In recent years many people have come to believe cloud computing is the most notable paradigm shift in information technology since the appearance of the Internet. According to industry analysts at Gartner Research, cloud technologies are now at the top of most CIOs' priority list and organizations are expediting their implementations of cloud services. Current estimates indicate that organizations are beginning to make the transition to this new model of computing and will collectively spend $148.8 billion worldwide on cloud services through 2016 (Gartner Research, 2010). As cloud computing quickly transforms the IT landscape, discussions regarding its adoption have progressed from if to when. Organizations of all sizes are now showing keen interest in cloud services that increase business agility and reduce technology infrastructure costs. Many cloud offerings provide both economic and strategic advantages, however they also present notable security risks for organizations that must defend against their intellectual property and corporate information assets, all while adhering to a variety of industry and government regulations (GeoTrust, 2011).
In spite of the economic rewards of using cloud computing, concerns about security risks and data privacy have slowed its adoption in many organizations (Gens, 2009). With so many different cloud deployment options, software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS); public vs. private deployments, internal vs. external hosting, and various hybrid configurations, all including virtualization, organizations need guidance and a framework that help them evaluate initial cloud risks and shape their security decisions. Additionally, over time as organizations expand from just one cloud service to using several from disparate providers, they must effectively manage these multiple cloud-service providers, with different infrastructures, operational practices, and security expertise. These levels of complexity require a pervasive and highly trustworthy method of securing organizational data as it is transported to and from cloud service providers.
The idea of cloud computing mystifies many managers and organizations. Similar terms are often used to describe cloud computing, such as: grid, distributed, on-demand, cluster, utility, virtualization, and software-as-a-service. More directly, cloud computing refers to end-users connecting with applications running on sets of shared servers, often hosted and virtualized, instead of a traditional dedicated server. For over thirty years client-server computing has provided applications that were assigned to specific hardware, often residing in on-premise data centers. On-demand cloud computing empowers its end-users by allowing them to use their choice of Internet-connected device, on any day or at any time (Knorr & Gruman, 2009).
The U.S. National Institute of Standards and Technology (NIST) describes cloud computing in their publication NIST 800-145, "The NIST Working Definition of Cloud Computing." NIST's definition describes five crucial characteristics (broad network access, rapid elasticity, measured service, on-demand self service, and resource pooling), three cloud service models (SaaS, PaaS, and IaaS), and four cloud deployment models (public, private, hybrid, and community), as seen in Figure 1 below (Cloud Security Alliance, 2011b).
[FIGURE 1 OMITTED]
Software-as-a-Service (SaaS), often referred to as on-demand software, is a software deployment and subscription-pricing model that delivers an enterprise application as a managed service by a software vendor. SaaS systems are accessible via the Internet, or a network, and are charged on a subscription service basis, often based on the number of users. SaaS solutions transfer the responsibility and liability of implementing and maintaining a system from the customer to the SaaS provider; thus eliminating additional costs and complexities when installing additional hardware, or hiring more support staff to fuel expansion and growth. …