Atlantic International University,

Honolulu, Hawaii 96813

THESIS

CLOUD COMPUTING AND SECURITY,

Case study SECURITY MECHANISM AND PILLARS OF
ERPS ON CLOUD TECHNOLOGY

By MBANZABUGABO Jean Baptiste, ID# UD30956SCO39530

School: Science and Engineering

Program: Doctorate
Major: Computer Science

October , 2015, Kigali - RWANDA

1

DECLARATION
I, MBANZABUGABO Jean Baptiste, ID# UD30956SCO39530 do declare that this research
thesis is my own work. I have to the best of my knowledge acknowledged all authors and/or sources
from where I got information. I further declare that this work has not been submitted to any
University or research institute for the award of a degree or any of its equivalents.

DEDUCTION

To God Almighty,
For his protection, care and who has always been with me during the difficult time in my life.
To my regret father NTAWUSEKANARYO Dominic,
To my mother MUKANKUSI Athanasie,
To the Daddy Pierre Bultez,
To my brothers and sisters: Consulate, Nathalie, Rose, Claver, Samson, Tomas, Lewis and Samuel.
For their love and prayers.
To the family of NTEZIRYAYO Christophe, MUKAMAN Devine, MAHINA N.Jacob
For their moral support.

With love and gratitude, I dedicate this thesis.

ACKNOWLEDGEMENTS

First and foremost, I thank the God our creator for all the good things and life he has given to me
including the success in my studies. You have answered my prayers and desires whenever I have
asked for assistance, you provide to me with strength to go and make everything happen. Therefore
I will praise you.
This thesis would not have been possible without the guidance of AIU academic team and Dr.
Edward Lambert who are well known with the generous help and support.
Special thanks to all respondents for important information which contributed highly and positively
to analyze the scope and all about the research matter and hence the result is found.

I am very grateful to all of the IT consultants, Business Leading companies, Web hosting
companies, IT Managers of Higher Learning Institution in Kigali, cloud computing solution
companies and providers for their time to answer my question and doubt via interview, e-mails,
posts , I will awere all your contributions.

TABLE OF CONTENTS
DECLARATION ..................................................................................................................................................... 2
DEDUCTION......................................................................................................................................................... 3
ACKNOWLEDGEMENTS ....................................................................................................................................... 4
ABSTRACT ........................................................................................................................................................... 6
CHAPTER 1. GENERAL INTRODUCTION AND BACKGOUND OF THE STUDY ........................................................ 7
1.0 Introduction .............................................................................................................................................. 7
1.2. DESCRIPTION AND BACKGROUND OF THE STUDY................................................................................... 7
1.3. GENERAL ANALYSIS AND PROBLEM OF INVESTIGATION ........................................................................ 8
1.4 GENERAL OBJECTIVE OF THE STUDY ...................................................................................................... 10
1.4.1 SPECIFIC OBJECTIVES: ......................................................................................................................... 11
1.5 METHOD OF INVESTIGATION ................................................................................................................. 11
CHAPTER 2. CURRENT INFORMATIONAND REFERENTIAL FRAMEWORK ........................................................ 12
CHAPTER 3. DISCUSSION AND THEORETICAL FRAMEWORK ............................................................................ 15
CHAPTER 4: RESULTS OF THE STUDY ................................................................................................................ 25
MANAGERIAL AND POLICY IMPLICATIONS ................................................................................................... 26
GENERAL CONCLUSION .................................................................................................................................... 30
REFERENCES AND BIBLIOGRAPHY .................................................................................................................... 31

ABSTRACT
Cloud computing is one of the latest innovations of IT which claims to be all capable of driving the
future world of IT within minimum costs. This concept of cloud computing being one side widely
accepted by normal users while on the other hand majority of the Organizations have some serious
security concerns before moving to this form of IT evolution.
Critics have raised concerns about privacy and security associated with unauthorized access and
use of information stored in the cloud for malicious purposes (McCreary 2008). A commonplace
observation is that while cloud providers offer sophisticated services, their performances have been
weak in policies and practices related to privacy and security (Wittow & Buller 2010; Greengard &
Kshetri 2010).
Businesses and consumers have expressed distrust in the cloud and are cautious in using it to store
high-value data or sensitive information. Due to weak security, the cloud arguably remains a
largely nascent technology (Stewart 2010) and critics have argued that its costs may outweigh the
benefits (Tillery 2010).
This research, would seek to argue that issues related to ERPs security and privacy in the cloud
system and how they can be addressed if and only if there are Security Mechanism and pillars that
will ensure the praiseworthiness of confidentiality to the legitimates users of the service.
It was found that fear has been that intellectual property and other sensitive information stored in
the cloud could be stolen. Worse still, cloud providers may not notify their clients about security
breaches. Evidence indicates that many businesses tend to underreport cybercrimes due to
embarrassment, concerns related to credibility and reputation damages and fears of stock price
drops. The fears can be eradicated via the implementation of authentication pillar with which the
cloud service provider guaranty an asynchronous system with data replication to be looked-in and
data integrity to be bilateral on one eye viewer another.
Keywords
Cloud, ERP on-premises, Cloud ERP, ERP Providers, cloud users, Third-party service provider,
Information Linking, Information Leakage, Intruders, Data in Transit, Data at Rest, Data in Use,
Service Outsourcing and Data Risk Management, on-premise ERP and massive data storage,
Intrusion Detection system, Virtual private network Novel Cloud dependability model, Hadoop Distribution
system and Security Framework.
6

CHAPTER 1. GENERAL INTRODUCTION AND BACKGOUND OF THE STUDY

1.0 Introduction
Cloud computing involves hosting applications on servers and delivering software and services via
the Internet. In the cloud computing model, companies can access computing power and resources
on the cloud and pay for services based on usage. Institutions are the rules of the game and
include formal constraints (rules, laws, constitutions), informal constraints (norms of behavior,
conventions, and self-imposed codes of conduct), and their enforcement characteristics.
This research, would seek to argue that issues related to ERPs security and privacy in the cloud
system and how they can be addressed if and only if there are Security Mechanism and pillars that
will ensure the praiseworthiness of confidentiality to the legitimates users of the service.

1.2. DESCRIPTION AND BACKGROUND OF THE STUDY

Cloud computing is one of the latest innovations of IT which claims to be all capable of driving the
future world of IT within minimum costs. This concept of cloud computing being one side widely
accepted by normal users while on the other hand majority of the Organizations have some serious
security concerns before moving to this form of IT evolution.
Organizations are moving to cloud computing technologies (hereinafter: the cloud) to perform
increasingly strategic and mission critical functions. At the same time, companies are facing
pressures and challenges to protect information assets belonging to their customers and other
sensitive data McCafferty, 2010). Unsurprisingly security, privacy and availability are among the
topmost concerns in their cloud adoption decisions rather than the total cost of ownership (Brodkin
2010). The cloud is a double-edged sword from the security standpoint. For organizations that lack
technological and human resources to focus on security third parties in the cloud can provide lowcost security (Kshetri 2010). Cloud computing users, on the other hand, face several separate but
related security risks (Talbot 2010).
The cloud poses various technological as well as institutional challenges. The cloud-related legal
system and enforcement mechanisms are evolving more slowly compared to the technology
development. Privacy, security and ownership issues related to data stored on cloud currently fall
into legally gray areas (Bradley 2010). Some argue that an organization, rather than the cloud
provider, is likely legally responsible if customer data stored in the cloud are compromised
7

(Zielinski 2009). A second criticism is that there has been arguably a disturbing lack of respect for
essential privacy among major cloud providers (Larkin 2010, p. 44). For instance, in a complaint
filed with the Federal Trade Commission (FTC), the Electronic Privacy Information Center (EPIC)
argued that Google misrepresented the privacy and security of its users data (Wittow & Buller
2010). Cloud providers are also criticized on the ground that they do not conduct adequate
background security investigations for their employees (Wilshusen 2010). This issue is rather
important since significant proportions of cybercrimes are associated with malicious insiders.
Likewise, new bugs and vulnerabilities targeting the cloud are proliferating (Brynjolfsson et al.
2010).
Critics have raised concerns about privacy and security associated with unauthorized access and use
of information stored in the cloud for malicious purposes (McCreary 2008). A commonplace
observation is that while cloud providers offer sophisticated services, their performances have been
weak in policies and practices related to privacy and security (Wittow & Buller 2010; Greengard &
Kshetri 2010).
Businesses and consumers have expressed distrust in the cloud and are cautious in using it to store
high-value data or sensitive information. Due to weak security, the cloud arguably remains a
largely nascent technology (Stewart 2010) and critics have argued that its costs may outweigh the
benefits (Tillery 2010). According to an IDC report released by the research firm, International Data
Corporation (IDC) in October 2008, security concern was the most serious barrier to cloud adoption
for organizations. Organizations rightfully worry about hidden costs associated with security
breaches or lawsuits tied to data privacy restrictions (Zielinski 2009).

1.3. GENERAL ANALYSIS AND PROBLEM OF INVESTIGATION

Cloud computing and Security is a new buzzword in the business industry today. The idea leading
to cloud computing paradigm is that the computing resources and software are available to the end
user, whether an organisation or an individual, in a virtualized environment (cloud) and the user can
access it on demand and using a pay as you go approach. These services in industry are
respectively referred to as Infrastructure as a Service (Iaas), Platform as a Service (PaaS), and
Software as a Service (SaaS) (Hayes, 2009). One of the issues faced by the organisations in the
world today is need to make the organisational data globally accessible while taking into account the
intra organisational and extra-organisational data and a cloud can be a very enabling medium for
achieving this.
8

Enterprise resource planning software is an enormous piece of software that integrates the entire
organisation into one giant entity while capturing, changing and automating the organizational
processes.
Chances of a successful implementation of an ERP in an organisation are less. Also, it takes sizeable
amount of manpower, cost and effort to deploy and maintain the ERP. An entire ERP application
being outsourced is a relatively new idea and has been under discussion frequently for its
advantages and some latent disadvantages. In todays world with such economic conditions, it
becomes imperative for an organization to reduce its operating costs while increasing overall
efficiency with the same amount of resources and to fulfill consumer demands simultaneously. This
is where a cloud and secured based ERP can really help an organisation, if not for some very
pertinent disadvantages that have to be overcome to make this a more viable option to a best of
breed or an off the shelf ERP solution, globally.
Cloud computing can also help to divert the attention of the dedicated workforce away from
maintenance and development and direct it towards the core processes that actually benefit the
organisation in a much better way.
Barriers to adoption of a cloud computing are organisation specific based on massive data Security.
However, there are some common issues that push organisations towards the adoption of such a
system. These comprise of cost savings, fault tolerance, on demand service, scalability and
flexibility, massive data storage, reliance and compliance of data formats.
The Concerns todays regarding a cloud based system include security, scalability, ease of
migration and licensing issues. There are some notable disadvantages that need to be overcome.
A very pertinent issue is regarding the security of the organizational data. Since the data is stored
in the cloud, an organization does not have a direct control over it. The security of the
organizational data is the responsibility of the service provider and this throws up a lot of issues
for an organization to consider before and after migrating to a cloud based Systems. Another
important issue is of a possible vendor lock in that might disallow the organisation to migrate to
another service provider when it desires it. Another issue is what if cloud service provider
releases the organizations confidential data.
However, there are four different types of Clouds Figure 1-2, according to Huth and Cebula (2011),
users can subscribe to any type of these clouds depending on their needs:

1. Public cloud - A public cloud can be accessed by any subscriber with an internet connection
and access to the cloud space.
2. Private cloud - A private cloud is established for a specific group or organization and limits
access to just that group.
3. Community cloud - A community cloud is shared among two or more organizations that
have similar cloud requirements.
4. Hybrid cloud - a hybrid cloud is essentially a combination of at least two Clouds, where the
Clouds included are a mixture of public, private, or community.

Figure 1-2 Types of Clouds, according to Huth and Cebula (2011)

1.4 GENERAL OBJECTIVE OF THE STUDY

The general objective of this study is to investigate the possible long and short term advantages and
the disadvantages that an organisation can derive from the adoption of a cloud based Systems and/or
Cloud based ERP and the potential security and confidentiality threats associated with the cloud
computing based service.

10

1.4.1 SPECIFIC OBJECTIVES:

To Identify current cloud computing security protocols and framework

To analyse if a cloud systems and ERP could prove to be a suitable alternative to the
traditional on-premise ERP and for local, massive data storage accessibility

To ascertain the merits and demerits of a cloud computing Technology and suggest best
practices as of the security concerns to be implemented as pertinent solution regarding the
security of the organizational data stored in the current world of Cloud systems.

1.4.2 RESEARCH QUESTION

What are the various security techniques being used by the leading Cloud Computing
providers to prevent unauthorized access to data within the Cloud?

How the data is being transferred and retrieved between the Cloud and a local network based
ERPS?

What organizational and Environmental factors impact the adoption of cloud computing?

How can we guaranty Cloud users to fear not about security problems that are expected in
future Cloud Computing?

1.5 METHOD OF INVESTIGATION

Systematic and proactive methods were adopted in collecting data from a population of interest. It
tends to be quantitative in nature and aims to collect information from a sample of the population
such that the results are representative of the population within a certain degree of error fee.
The data collection procedure is based on interviews with IT partners of cloud ERP providers, ERP
seminars, IT consultants and ERP users. IT professional comments from social media blogs are
another source of data to be used in this research. The data collection consists also of interviews
with several companies in the manufacturing field that considers the adoption of cloud ERP. It was
necessary to visit specific institution that implement ERP system and received information from
several Cloud service provider companies.
The interviews was based on open questions and built objectively without interfering or guiding the
respondents to specific answers. The other data sources are collected from the scholar studies and
recent articles that focus on cloud services outsourcing and cloud ERP.
11

CHAPTER 2. CURRENT INFORMATIONAND REFERENTIAL FRAMEWORK

ERP systems are currently the prevailing form of business computing and storage for many large
organisations in the private and public sector (Gable, 1998). An ERP manages and integrates all the
business functions in an organisation and this makes it much more than simple software that take no
thought to acquire (Boykin, 2001; Chen, 2001; Yen, Chou, & Chang, 2002). Organizations view
ERP-enabled standardization as a vital means to integrate dispersed organizational systems and
provide a seamless access to information organization-wide (Osterle et. al, 2000).
ERP stores and processes data and allows it to be accessed in an appropriate format, while stretching
beyond the organisational boundaries (Gupta, 2000) (Al-Mashari & Zairi, 2000) (Gardiner et al,
2002). Because these systems touch so many aspects of a companys it internal and external
operations, their successful deployment and use are critical to organizational performance and
survival (Tanis et. al, 2000).
One of the major challenges in ERP adoption is flexibility with the integration of newly-acquired
business functionalities into its data processing systems with the minimum time possible (Gupta,
2000). The flexibility of ERP systems refers to the extent to which an ERP system may be
dynamically reconfigurable to define new business models and processes (Stedman, 1999).
In the near-term perspective, managers find ERP implementation projects the most difficult systems
development projects (Wilder and Davis, 1998).
The online delivery of the software has been a long standing dream of the software vendors and
distributors, alike. Sato et al. (1999) and Bennett et al. (2000) put forward several areas for future
research, including integrating ERP and other systems on the Internet. Cloud computing is a fairly
established system and has been in the offering since 2000-01 (Bennett et al., 2000). The concept is
deceptively simple and logical. Instead of buying the the license for an application like an ERP
software and then installing it on a machine, it is much cheaper and convinient to lease the
application from a company that created the software (Dubey & Wagle, 2007).
A Cloud is a type of parallel and distributed system consisting of a collection of interconnected and
virtualised computers that are dynamically provisioned and presented as one or more unified
computing resources based on service-level agreements established through negotiation between the
service provider and consumers (Fox, 2009 ; Buyya, et al., 2008). Applications built on cloud
12

architectures run in-the-cloud where the physical location of the infrastructure is determined by the
provider (Varia, 2008) and is abstracted from the organisation, thus allowing the focus to shift from
IT to business innovation. The benefits of cloud computing are widely discussed in practice,
focusing on increased agility, availability, flexibility, cost savings and interoperability (Kim, 2009).
The separation of service provider from infrastructure provider has made it much easier for new
services to be established online quickly and with low financial risk, and to scale those, services as
demand dictates (Murray, 2009 ; Buyya, 2009). Using someone elses infrastructure on a pay-peruse basis converts the fixed costs into a variable cost based on actual consumption , reducing initial
investment and risk (Buyya, et al., 2008) (Fox, 2009). Also the demand for online services can be
very variable and poor response due to overload can risk losing customers (Pandey, et al. , 2009).
Cloud computing provides easy scalability and the flexible creation and dismantling of resources
that customers need only temporarily for special projects or peak workloads (Leavitt, 2009 ; Fox,
2009 ; ECONOMIST, 2009) giving it choice and control over its infrastructure. The ability to scale
the use of cloud power to match the demand also mitigates the risk of failure (ECONOMIST,2009)
while making the organisations more adaptable.
Cloud based ERP has a much smaller time scale for configuration and deployment. This has a
fundamental impact on the agility of a business and the reduction of costs associated with time
delays (ISACA, 2009 ; Hayes, 2009) allowing organisations to realise the competitive advantage at
a much earlier stage than the non adapters. Organisational data is available and accessible globally
through internet improving the overall collaboration in the organsation (Scale, 2009 ; Armbrust, et
al., 2009).
When data is stored beyond the organisation, even with lock-tight security and data management
standards, there are confidentiality and privacy risks associated with this model, not to mention
potential industrial sabotage (Fox, 2009 ; Leavitt, 2009 ; Pandey et al., 2009 ; Das et al.,2009). Also,
with a distributed application architecture, there is no possibility for local customization and
development an you are limited to the interface the service provider gives you (Fox, 2009).
Besides security, there are legal and regulatory issues that need to be taken care of. When moving
applications and data to the Cloud, the providers may choose to locate them anywhere on the planet
(Pandey et al., 2009) which subjects it to the laws of that country. For example, specific
cryptography techniques could not be used because they are not allowed in some countries.
Performance concerns may stop some companies from using cloud computing for transaction
13

oriented and other data-intensive applications (Leavitt, 2009) (Hayes, 2009). Cloud services have
reduced the cost of content storage and delivery, but they can be difficult to use for non-developers,
as each service is best utilised via unique web services, and have their own unique quirks. (Tari, et
al., 2009). A user could also get a nasty surprise if they have not understood what they will be
charged for (Broberg, et al., 2008). Vendor lock-in is another problem that an organisation may have
to face if they want to migrate towrds a new service provider. (Armbrust, et al., 2009).
People are focusing on the core technologies that will lead their business forward over the next five
years and want to know how to manage varying degrees of risk wisely. They are wary of making a
complete jump in computing ideology in one fell swoop (ECONOMIST, 2010)

14

CHAPTER 3. DISCUSSION AND THEORETICAL FRAMEWORK

The learning style assessment was undertaken by the researcher adopted from Kolb and McCarthy
(1984). The results indicated that the researchers style is one of the interpretivist and a diverger.
Research, according to (Smith & Dainty, 1991), is concerned with problem solving investigating
relationships and building on the body of knowledge. It is a plan or design with the view to finding a
solution to the research problem by social workers. Formulating and clarifying the research topic is
the most important aspect of the research project as it is the starting point of the entire process
(Alvesson & Skoldberd, 2000 ; Ghauri & Gronhaug, 2005 ; Mouton & Marais, 1990).
To understand the pros and cons of a cloud based ERP system impacted on security, it is essential,
that the background of the cloud based systems and virtualization of resources is established along
with the factors that may affect the bias of the subject (Denzin & Lincoln, 1998 ; Bogdan & Biklen,
1992).
Qualitative research contributes to discovery and theory-building (Gilles, 2000) which is what is
being attempted by the researcher here with respect to a cloud based ERP with a deep consideration
of security.
Qualitative techniques based on the interpretation of non-numerical data can provide meaning to
human behaviour missing in quantitative data (Rossman & Marshall, 1999 ; Creswell, 1994). It
seeks to develop sensitizing concepts and the meanings of central themes in the life world of the
subjects (Maykut & Morehouse, 1994). Acquisition of an ERP is a major decision which affects the
organisation on multiple levels. The intangible factors related to changes and its adaptability or
competitive advantage, are difficult to quantify and a qualitative approach is a better suited mode of
research here. Qualitative approach is based on the belief that the persons are actors who take an
active role in responding to situations and the realisation that the response is based on a certain
meaning (Strauss & Corbin, 1990 ; Rossman & Rallis, 2003). The understanding of this meaning is
defined and redefined through interaction with sensitivity to conditions and the relationship between
condition, action and the result. Qualitative analysis allows for finer differences to be brought to
light which will allow the researcher to investigate his case thoroughly. Denzin & Lincoln, (1998)
summarise the characteristics of this approach as enabling the researcher to study phenomena in
their natural settings, while attempting to interpret these phenomena in terms of the meanings people
bring to them.
15

Every organisation may have its own reasons to either acquire or shun a cloud based ERP systems
and these factors are unique to each organisation which reflects the disposition of the organisation
lending itself to being subjective.
Issues revolving around privacy, and ownership and access to data raise interesting questions in the
cloud. As a visual aid, Figure 1 schematically represents how privacy and security issues in the
cloud are tightly linked to the institutional and technological environments.
Various characteristics of the cloud affect organizations perceptions of confidentiality, integrity,
and availability of the
cloud (Left part of Figure
1). Formal and informal
institutions, on the other
hand, affect perception of
legitimacy

and

trustworthiness

of

the

cloud (Right part of Figure

1).

Assessment

of

institutional

and

technological
and

facilitators

inhibitors

organizations

affect
adoption

decisions (Figure 1).

Figure

1.

Cloud

Computing Model - Open

Secure Architecture
Institutional

actors

responses lag behind the

technological

changes

(Katyal

Brenner

2004).

2001;

Moreover,

institutional actors vary in their timing of responses. For instance, whereas trade and professional
associations and industry standard organizations are taking measures to respond to security and
16

privacy issues in the cloud, government agencies have been slow to adopt necessary legislative,
regulatory and other measures to monitor users and providers of the cloud.
THE CLOUDS NEWNESS AND UNIQUE VULNERABILITIES
The clouds newness and uniqueness present special problems. With the evolution and popularity of
virtualization technology, new bugs, vulnerabilities and security issues are being found
(Brynjolfsson et al. 2010). The cloud, however, is not a familiar terrain for most IT security
companies. A lack of mechanisms to guarantee security and privacy has been an uncomfortable
reality for many cloud providers.
Virtualization as one of the implementational model of Cloud Technology, it has found that a user
may be able to access to the providers sensitive portions of infrastructure as well as resources of
other client environments that are managed by the same cloud provider
Figure 2. Cloud computing Layers according to Gartner, 2009.
Experts argue that such vulnerabilities
could have more adverse impacts in the
cloud than in an on-premise computing
(Owens 2010).
The cloud is also forensically challenging
in the case of a data breach. For instance,
some public cloud systems may store and
process data in different jurisdictions,
which vary in terms of laws related to
security, privacy, data theft, data loss and
intellectual property theft (McCafferty
2010). Some organizations may encrypt
their data before storing in the cloud.

17

NATURE OF THE ARCHITECTURE

Virtual and dynamic
The virtual and dynamic nature of the cloud computing architecture deserves mention. For one
thing, the shared and dynamic resources of the cloud such as CPU and networking reduce control
for the user and tend to pose new security issues not faced by on-premise computing. A related point
is that these characteristics of the cloud allow data and information to distribute widely across many
jurisdictions. The locations where data are stored may vary in laws regarding security, privacy, data
theft, and protection of intellectual property (McCafferty 2010).
Virtualization is the primary security mechanism in the cloud, despite their insulation from the
customer, run on physical systems; virtualization environments are not necessarily bug-free.
Sophistication and complexity
The clouds security related problems can also be linked to its sophisticated and complex
architecture. In April 2010, U.S. and Canada-based researchers published a report on a sophisticated
cyber-espionage network, which they referred as Shadow network. The targets included the Indian
Ministry of Defense, the United Nations, and the Office of the Dalai Lama. The report noted:
Clouds provide criminals and espionage networks with convenient cover, tiered defenses,
redundancy, cheap hosting and conveniently distributed command and control architectures
(IWMSF 2010).
Another problem concerns the clouds complexity. An important trend facilitated by the cloud is
social media, which are arguably corporate security nightmare (BBW 2010). In the Shadow case
noted above, the cyber-espionage network combined social networking and cloud platforms,
including those of Google, Baidu, Yahoo!, Twitter, Blogspot and blog.com with traditional
command and control servers (IWMSF 2010).

ATTRACTIVENESS AND VULNERABILITIES OF THE CLOUD AS A CYBERCRIME

BULL
Earlier we mentioned that the cloud can provide a low cost security due to economies of scales.
However, an unintended downside of cheap services is more security issues.

18

Value of data in the cloud

Target attractiveness depends on offenders perceptions of victims. Prior research indicates that
crime opportunity is a function of target attractiveness, which is measured in monetary or symbolic
value and portability (Clarke 1995). Target attractiveness is also related to accessibility, visibility,
ease of physical access, and lack of surveillance (Bottoms & Wiles 2002). Large companies
networks offer more targets to hackers. Cloud suppliers, which often are bigger than their clients,
are attractive targets. The cloud thus offers a high surface area of attack (Talbot 2010). That is,
information stored in clouds is a potential goldmine for cyber-criminals (Kshetri 2010a). In late
2009, Google explained that the company discovered a China-originated attack on its
infrastructures. The company further noted that the attack was part of a larger operation, which
infiltrated infrastructures of at least 20 other large companies.
Criminal-controlled clouds
The cloud is potentially most vulnerable, especially when viewed against the backdrop of criminal
owned-clouds operating in parallel. Just like diamond is the only material hard enough to cut
diamond effectively, criminal-owned clouds may be employed to effectively steal data stored in
clouds. The cloud may provide many of the same benefits to criminals as for legitimate businesses.
The well-known Conficker virus, which reportedly controls 7 million computer systems at 230
regional and country top-level domains and has a bandwidth capacity of 28 terabits/second, is
arguably the worlds biggest cloud and probably the most visible example of a criminal-owned
cloud. Just like legitimate clouds, Conficker is available for rent. Cybercriminals can choose a
location they want to rent Conficker and pay according to the bandwidth they want and choose an
operating system (Mullins 2010).

INSTITUTIONAL ENVIRONMENT
Institutional theory is described as a theory of legitimacy seeking (Dickson et al., 2004, p. 81). To
gain legitimacy, organizations adopt behaviors irrespective of the effect on organizational efficiency
(Campbell 2004). Institutional influence on adoption decisions related to the cloud becomes an
admittedly complex process when providers and users of the cloud have to derive legitimacy from
multiple sources such as employees, clients, client customers, professional and trade associations
and governments.
19

Scott (2001) proposed three institutional pillars:

(i) Regulative;
(ii) Normative
(iii) Cognitive.
These pillars relate to legally sanctioned, morally governed and recognizable, taken-forgranted behaviors respectively.
The cloud industry is undergoing a major technological upheaval. In such situations, for various
actors, the institutional context may not provide organizing templates, models for action, and
sources of legitimacy (Greenwood & Hinings 1993). In most cases, such changes create confusion
and uncertainty and produce an environment that lacks norms, templates, and models about
appropriate strategies and structures (Newman 2000). Existing institutions are hopelessly inadequate
and obsolete to deal with the security and privacy problems facing the cloud industry. For instance,
cloud computing has challenged traditional institutional arrangements and notions about auditing
and security.

THE NATURE OF REGULATIVE INSTITUTIONS RELATED TO THE CLOUD

INDUSTRY
Regulative institutions consist of explicit regulative processes: rule setting, monitoring, and
sanctioning activities, regulative institutions consist of regulatory bodies adhere to the rules so that
they would not suffer the penalty for noncompliance of the system.
Laws to deal with data on the cloud
The importance of regulative institutions such as laws, contracts and courts in the cloud industry
should be obvious if this industry is viewed against the backdrop of the current state of security
standards. In the absence of radical improvements in security technology, such institutions become
even more important.
The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to
the cloud technology development. Compliance frameworks such as SOX, HIPAA and PCI-DSS
(Payment Card Industry Data Security Standard) do not clearly define the guidelines and
requirements for data stored on the cloud (Bradley 2010). Cloud computing thus poses various
20

challenges and constraints for companies that have responsibilities to meet stringent compliance
related to these frameworks and reporting requirements for their data (McCafferty 2010; NW 2010).
The cloud has several important new and unique features, which create problems in writing
contracts. For instance, an analysis of the contracts between Google and Computer Sciences
Corporation (CSC) with the City of Los Angeles indicated several problems related to data breach
and indemnification of damages. Google was a CSC subcontractor in the arrangement. An attorney
analyzing the case noted that some of the complexity in the case would have been avoided if the
term "lost data" was defined more clearly in the contracts (NW 2010).
While some experts understandably argue that it would not be practical to hold cloud providers
liable for everything, current regulations are heavily biased in favor of cloud providers. For instance,
in the event of a data breach in the cloud, the client, not the vendor, may be legally responsible
(Zielinski 2009). However, cloud providers are required to keep sensitive data belonging to a federal
agency within the country. While Google Apps are FISMA certified for its government cloud,
which is not necessarily the case for the private industry (Brodkin 2010).
Regulatory overreach
There have been concerns about possible overreach by law enforcement agencies. The FBI's audits
indicated the possibility of overreach by the agency in accessing Internet users information
(Zittrain 2009).
For some analysts, the biggest concern has been the governments increased ability to access
business and consumer data and censor and a lack of constitutional protections against these actions
(Talbot 2010). The cloud is likely to make it easier for governments to spy on citizens. Governments
worldwide, however, differ in their approach to and scale of web censorship and surveillance.
Especially, the cloud is likely to provide authoritarian regimes a fertile ground for cyber-control
activities.

THE NATURE OF NORMATIVE INSTITUTIONS RELATED TO THE CLOUD

INDUSTRY
Normative components introduce a prescriptive, evaluative, and obligatory dimension into social
life (Scott 1995, p. 37). This component focuses on the values and norms held by individuals and
organizations that influence the functioning of the cloud industry. Practices that are consistent with
21

and take into account the different assumptions and value systems are likely to be successful
(Schneider 1999).
Professional associations measures
Compared to established industrial sectors, in nascent and formative sectors such as cloud
computing, there is no developed network of regulatory agencies. For instance, there are few, if any,
national or international legal precedents for the cloud industry (McCafferty 2010). As a
consequence, there is no stipulated template for organizing, and thus pressures for conformity are
less pronounced (Greenwood & Hinings 1996). In such settings, professional and trade associations
may emerge to play unique and important roles in shaping the industry (Kshetri & Dholakia 2009).
These associations norms, informal rules, and codes of behavior can create order, without the laws
coercive power, by relying on a decentralized enforcement process where noncompliance is
penalized with social and economic sanctions (North 1990).
Various professional and trade associations are also constantly emerging and influencing security
and privacy issues in the cloud in new ways as a result of their expertise and interests in this issue.
A visible example is the Cloud Security Alliance (CSA) (www.cloudsecurityalliance.org), a group
of information security professionals. The CSA is working on a set of best practices as well as
information security standards for cloud providers (Crosman 2010).
Industry standards and certification programs
Some argue that industry standards organizations may address most of the user concerns related to
privacy and security in the cloud industry (Object Management Group 2009). Organizations such as
Object Management Group (OMG), the Distributed Management Task Force (DMTF), the Open
Grid Forum (OGF), and the Storage Networking Industry Association (SNIA) have made efforts to
address security and privacy concerns in the cloud industry (Wittow & Buller 2010).
There are no formal processes for auditing cloud platforms. Analysts argue that auditing standards
to assess a service providers control over data (e.g., SAS 70) or other information security
specifications (e.g., the International Organization for Standardizations ISO 27001) are insufficient
to deal with and address the unique security issues facing the cloud (Brodkin 2010). Note that these
standards and specifications were not developed specifically for the cloud computing.

22

THE NATURE OF COGNITIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY

Cognitive institutions are closely associated with culture (Jepperson, 1991). These components
represent culturally supported habits that influence cloud providers and users behaviors. In most
cases, they are based on subconsciously accepted rules and customs as well as some taken-forgranted cultural account of cloud use (Berger & Luckmann 1967). Scott (1995, p. 40) suggests that
cognitive elements constitute the nature of reality and the frames through which meaning is made.
Cognitive programs are built on the mental maps of individual cloud users and thus function
primarily at the individual level (Huff 1990). Compliance in cognitive legitimacy concerns is due to
habits. Organizations and individuals may not even be aware that they are complying.
Perception of vendors integrity and capability
In particular concern is the users dependency on cloud vendors security assurances and practices.
Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be
protected from one another (Armbrust et al. 2010). After several readings, Inspections have shown
that potential cloud adopters are concerned about the possibility that service providers security
might have ineffective or noncompliant controls, which may lead to vulnerabilities affecting the
confidentiality, integrity, and availability of data (Wilshusen 2010). Organizations are also
concerned that cloud providers may use insecure ways to delete data once services have been
provided (Wilshusen 2010).
Admittedly, data theft, denial-of-service attacks by users, threats from other users, and bugs are not
the only-and not the biggest-problem associated with the cloud. There is also a high degree of
temptation for the cloud providers or their employees to engage in opportunistic behavior (Armbrust
et al. 2010). The cloud thus may also increase exposure to organizational vulnerabilities to insider
risks. Indeed, malicious insider risks are among the most important risks that the cyberspace faces.
According to a report released by the FBI in 2006, over 40% of attacks originate inside an
organization (Regan 2006). Some have raised concerns that service providers do not conduct
adequate background security investigations of their employees (Wilshusen 2010).
One fear has been that intellectual property and other sensitive information stored in the cloud
could be stolen. Worse still, cloud providers may not notify their clients about security breaches.
Evidence indicates that many businesses tend to underreport cybercrimes due to embarrassment,
concerns related to credibility and reputation damages and fears of stock price drops. Many of the

23

cyber-attacks go unnoticed or may go unnoticed for long periods of time. An organizations data in
the cloud may be stolen but it may not ever be aware that such incidents had happened.
Cloud users inertia effects
It is quite possible that organizational inertia1 may affect the lens through which users view security
and privacy issues in the cloud. Organizational inertia may constraint a firm's ability to exploit
emerging opportunities such as cloud computing. An inertia effect is likely to adversely influence an
organizations assessment of the cloud from the security and privacy standpoints.
Reduction in control is an obvious concern. Cloud users dont have access to the hardware and other
resources that store and process their data. There is no physical control over data and information in
the cloud (Wilshusen, 2010). A case in point is Google. The company provides security and privacy
assurances to its Google Docs users unless the users publish them online or invite collaborators.
However, Google service agreements explicitly make it clear that the company provides no
warranty or bears no liability for harm in case of Googles negligence to protect the privacy and
security.
Just as vital is preference for localness. From the standpoint of security, most users prefer
computing to be local. Organizations arguably ask: who would trust their essential data out there
somewhere?.

24

CHAPTER 4: RESULTS OF THE STUDY

Cloud computing is the latest technology revolution in terms of usage and management of IT
resources and services driven largely by marketing and service offerings from the largest IT vendors
including Google, IBM, Microsoft, and HP along with Amazon, VMware and associated thirdparties.
The interpretation of results was mainly based on
Technology awareness
Service Level Agreement (SLA)
Attached Secure Socket Layer (ASSL)
Role Based Access Control
Identity based Authentication
Third party Auditor
Proof of retrievability
Multi tenancy based access control
Intrusion Detection system
Virtual private network infrastructure
A Novel Cloud dependability model
Hadoop Distribution of files to cloud system
Virtual machine Security based model
Trust and Trusted Transactions and data movements
Hypervisor of Viruses
Risk of multiple cloud tenants
Legal Interception
Ensure strong Authentication and Access controls
25

 Increased efforts to mitigate harmful codes and legal responsibility

Data protection at both design and run time
Service Cost and Availability

For instance, barriers associated with newness and inertia effects are likely to decline over time. On
the other hand, as the penetration level, width and depth of cloud increases, it is likely to be a more
attractive cybercrime target.
One implication of the dynamic aspects of the model is that institutions change over time in the
cloud industry. The idea of institutional field can be helpful in understanding this dynamic. A field
is formed around the issues that become important to the interests and objectives of specific
collectives of organizations. For a field formed around privacy and security in the cloud, these
organizations include regulatory authorities, providers and users of the cloud as well as professional
and trade association. The content, rhetoric, and dialogue among these constituents influence the
nature of field formed around the security and privacy issues associated with the cloud.

MANAGERIAL AND POLICY IMPLICATIONS

The model presented in this paper also has implications for management practice and public policy.
Most cloud providers services come with no assurance or promise of a given level of security and
privacy. Cloud providers lack policies and practices related to privacy and security. Nor is that their
only problem. Cloud providers have also demonstrated a tendency to reduce their liability by
proposing contracts with the service provided as is with no warranty (McCafferty 2010).
Perception of ineffectiveness or noncompliance of cloud providers may thus act as a roadblock to
organizations cloud adoption decisions. In this regard, above analysis indicates that security and
privacy measures designed to reduce perceived risk as well as transparency and clear
communication processes would create a competitive advantage for cloud providers.
The newness and uniqueness of the cloud often mean that clients would not know what to ask for in
investment decisions. An understanding of model would also help organizations take technological,
behavioral and perceptual/attitudinal measures. The users of the cloud are functioning on the
assumption that cloud providers take privacy and security issues seriously (Wittow & Buller 2010).
However, against the backdrop of the institutional contexts, this may well be a convenient but
possibly false assumption.

26

The model also leads to useful questions that need to be asked before making cloud related
investments. Given the institutional and technological environment, potential adopters should ask
tough questions to the vendor regarding certification from auditing and professional organizations
(e.g., AICPA), locations of the vendors data centers, and background check of the vendors
employees, etc.
The above analysis suggest that a one size fits all' approach to the cloud cannot work. The model
presented in Figure 1 would also help in making strategic decisions. For instance, organizations may
have to make decisions concerning combinations of public and private clouds. For instance, the
public cloud is effective for an organization handling high-transaction/low-security or low data
value (e.g., sales force automation). Private cloud model, on the other hand, may be appropriate for
enterprises that face significant risk from information exposure such as financial institutions and
health care provider or federal agency. For instance, for medical-practice companies dealing with
sensitive patient data, which are required to comply with the HIPAA rules, private cloud may be
appropriate.

Today, accurately or not, businesses are concerned about issues such as privacy, availability, data
loss (e.g., shutting down of online storage sites), data mobility and ownership (e.g., availability of
data in usable form if the user discontinues the services). Cloud providers are criticized on the
ground that they do not answer questions and fail to give enough evidence to trust them. In this
regard, many of the user concerns can be addressed by becoming more transparent.
Since geographic dispersion of data is an important factor associated with cost and performance of
the cloud, an issue that deserves mention relates to regulatory arbitrage. Experts expect that
countries update their laws individually rather than to act in a multilateral fashion (TR 2010).
Economies worldwide vary greatly in terms of the legal systems related to the cloud. Due to the
newness, jurisdictional arbitrage is higher for the cloud compared to the IT industry in general. In
this regard critics are concerned that cloud providers may store sensitive information in jurisdictions
that have weak laws related to privacy, protection and availability of data (Edwards 2009).
Anecdotal evidence suggests that due to increasingly important roles in national security, many high
technology sectors are characterized by a high degree of protectionism. The atmosphere of suspicion
and distrust among states can lead to such protectionism. To capture the feelings that accompany
intergovernmental distrust, consider the U.S.China trade and investment policy relationship.
27

Chinese leaders are suspicious about possible cyber-attacks from the U.S. There has been a deep
rooted perception among Chinese policy-makers that Microsoft and the U.S. government spy on
Chinese computer users through secret back doors in Microsoft product. Chinese leaders thus may
be uncomfortable with the idea of storing data on clouds provided by foreign multinationals. U.S.
policy makers are equally concerned about Chinese technology firms internationalization. The
above analysis indicates that such concerns are likely to be even more prominent in cloud
computing.
Cyber-espionage has been an obvious application of the cloud. If there is any lesson that recent
major cyber-espionage activities teach, it is that countries with strong cyber-spying and cyberwarfare capabilities such as China will be in a good position to exploit the clouds weaknesses for
such activities.
In view of the technological capabilities of extra-legal and illegal organizations, one area that
deserves attention is the escalation of economic and industrial espionage activities such as
intellectual property theft. There have been reports that U.S. government agencies such as the
Defense Department as well as private companies have been targets and victims of such activities24.
It is thus reasonable to expect that the cloud may enable an upgrade of these activities to industrial
espionage.
Nonetheless, security and privacy issues in the developing world need to be viewed in the context of
weak defense mechanisms of organizations. Information technologys follow diffusion concept can
be helpful in understanding a weak defense. Many companies in developing countries lack
technological and human resources to focus on security. Hollow diffusion can be human-related
(lack of skill and experience) or technology-related (inability and failure to use security products)
(Otis & Evans 2003). Especially for developing-based organizations that do not deal with highvalue and sensitive data the cloud may provide low-cost security to address some of the securityrelated human and technological issues.
Providers and users of the cloud face additional challenges in developing economies. Various
aspects of the institutional environment may weaken the clouds value proposition and discourage
investors. In many developing countries, factors such as corruption, the lack of transparency, and a
weak legal system can exacerbate security risks. The high-profile attacks on Google cloud allegedly
by China-based hackers in 2009 were an eye opener for the cloud industry.

28

A final issue that deserves mention relates to the impacts of clouds controlled by the developing
world players on security issues of industrialized countries. It is tempting for global cloud players to
use cheaper hosting services in developing countries. Cyber-criminals, however, find it more
attractive to target rich economies.

29

GENERAL CONCLUSION

It has been sorely defined cloud computing as management and provision of different resources,
such as, software, applications and information as services over the cloud (internet) on demand.
Cloud computing is based on the assumption that the information can be quickly and easily accessed
via the net. With its ability to provide dynamically scalable access for users, and the ability to share
resources over the Internet, cloud computing has recently emerged as a promising hosting platform
that performs an intelligent usage of a collection of services, applications, information and
infrastructure comprised of pools of computers, networks, information and storage resources. Cloud
computing is a multi-tenant resource sharing platform, which allows different service providers to
deliver software as services and deliver hardware as services in an economical way. However along
with these advantages, storing a large amount of data including critical information on the cloud
motivates highly skilled hackers, thus creating a big constraint to business data owners, therefore
there is a need for the security pillars and confidentially mechanism to be considered and
implemented as one of the top solution of the burning issues while considering Cloud Computing
technology so that Legitimate as well as illegitimate organizations and entities can be ensured to do
not gaining access to data on the cloud through illegal, extralegal, and quasi-legal means.
One fear has been that intellectual property and other sensitive information stored in the cloud could
be stolen. Worse still, cloud providers may not notify their clients about security breaches. Evidence
indicates that many businesses tend to underreport cybercrimes due to embarrassment, concerns
related to credibility and reputation damages and fears of stock price drops.
The fears can be eradicated via the implementation of authentication pillar with which the cloud
service provider guaranty an asynchronous system with data replication to be looked-in and data
integrity to be bilateral on one eye viewer another.
Despite all, Rwandans found cloud technology to be a solution since there is fear of if uncertain
disaster on business big data but also the cost matter of cloud service not limited to service assess
since Internet and infrastructure remain as challenging and barrier to this innovative tech, one way
solution is Internet to be available, rule set to protect online and remote system as well as cost
rational.

30

REFERENCES AND BIBLIOGRAPHY

Dubey, A., & Wagle, D. (2007, May). Delivering software as a service. The McKinsey Quarterly
Web Exclusive .
ISACA. (2009). Cloud Computing: Business Benefits With Security, Governance and Assurance
Perspectives. Rolling Meadows, USA: ISACA Emerging Technology.
Kim, W. (2009). Cloud Computing: Today and Tomorrow. Journal of object technology , 8 (1).
ECONOMIST. (2009, November 10). Cloud Computing : Economist Debate. Retrieved December
13, 2009, from http://www.economist.com: /debate/files/view/CSC_Cloud_Computing_Debate0.pdf
Al-Mashari, M., & Zairi, M. (2000). Supply-chain re-engineering using enterprise-resource planning
(ERP) systems: an analysis of a SAP R/3 implementation case,. International Journal of Physical
Distribution & Logistics Management , 30 (3/4), 296-313.
Alvesson, M., & Skoldberd, K. (2000). Reflexive Methodology. SAGE Publications Ltd.
Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Lee, G., et al. (2009). Above the Clouds: A
Berkeley View of Cloud Computing. University of California at Berkley, USA, Technical Report
No. UCB/EECS-2009-28,.
Babbie, E., & Mouton, J. (2001). The practice of social research. Cape Town: Oxford University
Press.
Bazeley, P. (2004). Issues in Mixing Qualitative and Quantitative Approaches to Research. In R.
Buber, J. Gadner, & L. Richards (Eds.), Applying Qualitative Methods to Marketing Management
Research (pp. 141-56.). Palgrave Macmillan.
Bennett, K., Layzell, P., Budgen, D., Brereton, P., Macaulay, L., & Munro, M. (2000). Servicebased software: the future for flexible software. Seventh Asia-Pacific Software Engineering
Conference (pp. 214-221). APSEC .
Bingi, P., Sharma, M. K., & Godla, J. K. (1999). Critical issues affecting an ERP implementation.
Information Systems Management , 16 (3), 7-14.

31

Bogdan, R., & Biklen, S. K. (1992). Qualitative research for education: An introduction to theory
and methods. Boston: Allyn and Bacon.
Bolender, J. (1998, April). Factual Phenomenalism: a Supervenience Theory. SORITES , pp. 16-31.
Boykin, R. F. (2001). Enterprise resource-planning software: a solution to the return material.
Computers in Industry , 45, 99-109.
Broberg, J., Buyya, R., & Tari, Z. (2008). MetaCDN: Harnessing Storage Clouds for high
performance content delivery. Technical Report GRIDS-TR-2008-11, Grid Computing and
Distributed Systems Laboratory, University of Melbourne, Australia.
Bryman, A., & Bell, E. (2003). Business Research Methods. Oxford: Oxford University Press.
Bulkeley, W. M. (1996). A cautionary network tale: Fox Meyers high-tech gamble. Wall Street
Journal Interactive Edition .
Buyya, R. (2009). Market-Oriented Cloud Computing: Vision, Hype, and Reality of Delivering
Computing as the 5th Utility. 9th IEEE/ACM International Symposium on Cluster Computing and
the Grid.
Buyya, R., Yeo, C. S., & Venugopal, S. (2008). Market-oriented Grids and Utility Computing: The
State-of-the-art and Future Directions. Journal of Grid Computing , 6 (3), 255-276.
Chen, I. J. (2001). Planning for ERP systems: analysis and future trend. Business Process
Management Journal , 7 (5), 374-86.
Creswell, J. (1994). Research Design: Quantitative and Qualitative Approaches. Thousand Oaks,
CA: Sage.
Das, A., Reddy, R., Reddy, S., & Wang, L. (2009). Information Intelligence in Cloud ComputingHow can Vijjana, a Collaborative, Self-organizing, Domain Centric Knowledge Network Model
Help. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence
Research: Cyber Security and Information Intelligence Challenges and Strategies. Oak Ridge,
Tennessee: ACM NewYork.
Davenport, T. (1998). Putting the Enterprise into the Enterprise System. Harvard Business Review ,
121-131.
David, M., & Sutton, C. (2004). Social Research: The Basics . London: Sage Publications Ltd .
32

Denzin, N. K., & Lincoln, Y. S. (1998). The landscape of qualitative research: Theories and issues.
Thousand Oaks: Sage Publications.
Du Plooy, G. M. (2001). Communication Research: Techniques, Methods and Applications,. Juta:
Landsowne.
Dubey, A., & Wagle, D. (2007, May). Delivering software as a service. The McKinsey Quarterly
Web Exclusive .
ECONOMIST. (2009, November 10). Cloud Computing : Economist Debate. Retrieved December
13, 2009, from http://www.economist.com: /debate/files/view/CSC_Cloud_Computing_Debate0.pdf
Elliot, R. (1995). Therapy process research and clinical practice : Practical strategies. Research
foundations for psychotherapy practice , 49-72.
Firestone, W. (1987). Meaning in method: The rhetoric of quantitative and qualitative research.
Educational Researcher , 16 (7), 16-21.
Fox, R. (2009). Library in the clouds. OCLC Systems & Services , 25 (3), 156-161.
Gable, G. (1998). Large package software: a neglected technology. Journal of Global Information
Management , 6, 34.
Gardiner, S. C., Hanna, J. B., & LaTour, M. S. (2002). ERP and the re-engineering of industrial
marketing processes: a prescriptive overview for the new-age marketing manager. Industrial
Marketing Management , 31, 357-365.
Ghauri, P., & Gronhaug, K. (2005). Research methods in business studies: A practical guide. Essex
: England: Pearson Education Limited.
Gilles, L. (2000). Improving the external validity of marketing models: A plea for more qualitative
input. International Journal of Research in Marketing , 17, 177.
Glaser, B. G., & Strauss, A. L. (1967). The Discovery of Grounded Theory: Strategies for
Qualitative Research. New York: Aldine Publishing Company.
Glass, R., & Vessey, I. (1999). Enterprise Resource Planning Systems: Can They Handle the
Enhancement Changes Most Enterprises Required ? Proceedings of First International Workshop
on Enterprise Management and Enterprise Resource Planning Systems: Methods, Tools and
Architectures.
33

Glasser, B. (1992). Basics of Grounded Theory Analysis: Emergence Versus Forcing. Mill Valley,
CA: Sociology Press.
Glasser, B. (1978). Theoretical sensitivity: Advances in the methodology of grounded theory. Mill
Valley: CA: Sociology Press .
Gray, D. E. (2004). Doing Research in the Real World. London: Sage Publications.
Guba, E. G., & Lincoln, Y. S. (1994). Competing paradigms in qualitative research : Handbook of
Qualitative Research. Sage.
Gupta, A. (2000). Enterprise resource planning:the emerging organizational value systems.
Industrial Management & Data Systems , 100 (1).
Hayes, B. (2009). Cloud computing. Communications of the ACM , 51 (7), 9-11.
Hoffer, J. A., Valacich, J. S., & George, J. F. (1999). Modern Systems Analysis and Design.
Reading, MA: Addison Wesley.
Kolb, D. A., & Fry, R. (1975). Toward an applied theory of experiential learning. London, UK:
John Wiley.
Kolb, D. (1984). Experiential Learning experience as a source of learning and development. New
Jersey: Prentice Hal.
Kvale, S. (1996). Interviews: An Introduction to Qualitative Research Interviewing. London: Sage
Publications.
Leavitt, N. (2009). Is cloud computing really ready for prime time? Computer , 42 (1), 15-20.
Leedy, P. D. (1997). Practical Research : Planning and Design. New Jersey: Prentice Hall.
Light, B. (2001). The maintenance implications of the customization of ERP Software. JOURNAL
OF SOFTWARE MAINTENANCE AND EVOLUTION: RESEARCH AND PRACTICE , 13, 415
429.
Lincoln, Y. S., & Guba, E. G. (1985). Naturalistic inquiry. Beverly Hills: Sage Publications.
Lindolf, T. R., & Taylor, B. C. (2002). Qualitative Communication Research Methods, . Thousand
Oaks, California: Sage .
34

Markus, M. L., & Tanis, C. (2000). The enterprise systems experience from adoption to success.
In Framing the Domains of IT Research: Glimpsing the Future Through the Past , 173--207.
Markus, M. L., Axline, S., Petrie, D., & Tanis, C. (2000). Learning from adopters experiences with
ERP: problems encountered and success achieved. Journal of Information Technology , 15, 245
265.
Marshall, M. N. (1996). Sampling for qualitative research (Vol. 13). Fam Pract.
Mason, J. (2002). Qualitative Researching,. London: Sage.
Maxwell, J. A. (1992). Understanding and validity in qualitative research. Harvard Educational
Review , 62 (3), 279-300.
Maykut, P., & Morehouse, R. (1994). Beginning Qualitative Research: A Philosophic and Practical
Guide. London: The Falmer Press.
Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis (2 ed.). London: Sage.
Mouton, J., & Marais, H. J. (1990). Basic Concepts: The Methodology of the Social Sciences . South
Africa: HSRC Press.
Murray, P. (2009). Enterprise Grade Cloud Computing. Hewlett Packard .
Osterle, H., Fleisch, E., & Alt, R. (2000). Business Networking. Berlin: Springer.
Pandey, S., Buyya, R., & Vecchiola, C. (2009). Cloudbus Toolkit for Market-Oriented Cloud
Computing. In Proceeding of the 1st International Conference on Cloud Computing
(CloudCom2009). Beijing, China: Springer: Germany.
Parr, A., & Shanks, G. (2000). A Model of ERP Project Implementation. Journal of Information
Technology , 15 (4), 289-304.
Patton, M. Q. (2001). Qualitative evaluation and research methods. Thousand Oaks: Sage
Publications.
Rossman, C., & Marshall, G. B. (1999). Designing qualitative research. Thousand Oaks: Sage
Publications.
Rossman, G. B., & Rallis, S. F. (2003). Learning in the field: an introduction to qualitative
research. Sage Publications.
35

Saunders, M., Lewis, P., & Thornhill, A. (2003). Research Methods for (3 ed.). Harlow: Prentice
Hall.
Scale, M. S. (2009). Cloud computing and collaboration. Library Hi Tech New , 26 (9), 10-13.
Smith, N. C., & Dainty, P. (1991). Management Research Handbook. London: Routledge.
Spens, K. M., & Kovacs, G. (2006). A content analysis of research approaches in logistics research.
International Journal of Physical Distribution and Logistics Management , 36 (5), 374-390.
Stedman, C. (1999). Tracking changes - a must in ERP projects; business users sometimes fail to
realize importance. Computerworld , pp. 41-2.
Stiles, W. B. (1993). Quality control in qualitative research. Clinical Psychology Review , 13, 593 618.
Strauss, A., & Corbin, J. (1990). Basics of Qualitative Research. Newbury Park, CA: Sage.
Symon, G., & Cassell, C. (1994). Qualitative research in work contexts. Thousand Oaks, CA: Sage
Publications.
Tari, Z., Buyya, R., & Broberg, J. (2009). Creating a Cloud Storage Mashup for High
Performance, Low Cost Content Delivery. Proc. Service-Oriented Computing--ICSOC 2008
Workshops (pp. 178183). Berlin: Springer.
The Economist. (2009, Oct 15). Cloud Computing: Clash of the clouds. Retrieved Dec 10, 2009,
from http://www.economist.com: /displaystory.cfm?story_id=14637206
Varia, J. (2008). Cloud Architectures. Amazon Web Services .
Cloud Computing Explained: Implementation Handbook for Enterprises, Recursive Press, ISBN
0956355609, 2009
Hadoop, the Definitive Guide, OReilly Media, ISBN: 978-0-596-52197-4, 2010
Distributed and Cloud Computing, 1st edition, Morgan Kaufmann, 2011.
Clarke, R. V. (1995). Situational crime prevention. In M. Tonry & D. P. Farrington (Eds.), Building
a safer society. Strategic approaches to crime (pp. 91150). University of Chicago Press.
Crosman, P. (2009). Securing The Clouds, Wall Street & Technology, December 1, pp.23.
36

Dean, T. J., & Meyer, G. D. (1996). Industry Environments and New Venture Formations in U.S.
Manufacturing: a Conceptual and Empirical Analysis of Demand Determinations. Journal of
Business Venturing, 11, 107-132.
Del Nibletto, P. (2010). The seven deadly sins of cloud computing, March 19, 2010, available at
http://www.itbusiness.ca/it/client/en/home/News.asp?id=56870.
Edwards, J. (2009). Cutting Through the Fog of Cloud Security. Computerworld, 43(8), 26-29.
ENSIA. (2009). Cloud Computing: Benefits, risks and recommendations for information security.
IWMSF (Information Warfare Monitor/Shadowserver Foundation), Shadows In The Cloud:
Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver
Foundation, JR03-2010, April 6, 2010, available at http://www.utoronto.ca/mcis/pdf/shadows-inthe-cloud-web.pdf.
Jepperson, R. (1991). Institutions, institutional effects, and institutionalism. In W. W. Powell & P. J.
DiMaggio (eds.). The new institutionalism in organizational analysis (pp. 143163). Chicago:
University of Chicago Press.
Katyal, N. K. (2001). Criminal law in cyberspace. University of Pennsylvania Law Review, 149(4),
10031114.
Kshetri, N. (2007). The Adoption of E-Business by Organizations in China: An Institutional
Perspective, Electronic Markets, 17(2), 113-125
Kshetri, N. (2010a). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10),
47-55.
Kshetri, N. (2010b). The Global Cyber-crime Industry: Economic, Institutional and Strategic
Perspectives. New York, Berlin and Heidelberg: Springer-Verlag.
Larsen, E., & Lomi, A. (2002). Representing change: A system Model of organizational inertia and
capabilities as dynamic accumulation processes. Simulation Model Practice and Theory, 10(5), 271296. Martin, J. A. (2010). Should You Move Your Business to the Cloud?. PC World, Apr 2010,
28(4), 29-30. Martnez-Cabrera, A. (2010). Security in the computing cloud a top concern, March 6,
2010, available at http://articles.sfgate.com/2010-03-06/business/18378297_1_cyber-security-czarhoward-schmidt-qualys-rsa.
37

Messmer, E. (2010). Cloud computing providers working in secret. Network World, July
12, 2010, 27(13), 10-11. Messmer, E. (2010). Secrecy of cloud computing providers raises IT
security risks, available at http://www.mis-asia.com/news/articles/secrecy-of-cloud-computingproviders-raises-it-security-risks.
Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says
the

biggest

cloud

providers

are

botnets,

March

22,

2010,

available

at

http://www.networkworld.com/community/node/58829?t51hb.
NW (Network World). (2010). Inside the cloud security risk, 27(13), p. 11. Newman, K. L. (2000).
Organizational transformation during institutional upheaval.
Stewart, B. (2010). Apple Keeps iTunes Out of the Cloud. Information Today, Oct 2010, 27(9), 4646.
Sturdevant, C. (2010). Seeding security into the cloud. eWeek, March 15, 2010, 27(6), 38-38.
Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.
Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing
systems. Computer Law & Security Review, May 2010, 26(3), 304-308.
Tillery,

S.

(2010).

How

Safe

Is

the

Cloud?,

available

at

http://www.baselinemag.com/c/a/Security/How-Safe-Is-the-Cloud-273226.
Vizard, M. (2010). Assessing the Risks of Cloud Computing, Oct 11, 2010, available at
http://www.itbusinessedge.com/cm/blogs/vizard/assessing-the-risks-of-cloudcomputing/?cs=43712.
Wilshusen, G. C. (2010). Information Security Federal Guidance Needed to Address Control Issues
with Implementing Cloud Computing. GAO Reports, July 1, 2010, preceding pp. 1-48.
Wittow, M. H., & Buller, D. J. (2010). Cloud Computing: Emerging Legal Issues for Access to
Data, Anywhere, Anytime. Journal of Internet Law, Jul 2010, 14(1), 1-10.
Zielinski, D. (2009). Be Clear on Cloud Computing Contracts. HR Magazine, Nov, 54(11), 63-65.

38

39