The Road to Effectively Governing Cloud Computing
Organizations have witnessed the emergence of numerous new technologies. Cloud computing, for instance, is a new technology that appeared at the beginning of the 21st century and has been a part of the revolution of today’s society. Cloud computing can be traced back to utility computing, a concept promoted by Carr (2003, 2005). In line with the titles of his highly read articles, Carr (2003) claims that traditional corporate computing is coming to an end; it will be replaced by a simple utility model. He states, “As information technology’s power and ubiquity have grown, its strategic importance has diminished. The way you approach IT investment and management will need to change dramatically” (2003, p. 41), and continues, “After pouring millions of dollars into in-house data centers, companies may soon find that it’s time to start shutting them down. IT is shifting from being an asset companies own to a service they purchase” (2005, p. 67). These statements highlight the changes affecting organizations when dealing with IT and their need to shift towards cloud services. Several researchers emphasize the transformations brought about by implementing cloud technology; for example, challenging the organization’s traditional IT governance approaches, managing its IT landscape, and adjusting its processes (Yanosky and Caruso, 2008; Armbrust et al., 2010; Winkler and Brown, 2014; Ragowsky et al., 2014; Schneider and Sunyaev, 2016). In addition to these internal transformations, cloud services have challenged organizations to develop their employees’ skills (Rajendran, 2013; Dutta et al., 2013; Oredo and Njihia, 2014). Deploying new services, such as the cloud, requires new capabilities in order to understand the functionality of the adopted services.
Nevertheless, the transformations generated by cloud technology should not be taken for granted, as usage is increasing daily. According to a report presented by Ried et al. (2011), the cloud computing market is expected to reach $241 billion in 2020, compared to $40.7 billion in 2010; a 600% increase in a span of 10 years. Cloud services have been gaining popularity due to their long list of benefits. The literature has broadly studied cloud benefits along various categories; the most frequently cited are related to economics (e.g. low costs, pay-per-use, low electrical consumption), scalability (e.g. dynamically scaling resources up and down), agility (e.g. agile processes and lower time-to-market), and ubiquity (e.g. ubiquitous cloud usage) (e.g. Chebrolu, 2011; Rajendran, 2013; Zhang et al., 2010). Adopting cloud services has facilitated tasks for numerous organizations. To illustrate the large set of benefits available to various facets of today’s society, The New York Times has been using public cloud solutions provided by Amazon (the Elastic Compute Cloud and the Simple Storage Service) to transform 11 million scanned archived newspapers, from the year 1851 to the year 1980, into PDF files available to the public free of charge. Moreover, a survey conducted by Gartner (2015) forecasts an increase in cloud services adoption to $312 billion by 2019, with a yearly growth of 15%. It is important to notice that the higher the intensity level of cloud services adopted, the more the organization can benefit from the different opportunities. However, adopting cloud services would be ‘too good to be true’ if it were risk-free. The literature also identifies the most commonly mentioned risks, which are related to security (e.g. insider and outsider attacks, data loss, data confidentiality), compliance (e.g. integrity and regulation laws), and reliability (e.g. downtime, availability of servers, congestion) (e.g. Dutta et al., 2013; Onwubiko, 2010; Srinivasan, 2013). This also leads to the fact that the higher the intensity level of cloud services adopted, the more the organization is faced with risks.
For illustration purposes, the Sky High survey claimed that in 2016, an organization adopts on average 37 file sharing (cloud) services, such as OneDrive, WeTransfer, Dropbox, Google Drive, etc. First, this large number of services increases the organization’s costs, as each service carries many small licenses, which add up to a larger amount. In addition, collaboration between departments becomes harder when each one uses a different platform to share its files. Moreover, since these services are not always secure, they increase the risks in the organization. It is important to be aware that not every cloud service offered is actually risk-free. For instance, the Sky High survey (2016) identifies the top 10 most approved cloud services: OneDrive, Salesforce, SharePoint Online, Exchange Online, Cisco Webex, Skype for Business, Concur, Box, Oracle Taleo, and ADP. These services vary in functionalities, including file sharing, customer relationship management (CRM), video calls, etc. On the other side, the survey also pinpoints the top 10 most outlawed cloud services: the Pirate Bay, PDF split, PicResize, KickTorrent, PDFUnlock, DocSlide, 4Shared, Pastebin, WebICQ, and PDF to Doc. The functionalities of these services also vary: illegal downloads, splitting PDF files, unlocking PDF files, sharing files, converting PDF files into Microsoft Word files, etc. It is important to identify these services so that organizations become aware of the high risk associated with each cloud service they desire to adopt. However, many employees remain unaware of the high risks engendered by such outlawed services. For instance, some might need to split their PDF files into several documents using the PDF split online service. Had the files contained sensitive and critical information, the simple task of splitting them would have been highly dangerous, and the files would potentially have been hacked.
Organizations must be aware that security controls vary from one cloud service provider to the other, making every cloud service differently secured. Therefore, before the adoption phase, organizations need to ensure the security of the desired services through the contracts signed with their cloud service providers.
As business departments are blinded by the benefits generated by cloud services, they generally use them without the help of their IT department. Based on the previously illustrated examples, employees think they can safely upload a corporate file to the Internet and use such services, risk-free. Their ignorance and lack of awareness of all possible risks unwittingly increase the level of threats facing the organization. Therefore, governing cloud solutions is a critical mission for organizations today, during the fast-growing and overwhelming digital wave. Governing cloud computing is not an easy task to accomplish, due to the diverse transformations it engenders. Many analogies compare the governance of cloud services to several concepts. One interesting analogy compares it to a cat, where cloud users think they are in control until the cat decides it’s playtime, food time, or simply ‘leave me alone, I want to sleep’ time. Cloud services are known for being hard to control, where providers have the power to do as they please. This exaggeration illustrates the difficulty that organizations go through when adopting cloud services. Therefore, to avoid such high risks and increase their security level, it is imperative that they control and monitor their departments as long as they are adopting cloud services.
As important as monitoring cloud services seems, the academic literature tackling cloud governance models is still scarce. While only a few research works present a governance model for cloud computing, they do not address all of its different angles, and do not present the different steps leading to effective governance of cloud services.
Meanwhile, cloud services are part of the organization’s IT. Thus, to simplify the tasks for organizations, it might be possible to govern them through their IT governance. However, due to the diverse transformations engendered by cloud services, and the numerous risks generated, we surmise that an organization’s IT governance needs to be adapted to cloud computing. Therefore, the research question of this thesis is: “Does the adoption of cloud services require a specific governance model?”
The following sections are devoted to elucidating the research aim and objectives, and then presenting the thesis structure from the introduction to its conclusion, in order to find answers to the stated research question.
Research Aim and Objectives
This research work is motivated by the primordial need for governance. Several previous cases of ineffective governance emphasized the importance of effectively governing organizations’ IT. Based on these numerous incidents, IT governance appears to be critical for the success of organizations. In addition, the emergence of cloud services propagates various transformations within the organization. In spite of the large set of benefits promised by cloud computing, it also generates numerous risks. These engendered risks hamper the adoption of cloud services for organizations. Therefore, in order to increase cloud adoption, the importance of governance is accentuated today.
The objective of this research work is to first explore whether cloud services can simply be governed through the organization’s IT governance or if they require specific governance. In the latter case, this research aims at studying the different aspects needed to effectively govern cloud services.
Thesis Structure
We started the research presented in this thesis with an introduction (Chapter 1). This chapter introduced the rise of IT governance in organizations throughout the last decades. Along with the rise of IT governance, organizations witnessed the emergence of new technologies, such as cloud computing, leading to a large number of transformations for organizations as well as for employees. These transformations prompted organizations to seek different ways to address them, thus highlighting the need to govern cloud services. Therefore, we questioned whether deploying cloud technologies in an organization required a specific governance model.
In order to introduce and explain the context of this thesis (IT governance and the deployment of cloud services by organizations), Chapter 2 is devoted to presenting the literature review under three sections. The first section offers an introduction to Information Technology and its different aspects, with a special focus on IT governance. The following section of the literature review covers the cloud computing concept as an emerging technology, while focusing on the transformations it engenders and the governance models proposed by other researchers. The third section presents the existent maturity models in the literature while emphasizing the benefits generated through assessing the maturity of organizations. Chapter 2 also identifies the different research problems of this thesis that emerged through exploring the Information Systems literature.
The aim of Chapter 3 is to identify and develop the research design of this thesis. It first provides the foundations regarding the methodological approach, the philosophical epistemology, and the research methods used by authors in the IS field. The second part of this chapter explains the choices we made to conduct the research presented in this thesis: a qualitative methodological approach, an interpretivist philosophical epistemology, and interviews and documentation as the methods adopted. It then provides the reader with a detailed explanation of these methods, where two rounds of interviews were conducted (Part I and Part II). Finally, the chapter discusses the methods adopted to analyze the two rounds of interviews.
In Chapter 4, we introduce the results from our analysis, which is divided into two parts. The first part (Part I) mainly identifies the need for specific governance when adopting cloud services. While participants mention the various benefits and threats generated by cloud technologies, they also highlight the different transformations engendered by their adoption. The second part (Part II) is devoted to unveiling the possible correlation between organizations’ IT governance and their intensity level of cloud adoption. This correlation is studied through the application of the Cloud Maturity Model proposed by the Open Data Center Alliance (ODCA, 2013). Based on this model, we calculate the cloud maturity of each interviewed organization. Then, this chapter presents different governance models for organizations showing different cloud adoption intensity levels. An in-depth analysis of this correlation follows.
Chapter 5 displays an overall representation of the results emerging from Part I and Part II, while comparing our findings to the current literature review (Chapter 2). Following this comparison, we outline the contributions regarding the main constructs of this thesis: the need for specific governance when adopting cloud services and its correlation with the intensity level of adoption. We then discuss the key limitations of this work and bring out the originality and novelty of our contribution, while providing directions for future research.
The last chapter (Chapter 6) summarizes this work while stating concluding remarks.
Figure 1 represents the detailed outline of this thesis.
Table of contents:
I. The Road to Effective IT Governance
II. The Road to Effectively Governing Cloud Computing
III. Research Aim and Objectives
IV. Thesis Structure
First Section: IT Governance Background
I. Information Systems
1. What are Information Systems?
2. What is Information Technology?
3. Why is IT Important for Organizations?
1. What is Governance?
2. The Need for Governance in Organizations
3. Levels of Governance
3.1 Corporate Governance
3.2 IT Governance
3.2.1 What is IT Governance?
3.2.2 Why is IT Governance Important?
3.2.3 Domains Covered by IT Governance
i. Strategic Governance
a. Strategic Alignment
b. Value Delivery
ii. Management Governance
a. Risk Management
b. Resource Management
iii. Operational Governance
a. Performance Measurement
3.2.4 IT Governance Types and Contingency Factors
i. Contingency Factors
ii. Effect of Contingency Factors
iii. Interaction and Effect of Multiple Contingency Factors
3.2.5 Implementing IT Governance
3.2.6 IT Governance Components
i. IT Governance Decisions
ii. IT Governance Decision Making
a. Types of Decision Rights
b. Decision Making Criteria
c. Decision Makers Allocation
iii. IT Governance Mechanisms
a. Decision-Making Structures
b. Business Processes
c. Relational Mechanisms
3.2.7 IT Governance in the Digital Age
Second Section: Cloud Computing
I. History of Cloud Computing
1. Evolution towards Cloud Computing
2. Emergence of the Cloud Computing Market
II. What is Cloud Computing?
1. Cloud Computing Definition
2. Cloud Computing Characteristics
III. Cloud Ecosystem
1. Components of the Ecosystem
2. Users and Providers Relationship
IV. Cloud Service Models
4. Cloud Services Examples
5. Cloud Deployment Models
V. Cloud Computing Statistics
VI. Traditional Outsourcing vs Cloud Computing
1. IT Outsourcing vs Cloud Computing
2. Traditional Datacenters vs Cloud Services
VII. Cloud Computing a fifth utility?
VIII. Cloud Computing Benefits vs Risks
1. Cloud Computing Benefits
2. Cloud Computing Risks
IX. Cloud Computing Contracts
1. Standardized Contracts
2. List of Possible Clauses
3. Contracts Documents
X. Impact of Cloud Computing on Organizations
1. Organizational Transformations
2. Development of New Skills in Organizations
3. Shadow IT
XI. Governance of Cloud Computing
1. New Governance Mechanisms
2. Existing Cloud Governance Models
Third Section: Maturity Models
I. Maturity Model Definition
II. Existing Maturity Models
1. COBIT Framework®
2. Capability Maturity Model®
3. IT Capability Maturity Framework®
4. Maturity Models Descendants
5. The Cloud Maturity Model®
5.1 Cloud Capabilities
5.2 Maturity Levels
5.3 Cloud Maturity Evaluation
I. Methodological Approach
II. Philosophical Epistemology
III. Methods for Data Collection
4. Methods Used
4.1 Phase I – First Round of Interviews
4.1.1 Data Collection
4.1.2 Data Analysis
4.2 Phase II – Second Round of Interviews
4.2.1 Data Collection
4.2.2 Data Analysis
Part I: Phase I of Interviews
I. Cloud Computing and its Impact on Organizations
1. Towards a more Business Oriented Approach
2. Emergence of New Skills in IT Functions
3. New IT Processes, Methodologies and Infrastructure
4. New Approaches of Security and Data Privacy
5. CSPs: New Stakeholders in Organizations
6. The Development of Shadow IT Practices
6.1 Organizations with No Sign of Shadow IT practices
6.2 Organizations with Shadow IT Practices
6.2.1 Reasons behind Shadow IT Practices
6.2.2 Which Service Models are Mostly Concerned?
6.2.3 Shadow IT Impacts on IT Departments and Organizations
II. Corporate Strategy behind the CC Adoption
1. The Highly Competitive Market
2. The Urge for Innovative Solutions
3. Reduction of Costs
III. Benefits of Cloud Computing
1. Economic Benefits
2. Scalability Benefits
3. Performance Benefits and Improved Quality of Service
4. Agility Benefits and Decreased Time-to-Market
5. Ubiquity Benefits
6.2 Standardized Solutions and Competition
IV. Risks of Cloud Computing
1. Security Risks
2. Reversibility Risks
3. Compliance Risks
4. Societal Risks
5. Dependency on Suppliers
6. How would French Organizations Mitigate their Risks?
V. Adopting Cloud Solutions: a Long Decision Process
1. Cloud Decisions
2. Cloud Decision Makers
3. Cloud Governance Mechanisms
3.1 Decision-making Structures
3.2 Business Processes
3.3 Relational Mechanisms
VI. Cloud Contracts
Part II: Phase II of Interviews
I. Group Classification
II. Group Analysis
III. Cloud Maturity Model Levels Verification
IV. Spider Charts Illustrations
V. In-depth Analysis
VI. Cloud Governance Framework
VII. Governance Models