Editor’s Note: Asad Imam is a graduate student in the United Kingdom studying E-Business and Information Systems. He recently wrote a study about the cloud computing market that we are publishing over the next three days. In part one, Asad explores the traditional challenges that cloud computing brings. Footnotes appear in the text. Following the three-part series, we will publish the full study with the footnote references.
The extensive use of information and communication technology has transformed manufacturing organizations and economies into information-centric and customer-focused ones. Today, information about a product or customer has become as valuable to a company as the product or service itself, and in some cases even more so [Feng Li, 2007]. However, gaining information is an evolutionary process that begins with the collection and storage of data and moves through analysis and processing, by which the data is transformed into knowledge. It is this knowledge that is mission critical for organizations and their success.
It is vital for an organization to ensure that the data which provides this knowledge is not compromised at any point of operation. To ensure this, organizations invest a significant amount of their capital in an IT infrastructure to preserve, process and protect what is, in the present paradigm, their most valuable asset: their data. For a small or medium-sized company, however, implementing the fundamentals of this new information-based economy is extremely demanding, as it requires a significant investment upfront.
For such organizations, choosing cloud computing is a cost-effective alternative, but one with obvious concerns. The most apparent concern is why a company would give a third party access to all of its sensitive data [Brooks, 2008]. Daniel Flax (CIO, Cowen and Co.) expresses this when he states, “it’s a scary concept when you just hand all of your important confidential data over to a third party” [Edwards, J. 2009]. Foster (1999) further argues that, since in cloud computing one company processes and stores data on behalf of another, proper mechanisms must be devised that include authentication, authorization, assurance, accounting and audit so that data security, integrity and availability are not compromised.
In addition, since every activity in cloud computing depends on the Internet, data would be sent and stored just about anywhere (data dispersion). This makes the whole concept vulnerable, as the data could end up in storage systems in locations where privacy and data protection laws are not robust [Edwards, 2009]; for a small Internet-based company this could be catastrophic. Hence it is critical to examine and create a robust mechanism to ensure data integrity, confidentiality and availability [Brynko, 2008].
Cloud computing is envisaged to repeat the economic viability of the power grids, which separated the production, distribution and consumption of electricity as a utility. The terms ‘Utility’ and ‘Grid’ are significant to ‘cloud computing’ because these were the names of its ‘predecessor technologies’. However, for cloud computing to attain such an ‘elementary’ position in the computing domain, it has to overcome various traditional, legal, financial, technical and security challenges.
Challenges: The Storm in the Cloud
The following sections present these ‘challenges’ and the solutions currently employed to address them. This prepares the groundwork for presenting how the technology has succeeded so far and its prospective future as ‘opportunities’.
The basic challenge for cloud computing is that many organizations are not even aware that such a technology exists. A recent survey in the UK showed that more than half of UK SMEs were not even aware of cloud technologies [Moorman, 2009].
In addition, it was found that for the organizations that were aware of the technology, ‘control’ was the most critical issue. Traditionally, it is considered the organization’s sole responsibility to preserve, process and protect its data. The idea of data being remotely stored and processed is beyond imagination for many organizations. It is viewed as a compromise in ‘data control’. The concern of such organizations is that the world of data computing will end up in the hands of massive distributed computing companies such as Google, Amazon and IBM, and that these companies will have exclusive control of data processing, which would enable them to manipulate prices.
In a similar argument, Malcolm Carrie suggests that adoption of cloud computing will directly challenge the core cultural and behavioral nature of an organization’s IT and security department. It is easy to understand that these departments are comfortable with the existing system, which allows them to remain in the vicinity of their data centers, giving them a notion of better control and protection.
In other criticisms, the basic concept of cloud computing is challenged. Many organizations do not consider ‘cloud computing’ a revolutionary technology at all; for them it is similar to travelling in a vicious circle. In their opinion, the term ‘cloud computing’ is a marketing ‘gimmick’ that creates hype around serving the same purpose as centralization, which was fragmented after the introduction and proliferation of PCs and servers [Malagrino, D; Cisco].
Concerns are also raised by a different set of critics: the developers. Their perspective is that cloud computing would reduce the number of computer professionals and their employment prospects.
However, all of the above concerns can be countered by pointing to the harmony Microsoft has achieved through its domination of the operating systems market, or Intel’s domination of the processor market, and their general acceptance. It has to be realized that cloud computing will not proliferate overnight. Adoption will remain a gradual process, and companies will prefer to continue with current practices and add new dimensions to their existing technical backbones until robust mechanisms are developed to ensure utmost effectiveness and efficiency.
The concept of data residing at a remote location over the Internet, with the possibility of data centers being located across different nations, triggers a set of legal confrontations. In countries such as the United Kingdom, the ‘Data Protection Act’ has to be taken into consideration. If a company that is a client of a ‘cloud vendor’ decides, in an attempt to cut costs, to store its customers’ information in remote data centers, it could end up with a potential breach of the ‘Data Protection Act’.
In addition, Angela Mari in her article quoted Alex Hamer (partner at RPC) as stating that there is a risk for a cloud user if the data about its customers is accidentally lost, damaged or stolen at a remote data storage centre. It could lead to severe claims against it by the customers or, vice versa, the company would lose its ability to claim against its customers. Mr. Hamer also suggested that most cloud computing vendors fail to provide a guaranteed level of data security, and for cloud ‘users’ this compromises a basic requirement they are obligated to fulfill under the DPA, i.e. it amounts to a failure to ensure an appropriate level of security.
Yet another perspective that has to be taken into consideration is that there are often clouds within the cloud. These sub-clouds are subcontracted by the primary cloud vendor to various providers for various services, such as one for storage and another for processing. As the user, you may never be aware of their geographical location or know whether data protection and privacy laws are being honored with regard to your data, thus leaving a clear opportunity for security breaches [Sarrel, D M, 2009]. Further, one has to consider how the ownership and legal circumstances will change should one of these subcontracted cloud vendors be acquired by another organization or, in the worst case, by a rival of the original client.
The legal challenges thus limit a potential cloud user’s choice of data that it can export to the cloud, especially in the case of government services, which are some of the early adopters of the cloud. This is exemplified by the California Public Utility Commission (PUC) case, in which its CIO Carolyn Lawson states that “Anything that has your name, address, Social Security number or driver’s license, we can’t put that in a cloud for privacy concerns” [Raths, D 2008].
In particular, the legal challenges pose a much more severe threat to the concept of cloud computing, as organizations may not even consider adopting cloud computing, let alone set methods to use it effectively. Thus it is extremely necessary that a cloud vendor addresses the key legal issues and provides complete transparency in its dealings through the use of comprehensive Service Level Agreements. The methods to address these legal challenges are explained later in the case.
Tomorrow: The security challenges of cloud computing.