Literature Review for icloud

Case Study and the newly revise SLP 1 you have done.

During Module 2, your project assignment is to develop a strategy for searching out key sources within the literature that will meet the needs you identified in your Module 1 SLP. By “strategy,” we mean a list of steps that you will take to identify the sources that you need. These sources may include professional writing such as journal articles or conference presentations, technical reports or other sources of technical data, analyses and opinions presented by knowledgeable experts regarding your problem, or any other kinds of information that you identified a need for in module 1. Hopefully, you will be able to identify a way of gathering information about everything that you identified as a need earlier.

Specifically, you are to prepare a short paper describing your information sources and the steps you will undertake to obtain what information you need. This might involve library research, consultation with other experts, online searching using a variety of tools, or other mechanisms. For each kind of information you seek, you should present here a set of steps by which you can obtain it and incorporated into your project.

This strategy description should be accompanied by two or three specific sources that you have been able to obtain thus far. These might be copies of journal articles or other sources. The point is to show that your strategy has at least begun to pay off in terms of providing the kind of source material you will need to develop your literature review overall.

A Case Study Exploration of Strategies to Avoid Cloud Computing Data Breaches
Submitted by
Michael Osei-Amanfi
A Dissertation Presented in Partial Fulfillment
of the Requirements for the Degree
Doctorate of Business Administration
Grand Canyon University
Phoenix, Arizona
December 11, 2018





ProQuest Number: 13423232



All rights reserved


INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.







ProQuest 13423232
Published by ProQuest LLC (2018 ). Copyright of the Dissertation is held by the Author.

All rights reserved.
This work is protected against unauthorized copying under Title 17, United States Code
Microform Edition © ProQuest LLC.


ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 – 1346
© by Michael Osei-Amanfi, 2018
All rights reserved.
GRAND CANYON UNIVERSITY
A Case Study Exploration of Strategies to Avoid Cloud Computing Data Breaches
I verify that my dissertation represents original research, is not falsified or plagiarized,
and that I accurately reported, cited, and referenced all sources within this manuscript in
strict compliance with APA and Grand Canyon University (GCU) guidelines. I also
verify my dissertation complies with the approval(s) granted for this research
investigation by GCU Institutional Review Board (IRB).
_____________________________________________
Michael Osei-Amanfi
November 5, 2018
______________________
Date
Abstract
The purpose of this qualitative single case study was to explore the available strategies IT
leaders at ABC, a Managed IT Services company in the SME sector in Columbus, Ohio, may
use to avoid data breaches in the cloud environment. The security framework established by
the Cloud Security Alliance (CSA) provided the conceptual framework for this study. A
purposeful sampling strategy was used to select 10 IT leaders to participate in the study. Data
were gathered through open-ended, semi-structured individual face-to-face interviews,
asynchronous discussions through e-mails, and reviews of company-provided documents.
An inductive thematic analysis was used to analyze all the data collected in the study. The
following six major themes emerged from the data relating to descriptions of the data security
threats and vulnerabilities facing IT leaders in the cloud, and the strategies they may use to
avoid a breach of their data: (1) managing the human factor, (2) managing the network
environment, (3) types of data security threats, (4) people pose the most significant risk, (5)
elements of an effective strategy, and (6) addressing password issues. The results indicated
that IT leaders face multifaceted data security threats in the cloud and these could be
addressed through a combination of strategies including user education, securing the
network, limiting user access to IT resources, and addressing password issues.
Keywords: cloud computing, data breaches, effective strategies, IT leaders
vi
Dedication
I dedicate this Dissertation to all my children, upon whom I wish to impress upon
the following: Grow up, then get a doctorate!
vii
Acknowledgments
A heartfelt thank you to my Dissertation Committee, Alen Badal, Ph.D., Heather
Miller, Ph.D., and Zeeshan (Shawn) Khan, DBA, for providing the assistance I needed to
complete this once in a lifetime project. You mentored, coached, and guided me every
step of the way, I am exceedingly grateful to every one of you. I also want to thank
Stephanie Zywicki, Ph.D., my first Academic Quality Reviewer, and Luis Zayas, Ph.D.,
my second Academic Quality Reviewer, for their extensive feedback and guidance. A
special thank you to the individuals who willingly participated in this study and the senior
management of ABC; I cannot identify you or your company, but you know yourselves!
This project could not have been possible without your participation – thank you so
much! A big shout-out to my fellow doctoral learner and friend, Patsy Wilson! I remain
truly inspired by the beauty of your character. Kellie Rice, you were my support team all
by yourself, thank you! Vanessa Gattis, Ph.D., Antoinette James, Ed.D., Isaac Nortey
Darko, Ph.D., and Rae Elvis Daniel, Ed.D., thank you for going out of your way to
provide guidance, feedback, and inspiration. Former professors, Milan Frankl, Ph.D., and
Michele Vincenti, Ph.D., of the University Canada West, thank you for encouraging me
to pursue higher education. Finally, a much deserved thank you to Patrick H. Parker of
Dublin, Ohio, the man who truly inspired my journey. He said to me “you explain things
like someone with a doctorate!” And he said it with such complete belief, I had to prove
him right!
viii
Table of Contents
List of Tables ……………………………………………………………………………………………………. xiii
List of Figures …………………………………………………………………………………………………… xiv
Chapter 1: Introduction to the Study…………………………………………………………………………1
Introduction ……………………………………………………………………………………………………..1
Background of the Study …………………………………………………………………………………..2
Problem Statement ……………………………………………………………………………………………4
Purpose of the Study …………………………………………………………………………………………5
Research Questions …………………………………………………………………………………………..6
Advancing Scientific Knowledge and Significance of the Study …………………………….8
Rationale for Methodology ………………………………………………………………………………10
Nature of the Research Design for the Study………………………………………………………11
Definition of Terms…………………………………………………………………………………………14
Assumptions, Limitations, Delimitations …………………………………………………………..16
Assumptions…………………………………………………………………………………………..16
Limitations and delimitations. ………………………………………………………………….17
Summary and Organization of the Remainder of the Study ………………………………….20
Chapter 2: Literature Review …………………………………………………………………………………25
Introduction to the Chapter and Background to the Problem ………………………………..25
Historical background. …………………………………………………………………………….27
Identification of the Gap ………………………………………………………………………………….31
Conceptual Framework ……………………………………………………………………………………33
Review of the Literature ………………………………………………………………………………….37
IT outsourcing. ……………………………………………………………………………………….37
ix
Cloud computing technology. …………………………………………………………………..42
Threats to data security in the cloud. …………………………………………………………56
Methodology and instrumentation. ……………………………………………………………65
Summary ……………………………………………………………………………………………………….68
Chapter 3: Methodology ……………………………………………………………………………………….73
Introduction ……………………………………………………………………………………………………73
Statement of the Problem …………………………………………………………………………………74
Research Questions …………………………………………………………………………………………75
Research Methodology ……………………………………………………………………………………78
Research Design……………………………………………………………………………………………..81
Population and Sample Selection………………………………………………………………………86
Sources of Data ………………………………………………………………………………………………89
Trustworthiness ………………………………………………………………………………………………95
Credibility. …………………………………………………………………………………………….95
Transferability. ……………………………………………………………………………………….96
Dependability. ………………………………………………………………………………………..97
Confirmability. ……………………………………………………………………………………….97
Data Collection and Management ……………………………………………………………………..99
Permissions and informed consent. …………………………………………………………..99
Subject selection. ………………………………………………………………………………….100
Data collection. …………………………………………………………………………………….100
Data protection. …………………………………………………………………………………….104
Ethical consideration……………………………………………………………………………..105
Data Analysis Procedures ………………………………………………………………………………107
x
Data saturation. …………………………………………………………………………………….110
Ethical Considerations …………………………………………………………………………………..111
Limitations and Delimitations…………………………………………………………………………113
Summary ……………………………………………………………………………………………………..116
Chapter 4: Data Analysis and Results ……………………………………………………………………120
Introduction ………………………………………………………………………………………………….120
Descriptive Findings ……………………………………………………………………………………..122
Setting. ………………………………………………………………………………………………..123
Participant profiles. ……………………………………………………………………………….124
Data sources. ………………………………………………………………………………………..125
Data Analysis Procedures ………………………………………………………………………………133
Preparing the data. ………………………………………………………………………………..133
Analyzing the data. ……………………………………………………………………………….134
Data triangulation. ………………………………………………………………………………..145
Trustworthiness. ……………………………………………………………………………………147
Possible sources of errors. ……………………………………………………………………..150
Results …………………………………………………………………………………………………………151
Research question 1. ……………………………………………………………………………..153
Research question 2. ……………………………………………………………………………..163
Research question 3. ……………………………………………………………………………..175
Summary ……………………………………………………………………………………………………..184
Chapter 5: Summary, Conclusions, and Recommendations ……………………………………..188
Introduction ………………………………………………………………………………………………….188
Summary of the Study …………………………………………………………………………………..191
xi
Summary of Findings and Conclusion……………………………………………………………..195
Research question 1. ……………………………………………………………………………..196
Research question 2. ……………………………………………………………………………..200
Research question 3. ……………………………………………………………………………..205
Summary. …………………………………………………………………………………………….210
Implications………………………………………………………………………………………………….214
Theoretical implications. ……………………………………………………………………….214
Practical implications. ……………………………………………………………………………217
Future implications. ………………………………………………………………………………219
Strengths and weaknesses of the study. ……………………………………………………220
Recommendations …………………………………………………………………………………………223
Recommendations for future research. …………………………………………………….223
Recommendations for future practice. ……………………………………………………..224
References…………………………………………………………………………………………………………227
Appendix A. Site Authorization Letter(s) ………………………………………………………………274
Appendix B. IRB Approval Letter ………………………………………………………………………..275
Appendix C. Informed Consent ……………………………………………………………………………276
Appendix D. Copy of Instruments and Permissions Letters to Use the Instruments …….280
Appendix E. Face-to-Face Interview Protocol………………………………………………………..285
Appendix F. E-mail Interview Protocol …………………………………………………………………288
Appendix G. Participant Recruitment E-mail Letter ……………………………………………….291
Appendix H. Expert Panel Review ……………………………………………………………………….293
Appendix I. List of Codes ……………………………………………………………………………………295
Appendix J. Categories and Related Codes ……………………………………………………………301
Appendix K. Emerged Themes …………………………………………………………………………….305
xii
Appendix L. Matrix Display of Themes ………………………………………………………………..309
Appendix M. Sample Interview Transcripts …………………………………………………………..315
xiii
List of Tables
Table 1. Research Questions With Related Interview and Asynchronous Discussion
Questions …………………………………………………………………………………………….. 93
Table 2. Research Questions With Related Data Sources ……………………………………… 108
Table 3. Job Profile and Gender of Participants …………………………………………………… 125
Table 4. Face-to-Face Interviews of Study Participants ………………………………………… 127
Table 5. Documents Reviewed ………………………………………………………………………….. 132
Table 6. Step 3: Themes With Related High-level Categories ……………………………….. 144
Table 7. Step 4: Research Questions With Related Themes …………………………………… 145
Table 8. Research Questions With Related Themes and High-Level Categories………. 153
Table 9. Participants’ Comments on Managing the Network Environment ……………… 162
Table 10. Participants’ Comments on Types of Data Security Threats ……………………. 169
Table 11. Participants’ Comments on Addressing Password Issues………………………… 182
Table I12. Step 1: List of Codes ………………………………………………………………………… 295
Table J13. Step 2: Categories With Related Codes ………………………………………………. 301
Table K14. Generating Themes Through Analytic Memoing ………………………………… 305
Table L15. Relating Themes to the Research Questions ……………………………………….. 309
xiv
List of Figures
Figure 1: An illustration of the three critical areas of cloud computing security. ………… 36
Figure 2: A simplified illustration of Saldaña’s thematic analysis approach for
recognizing themes in qualitative data (adapted from Saldaña, 2015,
Figure 1.1). ………………………………………………………………………………………… 136
Figure 3: An illustration of the four-step process followed in the thematic analysis
of the data used in the study. ………………………………………………………………… 140
1
Chapter 1: Introduction to the Study
Introduction
Cloud computing is a term for doing business over the Internet with on-demand
and shared access to computing resources on a pay-per-use basis (Oredo & Njihia, 2015).
This profound shift in the way companies consume computing resources allows for the
allocation of information technology (IT) resources and capacity based on actual needs
(Yeboah-Boateng & Essandoh, 2014). Gupta, Seetharaman, and Raj (2013) argued that
the cloud offers small and medium enterprises (SMEs) high-performance computing and
that the current pay-as-you-go pricing model is particularly beneficial for such
companies. Cloud computing holds considerable promise for SMEs through the
expectation of radically reduced IT costs (Carcary, Doherty, & Conway, 2014). However,
uncertainty around data security complicates firms’ adoption of cloud computing (Nicho
& Hendy, 2013). Business executives and IT leaders continue to struggle with the
decision to adopt cloud computing, and thus outsource sensitive corporate data and IT
resources to third-party cloud vendors (Dutta, Peng, & Choudhary, 2013). Nicho and
Hendy stated that data breaches in the cloud environment pose a critical risk for
businesses that use cloud computing. Further research was thus needed to overcome
cloud data security risks and to address concerns of adoption specific to the SME context.
Cloud computing allows firms to outsource IT operations to third-party cloud
computing vendors. The literature identifies various managerial concerns about data
security risks associated with this new IT model (Dutta et al., 2013; Lampe, Wenge,
Müller, & Schaarschmidt, 2013; Nicho & Hendy, 2013; Rieger, Gewald, & Schumacher,
2013; Uchenna, Godwin, Oliver, & Eze, 2015). However, it was not known how IT
2
leaders at ABC, a pseudonym for a Managed IT Services company in the SME sector in
Columbus, Ohio, avoided data breaches in the cloud environment. The intent of this
qualitative single case study was to explore the available strategies IT leaders at ABC
may use to avoid data breaches in the cloud environment. This study offered significant
suggestions for researchers and practitioners in cloud security assessment, as well as in
the approach used to manage cloud adoption. The results of this study contributed to the
existing body of literature by addressing the gap in the current understanding of data
security factors affecting adoption and effective use of cloud computing within the SME
sector.
Chapter 1 introduces the study and provides information on the background of the
study. The chapter presents the problem statement, the study’s purpose, and the research
questions that guided the study. The chapter also explains how the study advanced
scientific knowledge. The rationale for the methodology and the research design,
definition of terms, and clarification of assumptions, limitations, and delimitations
relevant to the study round out the chapter.
Background of the Study
The cloud is an Internet-based technology; therefore, it is vulnerable to data
security threats, risks, and vulnerabilities from computer hackers, viruses, malware, and
worms. The physical location of firms’ data raises confidentiality concerns as cloud
computing adoption implies that firms’ information systems and data will exist outside of
the firms’ premises (Nicho & Hendy, 2013). Gupta et al. (2013) documented that data
security risks present the greatest barrier to companies considering cloud computing
technology. Cloud computing service providers could accidentally expose firms’ private
3
and confidential data to the public (Nicho & Hendy, 2013). Even ethical companies can
unwittingly employ malicious individuals who could compromise firms’ confidential
information (Lampe et al., 2013). Arguably, in-house IT deployments face a similar risk
of insider threats to firms’ confidential information; however, Loske, Widjaja, Benlian,
and Buxmann (2014) pointed out that cloud user organizations have no control over
providers’ employees; therefore, the risk of compromise may be more elevated in the
cloud environment. Although large firms with access to large pools of financial resources
may be able to acquire a hybrid or private cloud to improve the security of confidential
information, SMEs typically lack the resources to do so.
Dutta et al. (2013), Lampe et al. (2013), and Nicho and Hendy (2013) maintained
that the potential breach of an organization’s data in the cloud environment is a likely and
significant risk to cloud user organizations. The Internet offers anonymity for computer
hackers who are willing to attack systems connected to the cloud (Marcum, Higgins,
Ricketts, & Wolfe, 2014). Unlike in-house IT systems, some of which may not require
access to the Internet, cloud computing operates over the Internet (Oredo & Njihia, 2015)
and thus is more at risk of being hacked. Ristov, Gusev, and Donevski (2013) argued that
the cloud also limits security assessments by user organizations due to limited access to
vendors’ internal policies and procedures. A study by the Ponemon Institute (2016) found
that cloud user organizations relied on contract negotiations and legal reviews to evaluate
cloud providers’ data security protections instead of IT security experts and auditors. The
Ponemon Institute’s study further found that cloud providers’ data security protection
capabilities were not a major factor in the decision to adopt cloud services because
4
business units and corporate IT, who were not responsible for IT security, made cloud
service adoption decisions.
According to Somani, Gaur, Sanghi, Conti, and Buyya (2017), many firms have
suffered financial losses because of data breaches in the cloud environment. Holtfreter
and Harrington (2015) reported similar losses among some firms including Zappos due to
online hacking activities by computer hackers. Chou (2013) documented damage to
reputations and loss of confidence among investors from such breaches. Lampe et al.
(2013) documented a deficit of scientific research addressing data security risks facing
organizations in the cloud environment. Lampe et al. suggested that future research
should consider strategies to address data breaches in the cloud environment.
Firms in the SME sector have been slow to embrace the cloud despite the costsaving benefits it offers (Carcary et al., 2014). Studies have identified various data
security risks in cloud computing adoption (Dutta et al., 2013; Lampe et al., 2013; Nicho
& Hendy, 2013; Rieger et al., 2013; Uchenna et al., 2015). A study of managers in the
SME sector revealed they are very concerned about data security and the privacy risks of
cloud adoption (Uchenna et al., 2015). The aim of the qualitative single case study
presented here was to explore the available strategies IT leaders at ABC may use to avoid
data breaches in the cloud environment.
Problem Statement
It was not known how IT leaders at ABC, a Managed IT Services company in the
SME sector in Columbus, Ohio, avoided data breaches in the cloud environment. The
general business problem was that data breaches in the cloud environment are costing
companies huge financial losses along with damaged reputations and a loss of
5
shareholder confidence (Chou, 2013; Somani et al., 2017). The specific business problem
was that ABC has experienced data breaches in the cloud environment and has lost time
and money as a result.
Cloud computing offers SMEs the crucial advantage of freeing up IT
administrative time to focus on other tasks (Gupta et al., 2013). However, the loss of total
control over IT infrastructure and the relocation of precious corporate data into the cloud
present data security risks to firms (Loske et al., 2014). Some IT leaders have simply
avoided the cloud to avoid such risks (Senarathna, Yeoh, Warren, & Salzman, 2016).
Other IT leaders who have adopted cloud computing worry about a possible breach of
their data (Nicho & Hendy, 2013). The potential loss of valuable company assets and
information, along with the possible disruption to service, add to IT leaders’ concerns
(Loske et al., 2014). For a firm in the SME sector, disruption to service or loss of critical
technology assets could end all aspirations to remain a viable business.
This case study explored the available strategies IT leaders at ABC may use to
avoid data breaches in the cloud environment. The strategies to avoid data breaches in the
cloud environment presented in this study could help ABC and other companies in the
SME sector avoid potential financial losses. The problem of data breaches in the cloud
environment affects all organizations that use the cloud (Nicho & Hendy, 2013). The
strategies to avoid data breaches in the cloud environment uncovered in this study could
reduce barriers to adoption and increase use of the technology among businesses.
Purpose of the Study
The purpose of this qualitative single case study was to explore the available
strategies IT leaders at ABC, a Managed IT Services company in the SME sector in
6
Columbus, Ohio, may use to avoid data breaches in the cloud environment. The
phenomena under study in this research were data breaches in the cloud environment.
This study applied a qualitative single case study design to study a single organization in
detail. The general population for this research consisted of IT leaders from organizations
that use cloud computing. The original envisioned sample size was 12 IT leaders
purposefully selected from a single firm in the SME sector in Columbus, Ohio; of these,
10 agreed to participate. The study was conducted within the headquarters of ABC in
Columbus, Ohio in the United States.
Abdollahzadegan, Hussin, Razak, Moshfegh Gohary, and Amini (2013), and
Bharadwaj and Lal (2012) argued that cloud computing appeals to SMEs because of its
revolutionary promise of pay-per-use for computing resources. However, AlJahdali et al.
(2014) stated that unauthorized access to firms’ sensitive information and threats of data
breaches present challenges to the cloud model. The availability of multiple cloud
deployment models could also imply that no one security control may be sufficient to
protect against all circumstances, which adds to IT leaders’ anxieties (Cloud Security
Alliance [CSA], 2017). By advancing strategies to avoid data breaches in the cloud
environment, this study helped SMEs avoid potential financial losses.
Research Questions
The overarching research question that guided this qualitative study was intended
to address the problem statement that it was not known how IT leaders at ABC, a
Managed IT Services company in the SME sector in Columbus, Ohio, avoided data
breaches in the cloud environment. Additional research questions supporting the
overarching research question aligned with (a) understanding the data security threats and
7
vulnerabilities facing IT leaders at ABC in the cloud environment, and (b) understanding
the available strategies IT leaders at ABC may use to address data security threats and
vulnerabilities in the cloud environment. Below is the list of research questions in this
study, where RQ1 specifies the overarching research question, and RQ2 and RQ3 specify
the supporting research questions.
RQ1: How do IT leaders at ABC avoid data breaches in the cloud environment,
which have cost their organization time and money?
RQ2: How do IT leaders at ABC describe data security threats and vulnerabilities in
the cloud environment?
RQ3: What are the perspectives of IT leaders at ABC regarding the available
strategies they may use to address data security threats and vulnerabilities in
the cloud environment?
The research questions were derived from the literature regarding data security
risks implied in cloud adoption. The questions provided the framework for developing
the interview protocols in this study (see Appendices E and F). The research questions
were intended to provide specific data to develop intimate insights into cloud data
security and the privacy threats and vulnerabilities facing IT leaders at ABC. Such
intimate insights helped this research identify, explain, and recommend strategies IT
leaders could employ to avoid data breaches in the cloud.
The decision to transfer sensitive business data to cloud computing providers may
be difficult for firms’ executives and IT leaders. According to Zhang, Zhang, and Ou
(2014), cloud computing attackers can compromise cloud infrastructure and services at
little or no cost. Computer hackers have stolen massive amounts of sensitive information,
8
levying painful costs on some businesses by attacking them (Romanosky, Hoffman, &
Acquisti, 2014). The U.S. Department of Justice (2015) reported that individuals and
corporations have suffered privacy invasions and financial losses due to malicious online
hacker activities. For ABC, strategies to avoid data breaches in the cloud environment
could prevent future financial losses as well as lessen cloud fears among IT leaders, thus
enabling the company to utilize and reap the economic benefits of the cloud.
Advancing Scientific Knowledge and Significance of the Study
The emergence of cloud computing provides firms, especially those in the SME
sector, opportunities to use computing resources in innovative ways. Unlike the
traditional in-house IT model, the cloud enables firms to utilize computing resources
more efficiently while increasing their IT capabilities cost-effectively (Ouahman, 2014).
Using the cloud minimizes organizations’ concerns about software licenses and hardware
maintenance (Ouahman, 2014). Yet the literature suggests that the potential risk of data
breaches remains (Carcary et al., 2014; Dutta et al., 2013; Uchenna et al., 2015). Data
breaches in the cloud environment are costing companies huge financial losses (Somani
et al., 2017). Abdollahzadegan et al. (2013) noted that SMEs may not have the necessary
financial flexibility to hire top cyber security expert personnel to manage data security
risks. The findings from this study were intended to advance the body of knowledge by
addressing the gap in current research regarding effective strategies that IT leaders and
their organizations may use to avoid data breaches in the cloud environment.
This research investigated how IT leaders at ABC, a Managed IT Services
company in the SME sector in Columbus, Ohio, avoided data breaches in the cloud
environment. This research was necessary to contribute knowledge to strategies IT
9
leaders in the SME sector may use to avoid data breaches in the cloud environment.
Advancing strategies to avoid data breaches in the cloud environment protected ABC
from potential future financial losses due to these issues. Furthermore, specific strategies
addressing data breaches in the cloud environment uncovered in this study removed key
barriers to cloud computing adoption within the SME sector. Given the scarcity of
empirical research on the influence of data security risk factors on cloud computing
adoption in organizations, this study provided valuable insight.
This study utilized the security framework the Cloud Security Alliance (CSA,
2011; CSA, 2017), established to illuminate the phenomenon of data breaches in the
cloud environment at ABC. The CSA security framework was selected because it helped
explain the cloud data security threats facing IT leaders at ABC in three critical areas: (a)
cloud architecture, (b) governing in the cloud, and (c) operating in the cloud (CSA,
2011). Using this framework facilitated the examination of potential gaps between IT
leaders at ABC’s cloud information security approaches and the CSA’s cloud security
guidelines. AlJahdali et al. (2014) argued that cloud user organizations give up the
personal, logistical, and physical security, as well as the privacy of their data, by adopting
cloud computing technology. This study advanced the CSA security framework by
identifying specific strategies to augment the data security protections cloud vendors
offer.
By being testable, the strategies this study uncovered provided the opportunity to
gather empirical evidence of the effectiveness of the CSA security framework. The
results highlighted the effectiveness of the CSA security framework in relation to
companies in the SME sector. The results of this case study could be the basis for a
10
practical cloud security self-assessment tool for IT leaders. Such a tool could provide
ABC and other firms in the SME sector with the extra confidence necessary to proceed
with cloud computing initiatives.
Given that data security risks in cloud adoption are a major concern among firms
in the SME sector (Carcary et al., 2014; Uchenna et al., 2015), adopting industry best
practices to mitigate those risks and address cloud security challenges may alleviate those
concerns. This study contributed to industry best practices of cloud computing risk
management and risk mitigation planning. The results of this case study also provided
cloud computing providers with crucial insights into the pertinent concerns that could
undermine their key value proposition.
Rationale for Methodology
This study used a qualitative methodology to investigate how IT leaders at ABC
avoided data breaches in the cloud environment. The use of a qualitative methodology
was necessary to understand the phenomenon of data breaches in the cloud environment
as it appeared in participants’ lives (Polkinghorne, 2005). Hale, Treharne, and Kitas
(2007) stated that the qualitative approach is particularly suitable for a research study
when it is necessary to understand the personal accounts of individuals’ experiences.
Personal accounts can, in fact, reveal hidden fears and concerns (Hale et al., 2007), which
were important to this study. Moreover, Payne and Payne (2004) maintained that the
qualitative research approach is necessary to understand the human experience.
This study did not establish relationships between variables, compared variables,
or tested hypotheses. Given that the quantitative methodology focuses on numerical
quantification, the quantitative approach was not appropriate for this study (McCusker &
11
Gunaydin, 2015). The qualitative approach allowed for nondirective questions that
revealed deep insights into participants’ experiences (Romand, Donovan, Hsinchun, &
Nunamaker, 2003). Furthermore, many past research studies employed the qualitative
approach to examine cloud data security issues and risks (Alshamaila, Papagiannidis, &
Li, 2013; Bharadwaj & Lal, 2012; Sobragi, Gastaud Maçada, & Oliveira, 2014), further
justifying this study’s choice of using the qualitative method.
Nature of the Research Design for the Study
The design of this qualitative study was a single case study. The case study unit of
analysis or the major entity that was analyzed in this study was the social phenomena of
data breaches in the cloud environment; the units of observation were IT leaders, who
had firsthand experience of the phenomena. This qualitative single case study viewed IT
leaders at ABC as a single bounded system and studied them in-depth as a single unit
(Gerring, 2004). This approach aligned with the study’s aim of understanding how IT
leaders at ABC avoided data breaches in the cloud environment.
The phenomenon under study in this research had no single set of outcomes;
therefore, the research was exploratory and suited to a case study (Yin, 2014). The case
study is well recognized and accepted as an effective tool for collecting qualitative
information (Breslin & Buchanan, 2008). The method offers advantages for a researcher
seeking, as in this study, to thoroughly examine a phenomenon in its original context
through qualitative strategies (Baxter & Jack, 2008; Ridder, 2012; Yin, 2014). Yin stated
that a case study research is most appropriate for examining the how and why of some
social phenomenon, as is the case in this study. Furthermore, single and multi-case
studies share the same methodological framework; however, a single case study requires
12
less time and fewer resources (Yin, 2014). Consequently, a single case study design
seemed appropriate to this study.
Other qualitative methods include the grounded theory design, the narrative
inquiry design, ethnography, and phenomenology; none of these were appropriate for this
study. Grounded theory involves building a theory from qualitative data (Foley &
Timonen, 2015), which was not the intent of this study. Narrative inquiry design focuses
on the story of experience with the purpose of sharing information and learning from it
(Hamilton, Smith, & Worthington, 2008). The focus of this study was not to tell the
stories of people’s lives. Ethnography focuses on human society and culture (Merriam &
Tisdell, 2016); human behavior and people’s belief systems were not the focus of this
study. According to scholars Merriam and Tisdell, phenomenology is more appropriate
for discovering intense human experiences, such as love, anger, and betrayal. This study
was not intended to focus on the emotions and affective states of participants.
Members of the IT leadership team at ABC, a Managed IT Services company in
the SME sector in Columbus, Ohio, were the target population of this study. The sample
consisted of 10 IT leaders purposefully selected from among ABC’s IT leadership.
Initially, the researcher planned to recruit 12 IT leaders to participate in the study; of
these, 10 agreed to participate. IT leaders at ABC were experts in the field of cloud
computing. They were familiar with the processes and the implementation of cloud
computing and possessed the expert capabilities to answer questions pertaining to cloud
data security issues.
Data were gathered from three different data sources, analyzed, and reported in
aggregate to answer all the research questions in the study. The first data source was
13
open-ended, semi-structured individual face-to-face interviews of 10 IT leaders at ABC.
The second data source was asynchronous discussions through emails with individual
participants also using an open-ended, semi-structured format. The third data source was
company-provided documents related to ABC’s data security practices, policies, and
procedures.
The individual face-to-face interviews focused on understanding IT leaders’
individual experiences of the phenomenon of data breaches in the cloud environment in
their own contextual situations. Asynchronous discussions through emails focused on
exploring the consensus and differences in participants’ experiences to those of their coparticipants. The researcher used data gathered through individual face-to-face interviews
to develop the asynchronous discussion questions in this study. Deriving asynchronous
discussion questions from individual face-to-face interview responses facilitated data
completeness and contributed to a more detailed understanding of the phenomenon in the
study (Kazmer & Xie, 2008; Ratislavová & Ratislav, 2014). Originating asynchronous
discussion questions from individual face-to-face interview responses also helped
generate new data to enhance the accuracy of findings in the study.
During asynchronous discussions through emails, participants were able to
provide their responses in private. Participants were asked to specifically respond to
follow-up questions derived from individual face-to-face interview data. This helped
uncover additional information that did not surface during the individual face-to-face
interviews of participants. Data gathered through face-to-face interviews and
asynchronous discussions through emails provided a holistic view of IT leaders’
perspectives on the phenomenon of data breaches in the cloud environment.
14
Asynchronous discussions took place one week after the face-to-face interviews
of participants. Initially, the researcher assumed that asynchronous discussions would
take place two weeks after the face-to-face interviews. However, because face-to-face
interviews of participants took place over an extended period, much of the data collected
were transcribed and examined concurrently with the data collection process.
Consequently, asynchronous discussions took place sooner than expected. The researcher
audio-recorded and transcribed the face-to-face interviews and, together with the
asynchronous discussion transcripts, the researcher thoroughly analyzed the data to
answer the research questions in the study. An additional data source was companyprovided documents related to ABC’s data security practices, policies, and procedures.
The researcher reviewed these documents and thoroughly analyzed them for additional
information about the phenomenon in the study. This provided the researcher with
additional rich details and insights into the phenomenon of data breaches in the cloud
environment.
Definition of Terms
The terms listed here were used throughout this study. The definitions are
provided to enhance readers’ understanding of the study.
Back source. The reversal of IT outsourcing or offshoring to return the delivery
of IT inside an organization (Solli-Sæther & Gottschalk, 2015).
Cloud computing. A new computing paradigm that allows IT resources, including
hardware and software, to be pooled, shared, and consumed on demand over the Internet
(Gupta et al., 2013).
15
Cloud computing provider. A company that provides IT infrastructure and
application services to companies and individuals on a subscription or pay-per-use basis
(Garg, Versteeg, & Buyya, 2013).
Cloud service. Computing service designed to deliver IT infrastructure, platform,
software, and other IT resources on demand over the Internet for a fee (Garg et al., 2013).
Cloud user organization. A company that subscribes to or uses cloud computing
services (Qu, Wang, & Orgun, 2013).
Community cloud. A type of cloud service model which allows two or more firms
to set up a communal cloud and share the cost (Sumit Goyal, 2014).
Computer hacker. An individual who obtains remote access to any computer
system without its owner’s permission (Marcum et al., 2014).
Computer hacking. Accessing a computer system without its owner’s permission
to, for example, install a virus, destroy or alter files, steal information, or infiltrate
software (Marcum et al., 2014).
Data breach. The unauthorized access, transfer, change, or deletion of sensitive
or proprietary information (National Institute of Standards and Technology [NIST],
2012).
Data security. Practices and process to protect against unauthorized access,
transfer, change, or deletion of sensitive or proprietary information (NIST, 2012).
E-government. The electronic means by which governments and citizens interact
and, in some cases, transact online (Ivanus & Iovan, 2014).
Hybrid cloud. A combination of public and private clouds to support data and
applications as an organization’s needs dictate (Isaila, 2013).
16
Infrastructure-as-a-service (IaaS). A cloud service delivery model that gives
user organizations the ability to provision computing resources such as equipment,
software, and servers on demand (Jackson, 2014).
IT outsourcing. A firm’s decision to contract out its IT assets and operations to
third-party vendors for a period of time (Silvius, Turkiewicz, Keratsinov, & Spoor,
2013).
Multi-tenancy. Sharing of IT resources by multiple users within a cloud
infrastructure (AlJahdali et al., 2014).
Platform-as-a-service (PaaS). A cloud service delivery model that makes
available both the hardware infrastructure and the servers to support cloud applications
over the Internet (Jackson, 2014).
Private cloud. An exclusive cloud infrastructure that serves a single user
organization. Offers greater control and reconfigurability (Sen, 2013).
Public cloud. A cloud infrastructure accessible to the general public and user
organizations (Isaila, 2013).
Service-level agreement (SLA). An agreement that establishes the relationship
between a cloud user and a cloud vendor (Saravanan & Rajaram, 2015).
Software-as-a-service (SaaS). A cloud service delivery model that makes
software applications available and accessible over the Internet (Jackson, 2014).
Assumptions, Limitations, Delimitations
Assumptions. Assumptions are beliefs that cannot necessarily be proven (Simon
& Goes, 2013). Awareness and understanding of assumptions are important in a study
because assumptions can restrict a research study (Orlikowski & Baroudi, 1991). In this
17
study, several assumptions were made related to ABC; they included that the company
provided the best SME context to conduct the study, that data breaches in the cloud
environment were among the company’s top IT concerns, that participants in this study
spoke honestly and in relation to their own experiences, that ABC’s IT leaders were
involved in the planning and strategizing of the company’s approach to the cloud, and
that IT leaders worked together to draw up the company’s IT data security practices and
guidelines. The use of qualitative methodology and a single case study research design
consistent with the works of Yin (2014), as well as the security framework established by
the CSA, implied additional assumptions as to the appropriateness of these choices for
the current study.
Limitations and delimitations. Limitations refer to factors that are beyond the
control of a researcher and could impact the outcome of a research study (Simon & Goes,
2013). There were methodological limitations in this study. A possible limitation related
to the use of the qualitative methodology in the study. Lietz and Zayas (2010) argued that
in seeking to understand study participants’ experiences, qualitative researchers may have
preconceived ideas about the information participants provide. Personal assumptions the
researcher may have brought to the present study may make it difficult to convince some
readers that the conclusions in the study were free of bias. A potential methodological
limitation also related to the case study research design. Readers of this study may argue
that a single case study design of 10 IT leaders in a single firm was not large enough to
thoroughly examine the phenomenon under inquiry.
Doing a single case study limited the amount of data collected in the study; this
limited the extent of the study’s findings and the conclusions drawn from those findings.
18
Similarly, the selection of 10 participants for individual face-to-face interviews and
asynchronous discussions also limited the range of data collected. The deliberate
selection of participants limited the spectrum of participants and the diversity of their
backgrounds. The use of purposeful sampling to select the study participants may raise
questions as to whether greater understanding of the phenomenon in the inquiry was
achieved. Despite this potential limitation, purposeful sampling helped to find
participants who were particularly well-informed on the research topic and the
phenomenon under inquiry.
This study had data collection instrument limitations. Although the face-to-face
individual interview questions were reviewed and approved by a panel of three
qualitative research experts, the asynchronous discussion questions were not reviewed or
approved by experts. Readers of this study may argue that the lack of systematic
assessment by experts of the asynchronous discussion questions could limit the suitability
of the questions in relations to the data sought. Readers may question the objectivity of
the data collection using an instrument that was not piloted or approved by experts in the
field.
To maximize the time available for interviews, the researcher used online
collaboration software to conduct interviews whenever circumstances did not allow for
in-person face-to-face interviews. This option exposed the data collection procedure to
impersonal interactions, which limited the researcher’s ability to interact with
interviewees and gain their trust. The researcher did not generalize the findings of this
study beyond the organization that was studied due to the limited extent of the data that
were collected from the small sample.
19
Delimitations refer to limitations resulting from the deliberate choices made by a
researcher during the planning of a research study (Simon & Goes, 2013). The cloud
computing model is associated with multiple risks and disadvantages beyond those of
data breaches (Kesan, Hayes, & Bashir, 2013). It is possible that the cost of service
disruption, due to cloud service availability issues not necessarily related to security
incidents, could exceed those of data breaches. This study did not consider these
disadvantages and issues; this study was delimited to factors pertaining to data breaches.
The data sources in this study were delimited to interviews, asynchronous
discussions, and company-provided documents, although alternative data sources existed.
A focus group could have provided more solidified data reflective of the group rather
than an individual. However, facilitating round table discussions among participants
could have presented challenges to a single and novice researcher. The researcher’s
inexperience in qualitative research was therefore a factor in the choice of the data
sources used in the study.
Although data breaches in the cloud environment remain a concern of firms both
large and small (Dutta et al., 2013), this study was delimited to one firm in the SME
sector for the purpose of examining a critical case. A single critical case study was most
manageable for a single researcher and required less time and fewer resources. Given the
proliferation of Internet technology in modern society and the computing threats facing
businesses, firms of any size can benefit from strategies to avoid data breaches in the
cloud environment. However, delimiting the study to the SME sector allowed this study
to identify strategies most likely to benefit SMEs.
20
Summary and Organization of the Remainder of the Study
As a relatively new concept, both practitioners and researchers describe cloud
computing as a profound shift in the way companies consume IT resources (YeboahBoateng & Essandoh, 2014). The cloud’s pay-as-you-go pricing model promises to help
SMEs reduce IT operations costs while achieving their high-performance computing
objectives (Gupta et al., 2013). Cloud computing is, however, an Internet-based
technology; therefore, the security threats, risks, and vulnerabilities of computer hackers,
viruses, malware, and worms apply to the cloud environment. Nicho and Hendy (2013)
stated that data breaches in the cloud environment pose critical risks for both past and
future adopters of the cloud technology; Uchenna et al. (2015) documented that managers
are aware of these risks. Loske et al. (2014) pointed out that researchers have yet to
address the lingering skepticism of the risks of data breaches in the cloud environment.
The purpose of this qualitative single case study was to explore the available
strategies IT leaders at ABC, a Managed IT Services company in the SME sector in
Columbus, Ohio, may use to avoid data breaches in the cloud environment. Strategies to
avoid data breaches in the cloud environment were intended to help the company avoid
costly breach incidents and improve its bottom line. In addition, such strategies were
designed to help firms in the SME sector remove key barriers to cloud computing
adoption. This study had significant implications for practitioners through cloud security
assessment and the approach used to manage cloud adoption. The results of this study
added to the existing body of literature by addressing the gap in the current understanding
of cloud data security factors affecting cloud adoption within the SME sector. This study
21
also advanced the CSA security framework by identifying specific strategies to augment
the data security protections cloud vendors offer.
Below is the list of research questions in this study, where RQ1 specifies the
overarching research question, and RQ2 and RQ3 specify the supporting research
questions.
RQ1: How do IT leaders at ABC avoid data breaches in the cloud environment,
which have cost their organization time and money?
RQ2: How do IT leaders at ABC describe data security threats and vulnerabilities in
the cloud environment?
RQ3: What are the perspectives of IT leaders at ABC regarding the available
strategies they may use to address data security threats and vulnerabilities in
the cloud environment?
Due to the nature of the study, this study used a qualitative methodology and a
single case study design. The qualitative method is especially appropriate for ascertaining
an in-depth understanding of phenomena under study, and as a result, it is suitable for
answering how and why questions (Carson, Gilmore, & Perry, 2001). The goal of this
research was to explore the available strategies IT leaders at ABC may use to avoid data
breaches in the cloud environment. This study was not intended to establish relationships
between variables, compare variables, or test hypotheses, but rather to establish an
understanding of the phenomena of data breaches in the cloud environment from the
perspectives of those experiencing it. Thus, the quantitative methodology was not
appropriate for this study (McCusker & Gunaydin, 2015).
22
Breslin and Buchanan (2008) described case study as a well-recognized method
of collecting qualitative information. Building a theory was not the focus of this study;
therefore, the grounded theory research design was not suitable for this study (Foley &
Timonen, 2015). The focus of this study was not to tell the stories of peoples’ lives;
hence, the narrative inquiry design was also not appropriate for this study (Hamilton et
al., 2008). Understanding human behavior and peoples’ belief systems were not the focus
of this study so, the ethnography research design was not appropriate (Merriam &
Tisdell, 2016). Similarly, this study did not focus on the emotions and affective states of
participants. As such, the phenomenological research design was not suitable for this
study (Merriam & Tisdell, 2016).
Data in this study were gathered from three different sources. The first data source
was open-ended, semi-structured individual face-to-face interviews of 10 IT leaders at
ABC. The second data source was asynchronous discussions through emails with
individual participants also using an open-ended, semi-structured format. Data gathered
through individual face-to-face interviews and asynchronous discussions provided a
holistic view of IT leaders’ perspectives on the phenomenon of data breaches in the cloud
environment. The third data source was company-provided documents related to ABC’s
data security practices, policies, and procedures.
The researcher audio-recorded and transcribed the face-to-face interviews; and
together with the asynchronous discussion transcripts, the researcher thoroughly analyzed
the data to answer the research questions in the study. The researcher coded the interview
transcripts to identify themes representing participants’ experiences related to data
breaches in the cloud environment. The researcher examined relevant documents related
23
to ABC’s data security practices, policies, and procedures for additional information
about the phenomenon in the study. These documents provided the researcher with
additional rich details and insights into the phenomenon of data breaches in the cloud
environment.
An underlying assumption of this research was that ABC provided the best SME
context to conduct the study and that data breaches in the cloud environment were among
the company’s top IT concerns. Further, the researcher assumed that IT leaders’
discussions of their experiences of using cloud security frameworks such as the CSA
security framework would help explore the available strategies they may use to address
data breaches in the cloud environment. The researcher further assumed that all
participants provided truthful and honest information. The researcher acknowledged that
the study was limited because it did not address other cloud computing risks, which may
be equally or even more costly than that of a data breach. The researcher also recognized
that the small sample size and the lack of generalizability presented limitations to the
study. Delimitations in this study included the plan to pursue a single critical case study,
which was more manageable for a single researcher.
The remaining chapters in this dissertation are Chapter 2, Chapter 3, Chapter 4,
and Chapter 5. Chapter 2 contains an explanation of the conceptual framework that was
the basis of this study and a review of the literature that demonstrated the researcher’s
understanding of the key topics relevant to the study. Chapter 3 contains discussions,
explanations, and justification of the research methodology and the research design that
was used to conduct the study. Chapter 4 includes the data analysis and results of the
study. Chapter 5 offers the researcher’s analysis of the findings in the study,
24
recommendations for future study, and a suggestion of strategies to address data breaches
in the cloud environment.
25
Chapter 2: Literature Review
Introduction to the Chapter and Background to the Problem
As cloud computing has emerged as a popular paradigm of IT, a significant
amount of research has been completed regarding multiple interdependent factors,
including risks of data breaches affecting adopters of the technology. However, as this
chapter describes, the literature includes no definitive studies on how firms in the SME
sector can avoid data breaches in the cloud environment. This literature review addresses
themes and subthemes relevant to the topic of data breaches in the cloud environment as
they affect the adoption and usage of cloud computing among SMEs. The literature
review was organized thematically to present the requisite topics for understanding the
study. The themes were organized and designed to draw from broad concepts to specific
studies upon which this study was based. This enabled the synthesis, comparison, and
contrast of cutting-edge and up-to-date research on the topic, to highlight the need for the
study and to develop a complete understanding of the research topic.
The purpose of this qualitative single case study was to explore the available
strategies IT leaders at ABC, a Managed IT Services company in the SME sector in
Columbus, Ohio, may use to avoid data breaches in the cloud environment. The
overarching research question, “How do IT leaders at ABC avoid data breaches in the
cloud environment, which have cost their organization time and money?” centered on
two key themes: (a) understanding the data security threats and vulnerabilities IT facing
leaders at ABC in the cloud environment, and (b) understanding the available strategies
IT leaders at ABC may use to address data security threats and vulnerabilities in the
cloud environment.
26
This literature review consists of eight sections, each dedicated to addressing a
major theme relevant to the study. The first section discusses the history and background
of cloud computing and how its evolution has led to the current problem focused on in
this research. The second section identifies the gap in the literature and explains the
unmet need that is the basis for this study. The third section focuses on the study’s
conceptual framework, the CSA security framework, which underlies this study and
provides the lens through which to view this study.
The fourth section, IT outsourcing, discusses cloud computing as the latest trend
in IT outsourcing, an important practice in making SMEs competitive (Willcocks,
Venters, & Whitley, 2013). This will provide a deep understanding of the evolution of IT
outsourcing into cloud computing and substantiate the need to address the problem of
data breaches associated with this critical technology. The fifth section, Cloud computing
technology, explains cloud computing, its key features, and its benefits. The sixth section
also discusses the factors of adoption of the cloud and delves into the challenges and
barriers associated with adopting the cloud technology. The seventh section, Threats to
data security in the cloud, discusses the factors that expose cloud user organizations to
the risks of data breaches in the cloud environment. The section also explores approaches
to mitigating threats to firms’ data security identified in prior research.
Finally, the last section, Methodology and instrumentation, discusses the
similarities and differences of the methodological frameworks used in prior research
studies cited in the literature review. This discussion helps to explain and justify the
selection of the qualitative methodology in this study. The section also discusses how
27
proven instruments used in previous research inform the data collection instruments that
this study implemented.
In surveying the literature for this review, the researcher conducted searches of
EBSCOhost, ProQuest, ResearchGate, Ulrichsweb, Taylor & Francis, Web of Science,
and Google Scholar. The researcher used multiple combinations of search terms. These
included terms such as SMEs, outsourcing, cloud computing, data breaches, adoption,
qualitative, data security, and privacy risks, and identified peer-reviewed empirical
articles, journal articles, conference papers, presentations, news articles, and e-books in
these databases.
Historical background. In the early 1960s, John McCarthy, an American
scientist, suggested that in the future, computing would eventually become a public utility
(Rajaraman, 2014). Indeed, accessing computing facilities over the Internet is the basis of
the World Wide Web. The Internet thus represents a utility; the cloud, more broadly, does
as well. Eric Schmidt, the former CEO of Google Inc., coined the term “cloud”
(Rajaraman, 2014) to refer to a third-party vendor hosting and managing computing
infrastructure and software outside of users’ premises (Cito, Leitner, Fritz, & Gall, 2015).
Many companies now use the concept of cloud computing to access computing resources
and services over the Internet (Etinger & Cingula, 2014).
Mathew and Varia (2014) described the 2006 launch of Amazon Web Services
(AWS) as a key development in modern cloud computing. Other companies including
Google, IBM, Microsoft, and Apple followed with their own cloud offerings. In 2007,
Google launched Google Apps using the cloud paradigm to provide online access to email, spreadsheet, word processing, and presentation software (Jeong, Kim, & Yoo,
28
2013). In the same year, IBM launched the Blue Cloud to help enterprises expand their
data center operations (Peiris, Balachandran, & Sharma, 2014; Ullah & Xuefeng, 2013).
In 2008, Microsoft launched the Azure Services Platform, a cloud infrastructure designed
to deliver software as a service from the cloud (Ullah & Xuefeng, 2013). Apple also
entered the fray with its iCloud service, which enabled ordinary Internet users to store
everything from photos to music in the cloud while also synchronizing them to all of their
Apple devices.
Arguably, cloud computing is both a business concept and a technology concept
(Gangwar, Date, & Ramaswamy, 2015); consequently, the meaning of cloud computing
may be different depending on a user’s needs. For managers, cloud computing represents
an economically efficient way of managing modern IT; for users, cloud computing is IT
as a service (Khanagha, Volberda, Sidhu, & Oshri, 2013). In the view of the National
Institute of Standards and Technology,
Cloud computing is a model for enabling ubiquitous, convenient, on-demand
network access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service provider
interaction. (NIST, 2013, p. 8)
Etinger and Cingula (2014) defined cloud computing as the on-demand provisioning,
delivery, and real-time consumption of IT service over the Internet. Experts define cloud
computing as a highly scalable IT infrastructure for hosting customer-ready applications
that are accessed, consumed, and paid for on an as-needed basis (Fan, Wu, Chen, & Fang,
2015; Yang, Sun, Zhang, & Wang, 2015). Nowadays, cloud computing is a business
29
imperative and an important means of accessing technology as a utility (Bharadwaj &
Lal, 2012; Fan et al., 2015; Lawler, Joseph, & Howell-Barber, 2012).
Cloud computing is a simple yet powerful arrangement of infrastructure and
software that allows for access to IT services anytime, anywhere, and on any device; it is
arguably a game changer for businesses (Sobragi et al., 2014). After years in the making,
cloud computing has evolved into a model for accessing computing resources on demand
(Yang & Lin, 2015). Yeboah-Boateng and Essandoh (2014) described cloud computing
as a key area of IT innovation for many enterprises. The convenience and the on-demand
access to IT resources on a pay-per-use basis have contributed to new and affordable
options for firms to create efficiency and effectiveness in IT operations.
Arguably, the attractiveness of the cloud has contributed to the growth of the
outsourcing of IT to cloud vendors and has facilitated the cloud’s emergence as a key
driving force behind many firms’ IT and business strategies. The cloud provides a
strategic technology option for many firms, especially given that 80% of the IT budget in
many firms goes to IT operations and maintenance (Alshamaila et al., 2013). For firms in
the SME sector, the cost-saving aspect of cloud computing could deliver tangible and
direct business benefits. However, SMEs have been slow to embrace the cloud (Carcary
et al., 2014; Mohlameane & Ruxwana, 2013). Adopting cloud computing implies that a
firm will outsource sensitive corporate data and IT resources to third-party cloud vendors.
Some managers remain skeptical of data security risks in the cloud, especially given the
high probability of a breach of their companies’ data security when compared to in-house
IT not associated with the Internet (Fan et al., 2015; Uchenna et al., 2015).
30
The National Institute of Standards and Technology reported that data breach
incidents have become numerous and diverse (NIST, 2016). The Director of National
Intelligence’s assessment that computer hackers sponsored by the Government of the
Russian Federation hacked into systems of the Democratic National Committee (Office
of The Director of National Intelligence, 2017) highlighted the danger of data breaches
affecting both public and private organizations. Wikina (2014) stated that data breaches
resulting from theft or hacking incidents compromised the private information of millions
of individuals, including sensitive personal health information. To take one high-profile
example, Holtfreter and Harrington (2015) reported that a data breach at Zappos in 2012
resulted in the compromise of 24 million customers’ e-mail addresses, passwords, and
phone numbers.
The literature suggests that cloud computing offers advantages far greater than
those of traditional in-house IT models. However, data breaches in the cloud environment
pose significant problems for many firms. Data breaches in the cloud environment have
contributed to financial losses and damaged reputations among some firms (Somani et al.,
2017). More specifically, ABC, a thriving Managed IT Services company in Columbus,
Ohio, has experienced data breaches in the cloud environment and has lost time and
money as a result. IT leaders at ABC, therefore, possessed a wealth of knowledge and
experience regarding data breaches in the cloud environment. A qualitative single case
study based on the synthesis of their knowledge and experiences regarding data breaches
in the cloud environment helped advance potential strategies to address the problem. The
pervasiveness and the costly impact of the phenomenon of data breaches in the cloud
environment thus provided the pressing need for this study.
31
Identification of the Gap
Companies use the concept of cloud computing to access computing resources
and services (Etinger & Cingula, 2014). This ability allows companies to purchase IT
services and consume computing resources on an as needed basis. Cloud computing
separates data and applications from PCs to centralized computing facilities managed by
third-party cloud vendors (Mathew & Varia, 2014). Companies do not have to concern
themselves with managing and maintaining IT infrastructure (Mathew & Varia, 2014;
Repschlaeger, Erek, & Zarnekow, 2013). Companies also do not have to concern
themselves with renewal fees for software licenses or to purchase and maintain
equipment to support new versions of software (Isaila, 2013). Given that 80% of most
firms’ IT budget goes to IT operations and maintenance, cloud computing offers user
organizations significant cost-saving over in-house IT (Alshamaila et al., 2013).
However, cloud vendors own the underlying technology assets and are responsible for
their physical maintenance (Barker, 2013). This implies that organizations that use cloud
computing services do not have complete control of the security and privacy of their data
(Al-Saiyd & Sail, 2013; Trigueros-Preciado, Pérez-González, & Solana-González, 2013).
Dutta et al. (2013) assessed data security risks in cloud computing and found that
data in the cloud may be breached. Nanavati, Colp, Aiello, and Warfield (2014) stated
that virtual machines, the key underlying technology of cloud computing, are susceptible
to compromise. Zhang et al. (2014) performed penetration testing of Amazon Elastic
Cloud 2 (EC2) and identified multiple vulnerabilities. Chiang, Rajasekaran, Zhang, and
Huang (2015) in a separate study found that even when they are offline, virtual machines
were susceptible to malicious exploits. Marcum et al. (2014) argued that the Internet
32
offers anonymity for computer hackers who are willing to attack systems connected to
the cloud. Baskerville, Spagnoletti, and Kim (2014) examined online data security breach
prevention and firms’ responses to them and concluded that hackers and cyber criminals
pose significant data security risks to organizations. Companies operating in the cloud
environment face malicious attacks from hackers and cyber criminals (Chen, Desmet, &
Huygens, 2014; Das, Mukhopadhyay, & Shukla, 2013). Lampe et al. (2013) examined
the risks of cloud data security in the financial sector and noted that even cloud vendors’
own employees acting as malicious insiders could compromise firms’ confidential
information stored in the cloud.
Recent research showed that reputable organizations including Citibank and
Carphone Warehouse have had their confidential information compromised as a direct
result of a data breach that occurred over the Internet (Das et al., 2013; Evans, Maglaras,
He, & Janicke, 2016). Romanosky et al. (2014) reported that such data breaches have
compromised millions of confidential customer records. Chouhan and Singh (2016)
explained that cloud vendors and user organizations can employ intrusion detection
systems to detect malicious activities and to prevent a data breach. Parsons, McCormac,
Butavicius, Pattinson, and Jerram (2014) emphasized user education, training, and
employees’ compliance with IT security policies as also necessary to address data
security vulnerability gaps. Despite these suggestions, studies have shown that data
breaches remain a persistent problem in the cloud environment (Holtfreter & Harrington,
2015; Ristov et al., 2013; Schatz & Bashroush, 2016; Yunchuan, Junsheng Zhang,
Yongping, & Guangyu, 2014). Thus, the current research to explore the available
33
strategies IT leaders at ABC may use to avoid data breaches in the cloud environment
addressed an unmet need and a crucial gap in the literature.
This study was intended to address the problem that it was not known how IT
leaders at ABC, a Managed IT Services company in the SME sector in Columbus, Ohio,
avoided data breaches in the cloud environment. Chou (2013) stated that a data breach in
the cloud environment costs an organization on average $222 per stolen record. This
research was necessary to contribute knowledge to strategies IT leaders in the SME
sector may use to avoid data breaches in the cloud environment. The findings from this
study advanced the body of knowledge by addressing the gap in research regarding
effective strategies that IT leaders and their organizations may use to avoid data breaches
in the cloud environment.
Conceptual Framework
The security framework established by the Cloud Security Alliance (CSA, 2011;
CSA, 2017) provided the conceptual framework for this study. The CSA security
framework provides a method for evaluating cloud computing risk tolerance and offers
guidance in three critical areas relevant to addressing data security threats in the cloud
environment (CSA, 2011). The three critical areas the CSA identified as relevant to cloud
data security threats are (a) cloud architecture, (b) governing in the cloud, and (c)
operating in the cloud (CSA, 2011).
Cloud architecture involves relationships and dependencies within cloud
computing models that can create vulnerabilities (CSA, 2011). The key cloud computing
models are IaaS, PaaS, and SaaS. Every model allows users to shift specific
responsibilities to cloud vendors and to choose which operations to manage themselves,
34
but all involve vulnerabilities. The IaaS model provides the infrastructure and data center
capabilities to provision computing resources such as equipment, software, and servers
on demand (Jackson, 2014). The PaaS model provides operations systems, application
servers, and databases to support cloud applications (Jackson, 2014). The SaaS model
depends on either a simple web browser or an application programming interface (API)
for access to cloud-based applications (Repschlaeger et al., 2013). According to the
CSA’s cloud reference model, the SaaS model depends on the PaaS model which in turn
depends on the IaaS model, with each model inheriting not just the capabilities of the
model below it but also all associated data security issues and risks.
The second critical area, governing in the cloud, refers to the role of governance
and enterprise risk management in the effectiveness of security processes and control in
any cloud deployment (CSA, 2011; CSA, 2017). Some cloud vendors operate beyond
user organizations’ national borders, which potentially exposes firms to a set of data
security risk implications that would not apply to homegrown service and can give rise to
serious governance and enterprise risk management issues (Yunchuan et al., 2014). Legal
issues and standards for compliance and audit, information management, data security,
and interoperability all stem from governing in the cloud and all influence information
security in the cloud environment (CSA, 2011; CSA, 2017).
Operating in the cloud refers to traditional security, business continuity, disaster
recovery, application security, and identity and access management strategies that user
organizations and cloud vendors could employ (CSA, 2011; CSA, 2017). It addresses
data center operations, incident response, encryption, virtualization, and security-as-aservice in cloud security (CSA, 2011; CSA, 2017). The outsourcing of IT to cloud
35
computing vendors does not necessarily absolve user organizations from cloud data
security protection responsibilities (CSA, 2017). Cloud user organizations face varied
vulnerabilities as well as technical and generic threats (Nicho & Hendy, 2013). The CSA
pointed out that user organizations need to take measures to protect themselves from data
security risks associated with information, products, and personnel (CSA, 2011). Some
risks are beyond user organizations’ control, for example, natural disasters and cloud
network failures. But risks associated with personnel, data theft, and espionage can and
should be managed (CSA, 2011). The operating in the cloud area refers to the risks that
cloud user organizations should evaluate and address to protect their own interests (CSA,
2011; CSA, 2017).
Figure 1 depicts the three critical areas of cloud computing security that user
organizations should evaluate carefully to minimize risk exposure. According to the CSA
(2011), the three critical areas represent the key avenues of data security vulnerabilities to
user organizations. Consequently, the effectiveness of an organization’s data security
processes in the cloud environment depends on addressing the data security threats and
vulnerabilities in these three critical areas (CSA, 2011).
36
Cloud
architecture
Governing in
the cloud
Operating in the
cloud
Figure 1: An illustration of the three critical areas of cloud computing security.
Arguably, cloud vendors may be better positioned to detect an intrusion than
cloud user organizations (Nanavati et al., 2014). However, Duncan, Zhao, and
Whittington (2017) explained that the solid corporate firewall some user organizations
may have meticulously put in place to protect their in-house systems may not extend to
cloud-based systems. Given the cost advantage of cloud computing use, it is worth it for
SMEs to protect themselves from data breaches in the cloud environment. However, IT
security in the cloud is a shared responsibility between cloud vendors and cloud user
organizations (Menard, Gatlin, & Warkentin, 2014). The findings of this study, which
supported recommendations in the CSA security framework, yielded information to close
the gap between the cloud security measures IT leaders at ABC pursued and those offered
by vendors. This research used the CSA security framework to better explore IT leaders’
experiences of data security threats in the cloud and the available strategies to address
them.
37
Review of the Literature
IT outsourcing. As some firms have been hard pressed to achieve reliable and
scalable IT infrastructure and to deliver more business value, the outsourcing of IT
functions to third-party vendors has gained popularity (Duhamel, Gutiérrez-Martínez,
Picazo-Vela, & Luna-Reyes, 2014). This section focuses on the evolution of IT
outsourcing into cloud computing to help clarify the origins of the cloud computing
paradigm. The discussion begins by explaining IT outsourcing and the reasons why some
firms pursue IT outsourcing. The discussion highlights the reasons some firms may be
wary of IT outsourcing. The aim of this section is to establish an understanding of the
evolution of IT outsourcing and the emergence of cloud computing as the new and
predominant model of IT outsourcing.
The literature lists several definitions of IT outsourcing. Silvius et al. (2013)
defined IT outsourcing as the contracting out of IT assets and operations to third-party
vendors for a period of time. Schneider and Sunyaev (2016) defined IT outsourcing as the
practice of using IT services provided by external vendors. Alderete (2013) defined IT
outsourcing as the delegation of specific IT functions and non-core activities to vendors
outside the firm. Thus, IT outsourcing reflects the use of third-party vendors in an
organization’s IT operations. Outsourcing itself is not new; IT outsourcing, however, has
recently gained attention as a means to enhance a firm’s competitiveness.
The pace of technological change complicates IT leaders’ ability to develop and
maintain IT capabilities in-house (Duhamel et al., 2014). IT leaders also face the need to
justify all costs related to the delivery of IT, in addition to maintaining flexibility and
scalability while operating around the clock globally (Barker, 2013). Cost reduction,
38
flexibility, and operations scalability may offer IT leaders compelling reasons to pursue
outsourcing of IT to third-party vendors.
Maintaining IT resources and capabilities in-house entails costs such as electricity
consumption, data center, and personnel costs. Additional costs relate to hardware,
networking components, and software licensing fees. Operating IT in-house requires
employees who are focused on IT activities instead of on a firm’s core business activities
(Silvius et al., 2013). Silvius et al. noted that outsourcing IT to third-party vendors allows
firms to shift the responsibilities of managing IT resources and support staff to those
vendors. They also insisted that third-party IT vendors can achieve a level of service
similar to that of in-house IT at a much lower cost. For firms in the SME sector
struggling due to financial hardship and obsolete technology, the outsourcing of IT may
provide a viable solution to cost reduction and, potentially, access to new IT innovations
they could not obtain on their own.
Companies both large and small face shrinking budgets; therefore, a focus on a
firm’s core competencies may be necessary to gain competitive advantage (Silvius et al.,
2013). Silvius et al. argued that firms cannot achieve competitive advantage through the
mere acquisition or possession of sophisticated IT; effective utilization of human
resources must also be present. When a firm adopts IT outsourcing, it may be more likely
to focus on its core competencies and delegate activities in which it is less competent to
outside vendors (Schneider & Sunyaev, 2016). Outsourcing IT functions to vendors
outside of the firm can also incur a risk of contracting vendors that cannot meet a firm’s
needs. Therefore, making a strong business case regarding the need to outsource IT
functions may be more paramount.
39
Reasons for IT outsourcing. Like other firms, SMEs may face limited growth
due to operational, technical, and financial challenges. For many firms in this sector,
outsourcing IT to third-party vendors may seem like an attractive option. Advances in IT
have made it possible to outsource IT operations to vendors virtually anywhere in the
world (Silvius et al., 2013). IT outsourcing can drastically reduce costs. Silvius et al.
noted as well that IT outsourcing can transform fixed costs into variable costs. This may
allow firms to modulate their use of IT outsourcing according to market conditions.
IT is one of the most important and expensive parts of many modern firms;
however, not all firms, especially those in the SME sector, possess the in-house expertise
to utilize IT fully (Silvius et al., 2013). Third-party outsourcing vendors offer economies
of scale and specialization as well as expertise (Nordigården, Rehme, Brege, Chicksand,
& Walker, 2014). Firms often use IT outsourcing to capitalize on an external party’s
capabilities to augment those in-house (Silvius et al., 2013). Economies of scale allow for
lower costs (Nordigården et al., 2014; Silvius et al., 2013). Silvius et al. noted that by
outsourcing non-core activities to outside vendors while focusing core competencies on
core activities in-house, a firm may achieve a competitive advantage.
Firms generally weigh several factors in deciding whether to outsource IT
operations. These factors might include improving process performance as well as
lowering process cost (Han & Mithas, 2014). Han and Mithas suggested that IT
outsourcing can introduce the efficient allocation of resources through improvements and
optimization of existing processes. Brcar and Bukovec (2013) stated that IT outsourcing
may improve a firm’s ability to maintain its competitiveness by improving its overall
efficiency and effectiveness. Furthermore, IT outsourcing enables firms to share project
40
risks and thereby reduce their own exposure to losses (Hodosi & Rusu, 2013). Although
firms may have good reasons to outsource IT to outside vendors, IT outsourcing entails
possible disadvantages as well.
Disadvantages of IT outsourcing. Although IT outsourcing is noted for helping
companies reduce IT costs, the activities required to properly vet a vendor could be costly
(Han & Mithas, 2014). IT outsourcing may also contribute to a firm’s loss of valuable
and intangible employee knowledge (Hodosi & Rusu, 2013). Bhagwatwar, Bala, and
Ramesh (2014) argued that IT outsourcing may result in the reduction of responsibilities
for in-house IT personnel. Loss of direct control of IT and technology assets is also a
possibility (Hodosi & Rusu, 2013). The decision to delegate an organization’s IT
infrastructure to outside vendors could be costly if something goes wrong (Dutta et al.,
2013).
IT outsourcing may entail a heightened risk of not meeting a firm’s objectives (Qi
& Chau, 2013). IT outsourcing does not always provide a competitive advantage
(Agrawal & Haleem, 2013). Agrawal and Haleem posited that culture and language
barriers could complicate international IT outsourcing arrangements. Bahl and Wali
(2014) found that inadequate security and protection of critical technology assets carries
risk and that some firms have suffered terrible losses because of this risk of IT
outsourcing.
Evolution of IT outsourcing into cloud computing. Bahl and Wali (2014)
explained that IT outsourcing began as a way to supplement in-house application
development. Over time, IT outsourcing vendors have evolved their offerings to include
data center and support operations (Schneider & Sunyaev, 2016). Whereas traditional IT
41
outsourcing may have been focused on efficiency and productivity through the
outsourcing of non-essential business processes, cloud computing services focus on the
provision of computing resources (Willcocks et al., 2013). Willcocks et al. explained that
cloud computing emphasizes a service-based approach to the provisioning of IT
resources through modern technical innovations. They noted that the service-based
perspectives of cloud computing have shifted IT outsourcing away from managing
technology assets to a focus on IT services used and customer value.
As Dabbagh, Hamdaoui, Guizani, and Rayes (2015) described the industry, cloud
computing service vendors own the underlying technology assets and are responsible for
their physical maintenance, although user organizations may have control of operating
systems and applications. Willcocks et al. (2013) predicted that cloud computing will
bring benefits beyond cost savings in the form of innovations in business practices. The
broad range of evidence suggests that cloud computing services may have the potential to
transform IT outsourcing and the approach firms use to outsource their IT operations.
The above review of IT outsourcing indicates that cloud computing is the newest
model of IT outsourcing. Duhamel et al. (2014) noted that the need to achieve a reliable
and scalable IT infrastructure and to deliver more business value has given rise to the
practice of IT outsourcing. By outsourcing in-house IT infrastructure to the cloud, a firm
may reduce costs related to electricity consumption, data center, and personnel. However,
a data breach of an organization’s technology assets in the cloud could be costly. For
companies in the SME sector particularly, which often lack resources (Choudrie &
Culkin, 2013), a data breach could have a catastrophic consequence. Therefore, the
answer to the overarching research question in this study “How do IT leaders at ABC
42
avoid data breaches in the cloud environment, which have cost their organization time
and money?” offered valuable insights that could help companies in the SME sector
avoid potential losses.
Cloud computing technology. This section describes cloud computing and
explains the key features of cloud computing technology. The discussion describes the
benefits, the factors of adoption, and challenges and barriers to cloud adoption. This
discussion establishes a thorough understanding of cloud computing technology and its
overall impact on SMEs and other areas of the economy.
The advantages of cloud computing have contributed to the growth of the
outsourcing of IT to cloud vendors, which in turn has facilitated the growth of the cloud
computing industry (Alshamaila et al., 2013). Qian and Palvia (2013) described a
fundamental shift toward cloud computing dominating in industries. CIOs and IT leaders
increasingly see cloud computing as an important element of their companies’ IT
strategies (Gonzalez & Smith, 2014). Alshamaila et al.’s work suggested that cloud
computing adoption is advantageous. They pointed out that 80% of most firms’ IT budget
goes to IT operations and maintenance, which they claim make wide cloud adoption
likely. For firms in the SME sector, the cost-saving aspect of cloud computing could
deliver tangible and direct business benefits. Alshamaila et al. noted that the cloud
provides a strategic technology option for many firms.
By allowing organizations to consume computing as a service, cloud computing
has enabled an on-demand model of IT services with great flexibility and cost
efficiencies that appeal to many firms (Repschlaeger et al., 2013). Cloud computing gives
user organizations the ability to use computing power on demand (Dabbagh et al., 2015).
43
The ability to purchase IT services and consume computing resources on demand allows
companies to forego building and maintaining their own IT infrastructure. Mathew and
Varia (2014) explained that cloud computing separates data and applications from PCs to
centralized computing facilities managed by third-party cloud vendors. This implies that
cloud user organizations do not have to concern themselves with managing storage,
installing hardware and software, and hiring IT operations staff to manage and maintain
IT infrastructure (Mathew & Varia, 2014; Repschlaeger et al., 2013). Mathew and Varia
further explained that cloud user organizations do not have to install cloud-based
applications on individual business users’ desktops and portable PCs, which have
historically been a source of many IT-related issues.
The basic concept of cloud computing may appear much more attractive to firms.
Cloud computing eliminates the need to pay renewal fees for software licenses or to
purchase and maintain equipment to support new versions of software (Isaila, 2013). The
dynamic allocation of computing capacity allows cloud user organizations to pay only for
the services they need and the quality of service they require at a particular time (Oredo
& Njihia, 2015). It likewise eliminates the need to hire skilled IT technicians to support
cloud-based applications. One significant aspect of cloud computing is that it provides
user organizations the ability to select fine-grained services, such as databases, storage,
and integration, according to the needs of their business, and in bundles or separately
(Catinean & Cândea, 2013). This quality potentially allows cloud user organizations to
control the level of complexity and sophistication they must have to accomplish their IT
objectives (Catinean & Cândea, 2013).
44
Cloud computing allows the concealing of physical hardware and all detailed
characteristics from cloud user organizations (Muhammad, 2015). Hardware
virtualization technology underpinning this new model permits cloud user organizations
to use multiple instances of computing resources and to run multiple software programs
at a relatively reduced cost (Dabbagh et al., 2015). The availability of company data and
applications through the cloud also enables quick and easy access to organizational
resources and productivity tools anytime and anywhere (Aharony, 2014). Moreover,
cloud computing has been shown to minimize data losses (Menard et al., 2014). As
Menard et al. found, cloud backup is a powerful way to avoid data loss; they found that a
majority of cloud users prefer to use cloud-based data backups. Furthermore, cloud
vendors often perform automatic software updates, which may relieve user organizations
of IT duties to focus on their core business (Ivanus & Iovan, 2014). If a firm’s customers
rely heavily on the constant availability of its services, cloud computing can offer
significant benefits.
Cloud computing deployment models. Cloud computing provides firms with
different models of approach to IT service delivery according to their needs (YeboahBoateng & Essandoh, 2014). Multiple cloud computing deployment models allow user
organizations to differentiate and target classes of consumers with IT service delivery
(Kalloniatis, Mouratidis, & Islam, 2013). According to Uchenna et al. (2015), there are
four cloud computing deployment models: public cloud, private cloud, hybrid cloud, and
community cloud.
Public cloud. The public cloud is generally accessible to individuals and
organizations over the public Internet (Botta, De Donato, Persico, & Pescapé, 2016).
45
Companies like Amazon, Microsoft, and Google offer cloud computing services such as
storage and applications to the general public through the public cloud (Kalloniatis et al.,
2013). In the public cloud model, individuals and companies access computing resources
over the public Internet on a pay-as-you-go basis. Individuals can also access public
cloud services for free in cases such as Google Drive, Gmail, OneDrive, and Dropbox.
Paid public cloud services include Office 365, Salesforce, and Dropbox for Business
(Kalloniatis et al., 2013). Although it may not be common to think of the services of
Twitter, Facebook, and LinkedIn as cloud services, they also provide cloud computing
services for free (Kalloniatis et al., 2013). In the public cloud model, cloud vendors
manage the shared cloud infrastructure; vendors are also responsible for costs related to
hardware, software, network bandwidth, and operations (Isaila, 2013).
The benefit of the public cloud to SMEs lies not only in cost savings related to
foregoing in-house IT infrastructure but also in reductions in energy consumption. In
addition to reducing costs related to the physical cooling of servers and facility lighting,
cloud computing may also contribute to reduced emissions (Prakash, 2013). Prakash
argued that public clouds may also help reduce vehicle emissions, such as by permitting
employees of user organizations to use cloud services to work from anywhere over the
Internet. The public cloud model allows cloud user organizations to lessen disposal of
servers, storage devices, and associated peripherals. Given that electronic components
often contain toxic materials, reduction in the disposal of such waste could have a
positive impact on the environment (Prakash, 2013). Arguably, the public cloud may
allow cloud vendors to manage the proper disposal of electronic waste and alleviate
environmental concerns.
46
Private cloud. The private cloud model follows a model similar to that of the
public cloud with a proprietary architecture (Sen, 2013). Whereas the public cloud model
provides easy and inexpensive access to vendor provided computing resources to both
individuals and companies, the private cloud model tends to be operated for a single user
organization (Prasad, Green, Heales, & Finau, 2014; Sen, 2013). Sen stated that the
private cloud deployment model allows enterprises to forego savings in capital IT
expenditure and own or lease the entire cloud infrastructure. In the private cloud model,
computing resources are not shared and are accessible only to the firm that owns or leases
the cloud (Prasad et al., 2014). Garrison, Wakefield, and Kim (2015) argued that the
private cloud model follows the traditional model of deploying IT resources on the
premise that it provides superior control over hardware, software, network components,
and greater security control.
Hybrid cloud. The hybrid cloud model provides firms with a flexible IT
infrastructure that combines some of the advantages of both the private and public cloud
models (Garrison et al., 2015). In this model, a user organization maintains some cloud
infrastructure and IT resources in-house while outsourcing some functions to a thirdparty cloud vendor (Sumit Goyal, 2014). For example, a user organization could maintain
its sensitive and confidential payroll data in its own private cloud and outsource its
employees’ portal needs to the cloud using the Microsoft Office 365 platform. Isaila
(2013) argued that the hybrid cloud model allows firms to select the aspects of private
and public clouds that make sense for their own needs. Sumit Goyal (2014) reported that
the hybrid cloud model offers the cost effectiveness and scalability associated with the
47
public cloud and the security associated with the private cloud. Isaila noted that the
hybrid cloud model may be a bit more complex and costlier than the public cloud model.
Community cloud. The community cloud model allows two or more firms to set
up a communal cloud and share the cost among participants (Sumit Goyal, 2014). For
example, wholesalers and suppliers may improve their purchasing operation flow through
a joint community cloud (Jinn-Shing, Feng-Chia, Ts…