable time to provide feedback on the deliverables. Also, I would like to thank all the experts and managers who provided input for the development of the framework. Finally, I would like to thank my girlfriend, who did most of the housekeeping so I could concentrate on finishing my research.

Steven Jol
January 25, 2014

Abstract

This research aims to contribute to the body of knowledge on the topic of cloud computing, and thereby assist organizations with the adoption of this technology, by addressing two concerns for top management which have not yet been adequately researched: the evaluation of cloud computing and cloud governance. In order to evaluate cloud solutions effectively, a good understanding of their risks, organizational impact and business case is needed. However, these aspects have not been researched in an integrative way. Also, the governance of IT is top management's responsibility and a concern when adopting cloud solutions. But what does governance mean for cloud computing? Most cloud governance frameworks only address security and do not take into account governance mechanisms, such as processes and structures, to enhance the value of cloud computing applications. Therefore, in this research a framework is developed which aims to assist higher management with the evaluation and governance of cloud computing by integrating the business case, risk and organizational impact aspects, and by providing insights into cloud governance. In order to develop the framework, literature was reviewed in conjunction with interviews with six cloud computing experts. This resulted in an initial framework, on which feedback was provided by six potential users and cloud experts. Based on these results, a revised framework was developed, consisting of two separate models for the evaluation and governance of cloud solutions. After a second round of feedback, a final framework was developed. The main limitations of this research are the limited number of interviewees that provided feedback on the framework, the possible lack of depth of the cloud evaluation framework, and the fact that the focus of the cloud governance model is on reducing risks, despite the objective of approaching cloud governance from a wider perspective.

Future research can be done on the topics of cloud security, the organizational impact of cloud computing and cloud governance. The cloud governance framework of this research can also serve as input to compare the governance of cloud computing with that of traditional IT outsourcing.

Table of contents

1. Introduction & Problem statement
   Research questions
   Scientific & Social relevance
   Thesis structure
2. Research model
3. Background
   Cloud computing technology
   Cloud computing defined
      Definition
      Characteristics
      Deployment models
      Delivery models
   Differences with traditional IT outsourcing
   Similar work: existing cloud evaluation and governance frameworks
      Cloud evaluation frameworks
      Cloud information security governance frameworks
      Cloud governance frameworks
      Conclusion similar frameworks
   Conclusion
4. A semi-structured literature review on the relevant cloud evaluation aspects and cloud governance
   Method
   Results
      Business case
      Organizational impact
      Risks & Risk management
      Corporate, IT & Cloud governance
   Conclusion
      Business case
      Organizational impact
      Risks & Risk management
      Corporate, IT and Cloud governance
5. Expert views on the relevant cloud evaluation aspects and cloud governance
   Method
   Results
      Business case
      Organizational impact
      Risks & Risk management
      Cloud governance
   Conclusion
6. Synthesis between literature and expert views
   Business case
   Organizational impact
   Risks & Risk management
   Cloud governance
   Conclusion
7. Development of the initial framework: version
   One integrated framework
   Framework requirements
   Cloud governance model high-level design
   Cloud governance model detailed design
   Corresponding table & cloud evaluation aspects
8. Expert feedback on the initial framework
   Approach
   Results
      Understandability
      Usefulness
      Governance activities
      Information accuracy
      Additional comments
   Conclusion
9. Development of the revised framework: version
   Two separate frameworks
   Cloud governance framework
      Cloud governance framework development
      The revised cloud governance model
      The corresponding table of the cloud governance model
   Cloud evaluation framework
      Cloud evaluation framework development
      The cloud evaluation model
      The corresponding table of the cloud evaluation model
   Relation between the cloud evaluation and governance frameworks
10. Expert feedback on the revised framework
   Approach
   Results
      Understandability
      Usefulness
      Information accuracy
   Conclusion
11. Development of the final framework: version
   Final cloud governance framework
      Final cloud governance framework development
      The final cloud governance model
      The corresponding table of the final cloud governance model
   Final cloud evaluation framework
      Final cloud evaluation framework development
      The final cloud evaluation model
      The corresponding table of the final cloud evaluation model
   Relation between the cloud governance and evaluation frameworks
Conclusion & Summary
Discussion, Limitations & Future research
References
Appendix A: risk-reducing controls
Appendix B: interview protocol (development phase)
Appendix C: interview transcripts (development phase)
Appendix D: summary expert interviews (development phase)
Appendix E: interview protocol (first feedback round)
Appendix F: interview transcripts (first feedback round)
Appendix G: summary expert interviews (first feedback round)
Appendix H: feedback management processes
Appendix I: interview transcripts (second feedback round)
Appendix J: summary expert interviews (second feedback round)
Appendix K: tools, techniques and additional information
Appendix L: existing frameworks analysis

1. Introduction & Problem statement

August , San Jose, US. The IT sector's jargon was changed for good. Eric Schmidt, Google's top man at the time, spoke during the Search Engine Strategies conference and introduced a new concept to describe his company's software: cloud computing. Although nobody had heard of this concept before, the technology behind it had already existed for a couple of years. Basically, cloud computing consists of services provided over the internet. Whether it is Google's Gmail, Microsoft's Hotmail or the social network Facebook, almost everyone will have encountered this kind of software. The success of, for instance, Gmail is due to its low costs and convenience. Instead of synchronizing e-mails across multiple devices and desktop applications, Gmail allows its users to access their mail anywhere and at any time, for free. Cloud computing also promises multiple benefits to organizations, from cost reductions to new strategic possibilities. According to some, it is underhyped (Asay, 2013). The vice president of the data center company Telx even refers to cloud computing as "the latest example of Schumpeterian creative destruction: creating wealth for those who exploit it; and leading to the demise of those that don't" (McKendrick, 2013). Success stories of organizations that have already adopted this kind of software support these statements (Babcock, 2013; Ribeiro, 2013). For example, the entertainment park Six Flags offers occasional promotions for millions of customers on their website, which is hosted on Amazon's Rackspace. This enables them to scale their resources on demand and deal with the huge peaks in website traffic when the promotions are online. However, while the benefits are apparent, many organizations are still reluctant to move to the cloud. This adoption is inhibited by the concerns of senior decision makers regarding cloud computing (Arlotta, 2013; D'Addario, 2013; Savvas, 2011; PwC, n.d.).

These concerns are not limited to security-related ones, but also include privacy, migration issues, cloud evaluation/value assessment and governance issues. This research aims to contribute to the body of knowledge on the topic of cloud computing, and thereby assist organizations with the adoption of this technology, by addressing two concerns which have not yet been adequately researched: the aspects relevant to the evaluation of cloud computing, and cloud governance. The first element of this research addresses the aspects relevant to the evaluation of cloud computing, that is, deciding whether to adopt cloud solutions instead of traditional IT. Cloud computing is perceived as a disruptive technology (Dikaiakos, Katsaros, Mehra, Pallis, & Vakali, 2009) and therefore has unique characteristics compared to traditional solutions. First, it fundamentally changes how IT is provisioned and used (Khajeh-Hosseini, Greenwood, Smith, & Sommerville, 2012). The people, processes, culture and structure of the organization may be impacted (Conway & Curry, 2012). For example, the role of IT employees will change, as certain technical aspects are no longer managed internally. Second, as data is often stored in the external data centers of the cloud providers, security, privacy and compliance issues arise (Bisong, Syed, & Rahman, 2011).

The decision-making process on adopting a cloud solution instead of a more traditional IT service is therefore complicated (Morgan & Conboy, 2013). To deal with these complexities, organizations must prepare a business case which covers these factors (Speed, 2011). However, no existing research approaches these elements in an integrative way. This research will therefore address the business case for cloud solutions, the impact of cloud computing on the organization, the risks of moving to the cloud, and how these elements relate to each other. The second element of this research is governance for cloud computing, which is a concern for higher management when adopting cloud solutions (PwC, n.d.). IT governance is applied to ensure that the value of IT investments is maximized and their risks are minimized (IT Governance Institute, 2006). Supposedly, the organization's governance needs to be adapted for cloud solutions (Maches, 2010). But what does this entail? What does governance mean for cloud computing? To the author's knowledge, most research on cloud governance is limited to security issues. Solely focusing on cloud security possibly leaves out other governance mechanisms which contribute to getting the most out of cloud solutions and thus maximizing their value. This research will therefore approach governance for cloud computing from a wider perspective than security. The goal is to provide a high-level overview of cloud governance, in order to provide insights into what cloud governance entails. This may take away higher management's concerns regarding cloud governance, fostering cloud adoption. It could also be used as a basis to structure the governance activities. As governance is a concept which is interpreted and used in many different ways (Simonsson & Johnson, 2006), this research will also address governance in general.

To fill the gaps in literature, the relevant aspects related to the evaluation of cloud computing and its governance will be addressed in this research. In order to actually assist higher management, a framework is developed which includes the research results. The target organizations are large public and private companies. Small-to-medium sized organizations are already eager to adopt cloud computing, as opposed to larger organizations (Wittenberger, 2013).

Research questions

The main research question is as follows: How can a framework be designed that assists higher management in their evaluation and governance of cloud computing? The first three sub-questions deal with the mentioned aspects which help higher management with the evaluation of cloud computing.

I. How can a business case be developed for cloud computing?
II. What is the impact of cloud computing on an organization?
III. What are the risks of adopting cloud solutions and how can they be managed?

The fourth question addresses cloud governance and consists of three sub-questions. As mentioned in the introduction, governance in general will also be addressed (RQ 4.1). The different perspectives on cloud governance are identified and assessed according to their relevancy, in order to determine which perspective on cloud governance should be included in the framework (RQ 4.1 & 4.2). The content of cloud governance is the subject of the last sub-question.

IV. How does governance apply to cloud computing?
4.1. What is governance?
4.2. Which perspectives on cloud governance can be identified?
4.3. Which view(s) on cloud governance is (are) the most relevant and therefore the most appropriate perspective(s) for the framework developed in this research?
4.4. What does the relevant perspective(s) on cloud governance entail?

The integration of the research aspects into a framework is addressed by the main research question.

Scientific & Social relevance

The main scientific relevance is the construction of a new framework that does not yet exist. It therefore contributes to the body of knowledge on the topic of cloud computing and may serve as input for further research. Furthermore, the research presents an integrated overview of the literature on the mentioned aspects, which can be of help to researchers in this field. The expert interviews have also provided new knowledge on specific aspects which were not yet covered in literature. The social relevance is that the framework aims to help organizations. The framework will help higher management evaluate and govern cloud computing. By taking advantage of the benefits of cloud computing and governing the solutions effectively, organizations can improve their performance. More productive organizations are of benefit to society as a whole.

Thesis structure

In the next chapter, the research model is discussed. In chapter 3 some background is given on cloud computing and related frameworks are discussed. Hereafter the literature review on the relevant subjects for developing the framework is presented. The expert interviews are addressed in chapter 5, whereas chapter 6 provides the synthesis between the literature and expert views on the relevant concepts. Chapter 7 presents the initial cloud evaluation and governance framework. Chapter 8 presents the results of the feedback on this framework, whereas chapter 9 discusses the feedback on the revised framework. The revised and final frameworks are presented in chapters 9 and 11. Hereafter the research is concluded, the limitations are discussed and future research is presented.

2. Research model

An often applied method in information systems research is Design Science Research (DSR). It entails the construction of an artifact to explain, understand and often improve certain practices relevant to information systems (Peffers, Tuunanen, Rothenbergen, & Chatterjee, 2007). As an artifact is created in order to improve the evaluation and governance practices regarding cloud computing, DSR is the type of research performed in this work. To ensure high-quality results are achieved and the research approach is rigorous and relevant, the framework of Hevner, March, Park, and Ram (2004) is applied. The framework (adapted for this research) is shown in Figure 1. The environment that is central in this research is higher management of large organizations who want to optimize their cloud computing investments. The business need is guidance for the evaluation and governance of cloud computing. Another type of input to this research is formed by the knowledge base: this research is based on existing scientific and 'grey' literature, and methods are applied for the literature review and the analysis of the interviews. Based on this need and the knowledge base a framework is developed. Evaluation was done through expert interviews, to ensure the information provided in the framework is correct, and through interviews with potential users, which gave insight into whether the artifact is indeed able to solve the business need. Hevner et al. (2004) also proposed several guidelines:

1. Design as an Artifact: Design-science research must produce a viable artifact in the form of a construct, a model, a method, or an instantiation.
2. Problem Relevance: The objective of design-science research is to develop technology-based solutions to important and relevant business problems.
3. Design Evaluation: The utility, quality and efficacy of a design artifact must be rigorously demonstrated via well-executed evaluation methods.
4. Research Contributions: Effective design-science research must provide clear and verifiable contributions in the areas of the design artifact, design foundations, and/or design methods.
5. Research Rigor: Design-science research relies upon the application of rigorous methods in both the construction and evaluation of the design artifact.
6. Design as a Search Process: The search for an effective artifact requires utilizing available means to reach desired ends while satisfying laws in the problem environment.
7. Communication of Research: Design-science research must be presented effectively both to technology-oriented as well as management-oriented audiences.

In this research an artifact is created that can be used by top management, so guideline 1 is met. The framework, based on the technological concept of cloud computing, addresses the problem stated in the problem statement section and is developed in an incremental fashion (guidelines 2 & 6), and is of social and scientific relevance (guideline 4). Research rigor is obtained by the use of well-known research methods for the literature review and the interviews (guideline 5). The framework that was developed was evaluated by experts and users in order to assess its utility, quality and efficacy (guideline 3). Finally, guideline 7 is met by writing a thesis which includes a detailed description of the research process and of how the framework can be applied in practice.

Figure 1: information systems research framework applied to this research (Hevner et al., 2004). [Figure content: environment: higher management, large public and private organizations; artifact: cloud evaluation & governance framework; knowledge base: literature and related work on evaluation aspects & cloud governance, cloud computing; methods: semi-structured literature review approach, content analysis for interviews; evaluation: literature review, expert interviews, user & expert feedback.]

In Figure 2 the research process is shown. Literature on the cloud business case, risks, organizational impact and governance is used in conjunction with expert interviews to develop an initial, integrated framework. Feedback on this framework was provided by experts and C-suite executives (or people working close to them), leading to a revised framework. Based on another feedback round, a final framework was developed.

Figure 2: research process and corresponding chapters. [Figure content: Chapter 1: research goals (assist higher management with the evaluation of cloud computing; assist higher management with the governance of cloud computing). Chapter 4: literature on business case, risks, organizational impact; literature on cloud governance. Chapter 5: expert interviews on business case, risks, organizational impact; expert interviews on cloud governance. Chapter 6: synthesis of literature and expert views. Chapters 7 & 9: initial and revised framework. Chapters 8 & 10: potential user & expert feedback (2x). Chapter 11: final framework.]

3. Background

In this chapter the concept of cloud computing is elaborated and related work is discussed. Cloud computing generally refers to IT resources delivered as services over the internet and the hardware and software that provide these services (Zissis & Lekkas, 2012). First the technology behind cloud computing is described. Hereafter the definition that is used in this research is presented, which includes a description of the characteristics of cloud computing, the deployment models and the different delivery models. Hereafter the differences from traditional IT outsourcing will be discussed. Some forms of cloud computing can be considered a type of IT outsourcing. For this research and the development of the framework it is interesting to assess whether cloud computing is similar to traditional outsourcing or whether it needs to be approached as a distinct concept. Finally, related evaluation and cloud governance frameworks are discussed and arguments are given why they do not adequately address the research objectives.

3.1. Cloud computing technology

Figure 3: technological evolution of cloud computing (Klems, Nimis, & Tai, 2009)

Cloud computing is based on already existing techniques, but combines them in a new way. It resulted from the convergence of grid computing, utility computing and web services (Zissis & Lekkas, 2012). Some therefore argue that it is not really a technological shift, but more an economic one (Baars & Spruit, 2012). Figure 3 shows the technical evolution of the technologies enabling cloud computing (Klems et al., 2009). Grid computing is a form of distributed computing that emerged in the 1990s. High-performance computers were interconnected with the aim of solving or supporting complex calculations and scientific applications (Zissis & Lekkas, 2012). It is similar to cloud computing in the sense that it employs distributed computing resources to achieve objectives. On the computational level, cloud computing can be seen as a subset of grid computing (Huang & Hsieh, 2011). However, while grid computing achieves a high utilization of resources through the allocation of multiple servers to a single computational task, virtualization in cloud computing allows one server to compute several tasks at the same time. This enables the maximization of computing power (Zissis & Lekkas, 2012). Another difference lies in the economic model of the two concepts. Grid computing is mostly adopted in the public sector, by data-intensive users such as universities, whereas cloud computing originates in the private sector (Rings et al., 2009).

Virtualization, multitenancy and web services are the main technological enablers of cloud computing (Marston, Li, Bandyopadhyay, Zhang, & Ghalsasi, 2011). Virtualization dates back to 1967, but for decades it was only applied to mainframes. The host computer runs a hypervisor, a software application that creates multiple virtual machines. To the user these virtual machines act like physical hardware, which can run any software. This technology is the main enabler of the cloud characteristics. Multitenancy is a related concept, which refers to the sharing of resources. Memory, programs, networks and data are shared between multiple users or tenants at the network level, host level and application level. With a multitenant architecture, a software application is virtually partitioned, so that each client works with a virtual application instance. One instance of an application thus serves multiple clients or tenants. Web services refers to clients and servers that communicate on the web over the HTTP protocol. They help standardize the interfaces between applications, making it easier for a software client, such as a web browser, to access server applications over a network. The delivery model of cloud computing is based on utility computing. This concept represents the model of providing resources on demand and charging customers based on usage rather than a fixed price (Zhang, Cheng, & Boutaba, 2010).

The technical architecture of cloud computing is shown in Figure 4. At the hardware level, a number of physical devices, including processors, hard drives and network devices, are located in data centers and are responsible for the storage and processing of data. The infrastructure layer consists of hypervisors running on the physical hardware, which are responsible for the virtualization of the resources by creating multiple virtual machines. Software platforms are installed on these virtual machines (platform layer), which deal with the development, deployment and configuration of the software applications. On these platforms the applications are provided to the user (application layer).
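The virtual partitioning that multitenancy relies on has a direct security consequence: one application instance and one database serve several tenants, so every data access has to be bound to the calling tenant, or one tenant can read another's records. The following is an added example, not code from the thesis or from any of the works it cites, showing a tenant-scoped data layer next to an unscoped lookup for contrast. The table layout, the tenant names "acme" and "globex" and the invoice rows are constructed for the example.

```python
"""Tenant-scoped data access for a multitenant application (added example).

One application instance and one SQLite database serve several tenants.
The TenantScopedStore binds the tenant identifier into every query, so a
caller can never widen its own scope; unscoped_get_invoice shows the weak
pattern it replaces. All table names, tenants and rows are constructed.
"""
from __future__ import annotations

import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding constructed records for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, amount) VALUES (?, ?, ?)",
        [(1, "acme", 100), (2, "acme", 250), (3, "globex", 999)],
    )
    conn.commit()
    return conn


class TenantScopedStore:
    """Repository whose every query carries the tenant predicate.

    The tenant is fixed at construction (in a real service it would come from
    the authenticated session, never from request parameters), so no method
    accepts a tenant_id argument that a caller could tamper with.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self._conn = conn
        self._tenant_id = tenant_id

    def list_invoices(self) -> list[tuple[int, int]]:
        """Return (id, amount) pairs belonging to this tenant only."""
        rows = self._conn.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        )
        return [(r[0], r[1]) for r in rows]

    def get_invoice(self, invoice_id: int) -> tuple[int, int] | None:
        """Look up one invoice; another tenant's id is 'not found', not leaked."""
        row = self._conn.execute(
            "SELECT id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id),
        ).fetchone()
        return (row[0], row[1]) if row else None


def unscoped_get_invoice(conn: sqlite3.Connection, invoice_id: int) -> tuple[int, int] | None:
    """Weak form for contrast: filters by id only, so any tenant's row is returned."""
    row = conn.execute(
        "SELECT id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return (row[0], row[1]) if row else None


if __name__ == "__main__":
    db = build_sample_db()
    acme = TenantScopedStore(db, "acme")
    print("acme invoices:", acme.list_invoices())
    print("acme asks for invoice 3:", acme.get_invoice(3))
    print("unscoped lookup of invoice 3:", unscoped_get_invoice(db, 3))
```

The point of the design is that the partition is enforced in one place (the repository) rather than relying on every caller to remember a `WHERE tenant_id = ?` clause; a code review can then check a single class instead of every query in the application.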

Figure 4: architecture of cloud computing (Zhang et al., 2010)

3.2. Cloud computing defined

This section will present the definition of cloud computing which is used in this research. This definition includes several characteristics to scope cloud computing and refers to multiple deployment and delivery models.

Definition

Many (diverse) definitions of cloud computing exist in literature (Huang & Hsieh, 2011). One of these definitions is proposed by Vaquero, Rodero-Merino, Caceres, and Lindner (2008):

"Clouds are a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically re-configured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the Infrastructure Provider by means of customized SLAs."

While the authors do mention delivery models in their research, no reference is made to different deployment models. Many researchers that use this definition seem to scope cloud computing to public cloud solutions. Another often-used definition, which does take into account different deployment models, is provided by the US National Institute of Standards and Technology (Mell & Grance, 2011):

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models."

The distinction between the deployment models is important, as options other than public cloud computing could be viable for companies, and the benefits and risks differ between these models. Therefore, this definition is chosen as the point of reference for cloud computing in this research. The characteristics, delivery models and deployment models will be discussed in the succeeding sections. The information is based on two papers from NIST (Mell & Grance, 2011; Badger, Grance, Patt-Corner, & Voas, 2011).

Characteristics

The definition of cloud computing used in this research, that of NIST (Mell & Grance, 2011), includes 4 characteristics to scope cloud computing. These are described below.

On-demand self-service. A consumer of cloud services can unilaterally provision computing capabilities, such as network storage, without interacting with the provider.

Broad network access. The computing capabilities are available over the network and accessed through mechanisms that promote use by different platforms, such as PCs, mobile phones and laptops.

Resource pooling. The computing resources of the service provider are pooled to serve multiple consumers in a multi-tenant fashion, with different resources dynamically assigned and reassigned according to consumer demand. The consumer of the service generally has no control over or knowledge of the exact location of the provided resources, but may be able to determine where the data center resides. Examples of resources are storage, processing, memory and network bandwidth.

Rapid elasticity. The computing capabilities can be elastically and quickly provisioned. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability. Monitoring of the resource usage provides transparency for both the provider and the cloud consumer.

Deployment models

The 4 cloud deployment models are private, community, public and hybrid cloud.

A private cloud is a cloud solution in which the cloud infrastructure is used exclusively by a single organization, and managed and operated by the organization itself or by a third party. The owners can control the infrastructure. One aspect that is often neglected by researchers is that the infrastructure does not need to be located at the organization's site. It can exist on the premises of the subscribing organization, but also off-premise, at the provider's site. In the first situation, the users access the private cloud from within the security perimeter, whose policies protect against remote malicious intruders. In the latter, the private cloud is secured from the other computing infrastructure at the cloud provider's site, and a connection is established between the boundary controllers (e.g. firewalls) of the provider and the customer through a protected communication link, such as a VPN.

16 A community cloud means the infrastructure is shared by several organizations, based on similar interests, like security requirements and compliance considerations. It may be managed by the organizations or a third party and may exist on-premise or off-premise. Within an on-site cloud, each participant may provide services, consume them or provide and consume them both. It is necessary for at least one community member to provide a cloud service. Each organization probably implements a security perimeter. In this case, the participants are connected through protected communication links between the boundary controllers, which allow access through the security perimeters. Optionally, the providers may implement extra security perimeters to isolate the local cloud resources from data centers that are not used for the community cloud. A cloud provider is the one providing the cloud service in the case of an outsourced (offpremise) community cloud. This model is very similar to the outsourced private cloud scenario. The server-side responsibilities are managed by the cloud provider and a security perimeter secures the community cloud resources from other resources. A public cloud is offered to the general public and is owned by an organization providing cloud services. So with this particular model, the infrastructure is always hosted, operated and managed by a third-party vendor from data centers off-premise. The provider's computing and storage resources are potentially large, which serve a diverse pool of clients. The communication links can be assumed to be implemented over the public internet instead of secure connections such as a VPN. Finally, the hybrid cloud is a combination of two or more private, community or public clouds. A hybrid cloud can be extremely complex, but the most adopted configurations are less complex. An example is the combination of a private cloud for routine workloads and public clouds during periods of high demand. 
Because the communication in the public cloud between the provider and the consumer is in most cases done over the public internet and not through secured communication links, many researchers argue that the public cloud won't be an option for large companies for years to come (Marston et al., 2011). Others are less conservative and argue that the best combination will be a hybrid cloud: non-sensitive data can be processed on public clouds, while more confidential data is kept within a private cloud (Xie, 2011).

Delivery models

Cloud computing services are generally delivered to the consumer through three main delivery models, namely Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Software as a Service is based on licensing applications on demand, which are already installed on a cloud platform; such offerings are sometimes loosely referred to as web services. Consumers, either organizations or individual users, rent access to an application over a network, typically the internet. SaaS replaces traditional software licensing with a rental model, reducing the cost and effort of deploying and managing software. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems and storage. Usage fees are typically calculated based on the number of users, the time in use, per execution, per record processed, network bandwidth consumed, and quantity of data stored. Examples are Google Apps and Salesforce, a CRM application.

IaaS can best be explained by referring to it as Hardware as a Service (Jin et al., 2010). Instead of building its own data centers, a firm that does not object to an outsourced cloud can pay to use infrastructure provided by a specialized provider. The main consumers are system administrators, who get access to virtual machines, network-accessible storage, network infrastructure, firewalls and configuration services. They are able to deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over the operating systems, storage and deployed applications, and therefore remains responsible for patching and hardening them. Usage fees are typically calculated per CPU hour, per GB of data stored per hour, network bandwidth consumed, IP addresses per hour and value-added services used. A well-known IaaS offering is Amazon EC2, which stands for Amazon Elastic Compute Cloud.

With PaaS, the consumer has the ability to develop, deploy and test applications on the cloud infrastructure using programming languages and tools provided by the provider. The consumer does not manage or control the underlying cloud infrastructure, including networks, servers, operating systems or storage, but has control over the deployed applications and possibly over the configuration of the application hosting environment. Consumers can develop their own applications without having to take care of resource management or allocation problems such as automatic scaling and load balancing (Jin et al., 2010).
The usage fees are typically calculated based on the number of subscribers, the requested services, the time the platform is in use and the storage, processing or network resources consumed by the platform. Examples are Google App Engine and Microsoft Azure.

This chapter provided some background on cloud computing as an economic and technical concept, by providing a definition, describing its characteristics and listing its deployment and delivery models. This is summarized in Table 1.

Table 1: summary of the concept cloud computing
Main technological enablers: virtualization, multi-tenancy and web services.
Definition: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models." (Mell & Grance, 2011)
Characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
Deployment models: private (on- and off-premise), community (on- and off-premise), public and hybrid cloud.
Delivery models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Differences with traditional IT outsourcing

Off-premise cloud computing is a form of outsourcing (Wang, Ren, & Wang, 2011): a third party is responsible for the infrastructure and for the maintenance of software and hardware. Outsourcing can be defined as the transfer of services and, where applicable, staff and assets to a specialized service provider, and then, for the duration of the contract, the receipt of services at an agreed level of quality and an agreed financial compensation structure (Wijers & Verhoef, 2009). The main motives for outsourcing decisions are economic benefits, technological advantages, innovation and strategic advantages, including increased flexibility and service quality (Böhm, Leimeister, Riedl, & Krcmar, 2011).

Traditional outsourcing can be seen as the first option available in the market for companies intending to move part of their information system outside their organization, and consists of three main models (Salleras, 2013).

Infrastructure outsourcing: in order to reduce costs, companies transferred partial or total control of their information system infrastructure to a specialized provider. This includes networks, hardware, software and user services (e.g. helpdesk). Typically, long-term contracts were used and outsourcing services were customized: the provider adapted its solutions to every customer in order to fulfill their individual needs.

Application outsourcing: entails the licensing and implementation of software applications by service providers. In-house application outsourcing refers to external personnel deploying software on the customer's infrastructure. The provider develops the application and is responsible for its maintenance.
The advances in the global internet infrastructure enabled providers to deliver applications to their customers hosted on the providers' own infrastructure.

Business process outsourcing: this outsourcing model refers to transferring and delegating technology-enabled, non-strategic business processes to an external service provider. The provider takes care of the information systems hardware and software and is responsible for the management and execution of the processes.

While cloud computing is an evolutionary development of various techniques and of application outsourcing (Salleras, 2013), there are multiple differences with traditional outsourcing models (Wahlgren & Kowalski, 2013; Benson & Morgan, 2013; Dhar, 2011; Talukder & Zimmerman, 2010; Hon, Millard & Walden, 2012; Firdhous, Ghazali, & Hassan, 2012; Bradshaw, Millard, & Walden, 2011; Willcocks, Venters & Whitley, 2012; Böhm, Leimeister, Riedl, & Krcmar, 2011). Dhar (2011) provides an overview of the differences between cloud computing and traditional IT outsourcing, shown in Figure 5. The main difference lies in the degree of flexibility in deploying resources and services (Böhm et al., 2011). The technology behind cloud computing enables elasticity and scalability, and services can be procured quickly (Wahlgren & Kowalski, 2013). Because services can be procured so easily, cloud computing tends to come with a multi-provider environment (Firdhous et al., 2012). Other advantages are lower or no upfront investments (Wahlgren & Kowalski, 2013) and the fact that consumers are charged solely for consumption, as opposed to the fixed price of most traditional outsourcing models (Firdhous et al., 2012).

Figure 5: difference between traditional IT outsourcing and cloud computing (Dhar, 2011).

Cloud computing does not solely bring benefits compared to the traditional outsourcing models. Especially regarding security, compliance, governance and data control, multiple disadvantages can be identified (Dhar, 2011; Wahlgren & Kowalski, 2013; Benson & Morgan, 2013; Hon et al., 2012; Bradshaw et al., 2011). With traditional outsourcing, customers typically know where their corporate data is hosted, how it is transported and how it is managed. With cloud computing, data is separated from the physical infrastructure through virtualization, so the precise hardware location of a specific piece of data is difficult to identify (Benson & Morgan, 2013). This makes legal compliance harder and entails a loss of control over the data (Wahlgren & Kowalski, 2013). The difference in control between in-house computing, traditional outsourcing and cloud computing is shown in Figure 6. The level of control does not differ much between delivery models, but it does between deployment models (Wahlgren & Kowalski, 2013): a private, off-premise cloud is more like traditional outsourcing, as the customer knows where its data resides (Wahlgren & Kowalski, 2013).
Figure 6: difference in control between traditional outsourcing and cloud computing (Wahlgren & Kowalski, 2013).

The more informal relation between customers and providers and the flexible nature of cloud services also lead to less certainty about appropriate legal clauses in the contract and a higher chance of hidden costs and risks (Bradshaw et al., 2011). Further, compliance and security risks can arise because most cloud providers are more reluctant than providers of traditional outsourcing services to let consumers investigate security breaches and controls at their site (Hon et al., 2012). Because of these differences, cloud computing and traditional outsourcing serve different purposes: projects that require both economies of scale and flexible skills are best addressed by cloud solutions (Talukder & Zimmerman, 2010).

Summarized, off-premise cloud computing is a form of outsourcing, as infrastructure and maintenance are outsourced to a third party. It is an evolution of traditional application outsourcing, enabled by specific technologies. Compared to the more traditional outsourcing models, it brings multiple benefits, such as scalability, no up-front investment and a quick procurement process. As the relationship between customer and provider is less formal and virtualization techniques are applied, there is a loss of control over the data and infrastructure, leading to more uncertainty regarding security and compliance. Because cloud computing has multiple characteristics that differ from traditional outsourcing, the evaluation and governance of cloud computing are expected to need a different approach. It is therefore treated in this research as a distinct concept. Traditional outsourcing is out of the scope of this research and literature on outsourcing is not taken into account. The results of this section are summarized in Table 2.
The next chapter discusses related cloud evaluation and governance frameworks and their shortcomings in addressing the research objective of assisting higher management with the evaluation and governance of cloud computing.

Table 2: summary of the differences between cloud computing and traditional IT outsourcing
Traditional IT outsourcing: the first option in the market for organizations outsourcing elements of their information systems. Consists of infrastructure, application and business process outsourcing.
Cloud computing sourcing: a type of application outsourcing, enabled by specific technologies.
Benefits of cloud computing compared to traditional IT outsourcing models: flexibility, scalability and no up-front investments.
Downsides of cloud computing compared to traditional IT outsourcing models: not always clear where data resides, often no option to check security controls at the provider's site, possible hidden costs and risks in cloud contracts.
Other differences: cloud computing comes with a multi-vendor environment and shorter contracts, and serves different purposes.

Similar work: existing cloud evaluation and governance frameworks

This section explores existing frameworks for the evaluation and governance of cloud computing in order to underpin why this research needs to be done. First, similar evaluation frameworks are discussed. Thereafter, information security governance frameworks are explored. As was argued in the introduction, these solely focus on the security issues of cloud computing and possibly leave out other mechanisms to enhance the value of cloud solutions. Examples are the processes and structures included in the Val IT framework for IT governance (ITGI, 2008), such as portfolio management, which should be implemented to improve the return on investment (ROI) of IT investments. Two scientific cloud governance frameworks take a broader view than security, but fall short in other areas; these are discussed last. The frameworks were identified through a semi-structured approach, as explained in the next chapter on the literature review and the corresponding process.

Cloud evaluation frameworks

One element of this research, next to cloud governance, is assisting higher management with the evaluation of cloud computing by providing information on the risks, organizational impact and business case of cloud computing. While no research has addressed these elements in an integrated way, multiple frameworks have been proposed to guide decision makers considering a cloud solution, such as the Cloud Adoption Toolkit (Khajeh-Hosseini et al., 2012). According to this framework, the suitability of cloud technology for the proposed solution should be assessed first. If the outcome is positive, the decision makers proceed with calculating, for different cloud solutions, the costs, the energy consumption and the impact on the stakeholders (including organizational risks), and with modeling the responsibility structure. The toolkit also includes a suitability assessment questionnaire, a cost modeling tool and a detailed spreadsheet of the benefits and risks as described by Khajeh-Hosseini, Bogaerts, and Teregowda (2011).

Another adoption or evaluation framework is presented by Klems et al. (2009). They discuss business- and technology-related issues, presented as a framework that can be used to compare the costs of an outsourced cloud solution with those of in-house IT infrastructure. According to this framework, the business domain and the business objectives need to be defined first. Technical considerations are the demand usage and requirements such as ease of deployment and availability. The second phase entails the comparison between a cloud solution and a conventional approach. Based on the resource usage (i.e. how much storage or processing power is needed?) and the pricing scheme or utility computing model of the provider, the costs of the two approaches, including direct and indirect costs, can be compared.
A framework that deals with moving a legacy application to the cloud is proposed by Beserra, Camara, Ximenes, Albuquerque, and Mendonca (2012) and is called CloudStep. While its focus is not on the decision whether to move to the cloud at all, it does take organizational, security and financial constraints into account.

The framework of Conway and Curry (2012) provides a good overview of the activities that need to be performed when adopting a public cloud service, including the evaluation, or "architecting", of a cloud solution. It was developed by a consortium of prominent organizations from the IT industry, including Microsoft and the Boston Consulting Group, and from academia. The life-cycle model is shown in Figure 7. For each phase the authors describe the activities that need to be performed, the outputs of these activities and the required capabilities, which are based on the IT Capability Maturity Framework. It can be applied to the migration to the cloud as well as to the ongoing management of cloud services. While it does contain planning activities, it does not mention a business case, nor does it provide information on the risks or the organizational impact.

Figure 7: the cloud adoption life cycle (Conway & Curry, 2012).

A somewhat similar framework is proposed by Shimba (2010) as part of his dissertation at the Dublin Institute of Technology. His model, ROCCA (Roadmap for Cloud Computing Adoption), acts as a roadmap for organizations that want to adopt cloud computing and includes a questionnaire for assessing whether the activities have been performed adequately. In this framework too, the business case is not included, although it is mentioned in the dissertation.

In this section two evaluation frameworks and two adoption frameworks were discussed (see Table 3), as well as one framework that deals with the migration of legacy applications. None of them integrates the risks, organizational impact and business case of cloud computing.

Table 3: similar work: evaluation frameworks
Khajeh-Hosseini et al. (2012), Cloud Adoption Toolkit. Scope: evaluate cloud computing. Main disadvantage: business case not referred to; no information on organizational impact.
Klems et al. (2009), no framework name. Scope: evaluate cloud computing. Main disadvantage: does not address any of the research aspects.
Beserra et al. (2012), CloudStep. Scope: evaluate whether to move legacy systems to the cloud. Main disadvantage: focused on which legacy systems to deploy on the cloud, not on the overall decision to adopt cloud solutions; no information on the business case or organizational impact.
Conway and Curry (2012), Managing Cloud Computing: A Life Cycle Approach. Scope: cloud adoption activities. Main disadvantage: business case not referred to; no information on organizational impact.
Shimba (2010), ROCCA: Roadmap for Cloud Computing Adoption. Scope: cloud adoption activities. Main disadvantage: business case not referred to.

Cloud information security governance frameworks

Most of the governance frameworks for cloud computing address security issues. Rebollo, Mellado, and Fernández-Medina (2012) performed a systematic analysis of the available information security governance (ISG) frameworks. The included frameworks are the security guidelines offered in the whitepapers of CSA (2009) and ENISA (2009), a book by Mather, Kumaraswamy, and Latif (2009), the Cloud Cube Model (Jericho Forum, 2009) and a Virtual Information Security Management System developed by Julisch and Hall (2010). The first three publications only propose guidelines and do not offer a graphical model. More interesting are the proposals of ISACA (2011), Jericho Forum (2009) and Julisch and Hall (2010). These frameworks all, in their own way, assist in developing a strategy for safeguarding information. ISACA's framework, the COBIT adaptation, is discussed in the next section, as it is more of an overall IT governance framework for cloud computing (Rebollo, Sánchez, Mellado, & Fernández-Medina, 2011).
One interesting note is that, according to the authors, none of the frameworks addressed all the criteria for an ISG framework they defined, so in this specific area too, more research may be needed.

The Cloud Cube Model (Jericho Forum, 2009) helps organizations to discriminate between the available cloud offerings and to choose the formation that best fits the organization's needs. The Cloud Cube Model also proposes the implementation of a Collaboration Oriented Architecture (COA) for securing cloud services in de-perimeterised environments, i.e. outside the organization's own firewall. The COA framework includes a set of guidelines for secure interaction between users and end-systems located in different security domains. The architecture and guidelines cannot be implemented by cloud consumers on their own, because all participants are required to cooperate in implementing this security architecture. It seems it would only be viable when all providers adopt this architecture as a standard.

Julisch and Hall (2010) proposed the Virtual Information Security Management System (ISMS). The ISMS originates from ISO/IEC 27001 and comprises a set of processes and policies used by an organization to implement, operate and monitor information security in a plan-do-check-act cycle. A Virtual ISMS expands this concept by addressing the transfer of security controls in cloud environments, making it suitable for virtual enterprises where IT services are partially outsourced to providers (Julisch & Hall, 2010).

Like Julisch and Hall (2010), Ahmad and Janczewski (2011) focus on the responsibilities of the cloud consumer and the cloud provider and view these as a central aspect of cloud security governance. The authors introduce a Joint Governance Board, which acts as a bridge between consumer and provider and consists of members of both organizations. It is responsible for the analysis, approval and implementation of the governance functions, such as risk management.

Two frameworks were found which were not included in the review of Rebollo et al. (2012). Almorsy, Grundy and Ibrahim (2011) proposed a collaboration-based security management framework. It is based on aligning the FISMA security standard with cloud computing and on security standards for automating the security management process. The focus is on improving collaboration between cloud providers, service providers and service consumers in managing the security of cloud computing. The SeCA model (Spruit & Baars, 2012) allows decision makers to analyze cloud services and architectures on their security specifications based on data classifications. It was meant as an upgrade of the Cloud Cube Model (Jericho Forum, 2009), including eight attributes instead of four. Before using the model, data classifications should be defined and implemented, describing who can and cannot see, use and execute data, and under which circumstances. Based on these classifications, the model outputs guidelines stating the specifications for appropriate cloud services. The model can also be used backwards: based on a specific cloud model and the data classifications, the output is a short list of suitable services.

Four security governance frameworks propose some form of collaboration architecture between providers and consumers to safeguard the assets (see Table 4). Further, one model can be used to select services based on data classifications. However, they all cover only security issues and do not approach cloud governance from a broader perspective.

Table 4: analysis of cloud information security governance frameworks
Jericho Forum (2009), Cloud Cube Model. Scope: assist in choosing a cloud formation and collaboration architecture. Main disadvantage: only about security.
Julisch and Hall (2010), Virtual ISMS. Scope: ISMS for cloud services. Main disadvantage: only about security.
Ahmad and Janczewski (2011), Governance Life Cycle Framework for Managing Security in Public Cloud: From User Perspective. Scope: Joint Governance Board as a bridge between consumer and provider. Main disadvantage: only about security.
Almorsy et al. (2011), Collaboration-based cloud computing security management framework. Scope: alignment of the FISMA security standard with cloud computing. Main disadvantage: only about security.
Spruit and Baars (2012), SeCA Model. Scope: assist in choosing a cloud service based on data classification. Main disadvantage: only about security.

Cloud governance frameworks

Two scientific cloud governance frameworks were found. Both adopted Service Oriented Architecture (SOA) governance techniques. Guo, Song and Song's (2010) governance framework (Figure 8) adheres to the view that cloud governance is similar to that of SOA and is applicable when an organization has to manage and control thousands of services and data elements in a cloud environment. They define cloud governance as controlling access to services using policies, tracking services using repositories, and logging and monitoring the execution of those services. Guo et al. (2010) essentially translated the governance principles of SOA, outlined by, amongst others, Linthicum (2009), to cloud computing. They describe the policies that need to be implemented (policy model), the operational elements, such as monitoring and interfacing with identity and access management systems (operational model), and the core management elements with regard to security, services, risks and policies (management model). The focus is solely on governing policies and services, which makes the framework of little use when an organization does not have to manage thousands of services.
Figure 8: Guo et al.'s cloud governance framework (2010).

For his Master's thesis at the University of Twente, He (2011) developed a process model for introducing cloud governance, shown in Figure 9. In contrast to Guo et al.'s model (2010) it is process-oriented, and the strategic goals of the organization and organizational alignment are taken into account. Each phase is described in detail, including the steps that need to be performed and the tools that can be used. It is based on the domains included in the SOA governance model of Schepers (2007). Schepers (2007) concluded in his paper that the scope of his governance lifecycle is very broad and that it should be aligned with the maturity of the SOA; therefore a maturity model is included which outlines the content of the activities for each maturity level. The model of He (2011) lacks these adjustments for specific maturity levels. When a company does not have a mature Service Oriented Architecture, or is about to introduce only a single service, the governance activities seem excessive: when a company is about to introduce a single CRM application, for example, a center of excellence is probably not necessary. Further, the model of Schepers (2007) has not been validated, while the model of He (2011) is built on top of it.

Figure 9: high-level cloud governance process model (He, 2011).

Further, the Information Systems Audit and Control Association (ISACA) (2011) has produced an extensive report on control objectives for cloud computing. The main contribution of the report is the adaptation of COBIT for governing the cloud. Four governance domains are distinguished, containing 34 processes in total, and every process has four to fifteen control objectives. For each objective the applicability and the priority for the cloud delivery and deployment models are indicated. While this is an extensive framework, it is considered overkill for higher management wanting to gain insight into cloud governance. The goal of this research is not only to assist in governing cloud solutions, but also to take away the concerns of higher management about what governance for cloud computing entails by providing a high-level overview. Second, no maturity model is provided for the controls, while this is supplied with the regular COBIT framework. Many controls seem excessive for a less mature cloud environment, such as when adopting a single solution. For example, the control IT Value Management is noted to be critical for all delivery and deployment models, but it is not clear to what extent an organization has to implement or improve this control when adopting a single cloud solution. Also, it is not a scientific framework.

The mentioned frameworks address cloud governance from a broader perspective than security, but were not perceived as adequate for providing insight into cloud governance. Guo et al.'s (2010) framework is only applicable when an organization has to manage thousands of services, and that of He (2011) seems overkill because of its resemblance to Service Oriented Architecture governance mechanisms and is based on a non-validated model. The COBIT adaptation of ISACA (2011) is too extensive and does not provide a good overview of cloud governance for higher management. Therefore, it is concluded that a new governance framework needs to be developed, approaching cloud governance from a wider perspective than security, abstracting away from the level of individual cloud services and providing a high-level overview. These frameworks are summarized in Table 5.

Table 5: analysis of cloud governance frameworks
Guo et al. (2010), A Governance Model for Cloud Computing. Scope: service and policy management through SOA-related tools. Main disadvantage: only applicable for managing thousands of services.
He (2011), The Lifecycle Process Model for Cloud Governance. Scope: governing a cloud solution through distinct activities. Main disadvantage: applies SOA methods to cloud computing, which seem overkill.
ISACA (2011), Control Objectives for Cloud Computing. Scope: controls which need to be implemented to manage a cloud computing environment. Main disadvantage: too extensive and complicated for providing an overview of cloud governance.

Conclusion similar frameworks

Related evaluation and governance frameworks were discussed. Two evaluation frameworks aim to assist organizations in deciding whether to move to the cloud and two frameworks cover the whole process of adopting cloud solutions. One framework deals with the migration of legacy applications. None of them integrates the cloud risks, organizational impact and business case for cloud computing. It is therefore concluded that a new cloud evaluation framework must be developed, which integrates and provides information on the business case for cloud solutions, the impact on the organization and the corresponding risks. Multiple information security governance frameworks were found in the literature. Most of them focus on the responsibilities of consumer and provider. Further, the SeCA model (Spruit & Baars, 2012) is a tool to select cloud services based on data classifications.
These frameworks are scoped to security issues and do not take into account other governance aspects, such as processes to enhance the value of cloud computing. Three cloud governance frameworks include elements other than security-related ones, but were not considered adequate. Guo et al.'s (2010) framework is only useful when an organization has to manage thousands of services, while He's (2011) seems overkill and is based on a non-validated framework. The COBIT framework for cloud computing of ISACA (2011) is considered too extensive and does not provide a high-level overview of cloud governance. As none of the cloud governance or evaluation frameworks is considered sufficient for assisting higher management in evaluating and governing cloud solutions, a new artefact is developed in this research. The results of the analysis of similar frameworks are summarized in Table 6.

Table 6: summary of existing frameworks
Existing cloud evaluation frameworks: five frameworks were found which assist organizations with the decision-making process of adopting cloud computing. None of the frameworks integrates the business case, organizational impact and risk aspects of cloud computing.
Existing cloud information security governance frameworks: many publications focus on reducing the risks of cloud solutions. Five authors provided a model; most of them focus on the responsibilities of consumers and providers. The SeCA model provides risk-reducing requirements or an architecture based on the data classification. These frameworks focus solely on security and do not address cloud governance from a broader perspective.
Existing cloud governance frameworks: two scientific cloud governance frameworks were found. Both adhere to Service Oriented Architecture governance principles, which seem overkill for governing a small number of cloud services. The non-scientific adaptation of COBIT does not provide a good high-level overview and no maturity model is provided, which makes it difficult to determine how important a certain control is for a specific level of cloud adoption.

Conclusion

In this chapter the concept of cloud computing was elaborated, the differences with traditional IT outsourcing were discussed and several cloud evaluation and governance frameworks were analyzed. Cloud computing in this research is defined as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models." (Mell & Grance, 2011). It consists of four deployment models, namely the private, community, public and hybrid cloud, and three delivery models: Software as a Service, Platform as a Service and Infrastructure as a Service.

Although off-premise cloud computing is a form of outsourcing, it differs in multiple ways from traditional IT outsourcing models. It brings additional benefits, such as no upfront investments and scalability of resources, but also risks. The risks are mainly caused by the less formal relationship between the cloud provider and the consumer: providers are more reluctant to let consumers investigate security controls and breaches at their site, and there is a higher chance of unforeseen risks in the contract. As cloud computing differs from traditional IT outsourcing regarding its purpose, risks and benefits, it is approached as a distinct concept.

Finally, this chapter provided an overview of related cloud evaluation and governance frameworks. The evaluation frameworks do not integrate the risks, organizational impact and business case. The cloud governance frameworks focus solely on security or fall short in other areas, such as being applicable only when managing thousands of services. The collection of information through a literature review for the development of the new framework is addressed in the next chapter.
4. A semi-structured literature review on the relevant cloud evaluation aspects and cloud governance

This chapter covers the method and the results of the literature review on the subjects relevant for developing the framework. First, a description of the structured literature review process is given, which includes the keywords and search engines used. Hereafter, the results are presented for the literature review on cloud governance and on the three aspects relevant for the evaluation of cloud computing, namely the business case, organizational impact and risks. While similar frameworks are part of the literature scan, they were discussed and analyzed in the previous chapter.

Method

In this research the purpose of the literature study is twofold. First, the results were used as input for the development of the framework. Second, it pointed out certain research gaps, which is of scientific relevance. In order to gain a complete set of studies within the literature study, the guidelines of Watson and Webster (2002) were applied. Two approaches were used for obtaining relevant scientific literature (Watson & Webster, 2002): the use of scholarly search engines and following the references from relevant articles. Google Scholar was used as the search engine, as it contains studies from multiple journals and the results are ordered by popularity (citations). Table 7 below shows the keywords which were used in the search for literature. The keywords related to the aspects were used in combination with the keywords related to cloud computing. There are five sets of keywords. With regard to the business case of cloud computing, the benefits and cost calculation methods are also considered relevant, based on the concept of a traditional IT business case, which roughly consists of the benefits, risks and costs (IGIT, 2008).
Risks are often seen as security or compliance issues, and risk management is relevant for the management of cloud computing risks (ENISA, 2009), hence the selected keywords. According to Conway and Curry (2012), cloud computing may impact the organizational people/stakeholders, processes, organizational structure and culture. The research aspect of the impact of cloud computing on the organization is therefore scoped accordingly. To review governance literature, 'governance' was used as a keyword. To find related work regarding the governance part of this research, 'governance framework' and 'information security governance framework' were used. For identifying cloud evaluation frameworks, 'evaluation', 'decision' and 'adoption' were used, as it is presumed these could all be used to refer to the decision-making process of whether to adopt cloud computing. The related frameworks were already discussed in the previous chapter.

The keywords related to cloud computing consist of the different delivery models and 'Cloud', which covers all the deployment models (private, public and hybrid cloud). For each set of keywords, the first 25 pages of results were taken into account. First, the papers were selected based on the title and description provided in Google Scholar. Next, their abstract was read. The articles that were deemed relevant were subject to a whole-article analysis. Hereafter, the references were followed.

The following inclusion criterion was applied:
- The article discussed a relevant topic regarding the organizational impact, the business case, risks or governance of cloud computing.

The following exclusion criteria were used:
- The article was written in a language other than English or Dutch.
- The article was not a scientific paper, but a book or whitepaper.
- The article addressed the perspective of the provider, instead of the consumer.

The literature scan was finished when no new concepts were found in the set of articles (Watson & Webster, 2002). Based on the initial Google Scholar search, 253 papers were part of the literature set. After the abstract and article analysis and the following of references, 132 papers were selected for the literature review.

Research aspects and keywords:
- Business case: Business case; Return on investment; Benefits; Costs
- Risks: Security; Compliance; Risks; Risk management; Risk management frameworks
- Organizational impact: Organizational impact; Changes in organization; Impact on processes; Changes in processes; Impact on people; Changes for people; Impact on stakeholders; Changes for stakeholders; Impact on structure; Changes in structure; Impact on culture; Changes in culture
- Governance: Governance
- Related work: Governance framework; Evaluation framework; Adoption framework; Decision framework

Cloud computing keywords (combined with each of the above): Cloud; IaaS; PaaS; SaaS

Table 7: keywords used for literature search.

Because the academic domain of cloud computing is relatively new and in development, not everything is covered in scientific literature. Less scientific sources were therefore also of help. The normal Google search engine was used besides Google Scholar to find scientific papers and whitepapers, which were added to the set of articles in a flexible way in order to illustrate concepts that were not covered by the initial set of articles gained through the structured approach. 38 scientific papers, whitepapers and books were added to the set.

Results

The first part of this literature review is an exploration of the aspects which were deemed important for top management to evaluate cloud computing: the development of a solid business case for cloud computing, the impact on the organization and dealing with cloud-related risks. Hereafter, the results of the literature on the governance of cloud computing are discussed.

Business case

An organization bases its decision to adopt a cloud solution on its business case (Ezzat, Elzanfaly, & Mostafa, 2012). That is, a specific cloud solution, a public or private cloud, instead of another, more traditional IT service. As already mentioned in the introduction, this is often a complicated process for organizations. While at least the benefits, risks and the organizational impact should be considered in this decision (Khajeh-Hosseini, Sommerville, & Sriram, 2010), other organizational, social, psychological, political and technological factors as well as market dynamics and other hard-to-quantify factors could all be relevant in this decision-making process (Martens, Benedikt, & Teuteberg, 2012). This section explores several areas that are relevant to building the business case for cloud computing. First, the benefits of cloud computing are discussed. These are the reasons why a business case could be positive. Hereafter, the cost calculation methods are discussed, as these are used to determine the value of cloud computing. Finally, the content of a cloud business case and the process of its development are discussed.

Benefits

Because of the mentioned characteristics of cloud computing (e.g. resource pooling), this paradigm could add value to organizations in multiple ways. The main benefits can be grouped into strategic, technical and economic benefits (Zabalza, Rio-Belver, Cilleruelo, Garechana, & Gavilanes, 2012). The latter category entails cost savings, which is the benefit most mentioned in literature (Carroll, Van der Merwe, & Kotze, 2011). Organizations that adopt off-premise cloud computing pay only for the time or amount a service is used, so no upfront investments in infrastructure are needed (Brohi & Bamiah, 2011) and no resources are wasted on unused server space (Maurya, 2010). Less maintenance of the infrastructure and the applications is needed, which reduces labor costs (Carroll et al., 2011).
An important note, though, is that the economic benefits of outsourcing IT capabilities (off-premise) are expected to last 2 years compared to private, on-premise clouds (Géczy, Izumi, & Hasida, 2011). Further, with SaaS the software packages do not need to be bought separately for every desktop in the organization (Aljabre, 2012). An important strategic benefit is flexibility (Zabalza et al., 2012). Cloud applications and infrastructures can be rapidly leveraged and will be scaled according to demand (Maurya, 2010). This enables organizations to deploy new business services quickly (Bhardwaj, Jain & Jain, 2010), and under-provisioning will be avoided, which prevents, among other things, downtime of websites that could cause a loss of customers (Brohi & Bamiah, 2011). The elasticity of resources is bounded by a fixed amount of resources with private cloud computing, but unlimited with public cloud computing (Badger et al., 2011). SaaS offers the flexibility to find an offering that suits the business needs best, as with an off-premise solution applications are rented instead of bought (Xie, 2011). Further, cloud services can be accessed anywhere with all kinds of network-enabled devices (Brohi & Bamiah, 2011), which allows employees to collaborate on projects and documents on the road (Aljabre, 2012).

Besides flexibility, cloud computing also enables organizations to gain a competitive advantage by being able to focus more on their core competence when IT is managed by a third party (Maurya, 2010), and cloud computing could be an answer for a green IT strategy (Baliga, Ayre, Hinton, & Tucker, 2011). A technical benefit is the up-to-dateness of the provided capabilities (Géczy et al., 2011). When the software and infrastructure are managed by a cloud provider, the consumers have access to up-to-date computing environments and do not need to be concerned with update or upgrade issues. Even with on-premise cloud computing managed by the organization itself, updating and upgrading is less burdensome because of the centralization of IT resources. Also, the compatibility between operating systems is improved: a user can share documents with others who have a different operating system (Aljabre, 2012). Further, employees can store more data in the cloud than on their own computers (Bhardwaj et al., 2010), and with SaaS there is no need to download anything, saving time and storage space (Bhardwaj et al., 2010). An important benefit which can be considered a technical as well as a strategic benefit is improved security. While security issues are still the main reason organizations are reluctant to adopt cloud computing, it also has some security-related benefits (Bhardwaj et al., 2010). Security measures are cheaper when implemented on a larger scale. The centralized nature of both off- and on-premise cloud computing means the application of security-related processes is cheaper compared to a non-cloud IT landscape, and security updates for the software and infrastructure can be applied more quickly (ENISA, 2009). Further, cloud providers can dynamically reallocate resources for defensive measures, which has advantages for resilience (ENISA, 2009). What is not always mentioned is to which deployment or delivery model a benefit applies.
NIST provides a good overview of the (detailed) benefits for the specific delivery models (Badger et al., 2011). The cloud migration decision support tool planforcloud.com (formerly known as shopforcloud.com) provides an extensive list of benefits for each of the service and deployment models (Khajeh-Hosseini et al., 2011).

Cost calculation

Relatively many papers discuss the calculation of the costs of cloud computing or the determination of its value, and they differ with regard to the financial metrics used, the cost factors included and the degree to which soft factors are quantified. Yam, Baldwin, Shiu, and Ioannidis (2011) proposed a real option model to help decision makers decide when to switch to a cloud solution. They use NPV as a financial metric and quantified the benefits received from cloud computing, the costs and the risk uncertainties. Because of the use of real option theory, companies could choose to adopt cloud computing or to wait and monitor until, for example, the financial situation improves or the uncertainty relating to the business value (i.e. security incidents) is reduced. Another approach is the use of total cost of ownership (TCO), which addresses the real costs of owning and operating IT infrastructure. Martens, Walterbusch, and Teuteberg (2012) proposed a mathematical model to calculate the TCO of off-premise cloud solutions. The included cost

factors are based upon a structured literature review. The model only focuses on hard costs and does not include any security or risk costs. Li, Li, Liu, Qiu, and Wang (2009) have proposed a similar cloud cost calculation model. Further, return on investment (Misra & Mondall, 2011; Wu & Gan, 2011) or a cost-benefit analysis could also be used to determine the value of cloud computing (Kornevs, Minkevica, & Holm, 2012). In the research of Kornevs et al. (2012) the benefits, such as scalability, were quantified. For calculating the costs of an on-premise cloud solution, literature addressing the TCO of cloud computing from a provider's perspective (e.g. maintaining a data center) is insightful, as creating these clouds would probably involve similar costs to those public cloud providers deal with, but on a smaller scale (Khajeh-Hosseini et al., 2010).

Developing the business case

A business case can be defined as "a justification for pursuing a course of action in an organizational context to meet stated organizational objectives and goals" (Remenyi & Sherwood-Smith, 2012). In the context of IT investments, it involves assessing the value of these investments in terms of their potential benefits and costs, while taking into account the associated risks. Most of the literature that explicitly refers to a cloud business case consists of books or whitepapers. An ICT innovation program supported by the Dutch government, 'Kennisnet', has provided some information about what a business case for cloud computing entails ('De business case', n.d.). The decision about adopting a cloud solution is based on the qualitative and quantitative benefits and costs and the associated risks. With regard to the business case, a cloud computing investment does not seem to differ much from other IT investments. A more elaborate view on the business case for cloud computing is given by Linthicum (2009) in his book.
He defines the exact steps that need to be performed to develop a business case for cloud computing, namely: understand the existing issues, assign costs, model 'as is', model 'to be', define value points, define hard benefits, define soft benefits, and create the final business case. Because the focus of this book is on public cloud computing, He (2011) has adjusted these steps in his master thesis to suit all deployment models. The content of a cloud business case according to He (2011) is as follows:

1. A clear understanding of the current business and IT issues the business is facing.
2. The amount of money lost regarding the business issues.
3. The proposed improvements using cloud computing to address the identified business issues.
4. The amount of money, if any, that can be saved using these improvements.
5. Soft benefits: the value points which are difficult to quantify, such as customer satisfaction.
6. Hard benefits: benefits in terms of direct and visible cost reduction and/or business efficiencies that are corrected.
7. Holistic impact on the business: evaluate the impact of cloud computing on the business in general, such as good or bad; perform a risk analysis for the possible occurrences

which will influence the business case, such as legal changes or market changes; articulate the chances that the organization will switch cloud.

In the whitepaper of Raines and Pizette (2010), which is about cloud computing for federal organizations, the content of the business case and the context in which it is used are discussed. According to these authors, the business case is part of solution scoping and definition, as shown in Figure 10. Before establishing a business case, the cloud services are clarified. This entails the definition of the exact cloud services the organization intends to consume, in order to scope the project. An example is given in the form of this definition: "We will establish a means to lease computer storage by the GB using a monthly payment such as a purchase card." The next step is to develop a business case. According to the authors, the focus should be on the business needs and objectives, the expected benefits and whether a cloud solution is an appropriate alternative. Hereafter, the service requirements are established, which include among others security and performance requirements. Based on the business case (is a cloud solution an appropriate and beneficial solution?) and the service requirements, a deployment model and service provider are chosen. Supporting information during these steps includes the enterprise architecture, program concept of operations and security policies. How these are of support is not mentioned. Further, what is notable is the position of the cloud model in the process. It would seem important for the development of the business case to already decide which model is addressed, in order to determine the benefits and risks, as these differ between the models. The authors argue the business case should be based on organizational goals. Examples they mention are cost reduction and soft benefits like IT agility, access flexibility and scalability.
Further, they mention aspects such as the impact on the support staff, performance risks and mission assurance. They summarize it as follows: "The business case needs to effectively weigh the benefits of cost reduction, scalability, location independence, and other benefits, against the additional exposures or risks added." When costs can be reduced and the mission of the company can be assured (e.g. the risks are not too high), the business case for cloud computing is positive and thus cloud computing is an appropriate choice.

Figure 10: business case and the scoping and definition phase (Raines & Pizette, 2010).

The steps mentioned in the whitepaper of Bruszewski (2011), which discusses the development of a business case for universities, correspond to the steps mentioned earlier, but also provide some extra insights into how the enterprise architecture could support the business case. The steps in establishing a business case are related to the organizational objectives, the current IT situation, costs and risks, and migration issues. Although they do not refer to the concept of enterprise architecture, the second step seems to explain how it could be of use. They argue that a good understanding of the current IT systems is necessary to get an idea of what (which areas or services) is appropriate to migrate to a cloud solution, and that the impact on the business processes should be determined for an accurate cost estimation. This is exactly what an enterprise architecture should reveal. The enterprise architecture could also be used to model the 'as is' and the 'to be' state of the IT landscape, as was proposed by Linthicum (2009) and mentioned earlier. This could be an important step, because a strategic direction of the IT architecture is important for getting the most out of cloud computing (Conway & Curry, 2012). While it is clear that the business case includes costs, benefits, downsides and risks, the two articles discussed above do not provide support in performing the necessary steps. In a whitepaper about COBIT adaptations for cloud computing, ISACA (2011) refers to its governance frameworks for assisting top management in developing a business case. The steps and references are shown in Figure 11. First, the organization agrees on the business objectives for a new cloud program, such as the introduction of a public CRM service. These objectives are then further detailed into a business case for the cloud.
This includes the itemization of the specific sought-after cloud business advantages compared with known, but allowing for yet-to-be-determined, cloud risk.

Figure 11: establishing a business case according to ISACA (2011).

The overview of the steps and content of the business case mentioned above by the different authors is shown in Table 8.

He (2011)
- Scope: Business case
- Steps/content: Current business and IT issues; The proposed improvements; Cost savings; Soft benefits; Hard benefits; Holistic impact on the business

Raines and Pizette (2010)
- Scope: Business case
- Steps/content: Organizational goals; Cost savings; Soft benefits; Organizational impact (risks, mission assurance, support staff)

Bruszewski (2011)
- Scope: Business case
- Steps/content: Organizational objectives; The current IT situation; Cost savings; Risks and migration issues

ISACA (2011)
- Scope: Goal setting & business case
- Steps/content: Goal setting; Develop business case (identify full lifecycle costs and benefits; develop the detailed program business case; IT value management)

Table 8: overview of the content of a cloud business case.

It can be concluded that a business case for cloud computing should revolve around the soft and hard benefits (based on business goals) and the risks. The impact on the organization is an important aspect of the evaluation of cloud computing, as it provides a more holistic view of all the benefits, downsides and risks of cloud computing, and therefore needs to be assessed. Two aspects were not very clear: the exact role of the enterprise architecture and the role of the cloud models in the business case development process. The findings of this chapter are shown in Table 9. In the next section, literature about the impact of cloud computing on the organization is discussed.

Benefits: The main benefits can be grouped into strategic, technical and economic benefits.
Cost calculation: To calculate the costs of deploying a cloud solution, a total cost of ownership (TCO) method should be applied. To assess the financial benefits, the NPV or ROI metrics can be used.
Cloud computing business case: Does not seem to differ much from that of traditional IT investments. It roughly includes the soft and hard benefits (based on business goals) and the risks. The organizational impact analysis should identify the total benefits and risks.

Table 9: summary of the benefits, cost calculation methods and the business case for cloud computing.

Organizational impact

As mentioned in the previous section, the impact of a cloud solution on the organization should be taken into account when considering cloud computing. The organization's people, processes and culture will be affected, because cloud computing is not only a technical improvement of the IT infrastructure, but also a fundamental change in how IT is provisioned and used (Khajeh-Hosseini et al., 2010). The aspect of an organization that will be impacted the most seems to be the IT department. Although cloud computing is based on existing technologies, the IT employees need to update their skills when working with cloud applications (Rashmi, Mehfuz, & Sahoo, 2012). Their role is likely to change. Users can consume public cloud services instead of internal services, so cloud computing can turn users into choosers (Yanosky, 2008). An example is provided in a whitepaper of BP: a group bypassed the company's IT department by using Amazon Web Services to host a new customer-facing website (Khajeh-Hosseini et al., 2010). As a reaction, the role of the IT employees could change from provider to certifier, consultant and arbitrator of cloud services (Yanosky, 2008).
In the case of a large collection of hybrid cloud services, their role will also focus on brokering, integrating and managing public and private cloud services (Erbes, Nezhad, & Graupner, 2012; Sarkar & Young, 2011). The private cloud infrastructure mainly hosts IT management applications, communication tools and business applications such as ERP. Hosting and storage services are often used from a public cloud. While the portfolio of internal and external services differs between enterprises, in most cases the IT department manages a hybrid IT service portfolio. Therefore, they need to understand which types of services are consumed and needed from both an operational and a financial perspective (Erbes et al., 2012). An important responsibility for IT managers is to identify the risks in using cloud services and to negotiate SLAs with the providers of these services, in order to ensure that no security, privacy or intellectual property policies are violated (Sarkar & Young, 2011). Also, system support will change. Because in most cases administrators will no longer have complete control of a system's infrastructure, their work could increasingly involve contacting cloud providers and waiting for them to look into problems (Khajeh-Hosseini et al., 2012).

Their new role comes together with a decrease in authority and control. The IT department can view this change of role as a threat to its corporate culture, in which it had a certain amount of authority, and to the security of their jobs (Khajeh-Hosseini et al., 2010). However, according to the case study performed by Sarkar and Young (2011) at a university which moved to an externally managed and hosted private cloud, this was a gradual transformation rather than a decline. Besides the changes for the IT department, relatively little scientific research has been performed on the effects on other stakeholders or the users. Khajeh-Hosseini et al. (2012) mention that the accounting department will be impacted, because hardware and network infrastructure will be consumed according to a utility model in the case of an outsourced cloud, instead of upfront procurement. Khajeh-Hosseini et al. (2010) have performed a case study to identify the organizational implications of externally hosted cloud computing, by researching the perception of the stakeholders with regard to the benefits, risks, opportunities and concerns of the organizational changes. The case study entailed the migration of a quality monitoring and data acquisition system to a public IaaS service, Amazon EC2. Some of the mentioned benefits and risks were related to the performance of the organization, such as the opportunity to grow and the risk of decreased service quality. A personal benefit for non-IT-related employees was the improvement in job satisfaction and the opportunity to develop new skills, as the cloud environment enabled the creation of new products and services due to cost effectiveness and scalability. This created new challenges for sales and marketing employees and provided the opportunity for them to develop new skills in developing new products. The ability to create new products and services was also perceived as a concern.
According to these employees, their job satisfaction could decrease when unrealistic sales goals were set for these new cloud-based services. Further, Sultan and van de Bunt-Kokhuis (2012) discussed cloud computing adoption from the perspective of a radical innovation and the role of the corporate culture in the adoption and use of cloud computing. The authors conclude that cloud-consuming organizations will need to reconsider how they deliver their products and services, view their IT resources and roles, evaluate and calculate their expenditures, value and manage their security, and how they foresee themselves in a, potentially, more environmentally friendly future environment with ethically conscious consumers. However, not many concrete changes of the organizational culture are mentioned. One example is given of a company which adopted a hybrid cloud and began to see its IT infrastructure as a commodity service, instead of a strategic asset. Whether opting for a private, hybrid or public cloud implementation, the move to cloud computing will impact the organization's processes (Rebollo, Mellado, & Fernández-Medina, 2012). Cloud solutions may alter the way work is done because of the standardized nature of SaaS applications or because of new possibilities, such as the flexibility to work with cloud applications on the road with mobile devices. Also, off-site cloud services need different management than traditional IT infrastructure (Birla & Sinha, 2011).

Erbes et al. (2012) emphasize the importance of an integrative service management function for the management of hybrid cloud solutions. This business role involves the governance of the whole life cycle of the services, including supplier selection, SLA management and financial management, and ensuring the service portfolio is aligned with the business strategy. This implies that the responsibility for the life cycle of cloud services moves to specific life cycle roles within the organization when the cloud environment becomes complex. Further, the management or cloud adoption frameworks of Shimba (2012) and Conway and Curry (2012) present or mention the processes needed for maintaining a cloud solution. They correspond to the ones included in the management or governance framework Information Technology Infrastructure Library (ITIL), the most used framework for IT service management (Sahibudin, Sharifi, & Ayat, 2008). Two activities belong to a higher monitoring layer though, namely the monitoring of service requirements and of metrics such as costs. Jansen (2010) analyzed the processes of the ITIL framework for applicability to cloud solutions. He concluded that all of the processes (from service strategy to service design) are relevant, but need to be adapted. Further, security management processes are required for securing a cloud solution (Mather et al., 2009) and a risk management process is needed to identify, manage and monitor risks (CSA, 2011). The processes are shown in Table 10.

Conway and Curry (2012)
- Service management: Issue management; Change management; Supplier relationship management; Continual service improvement; Audit cloud supplier performance and compare to alternatives (vendor management)
- Monitoring: Service requirements monitoring

Shimba (2012)
- Service management: Contract management; Vendor management; Technical support
- Monitoring: Performance monitoring through metrics (e.g.
costs)

CSA (2011)
- Risk management: Risk management

Mather, Kumaraswamy, and Latif (2009)
- Security management: Access control (partial); Monitoring system use and access (partial); Incident response; Additional processes for PaaS and IaaS (e.g. configuration management)

Table 10: processes that need to be implemented to manage cloud solutions (authors, processes and process type).

Further, ISACA's (2011) adaptation of COBIT for cloud computing provides some information on structural changes within the organization. While there is no need for a new decision-making

structure, the roles of the employees change towards managing contracts and providers. This corresponds to the processes mentioned in Table 10. The summary of the organizational impact of cloud computing is shown in Table 11.

Processes: Service (e.g. SLA management), security (e.g. access control) and risk management processes must be implemented. Non-IT business processes may be impacted because of the standardized nature of SaaS services and the new possibilities of cloud services.
Structure: Roles of IT employees change to managing services and contracts.
Culture: Decreased authority of IT employees, as the business can bypass IT for procuring services.
Outside the IT department: The accounting department will procure services differently. New opportunities (and possibly concerns) for employees because of the new possibilities enabled by cloud technology.

Table 11: summary of the organizational impact of cloud computing (organizational aspect and impact).

Risks & risk management

This section deals with the risks of cloud computing. First, these risks are listed. By discussing cloud risk management and appropriate risk responses and controls, some light is shed on how these risks can be controlled and managed.

Risks

The security issues of cloud computing are the main reason why organizations are still reluctant to adopt cloud services. As Gartner says, cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing" (Brodkin, 2008). The words risk, threat, vulnerability and exposure are concepts that are often used in literature to point out the security risks of cloud computing, but their exact meanings differ (Dahbur, Mohammad, & Tarakji, 2011). Vulnerabilities refer to weaknesses in software, hardware or procedures that enable attackers to access resources. This may be a service, an unpatched application or an unsecured physical entry.
A Threat is any potential danger to information or a system due to someone or something exploiting a vulnerability. A risk is then the likelihood of someone or something exploiting the vulnerability and the impact on the business. It can be defined as the possible impact of an event on an organization s assets and the corresponding expected and unexpected consequences that occur as a result (Troshani, Rampersad, & Wickramasinghe, 2011). 35

Many scientific papers discuss the security risks, threats or vulnerabilities of cloud computing (Bhadauria, Chaki, Chaki, & Sanyal, 2011; Bisong, Syed, & Rahman, 2011; Carroll et al., 2011; Chen & Yoon, 2010; Dahbur et al., 2011; Paquette, Jaeger, & Wilson, 2010; Sengupta, Kaulgud, & Sharma, 2011; Shaikh & Haider, Dec.; Srinivasan, Sarukesi, Rodrigues, Manoj, & Revathy, 2012; Subashini & Kavitha, 2011; Tanimoto, Hiramoto, Iwashita, Sato, & Kanai, 2011; Yang & Chen, Dec.; You, Peng, Liu, & Xue, 2012; Zissis & Lekkas, 2012). A very comprehensive description of the associated risks and vulnerabilities of cloud computing is provided in a report of the European Network and Information Security Agency (ENISA) (2009). Many other whitepapers have been published on this topic, including one by Gartner (Brodkin, 2008). The popular ENISA (2009) report groups the risks into organizational, legal and technical risks, categories that are often used by scholars. A categorization from a scientific paper is provided by Carroll et al. (2011). They performed an extensive literature review to identify the main security risks of cloud computing, and the results were validated through expert interviews. They grouped the risks into the nine categories described below.

(Confidentiality &) Privacy
The storage of data in external data centers with off-premise hosting raises issues regarding the legal status of the storage of personal information and the protection of business information. Further, the data's location can influence the legal requirements for processing and storage, and compliance issues can arise from not knowing where the data is stored. The external storage of data can lead to confidentiality issues too, as it increases the exposure of the data to being accessed or copied. Data leakage can also occur due to failures in the networks and authentication mechanisms, and a malicious insider at the cloud provider could access the data.

Data control
When using an outsourced cloud deployment model, customers have to deal with a loss of governance or data control. As the data is managed outside the organization, it is difficult to protect the data and to enforce privacy, identity theft and security policies. Also, as computing resources are shared with other companies, the data could be exposed when one of the co-tenants has violated the law.

Availability of data and services
The availability of services is threatened by natural disasters and by unclear data backup procedures of the provider. Also, because of lacking standards in tools, procedures and data formats, it is difficult for organizations to migrate from one provider to another or back in-house. When a cloud provider goes out of business and the customer is not warned in time, this can have a huge impact on the organization. Further, as cloud services rely on an internet connection, bandwidth or connection problems lead to availability issues.

Data integrity
Data integrity can be affected when networks, applications, databases and system software are not patched adequately or on time. Further, integrity can be affected by unauthorized changes made by the service provider and when the shared resources are not isolated well enough.

Data encryption
Adequate data encryption, key management and cryptographic techniques are very important to prevent unauthorized access by the cloud provider and by other tenants who share the resources in a public cloud environment, and to prevent data leakage or hijacking of data while it is transported over the network.

Logical access
As administrative and management access to cloud services is gained through the internet, the risk of unauthorized access is much higher than with traditional computing, where only a few administrators have access to the system. Weak authentication mechanisms (e.g. weak passwords) increase this risk.

Network security
There is an increased risk of hacking and intrusion in cloud environments, through security threats such as man-in-the-middle attacks, authentication attacks, side-channel attacks, social networking attacks and denial of service (DoS) attacks. Mobile devices are a newly emerging risk, as mobile users can access the data while bypassing the corporate network.

Physical access
Large distributed threats are expected for public cloud providers, as attackers can gain access to a large amount of data at one virtual location.

Compliance
Organizations must comply with legal or in-house requirements for securing data and applications. With off-premise cloud computing the data is hosted externally, but the organizations still have to comply with these requirements.

Most of the risks mentioned in the other scientific papers and whitepapers correspond to the risks mentioned above, so the list is fairly exhaustive, albeit at a certain level of abstraction.
Other researchers look more at the detailed network and application attacks (Bhadauria et al., 2011) and the vulnerabilities of cloud technologies (Subashini & Kavitha, 2011). One risk that was mentioned by many other authors but is absent from this list concerns the proper deletion of data. With public cloud computing, customers are isolated at a virtual level and not through the hardware; this concept is called multitenancy. When data is not properly deleted from the hardware, it could be accessed by other (malicious) customers, affecting data confidentiality (Zissis & Lekkas, 2012). Also, the availability of services is not only affected by natural disasters, but also by human error and security problems at the provider's site (Badger et al., 2011). Further, some legal risks are not covered by the categories, namely licensing and intellectual property issues (ENISA, 2009).

An important note concerns the security differences between public and private clouds. Most of the mentioned risks do not apply to private cloud computing (Chen & Yoon, 2010). Even with off-premise hosting, a dedicated, secure network connection can be established. In comparison to public cloud computing, which uses the public internet, the hardware is not shared with other tenants and the consumer knows where the data is stored. So data leakage, compliance issues and many other threats are less likely to occur with this deployment model.

The described risks are relevant to all the delivery models, but the specific threats (e.g. man-in-the-middle attacks) differ between these models (Behl & Behl, 2012) and should be taken into account when adopting cloud computing (Subashini & Kavitha, 2011). The delivery models are built upon each other, so the associated vulnerabilities are inherited from the lower-layered delivery models (Behl & Behl, 2012). It is therefore argued that SaaS introduces more risks than PaaS and IaaS, because more control over the infrastructure has shifted to the providing organization (Bisong et al., 2011).

Risk & Compliance management

IT risk management can be defined as the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions (Paquette et al., 2010). In cloud settings, risk management can help deal with the consequences of modification, destruction, theft, or lack of availability of computer assets such as hardware, software, data and services (Troshani et al., 2011). Basically, it entails the identification, assessment and management of risks (Paquette et al., 2010).
The management of the risks should be aligned with the risk appetite and tolerance of the data owner (CSA, 2011). Commonly used risk response strategies are risk transference, risk avoidance, risk acceptance and risk mitigation (Tanimoto et al., 2011). If the services are essential to the functioning of the organization, a risk management approach is advised to include the following (CSA, 2011):
- Identification of assets
- Identification of threats, vulnerabilities and their potential impact on assets (risk and incident scenarios)
- Analysis of the likelihood of the incident scenarios
- Management-approved risk acceptance levels and criteria
- The development of risk treatment plans
According to CSA (2011), the risk management process should be a shared responsibility between provider and consumer. They need to develop the risk scenarios together (the outcome of the risk treatment plan should be part of the SLA), and their risk assessment approaches and asset classification and valuation schemes should be consistent. Julisch and Hall (2010) advise cloud providers to aid their clients in the risk management process by being transparent about the security controls that are implemented.
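The CSA steps above (asset identification, threat and vulnerability scenarios, likelihood analysis, a management-approved acceptance level, treatment plans), the definition of risk as likelihood times business impact from the previous section, and the four response strategies can be turned into a small risk register. The Python example below is added here as an illustration; it is not part of the thesis or of the CSA guidance. The 1-5 likelihood and impact scales, the acceptance level of 6, the effect assigned to each control and the sample register are assumptions made for the example. It goes one step beyond the text by deriving SLA items from the controls that the provider must implement, following the remark that the outcome of the treatment plan should be part of the SLA.

```python
"""Risk register: scenarios scored as likelihood x impact, compared against a
management-approved acceptance level, and given a response (accept, mitigate,
transfer, avoid) plus the SLA items needed for provider-side controls.

Added illustration, not code from the thesis or from CSA. The 1-5 scales, the
acceptance level, the control effects and the sample register are assumptions."""
from dataclasses import dataclass, field

ACCEPT, MITIGATE, TRANSFER, AVOID = "accept", "mitigate", "transfer", "avoid"


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off the 1-5 likelihood scale (assumed effect)
    impact_reduction: int = 0       # points taken off the 1-5 impact scale (assumed effect)
    provider_side: bool = False     # implemented by the provider -> must be fixed in the SLA


@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (critical) for this asset
    controls: list = field(default_factory=list)
    insurable: bool = False         # remaining impact can be transferred (insurance, SLA penalties)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")


def score(likelihood: int, impact: int) -> int:
    """Risk as defined in the text: likelihood of exploitation times business impact."""
    return likelihood * impact


def residual(scenario: Scenario) -> tuple:
    """Likelihood and impact after applying the scenario's controls; never below 1."""
    lik = max(1, scenario.likelihood - sum(c.likelihood_reduction for c in scenario.controls))
    imp = max(1, scenario.impact - sum(c.impact_reduction for c in scenario.controls))
    return lik, imp


def treat(scenario: Scenario, acceptance_level: int) -> dict:
    """Accept within appetite; otherwise mitigate if the controls bring the residual
    risk within appetite, else transfer if the impact is insurable, else avoid."""
    inherent = score(scenario.likelihood, scenario.impact)
    if inherent <= acceptance_level:
        return {"response": ACCEPT, "inherent": inherent, "residual": inherent, "sla_items": []}
    res = score(*residual(scenario))
    sla_items = [c.name for c in scenario.controls if c.provider_side]
    if res <= acceptance_level:
        return {"response": MITIGATE, "inherent": inherent, "residual": res, "sla_items": sla_items}
    if scenario.insurable:
        return {"response": TRANSFER, "inherent": inherent, "residual": res, "sla_items": sla_items}
    return {"response": AVOID, "inherent": inherent, "residual": res, "sla_items": []}


def treatment_plan(register: list, acceptance_level: int) -> dict:
    """Treatment plan keyed by threat name."""
    return {s.threat: treat(s, acceptance_level) for s in register}


# Constructed sample register for a public cloud adoption decision (assumed values).
SAMPLE_REGISTER = [
    Scenario("customer records", "data leakage to another tenant",
             "shared storage not wiped before reuse", likelihood=3, impact=5,
             controls=[Control("client-side encryption, keys held by consumer", likelihood_reduction=2),
                       Control("evidence of secure deletion on request", likelihood_reduction=1,
                               provider_side=True)]),
    Scenario("order processing", "provider outage", "single provider, no fail-over",
             likelihood=3, impact=4, insurable=True,
             controls=[Control("fail-over to a second provider", likelihood_reduction=1)]),
    Scenario("customer records", "provider goes out of business", "proprietary data format",
             likelihood=2, impact=4,
             controls=[Control("contractual data return in a standard format", impact_reduction=2,
                               provider_side=True)]),
    Scenario("patient records", "data stored outside the jurisdiction",
             "provider cannot guarantee data location", likelihood=4, impact=5),
    Scenario("public marketing site", "defacement", "weak admin password", likelihood=2, impact=2),
]

ACCEPTANCE_LEVEL = 6   # assumed management-approved acceptance level on the 1-25 score

if __name__ == "__main__":
    for threat, decision in treatment_plan(SAMPLE_REGISTER, ACCEPTANCE_LEVEL).items():
        print(f"{threat:40} {decision['response']:9} inherent={decision['inherent']:2} "
              f"residual={decision['residual']:2} sla={decision['sla_items']}")
```

Running the block prints one line per scenario. The jurisdiction scenario ends up as "avoid" because no control brings it within appetite and the impact cannot be insured away, which is the case the text describes for a private rather than public deployment; the data-leakage scenario is mitigated, and its provider-side control becomes an SLA item.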

Some of the risks associated with cloud computing are related to compliance. While IT compliance can be integrated into the process of risk management by including the risk of non-compliance (Racz, Weippl, & Seufert, 2011), the two are often treated as separate concerns within companies (Guo et al., 2011). Compliance can be defined as the awareness of and adherence to obligations (e.g. corporate social responsibilities, applicable laws, ethical guidelines), including the assessment and prioritization of corrective actions deemed necessary and appropriate (CSA, 2011). Before moving to the cloud, organizations need to understand the relevant legislative and regulatory requirements. For example, if a company processes credit cards, it probably has to adhere to the Payment Card Industry's Data Security Standard (PCI DSS) (Chaput & Ringwood, 2010). Moyle (2011) describes in a whitepaper how information security and compliance are managed within organizations with regard to cloud computing. According to this author, information security professionals focus on technology-related risks and on deploying controls to lower the overall technological risk. Compliance professionals, by contrast, need to ensure that the technology controls address regulatory requirements. As the security controls are often supplied by the cloud provider, the compliance department needs the technical knowledge of information security professionals to gain insight into the security controls implemented at the provider's site. So both camps need to work together to validate that the security controls of the provider meet regulatory requirements. One approach often used to ensure the appropriate collaboration between the two departments is the introduction of a governance, risk and compliance (GRC) function (Racz et al., 2011). Multiple aspects regarding the management of cloud-related risks are covered in the scientific literature.
Rabai, Jouini, Aissa, and Mili (2013) offer a quantitative risk assessment model that enables both cloud providers and consumers to quantify the risks, so that decisions can be based on a quantitative analysis instead of a qualitative one. The QUIRC framework is another quantitative risk assessment model that can be used to assess the robustness of different cloud offerings (Saripalli & Walters, 2010). Kaliski and Pauley (2010) introduced the paradigm of Security as a Service, which involves automated security assessments. An example of such automation is CloudAudit (CSA, 2011), which provides consumers with on-demand information regarding the status of the security controls at the supplier's site. Luna Garcia, Langenberg, and Suri (2012) researched the benchmarking of the security assurance of cloud providers according to the security statements in their SLAs. Further, a lot of research has been done on the automated monitoring of Quality of Service (QoS) and availability in SLAs (Almorsy et al., 2011). Martens, Benedikt, and Teuteberg (2011) have proposed a reference model for the management of risks and compliance issues. Its meta-model is shown in Figure 12. As it is a reference model, it contains all the elements or perspectives that were identified in the literature by the authors. One of these elements is the use of key performance indicators. This perspective involves the operationalization of measures and strategic objectives. KPIs monitor the performance of cloud computing services, risk factors and compliance issues. If a risk factor refers to a compliance regulation it is labeled as a regulatory/legal risk. A risk is also always specified by a compliance regulation; what this means for risks not related to compliance regulations is not made clear by the authors.

Figure 12: meta-model for risk and compliance management in the cloud (Martens et al., 2011).

While the assessment and management of the risks of cloud computing is covered in the literature, no comprehensive process-oriented risk and compliance management framework has been proposed. However, existing methodologies can be used in developing a risk management framework (Guo et al., 2010). The well-known COSO framework is adapted for managing the risks of cloud computing and described in a whitepaper (Chang et al., 2012). The process steps are as follows:

Internal environment: The internal environment defines the risk appetite of the organization. This determines how risks and controls are viewed and includes internal policies, such as not outsourcing any of its operations.

Objective setting: This component entails the evaluation by management of how cloud computing aligns with the organization's objectives. It may present an opportunity to achieve existing objectives or to gain a competitive advantage, which would require the definition of new objectives.

Event identification: Opportunities or risks should be identified that can affect the achievement of objectives. External environmental factors (e.g. regulatory, economic, natural, social and technical) as well as the organization's internal factors (e.g. culture, personnel and financial health) should be considered when identifying and assessing risk events. With the use of public or hybrid clouds, events affected by the internal and external factors of the cloud service provider should also be taken into account.

Risk assessment: The risk events associated with the organization's cloud strategy should be evaluated to determine the potential impact of the risks associated with each cloud computing option. The risk assessments should be completed before an organization adopts a cloud solution.

Risk response: Once the risks have been identified and assessed in the context of the organizational objectives relative to cloud computing, the risk responses need to be determined. Four types of risk responses are included in this framework: avoidance, reduction, sharing and acceptance.

Control activities: The traditional types of controls also apply to cloud computing. Policies and procedures are established and implemented in order to effectively implement the risk response strategies. The difference introduced by cloud computing is that some control responsibilities are transferred to the provider.

Information and communication: To effectively manage the risks, management relies on timely and accurate information and communication from various sources regarding external and internal events. External information related to the service provider should also be monitored, as certain events affecting the service provider or fellow cloud tenants might have an impact on the organization.

Monitoring: The effectiveness of the enterprise risk management program must be continuously monitored, as risk responses may become irrelevant, control activities may become less effective and the organizational objectives may change.

Compliance is integrated into the risk management process through the organizational objectives: being in compliance with regulations and laws is itself an organizational objective. The best-practice situation is when the framework is used to identify the ideal configuration of cloud solution options (i.e., business process, deployment model and service delivery model) by evaluating different solutions in the context of each of the components. This evaluation enables management to make adequate risk management and governance decisions, both in selecting an ideal set of cloud solution options and in creating a cloud governance program (risk management strategies, roles and responsibilities) before the cloud solution is implemented.

A tool to support risk identification, called the Cloud Security Reference Model, was developed by the Cloud Security Alliance (2011) and is shown in Figure 13. An organization conducts a gap analysis of cloud computing service and deployment models by mapping them against a set of required or recommended security controls and corresponding compliance models (e.g. SOX, HIPAA, PCI). The output of this tool is the set of gaps, i.e. the security risks that must be managed. It also guides organizations in selecting a cloud offering that suits their specific needs.

Figure 13: the Cloud Security Reference Model (CSA, 2011)

Risk responses and controls

What controls should organizations implement in response to the identified cloud-related risks? Carroll et al. (2011) did not only provide a list of risks in their research, which were discussed in the previous section, but also controls that can be applied to manage these risks. Other authors who proposed risk responses and controls in scientific papers are Tanimoto et al. (2011), Fan, Chiang and Kao (2012) and Bisong et al. (2011). Chen and Yoon (2010) describe for each deployment and delivery model the specific aspects that need to be considered when auditing the security of cloud computing, which also provides insight into mitigating security risks. Further, the publications of Badger et al. (2011), CSA (2011), Brodkin (2008), ENISA (2009) and Chang, Leung, and Pili (2012) provide risk responses and controls. The guidelines of CSA (2011) for securing cloud computing are very detailed and therefore not taken into account in this section. They do provide comprehensive information about, amongst others, securing applications, incident handling and assurance of cloud providers, and should be reviewed when moving to the cloud. Summarized, the controls entail identifying SLA and provider requirements, evaluating service level agreements and providers, monitoring (including third-party audits), developing availability-risk-reducing strategies, implementing security controls at the consumer's site and implementing a data classification scheme (see Appendix A).

In this section the controls are described for four broad categories of risks. These differ from the categories used to describe the risks, which were adopted from Carroll et al. (2011), but cover the same risks. Privacy is a different concern than data confidentiality (Mather et al., 2009), hence the distinct category. The controls for the risks other than the compliance- and availability-related ones overlap and can therefore be placed in one category concerning data confidentiality, integrity and control.

Privacy: To ensure that the data processing adheres to privacy laws, the providers have to prove the effectiveness of their data privacy controls (Carroll et al., 2011) and that they comply with local privacy requirements for processing (Chang et al., 2012). It is not recommended to allow sensitive data on the public cloud. Therefore, effective data classification policies and processes should be in place to determine which data is appropriate (Chang et al., 2012). Further, the location where the data will be processed by a cloud provider should be evaluated to determine whether compliance with data protection laws will be achieved (Chang et al., 2012).

Data confidentiality, integrity and control: Cloud computing often introduces a loss of governance or control over the data and infrastructure (Figure 14). Therefore, it must be ensured that the service provider provides transparency about its security controls (Carroll et al., 2011) and data operations (Badger et al., 2011). The security controls of the provider should be evaluated before adopting the cloud service (Carroll et al., 2011), and the level of these controls should fit the risk appetite of the consuming organization (Chang et al., 2012). Also, the provider's employees should have adequate skills for managing security breaches (Carroll et al., 2011). The provider should disclose who manages and accesses the organization's data, and who hires its administrators and how (Brodkin, 2008). The Cloud Security Alliance offers the GRC stack, which includes a control matrix that can be used to assess the security controls at the provider's site. Similar assurance tools are provided by ISACA (2011) and ENISA (2012).

Figure 14: level of control for each cloud model (Mather, Kumaraswamy & Latif, 2009).
Depending on the selected cloud delivery model, security control responsibilities might be shared; the division should be made clear in the SLA with regard to patching, control and access over encryption, standards and key management (Carroll et al., 2011) and other issues concerning implementation, technology operations and user access administration (Chang et al., 2012). ENISA (2011) provides a table with the responsibilities for each delivery model that are typically determined in a service level agreement (SLA). The security controls the consumer is responsible for should be implemented, including encrypting data hosted on cloud solutions to counter cyber-attacks (Chang et al., 2012) and securing mobile devices that are connected to the services (Carroll et al., 2011). The cloud-adapted COBIT framework of ISACA (2011) also provides information about proper security controls at the consumer's site. Further, an agreement should be made about the reporting structure for incidents and its control mechanisms, all the way up to the CIO and CEO (Chen & Yoon, 2010). After adoption, the security controls of the provider should be periodically verified for their effectiveness (Chang et al., 2012).

Another issue is data ownership. The consuming organization should ensure that the SLA clearly states that the data is owned by the consuming organization (Chen & Yoon, 2010). The consumer needs to research which regulations and laws apply to the stored data (e.g. the USA PATRIOT Act) that can lead to data surrender, what information would be surrendered in that situation and what the options are to avoid such surrenders (Chen & Yoon, 2010). To prevent data leakage and unauthorized changes to the data, the SLA should state that the cloud provider is obligated to provide auditable records of changes made to cloud data, or to provide proof that no unauthorized changes occurred (Carroll et al., 2011). A mechanism should also be offered for reliably deleting subscriber data on request, as well as for providing evidence that the data was deleted (Badger et al., 2011). The consumer could also insure itself against data leakage (Tanimoto et al., 2011). Third-party audits play an important role in assuring that appropriate data security controls are implemented and compliance is achieved. Therefore, the consuming organization has to investigate whether the provider is willing to be subjected to external audits and security certifications (Badger et al., 2011).
These audits should be performed on a regular basis to monitor the cloud service provider's compliance with the agreed terms and the effective implementation of, and adherence to, security policies, procedures and standards (Carroll et al., 2011). Further, after adoption, a third party should check whether the SLA terms are fulfilled (Tanimoto et al., 2011) and should be requested to monitor the movement of data when the provider is asked to remove it (Tanimoto et al., 2011). Lastly, in order to assure information quality and prevent unauthorized cloud usage, the consumer has to implement policies that clarify which business processes and data are appropriate to be supported by cloud solutions, who procures cloud solutions and how to manage the relationship with cloud providers (Chang et al., 2012).

Availability: A big concern regarding availability is cloud-provider lock-in. To prevent this, the consuming organization must check whether the cloud provider supports adequate interoperability standards (Carroll et al., 2011), and an exit strategy or contingency plan should be developed (Chang et al., 2012). Further, when using an IaaS service, a strategy for the migration of virtual machines and their associated storage among alternative cloud providers should be formulated (Badger et al., 2011). To mitigate the risk of the cloud provider going out of business, the continuity plan should be evaluated to check whether the availability goals are supported (Badger et al., 2011). Providers should convince customers that their data will remain available when they go out of business (Brodkin, 2008). As a response to natural disasters, the capabilities of providers with regard to the backup, archiving and recovery of data should be examined, as well as whether the provider offers redundancy (placement of data in multiple data centers) (Badger et al., 2011). The consuming organization itself should also write a disaster recovery plan (Badger et al., 2011). With cloud computing the services are dependent on the network. To ensure that latency remains acceptable and adequate performance can be achieved, the network limitations of the organization should be determined before moving to the cloud (Carroll et al., 2011). The current applications should be benchmarked and key performance score requirements should be established before deploying the applications in the cloud (Chang et al., 2012). The desired performance and availability of the application should be stated in the SLA (Badger et al., 2011). For several reasons, outages can occur at the provider's site, so a fail-over strategy should be developed: another provider's service or an internal solution should be used when the services are not available (Chang et al., 2012). One approach is to contract providers that offer the same solution as the primary CSP and to maintain copies of the organization's data, so it can easily be deployed to the backup provider (Chang et al., 2012). Tools can also be implemented that provide resources on demand for the cloud solution from another provider (Chang et al., 2012). Further, to mitigate the availability risks, insurance can be taken out against the provider going out of business or the unavailability of services (Tanimoto et al., 2011). After adoption, the system availability and performance should be monitored (Chang et al., 2012).
Compliance: The controls concerning compliance-related risks overlap with those for the security risks associated with the loss of data governance, as security controls are relevant both for securing data and for complying with regulations and industry standards. The consuming organization should check whether the appropriate security controls are applied at the provider's site. It should also be ensured that the cloud service provider is open to external audits and security certifications and that logs demonstrating compliance are available (Carroll et al., 2011). A big issue with regard to compliance is that the data location is not always known to the consuming organization and that specific regulations could apply to that location. Therefore, providers should prove that the data is only stored in the geographic locations specified in the SLA or another contract (Carroll et al., 2011). The consumer should evaluate whether compliance with data protection law will be achieved by storing data in this location (Chang et al., 2012). It must be ensured that the providers adhere to requirements specific to the data location, comply with regional laws and regulations, and that these laws and regulations are formally incorporated and documented in governance policies (Carroll et al., 2011). The SLA or other contracts should define the provider's responsibilities regarding adherence to compliance and regulatory requirements on behalf of the organization (Chang et al., 2012).

After adoption, regulatory changes that would affect the consumer's and the provider's operations should be monitored (Chang et al., 2012).

Just as the risks differ between service and deployment models, so do the controls. However, most researchers do not discriminate between these models and only list generic risks and controls. As mentioned previously, Chen and Yoon (2010) list specific areas that should be investigated when auditing a cloud, for each deployment and delivery model. For the private cloud this only entails the establishment of a reporting structure and the development of a disaster recovery and continuity plan. For a community cloud, the tenants should develop an exit strategy and a clear management structure should be established. In their research the private and community cloud do not make use of outsourced IT services; in the case of an outsourced private or community cloud, more risk controls are probably necessary.

In this section the risks of cloud computing and how they can be managed were addressed. The summarized results are shown in Table 11. The next section discusses cloud governance.

Aspect: Results
Risks: A private cloud has fewer risks than a public cloud. Risks can be grouped into: Confidentiality & Privacy, Data control, Availability of data and services, Data integrity, Data encryption, Logical access, Network security, Physical access and Compliance.
Risk management: The process for identifying and managing risks. The process entails identifying assets in the cloud (processes and information), identifying risks and developing risk mitigation strategies.
Risk-reducing controls: To manage cloud risks, SLA and provider requirements should be identified, the SLA and provider should be evaluated or negotiated, internal security must be addressed, availability strategies must be developed, a data classification must be implemented and certain aspects must be monitored.
Table 11: summary of cloud risks and risk management

Corporate, IT & Cloud governance

The previous sections explored the aspects relevant for the evaluation of cloud computing, that is, adopting cloud solutions instead of traditional IT applications. This section discusses cloud governance, the second aspect of this research, which is addressed by the fourth research question. Its three sub-questions are all addressed in this section.

53 Originally, governance is a term which originated from the Greek, and means to govern, steer, devise, guide and control (Ahmed & Janczewski, 2011). Plato was the first one to use this word to describe a system of rules. Corporate governance is the highest level of governance in an organization. The scope of this concept differs between definitions, because they are dependent on the perspective of the author (Babic, 2010). There should be no debate though, on the goal of corporate governance. Within organizations the managers control the key decisions of the corporation, while not owning the company. The subject of corporate governance is how the shareholders, as external stakeholders, control management. Corporate governance mechanisms entail the solution to this problem of separation of ownership and control (John & Senbet, 1998). These mechanisms together, form the system of corporate governance and can be defined as the manner in which companies are controlled and in which those responsible for the direction of companies are accountable to the stakeholders of these companies. (Babic, 2010). Financial suppliers (i.e. shareholders) use these mechanisms for a maximization of their return on investment and fall in two groups, internal to the organization and those external to the organization (Gillan, 2006). The internal mechanisms include ownership concentration, board of directors, management incentives and a multidivisional organizational structure. The external mechanisms refer to the market for control, such as hostile takeovers for a change of top management (Babic, 2010). The board of directors is an important aspect of corporate governance, as they monitor management and have the mandate to hire and fire the senior management team on behalf of the stakeholders (Gillan, 2006). 
The actions of this board are considered enterprise governance and include, besides monitoring management, the overall corporate culture, policy and direction setting (Bird, 2001). While IT governance is commonly seen as a subset of corporate governance (Webb, Pollard, & Ridley, 2006), it is a more ambiguous term, often referring to very different aspects of IT within an organization (Simonsson & Johnson, 2006). What is clear, though, is that its goal differs from that of corporate governance and is mainly focused on optimizing IT (Webb, Pollard, & Ridley, 2006). The ambiguity of the term can be illustrated by elaborating one of the most used definitions of IT governance, that of the IT Governance Institute (2006): IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends. What constitutes these structures and processes is not made very clear and is often interpreted differently by scholars. Some authors who use this definition refer to the processes as strategic decision making processes (Haes & Grembergen, 2005), others to all processes for managing IT within an organization (Ribeiro & Gomez, 2009). The second problem with this definition is that, in the corresponding document, IT governance is described as a process performed by the board and executive management: setting objectives and strategy, directing management and monitoring to what extent the objectives are achieved. This is a sequence of actions, a process, and not a system or framework of structures and processes.

ISACA's COBIT version 5 (2012) possibly provides some insight into the difference between the concept of IT governance and the actions performed by a governing body. According to its evolution of scope (see Figure 15), COBIT 4's processes, which include organizational structures, together form the system of IT governance. This lets management gain control of IT by ensuring that business objectives will be achieved and that undesired events will be prevented, or detected and corrected (Haes, Grembergen, & Debreceny, 2013). The difference with IT management (COBIT 3) is that IT governance also includes a strategic element, such as portfolio management (Grembergen & Haes, 2004). Operational IT governance, such as development processes, is similar to IT management. COBIT 5 adds a governance layer to IT governance, which is referred to as Governance of Enterprise IT (GEIT) (Figure 15). The difference between COBIT 4 and 5 is that the latter also contains governance processes, which deal with the implementation and monitoring of the management processes (Lew, 2013) (Figure 16). So where the IT Governance Institute (2006) tried to capture both the framework of processes and structures and the actions of a governing body under the umbrella of IT governance, ISACA uses different terms.

Figure 15: ISACA's COBIT evolution of scope (Lew, 2013).

Figure 16: the relation between governance and management (ISACA, 2012).

This Evaluate, Direct and Monitor perspective on IT governance is adapted from ISO/IEC 38500, an international standard on the Corporate Governance of IT (ISO/IEC, 2008). The relation between business and management processes and these governance practices is shown in Figure 17. According to ISO/IEC (2008) the governors should do the following:

a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans. (ISO/IEC, 2008)

Figure 17: governance activities of directors (ISO/IEC, 2008).

To make things even more complicated, the popular definition of Ross and Weill (2004) does not refer to any of these aspects. They argue that corporate governance is extended by making use of corporate governance mechanisms for an effective management of IT to achieve organizational goals. They define the concept as "the decision rights and accountability framework for encouraging desirable behaviors in the use of IT" (Ross & Weill, 2004). The need for this framework is to prevent IT managers from handling issues in isolation. By making people accountable for IT, its effectiveness is assumed to improve. However, they do argue this accountability framework should be used in conjunction with specific IT decision making domains or processes. Their perception of IT governance therefore does not differ that much from the vision of Haes and Grembergen (2005) mentioned above, although they emphasize accountability. So there seem to be three different perspectives on IT governance. On one side, there is the perspective of an organizational framework of structures and processes to optimize IT. Some authors scope the processes to strategic decision making processes, others include all IT related processes as are covered by, for example, the ITIL framework. On the other side, it refers to a process performed by the board and top management, who are responsible for this framework and the monitoring thereof, which ISO/IEC (2008) refers to as Corporate Governance of IT. The relation between the two types of governance and traditional IT management is shown in Figure 18, based on the views of Grembergen and Haes (2004), ISACA (2012) and ISO/IEC (2008). The popular governance frameworks of COBIT and ITIL are placed within the figure to show to which type of governance they belong.

Figure 18 (layout):
Corporate Governance of IT: Directors (Board & Top management); oversight of IT; ISO/IEC 38500 and COBIT 5 governance processes; evaluates, directs and monitors IT governance.
IT Governance: Committees, executives & management; processes & structures to manage IT; COBIT 4 / 5 (management processes) and ITIL.
- Operational governance = traditional IT management (e.g. delivery).
- Strategic governance = additional layer to IT management (e.g. portfolio management).

Figure 18: relation between two types of governance and traditional management (ISACA, 2012; ISO/IEC, 2008; Grembergen & Haes, 2004).

Opposing views are not restricted to IT governance. With regard to cloud governance, multiple schools of thought can be distinguished. The first is the SOA (Service Oriented Architecture) governance school (Guo et al., 2010; Linthicum, 2009). SOA governance refers to the controls and processes to enforce and monitor the application of SOA policies (Schepers, 2008). These governance mechanisms are meant to gain control of the cloud services. The authors who support this view assume an organization has many cloud services which are integrated into its Service Oriented Architecture. The second school is that of security.
Ahmed and Janczewski (2010) define cloud governance as the processes and structures for reducing security issues, while Halpert (2011) defines cloud governance as the strategic management of cloud security. This actually refers to information security governance (ISG) for cloud computing. ISG is a subset of IT governance and entails the leadership, organizational structures and processes safeguarding information (Rebollo et al., 2011). The identification of risks and the mitigation plans (i.e. risk management) are part of information security governance, but other aspects can also be included in an organization's ISG approach or strategy. The third school sees cloud governance as the extension of IT governance; that is, all the processes and structures needed to maximize value and minimize risks (Remmé, 2010; ISACA, 2011). As this view also includes processes to enforce and manage policies and covers security, it is the most comprehensive one. However, because multiple views on cloud and IT governance exist, the interviews held in this research also addressed the experts' views on cloud governance. The definition of cloud governance used in this research is therefore discussed in a later section. Table 12 provides an overview of the identified perspectives and the corresponding authors.

Perspective on cloud governance | Author
Cloud governance is similar to Service Oriented Architecture governance | Guo, 2010; Linthicum, 2009
Cloud governance is about securing information and business processes | Ahmed and Janczewski, 2010; Halpert, 2011
Cloud governance is the extension of IT governance: processes and structures | Remmé, 2010; ISACA, 2011
Table 12: the three perspectives on cloud governance and corresponding publications.

This section addressed corporate, IT and cloud governance. The summarized results are shown in Table 13.

Aspect | Result
Corporate governance | Mechanisms for company owners to control management, such as the board of directors and management incentives.
IT governance | Diverse interpretations: (1) how an organization is structured (processes and structures) to maximize value and minimize risks; some only include strategic processes, such as portfolio management, others all processes as are included in, for example, the ITIL framework; (2) an accountability framework for IT related decisions; (3) Evaluate, Direct and Monitor activities that direct the management processes and structures (IT governance), referred to as Corporate Governance of IT.
Cloud governance | Three schools of thought: addressing security; controlling cloud services through SOA governance principles; extending IT governance, i.e. processes and structures to manage cloud solutions.
Table 13: results of literature review on corporate, IT and cloud governance.

4.3. Conclusion

In the literature review the topics of the four research questions were researched. The evaluation aspects and governance of cloud computing were addressed by exploring the business case, the organizational impact, the (management of) risks and corporate, IT and cloud governance through a semi-structured literature review approach.

Business case

The content of the business case for cloud computing, or the steps that need to be performed to develop a business case, were mentioned in whitepapers. In summary, the business case should entail the costs, cons, risks and benefits relative to organizational objectives. The business case for cloud computing is therefore not that different from that for any other IT investment. The organizational impact is part of the business case. It provides a holistic view of the benefits, costs and risks of cloud computing. Two aspects were not elaborated in much detail. According to Raines and Pizette (2010), the enterprise architecture is important, but they did not explain its role in developing the business case. Also, they argued the cloud model is chosen after the business case is developed. This is peculiar, as the benefits and risks differ between cloud models. These aspects will therefore be addressed explicitly in the expert interviews.

Organizational impact

The risks, benefits, cons or costs also include the organizational impact of cloud computing. On this topic, most research has been performed regarding the IT department. The role of IT employees will change, which includes a loss of control and authority. Also, the service management processes, for which ITIL is the de facto standard, security management processes and risk management will be impacted. Little research was found on the impact on other areas of the organization.
More research, such as detailed case studies, is necessary to identify the overall changes of cloud computing with regard to the impact on processes, organizational structure, culture and people.

Risks & Risk management

The area of security is well addressed in scientific literature. Many papers discuss the vulnerabilities, threats and risks of cloud computing, including appropriate risk management responses and controls. Risk management is about the identification and assessment of risks and applying the appropriate risk-reducing controls. Many recommended risk responses were found in literature which can be applied by consuming organizations to reduce the risks of cloud computing. No comprehensive (enterprise) risk management framework specific to cloud computing consumers is proposed in scientific literature, but existing frameworks, such as COSO, can be adapted.

Corporate, IT and Cloud governance

IT governance is still an ambiguous term. Some refer to IT governance as strategic IT related decision making, others to the management of IT or an accountability framework for IT decisions. Another aspect of IT governance, referred to as Corporate Governance of IT by ISO (ISO/IEC, 2008), is the actions of the board and top management regarding directing the IT function, such as the implementation and monitoring of IT management processes. Multiple views on cloud governance also exist. Some opt for a very operational view of enforcing and monitoring policies for cloud services and basically apply SOA governance principles to the cloud services. Others refer to reducing security risks as the main aspect of cloud governance. Finally, the most comprehensive view is to see cloud governance as an extension of IT governance: the structures and processes implemented in the organization need to be extended for the management of the cloud services. Because both IT governance and cloud governance are arbitrary concepts, the definition of cloud governance used in this research also depends on the views of the experts, which are addressed in the next chapter.

5. Expert views on the relevant cloud evaluation aspects and cloud governance

Next to the literature review, cloud computing experts were interviewed on cloud governance and the three aspects relevant for the evaluation of cloud computing: the business case for cloud computing, risks/risk management and organizational impact. Ambiguities and gaps in literature which were relevant for the development of the framework were addressed explicitly. These include the role of enterprise architecture in developing a business case and the precise moment of choosing a cloud model; and, as some view cloud governance to be similar to Service Oriented Architecture (SOA) governance principles, more research was needed on to what extent this is appropriate. This section describes the method that was applied to the interviews, the results and their conclusions.

Method

As the goal of this research is to elicit detailed and complete information on specific topics, holding interviews is the most appropriate data collection method next to the literature review. Five semi-structured interviews were held in this phase with six experts from various companies, as shown in Table 14. The IDs are used to refer to the experts. The experts were selected if they met any of the four criteria:

They had knowledge on the development of a business case for cloud computing.
They had knowledge on the organizational impact of cloud computing.
They had knowledge on the risks of cloud computing and/or how these should be managed.
They had knowledge on the governance of cloud computing.
Expert profession | Organization | Expertise area | ID
Two IT strategy consultants | Consultancy company | IT / cloud strategy | Expert 1
IT strategy consultant | Consultancy company | IT / cloud strategy | Expert 2
Cloud infrastructure consultant | Consultancy company | IT / cloud strategy and cloud infrastructure | Expert 3
Cloud risk manager | Consultancy company | Cloud risk management | Expert 4
Educational cloud project manager | Government agency | Cloud project management | Expert 5
Table 14: cloud computing experts and corresponding IDs.

For the interviews a protocol was used. The complete set of questions is shown in Appendix B. First, the background of this research was explained. Hereafter, five sets of questions were asked to the experts.

1. The experience or work activities of the interviewee regarding cloud computing.
2. The content of a business case and the process of building it, including the role of the enterprise architecture and the different service and deployment models.
3. The impact on the organization, including its processes, people, organizational structure, roles and responsibilities and culture. For comprehensiveness, policies were also addressed.
4. The management of cloud related risks. As the risks of cloud computing were profoundly covered in literature, these were not the main focus.
5. Cloud governance: what does it entail? How does SOA (Service Oriented Architecture) governance apply to cloud computing?

Some interviewees discussed the different subjects by themselves, so there was no need to address them explicitly by asking all the questions. Others were more passive, and the questions were used to guide the interviewee in covering all the subjects. The interviews were recorded with a mobile phone and transcribed afterwards. For the analysis, a qualitative content analysis method was applied (Zhang & Wildemuth, 2009). For each of the categories business case, organizational impact, risks and cloud governance, the main message of each interviewee was extracted, which is shown in Appendix D (interview transcripts are presented in Appendix C). Because the experience of the interviewees regarding the cloud computing subjects differed, not all subjects were addressed in each interview. Also, because of limited time, one risk manager was only asked to address the risk aspect and the content of the business case.

Results

This section presents the results of the expert interviews. Hereafter, the results are concluded by providing a generalized summary of the findings.

Business case

Six of the interviewees addressed the business case aspect of cloud computing, but one of them only addressed the content.
Most of the experts commented on the whole process towards building the business case, as this differs more from traditional IT than the business case itself [Expert 1, 2 and 4]. The business case is seen as the final step of a whole process, to make the benefits of the cloud solution explicit compared to traditional IT [Expert 1, 2 and 3]. This starts as a sourcing alternative to a problem (can we do this cheaper?) or cloud computing is taken as a starting point to look at the current strategy (IT push) [Expert 1, 2 and 3]. Either way, there will be an application or a set of applications for which cloud computing can be a candidate. The candidate applications are based upon an application landscape or enterprise architecture and should fit within the strategy and security policies [Expert 1, 2 and 3]. Some applications cannot be outsourced, for example, while others can without a problem. All of the experts commented on the level of standardization of SaaS applications. This should fit the strategic purpose of the application: is a standard application adequate for the business process? In summary, the business case for cloud computing should be based on the IT strategy of the organization and the service should be closely aligned to the organization's needs [Expert 1, 2, 3 and 5]. Most of the experts also agreed upon the phase in which the deployment or service model is chosen. According to them, the security policies and the IT strategy principles already scope the number of optional cloud formations in an early stage [Expert 1, 2, 3 and 5]. If an organization wants to outsource one application, a SaaS solution would be a valid choice, but IaaS would be something to consider when an organization wants to outsource its whole infrastructure. Most of the time the security principles also determine whether a private cloud is necessary or a public cloud is sufficient. Still, multiple business cases can be developed for different cloud formations [Expert 1, 2, 3 and 5]. Further, it is important to start the process with a suitability or readiness assessment to ensure the organization is ready to move to the cloud. This identifies possible change management costs (such as new processes and training) or it could reveal the organization is not suitable for off-premise cloud computing [Expert 3]. It can be concluded that the most important aspect of the cloud business case is the costs. Three of the interviewees mentioned companies look especially at the financials of the cloud business case [Expert 1 and 4]. For many organizations it is the cheapest option compared to other outsourcing options and traditional IT. Four interviewees argued the organizational impact is very important to take into account [Expert 1, 2, 3 and 5]: the adapted processes, migration issues and the education needs of their employees. Two experts argued that these impacts will be quantified in financial terms, as that is the most decisive factor of the cloud business case [Expert 1 and 4].
Besides the quantitative aspect, qualitative aspects will also be taken into account, such as the strategic benefits, security issues and organizational impacts that are not easy to quantify [Expert 1, 2, 3 and 5]. [Expert 5] argued an important aspect of the business case for him is the flexibility of using applications anywhere and anytime.

Organizational impact

As mentioned in the previous section, the organizational impact is an important factor to take into account in the business case. Most of these aspects are quantified in financial terms, such as new processes that need to be implemented and the new skills the IT department has to develop. Five experts commented on the organizational impact of cloud computing. For the users the changes are negligible, as for them only the functionalities may change [Expert 1 and 2]. Most of the impact is on the IT department, according to the experts [Expert 1, 2, 3 and 5]. Depending on the maturity of cloud adoption (i.e. the level of applications replaced with cloud solutions) and the level of infrastructural support needed (i.e. IaaS vs. SaaS), the IT department will be downsized. For example, [Expert 5] explained all the data centers in the various educational institutions will be redundant when the applications become available as SaaS services from a central educational community cloud. They do not yet have a solution for what to do with the IT employees. The change in the IT department comes together with new service management processes and new roles and responsibilities [Expert 1, 2 and 3]. The process which all the experts mentioned is the management of SLAs. The appropriate SLAs have to be defined and negotiated with the suppliers, including security issues, and it has to be monitored whether these are fulfilled. One interviewee [Expert 3] also addressed the processes which can be seen as security controls (i.e. risk mitigation responses), such as what to do when a provider goes out of business. Two experts addressed the adaptation of ITIL processes, such as the helpdesk and financial, vendor and SLA management [Expert 1 and 2]. The roles and responsibilities should fit these new processes. Important roles are service manager, including SLA manager, and vendor manager [Expert 1]. In a mature SaaS organization the IT role will shift to advising the business on appropriate SaaS applications [Expert 1 and 3]. For some organizations these changes will be enormous; for others, who already have a shared service center and are familiar with SLAs, the impact will be less. Most of the experts argued cloud computing fits within the existing organizational structure, especially if cloud adoption is in an immature stage [Expert 1, 2 and 3]. No cloud team of excellence is needed at this moment for most companies. [Expert 5] expected, though, that when the whole IT is centralized there will be a central cloud board. The opinions on the necessary policies vary between the experts. According to one expert the policies are in most cases already present in the organization [Expert 2]. The cloud solutions have to comply with these policies, such as the Quality of Service (QoS) and security policies, but they do not need to be developed specifically for cloud computing.
Exceptions are the policies for reducing risks, such as audits [Expert 2]. For the educational community cloud, the policy makers are evaluating multiple policies regarding, amongst others, the procurement of IT services by the institutions [Expert 5]. The other experts did not have explicit ideas for necessary policies. Finally, regarding organizational culture, [Expert 2] thinks service management will become more formal, as a cloud client-provider relationship demands more professionalized change management and portfolio management. [Expert 3] mentioned cloud computing comes together with a more innovative organizational culture of working everywhere and anywhere (i.e. the new way of working). Organizations with this kind of culture will be more eager to adopt cloud computing.

Risks & Risk management

Because the risks, vulnerabilities and security issues of cloud computing were already extensively covered in literature, the focus was on the management of risks and whether a risk management framework, such as COSO, needed to be implemented. Six experts commented on the risk aspects, but most of them were not very familiar with this subject.

[Expert 1 and 3] mentioned that auditing moves towards monitoring certifications. This leads to a problem, though, as these may be inaccurate: it is not always clear which security controls were audited for a specific certification. It is therefore important that the security controls of the provider are evaluated [Expert 1 and 3]. No new risk management framework is needed, except that the impact of some cloud related risks needs to be adjusted, as they are more intensive than for traditional IT [Expert 1 and 3]. [Expert 4] is a risk manager and very familiar with the management of risks of cloud computing. According to him too, no new risk management framework is needed and internal audit teams need to trust the certification of the suppliers. A cloud specific certification is in development in the industry. The expert explained the process of how cloud risks are managed. An external party goes through the risks identified by the CSA and ENISA together with the provider and the customer. After adoption, the clients depend on external certification or logs, such as those produced by CloudAudit (i.e. on-demand compliance logs). Most organizations do not perform the audits at the supplier's site themselves, because of the costs, and many suppliers are reluctant to allow them.

Cloud governance

[Expert 2] views cloud governance as the decision making structure around the cloud investments and therefore follows the view of Ross and Weill (2004) of IT governance being an accountability framework. However, according to most of the experts, cloud governance is about ensuring the application fits the business needs, risks are mitigated and the SLA and providers are managed [Expert 1, 3 and 5]. [Expert 3] provided the most detailed description of cloud governance.
According to him it is about the business case, a readiness assessment, composing, managing and monitoring the SLAs, evaluating the provider, monitoring whether the service still fits the needs of the organization and ensuring proper security. [Expert 5] provided a similar, but more abstract, opinion. According to him it is about strictly aligning the service to the needs of the organization and institutions, ensuring security, and complying with the agreements and policies. [Expert 1] argued you won't steer the organization in a different way, but that it is important to manage risks and to assess whether the standard SaaS packages fit within the architecture. In summary, according to the experts the most important aspect of cloud computing is to align the service with the organization's needs and to manage the risks through establishing and monitoring the SLAs, although this is not interpreted as cloud governance by all experts. SOA tools and governance mechanisms such as repositories or automatic monitoring of SLAs are not necessary when adopting a cloud solution [Expert 1, 2, 3 and 5]. Cloud computing does fit within a Service Oriented Architecture and could be governed accordingly, but not the other way around [Expert 2]. Adopting a cloud solution does not mean a Service Oriented Architecture is implemented [Expert 2].

5.3. Conclusion

Five interviews were held with six experts as input for the development of the framework in this research. The expertise on the subjects varied between the experts and not all of them commented on all the subjects. The opinions of the experts were not always in agreement. However, based on the most common opinions some general conclusions could be drawn. Regarding the business case, the most decisive aspect seems to be the costs. For an accurate cost calculation, the impact on the organization should be taken into account, such as training of employees. The content of the business case also contains qualitative aspects, such as the risks and strategic benefits. The business case itself should be built according to the IT strategy and business needs. An enterprise architecture or an application landscape should provide insight into the candidate applications for outsourcing to the cloud. An important aspect is whether the level of standardization fits within the IT strategy of the organization. Further, a readiness assessment is done in practice to evaluate whether an organization is ready to move to the cloud. Multiple business cases can be developed for different cloud formations (i.e. deployment and service model), but in an early stage the security and enterprise architecture principles already narrow these down to a smaller set of formations. Cloud computing mostly impacts the IT department. Based on the level of cloud maturity, i.e. the number of applications moved to the cloud, the IT department can be downsized. The ITIL-kind of processes will also be impacted. Especially SLA management will become important. The new roles and responsibilities should fit these adaptations. There is no need for a new organizational decision making structure at this moment, when cloud computing is in its initial stage. When the adopted cloud architecture is more complex this could be different.
Most of the experts did not have deep knowledge on the topic of cloud risks and risk management. They agreed, though, that there is no need for a new risk management framework for cloud computing. Existing methodologies used in the company can be applied to identify risks. One expert was a cloud risk manager and pointed out that his company identified risks and risk mitigation strategies together with the provider and the consumer. Further, auditing moves towards evaluating and monitoring certificates and compliance logs. Whether called cloud governance or not, the most important things to deal with when adopting cloud are to ensure proper strategic alignment, to establish and monitor SLAs and to ensure risks are managed. At the moment, in an initial stage of cloud adoption, there is no need for SOA-kind of governance tools.

The summary of the generalized conclusions is shown in Table 15. In the next chapter, the information collected through the literature review and the expert interviews is analyzed in order to answer the four research questions.

Aspect | Generalizable result
Business case | Cost is the most decisive factor. Qualitative factors include strategic benefits, security issues and organizational impact. The need for cloud comes as a sourcing alternative or when the trend of cloud is researched. For a specific application a model is chosen and in the business case the solution is compared to traditional IT. The enterprise architecture or application landscape should reveal the appropriate applications. They should conform to strategy and security policies. Cloud models are in most cases predetermined.
Risks | No new risk management framework is needed. Risks should be identified and risk mitigation strategies should be developed together with the provider. Auditing moves towards monitoring certifications (compliance logs).
Organizational impact | Most impact on the IT department; it can be downsized and roles change. ITIL-kind of processes need to be adapted or implemented. No need for a new decision making structure.
Cloud governance | SOA governance tools are not needed. Cloud governance should involve strategic alignment, establishing and monitoring SLAs and ensuring risks are being managed.
Table 15: summary results expert interviews.

6. Synthesis between literature and expert views

This chapter deals with the analysis of the information gathered from the literature review and the expert interviews. Each of the research questions will be answered, based on the conclusions which have been made regarding the corresponding aspects in literature and the interviews.

6.1. Business case

In the literature section the content of the cloud business case was addressed. Also, cost calculation methods and the benefits of cloud solutions were researched. The expert interviews mostly addressed the process of building a business case and its content. Combined, the first research question can be answered.

RQ1: How can a business case be developed for cloud computing?

From literature it can be concluded that the business case includes the hard and soft benefits, the risks, cons and the organizational impact. The views of the experts correspond to this. The interviews also addressed the preceding steps which are performed before the business case is built, as the business case for cloud computing is not that different from that for other IT investments [Expert 1 and 2]. First, a readiness assessment should determine whether the organization can adopt an off-premise cloud solution, which includes evaluating the organization's culture, IT processes and capabilities [Expert 5]. Online questionnaires could be used for this assessment, such as that of EMC ("EMC Readiness", n.d.). Hereafter, the service should be defined. The service should comply with security policies (can the data and the process go into the cloud?) and it should fit in the strategy and architecture. An example is the standardized nature of SaaS applications. Strategic processes which need custom applications are therefore not suitable to be supported by SaaS applications [Expert 1, 2, 3 and 5]. Although not addressed by the experts, it is also important to take into account the network performance of the organization (Carroll et al., 2011).
Some critical applications may need a better performance than the organization's network allows. After the service is defined, the model is chosen. These are in most cases predetermined by the strategic intent (infrastructure outsourcing vs. applications) and security policies (private vs. public) [Expert 1, 2, 3 and 5]. Still, multiple business cases can be developed to compare the cloud models [Expert 1, 2, 3 and 5]. Based on the business case, an organization decides to adopt a cloud solution instead of using traditional IT or other forms of outsourcing [Expert 1, 2, 3 and 5]. In literature, the benefits of cloud computing and cost calculation methods were also addressed. The benefits of cloud computing can be grouped into cost reduction, strategic and technical benefits. While costs seem to be in practice the most important benefit, flexibility is, at least for [Expert 5], an important benefit. For calculating costs, the Total Cost of Ownership (TCO) approach should be applied and to assess quantified benefits, an NPV or ROI metric may be used. It is important when identifying costs to take into account the migration, training and configuration costs [Expert 1]. The above findings are shown in Table 16.

Business case content
  Literature view: Soft benefits, hard benefits (cost savings), risks, cons and organizational impact. The benefits must be based on business goals or objectives.
  Experts view: Cost is the most decisive factor, but also included are (strategic) benefits, risks and organizational impact.
  Synthesis: The business case includes soft and hard benefits, cons, risks and organizational impact. The benefits should be based on business goals and drivers.
Business case development process
  Literature view: Only ISACA (2011) covered the development of the business case: goal setting, identifying benefits, costs and risks, developing the business case. Network performance of the organization should be adequate for the service.
  Experts view: Covered a broader scope. It starts with a readiness assessment, then defining the service (which should comply with EA and security policies), and then the model is determined. As a final step a business case is developed in which the cloud solution is compared to traditional IT.
  Synthesis: It starts with a readiness assessment, then defining the service (which should comply with EA, network performance and security policies), and then the model is determined. As a final step a business case is developed: the benefits, risks, organizational impact and costs are determined.
Cost calculation method
  Literature view: The TCO approach must be applied to cover all possible costs, such as migration costs and support staff.
  Experts view: Not addressed, but important to take into account are migration, training and configuration costs.
  Synthesis: The TCO approach must be applied to cover all possible costs, such as migration, configuration and training costs.
Benefits
  Literature view: Strategic, cost reduction and technical benefits. For assessing the quantified value, an ROI or NPV metric may be used.
  Experts view: Not addressed explicitly, but cost is the most important benefit. Flexibility is also a reason to adopt cloud.
  Synthesis: Strategic, cost reduction and technical benefits. For assessing the quantified value, an ROI or NPV metric may be used.
Table 16: summary synthesis for cloud computing business case.

6.2. Organizational impact

Literature was researched regarding the changes on people, structure, processes and culture. The same aspects were covered by the expert interviews, but policies were also included for comprehensiveness. The second research question can be answered.

RQ2: What is the impact of cloud computing on an organization?

Most of the literature regarding the organizational impact of cloud computing was about the IT department. Fewer IT employees are needed as infrastructure moves out of the organization, and their roles change to managing services and contracts. As the business can bypass IT when procuring services, their authority may be reduced. Not much research was done on changes outside of the IT organization, but cloud computing provides new opportunities for all employees, the accounting department must get used to renting services instead of buying them and existing non-IT business processes may be impacted.
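The business case calculation from section 6.1 (a TCO that includes migration, training and configuration costs, then an NPV or ROI metric to compare the cloud solution with traditional IT), carried through as an added Python example. It is not part of the thesis; the cost items, amounts, five-year horizon and 8% discount rate are constructed assumptions.

```python
"""Worked cloud business case: TCO, NPV and ROI of a cloud solution versus traditional IT.

Added example with constructed figures; the cost items, amounts, horizon and
discount rate are assumptions, not data from the thesis.
"""
from dataclasses import dataclass


@dataclass
class SourcingOption:
    """One sourcing alternative with one-off (year 0) and recurring (yearly) costs."""
    name: str
    one_off: dict   # e.g. migration, training, configuration, hardware purchase
    annual: dict    # e.g. subscription, support staff, hosting, maintenance

    def yearly_cashflows(self, years: int) -> list:
        """Cost cashflows as negative amounts: index 0 is now, index t is end of year t."""
        return [-sum(self.one_off.values())] + [-sum(self.annual.values())] * years


def tco(option: SourcingOption, years: int) -> float:
    """Total Cost of Ownership over the horizon: all one-off plus all recurring costs."""
    return -sum(option.yearly_cashflows(years))


def npv(cashflows: list, rate: float) -> float:
    """Net present value: the cashflow of year t is discounted by (1 + rate) ** t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def compare(traditional: SourcingOption, cloud: SourcingOption,
            years: int, rate: float) -> dict:
    """Compare the cloud solution with traditional IT, as the business case does."""
    trad_cf = traditional.yearly_cashflows(years)
    cloud_cf = cloud.yearly_cashflows(years)
    # Saving in each year = what traditional IT would have cost minus the cloud cost
    savings = [c - t for t, c in zip(trad_cf, cloud_cf)]
    # The one-off cloud costs (migration, training, configuration) are the investment
    investment = sum(cloud.one_off.values())
    total_saving = tco(traditional, years) - tco(cloud, years)
    return {
        "tco_traditional": tco(traditional, years),
        "tco_cloud": tco(cloud, years),
        "npv_savings": round(npv(savings, rate), 2),
        # ROI: undiscounted saving over the horizon relative to the one-off investment
        "roi": round(total_saving / investment, 2) if investment else None,
    }


# Constructed sample figures (EUR), not taken from the thesis
TRADITIONAL_IT = SourcingOption(
    "traditional IT",
    one_off={"hardware_purchase": 60_000},
    annual={"maintenance": 15_000, "support_staff": 80_000, "hosting": 10_000},
)
CLOUD_SOLUTION = SourcingOption(
    "SaaS solution",
    one_off={"migration": 25_000, "training": 8_000, "configuration": 12_000},
    annual={"subscription": 60_000, "support_staff": 25_000, "bandwidth": 5_000},
)


def run_business_case() -> dict:
    """Five-year comparison at an assumed 8% discount rate."""
    return compare(TRADITIONAL_IT, CLOUD_SOLUTION, years=5, rate=0.08)


if __name__ == "__main__":
    for key, value in run_business_case().items():
        print(f"{key}: {value}")
```

Leaving the migration, training or configuration items out of `one_off` lowers the cloud TCO and inflates the ROI, which is why the synthesis insists on including them.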

Cloud adoption frameworks provided some insights into the processes which need to be implemented. These fit in the scope of the ITIL framework (service management), such as continuous service improvement, incident management and provider management. Jansen (2010) concluded that all the processes of the ITIL framework can be used for delivering cloud solutions, but they need to be adapted. Also, Mather et al. (2009) presented the security management processes which need to be implemented for cloud solutions and, as covered in the risk section, a risk management process is important for reducing risks. The views of the experts correspond to the findings in literature that the biggest impact is on the IT department. Fewer IT employees may be needed, they gain new roles of managing services and providers and ITIL-like processes must be implemented, such as SLA, financial and provider management [Expert 1, 2, 3 and 5]. Further, according to the experts, no changes need to be made regarding the decision making framework [Expert 1, 2 and 3]. [Expert 5] mentioned, though, that a central cloud board may be needed when the whole infrastructure is centralized. While some information was found in literature on the impact of cloud computing outside the IT department, the experts did not have a strong opinion on this subject. [Expert 3] mentioned that the functionalities may be different for end-consumers when SaaS is adopted, as it is often a standard product. Further, existing systems may be impacted because of integration requirements [Expert 1]. The culture within the organization does not seem to be impacted by cloud computing, but cloud computing comes together with a culture of working anywhere and everywhere [Expert 3] and it may lead to a more formal provider management [Expert 2]. It can be concluded that the actual impact of cloud computing on the culture is negligible. The same applies to the policies, which were addressed by the expert interviews.
In normal public clouds, these seem to be restricted to security related ones, such as for privacy (data movement) and audits [Expert 3]. In a large educational community cloud, policies for procuring services will become critical [Expert 5]. The summary of this analysis is shown in Table 17.

People: IT department
  Literature view: Fewer IT employees needed. New roles and responsibilities. Possible reduction of authority, as the business can bypass IT.
  Experts view: Most impact. Fewer are needed and new roles and responsibilities; towards managing contracts and providers.
  Synthesis: Fewer IT employees needed. New roles and responsibilities. Possible reduction of authority, as the business can bypass IT.
People: outside IT department
  Literature view: New possibilities for doing work and the accounting department must get used to renting IT services.
  Experts view: Not much difference: cloud is a technical issue.
  Synthesis: New possibilities for doing work and the accounting department must get used to renting IT services.
Structure
  Literature view: New roles and responsibilities.
  Experts view: New roles and responsibilities. No new decision making structure, except when everything is centralized.
  Synthesis: New roles and responsibilities. No new decision making structure.
Processes
  Literature view: Service & security management processes. Risk management process. Existing non-IT processes may be impacted.
  Experts view: ITIL-like processes must be implemented. Non-IT processes may be impacted because of the standardized nature of SaaS.
  Synthesis: Service & security management processes. Risk management process. Existing non-IT processes may be impacted.
Culture
  Literature view: -
  Experts view: Cloud comes with working everywhere and anywhere and it may lead to a more formal provider management.
  Synthesis: Insignificant.
Policies
  Literature view: Not addressed.
  Experts view: Are already in place; no new policies for cloud, except for security issues. In an educational community cloud, policies are important.
  Synthesis: Negligible.
Other
  Literature view: -
  Experts view: Systems may be impacted, because of the standardized nature of SaaS.
  Synthesis: Systems may be impacted, because of the standardized nature of SaaS.
Table 17: summary synthesis organizational impact of cloud computing.

6.3. Risks & risk management

Much literature was found on the risks of cloud computing and some on the management of them. Only one expert was really knowledgeable on this topic, but two others also provided input. The third research question will be answered.

RQ3: What are the risks of moving to the cloud and how can they be managed?

The risk aspect of cloud computing is extensively covered in scientific literature. Off-premise cloud computing brings additional security risks compared to traditional IT, and public cloud computing is more risky than a private cloud (off- and on-premise). The risks can be grouped into the following categories: Confidentiality & Privacy, Data control, Availability of data and services, Data integrity, Data encryption, Logical access, Network security, Physical access and Compliance. Another, less technical, grouping is done by ENISA (2009). According to them, cloud computing risks can be grouped into Organizational, Technical and Legal risks. Risk management is the process of identifying these risks and developing appropriate strategies to mitigate them. This is based on the assets in the cloud (processes and data) and the cloud model (delivery and deployment). For cloud computing an important part is to evaluate the provider and SLA according to risk-reducing requirements, such as data location and a third-party audit clause.
Further, internal security controls must be implemented, availability risk strategies must be established (e.g. an exit strategy) and certain aspects must be monitored, such as the compliance logs of the provider. Further, an organization must establish a data classification scheme to identify appropriate applications to put in the cloud. [Expert 5] commented on the process of managing risks. The cloud provider and consumer both assess the risks of cloud computing and come up with risk management strategies. When the solution is operational, compliance logs are monitored. [Expert 1 and 3] also mentioned that auditing moves towards monitoring logs and certifications. This corresponds to the findings in literature and fits within the high-level risk-reducing control of monitoring. The summary of the analysis is shown in Table 18.

Risks
  Literature view: Off-premise cloud computing brings additional risks. They can be grouped into Organizational, Technical and Legal risks.
  Experts view: Risks not addressed.
  Synthesis: Off-premise cloud computing brings additional risks. They can be grouped into Organizational, Technical and Legal risks.
Risk management
  Literature view: The process of identifying cloud risks and risk-reducing controls. The risks are based on the assets in the cloud and the cloud model.
  Experts view: Provider and consumer both assess risks and risk mitigation strategies.
  Synthesis: The process of identifying cloud risks and risk-reducing controls, preferably performed together by provider and consumer. The risks are based on the assets in the cloud and the cloud model.
Risk-reducing controls
  Literature view: Can be grouped into the high-level activities of setting SLA and provider requirements, evaluating the SLA and provider, internal security, monitoring and a data classification scheme.
  Experts view: Auditing moves towards monitoring logs and certifications.
  Synthesis: Can be grouped into the high-level activities of setting SLA and provider requirements, evaluating the SLA and provider, internal security, monitoring and a data classification scheme.
Table 18: summary synthesis risks and risk management of cloud computing.

6.4. Cloud governance

While the previous elements were relevant in assisting managers evaluating cloud computing, a second aspect of this research is cloud governance. To define this concept, both literature and expert views were taken into account. This leads to answering the fourth research question:

IV. How does governance apply to cloud computing?
  4.1. What is governance?
  4.2. Which perspectives on cloud governance can be identified?
  4.3. Which view(s) on cloud governance is (are) the most relevant and therefore the most appropriate perspective(s) for the framework developed in this research?
  4.4. What does the relevant perspective(s) on cloud governance entail?

In literature, the concept of governance was addressed and researched.
Governance means to steer. On a corporate level, governance entails mechanisms which ensure management acts on behalf of the owners, and includes the board of directors and management incentives. IT governance is a more ambiguous term. The level of this steering differs between perspectives. A commonly used definition describes IT governance as leadership, processes and structures. But the interpretation of these processes differs between authors. Some include only strategic decision making processes, others all processes to manage and control IT. Further, IT governance can be explained as an accountability framework and a process performed by directors, who implement and monitor these processes and structures. The latter view is referred to as Corporate Governance of IT by ISO/IEC (ISO/IEC, 2008) instead of IT governance. Cloud governance is also a concept which is viewed in multiple ways. One view is of it being similar to Service Oriented Architecture (SOA) governance. Another perspective is cloud governance being all about securing information and business processes. Lastly, it is seen as the processes and structures to manage cloud solutions. The experts agreed that security is one of the most important aspects of cloud adoption and that SOA governance mechanisms (such as repositories) are overkill [Experts 1, 2, 3, and 5]. The view of cloud governance being an extension of IT Governance (processes and structures) is relevant for this research, as the goal is to approach the governance of cloud solutions in a broader way than solely security. Therefore, in this research cloud governance is seen as the processes and structures which need to be implemented and the risk-reducing controls which should be applied to reduce risks. This leads to the following definition:

Cloud governance is the framework of processes, structures and risk-reducing controls for maximizing the cloud solution's value and minimizing its risks.

The input for cloud governance overlaps with that of the previous research questions. The risk-reducing controls were already identified, as were the processes and structures. In the organizational impact section it was concluded that service, security and risk management processes must be implemented and that no new decision making structure is needed. This definition refers to cloud governance as being a framework or system and not to the process of governing (Evaluate, Monitor & Direct), as Figure 18 (section 4.2.4) visualizes. Some literature findings and expert comments provided a process-oriented view of cloud governance. These actions fit within the Evaluate, Direct and Monitor activities and are shown in Table 19.
Evaluate: before governors direct the organization they evaluate stakeholder needs and the use of IT in the organization (ISO/IEC, 2008). As cloud processes aren't implemented for no cause, it is therefore assumed top management first evaluates whether cloud computing is of value to the organization. [Expert 1, 3 and 5] commented on the governance activity of ensuring cloud solutions are aligned to business needs, including the readiness assessment and evaluating the business case [Expert 1]. Speed (2011) also argued that developing and evaluating the business case is a top management governance activity.

Direct: the direct phase entails providing management direction and implementing governance mechanisms through policies and plans (ISO/IEC, 2008). [Experts 1, 3 and 5] argued that ensuring risks are managed is an important governance activity. Further, other cloud governance mechanisms are the processes which need to be implemented, and an adoption project must be started to actually adopt cloud solutions and manage the risks.

Monitor: the monitor activity of IT governance ensures the governance mechanisms are effective and performance corresponds to the plans (ISO/IEC, 2008). For cloud computing, top management governance activities are to monitor KPIs, the SLA (Chang et al., 2012; Shimba, 2011) and to ensure the business requirements are still fulfilled (Conway & Curry, 2012) [Expert 3].

Evaluate
  Corporate Governance of IT: Before governors direct the organization they evaluate stakeholder needs and the use of IT in the organization (ISO/IEC, 2008).
  Cloud governance activity: Readiness assessment [Expert 1]. Organizational needs (business case, architecture) [Expert 1, 2 and 3] (Speed, 2011).
  Description: Cloud is evaluated according to organizational needs. This includes a readiness assessment and the development and evaluation of a business case.
Direct
  Corporate Governance of IT: The direct phase entails providing management direction and implementing governance mechanisms through policies and plans (ISO/IEC, 2008).
  Cloud governance activity: Ensure risks are managed and security is ensured [Expert 1, 3 and 5].
  Description: Implement cloud governance (manage risks and implement processes) and adopt cloud.
Monitor
  Corporate Governance of IT: The monitor activity of IT governance ensures the governance mechanisms are effective and performance corresponds to the plans (ISO/IEC, 2008).
  Cloud governance activity: Monitor SLA [Expert 1] (Chang et al., 2012). Monitor whether the solution fulfills business needs [Expert 1]. Monitor KPIs (Chang et al., 2012; Shimba, 2011).
  Description: Monitor the value and performance of the cloud solution.
Table 19: literature and expert findings on Corporate Governance of IT for cloud computing.

How cloud governance, as defined in this research, fits in IT governance and Corporate Governance of IT is shown in Figure 20. Cloud governance is seen as a subset of IT Governance (processes and structures). Both IT and cloud governance are governed by directors through Monitor, Evaluate and Direct activities, as outlined by ISACA (2012) and ISO (ISO/IEC, 2008).

Figure 20 (diagram): the relation of cloud governance to other types of IT related governance. Layers shown: Corporate Governance of IT (directors: board & top management; oversight of IT: Evaluate: evaluate cloud computing (readiness & business case); Direct: implement cloud governance (processes and risk-reducing controls); Monitor: monitor value of cloud (SLA, KPIs, business requirements)); IT Governance (committees, executives & management; processes & structures to manage IT); Cloud governance (processes & structures; risk-reducing controls).

The summary of the analysis regarding cloud governance is shown in Table 20.

Cloud governance
  Literature view: Cloud governance as security; as processes and structures; as SOA governance. Corporate governance of IT directs IT Governance.
  Experts view: Cloud governance as decision making framework; as strategic alignment and risk reduction. SOA governance mechanisms not needed. Security is the most important aspect of cloud adoption. Some comments fit in the process of governing, including evaluating the business case and monitoring business requirements.
  Synthesis: Cloud governance is security (controls) + the IT governance view (processes and structures). Cloud governance consists of service, security and risk management processes and the risk-reducing controls which were identified in literature. Evaluate, Direct and Monitor activities govern cloud governance.
Table 20: summary synthesis cloud governance.

6.5. Conclusion

In this chapter the four research questions were answered by synthesizing the findings in literature and the views of the experts. With regards to most aspects, the two views did not contradict, but were complementary. For the cloud business case, the literature review addressed the content of the business case, cost calculation methods and the benefits, whereas the interviews mostly conveyed the activities towards building the business case. General conclusions have been made on the content of the business case, calculating costs, the benefits and the process of building the business case. Both literature and the experts correspond on the finding that the biggest impact of cloud computing is on the IT department. The roles of IT employees shift towards managing contracts and providers, ITIL-like processes must be implemented which correspond to these roles, and as IT infrastructure is outsourced, fewer employees are needed. General conclusions have been made regarding the impact on processes, people, organizational structure, culture and policies. An interesting finding is that no new decision making structure is needed. The literature review addressed cloud security, privacy and compliance risks and the controls to manage them. The experts were not very knowledgeable on this topic, but their comments did not contradict literature: auditing moves towards monitoring certificates and compliance logs. General conclusions have been made regarding the risks, risk management (the process) and the controls to mitigate risks. Based on the perspectives identified in literature on cloud governance and the views of the experts, cloud governance was defined. One notable finding of the expert interviews was that SOA (Service Oriented Architecture) governance is not very relevant to cloud computing. Cloud governance as a framework consists of security, service and risk management processes and the controls to mitigate risks.
A different layer of governance is the activities of top management directing the IT and cloud governance framework, through evaluation (adopt cloud?), directing (implement cloud governance) and monitoring (cloud solution successful?) activities. Based on the findings in this chapter, an initial cloud evaluation and governance framework is developed. The development of this framework is discussed in the next chapter.

7. Development of the initial framework: version 1.0

Based on the synthesis between the findings in literature and the expert interviews, a framework was developed. Its aim is to assist higher management with the evaluation and governance of cloud computing. In this version of the artefact, the two research aspects of assisting higher management with the evaluation of cloud computing and providing them an overview of cloud governance are combined in one framework, consisting of a model and a corresponding table. This will be elaborated in the next section. Hereafter, the requirements and the development of the framework are discussed, and finally the model and table are presented.

7.1. One integrated framework

The two research aspects of cloud governance and cloud evaluation overlap. Based on the conclusions made in section 6.4, top management implements processes and manages risks through evaluating, directing and monitoring activities. In the first governance activity, they evaluate cloud computing. For this activity, the other research aspect comes into play. By providing assistance on the business case, organizational impact and risks, this top management activity can be supported. This is visualized in Figure 21. How these two research aspects are integrated into one framework is discussed in the next section.

Figure 21 (diagram): the top management activity Evaluate for governing cloud governance is supported by the evaluation aspects. Cloud governance aspect: top management activities (evaluate, direct & monitor) governing cloud governance (risk-reducing controls & processes). Evaluation aspect: evaluating cloud computing, supported by information on the business case, organizational impact & risks.

7.2. Framework requirements

The goal of the artifact is to assist higher management with the evaluation of cloud computing, by providing information on the business case, organizational impact and risk aspects of cloud computing, and to provide insights into governance for cloud computing. To provide the context for cloud governance and to provide assistance to actually implement it, the corresponding top management activities need to be shown, which were discussed in section 6.4. This leads to the following requirements:

- Integrate and provide information on the business case, organizational impact and risk aspects of cloud computing.
- Provide insights into the necessary processes and risk-reducing controls through a high-level overview.
- To provide a context for cloud governance, top management / governance activities (Monitor, Evaluate and Direct) must be depicted.

The governance element of the framework is considered to be the most suitable for modeling, that is, abstracting reality to provide higher management an understandable, bird's-eye view on something as complex as cloud governance. The evaluation aspects (business case, organizational impact and risks) are considered to be more like information sources, which can be presented as plain text. The elements of the governance model must be elaborated, though. To prevent information overload, a one-sheet table should suffice for elaborating the governance elements and presenting information on the business case, organizational impact and risks. The management of risk is part of cloud governance, which can also be taken into account when evaluating the cloud solutions.

- The high-level model should be complemented with a one-sheet table containing information about the governance elements of the model and, to assist the evaluation of cloud computing, on the organizational impact, business case and risks.
Literature pointed out that a private, on-premise cloud is often perceived by scholars as very similar to traditional IT. Many security controls do not apply to this model. Therefore, a governance framework like COBIT (ISACA, 2011) has scoped cloud computing to off-premise solutions. In this research the same scoping is applied, which leads to the following requirement:

- The framework and model will focus on off-premise cloud computing and will therefore not take into account the differences in risks for on-premise cloud computing.

The goal of the framework is to foster cloud adoption, that is, organizations starting a cloud initiative. The framework is therefore also scoped to a single cloud solution; enterprise-wide governance (multiple cloud computing initiatives) is not taken into account.

- The framework will focus on one cloud initiative and will therefore not take into account enterprise-wide governance.

Finally, a whole new framework is developed, as existing ones are not considered adequate to serve as a foundation or basis. The analysis of the existing frameworks, as discussed in section 3.4 (background chapter), can be found in Appendix L.

- A whole new cloud governance and evaluation framework needs to be developed, as existing cloud evaluation and cloud governance frameworks are not considered to be an adequate basis.

How the elements of the framework relate to each other is shown in Figure 22.

Figure 22 (diagram): how the elements of the framework relate to each other. Research aspect "Evaluation" (assist higher management with the evaluation of cloud) maps to the artefact "Table" (providing information on the business case, organizational impact and risks; elaborating the cloud governance model elements). Research aspect "Cloud governance" (provide higher management insights into governance for cloud computing) maps to the artefact "Cloud governance model" (governance / top management activities implementing cloud governance).

7.3. Cloud governance model high-level design

As was mentioned in the previous section, the cloud governance aspect is modelled in a graphical overview. This section deals with the high-level overall design. Cloud governance in this research is seen as the processes which need to be implemented for managing cloud solutions and the risk-reducing controls which need to be applied (section 6.4). Another layer of governance was also identified, which deals with the implementation of cloud governance. These top management activities of Evaluate, Monitor and Direct will be the focus of the model, as they provide the context for implementing the processes and managing risks. The four top management activities are shown in Figure 23.

Figure 23 (diagram): depicting the top management / governance activities: Evaluate cloud computing; Implement processes; Manage risks & adopt cloud; Monitor value / value assurance.

These top management activities are responsible for cloud governance: processes and risk-reducing controls. The processes are implemented in the second activity and the management of risks is done through the third activity, as oversight on the cloud project. To show how the risks are managed, the identified risk-reducing controls are shown in the middle. The controls have a red background, just like the third activity which is responsible for these controls. The adoption project is shown to clarify when the risk-reducing controls should be applied. The high-level design is shown in Figure 24.

Figure 24 (diagram): high-level design of the cloud governance model, structured by the Evaluate, Direct and Monitor activities.

7.4. Cloud governance model detailed design

The previous section presented the high-level design of the cloud governance model. The detailed content of these elements is based on the general conclusions which were made in chapter 6. The top management activities consist of several sub-activities. When evaluating a cloud solution, a readiness assessment must be performed and the business case is developed and evaluated. When cloud solutions are considered to be valuable to the organization, the necessary service, security and risk management processes are implemented. Hereafter, a cloud adoption project must be implemented and cloud risks need to be managed. The management of risks consists of four high-level groupings of controls which each correspond to a certain phase of the cloud adoption project. Appendix A shows to which phase of the adoption project the controls apply. The phases are based on the ones identified by Conway and Curry (2012), who developed a cloud adoption framework (see section 3.4). Some phases are adapted for a better fit to the controls or because of space issues in the model. In the Planning phase, service and provider requirements (e.g. data center location, performance metrics, necessary security controls) are identified. Hereafter, when Engaging with a provider, the service and provider are evaluated according to the requirements (e.g. data location) or the SLA is negotiated. When the organization Implements the cloud solution, internal security should be addressed. This includes, amongst others, network security. Availability-risk reducing strategies need to be developed, some in conjunction with the provider. Controls which are part of this category are, amongst others, an exit strategy and a plan to deal with provider outages. These activities are performed when engaging with the provider, as some security management processes (e.g. incident management) and risk management strategies (e.g. a strategy for outages) should be developed together with the provider (CSA, 2011). Finally, when the service is Adopted or operational, several aspects must be monitored, including the SLA, compliance requirements and data movement. Further, a data classification must be implemented to ensure no privacy-sensitive data is put in the cloud and to monitor data movement. This should be implemented before the adoption project is started, as the selection of the cloud candidate applications depends on this control. These high-level groupings of controls are shown in the model. In the middle, the sub-controls of Monitoring are depicted. These processes and risk-reducing controls together form cloud governance. When the service is adopted, a top management activity is to ensure the value of the solution is achieved. This includes monitoring whether the service still fulfills business requirements, whether the SLA is complied with, and Key Performance Indicators (KPIs), such as costs.
Table 21 shows how the information described above is visualized in the model and the references to the corresponding sections in the thesis. The detailed design of the model is shown in Figure 25.

Model aspect: Top management / governance activities
  Description: Responsible for cloud governance. Evaluate: evaluate cloud computing. Direct: implement processes. Direct: manage risks and adopt cloud solution. Monitor: monitor value of cloud governance and solution.
  Thesis section: 6.4
  Visualization in the model: four colored areas.

Model aspect: Cloud governance: processes
  Description: service management, risk management and security management.
  Thesis section: 6.2; 6.3; 6.4
  Visualization in the model: part of the Implement processes and roles and responsibilities area (green).

Model aspect: Cloud governance: risk-reducing controls
  Description: Planning phase: determine SLA and vendor requirements. Engage phase: evaluate provider and SLA and negotiate SLA. Implement phase: implement internal security controls and develop availability plans. Adopted: when the service is operational, several aspects must be monitored.
  Thesis section: 6.3; 6.4; 7.3
  Visualization in the model: part of the Adopt and manage risk area (red); the security controls (red controls in the middle). The adoption project is shown to make clear when the controls need to be applied.

Table 21: elements of the model and references to thesis chapters.

[Figure 25: the cloud governance model. Elements shown: the Adopted phase, Monitoring, Cloud governance, Monitor cloud value metrics, Monitor governance and service requirements.]

The risk controls and processes are cloud governance, which needs to be implemented through the governance/top management activities. The four colors represent four kinds of governance activities. Top managers evaluate cloud computing, direct the organization through implementing processes and ensuring risk-reducing controls are applied during the adoption project, and, after adoption, monitor the value of the cloud services. The central adoption activities (plan, engage, implement and adopted) are not part of the governance, but are displayed to show when the risk-reducing controls should be applied. The next section presents the corresponding table, which is provided together with the model. It elaborates the elements of the model and provides the information for the evaluation of cloud computing.

7.5. Corresponding table & cloud evaluation aspects

A one-sheet table accompanies the graphical model to provide an explanation and elaboration of the elements. This table also includes the information for the evaluation of cloud computing (business case, organizational impact and risks). Table 21 lists the elements of the table and the corresponding sections/chapters in the thesis, while Table 22 shows the actual table as part of the framework. The elements are not elaborated in this section, to prevent redundancy.

Element: description (thesis section)
- Evaluate activity: the element which corresponds to the cloud evaluation governance activity (6.4).
- Readiness assessment: readiness information (6.1).
- Business case: business case information (6.1).
- Additional information, process of building the business case: information for building and evaluating the business case (6.1).
- Organizational impact: the main organizational impact is mentioned to help build the business case.
- Risks: the categories of risks are listed.
- Benefits: the categories of benefits are listed.
- Implement processes activity: the governance activity concerned with implementing the necessary processes.
- Manage risk activity: the governance activity concerned with assuring risks are managed.
- Risk responses: the risk controls are shown and mapped to adoption phases.
- Value assurance (monitoring): the governance activity concerned with monitoring the cloud's value (6.4).

Table 21: elements of the table and corresponding section/chapter of the thesis.

Governance aspect: Evaluate
  Readiness: Assess whether the processes, technology and capabilities are appropriate for cloud computing and whether the organizational alignment (i.e. implementing the necessary processes) is feasible.
  Business case: For a specific scope of services (e.g. ) a business case is built and evaluated; it contains the risks, costs, benefits and cons of the cloud service. The impact on the total organization should be assessed for a holistic view.

Cloud evaluation information
  The process of building and evaluating the business case:
  - Define the scope of services (e.g. ). The service scope is based on security policies and data classifications (e.g. which data is allowed in the cloud?), the organization's network capabilities (which applications can deal with this performance?) and the organization's strategy, enterprise architecture and cloud vision (where are we heading?).
  - Define the cloud model for the service. The delivery model (e.g. SaaS) and deployment model (e.g. public) are in most cases predetermined by security policies (private is safer) or the IT strategy (infrastructure vs. application), but multiple business cases can be developed and evaluated to compare multiple models.
  - Assess organizational impact, benefits, cons, costs and risks. The benefits should be based on organizational goals or drivers. A TCO approach can be used for assessing the costs, for which tools are available.
  - Build and evaluate the business case.
  Organizational impact: The main impact of adopting a cloud solution is on the IT department. As infrastructure moves out of the organization, fewer IT employees are necessary and their roles will change. Also, processes need to be implemented, risks need to be managed and data needs to be migrated. Further, existing applications and processes may be impacted.
  Benefits: The benefits of cloud computing relate to cost reduction and strategic and technical/security advantages.
  Risks: Because the services are delivered over the internet and data is stored in data centers on the provider's site, multiple risks occur. Examples are data loss because of hijacking attacks, unavailability because of network limitations and cloud-provider lock-in. Private clouds are less risky than public ones.

Governance aspect: Processes
  Risk management: Ensure a risk management process is established, which identifies the risks when building a business case and provides the proper risk responses for the secure adoption of a cloud service.
  Service management: Ensure the required ITIL-like service management processes are in place, such as Service Level, Supplier and Incident management. Some need to be established together with the provider. These processes come together with new roles and responsibilities. IT employees need to be educated, and when hiring staff this should be taken into account.
  Security management: The processes which need to be implemented for security reasons, as internal controls when managing risks. Some service level processes may be referred to as security management, such as incident and access management. Other security processes are, amongst others, key and data management. IaaS and PaaS require additional security processes compared to SaaS solutions, such as patch management.

Governance aspect: Manage risks
  Set up adoption project & apply risk controls: A cloud-adoption project should be established. Ensure the appropriate risk-reducing controls are applied during the adoption of the service(s) to manage the risks. The high-level risk responses are shown below; the risk management process needs to determine the exact responses or risk-reducing controls.

  Risk responses, with the cloud adoption phase in which they apply:
  - Requirements of service and vendor (phase Architect: planning of the process and the requirements for the service are established). Benchmark current applications for performance requirements. Set up service requirements and metrics (e.g. response time, QoS etc.) for the SLA. Identify risk mitigation elements for the SLA, such as third party audit clauses. Identify relevant compliance requirements and the necessary security controls.
  - Vendor & SLA evaluation and negotiation (phase Engage: selection of the provider). The cloud provider needs to be evaluated, including its security controls according to compliance requirements. The cloud provider's SLA needs to be evaluated against the requirements or it should be negotiated.
  - Internal security & availability plans (phase Implement: the cloud service is implemented). The internal security controls should be implemented, including network and application security, cryptography, key management and data management policies and proper security management processes (e.g. access control and incident management). Plan for mitigating availability risks, including a fail-over strategy (i.e. the cloud service fails), an exit strategy (prevent CSP lock-in), mitigation strategies for VMs (IaaS) and disaster recovery plans.
  - Monitoring (phase Adopted: the cloud service is operating and renewed). The following needs to be monitored: the SLA metrics, such as performance; the security controls and compliance of the CSP, through compliance logs; the internal controls, such as network security; data movement in the cloud (sensitive data should not be put in public clouds and data needs to be encrypted); events that could lead to new cloud-related risks, including changes in compliance requirements.
  - Data classifications: Data classifications should be in place. For example, data is classified as privacy sensitive and privacy non-sensitive. Data classifications are not only required for the monitoring of data in the cloud, but also when defining the cloud service (see business case).

Governance aspect: Value assurance
  To assure the cloud service provides the required value, several aspects need to be monitored and evaluated: key performance indicators, such as the ROI; service requirements, whether the service still fits the business needs; the SLA, whether the service delivers the promised performance.

Table 22: the additional table elaborating the model's elements, including the evaluation aspects.
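As an added example that is not part of the thesis, the following Python script implements two of the Adopted-phase monitoring controls described above over constructed log lines: data movement checked against a data classification (privacy-sensitive data may not go to a public cloud, unclassified data is flagged, and cloud-stored data must be encrypted) and a nearest-rank 95th-percentile response-time check against an SLA limit. The log line format, the field names and the 500 ms limit are assumptions made for this example.

```python
"""Added example, not part of the thesis: two Adopted-phase monitoring controls
from Table 22 (data-movement monitoring against a data classification, and an
SLA response-time check), run over constructed sample data.

The log line format, field names and the SLA limit are assumptions made for
this example, not values taken from the thesis.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed data-movement events: a timestamp followed by key=value fields.
SAMPLE_EVENTS = """\
2014-01-10T09:12:00 dataset=customer_records class=privacy_sensitive target=public encrypted=no
2014-01-10T09:15:00 dataset=customer_records class=privacy_sensitive target=private encrypted=yes
2014-01-10T09:20:00 dataset=marketing_site class=privacy_nonsensitive target=public encrypted=yes
2014-01-10T09:25:00 dataset=web_logs class=privacy_nonsensitive target=public encrypted=no
2014-01-10T09:30:00 dataset=hr_files class=unknown target=public encrypted=yes
"""

# Constructed response-time samples (milliseconds) for one reporting period.
SAMPLE_RESPONSE_TIMES_MS = [120, 130, 140, 150, 160, 170, 180, 190, 200, 900]

# Assumed SLA metric: the 95th-percentile response time must not exceed this limit.
SLA_P95_LIMIT_MS = 500

# The two classification labels used in the thesis' example classification.
KNOWN_CLASSES = {"privacy_sensitive", "privacy_nonsensitive"}


@dataclass(frozen=True)
class Finding:
    """One control violation raised by the data-movement monitor."""
    dataset: str
    reason: str


def parse_event(line: str) -> dict[str, str]:
    """Parse 'timestamp key=value key=value ...' into a dict (timestamp under 'ts')."""
    parts = line.split()
    event = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def check_data_movement(log_text: str) -> list[Finding]:
    """Apply the data classification control to every data-movement event."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        dataset = ev.get("dataset", "<unknown>")
        cls = ev.get("class")
        # Sensitive data must stay out of public clouds; unclassified data cannot
        # be placed at all, because the classification drives the service scope.
        if cls == "privacy_sensitive" and ev.get("target") == "public":
            findings.append(Finding(dataset, "privacy-sensitive data moved to a public cloud"))
        elif cls not in KNOWN_CLASSES:
            findings.append(Finding(dataset, "data not classified before cloud placement"))
        # Everything placed in the cloud has to be encrypted.
        if ev.get("encrypted") != "yes":
            findings.append(Finding(dataset, "data stored unencrypted"))
    return findings


def percentile(samples: list[float], pct: float) -> float:
    """Nearest-rank percentile: the value at rank ceil(pct * n / 100) of the sorted samples."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def sla_breached(samples: list[float], p95_limit_ms: float) -> bool:
    """True when the 95th-percentile response time exceeds the SLA limit."""
    return percentile(samples, 95) > p95_limit_ms


if __name__ == "__main__":
    for finding in check_data_movement(SAMPLE_EVENTS):
        print(f"FINDING {finding.dataset}: {finding.reason}")
    p95 = percentile(SAMPLE_RESPONSE_TIMES_MS, 95)
    status = "BREACH" if sla_breached(SAMPLE_RESPONSE_TIMES_MS, SLA_P95_LIMIT_MS) else "ok"
    print(f"SLA p95 response time {p95} ms (limit {SLA_P95_LIMIT_MS} ms): {status}")
```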

8. Expert feedback on the initial framework

The cloud evaluation and governance framework, as presented in the previous chapter, was evaluated by both possible users (C-suite managers) and cloud computing experts. The possible users were interviewed to assess the usability and usefulness of the model, but they could also provide expert feedback on the presumed top management activities of the model. Because the cloud computing experts worked closely with C-level executives, they could also provide some insights into the usability of the model. This feedback round addressed four aspects:
- Is it understandable? Is it clear how to use and apply the model?
- Is it useful and is the information valuable?
- Does it contain the correct cloud governance/top management activities?
- Experts: is the model accurate? Is the provided information correct?

8.1. Approach

Six interviews were held with six potential users (top managers) or cloud computing experts, as shown in Table 23. They were selected if they met either of two requirements:
- The interviewee is a C-suite manager or works closely with C-suite managers.
- The interviewee is an expert on cloud computing.

ID: profession, organization, main role
- User 1: CIO, university, potential user.
- User 2: CFO, bank, potential user.
- User 3: CSO, university, potential user.
- User 4: CTO (also cloud expert), software company, potential user / expert.
- User 5: Strategic IT advisor, own company, potential user.
- Expert 6: Security project manager (cloud expert), insurance company, cloud expert (feedback was taken into account).

Table 23: overview of the respondents in the feedback phase.

The interviews were recorded with a mobile phone and transcribed afterwards. For the analysis, a qualitative content analysis method was applied (Zhang & Wildemuth, 2009). For each of the categories understandability, usefulness, correctness of governance activities and information accuracy, the main message of each interviewee was extracted. The results of the content analysis are shown in appendix G, while the interview transcripts are shown in appendix F.

Results

The results of the validation interviews are discussed for each of the categories.

Understandability

All of the interviewees, except one [User 3], did not perceive the model as easy to understand. The adoption project activities, which are displayed together with the risk-reducing controls, were thought to be the main element of the model by almost all interviewees [User 1, 2, 4 and 5; Expert 6]. Also, the lack of clear phases was considered to be a downside of the model [User 1 and 4; Expert 6]. [User 5] needed more time to take a look at the model. This was also considered as a cue that the model is not easy to understand. [User 3] had a different opinion though and thought the model was very clear. [User 1] mentioned the terms used were very confusing and would be even more difficult to understand by non-IT top managers who do not have extensive knowledge of IT, such as CSP, which stands for cloud service provider. So the model would probably be better understood by IT experts than by business managers. Further, the table was, according to the cloud expert, too detailed and leads to information-overload [Expert 6].

Usefulness

Because most of the interviewees did not understand the model properly, they did not go into depth on its usefulness. However, [User 1 and 4] mentioned the topic of this research, governance and security of cloud computing, was very interesting. [User 1] said: If you would make a better model which is usable by the board and put it on a website, I do not doubt that many would download it. The other interviewees did not really comment on the usefulness aspect. [User 3] pointed out that nothing was missing, which could be seen as a cue that the model is useful, and one interviewee mentioned that the model is too broad [User 4]. The other ones pointed out that top management will not use this model [User 1] and that management already knows how to handle cloud adoption [User 2]. All the interviewees reflected solely on the model, not on the information provided in the table for the evaluation of cloud computing. When one interviewee [Expert 6] was asked about this explicitly, he pointed out this is because there is too much information in the table.

Governance activities

The governance or top management activities which were assumed to be responsible for cloud governance led to confusion among the interviewees. As was pointed out in literature, multiple perspectives can be distinguished on IT and cloud governance. This was also notable in this feedback phase. [User 3] pointed out these activities are correct. Top management and the board should evaluate cloud, direct management and monitor its value. But the risk controls are more relevant to middle management. [User 4] also agreed the activities were governance, but he had a very broad perspective of governance. When asked whether top management should be involved in these activities, he explained that it should be the case, but in practice it is not often done. The main aspect top management should be involved in is the alignment of the cloud solutions to the business goals. They, and the board of directors, are mostly interested in the Value assurance aspect of the model. [User 2] perceived the model as a management/adoption model. According to him, governance is about accountability, which is similar to the view of Ross and Weill (2004) (see section 4.4) on IT governance. According to this interviewee, management is about executing processes, governance is about who makes the decisions within these processes and who is accountable. He perceived the activities as part of project management in combination with management oversight. However, he could understand the model is called a cloud governance model, as micro governance is included for the cloud management processes. These processes are too low level though, to be part of the corporate governance framework set out by the governing body. [User 1] thought the model is better usable for the IT manager. Governance is considered to be the framework of how things run in an organization, according to this interviewee. But as this model is aimed at top management, he disagreed whether these are the correct governance activities. The board and executive management do not really bother with cloud solutions, as they are not disruptive technologies in his opinion. The model does fit within the level of IT Governance: setting up the IT organization. [User 5] and [Expert 6] considered the activities to be part of project management, for which top management could, ideally, provide some oversight in the steering committee. It depends on the policies and decision making structure whether top management or the CIO is involved or not.
It is not that simple that the board or top management is responsible for these particular activities of the model, as many activities are delegated.

Information accuracy

Besides evaluating the understandability and usefulness of the model, the information of the model and table was validated by two interviewees who had expert knowledge on cloud computing [User 4; Expert 6]. According to them, the information was correct. However, [User 6] pointed out the organizational impact is not limited to the IT department. He explained: when applications are replaced by cloud solutions, their functionality could also affect non-IT employees. This corresponds to the findings in this research, but this was not seen as an impact of cloud computing, as non-cloud solutions could also have this impact. Further, two non-experts mentioned the service management processes were only relevant when the cloud solution was operational, not during adoption [User 3 and User 5]. It was assumed service management processes could be relevant to the whole cloud lifecycle (see section 4.2).

Additional comments

The interviewees provided some additional comments for the development of the final model:
- The circle model implies a continuous set of actions; maybe use a different format [Expert 6].
- Too many stories are told; develop different models for different audiences [User 1].
- An awareness model is useful for the board and non-IT top managers [User 1; User 3].
- Make a link to enterprise governance, including decision making structure, enterprise goals and policies [User 2].

Conclusion

It can be concluded the model is not understandable and not very usable. The adoption project activities were misleading and often the center of attention. Also, the lack of clear phases and a beginning was confusing. The table was too detailed and caused information-overload. The provided information for the evaluation of cloud computing was therefore not really addressed by the interviewees; some did not even look at it. The supposed governance / top management activities (Evaluate, Direct and Monitor) were at least disputable. They were applicable to cloud computing in one organization [User 3], but not in the others. It can therefore be concluded that it depends on the organizational structure of the organization whether top management or a governing body is involved with the governance / top management activities of the model. A positive aspect was the accuracy of the provided information. Most of the interviewees perceived the information as accurate, including the cloud computing experts [Expert 6; User 4]. The somewhat quantified results of this phase are shown in Table 24. The scoring is based on the opinions of the interviewees as perceived by the researcher. The analysis of this feedback, the implications for a revision of the initial framework and the development of the revised framework are discussed in the next chapter.

[Table 24: results of the feedback of potential users and experts, scoring understandability, usefulness, governance activities and information accuracy per interviewee (CIO, CFO, CTO, CSO, security project manager, strategic IT advisor); ++ is most positive, - - is most negative, +/- is neutral. The individual scores are not recoverable here.]

9. Development of the revised framework: version 2.0

The feedback of the potential users and the cloud computing experts was used to alter the initial framework and to develop a new version, which is more closely aligned to the practices found in organizations and which is easier to understand. This chapter deals with the analysis of this feedback, the implications for a revised design and the presentation of the revised models.

Two separate frameworks

In the initial cloud evaluation and governance framework, the governance aspect was modelled, whereas the cloud evaluation aspects (business case, organizational impact and risks) were presented as plain text in the corresponding table of the cloud governance model. According to [Expert 6] the table was too detailed. This clarifies why almost none of the interviewees commented on the evaluation aspects. Therefore two different models are developed: one cloud governance model and a separate cloud evaluation model, to prevent information-overload and to make the evaluation aspects more pronounced. The evaluation part of the framework may also be used at a different level (sourcing level) than the cloud governance aspect. While cloud governance is on the level of the project [User 2 and 5; Expert 6], evaluating cloud computing can be part of the sourcing strategy [User 1]. These findings are summarized in Table 26.

Critique area / comment: Table. Too detailed [Expert 6].
  Description: The table of the initial framework is too detailed.
  Implication: Separate models for the evaluation and governance of cloud computing are therefore developed. This should also make the evaluation aspect more pronounced, as almost none of the interviewees looked at the information on the business case, organizational impact and risks.

Table 25: the rationale behind the design choice of two separate models for the cloud evaluation and governance elements of this research.

The new framework therefore consists of two different sub-frameworks (Table 26), each consisting of a model and a corresponding table in which the elements of the model are elaborated. Together they form the cloud evaluation and governance framework. How the models and frameworks relate to each other is shown in Figure 26.

Framework: scope
- Cloud governance framework (model and table): processes & risk-reducing controls for a secure and effective adoption and management of a cloud solution.
- Cloud evaluation framework (model and table): assists in the decision of moving to the cloud.

Table 26: the models of the revised framework.

[Figure 26: the elements of the revised cloud evaluation and governance framework: a cloud governance framework and a cloud evaluation framework, each consisting of a model and a corresponding table.]

Cloud governance framework

Because the table of the initial cloud evaluation and governance framework was too detailed and none of the interviewees looked at the evaluation aspects (business case, organizational impact and risks), two different models are developed to reduce information-overload and to make the evaluation aspects more pronounced. This section deals with the development of the cloud governance framework. Hereafter the cloud evaluation framework will be presented.

Cloud governance framework development

The feedback on the initial cloud governance model was not very positive. The two most significant complaints are related to the supposed governance activities (Evaluate, Direct and Monitor) and the adoption project. Most of the interviewees argued the activities of the model are not performed by general top management [User 1, 2, 4, 5 and 6] and should not be called governance [User 1, 2 and 5; Expert 6]. While the CIO is responsible for cloud governance (setting up the organization) [User 1], the CIO is not always responsible for the activities in the model. It depends on the organizational structure whether the business case is evaluated or project success is monitored by a top manager, as this responsibility could also be delegated to other members of the steering committee [Expert 6]. Because it is at least disputable whether the Evaluate, Direct and Monitor activities are in fact relevant to cloud computing, this perspective is omitted in the revised model. The focus is on cloud governance: processes and risk controls. This also leads to a revision of the target group of the model. The new framework is targeted at the CIO and others who are involved with planning of the cloud project or strategy, as opposed to general top management.

Another significant drawback was the adoption project, which was shown in the model next to the risk-reducing controls to point out when a certain group of controls needs to be applied. This led to confusion and most of the interviewees thought it was the central aspect of the governance model. In the revised model, the role of the project activities is more explicitly indicated. A comment of the cloud expert [Expert 6] was to omit the circle-design and go for a process-oriented one. This is the design perspective of the revised model and is seen as a good solution to make the role of the adoption activities clearer. Further, comments were made about the level of granularity of the risk controls, service management processes, the data classification, risk management and the link to corporate governance. The main groups of critiques and their implications are shown in Table 27.

Critique area: Governance / top management activities
  Description: Not general top management or governance activities in most organizations [User 1, 2, 4, 5 and 6]. Top management is mostly concerned with alignment to business needs in the steering committee and monitoring value, not with managing risks or implementing processes [User 4]. The CIO is responsible for cloud governance [User 1], but not always for all the activities in the model, as they could be delegated [Expert 6]. No clear beginning or phases [User 1 and 4; Expert 6].
  Implication: As it is at least disputable whether the Monitor, Evaluate and Direct activities also apply to cloud governance, this perspective is omitted and the focus is on cloud governance (processes & controls).

Critique area: Management oversight
  Description: Ensuring cloud solutions are aligned to business goals and the monitoring of the business case and KPIs can be seen as management oversight on the level of the steering committee [User 1 and 4; Expert 6]. It is important top management is involved in the project [User 4].
  Implication: Top management must however be involved in aligning cloud solutions to business needs and monitoring their value. While not depicted as governance, the project activities are shown to be monitored by management oversight activities.

Critique area: Adoption project
  Description: Confusing role in the model. Seems to be the central aspect [User 1, 2 and 4; Expert 6]. Omitting the circle-design is better suited to distinguish the phases [Expert 6].
  Implication: The role of the adoption project was not clear. A process-design is adopted in the revised model to make the role of the adoption project clearer.

Critique area: Controls
  Description: Too detailed [User 1].
  Implication: The monitoring controls were too detailed. These controls are grouped in the new version.

Critique area: Data classification
  Description: Unclear role [User 3].
  Implication: Unclear role of data classification. This control has a clearer role in the revised model.

Critique area: Corporate and IT governance
  Description: A link should be made with the corporate governance structure and its implications, such as enterprise objectives and the decision making model [User 3].
  Implication: A link is shown with corporate and IT governance in the revised framework.

Critique area: Target audience
  Description: Top management is not involved with (all of) these activities [User 1, 2, 3 and 4; Expert 6]. The CIO is responsible for cloud governance [User 1], or others involved in the cloud project as steering committee members [Expert 6].
  Implication: General top managers, such as the CEO, are not involved with setting up the service management processes and with managing risks. The audience of the new cloud governance and evaluation model is the CIO and others involved with adopting cloud computing.

Critique area: Service management processes
  Description: Need to be implemented in the cloud adoption project, to manage the service when operational [User 3 and 5]. Additional experts were consulted, as shown in Appendix H. This corresponded to the opinions of [User 3 and 5].
  Implication: Service management processes are not applicable to the whole cloud adoption project. Service management processes are only applicable to the Adopted phase.

Critique area: Risk management
  Description: While depicted properly in the model, the table does not clarify that the risk management process must be performed periodically [User 3].
  Implication: It was not mentioned that the Risk management process should be performed on a regular basis. This is clarified in the description of Risk management.

Table 27: main points of critique and implications for the revised cloud governance framework.

As the top management activities perspective (Evaluate, Direct and Monitor) is omitted, the revised cloud governance model is a radical change. The focus is solely on cloud governance: processes and risk-reducing controls. The high-level design is depicted in Figure 27.

[Figure 27: high-level design, based on additional comments and critiques of interviewees: project activities, processes and risk-reducing controls.]

The revised cloud governance model

The revised governance model shows the processes which need to be implemented, the high-level groupings of controls and the project activities, to make clear when the risk-reducing controls should be applied. The content of the model and the links to the thesis sections are shown in Table 28, the actual model in Figure 28.

Element: Cloud governance: processes
  Description: The management processes which need to be implemented for maximizing the value of the cloud solution and minimizing its risks.
  Thesis section: 6.2; 6.4
  Visualization: Light blue rectangles.

Element: Cloud governance: risk-reducing controls
  Description: The high-level grouping of risk-reducing controls.
  Thesis section: 6.2; 7.4
  Visualization: Dark blue rounded areas.

Element: Project activities
  Description: The phases of cloud adoption, in order to show when the controls apply.
  Thesis section: 7.4
  Visualization: Green arrows.

Element: Management oversight
  Description: The involvement of top management in the cloud project.
  Visualization: Green shade over the project activities.

Element: Link to enterprise and IT governance
  Description: The cloud solution is not adopted in isolation but is influenced by internal rules made by directors, such as policies and enterprise goals.
  Thesis section: 8.2.5
  Visualization: Grey rounded line.

Table 28: elements of the revised cloud governance model and links to thesis sections.

[Figure 28: the revised cloud governance model. Title: The Cloud Governance Model: management processes & security controls for an effective and secure adoption of an off-premise cloud solution. Surrounding frame: Corporate & IT governance. Project activities: Plan, Engage, Implement, Operate, with Management oversight shaded over all phases. High-level, advised risk-reducing controls: SLA & Vendor requirements; SLA & Vendor negotiation and evaluation; Data classifications; Internal security & availability plans; Monitoring Cloud Risks & Controls. Processes & roles and responsibilities: Risk management process; Service management processes; Security management processes.]

This model depicts cloud governance as a system or framework, no longer as part of the Corporate Governance of IT (Evaluate, Direct and Monitor). The model assists CIOs and others involved with the adoption of cloud computing by depicting the processes needed for an appropriate management of the cloud solution and the high-level advised risk-reducing controls for reducing the risks of the cloud solution(s). Risk management is of importance to the whole project, as it provides controls and identifies the risks of the cloud solutions before adoption. This should be repeated at multiple points afterwards, including periodically when the solution is operational. Service and security management processes should be implemented within the cloud adoption project and are needed when the solution is live. The cloud project is also dependent on the enterprise and IT governance of an organization, regardless of the exact meaning of this concept. Amongst others, security and outsourcing policies determine which solutions can be cloud sourced. Management oversight is also depicted, although strictly not part of cloud governance. It is necessary to assure the cloud solution's value will be delivered.

The corresponding table of the cloud governance model

The additional table is made less detailed and only provides the information on the risk-reducing controls and the processes: the elements of cloud governance. The project activities are described to give an idea of when the controls are relevant. This should prevent information overload, while providing an elaboration of the elements in the model. Table 29 shows the elements of the table and the links to the thesis sections. The table as part of the framework is shown in Figure 29.

Element | Description | Thesis section
Project activities | The project activities are described on a high level to provide the context for when the controls should be applied. | 7.4
Processes | Examples of the high level management processes are given to give insights into how the management framework needs to be adapted. | 6.2; 6.3; 6.4
High level advised risk-reducing controls | The high level groupings of the controls are described and examples are provided to get an understanding of how the risks need to be managed. | 6.2; 6.4; 7.4
IT and enterprise governance | The link to IT and enterprise governance is described. | 8.2.5;
Table 29: the elements of the additional table and the links to the thesis sections.

Project activities
Plan: The cloud initiative is evaluated and the project is planned.
Engage: The cloud provider is selected.
Implement: The cloud solution is rolled out and integrated into the existing landscape. The required (service & security) processes and risk-reducing controls are implemented.
Operate: The solution is operational and is being managed, monitored and possibly refreshed.
Management oversight: Senior management should oversee the project, monitor the business case and its KPIs, the SLA and whether the service still fulfils business needs.

Processes
Risk management: The identification of risks and risk-reducing controls. These should be taken into account when evaluating the cloud solution, when planning the project (risk management strategy) and periodically after adoption. The identification is based on business and compliance requirements, the assets in the cloud (data & processes), enterprise risk appetite and cloud model (delivery & deployment).
Service management: ITIL-like processes need to be implemented or adapted for the management of the cloud service, such as provider, financial and SLA management, to monitor and manage the contracts and providers. The employees must be trained to deal with these new roles.
Security management: As part of internal security (see advised risk-reducing controls), processes need to be implemented to secure the service, such as key management, incident management and access control.

High level, advised risk-reducing controls
SLA and Vendor requirements: Identify SLA risk mitigation requirements (e.g. data ownership), identify relevant compliance and privacy regulations and the corresponding security controls and vendor requirements (e.g. security processes and data center location), and benchmark applications for setting up service metrics (e.g. response time) for the SLA.
SLA and Vendor negotiation: Evaluation of the vendor and SLA according to the requirements, or negotiation of the SLA when it is not fixed.
Internal security: Internal security controls, such as security management processes, network and application security, cryptography and data management policies.
Availability plans: To reduce availability risks, several plans or strategies need to be developed, such as fail-over strategies (for outages) and exit strategies (for provider lock-in).
Monitoring: The SLA, compliance logs, internal security controls (e.g. network security), data movement (sensitive data, cryptography) and events which could lead to new risks, such as changes in compliance regulations or provider and tenant actions.
Data classification: A data classification scheme should be put in place for the identification of the cloud solution and for monitoring data movement. Sensitive data should not be put in the cloud.

Corporate governance
The cloud solutions should be aligned to the corporate strategies and policies. The IT/cloud strategy and security policies determine which applications are appropriate to outsource, and adoption policies determine who can start the cloud project and who should be involved. Also, cloud solutions should be based on business drivers to support the overall business strategy, and risks are identified according to the corporate risk appetite and business & compliance requirements.
Figure 29: additional table for the revised cloud governance model.

9.3. Cloud evaluation framework

The information to assist higher management with the evaluation of cloud computing, i.e. whether it is valuable to move to the cloud, was included in the additional table of the initial cloud governance model. Most of the interviewees did not even look at it, and a cloud expert argued this was caused by the information overload of the table (see section 8.2.2). Therefore, an additional model is created which can be used by managers to evaluate cloud computing solutions as part of a sourcing strategy or cloud project. First the development of the framework is discussed. Hereafter the model and the corresponding table are presented.

Cloud evaluation framework development

The separate cloud evaluation model is developed to reduce the information overload for the users and to make the evaluation information more pronounced. There is no need to alter the information which was provided in the table. The high level design follows the steps which were mentioned in the corresponding table of the initial cloud governance and evaluation framework, as shown in Figure 30.

Figure 30: cloud evaluation aspects in the corresponding table of the initial cloud governance model.

However, one step is added: the link to strategy. It was concluded (see section 6.1) that the initiative for cloud solutions can arise in two ways: from a technology push or from business needs. In the first scenario, organizations look at their strategy to assess how cloud computing can enhance their IT and business strategy. In the latter, cloud computing is a possible solution to a problem. In the initial framework, the strategy step (technology push) was omitted, as it was expected that the users would already see cloud computing as a viable option for their strategy or as a solution to the problem, since the model was about cloud governance. The revised model is expected to be (also) used by organizations that want to do something with the cloud computing trend as part of their sourcing strategy. The additional strategy step provides some context to the model and a clear beginning.

The high level design is depicted in Figure 31; the revisions to the initial cloud evaluation artefact are shown in Table 30.

[Figure 31: abstract version of the revised cloud evaluation model. Parts: Pre business case activities; Business case development; Business case elements.]

Element | Initial cloud evaluation and governance framework | (Revised) Cloud evaluation framework
Model/visualization | Textual, as part of the corresponding table. | A graphical model and a corresponding table which elaborates the elements.
Business case development steps | Service definition; Model selection; Business case development | Strategy; Service definition; Model selection; Business case development
Organizational impact | Short explanation of the organizational impact. | Same
Risks | Short description of the risks of cloud computing. | Same
Benefits | Short explanation of the benefit groups and the link to business drivers. | Same
Costs | Short description of the cost calculation method within the business case development process information. | Same
Table 30: changes made to the cloud evaluation artefact.

The cloud evaluation model

The cloud evaluation framework consists of a graphical presentation and a corresponding table. The model shows the steps for developing the cloud business case as a complete process and provides the content of the business case, including a short elaboration of the elements. The content of the model and the links to the thesis sections are shown in Table 31, the actual model in Figure 32.

Element | Description | Thesis section
Strategy | Represents the strategic activity in the whole process. | 6.1
Readiness | Represents the activity to assess the organizational readiness. | 6.1
Service definition | Represents the phase in which the service is defined, including the restricting factors (strategy, network and security). | 6.1
Scope selection | Represents the activity in which the exact model is selected. | 6.1
Business case | Represents the activity in which the business case is built and evaluated. | 6.1
Organizational impact | Short description of the main organizational impact. | 6.2
Benefits | Short description of the categories of benefits and the necessary link to business goals. | 6.1
Risks | Short description of the categories of risks and the difference between a private and public cloud. | 6.3
Costs | Short description of the approach which needs to be applied for calculating costs. | 6.1
Table 31: elements of the cloud evaluation model.

[Figure 32: the cloud evaluation model. Steps, each with its guiding question: Strategy (Need for off-premise cloud initiative?): assess the possible fit of cloud computing in the IT and business strategy; should be based on business drivers. Readiness (Ready?): the organizational readiness is determined, e.g. IT processes. Service definition (What in the cloud?): the service should comply with security, strategy and network restrictions, e.g. the e-mail client. Cloud model (What kind of cloud?): often scoped by strategic intent and security restrictions, e.g. private vs. public. Business case (Adopt cloud?): assess the solution's organizational impact, risks, benefits, cons and costs. Business case elements: Benefits (cost reduction, strategic and technical benefits); Costs (use a TCO approach; compare current costs against cloud costs); Risks (can be grouped in technical, legal and organizational risks; private clouds are less risky); Organizational impact (fewer IT employees, new roles and processes; a shift to managing contracts and providers).]

The model consists of five steps, which correspond to the steps identified through the expert interviews. The target audience of this model is the CIO or others involved with the adoption of cloud computing. In the first phase, cloud computing is evaluated in the light of the current IT and business strategy to assess whether there are opportunities to enable this strategy. For example, the strategic objective of cost reduction in the IT department could be achieved by replacing current, on-premise solutions by off-premise cloud applications. In the next phase the readiness of the organization is researched. This includes the organization's processes (IT processes), capabilities, people and culture. If the organization is suitable for off-premise cloud computing, the existing applications are researched according to three criteria: strategy, security and network restrictions. The cloud solution should fit in the strategy and enterprise architecture. For example, many SaaS solutions are standard packages. Therefore applications which are custom made to enable strategic processes are not good candidates to be replaced. Further, the application should comply with security policies (are the data and the process allowed in the cloud?) and the network performance (internal and public internet speed) should be good enough for the required performance. Some applications may need a very fast response time which the network does not allow. An example of an application which is often replaced by organizations (according to the experts; see section 6.1) is the e-mail application: from Outlook to, for example, Google's Gmail. While the cloud model is often scoped by security policies and strategic intent (see section 6.4), multiple models could still be chosen for the cloud solution. For example, an off-premise application can be hosted by a public cloud provider, at which the hardware is shared

amongst other customers or tenants, or by a private cloud provider, at which the hardware is separated through a firewall. When the service is defined and the model is selected, a business case is built. This contains the organizational impact, the benefits, costs, risks and cons (see section 6.1). The organizational impact should be assessed first, as it identifies amongst others the benefits (e.g. fewer IT employees). The model shows some information on the aspects of the business case.

Summarized, the cloud evaluation model provides the CIO with the context for evaluating cloud computing, in order to make a thorough decision on whether to adopt a cloud solution. It can be used together with the cloud governance model, in order to get insights into how risks need to be managed and what processes need to be implemented. The next section presents the corresponding table.

The corresponding table of the cloud evaluation model

A table is provided with the cloud evaluation model to elaborate the elements and to provide some extra information on them, including the organizational impact. The elements in the table follow the structure of the model. Table 30, which shows the aspects of the model and the corresponding sections in the thesis, therefore also applies to this part of the framework. The table which is provided as part of the evaluation framework is shown in Table 32.

Element | Description | Relevant factors/elements: description | Relevant factors/elements: additional information
Strategy | In an IT strategy project the strategic role of cloud computing is determined. This could lead to a cloud initiative. For example, assessing how applications can be replaced by SaaS applications to reduce costs. | |
Readiness | Assess whether the processes, culture, technology and capabilities are appropriate for cloud computing. | |
Service definition | Select the services (applications, development platforms or infrastructures) which could be replaced by cloud solutions. | Security: The service should comply with security policies and data classifications. | Online questionnaires can be used. Data classification provides insights into the sensitivity of the application's data. Security policies determine amongst others what can be outsourced and to what extent sensitive data may be put in the public and private off-premise cloud.

Service definition (continued) | | Strategy: The service should fit in the strategy of the organization. This includes the IT strategy, a possible cloud strategy and the Enterprise Architecture. | An important consideration is the level of standardization of SaaS applications. As they cannot be customized, they are mostly appropriate for non-strategic business processes.
Service definition (continued) | | Network: The network capabilities should be adequate for the service. | Benchmarking current applications can provide response time requirements.
Cloud model | Determine the cloud model, which consists of the delivery and deployment model. | | An off-premise cloud can be a community, private or a public cloud (delivery model). The private cloud uses a more secure network connection, and hardware resources are within the organization's own security perimeter (firewall). The deployment model can be SaaS (complete application), PaaS (development environment) or IaaS (hardware).
Business case | Develop a business case, which justifies the decision to adopt a cloud solution, or cloud solutions, instead of traditional IT or other forms of outsourcing. | Organizational impact: Assess the impact on the organization's processes, people, structure, culture and existing IT landscape. | As elements are outsourced, fewer IT employees are needed. Also, the role of IT employees changes to managing providers and contracts. Service, risk and security management processes must be implemented for managing providers and contracts, risks and security.
Business case (continued) | | Costs: Determine the difference in costs of the cloud solution, the traditional solution and possibly other sourcing alternatives, through a Total Cost of Ownership (TCO) approach. |

Business case (continued) | | Risks: Determine the risks of the cloud solution. | Risks can be grouped into organizational, technical and legal risks. The identification is based on business and compliance requirements (i.e. regulations), assets in the cloud (processes & data), the cloud model (e.g. private cloud) and the corporate risk appetite.
Business case (continued) | | Benefits: Determine the benefits of the cloud solution. These need to be based on business drivers. A ROI or NPV can be used as a value estimation metric. | The benefits can be grouped into strategic, technical and cost-reductive benefits.
Business case (continued) | | Business case: Develop a business case, containing the benefits, risks, costs, cons and organizational impact. | If positive, continue the cloud initiative and develop a cloud adoption strategy. If not, keep the existing IT.
Table 32: corresponding cloud evaluation table.

Relation between the cloud evaluation and governance frameworks

The two frameworks represent different activities regarding cloud adoption: one is focused on evaluating cloud computing (adopt cloud?) and the other on governing cloud solutions. Evaluating cloud solutions takes place within the Plan phase of the cloud adoption project, or even before the project has begun, for example as part of the cloud sourcing strategy. The data classification must be implemented before the service is defined in the Service definition activity, though, to identify the proper cloud candidate applications. The relationship between the two frameworks is visualized in Figure 33.

[Figure 33: relationship in time between the cloud evaluation framework and the cloud governance framework. Elements shown: Cloud evaluation framework; Plan; Service definition; Data classification.]

10. Expert feedback on the revised framework

The cloud evaluation and governance models, as presented in the previous chapter, were again evaluated by both possible users (C-suite managers) and cloud computing experts, in order to develop a final framework. The cloud experts in this validation round did not work close to C-level executives, so they were not asked to provide input on the understandability and usefulness of the model. This feedback round addressed three aspects:
- Is it understandable? Is it clear how to use and apply the model?
- Is it useful and is the information valuable?
- Experts: is the model accurate? Is the provided information correct?

Approach

Five interviews were held with potential users (top managers) or cloud experts for feedback on the cloud governance model (see Table 33). Four interviewees commented on the cloud evaluation model. Two interviewees (User 7 and 8) were part of the previous feedback round, so they also commented on the improvements compared to the previous framework. Although the main audience for the framework are CIOs, other C-suite members could be involved with the cloud project. Therefore, the Chief Security Officer was also considered to be a possible user of the cloud governance model. The interviewees were selected if they were:
- A C-suite manager, or worked closely with them.
- An expert on cloud computing.

Expert profession | Organization | Role | Framework | ID
CIO | Hospital | Potential user | Governance + Evaluation | User 6
CSO (same as last round) | University | Potential user | Governance | User 7
Strategic IT advisor (same as last round) | Own company | Potential user | Governance + Evaluation | User 8
Cloud infrastructure consultant (telephone interview) | Consultancy company | Expert | Governance + Evaluation | Expert 7
Information security program director | University of applied science | Expert | Governance + Evaluation | Expert 8
Table 33: overview of the respondents in the second feedback phase.

The interviews were recorded with a mobile phone and transcribed afterwards. For the analysis, a qualitative content analysis method was applied (Zhang & Wildemuth, 2009). For each of the categories understandability, usefulness and information accuracy, the main message of each interviewee was extracted. The results of the content analysis are shown in Appendix J, while the transcripts are shown in Appendix I.

10.2. Results

The results of the feedback interviews are discussed for each of the categories.

Understandability

All of the respondents understood the cloud governance model. None of them questioned the elements of the model. [User 8] argued the previous model was way too detailed, while this one is good and understandable. There were also no significant problems with the understandability of the cloud evaluation model, but [User 8] interpreted Service definition differently, namely as the impact on the service infrastructure. He argued this is because he does not understand the concept of cloud computing very well. A better explanation of a cloud service would be beneficial. [User 6] did not have a clear opinion on the cloud evaluation model, as it does not reflect the activities he is involved in.

Usefulness

The three potential users all found the cloud governance model to be usable. [User 8] argued it is very interesting what to do when you lose control, [User 6] mentioned even experienced project managers struggle with this issue and [User 7] found the risk-reducing controls to be very beneficial for IT managers. The risk-reducing controls seem to be found more interesting than the processes that are depicted. [User 1] did not comment on the usefulness of the cloud evaluation model, as cloud adoption takes place on a lower level in his organization. [User 8] found the model very useful for structuring evaluation activities. However, he argued additional methods and tools could make the model also valuable when performing the activities.

Information accuracy

Two experts were consulted to assess the accuracy of the two models. [Expert 7] did not have any comments on the accuracy of the cloud governance model, but argued a governance model should also depict the exact roles and responsibilities. [Expert 8] found the model overall accurate, but argued that internal security should be addressed upfront, that the risk-reducing controls are not consistent (activities vs. controls), that security management is a better term than risk management, that auditing is a process and not just a control, and that security management processes are controls. The potential users did not have much criticism on the cloud governance model. [User 6] argued, though, that auditing is an activity which is performed together with the provider and that risk management is a loop. He also mentioned a governance process should monitor the solution as part of a portfolio. Later on, he noticed this is also covered in the model (management oversight).

The experts found the cloud evaluation model accurate. They did not have any comments. [User 6] did not find the model to be correct, as it does not reflect the activities he is involved in. He does not develop the business case for cloud solutions. Further, when choosing a solution to put in the cloud, integration issues should be taken into account [User 6].

Conclusion

It can be concluded that the cloud evaluation and governance models are useful, understandable and relatively accurate. The revised cloud governance model is an improvement on the initial framework. [User 8] said the initial one is too detailed and this one is good and understandable. However, in the organization [User 6] is working for, the cloud evaluation model does not reflect the activities of higher management. This can be explained by the level of maturity of this particular organization. Their level of standardization and cloud adoption is very high. On an architectural level cloud adoption is already fostered; the CIO is not involved anymore in the adoption of cloud applications, as this is done by lower IT managers. With regard to possible improvements, [Expert 8] commented on the accuracy of the cloud governance model (e.g. activities vs. controls) and [User 8] on the usefulness of the cloud evaluation model, by arguing methods and tools should be added. Further, [User 6] mentioned the choice of cloud applications is also restricted by integration requirements. The somewhat quantified results of this phase are shown in Table 34. The analysis of this feedback and the implications for the development of the final cloud evaluation and governance models are discussed in the next chapter.

[Table 34: results of the second feedback round with potential users and experts (++ is most positive, - - is most negative, +/- is neutral). Cloud evaluation model: rated on understandability, usefulness and information accuracy by the CIO (Hospital), the Strategic IT advisor (Own company), the Cloud infrastructure consultant (expert, telephone interview; Consultancy company) and the Information security program director (expert; University of applied science). Cloud governance model: rated by the same respondents plus the CSO (University). Individual ratings not legible in this copy.]

11. Development of the final framework: version 3.0

The feedback on the revised cloud evaluation and governance models was positive. According to some interviewees, certain aspects could be improved. In this chapter the feedback on the models is analyzed, its implications for the final frameworks are discussed and the final cloud governance and evaluation frameworks are presented.

Final cloud governance framework

This section describes the development of the final cloud governance framework by analyzing the feedback. Hereafter, the final model and table are presented.

Final cloud governance framework development

With regard to the cloud governance model, most critiques or points of improvement were mentioned by [Expert 8]. He argued different levels of abstraction were used for the risk-reducing controls. While SLA and Provider requirements and SLA and Vendor evaluation and negotiation are activities, Data classification is an artefact. He was also skeptical about the position of the data classification. As it should be implemented before a cloud solution is selected, it should be placed before the other controls. He also argued the security management processes were more controls than an adaptation of the management framework, while Monitoring audits was considered to be an important process. This is a complicated discussion: what exactly are the processes which need to be implemented to manage cloud solutions, and what are risk-reducing controls? To solve this issue, the processes which were not mentioned as risk-reducing controls are listed. These are the risk management process and the service management processes. The risk-reducing controls are the measures to mitigate the identified cloud risks. The service management processes are broader than addressing these cloud risks. For example, financial management ensures the cloud service is cost effective.

Further, he mentioned that CIA, confidentiality, integrity and availability (data security qualities), should be depicted in the model and that the process risk management should be changed to security management, as this is a broader process which also takes into account the people. The notions of the security qualities CIA will not be depicted, as this would make the model too detailed. With regard to the differences between security and risk management, not much additional literature was found. It seems the terms are used interchangeably. As all of the literature regarding managing cloud risks referred to Risk management, as opposed to Security management, this will not be changed.

[User 6] commented on the risk management process. While it is noted that the risk management process is a continuous process, there is no loop from Monitoring to setting the requirements of the SLA and Vendor. When the environment changes, such as legal requirements, the requirements are outdated and new negotiations must begin, according to this interviewee. This is changed in the final model.

The revisions to the previous cloud governance model depict an evolutionary change. The perspective and high-level design remain unchanged. The groups of critiques on the cloud governance framework and their implications are shown in Table 35.

Critique area / comment | Description | Implication
Type of control | Data classification is an artefact, while others are more activities [Expert 8]. | All controls are listed and described as activities.
Data classification | The role of the data classification was still not clear [Expert 6]. | Ideally, the data classification should already be implemented before the other activities, as it is needed to select the cloud solution and thus to determine the SLA and provider requirements. This is shown in the final model.
Security management processes | These processes are risk-reducing controls [Expert 6]. They must be implemented, at least partially, before implementation [Expert 6]. | Only the processes which are not listed as risk-reducing controls are shown.
Service management process | Unclear role of the service management processes and when they must be implemented. | The implementation of service management processes is explicitly shown.
Risk management | Risk management is a continuous activity: after monitoring compliance requirements, new SLA and Vendor requirements can be identified [User 6]. Should be called security management [Expert 8]. | A loop from Monitoring to the first control is depicted in the revised model. Risk management will not be changed to Security management, as most literature referred to cloud Risk management as the process to manage the risks.
CIA: Confidentiality, Integrity and Availability | CIA (Confidentiality, Integrity and Availability) should be added to the model [Expert 8]. | CIA is not added to the model, as this would make it too detailed.
Table 35: changes from the revised cloud governance framework to the final cloud governance framework.

The final cloud governance model

As the changes to the previous version are not radical, most of the elements remain the same. The content of the final cloud governance model is shown in Table 36, the actual model is shown in Figure 36.

Element | Description | Thesis section | Visualization
Cloud governance: processes | The management processes which need to be implemented for maximizing the value of the cloud solution and minimizing its risks. | 6.2; 6.4 | Light blue rectangles.

110 Cloud governance: The high level grouping 6.3; 7.4 Dark blue rounded areas. security controls of security controls. Project activities The phases of cloud 7.4 Green arrows. adoption in order to show when the controls apply. Management oversight The involvement of top management in the cloud Green shade to project activities project. Link to enterprise and IT The cloud solution is not 8.2.5; Grey rounded line. governance adopted in isolation but is influenced by internal rules made by directors, such as policies and enterprise goals. Table 36: elements of the final cloud governance model and links to thesis sections. The Cloud Governance Model: risk-reducing activities and management processess for an efective and secure adoption of a public cloud solution. Corperate & IT governance Plan Management oversight Engage Implement Operate Implement data classification Determine SLA & Vendor requirements Implement internal security Negotiate and evaluate Vendor & SLA Develop availabilityrisk reducing strategies Monitor Cloud Risks & Controls Risk management process Implement Service management processes Project activities Processes & roles and responsibilities High-level, advised riskreducing activities Figure 34: the final cloud governance model. Just like the revised cloud governance model, this final version shows the processes which need to be implemented to manage the cloud service(s), the risk-reducing controls which must be applied and the project-activities, in order to show to what phase of the project or cloud life-cycle the controls apply. A notable difference is the position of the data classification control, Implement data classification. This is now placed before the other controls. The cloud solution, with corresponding risks and controls, is selected based on this data classification and should therefore be implemented before any other risk-reducing activity. 104

Also, the implementation of the service management process is explicitly shown, the controls are all approached as activities and an arrow from monitoring to the other controls is depicted.

The corresponding table of the final cloud governance model
The additional table has not changed much. Just like in the previous version, the table elaborates the elements of the model and describes the project activities to provide a context for the controls. The elements which are adapted in the cloud governance model are also changed in the table: the controls are changed to activities, security management processes are considered to be controls and it is mentioned that there is a loop from the Monitoring control towards the Determine SLA and Vendor requirements activity. Table 37 shows the elements of the table and the links to the thesis sections. The table as part of the framework is shown in Figure 35.

Element | Description | Thesis section
Project activities | The project activities are described on a high level to provide the context for when the controls should be applied. | 7.4
Processes | Examples of the high-level management processes are given to give insight into how the management framework needs to be adapted. | 6.2; 6.4
High-level advised security controls | The high-level groupings of the controls are described and examples are provided to get an understanding of how the risks need to be managed. | 6.2; 6.4; 7.4
IT and enterprise governance | The link to IT and enterprise governance is described. | 8.2.5
Table 37: the elements of the additional table and the links to the thesis sections.

Project activities
Plan: The cloud initiative is evaluated and the project is planned.
Engage: The cloud provider is selected.
Implement: The cloud solution is rolled out and integrated into the existing landscape.
Operate: The solution is operational and is being managed, monitored and possibly refreshed.
Management oversight: Senior management should oversee the project and monitor the business case and its KPIs, the SLA and whether the service still fulfils business needs.

Processes
Risk management: The identification of risks and risk-reducing controls. These should be taken into account when evaluating the cloud solution, when planning the project (risk management strategy) and periodically after adoption. The identification is based on the assets in the cloud (data & processes), the enterprise risk appetite and the cloud model (delivery & deployment).
Service management: ITIL-like processes need to be implemented or adapted for the management of the cloud service, such as provider, financial and SLA management, to monitor and manage the contracts and providers. The employees must be trained to deal with these new roles. Some of the processes can be implemented up front, but some need to be organized together with the provider, such as incident management.

High-level, advised risk-reducing controls
Implement data classification: A data classification scheme should be put in place for the identification of the cloud solution and for monitoring data movement. Sensitive data should not be put in the cloud.
Determine SLA and Vendor requirements: Identify SLA risk mitigation requirements (e.g. data ownership), identify relevant compliance and privacy regulations and the corresponding security controls and vendor requirements (e.g. security processes and data center location), and benchmark applications to set up service metrics (e.g. response time) for the SLA.
Evaluate and negotiate SLA and Vendor: Evaluation of the vendor and SLA according to the requirements, or negotiation of the SLA when it is not fixed.
Implement internal security: Internal security controls, such as security management processes (e.g. access control), network and application security, cryptography and data management policies, must be implemented. This can be done during implementation, but it is advised that most of it is done before implementing the service to reduce workload.
Develop availability-risk reducing strategies: To reduce availability risks, several plans or strategies need to be developed, such as fail-over strategies (for outages) and exit strategies (for provider lock-in).
Monitor: The SLA, compliance logs, internal security controls (e.g. network security), data movement (sensitive data, cryptography) and events which could lead to new risks, such as changes in compliance regulations or provider and tenant actions. When new risks arise, the previous risk-reducing activities should be performed again.

Corporate & IT governance
The cloud solutions should be aligned to the corporate strategies and policies. The IT/cloud strategy and security policies determine which applications are appropriate to outsource, and adoption policies determine who can start the cloud project and who should be involved. Also, cloud solutions should be based on business drivers to support the overall business strategy, and risks are identified according to the corporate risk appetite and business & compliance requirements.
Figure 35: additional table for the final cloud governance model.

11.2. Final cloud evaluation framework
This section describes the development of the final cloud evaluation framework, consisting of a final model and table.

Final cloud evaluation framework development
In the revised framework of this research, separate models have been developed for the governance and evaluation aspects. Based on the feedback, there is no need to change the high-level design of the cloud evaluation model. However, there were some aspects which could be made clearer, and tools and methods should make the model more valuable. [User 6] argued cloud adoption does not start with strategy, but as a solution to a problem, as a sourcing alternative. To make it more explicit that cloud adoption could be triggered by a technology push as well as a business push, the starting point of cloud computing being a solution to a specific problem is added to the final model. Further, [User 6] pointed out that the cloud solution should comply with integration requirements: some applications cannot be put in the cloud because of integration issues. [User 8] would find the model more usable if the concept of a cloud service is defined: what is the difference with a traditional service? Also, he argued, methods and tools should be provided in the table of the model to make it more practical. The concept of a cloud service is elaborated in the final table. Because the additional tools are not all scientific ones, they are not part of the cloud evaluation framework, but are discussed and presented in Appendix K. The groups of critiques on the cloud evaluation framework and their implications are shown in Table 38.

Critique area / comment | Description | Implication
Strategy | Cloud adoption starts as a problem, not with strategy [User 6]. | The model starts with cloud computing being a strategic enabler as well as a solution to a problem.
Service definition | The concept of a cloud service could be made clearer [User 8]. The service should also be compatible with integration requirements [User 6]. | The concept of a cloud service is elaborated in the table. Integration, as a limitation for selecting cloud applications, is added to the model in the Service definition step.
Tools and methods | Tools and methods should be added to make the model more practical [User 8]. | Appendix K covers these tools and techniques, as they are not all scientific ones.
Table 38: groups of critiques on the cloud evaluation model.

The final cloud evaluation model
Just like the previous version, the final cloud evaluation model consists of a graphical presentation and a corresponding table. The model shows the steps for developing the cloud business case as a complete process and provides the content of the business case, including a short elaboration of the elements. The content of the model and the links to the thesis sections are shown in Table 39, the actual model in Figure 36.

Element | Description | Thesis section
Need for cloud solution | Represents the phase in which the need for a cloud computing solution is determined. | 6.1
Readiness | Represents the activity to assess the organizational readiness. | 6.1
Service definition | Represents the phase in which the service is defined, including the restricting factors (strategy, integration, network and security). | 6.1
Scope selection | Represents the activity in which the exact model is selected. | 6.1
Business case | Represents the activity in which the business case is built and evaluated. | 6.1
Organizational impact | Short description of the main organizational impact. | 6.2
Benefits | Short description of the categories of benefits and the necessary link to business goals. | 6.1
Risks | Short description of the categories of risks and the difference between a private and a public cloud. | 6.3
Costs | Short description of the approach which needs to be applied for calculating costs. | 6.1
Table 39: elements of the cloud evaluation model.

[Figure 36: the final cloud evaluation model. Five steps, each with a question: Need for cloud solution (Need for an off-premise cloud initiative? Cloud computing is a possible solution to a problem or a strategic enabler; should be based on business drivers), Readiness (Ready? The organizational readiness is determined, e.g. IT processes), Service definition (What in the cloud? The service should comply with security, integration, strategy and network restrictions, e.g. e-mail client), Cloud model (What kind of cloud? Often scoped by strategic intent and security restrictions, e.g. private vs. public), Business case (Adopt cloud? Assess the solution's organizational impact, risks, benefits, cons and costs). Business case aspects: Benefits (cost reduction, strategic and technical benefits), Costs (use a TCO approach; compare current costs against cloud costs), Risks (can be grouped into technical, legal and organizational risks; private clouds are less risky), Organizational impact (fewer IT employees, new roles and processes: shift to managing contracts and providers).]

Like the revised model, the final model consists of five steps. The target audience of this model is the CIO or others who want to do something with the technological trend cloud computing as part of their sourcing strategy, or who have determined cloud computing could be a solution to a problem. In the first phase it is determined whether cloud computing could be beneficial to the organization. As mentioned above, it may be actively researched whether cloud computing can enhance strategy, or cloud computing may be a possible solution to a problem. In the first case, for example, the strategic objective of cost reductions in the IT department could be achieved by replacing current, on-premise solutions with off-premise cloud applications. Another option is that cloud computing comes forward as a solution to a problem. For example, the problem of a very expensive system may lead to an assessment of whether cloud computing could lead to lower costs. In the next phase the readiness of the organization is researched. This includes the organization's processes (IT processes), capabilities, people and culture. If the organization is suitable for off-premise cloud computing, the existing applications are researched according to four criteria. Based on the feedback on the revised cloud evaluation model, integration restrictions are added to the list of restrictions which need to be taken into account when selecting cloud candidate applications. Some applications need to be integrated with other systems, and SaaS often does not provide this option. The cloud solution should also fit in the strategy and enterprise architecture. For example, many SaaS solutions are standard packages; therefore applications which are custom made to enable strategic processes are not good candidates to be replaced. Further, the application should comply with security policies (are the data and the process allowed in the cloud?) and the network performance (internal and public internet speed) should provide adequate performance for the application. Some applications may need a very fast response time which the network does not allow. An example of an application which is often replaced by organizations (according to the experts; see section 6.1) is the e-mail application: from Outlook to, for example, Google's Gmail.

While the cloud model is often scoped by security policies and strategic intent (see section 6.4), multiple models could still be chosen for the cloud solution. For example, an off-premise application can be hosted by a public cloud provider, in which the hardware is shared amongst other customers or tenants, or by a private cloud provider, in which the hardware is separated through a firewall. When the service is defined and the model is selected, a business case is built. This contains the organizational impact, the benefits, costs, risks and cons (see section 6.1). The organizational impact should be assessed first, as it identifies, amongst others, the benefits (e.g. fewer IT employees). The model shows some information on the aspects of the business case.

Summarized, the cloud evaluation model provides the CIO with the context for evaluating cloud computing, in order to make a thorough decision on whether to adopt cloud or use traditional, on-premise IT solutions. It can be used together with the cloud governance model, in order to get insight into how risks need to be managed and what processes need to be implemented. The next section presents the corresponding table of the final cloud evaluation model.

The corresponding table of the final cloud evaluation model
The corresponding table describes the elements of the model and in this final version some minor changes have been made. As the activities Cloud need and Service definition were adjusted in the model, this is updated in the table. The final corresponding table is shown in Table 40.

Element | Description | Relevant factors/elements
Cloud need | The need for a cloud solution can come from two directions. First, cloud computing may be a solution to a specific problem (a strategic one or for a specific application). Second, it may be concluded that cloud computing can enable strategy after actively researching its opportunities. |
Readiness | Assess whether the processes, culture, technology and capabilities are appropriate for cloud computing. | Online questionnaires can be used.
Service definition | Select the services (applications, development platforms or infrastructures) which could be replaced by cloud solutions. | Cloud services are services provided over the internet and hosted by a third-party organization. They can entail infrastructure/hardware services (IaaS), platform services (PaaS) and application/software services (SaaS). The restricting factors below are described with their own description and additional information.
Service definition: Security | The service should comply with security policies and data classifications. | Data classification provides insight into the sensitivity of the application's data. Security policies determine, amongst others, what can be outsourced and to what extent sensitive data may be put in the public and private off-premise cloud.
Service definition: Strategy | The service should fit in the strategy of the organization. This includes the IT strategy, a possible cloud strategy and the Enterprise Architecture. | An important consideration is the level of standardization of SaaS applications. As they cannot be customized, they are mostly appropriate for non-strategic business processes.
Service definition: Network | The network capabilities should be adequate for the service. | Benchmarking current applications can provide response time requirements.
Service definition: Integration | The service should comply with integration requirements. | Some services need a complex integration with other systems, which may not be achievable with cloud solutions.
Cloud model | Determine the cloud model, which consists of the delivery and deployment model. | An off-premise cloud can be a community, private or public cloud (delivery model). The private cloud uses a more secure network connection and the hardware resources are within the organization's own security perimeter (firewall). The deployment model can be SaaS (complete application), PaaS (development environment) or IaaS (hardware).
Business case | Develop a business case, which justifies the decision to adopt a cloud solution, or cloud solutions, instead of traditional IT or other forms of outsourcing. The business case consists of the elements below. |
Business case: Organizational impact | Assess the impact on the organization's processes, people, structure, culture and existing IT landscape. | As elements are outsourced, fewer IT employees are needed. Also, the role of IT employees changes to managing providers and contracts. Service, risk and security management processes must be implemented for managing providers and contracts, risks and security.
Business case: Costs | Determine the difference in costs between the cloud solution, the traditional solution and possibly other sourcing alternatives, through a Total Cost of Ownership (TCO) approach. |
Business case: Risks | Determine the risks of the cloud solution. | Risks can be grouped into organizational, technical and legal risks. The identification is based on business and compliance requirements (i.e. regulations), assets in the cloud (processes & data), the cloud model (e.g. private cloud) and the corporate risk appetite.
Business case: Benefits | Determine the benefits of the cloud solution. These need to be based on business drivers. A ROI or NPV can be used as a value estimation metric. | The benefits can be grouped into strategic, technical and cost-reductive benefits.
Business case: Business case | Develop a business case, containing the benefits, risks and costs. | If positive, continue the cloud initiative and develop a cloud adoption strategy. If not, keep the existing IT.
Table 40: corresponding table to the cloud evaluation model.

Relation between the cloud governance and evaluation frameworks
The relationship between the two frameworks has not changed (Figure 37). First cloud computing is evaluated, after which it is governed. The data classification, however, must already be implemented in order to select the correct services.

[Figure 37: relationship between the two frameworks. The Service definition step of the cloud evaluation framework is linked to the Implement data classification activity in the Plan phase of the cloud governance framework.]


Nadere informatie

ARTIST. Petten 24 September 2012. www.ecn.nl More info: schoots@ecn.nl

ARTIST. Petten 24 September 2012. www.ecn.nl More info: schoots@ecn.nl ARTIST Assessment and Review Tool for Innovation Systems of Technologies Koen Schoots, Michiel Hekkenberg, Bert Daniëls, Ton van Dril Agentschap NL: Joost Koch, Dick Both Petten 24 September 2012 www.ecn.nl

Nadere informatie

Het beheren van mijn Tungsten Network Portal account NL 1 Manage my Tungsten Network Portal account EN 14

Het beheren van mijn Tungsten Network Portal account NL 1 Manage my Tungsten Network Portal account EN 14 QUICK GUIDE C Het beheren van mijn Tungsten Network Portal account NL 1 Manage my Tungsten Network Portal account EN 14 Version 0.9 (June 2014) Per May 2014 OB10 has changed its name to Tungsten Network

Nadere informatie

Verschillen in het Gebruik van Geheugenstrategieën en Leerstijlen. Differences in the Use of Memory Strategies and Learning Styles

Verschillen in het Gebruik van Geheugenstrategieën en Leerstijlen. Differences in the Use of Memory Strategies and Learning Styles Verschillen in het Gebruik van Geheugenstrategieën en Leerstijlen tussen Leeftijdsgroepen Differences in the Use of Memory Strategies and Learning Styles between Age Groups Rik Hazeu Eerste begeleider:

Nadere informatie

Expertise seminar SURFfederatie and Identity Management

Expertise seminar SURFfederatie and Identity Management Expertise seminar SURFfederatie and Identity Management Project : GigaPort3 Project Year : 2010 Project Manager : Albert Hankel Author(s) : Eefje van der Harst Completion Date : 24-06-2010 Version : 1.0

Nadere informatie

Researchcentrum voor Onderwijs en Arbeidsmarkt The role of mobility in higher education for future employability

Researchcentrum voor Onderwijs en Arbeidsmarkt The role of mobility in higher education for future employability The role of mobility in higher education for future employability Jim Allen Overview Results of REFLEX/HEGESCO surveys, supplemented by Dutch HBO-Monitor Study migration Mobility during and after HE Effects

Nadere informatie

Talentmanagement in tijden van crisis

Talentmanagement in tijden van crisis Talentmanagement in tijden van crisis Drs. Bas Puts Page 1 Copyright Siemens 2009. All rights reserved Mission: Achieving the perfect fit Organisatie Finance Sales Customer Engineering Project management

Nadere informatie

Voorkom pijnlijke verrassingen Nieuwe Controleaanpak Belastingdienst. Presentator: Remko Geveke

Voorkom pijnlijke verrassingen Nieuwe Controleaanpak Belastingdienst. Presentator: Remko Geveke Voorkom pijnlijke verrassingen Nieuwe Controleaanpak Belastingdienst Presentator: Remko Geveke Start webinar: 08:30 uur Agenda Nieuwe Controleaanpak Belastingdienst Verticaal Toezicht vs. Horizontaal Toezicht

Nadere informatie

vrijdag 8 juni 12 DRIMPY BRENGT ZORG SAMEN

vrijdag 8 juni 12 DRIMPY BRENGT ZORG SAMEN DRIMPY BRENGT ZORG SAMEN DE CONSUMENT IN DE ZORG? Fragmentatie ehealth initiatieven zorgen weer voor eilandjes in de zorg: ICT leveranciers, Regio s, Ziekenhuizen, Klinieken, Patiënt Verenigingen, Verzekeraars,

Nadere informatie

Cloud Computing: de juridische aspecten. wie zijn wij? Alan Steele Nicholson. Jeroen van der Lee. Cloud en Grid Computing Symposium

Cloud Computing: de juridische aspecten. wie zijn wij? Alan Steele Nicholson. Jeroen van der Lee. Cloud en Grid Computing Symposium Cloud Computing: Een bliksembezoek be aan de juridische aspecten Alan Steele Nicholson Jeroen van der Lee Cloud en Grid Computing Symposium ONAFHANKELIJK IT ADVIESBUREAU VANUIT DISCIPLINES: bedrijfskundig

Nadere informatie

Innovative SUMP-Process in Northeast-Brabant

Innovative SUMP-Process in Northeast-Brabant Innovative SUMP-Process in Northeast-Brabant #polis14 Northeast-Brabant: a region in the Province of Noord-Brabant Innovative Poly SUMP 20 Municipalities Province Rijkswaterstaat Several companies Schools

Nadere informatie

Ctrl Ketenoptimalisatie Slimme automatisering en kostenreductie

Ctrl Ketenoptimalisatie Slimme automatisering en kostenreductie Ctrl Ketenoptimalisatie Slimme automatisering en kostenreductie 1 Ctrl - Ketenoptimalisatie Technische hype cycles 2 Ctrl - Ketenoptimalisatie Technologische trends en veranderingen Big data & internet

Nadere informatie

Risk & Requirements Based Testing

Risk & Requirements Based Testing Risk & Requirements Based Testing Tycho Schmidt PreSales Consultant, HP 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Agenda Introductie

Nadere informatie

De Relatie tussen Werkdruk, Pesten op het Werk, Gezondheidsklachten en Verzuim

De Relatie tussen Werkdruk, Pesten op het Werk, Gezondheidsklachten en Verzuim De Relatie tussen Werkdruk, Pesten op het Werk, Gezondheidsklachten en Verzuim The Relationship between Work Pressure, Mobbing at Work, Health Complaints and Absenteeism Agnes van der Schuur Eerste begeleider:

Nadere informatie

European frameworks for VET

European frameworks for VET European frameworks for VET VLOR Brussels, 4 June 2014 Carlo Scatoli Vocational Training and Adult Learning 2002 The Copenhagen Declaration 30 November 2002 Strengthen the European dimension Improve transparency,

Nadere informatie

Onderwerp: Toelichting op Toetsingskader Informatiebeveiliging 2014

Onderwerp: Toelichting op Toetsingskader Informatiebeveiliging 2014 Confidentieel 1 van 5 Onderwerp: Toelichting op Toetsingskader Informatiebeveiliging 2014 1. INLEIDING Sinds 2010 onderzoekt DNB de kwaliteit van informatiebeveiliging als thema binnen de financiële sector.

Nadere informatie

Offshore Outsourcing van Infrastructure Management

Offshore Outsourcing van Infrastructure Management Offshore Outsourcing van Infrastructure Management an emerging opportunity dr. Erik Beulen Atos Origin/Tilburg University 1 Agenda Introductie Ontwikkelingen Risicovergelijking Best practices Conclusies

Nadere informatie

Van Virtualisatie naar Cloud Computing De roadmap voor de toekomst?

Van Virtualisatie naar Cloud Computing De roadmap voor de toekomst? Van Virtualisatie naar Cloud Computing De roadmap voor de toekomst? Louis Joosse Principal Consultant Alle intellectuele eigendomsrechten met betrekking tot de inhoud van of voortvloeiende uit dit document

Nadere informatie

Welke functies moeten ingevuld worden?

Welke functies moeten ingevuld worden? Welke functies moeten ingevuld worden? De herziene Wod van papier naar praktijk! Jan-Bas Prins 17 juni 2014 Relevante documenten Europa 2010/63/EU EC Implementation, interpretation and terminology of Directive

Nadere informatie

Open source VoIP Networks

Open source VoIP Networks Open source VoIP Networks Standard PC hardware inexpensive add-in vs. embedded designs Ing. Bruno Impens Overview History Comparison PC - Embedded More on VoIP VoIP Hardware VoIP more than talk More...

Nadere informatie

Running head: BREAKFAST, CONSCIENTIOUSNESS AND MENTAL HEALTH 1. The Role of Breakfast Diversity and Conscientiousness in Depression and Anxiety

Running head: BREAKFAST, CONSCIENTIOUSNESS AND MENTAL HEALTH 1. The Role of Breakfast Diversity and Conscientiousness in Depression and Anxiety Running head: BREAKFAST, CONSCIENTIOUSNESS AND MENTAL HEALTH 1 The Role of Breakfast Diversity and Conscientiousness in Depression and Anxiety De Rol van Gevarieerd Ontbijten en Consciëntieusheid in Angst

Nadere informatie

Overview of the presentation

Overview of the presentation 1 Intercultural mediation in health care in the EU: theory and practice Hans Verrept Intercultural mediation and policy support unit 2 Overview of the presentation 1. Policy issues 2. Why do we need medical

Nadere informatie

Instruction project completion report

Instruction project completion report Instruction project completion report The project completion report is in fact a final progress report providing a comparison between the start of the project and the situation at the end of the project.

Nadere informatie

Melding Loonbelasting en premies Aanmelding werkgever. Registration for loonbelasting en premies Registration as an employer

Melding Loonbelasting en premies Aanmelding werkgever. Registration for loonbelasting en premies Registration as an employer Melding Loonbelasting en premies Aanmelding werkgever Registration for loonbelasting en premies Registration as an employer Over dit formulier About this form Waarom dit formulier? Dit formulier is bestemd

Nadere informatie

Enterprisearchitectuur

Enterprisearchitectuur Les 2 Enterprisearchitectuur Enterprisearchitectuur ITarchitectuur Servicegeoriënteerde architectuur Conceptuele basis Organisatiebrede scope Gericht op strategie en communicatie Individuele systeemscope

Nadere informatie

Knelpunten in Zelfstandig Leren: Zelfregulerend leren, Stress en Uitstelgedrag bij HRM- Studenten van Avans Hogeschool s-hertogenbosch

Knelpunten in Zelfstandig Leren: Zelfregulerend leren, Stress en Uitstelgedrag bij HRM- Studenten van Avans Hogeschool s-hertogenbosch Knelpunten in Zelfstandig Leren: Zelfregulerend leren, Stress en Uitstelgedrag bij HRM- Studenten van Avans Hogeschool s-hertogenbosch Bottlenecks in Independent Learning: Self-Regulated Learning, Stress

Nadere informatie

WWW.EMINENT-ONLINE.COM

WWW.EMINENT-ONLINE.COM WWW.EMINENT-OINE.COM HNDLEIDING USERS MNUL EM1016 HNDLEIDING EM1016 USB NR SERIEEL CONVERTER INHOUDSOPGVE: PGIN 1.0 Introductie.... 2 1.1 Functies en kenmerken.... 2 1.2 Inhoud van de verpakking.... 2

Nadere informatie

HEGRID EIT ICT LABS HEGRID 2013-2014 TNO. Hybrid Energy GRID Management. TNO, Siemens, KIT, Deutsche Telekom, UT, TU/e, VTT, CWI

HEGRID EIT ICT LABS HEGRID 2013-2014 TNO. Hybrid Energy GRID Management. TNO, Siemens, KIT, Deutsche Telekom, UT, TU/e, VTT, CWI HEGRID Hybrid Energy GRID Management EIT ICT LABS HEGRID 2013-2014 TNO TNO, Siemens, KIT, Deutsche Telekom, UT, TU/e, VTT, CWI 1 Doel en verwachte resultaten Doel: realiseren van een Open HybridEnergy

Nadere informatie

Auteurs: Jan van Bon, Wim Hoving Datum: 9 maart 2009. Cross reference ISM - COBIT

Auteurs: Jan van Bon, Wim Hoving Datum: 9 maart 2009. Cross reference ISM - COBIT Auteurs: Jan van Bon, Wim Hoving Datum: 9 maart 2009 Cross reference ISM - COBIT ME: Monitor & Evaluate Cross reference ISM - COBIT Management summary Organisaties gebruiken doorgaans twee soorten instrumenten

Nadere informatie

Windows Server 2003 EoS. GGZ Nederland

Windows Server 2003 EoS. GGZ Nederland Windows Server 2003 EoS GGZ Nederland Inleiding Inleiding Op 14 juli 2015 gaat Windows Server 2003 uit Extended Support. Dat betekent dat er geen nieuwe updates, patches of security releases worden uitgebracht.

Nadere informatie

Over cloud-computing en Europese privacywetgeving: nu en straks

Over cloud-computing en Europese privacywetgeving: nu en straks SURFNET SEMINAR PRIVACY & DE CLOUD: DE STAND VAN ZAKEN Over cloud-computing en Europese privacywetgeving: nu en straks Gerrit-Jan Zwenne Utrecht 26 juni 2012 roadmap privacyrichtlijn 95/46/EG - verantwoordelijke

Nadere informatie

Understanding and being understood begins with speaking Dutch

Understanding and being understood begins with speaking Dutch Understanding and being understood begins with speaking Dutch Begrijpen en begrepen worden begint met het spreken van de Nederlandse taal The Dutch language links us all Wat leest u in deze folder? 1.

Nadere informatie

liniled Cast Joint liniled Gietmof liniled Castjoint

liniled Cast Joint liniled Gietmof liniled Castjoint liniled Cast Joint liniled Gietmof liniled is een hoogwaardige, flexibele LED strip. Deze flexibiliteit zorgt voor een zeer brede toepasbaarheid. liniled kan zowel binnen als buiten in functionele en decoratieve

Nadere informatie

Support Center GIS-Flanders

Support Center GIS-Flanders Support Center GIS-Flanders Our mission: Ensuring the optimal use of geographic information in Flanders Het Ondersteunend Centrum GIS-Vlaanderen is

Nadere informatie

Organizational Change Driven by Vision & Courage

Organizational Change Driven by Vision & Courage Organizational Change Driven by Vision & Courage Breda, 26 Maart 2013 12 Juni 2006 H R U P D A T E H O T L I N E : ++ 4 1 2 1 6 1 8 6 1 1 8 2 Why do we need to change? All affiliates have full fledged

Nadere informatie

Aim of this presentation. Give inside information about our commercial comparison website and our role in the Dutch and Spanish energy market

Aim of this presentation. Give inside information about our commercial comparison website and our role in the Dutch and Spanish energy market Aim of this presentation Give inside information about our commercial comparison website and our role in the Dutch and Spanish energy market Energieleveranciers.nl (Energysuppliers.nl) Founded in 2004

Nadere informatie

Contents. Introduction Problem Definition The Application Co-operation operation and User friendliness Design Implementation

Contents. Introduction Problem Definition The Application Co-operation operation and User friendliness Design Implementation TeleBank Contents Introduction Problem Definition The Application Co-operation operation and User friendliness Design Implementation Introduction - TeleBank Automatic bank services Initiates a Dialog with

Nadere informatie

Fidelity of a Strengths-based method for Homeless Youth

Fidelity of a Strengths-based method for Homeless Youth Fidelity of a Strengths-based method for Homeless Youth Manon krabbenborg, Sandra Boersma, Marielle Beijersbergen & Judith Wolf s.boersma@elg.umcn.nl Homeless youth in the Netherlands Latest estimate:

Nadere informatie

Maturity van security architectuur

Maturity van security architectuur Renato Kuiper Principal Consultant LogicaCMG renato.kuiper@logicacmg.com LogicaCMG 2006. All rights reserved Over de spreker Renato Kuiper Principal consultant Information Security bij LogicaCMG Hoofdredacteur

Nadere informatie

IT risk management voor Pensioenfondsen

IT risk management voor Pensioenfondsen IT risk management voor Pensioenfondsen Cyber Security Event Marc van Luijk Wikash Bansi Rotterdam, 11 Maart 2014 Beheersing IT risico s Het pensioenfonds is verantwoordelijk voor de hele procesketen,

Nadere informatie

CSRQ Center Rapport over onderwijsondersteunende organisaties: Samenvatting voor onderwijsgevenden

CSRQ Center Rapport over onderwijsondersteunende organisaties: Samenvatting voor onderwijsgevenden CSRQ Center Rapport over onderwijsondersteunende organisaties: Samenvatting voor onderwijsgevenden Laatst bijgewerkt op 25 november 2008 Nederlandse samenvatting door TIER op 5 juli 2011 Onderwijsondersteunende

Nadere informatie

Future Driven Value Creation 02-12-2013

Future Driven Value Creation 02-12-2013 Future Driven Value Creation 02-12-2013 Programma 16:30 Introductie en toelichting op het thema 17.15 Vraagstelling en individueel bezinnen 17:45 Break en broodjes 18:15 Break out sessies (2 groepen) en

Nadere informatie

Introduction Henk Schwietert

Introduction Henk Schwietert Introduction Henk Schwietert Evalan develops, markets and sells services that use remote monitoring and telemetry solutions. Our Company Evalan develops hard- and software to support these services: mobile

Nadere informatie

Verwachtingen rapport

Verwachtingen rapport Het proces van aanwerving en selectie van de kandidaten voor de functie: Project: Exemplary recruitment process 17.04.2014 14:11 1. INTRODUCTIE Dit rapport vertegenwoordigd de verwachtingen van de toekomstige

Nadere informatie

Business as an engine for change.

Business as an engine for change. Business as an engine for change. In the end, the success of our efforts will be measured against how we answered what we have found to be the fundamental question: how do we love all the children, of

Nadere informatie

Alcohol policy in Belgium: recent developments

Alcohol policy in Belgium: recent developments 1 Alcohol policy in Belgium: recent developments Kurt Doms, Head Drug Unit DG Health Care FPS Health, Food Chain Safety and Environment www.health.belgium.be/drugs Meeting Alcohol Policy Network 26th November

Nadere informatie

Firewall van de Speedtouch 789wl volledig uitschakelen?

Firewall van de Speedtouch 789wl volledig uitschakelen? Firewall van de Speedtouch 789wl volledig uitschakelen? De firewall van de Speedtouch 789 (wl) kan niet volledig uitgeschakeld worden via de Web interface: De firewall blijft namelijk op stateful staan

Nadere informatie

De Samenhang tussen Dagelijkse Stress en Depressieve Symptomen en de Mediërende Invloed van Controle en Zelfwaardering

De Samenhang tussen Dagelijkse Stress en Depressieve Symptomen en de Mediërende Invloed van Controle en Zelfwaardering De Samenhang tussen Dagelijkse Stress en Depressieve Symptomen en de Mediërende Invloed van Controle en Zelfwaardering The Relationship between Daily Hassles and Depressive Symptoms and the Mediating Influence

Nadere informatie

Introduction to IBM Cognos Express = BA 4 ALL

Introduction to IBM Cognos Express = BA 4 ALL Introduction to IBM Cognos Express = BA 4 ALL Wilma Fokker, IBM account manager BA Ton Rijkers, Business Project Manager EMI Music IBM Cognos Express Think big. Smart small. Easy to install pre-configured

Nadere informatie

KLANT = AGENT AGENT = KLANT

KLANT = AGENT AGENT = KLANT KLANT = AGENT AGENT = KLANT KENNISMANAGEMENT BIJ T-MOBILE INHOUD 1. Visie 2. Nieuwe kennisbank 3. Aanpak 4. Lessons learned 5. Stand van zaken na 1 jaar 6. Wij doen het zo! 1 VISIE OP KENNISMANAGEMENT

Nadere informatie

De bijsluiter in beeld

De bijsluiter in beeld De bijsluiter in beeld Een onderzoek naar de inhoud van een visuele bijsluiter voor zelfzorggeneesmiddelen Oktober 2011 Mariëtte van der Velde De bijsluiter in beeld Een onderzoek naar de inhoud van een

Nadere informatie

Synergia - Individueel rapport

Synergia - Individueel rapport DOELSTELLING : Ensuring sufficient funding for projects in cost-generating departments of 16.04.2014 16.04.2014 13:53 1. Inleiding Deze inleiding is vrij te bepalen bij de aanmaak van het rapport. 16.04.2014

Nadere informatie

INFORMATIEBIJEENKOMST ESFRI ROADMAP 2016 HANS CHANG (KNAW) EN LEO LE DUC (OCW)

INFORMATIEBIJEENKOMST ESFRI ROADMAP 2016 HANS CHANG (KNAW) EN LEO LE DUC (OCW) INFORMATIEBIJEENKOMST ESFRI ROADMAP 2016 HANS CHANG (KNAW) EN LEO LE DUC (OCW) 14 november 2014 2 PROGRAMMA ESFRI Roadmap, wat is het en waar doen we het voor? Roadmap 2016 Verschillen met vorige Schets

Nadere informatie

Hoe start ik een test competence center of excellence? Thomas Veltman 1-5-2012

Hoe start ik een test competence center of excellence? Thomas Veltman 1-5-2012 Hoe start ik een test competence center of excellence? Thomas Veltman 1-5-2012 10 jaar ervaring met TCoE 2 Iedereen heeft zijn eigen verhaal Opdracht Gever Development Leverancier Tester Manager TCoE Test

Nadere informatie

Resultaten Derde Kwartaal 2015. 27 oktober 2015

Resultaten Derde Kwartaal 2015. 27 oktober 2015 Resultaten Derde Kwartaal 2015 27 oktober 2015 Kernpunten derde kwartaal 2015 2 Groeiend aantal klanten 3 Stijgende klanttevredenheid Bron: TNS NIPO. Consumenten Thuis (alle merken), Consumenten Mobiel

Nadere informatie

Advanced Instrumentation. Hans van Gageldonk, Henk Hoevers, Gerard Cornet. 10 Oktober 2012

Advanced Instrumentation. Hans van Gageldonk, Henk Hoevers, Gerard Cornet. 10 Oktober 2012 Advanced Instrumentation Hans van Gageldonk, Henk Hoevers, Gerard Cornet 10 Oktober 2012 Agenda Wat is Advanced Instrumentation? Hoe past Advanced Instrumentation in de keten van fundamenteel onderzoek

Nadere informatie

Uitwegen voor de moeilijke situatie van NL (industriële) WKK

Uitwegen voor de moeilijke situatie van NL (industriële) WKK Uitwegen voor de moeilijke situatie van NL (industriële) WKK Kees den Blanken Cogen Nederland Driebergen, Dinsdag 3 juni 2014 Kees.denblanken@cogen.nl Renewables genereren alle stroom (in Nederland in

Nadere informatie

The downside up? A study of factors associated with a successful course of treatment for adolescents in secure residential care

The downside up? A study of factors associated with a successful course of treatment for adolescents in secure residential care The downside up? A study of factors associated with a successful course of treatment for adolescents in secure residential care Annemiek T. Harder Studies presented in this thesis and the printing of this

Nadere informatie

Enterprise Open Source. Business case. Power to Innovate 2015 1

Enterprise Open Source. Business case. Power to Innovate 2015 1 Enterprise Open Source. Business case. Power to Innovate 2015 1 Agenda 1 Mooie belofte 2 Business doelen 3 Alternatieve oplossingen 4 Voorkeur uitwerken 5 Business Case Power to Innovate 2015 2 1 Mooie

Nadere informatie

Competencies atlas. Self service instrument to support jobsearch. Naam auteur 19-9-2008

Competencies atlas. Self service instrument to support jobsearch. Naam auteur 19-9-2008 Competencies atlas Self service instrument to support jobsearch Naam auteur 19-9-2008 Definitie competency The aggregate of knowledge, skills, qualities and personal characteristics needed to successfully

Nadere informatie

Continuous testing in DevOps met Test Automation

Continuous testing in DevOps met Test Automation Continuous ing in met Continuous testing in met Marco Jansen van Doorn Tool Consultant 1 is a software development method that emphasizes communication, collaboration, integration, automation, and measurement

Nadere informatie