Startup in The Cloud

Startup In The Cloud
Information Systems For Startup Companies Based On Cloud Computing
Hans Martin Galliker
FH BKO-C06
Startup In The Cloud
Information Systems For Startup Companies Based On Cloud Computing
Bachelor Thesis – Individual Work
Bachelor Of Arts In Business Communication
University Of Applied Sciences In Business Administration Zurich
Submitted To:
Beat Hofer, Executive MBA
General Manager, PanOptimum GmbH
Submitted By:
FH BKO-C06
Maihusen, 6215 Beromuenster, Switzerland
Zurich, February 26, 2010

Management Summary
Cloud computing is a technology that enables to use software as a service. Cloud computing service
providers assure to deliver the software at less cost than ever. The services are promised to run without
downtime and require solely an internet connection and a browser. Some services are completely free, such
as Google Mail, whereas others like Salesforce are paid according to the effective usage. Cloud computing
promises flexible business processes in order to keep up with constantly changing markets, shorter lead times
and better connectivity by using the intelligence of social networks.
These promises are not unheard, the business press is constantly giving an account of cloud computing.
But what does it mean for startups, entrepreneurs and small companies? This thesis Startup in the Cloud
examined whether cloud computing is secure, affordable, simple, lawful, available to all industries and
whether it is encouraging innovation.
The research results have shown that startups and small companies are able to benefit from the cloud
computing services the most. The absence of capital expenditure is excellent news for startup companies and
they also have a leveraged advantage out of the flexibility that cloud computing offers. Simply because
smaller organisations can capitalize faster on new market opportunities in comparison to larger companies.
The downside is the dependency on the service provider, the reason being that data is stored in a data
center and depending on the contract and technical hurdles can it prove to be difficult to move to another
service provider. However, by seriously assessing the business requirements and analyzing the risks, it is
possible to compare offerings from different service providers in order to avoid being locked. Furthermore,
supranational organizations, public institutions, non-profit organizations, private communities and even the
IT industry aim towards an open cloud with compatible, public standards.
Cloud computing has been given the potential to democratize global business opportunities, as
principally anyone with internet access has the chance to use sophisticated information systems. This seems
to be an interesting prospect for startups, entrepreneurs and small companies from all over the world. The
author of this thesis recommends strongly to assess the opportunities that cloud computing offers to them.
i
Table of Contents
Management Summary........................................................................................................................ I
Declaration........................................................................................................................................... V
Methodological Approach ............................................................................................................... Vi
Initial Position ..................................................................................................................................... 1
Defining Cloud Computing ................................................................................................................ 2
Definition ................................................................................................................................................ 2
Essential Characteristics ........................................................................................................................... 3
Service Models ........................................................................................................................................ 6
Deployment Models.................................................................................................................................. 8
Cloud Computing Security..................................................................................................................... 10
Cloud Computing Enablers And Trends ................................................................................................. 11
Connecting Clouds............................................................................................................................. 11
Open Standards And Open Source Community ................................................................................ 12
Service Orientation ........................................................................................................................... 13
Grid Computing ................................................................................................................................ 13
Significance: Defining Cloud Computing ............................................................................................. 14
Political Implications And Standardization .................................................................................... 15
Understanding Global Governance To Enable Global Business Opportunities .....................................15

Activities On Continental Level ............................................................................................................. 19
United States...................................................................................................................................... 20
Asia.................................................................................................................................................... 22
Europe................................................................................................................................................ 23
Standardization....................................................................................................................................... 25
ISO Standard For Cloud Computing ................................................................................................ 25
Overlapping Competencies ............................................................................................................... 26
Bottom-up Standardization ............................................................................................................... 26
Significance: Political Implications And Standardization ...................................................................... 27
Market, Economics And Trends ...................................................................................................... 30
Business Benefits In General .................................................................................................................. 31

Benefits For Startups And Small Companies In Particular .................................................................... 32
ii
Fundamental Business Economics .......................................................................................................... 34
Cloud Computing In Large Enterprises ................................................................................................. 35
Variations And Industries ........................................................................................................................ 36
Ever Changing Business Requirements .................................................................................................. 38
Relationships As A Driver ................................................................................................................. 38
Buyers Become Sellers...................................................................................................................... 40
Human Interaction Management ...................................................................................................... 41
Trends..................................................................................................................................................... 44
Encouraging Innovation By Simplicity ............................................................................................. 44
Software Paradigm Shift Away From Conventional To Pay As You Go ..........................................45
Freemium - Cloud Computing As A Potential Cost Trap .................................................................. 46
Hosted Open Source Business Opportunities .................................................................................... 46
Paradigm Shift Of Change – From Push To Pull And From Mass To Micro Markets ...................... 47
Mega Data Centers............................................................................................................................ 47
Brokering Cloud Services ................................................................................................................. 48
Significance: Market, Economics And Trends ....................................................................................... 49
Evaluation Guide............................................................................................................................... 50
How To Approach A Cloud Computing Evaluation? ............................................................................. 50

Who Is Initiating And Attending The Evaluation? ................................................................................ 51
Introduction To CSA Guidance For Cloud Security Assessment ........................................................... 52
CSA Guidance: Section 1. Cloud Architecture ...................................................................................... 56
Domain 1: Cloud Computing Architectural Framework ................................................................... 56
Domain 2: Governance And Enterprise Risk Management .............................................................. 60
Domain 3: Legal And Electronic Discovery ..................................................................................... 61
Domain 4: Compliance And Audit.................................................................................................... 61
Domain 5: Information Lifecycle Management ................................................................................ 62
Domain 6: Portability And Interoperability ....................................................................................... 62
Domain 7: Traditional Security, Business Continuity And Disaster Recovery ................................. 62
Domain 8: Data Center Operations.................................................................................................... 62
Domain 9: Incident Response, Notification And Remediation ......................................................... 62
Domain 10: Application Security ...................................................................................................... 63
Domain 11: Encryption And Key Management ................................................................................ 63
Domain 12: Identity And Access Management ................................................................................. 63
Domain 13: Virtualization................................................................................................................. 64
Orientation In The Cloud Computing Jungle ........................................................................................ 64
Significance: Evaluation Guide .............................................................................................................. 65
iii
Conclusion: Cloud Computing Information Systems For Startups .............................................. 67
Table Of Tables................................................................................................................................... 68
Table Of Illustrations......................................................................................................................... 69
Bibliography....................................................................................................................................... 70
Annex: Consulting Experts............................................................................................................... 79
iv
Declaration
I certify that:
! the thesis being submitted for examination is my own account of my own research
! the data and results presented are the genuine data and results actually obtained by myself during the
conduct of the research
! this thesis in identical or similar form has not yet been submitted to any other board of examiners
Zurich, February 26, 2010
…..........................................
v
Methodological Approach
The following methodologies have been applied:
! Literature research
! Consulting experts
Experts have been consulted in order to get answers on specific questions of interest:
! Both, experts with a distinct academical background and experts with rather practical background
have participated
! A questionnaire with results can be found in the annex
The following table shall give an overview of how the methodological approaches have been applied:
Theoretical only * Mixed theoretical and Rather practical *** Own assumptions &
practical ** conclusions ****
Initial Position x
Problem Analysis x (H)
Defining Cloud Computing x
Political Implications and
Standardization
x
Markets, Economics and
Trends
x
Evaluation Guide x
Conclusion x
Table a: Application of methodological approaches. Annotations: (H) main questions and
assumptions hypothesized / * Without results from “Consulting Experts” and completely derived and
supported by literature / ** Includes results from “Consulting Experts” and extensively derived and
supported by literature / *** Includes results from “Consulting Experts” and enhanced with derived opinions
from the author of this thesis / **** Setting in context Assumptions & Findings with own experiences
The citations within text, footnotes and bibliography have generally been made on the base of Chicago
Manual of Style (Note with Bibliography). This style has been introduced in 1906 and is now in its 15 th
edition. It is widely used in the Angle-Saxon area for scientific publications and books and is the base for
several other styles. 1
The following list reflects the accredited value of the source types that have been used. In general, the
sequence gives an account of the importance given, the exception proves the rule. The designations in the
1 cf. University of Chicago, “The Chicago Manual of Style Online - 15th Edition: Chicago-Style Citation Quick Guide.”
vi
brackets specify the citation type due to the Chicago Manual of Style (Note with Bibliography) according to
which the citation elements are structured:
! Documents from standardization bodies with widely recognized acceptance from the business and the
academic world (Book or Report or Document)
! Scientific books (Book)
! Scientific publications ( Report)
! Scientific journals (Journal)
! Online articles from “serious” newspapers ( Newspaper Article)
! Videos (Video)
! Conference presentations ( Presentation)
! Blogosphere (Blog Post)
! An online database application filled with survey replies from consulted experts ( Interview)
! Emails (Email)
! PDF's from commercial companies ( Document)
! Informal websites (Web Page)
vii
Startup in the Cloud 1
Initial Position
Founding a global operating, sustainable company is the dream of many young people. In order
to fulfill this dream, fresh ideas, drive, innovation, reliable partners and efficient information
handling, amongst many other points, are required. Inspiration and creativity knows no boundaries
and many, somewhat challenging, ideas may at first have been scorned, only to be finally
acknowledged as something which truly adds value to our society.
There is a new wave of technology; some call it a new business philosophy, which could help
young entrepreneurs to make their dream come true. It is called cloud computing. Cloud computing
promises to provide highly-scalable information systems over the internet. All that is required is an
internet browser. No investment capital is needed as it follows the pay-as-you-use principle. If what
the business press and cloud computing pioneers say is true, then cloud computing could offer
unforeseen opportunities to broad levels of the population, no matter where, as long as internet access
is granted. It could, in a manner of speaking, enable young people to “Startup in the Cloud”.
But is cloud computing secure, affordable, simple to implement and in line with national laws?
Does it foster innovation and is it available to all industries?
Is it possible to cover the information system needs of multinational

startup companies based on cloud computing?
This bachelor thesis will answer these questions in a neutral and comprehensible way. It
highlights the needs of startup companies who probably have the highest demand for smart but
affordable information systems. The thesis is divided into four main parts:
! Defining cloud computing: Describes the characteristics of cloud computing
! Political implications and standardization: Highlights possibilities and opportunities for

those who could benefit most from cloud computing
! Market, economics and trends: How cloud computing can be used and the most important
trends
! Evaluation guide: How to approach an evaluation of cloud computing
The intended readers are startup companies, entrepreneurs who want to make a change, executive
management level from smaller companies and chief information officers, but also everyone else
who is interested in technology and in doing business.
Defining Cloud Computing
“Cloud Computing is a new term for a long-held dream of computing as a utility, which has
recently emerged as a commercial reality.” 2 University of California
Cloud computing does not have a birthday and it was not formally invented. Some underlying
technologies have been used since the beginning of computing. Cloud computing is basically a new
way of delivering computer resources as a service. According to IDC's analysis, this emerging market
for cloud services is estimated to grow from $17.4bn in 2009 to $44.2bn in 2013. In spite of these
numbers, cloud computing is not yet clearly defined and is still in an early, but dynamic development
process. 3 4 5
Definition
There is no universal definition for cloud computing, as it is a highly controversial topic. The
most heard criticism is that cloud computing is nothing new and therefore does not need a definition.
To complicate matters further, no cloud computing standard work has been published yet with an
acceptance analogue like for example Kotler's “bible” in the field of marketing. 6 7 8
However, the most used definition source is a two-pages word document which was initially
written in 2008 by the Computer Security Division of the US National Institute of Standards and
Technology (NIST) and since then has continuously evolved under the auspices of NIST after
extensive consultation between IT governance institutions, industry and academia.The European
Network and Information Security Agency (ENISA), which also gained authority in the cloud
computing area, has leveraged the NIST definition by accepting it in November 2009 as the leading
cloud computing definition. 9 10 11
2 in dependence on Parkhill, 1966, "The Challenge of the Computer Utility", cited by Armbrust et al., Above the Clouds:
A Berkeley View of Cloud Computing , 2.
3 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 21.
4 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 7.
5 cf. Gens, Mahowald, and Villars, 2009, "IDC Cloud Computing 2010 - An IDC Update", cited by Catteddu and
Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security , 4.
6 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” 1.
7 cf. Chen, Paxson, and Katz, What’s new about Cloud Computing Security? , chap. 2.
8 cf. Balachandran, “The Messiah of marketing.”
9 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 2.
10 cf. Object Management Group et al., “Cloud Standards Coordination.”
11 cf. Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security , 14; 93.
Illustration a: Visual Model of the NIST Working Definition of Cloud Computing. Source: Reproduced according
original source by NIST, 2009.
The following sub-chapters are structured according to the NIST definition and quote in each
case at the beginning the appropriate definition followed by further considerations.
“Cloud computing is a model for enabling convenient, on-demand network access to a

shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. This cloud model promotes availability
and is composed of five essential characteristics , three service models, and four deployment
models.”12
Essential Characteristics
Many attributes can be accredited to cloud computing, but according to NIST these five essential
characteristics can be named: First, on-demand self-service, second, broad network access, third,
resource pooling, forth, rapid elasticity and fifth, measured service. With one of them missing, cloud
computing can in the strict sense not be called as such, or at least the usage value will be limited if
one is missing. To improve the reader friendliness, are the conclusive literally quotes set in grey tone.
1. On-demand self-service: “A consumer can unilaterally provision computing

capabilities, such as server time and network storage, as needed automatically
without requiring human interaction with each service’s provider.” 13
12 Mell and Grance, “The NIST Definition of Cloud Computing v15.”

13 Ibid.
This can help smaller companies to overcome the obstacles for sophisticated e-business
cooperations. For example, with the latest generation of cloud-based payment services is it possible
to easily include payment systems into web applications. Specialized service providers such as
PayPal make such cloud web services available to their customers (from end-users up to
multinational companies) and require no more extensive contracts and long-term commitments. It is
just pay-as-you-go via credit card. Small companies or even micro businesses such as startups now
have online commerce opportunities that go beyond traditional online shopping. 14 15 16 17
2. Broad network access: “Capabilities are available over the network and
accessed through standard mechanisms that promote use by heterogeneous thin
or thick client platforms (e.g., mobile phones, laptops, and PDAs).” 18
While platform independence has released applications from proprietary hardware, can cloud
computing applications be used from anywhere, anytime with any type of device, as long as it has
a browser. 19
3. Resource pooling: “The provider’s computing resources are pooled to serve

multiple consumers using a multi-tenant model, with different physical and
virtual resources dynamically assigned and reassigned according to consumer
demand. There is a sense of location independence in that the customer generally
has no control or knowledge over the exact location of the provided resources but
may be able to specify location at a higher level of abstraction (e.g., country,
state, or datacenter). Examples of resources include storage, processing,
memory, network bandwidth, and virtual machines.” 20
The Cloud Security Alliance (CSA), an often cited non-profit organisation with individual
members from science and industry, has chosen to align with the NIST definition but argues the
undervaluation of virtualization by subordinating it to resource pooling, the same applies to multi-
tenancy. 21
In fact, virtualization is both; a strong enabler for the upraise of cloud computing and at the same
time not necessarily a requirement. Cloud services can for example be deployed directly on a server
without (hardware) virtualization layer. However, virtualization is usually deployed because the
virtualization can adjust better to changing performance requirements and uses the resources more
14 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 6.
15 cf. Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance
and Social Interaction, 71-72.
16 cf. Reese, Cloud application architectures , 174.
17 cf. Lawson, “PayPal opens door to developers.”
19 cf. Velte, Velte, and Elsenpeter, Cloud Computing: A Practical Approach , 92.
21 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 15.
efficiently. Widely known are enterprise hardware virtualization technologies such as VMware or the
open-source Xen hypervisor, which for example is used by Amazon Web Services (AWS), a well-
established cloud service from the cloud computing provider pioneer Amazon. Virtualization can also
happen on the software layer, as for example SaaS is using it to offer different users, different,
decoupled services while running only one software. 22 23
Many other definitions than the one from NIST define the multi-tenancy model as an integral
characteristic of cloud computing. CSA describes its role as follows: “Multi-tenancy in cloud
service models implies a need for policy-driven enforcement, segmentation, isolation, governance,
service levels, and chargeback/billing models for different consumer constituencies. Consumers
might utilize a public cloud provider’s service offerings or actually be from the same organization,
such as different business units rather than distinct organizational entities, but would still share
infrastructure.” 24 The architectural approach of multi-tenancy can lead to improved operational
efficiency because the shared infrastructure, data, metadata, services, and can be shared across
many different consumers. 25 26
4. Rapid elasticity: “Capabilities can be rapidly and elastically provisioned, in

some cases automatically, to quickly scale out and rapidly released to quickly
scale in. To the consumer, the capabilities available for provisioning often appear
to be unlimited and can be purchased in any quantity at any time.” 27
Some conditions must be met to profit from rapid elasticity. Not every application can simply
be put in a cloud environment, it needs to be“architected for seamless scale-up and scale-
down in a linear fashion in response to load or declarative policy […] automatic scaling
requires additional levels of management of the basic cloud system infrastructure, and it may
not be consistently available across cloud system infrastructure providers.” 28
5. Measured Service: “Cloud systems automatically control and optimize

resource use by leveraging a metering capability at some level of abstraction
appropriate to the type of service (e.g., storage, processing, bandwidth, and
active user accounts).” 29
22 cf. Reese, Cloud application architectures , 6.

23 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 186.
25 cf. Fingar, Dot.cloud: The 21st Century Business Platform , 42-43.
26 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 17-18.
28 Knipp et al., Creating Cloud Solutions: A Decision Framework , 41.
29 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 1-2.
The measured service characteristic distinguishes the usage-based cloud computing pricing from
hosting (rent) and common outsourcings which are to a greater or lesser extent inflexible contracts. 30
Service Models
Cloud computing consists of three distinctive service models which are Software as a Service
(SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Additionally, several
other secondary variations exist. 31
1. SaaS - Cloud Software as a Service: “The capability provided to the consumer

is to use the provider’s applications running on a cloud infrastructure. The
applications are accessible from various client devices through a thin client
interface such as a web browser (e.g., web-based email). The consumer does not
manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specifi c application confi guration
settings.” 32
SaaS is sometimes described as the user level of cloud computing because SaaS applications are
ready to use and just need to be logged in via a browser. Basically, no administrative hassle occurs, at
least as long as no change to the SaaS provider is planned. 33
SaaS can often be adjusted to company processes and user-specific look-and-feel but usually lack
the possibilities to customize it on a deeper level. Some application providers are addressing this
problem by offering Application as a Service (APaaS). They open up the hood to their customers by
letting them configure, customize and extend the application thanks to integrated development,
deployment and management services. These services are optimized for cloud computing by
supporting the delivery of the end application as a multi-tenant cloud service without losing the fine-
grained elasticity of the cloud computing infrastructure. Typical APaaS offerings are the online
database application Zoho Creator and Salesforce's Force.com platform service. 34
The development does not happen on a low level; it applies the metadata-driven programming of
the model-driven architecture. However, compared with pure SaaS leads APaaS to additional
complexity – this is something that startup companies usually try to avoid. Rather than looking for
precise adjustments they look for elasticity and seamless integration to other information systems. 35
31 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 15.
32 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
33 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7; 29.
34 cf. Knipp et al., Creating Cloud Solutions: A Decision Framework , 8.
35 cf. Ibid., 2; 8-10.
2. PaaS - Cloud Platform as a Service: “The capability provided to the consumer

is to deploy onto the cloud infrastructure consumer-created or acquired
applications created using programming languages and tools supported by the
provider. The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, or storage, but has
control over the deployed applications and possibly application hosting
environment configurations.” 36
PaaS is sometimes described as the developer level of cloud computing, as it is the developers
and tech-savvy users who make the infrastructure layer available to the (end-)user. A difference is
made between the sub-categories Programming Environments and Execution Environments . Cloud
programming environments (for example Django Framework) depend on “conventional”
programming languages and selectively complement them with additional functionalities. Parts of the
software are decoupled which eases the adaption of “conventional” environments atop cloud
computing environments. By contrast cloud executing environments (for example Google Apps) rely
usually on their own programming environment. However, the borderline between cloud
programming environments and cloud execution environments has become more blurred. 37 38
3. IaaS - Cloud Infrastructure as a Service: “The capability provided to the

consumer is to provision processing, storage, networks, and other fundamental
computing resources where the consumer is able to deploy and run arbitrary
software, which can include operating systems and applications. The consumer
does not manage or control the underlying cloud infrastructure but has control
over operating systems, storage, deployed applications, and possibly limited
control of selected networking components (e.g., host fi rewalls).” 39
IaaS is sometimes described as the IT level of cloud computing because IaaS is close to the
hardware that is commonly operated by so-called “typical” IT personnel such as infrastructure
system engineers. IaaS providers (for example IBM Blue Cloud) isolate the hardware from the upper
development and application layers in order to maintain a high flexibility to scale-up/out and
protection against hardware failures. This abstraction is usually done with the already mentioned
hardware virtualization. The aspect of deploying complex existing applications and its middleware to
IaaS is probably less relevant for non-IT startups, because they usually start on the greenfield and are
therefore more likely candidates for ready to use SaaS applications. 40 41 42

37 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.
38 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 33-35.
40 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.
41 cf. Buyya et al., “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the
5th utility,” 600.
42 cf. Knipp et al., Creating Cloud Solutions: A Decision Framework , 7.
Deployment Models
According to NIST, cloud computing instances can be operated according to four different
deployment models: Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud . However, it
cannot be assumed that every cloud provider support all of these deployment models. 43
1. Private cloud: “The cloud infrastructure is operated solely for an organization. It

may be managed by the organization or a third party and may exist on premise or
off premise.” 44
Private clouds and efficient on the premises installations can have many common characteristics
such as virtualization or the same programming models and tools. The difference is the ability of
private clouds to move workloads into their own infrastructure and outside sets of infrastructure at
the same time. However, as the structure is already reasonably in the public cloud and has gained
some independence, it can offer unforeseen opportunities because of the ability to turn the tables by
opening their (private) cloud services to external partners to collaborate or to run it like a profit
centre. 45 46
In the strict sense can private clouds not be categorized as cloud computing because “it lacks
the freedom from capital investment and the virtually unlimited flexibility of cloud
computing.”47 Nonetheless, the fact that private clouds can be run behind the organization's
firewall can make it a feasible entry point to the world of cloud computing “for companies
that either have significant existing IT investments or feel they absolutely must have total
control over every aspect of their infrastructure.” 48 49
2. Community cloud: “The cloud infrastructure is shared by several organizations

and supports a specifi c community that has shared concerns (e.g., mission, security
requirements, policy, and compliance considerations). It may be managed by the
organizations or a third party and may exist on premise or off premise.” 50
Enterprises, groups or individuals who have a common purpose share their collective distributed
computing power in order to accumulate many community cloud subsets that are all connected within
trusted Virtual Private Networks.51
43 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 1.
45 cf. MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.”
46 cf. Bittmann, “Building a Private Cloud: Are We There Yet?.”
47 Reese, Cloud application architectures , 19.
48 Ibid.
49 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 3.2.
51 cf. Cloud Computing Use Case Discussion Group, “Cloud Computing Use Cases White paper - Version 3.0,” 30-31.
“There are growing concerns over the control ceded to large cloud vendors, especially the
lack of information privacy […] the distributed resource provision from Grid Computing,
distributed control from Digital Ecosystems, and sustainability from Grid Computing, can
remedy these concerns […] Replacing vendor clouds with nodes potentially fulfilling all
roles, consumer, producer, and most importantly coordinator [...] by utilizing the spare
resources of networked personal computers collectively to provide the facilities of a virtual
data centre and form a Community Cloud.” 52 The concept of a community cloud is
challenging because of its technical complexity and issues related with distributed
computing, the heterogeneity of the nodes, varying quality of service and other security
constraints. 53
3. Public cloud: “The cloud infrastructure is made available to the general public or
a large industry group and is owned by an organization selling cloud services.” 54
The University of California, Berkeley (UC Berkeley) expands the NIST definition of a
public cloud as follows: “When a Cloud is made available in a pay-as-you-go manner to the
general public, we call it a Public Cloud; the service being sold is Utility Computing.” 55
Utility computing means that only the current needed amount of resources is being provided.
Due to technical and commercial developments, utility computing has finally made its
commercial breakthrough in the form of cloud computing because it is now possible to
consume these resources in the simple manner of Apple's App Store for the iPhone -
marketed off the shelf, automatically deployed and deducted. 56 57 58
52 Briscoe and Marinos, “Community Cloud Computing,” chap. 1.

53 cf. Ibid., chap. 5. b).
55 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 4.
56 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 25-26.
58 cf. Buyya, Pandey and Vecchiola, 2009, in a collected edition of Jaatun, Zhao, and Chunming, Cloud Computing: First
International Conference, CloudCom 2009, Beijing, China, December 1-4, 2009, Proceedings , 42.
4. Hybrid cloud: “The cloud infrastructure is a composition of two or more clouds

(private, community, or public) that remain unique entities but are bound together
by standardized or proprietary technology that enables data and application
portability (e.g., cloud bursting for load-balancing between clouds).” 59
Illustration b: Hybrid Cloud. Source: Cloud Computing Use Case

Discussion Group, 2010.
Hybrid clouds are often used to swap specific functionalities or peak performance requirements
to third party cloud providers. 60
Cloud Computing Security
“It seems that having your data in the cloud on machines you do not control is very
emotionally challenging to people.” 61 George Reese, enStratus
A restrained point of view regarding moving its data into the cloud can certainly not only be
accredited to the natural disposition of IT decision makers. In fact, cloud computing has not yet
grown up, critical voices about the insufficient security are unmistakeable. The different aspects need
to be considered according the specific requirements, a serious assessment may help to identify
potential issues.

60 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 27.
“We believe that there are no fundamental obstacles to making a cloud-computing

environment as secure as the vast majority of in-house IT environments, and that many of the
obstacles can be overcome immediately with well- understood technologies such as
encrypted storage, Virtual Local Area Networks, and network middleboxes (e.g. firewalls,
packet filters).” 62 UC Berkeley
There are three main fields that cover most security aspects of cloud computing: First, legal
aspects, second, regulatory compliance and third, standards compliance . Each of these main fields is
connected with political questions regarding global governance of the information society. These,
several other issues and additionally a guiding model will be introduced later on in this thesis. 63 64 65
“An important point to keep in mind is that the cloud does not introduce any new security
threats or issues. To put security in perspective, cloud computing as a whole can be
considered the ideal use case to highlight the need for a consistent, transparent, standards-
based security framework regardless of cloud deployment model.” 66
Cloud Computing Use Case Discussion Group
To put it in a nutshell: A safe car does not necessarily mean a safe drive!
Cloud Computing Enablers And Trends
Besides the already mentioned key technologies and concepts of which cloud computing is based
on, other aspects should be mentioned. The ability to connect clouds, virtualization, open source
software & community and additionally technologies from which cloud computing has borrowed its
flexible, modular, interconnected nature; service orientation and grid computing.
Connecting Clouds
The connecting of clouds can bring the benefits of easily connection applications. It requires
suitable Application Programming Interfaces (API). API's enables the cloud applications and
services to communicate in the background whilst remaining invisible for the user. For example is it
possible to connect to a SaaS address database application with an SaaS accounting database in order
to implement a seamless workflow between the two programs. API's exist not exclusively in the
63 cf. Zittrain, The future of the Internet and how to stop it , 1.
64 cf. Reese, Cloud application architectures , 63-64.
65 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 10.
66 Cloud Computing Use Case Discussion Group, “Cloud Computing Use Cases White paper - Version 3.0,” 43.
cloud computing world but an industry consensus in favour of common, open, standardized API's
becomes apparent. 67 68
Open standards are also important for the “emerging service model definitions associated with
cloud service brokers, those providers that offer intermediation, monitoring,
transformation/portability, governance, provisioning, and integration services and negotiate
relationships between various cloud providers and consumers.” 69
Open Standards and Open Source Community

The call for open standards concerns all areas where closed, proprietary solutions can cause
incompatible capabilities and interfaces on behalf of consumers. Utility computing and proprietary
software are not a good match. The fundamental call for open standards is also justified due to the
fact that dominant software stacks used in cloud environments are free open source software. 70 71
“Open source software is defined as computer software that is governed by a software

license in the public domain, or that meets the definition of open source , which allows users
to use, change, and improve the software. The flexibility to alter the source code is essential
to allow for continued growth in the cloud solution. Open source software is the foundation
of the cloud solution and is critical to its continues growth.” 72
George Reese, enStratus
In the meantime, open standards are becoming crucial for enterprise solutions and to a certain
point important for enterprise customers in order to maintain their employer credibility and
competitiveness on the human resources market.
The reason is thus that “open source technologies tend to attract large and vibrant
communities and ecosystems around them, with one result being a variety of products and
services tailored for enterprise use. So if an enterprise is not happy with the service or
support it is receiving from one vendor, it can turn to a different vendor for that service and
support – and if all else fails, it has ready access to the source code and the communities that
created and maintain it.” 73 74
67 cf. Velte, Velte, and Elsenpeter, Cloud Computing: A Practical Approach , 120-122.
68 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” 19.
71 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 16.
73 Sun Microsystems, Inc., “Open Source & Cloud Computing: On-Demand, Innovative IT On A Massive Scale,” 5-6.
74 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 6-8.
Service Orientation
Generally, regarding all the five essential characteristics , three service models, and four
deployment models NIST also adds: “Cloud software takes full advantage of the cloud
paradigm by being service-oriented with a focus on statelessness, low coupling, modularity,
and semantic interoperability.” 75
In this context, service-oriented means that the cloud applications are composed on independent,
interoperable, loosely coupled, discrete services that are connected via standardized interfaces. Such
services are stateless if a parallel running service from the same source can be reused, without
interrupting the other service. Statelessness as well as low coupling and modularity are embodied in
cloud software if Service-oriented Architecture (SOA) is used, what is commonly the case. The
semantic interoperability extends compatibility by intelligent, contextually selective allocation of and
in between services. The affirmation of NIST for the total structured architecture of SOA or similar
service-oriented architectures or web services to enables an almost borderless freedom of the service
execution. 76 77
This freedom of service execution was exactly for what reason SOA was intended for. Its
emergence was technically influenced by Object-oriented Programming (OOP) which already came
along with characteristics like abstraction, encapsulation, modularity and by the Object Engineering
Process (OEP) which models (for example with Unified Modeling Language ) business requirements
into a blueprint for software developers. This combination has been an important step towards
bridging the gap between business and technology and corresponds with the nature of SOA and as a
consequence of cloud computing. 78 79
Grid Computing
There would be no cloud computing without the world wide web. The word web is an
abbreviation of network. Sun Microsystems (SUN) has been one of the companies that pushed the
development of linking networks the most. Its chief researcher John Gage mentioned 1984 that the
network is the computer. Back then, he did not foresee the internet or cloud computing, but he already
realized then that computer infrastructure and data does not necessarily need to be tied together and
that comprehensive networks can lead to better collective results. Some years later, in the early
1990s, was the term grid computing introduced in dependence to the power grid. The idea was
simply that computing becomes a utility, same as electricity, consumable at every place where there
76 cf. Fingar, Dot.cloud: The 21st Century Business Platform , 43.
77 cf. Ibid., 55-57.
78 Stantchev and Schroepfer, 2009, in a collected edition of Abdennadher, Advances in Grid and Pervasive Computing:
4th International Conference, GPC 2009 , 25.
79 cf. Oestereich, Analyse und Design mit UML 2: Objektorientierte Softwareentwicklung , 21-24.
is a network. Such distributed computing calls for the decoupling of location, data, network
connection and processing power hardware. Several computers can share one task, it does not matter
where they stand, they just need to be connected with a network. Comparably, the virtualization
follows a similar approach; the hardware layer is abstracted from the software layer. The concept is
just the other way around. In grid computing share many computers the execution of one software,
while the virtualization enables to run several software on one or more hardware devices. Cloud
computing would not have made such a strong impact without virtualization and is also inseparable
from the distributed network approach of grid computing. 80 81 82
Significance: Defining Cloud Computing
For startups, entrepreneurs and small companies, the following aspects of cloud computing
regarding its characteristics and technology may be of special interest:
! Cloud computing as utility computing facilitates the use of sophisticated information systems
! Ready to use applications without the need for infrastructure
! Rapid provisioning lowers go-to-market lead time
! Possibility to inter-connect (via API) different SaaS applications in order to establish

comprehensive workflows
80 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 21-22.
81 cf. Fingar, Dot.cloud: The 21st Century Business Platform , 25-27.
82 cf. Stanoevska-Slabeva, Grid and Cloud Computing: A Business Perspective on Technology and Applications , 5.
Political Implications And Standardization
The internet is a global phenomenon – the information society is becoming reality. Global
solutions are needed to address issues which the information society is facing and open standards are
what cloud computing is in need of. Global solutions may offer new markets and significant
opportunities for startups and young entrepreneurs on all continents. However, the political
conditions and global standardization efforts must be understood in order to get an indication of the
future of the information society and its most important “tools”, such as cloud computing.
Understanding Global Governance To Enable Global Business Opportunities
In the field of Information and Communication Technology (ICT) is the executive United
Nations (UN) agency International Telecommunication Union (ITU) having the paramount
responsibility. Its vision is to bring the ICT benefits to all the citizens of the world by assisting the
governments and the private sector of UN member countries in mobilizing the necessary technical,
financial and human resources.. 83
In 2002 initiated the former UN general-secretary Kofi Annan the World Summit on the
Information Society (WSIS) to involve all stakeholders, individual privacy activists as well
as business organisations and mentioned later on: “What do we mean by an information
society? We mean one in which human capacity is expanded, built up, nourished and
liberated, by giving people access to the tools and technologies they need, with the education
and training to use them effectively.” 84
WSIS has been created to find multinational answers to the challenges of the information society.
A focus point of its work is bridging the digital division between western countries and developing
countries. WSIS measures indicators of its UN member countries regarding their development state
of the ICT infrastructure and how the population is ready to use it. WSIS is deducts implications
about the design of action plans, about how to govern the internet and about the usage of which
financial mechanisms to create a sustainable incentive system. WSIS has created in 2006 two
executive institutions that should help them to reach the goals. First, the UN Group on the
Information Society (UNGIS) that coordinates with the relevant UN bodies and organizations such as
the World Bank, the International Monetary Fund (IMF) or the World Trade Organization (WTO)
83 Lips, 2006, in a collected edition of Koops et al., Starting points for ICT regulation: Deconstructing prevalent policy
one-liners, 41-46.
84 Annan, 2005, cited by Hayden, Thompson, and Levy, The SAGE handbook of research in international education, 206.
and second, the Internet Governance Forum (IGF) which should solve substantive and policy
issues. 85 86
The findings of WSIS give a consolidated overview about the status quo of the global
information society. They are valid for developed and developing countries alike, whereas the bigger
parts of the programs are conducted in developing countries. Developing countries offer relatively
higher growth opportunities than developed countries – a convenient initial position in the eyes of
startups and entrepreneurs from all over the world. 87
Subsequently, listed below are itemized excerpts which resulted from the efforts of WSIS and its
affiliated organisations. They were chosen by the author of this thesis according to characteristics that
may be of interest for small and startup companies. As cloud computing is a relatively new generic
term that contains existing technologies and challenges of the information society with its underlying
ICT, cloud computing was introduced in the terminology of WSIS not earlier than in 2009.
The main topics are firstly, ICT access and use, secondly, The broadband divide, thirdly,
Availability of local content and fourthly, Data privacy. Each main topic is followed by a critical
acclaim regarding the information systems perspective with particular notice towards cloud
computing:88
1. ICT access and use: “In many respects, the digital divide continued to narrow in
2008. An important milestone in the progress towards a global information society
has now been reached: over half the world’s population has obtained at least some
level of connectivity. In addition, 80–90 per cent of the world’s population now lives
within range of a cellular network, double the level in 2000. […] One of the benefi ts
to emerge from mobile telephony has been the versatility of short message services
(SMSs), which are used for increasingly innovative purposes, including fi nancial
transactions, market price updates, news transmission, emergency alerts and other
important functions. […] At the end of 2008, half of the world’s Internet users were
in developing countries, especially in Asia. Regionally, Africa and the Middle East
are experiencing the fastest mobile and Internet growth. […] Large disparities in
terms of penetration and affordability still exist, both across and within countries
and regions […] the digital divide debate is increasingly shifting away from
measurements of basic connectivity to issues of speed (bandwidth)” 89
85 cf. Doria and Kleinwächtger, 2009, co-authored by Cerf et al., Internet Governance Forum (IGF): The First Two Years ,
7.
86 cf.International Telecommunication Union (ITU), 2007, on behalf of Touré and Panitchpakdi, World Information
Society Report 2007 - Beyond WSIS , 13.
87 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and
Increasing Impact , 45.
88 cf. Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society
outcomes at the Regional and International Levels - Report of the Secretary-General , 3-6.
89 Ibid., 3-4.
The formula is simple, without ICT equipment, business development is difficult. The continual
growing rate of the world's population which have access to communication instruments is good to
know for entrepreneurs. Globally seen, it leads to millions of new potential customers by every
year. 90
Still, there is a long way to go. Developed countries have one hundred times more secure servers
compared to developed countries. Reliable information systems and especially secure e-commerce
platforms are required to enable online business. A benefit of using cloud computing is that simply a
browser is required that supports encryption; for example Firefox, which is freely available. 91 92 93
Adding to the circumstances is the fact that many people in developing countries use mobile
technology, including for financial transactions. With this background in mind, it is foreseeable that if
they acquire up to date equipment, there will be less constraints regarding the usage of new
technologies compared to developed countries.
On the contrary to developing countries, IT departments have built up the structures and gained
conceptual experience over the period of decades in developed countries. For them is it possibly
more “emotional challenging” to let their data manage by a cloud computing provider compared to
an entrepreneur in a developing country that until a year ago was doing financial transactions solely
via SMS or not at all and now has the chance to use sophisticated cloud computing applications. 94
Cloud computing could give companies in developing countries the chance to compete with
companies in developed countries at eye level. Engagements in cooperation are also an option due to
the fast developments of social networks that now cover most aspects of business. These competitive
improvements and possible cooperations could lead to solid economic growth in the developed
countries, which is necessary to reduce poverty and to build up a stable civil society. Initiatives such
as the 100$ One-Laptop-per-Child (OLTP) have had positive effects on the spot in developing
countries and also helped the western society to recognize the need of developing countries for ICT
infrastructure and education. It was even an initiator for the now very popular netbooks. 95
2. The broadband divide: “In spite of the remarkable progress achieved by

developing countries in deploying ICT and bridging the digital divide, they remain at
a disadvantage in terms of broadband coverage […] with Africa accounting for less
than 1 per cent. The “digital divide” is therefore giving way to the “broadband
91 cf. Ibid., 130-131.
92 cf. Zittrain, The future of the Internet and how to stop it , 235-237.
93 cf. Cohen, “The United Nations of Cloud Computing.”
95 cf. Subramanian, “Cloud Computing and Developing Countries – Part 2.”
divide” […] The slow response discourages or even prevents people from using
applications that would improve effi ciency and enhance productivity […] The United
Nations system and other partners – including Governments, civil society and the
private sector – are focusing on broadband issues as part of their efforts to assist
developing countries achieve WSIS targets and meet the Millennium Development
Goals.” 96
The awareness of the importance of broadband requires honest, forceful efforts of both, the
governments that are leveling the way with regulations and an investor friendly environment and the
private sector which should take the risk to invest in these yet to be developed markets. If the basic
broadband infrastructure will be available everywhere around the world, it will be a logical
consequence that the bandwidth will be used with modern business tools as well. It will be up to the
choice of the startups, SMB's and entrepreneurs in these developing countries whether they prefer to
use cloud computing information systems or to wait until they can afford to build their own data
centers. 97 98
3. Availability of local content: “From the perspective of making ICT available to

all, the lack of local content on the Internet and other forms of ICTs (such as mobile
devices) is of growing concern […] Locally produced content can help empower the
poor by e.g. providing them with online learning facilities, creating new business
opportunities; improving access to agricultural market information and weather
forecasts […] If the profitability of firms depends on the willingness among the poor
segments of society to pay for local content, it is plausible that the private sector
alone cannot create the right market conditions to fi ll this gap […] It would be useful
to make an inventory of best policy practices aimed at advancing local content.” 99
Advanced information systems offer at least a partial content management functionality that
supports multi-language. Content Management Systems (CMS) can be API-connected with mashup
services that integrate content such as news, maps or market information to interconnect into one
localized, user-friendly web platform. Such localized services can be especially interesting for
startups to fill a local market niche. The needed internet web 2.0 technology is widely available for
free and does not necessarily require cloud computing. 100 101
96 Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society
outcomes at the Regional and International Levels - Report of the Secretary-General , 4.
97 cf. Subramanian, “Cloud Computing and Developing Countries – Part 2.”
98 cf. Ibid.
99 Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society
100cf. Knipp et al., Creating Cloud Solutions: A Decision Framework , 10.
101cf. Vembu, “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from Zoho Corp. about
Innovation,” col. 4.
4. Data privacy: In the recent past, privacy has become one of the central themes of
the emerging information society, not least in the light of the expanded role of
search engines on the Web and of the fast spread of social networking services […]
There is also a perceived threat to the personal integrity of users from entrusting
too much personal information in the hands of large corporations (e.g. Yahoo,
Google, Facebook, MySpace […] Trans-border data fl ows have the ability to
circumvent national laws […] The main purpose of data protection legislation is to
ensure that personal data are not processed without the knowledge and, except in
certain cases, consent of the data subject […] These trends may suggest a need for
more effective and up-to-date public policies and regulations at the international,
regional, national and local levels. Cyber security and inadequate data privacy
solutions are dealt with differently by countries with dissimilar priorities,
challenges and levels of development. Many different national approaches have
surfaced, but a global response to this truly global problem is yet to emerge.
While the main topics number one (ibid. ICT access and use) and two (ibid. the broadband
divide) can be attributed due to the lack of availability of up to date ICT equipment in developing
countries, the main topic number four (ibid. data privacy) is a problem that directly effects every
country. Compromises in privacy and security are firstly, a result of lacking legal frameworks on
global and national level and secondly, issues due to the lack of standardization.
Provided that the international society is truly getting involved to make an effort for these four
WSIS goals, it could lead slowly but surely to millions of new internet users all over the world. Many
of them will do business and will need modern information systems. By using information systems
based on cloud computing, they will have the chance to use up to date applications without first
having the need to build up their own infrastructure or initiate the build-up by an outsourcing
provider. That can be an interesting prospect for startups and companies in underdeveloped countries
but equally for startups and innovative companies in developed countries who are willing to take the
risk.102
Activities On Continental Level
Global data flows need harmonized approaches to facilitate cloud computing operations which
requires consensual cooperation on regulations and standards. International organizations can be of
help to achieve this consensus by providing an exchange of information, education and concrete help
in developing countries, but basically it is at the liberty of every independent country to set legal
standards that cover cloud computing. As most countries have different regulations, even within the
European Union, is it difficult to state what needs to be changed in which country. A study conducted
by information policy scientist Paul T. Jaeger about cloud computing and information policy has
102cf. Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society
summarized the most crucial points that lawmakers and politicians should be aware of and try to
improve.103
! Basic thresholds for reliability
! Assignment of liability for loss or other violation of the data
! Expectations for data security
! Protections of privacy
! Any potential expectations for anonymity
! Access and usage rights
! International standardization to promote transborder data flows in clouds
There is a obviously a difference between these points compared with the goals (ibid.: 1. ICT
access and use, 2. The broadband divide, 3. Availability of local content, 4. Data privacy) from the
WSIS (ibid.). Jaegers points correspond only with 4. Data privacy. The reason is simply that WSIS is
intended for the international community including developing countries while Jaegers points are
intended for the national level in developed countries.
The following chapters provides a glimpse of the situation by presenting extracts of current cloud
computing discussions in the United States (U.S.), Asia and Europe (EU). The focus lies on cross-
national exchange of data as it is there where cloud computing offers in particular many points open
to attack because of its distributed nature. 104
United States
To a certain extent most things concerning cloud computing are happening in the United States or
in collaboration with U.S. institutions such as NIST (ibid. Computer Security Division of the US
National Institute of Standards and Technology) or companies such as Amazon, Salesforce, Google
or IBM. The United States are an intellectual and technological leader in the field of cloud
computing. Therefore, in order to understand what is happening politically and legally in the United
States concerning open clouds and cross-country data exchange, one can draw conclusions to get the
status quo on a worldwide level and conceive future implications. It may be interesting to look ahead
103cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280-281.
104cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 15.
to where U.S. visionaries and information society lobbyists wants to lead their government, as this
opinion-forming process will have an impact on future directions on a worldwide level. 105 106
The influential non-profit organisation Aspen Institute Communications and Society Program
repeatedly composes a memo to every new U.S. president with calls on how to affect the policies in
favour of a sustainable society. The 2009 edition, intended for Barack Obama or John McCain, the
future president having not been decided by then, focused on policy proposals and general advice on
Information Technology (IT). The proposals and advice are U.S.-centered, but as the economy of the
United States is still by far the biggest and the innovation capabilities of its scientific institutes and
companies still world-leading, especially in the IT field, it can be of interest for the global society to
see what the focus of engagement is. 107 108 109
Number six of the six policy proposals (1. Formulate an identity agenda, 2. Mend the Patriot
Act, 3. Retraining and immigration reform, 4. Modernize the grid, 5. Deploy world-class
broadband, 6. Support an open cloud) is explicitly calling for an open cloud: “Support an
open cloud. Traditional notions that governments should hoard data within their borders is
an outdated notion with the advent of the global cloud economy. We need to pursue
architectures that allow individuals, companies and governments to plug into the best
resources on the planet, regardless of where they are located.” 110
One aspect of the open cloud is the dominance of the United States regarding the global
management and assignment of top-level domain names and IP addresses. This is still under control
of the non-profit organization Internet Corporation for Assigned Names and Numbers (ICANN)
which acts on behalf of the U.S. government. The international voices are getting louder that this
unilateral control of ICANN by a single government should be replaced by an international
independent institution. Whereas there is a consensus about this topic, there is still a big controversy
ongoing about how much influence the governments should have with regard to national policy
issues. However, the Aspen Institute, to give an example, put its money on the catalyzing effect of
the fast changing global information society that will in the long run pull down national hegemonial
ambitions. 111
105cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and
106cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280.
107cf. Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance
and Social Interaction, 72-77.
108cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 72-73.
109cf. O'Halloran, Charity Law Social Policy: National and International Perspectives on the Functions of the Law
relating to Charities, 315; 577.
110 Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and
Social Interaction, 74.
Cloud computing is given an important role because “the cloud will usher in a seismic shift
in the locus of control in our culture, and it will have ripple effects in all walks of life –
energy, the environment, national security, learning, health care, business processes,
emerging markets and much more. The cloud is about open access, rapid delivery of
services, the ability to scale quickly and the power of networks. Ultimately, though, the cloud
story is not just about computing, communication or information but about empowering
citizens.” 112
These statements – the conversion from top-down to bottom-up power – are radical in its nature
but vague in regard to what will happen concretely. Nonetheless, this to be expected shift towards a
more democratized access to high-tech resources, true globalization and commercial opportunities
that are more independent of company size sounds definitively promising to young people with
entrepreneurial spirit, startups and small companies.
Asia
The Asia-Pacific Economic Cooperation (APEC) is the leading free trade forum in Asia. It is
encouraging its member nations to improve ICT and e-commerce. The focus lies on supranational
collaboration but without to cede laws and sovereignty to other members, as they are reluctant to do
so. While Cross Border Privacy Rules are discussed in privacy-related legislative working groups,
cloud computing not yet a big topic. APEC has an Electronic Commerce Steering Group which
started discussions about cloud computing with OECD and UN organisations in 2009, but it has not
yet resulted in concrete actions or publicly accessible documents. APEC is not purely representing
Asia, as it includes countries from South-America, the United States and Canada which naturally also
belong to the Asia-Pacific area. On the other hand, the members of the Association of Southeast
Asian Nations (ASEA) are purely Asian countries. ASEA have enlarged their association to become
the ASEAN Free Trade Area (AFTA) which also includes China and Japan. Cloud computing is not
yet on the public roadmap. 113 114 115
The fact that supranational Asian efforts are almost absent should not hide the instance that cloud
computing is booming in countries like China, Korea and Japan. A survey done with 400 Asian
developers conducted by the Evans Data Corporation (EDC) has shown that 11.3 percent of them are
111 Discussion panel "Critical Internet Rescources" hosted by Aguiar, 2009, co-authored by Cerf et al., Internet
Governance Forum (IGF): The First Two Years , 227-228.
112 Aspen Institute Roundtable 2009 consisting of Firestone, Coleman, Brown, Lysyanskaya, Dyson, Clippinger, Taipale,
Bregman, Hynes, Burton, Artom, Gupta, Rotenberg, Pearson, Dyson, Dachis, Mancini, rapported by Lasica, Identity in
the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction ,
77.
113 cf. Pearson and Charlesworth, 2009, edited by Koops et al., Starting points for ICT regulation: Deconstructing
prevalent policy one-liners , 133.
114 cf. Bourassa, “20th APEC Electronic Commerce Steering Group Meeting,” 7.
115 cf. Hunton & Williams LLP, “APEC Forum Discusses International Privacy Legislation Developments.”
already developing on cloud services. Interestingly, the public cloud deployment model is the most
likely type of implementation which EDC derives from the lower average age of Asian developers
compared to their western counterparts. Especially China, with its immense backlog demand for
sophisticated information systems and ICT infrastructure, could become a very interesting market.
Not only for Western and Indian cloud computing service providers, but also for entrepreneurs in
China to work in their huge domestic market and abroad, as well as in order to follow the traces of
the Indian IT services industry. 116 117
Europe
The European Network and Information Security Agency (ENISA), a sub-organisation from
the European Union suggests that “if the cloud provider is in a country outside the European
Economic Area and that country does not offer an adequate level of data protection, it is
advisable to have in place procedures in accordance with […] Standard Contractual Clauses
or Safe Harbor Principles - if the data are transferred to the United States and the cloud
provider participates in such a programme [...] however, it has to be stressed that the
transfer of data within the territory of Member States is not without problems. Indeed,
despite the fact that personal data can freely circulate within Member States, the laws are
not consistent across countries. This inconsistency may create obvious difficulties in
compliance and thus liability issues. We recommend that the European Commission take
steps towards the standardization of minimum data protection requirements in Europe. This
is particularly important in the light of the fact that the Data Protection Directive is
currently under revision. Moreover, a data protection certification scheme based on
minimum data protection standards, which are common across the Member States, may be
extremely useful.” 118
The statement of ENISA shows that even within Europe the situation is not entirely solved. It is
not clear under which jurisdiction cross-country data flows belong to and which result of the Data
Protection Directive is under revision. Some relief of the strain between the European Union and the
United States was brought by the EU Safe Harbor Principles . They underpin the data privacy of EU-
based customers which have put their data on U.S. systems. Concretely, they are not anymore
exposed to the USA PATRIOT Act (acronym for Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 – this law had been
implemented by George W. Bush after the 9/11 attack) which basically provides the U.S. government
full insight into data which they classify as suspect. Admittedly, the EU Safe Harbor Principles are
116 cf. Cohen, “The Future of Cloud Computing Belongs to Asia.”

117 Schindler (EDC), 2009, "APAC Development Survey 2009 v2", cited by Taft, “Asian Developers Moving to Cloud
Computing.”
118 Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security , 106.
only valid if the cloud service provider supports them. That can be seen fair from the view of the
customer, but it is a burden for the cloud provider who constantly must secure in which country the
data effectively is stored and has therefore obey different jurisdictions. This is difficult to manage,
weakens the flourishing of the free services market and is generally not longer suited to this day and
age of the internet society. 119 120
The Council of Europe focuses rather on the hazard potential and wishes a law enforcement
regarding cloud computing. “We need to have access to traffic data, need subscriber
information, and experience shows us that such information helps us to prosecute criminals
and bring them to court […] we have international cooperation and we can take urgent
measures to assure the safety of data in other countries. If a person's data is stored in
another country there is probably a lower level of protection of rights. We need to give law
enforcement the tools to protect us from cybercrime.” 121
The European Commission criticizes the lack of standardization within the heterogeneity of the
European Union, but also within the other continents. They acknowledge the United States to be the
world leader in cloud computing and advocate for a globalized open cloud market without making
concrete solutions on how to adjust the regulations to ease transnational data flows. 122 123
Finally, the OECD (ibid.) is currently calling upon governments to assure that new laws and
regulations are future-proof in a way that they will not limit the potential of cloud computing. They
grant the governments an important role in fostering standards, especially regarding service-level
management and interaction. They also mention the important role of public procurement by
referring to the example of government of Washington D.C., which has switched thousands of
workstations to using cloud computing applications. 124
Notably, the cloud computing provider at Washington D.C. is Google Apps – suited to the
occasion the following statement from the OECD, which recommend to “use the power of
the purse in their IT procurement policies, governments can push companies to find
consensus on the key Cloud standards.” 125
120Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280.
121Seger, representative of Council of Europe, 2009, cited by Anderson et al., “Workshop: Privacy, Security Implications
of Cloud Computing.”
122cf. Schubert, Jeffery, and Neidecker-Lutz, “The Future of Cloud Computing: Opportunities for European Cloud
Computing Beyond 2010,” 57.
123Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 15.
124cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 11.
125Ibid.
Standardization
Stable legal frameworks that cover cloud computing are required but experience shows that
legislation takes its time. The international community and the national legislative bodies, especially
politicians, are not yet advanced in expatiating upon the specific characteristics of cloud computing.
As a result they will not decide unless the decision base is clear. Regarding cloud computing
internationally recognized standards are a conducive factor. 126
ISO standard for cloud computing

On the international level, the non-profit International Organization for Standardization (ISO) is
a leading standardization organisation with 165 countries as members. They are defining industrial
and commercial standards (for example the ISO 9001 quality standard), which are accepted world
wide. In the fields of information technology, ISO is closely cooperating with the non-profit
International Electrotechnical Commission (IEC), which focuses on electronics. They have formed in
1987 a Joint Technical Committee known as the ISO/IEC JTC1. They combined their forces to enable
a symbiosis of their business organisation background (ISO) and their technology background (IEC)
in order to establish a standardization instance that covers computing and by degrees also internet
related aspects and especially information systems. 127
In 2000, ISO and IEC expanded its circle by signing a Memorandum of Understanding on
electronic business (MoU) with the UN/ECE (United Nations Economic Commission for
Europe) whose purpose is “to minimize the risk of divergent and competitive approaches to
standardization, avoid duplication of efforts and avoid confusion amongst users [...] the
MoU will also provide greater intersectoral coherence in the field of electronic business, an
important step considering the uptake of e-commerce.” 128
These joint forces drafted in October 2009 the report Report of JTC 1/SWG-P on possible future
work on Cloud Computing in JTC 1 - ISO/IEC JTC 1 N9687, in order to start the process for a new
ISO norm. The process has started with the just mentioned proposal stage, followed by the
preparatory-, committee-, enquiry-, approval stage and will finally lead one day in the publication
stage as a new ISO and/or IEC norm on cloud computing.
Furthermore have reputable sources announced that ISO/IEC JTC1 is about to intensify its efforts
by having formed a new subcommittee (SC) in November 2009 which will contain working groups
126cf. Ibid.
127cf. Copenhagen University College of Engineering, “JTC1/SC22/WG9 - Welcome to the ISO home of Ada Standards.”
128Houlin Zhao 2000, cited by International Telecommunication Union (ITU), “ITU Telecommunication Standardization
Sector (ITU-T) - MoU on electronic business between IEC, ISO, ITU, and UN/ECE.”
for service-oriented architecture (SOA) and web services as well as a study group for standardization
of cloud computing. 129 130
Overlapping Competencies
ICANN (ibid.) is the guardian of a fully functional internet and has therefore a high interest in a
flourishing development of cloud computing. However,there are frictions between the ITU (ibid.), or
respectively its multistakeholder forum IGF (ibid.), about the hegemony in internet governance.
Subramaniam Ramadorai, chairman of one of India's leading software manufacturers and president of
the Business Action to Support the Information Society (BASIS) which is an initiative of the
International Chamber of Commerce (ICC), argued wherefore:
“One of the schisms that came to light during an Internet Governance Forum meeting was
that between ICANN and the ITU. Some have seen this as emblematic of the clash between
traditional United Nations culture (a largely government-to-government formal process) and
Internet culture (where a range of actors meet as peers) [...] ICANN includes all relevant
stakeholders, but it deals with a specific agenda linked to ICANN’s role in the management
and technical coordination of the Internet’s domain name system.” 131
It is indeed questionable whether ICANN can have a leading role in cloud computing as they are
only specified on managing the domain name system of the world wide web.
For the record, Ramodorai answered what he had put on the table: “Only the IGF offers a
truly multistakeholder discussion forum where all members are on an equal footing, by form
and by definition. It is the only global-level space for discussions that cover the breadth and
depth of Internet governance policy issues. The IGF offers a vital place to discuss Internet
governance issues from infrastructure and access to the free flow of information and security
matters.” 132
Bottom-up Standardization
Whether IGF or ICANN feels more responsible for the development of cloud computing is
maybe not a crucial question. As a matter of fact are international governance, national legislation,
research institutes, politicians, all kind of initiatives and many standardization organisations partly
covering cloud computing and its issues. Unfortunately, there are many issues, for example
129cf. Joint Technical Committee 1, Report of JTC 1/SWG-P on possible future work on Cloud Computing in JTC 1 -
ISO/IEC JTC 1 N9687.
130cf. Cohen, “ISO Forms Group for Cloud Computing Standards.”
131Ramadorai, 2009, co-authored by Cerf et al., Internet Governance Forum (IGF): The First Two Years , 31.
132Ramadorai, 2009, co-authored by Ibid.
transborder data flows, which are not yet solved in spite of the multistakeholder approach. One could
be tempted to say that an ant on the move does more than a dozing ox but that would leave out the
fact that legislation and standardization are always lengthy processes because they require
international compromises. 133
However, internationally seen, there is a wide range of people, companies and non-profit
organisations that are not willing to wait until the international governance, the national legislations
and the highly-accredited standardization organisations have solved all issues. The cloud computing
market is booming and has led to acknowledged quasi-standards and since cloud computing is a
combination of existing technologies, a lot of the standardization work has already been done.
Furthermore, industrial demand, so-called cloud communities, the open source community that
develops fundamental software – these stakeholders drive the development of cloud computing in
form of iterative processes.
Sridihar Vembu, founder of ZOHO, a leading online office suite based on cloud computing,
describes the development as an innovation circle using the example of open source
software: “There have been major advances in open source distributed file systems and
databases in recent years, spurred by cloud computing. Javascript frameworks like jQuery
have enabled major advances in client functionality. Open source and cloud applications
have worked in a virtuous cycle of innovation, and adoption.” 134
Significance: Political Implications And Standardization
“Many of the public policy issues, including privacy, access, and copyright protection,
raised by Cloud computing are similar to Internet policy issues that governments have been
struggling with for at least fifteen years. ”135 Michael R. Nelson, Georgetown University and OECD
Nelson's comparison of cloud computing suggests itself – cloud computing is offering many
advantages and it will probably not be stopped by political and legal issues, it will just be slowed by
the lack of standardization and hundreds of millions of world citizens that do not yet have suitable
internet access and devices. The following list summarizes the findings of Political Implications and
Standardization itemized after developing country, developed country and outlook.
134Vembu, “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from Zoho Corp. about Innovation,”
col. 6.
135Nelson, Briefing Paper on Cloud Computing and Public Policy , 11.
Developing countries:
! ICT and cloud computing are needed and offer an immense potential for the people and for
cloud service suppliers
! Many entrepreneurs will for the first time have the chance to use sophisticated information
systems thanks to cloud computing
! Lack of broadband access is a fundamental problem
! Mobile internet can be a favourable solution even though are specialized cloud applications
are required
Developed countries:
! Mainly data privacy issues due to laws and regulations that are not yet adjusted to the
emerging reality of information society and cloud computing
! Transborder (cross-national) data flows are a key issue
! The cloud in 2010 is U.S.-centric but other countries will increase their efforts
Outlook – Expected trends:
! Solving these legal issues will take many years
! These legal issues will not hinder cloud computing in quickly gaining market shares
! Standardization will lower costs and improve innovation
! The call for open clouds will increase
! Empowering citizens: More democratized access to high-tech recourses will facilitate to true
globalization. Radical paradigm shift from top-down to bottom-up thanks to open access,
rapid delivery of services, the ability to scale quickly and the power of networks
Not for the first time in human history have legislation and formal organisations been overtaken
by the market reality. There is no way back, cloud computing will be setting various standards by all
means and cannot be called anymore a marketing ephemera. Cloud computing has an immense
potential for startups, small businesses and entrepreneurs as such and for the information society as a
whole.136
136Ellison, 2008, reported by Johnson, cited by Wyld and IBM Center for the Business of Government, Moving to the
Cloud: An introduction to Cloud Computing in Government , 11.
For startups, entrepreneurs and small companies, the following aspects of cloud computing
regarding its political dimensions and standardization efforts may be of special interest:
! Along with cloud computing will the globalization will further increase and with it global
business opportunities
! Cloud computing will become accepted because it is politically desired and the standardization
efforts are steadily advancing
! Entrepreneurs in developing should campaign for more broadband internet connections

Market, Economics And Trends
“The cloud represents the reinvention of commerce...the control point has shifted so that
suddenly commerce and communication are end to end, with no regard to borders.” 137
William Colemen, Aspen Institute Roundtable
“The interesting thing about cloud computing is that we’ve redefined cloud computing to
include everything that we already do. The computer industry is the only industry that is
more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what
anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy
going to stop?” 138
Larry Ellison, Oracle
“Cloud computing is nothing new. All of these technologies have existed for quite some time.
That's like saying the iPhone is nothing new because all the technologies existed prior to its
arrival. For an innovative company like Apple, it's great that their competitors lack such
imagination, as it leaves the field wide open.” 139
Ray DePena, Los Rios Community College
“We don't know where the data is in cloud computing, and it does not matter because it's
much cheaper, it's more efficient and it can be accessed from anywhere.” 140
Laurent Bernat, OECD
137Coleman, 2009, edited by Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on
Business, Governance and Social Interaction , 71.
138Ellison, 2008, reported by Johnson, cited by Wyld and IBM Center for the Business of Government, Moving to the
Cloud: An introduction to Cloud Computing in Government , 11.
139Depena, “The Beauty of the Cloud.”
140Bernat, 2009, edited by Anderson et al., “Workshop: Privacy, Security Implications of Cloud Computing.”
Whatever one thinks of cloud computing, fact is that a large number of the internet society is
already using cloud computing based on online software probably without being aware. Examples
are: Google's Gmail with its online collaboration office suite Google Docs, Facebook or the photo
sharing application Flickr from Yahoo. 141
However, the main usage area of the above mentioned examples is the private market whereas
one of the most common reasons to use cloud computing is to allow it to assist business operations.
This following chapter Market, Economics and Trends focuses on the business-economical aspects of
cloud computing, the market as such, where cloud computing is not yet a feasible option, as well as
trends.
Business Benefits In General
What are the real business benefits of using cloud computing? The Information Systems Audit
and Control Association (ISACA), which is an international association that is defining IT
Governance standards, arranging education and certifications for its almost 100'000 members
(typically Information Security Auditors or Chief Information Officers) , has pointed out the following
business benefits: 142
! Cost containment: Scalability without high upfront capital expenditure
! Immediacy: Provision and utilization of new services and processes within days instead of
months for ordering as well as configuration and operationalizing in traditional IT
! Availability: Due to economies of scale cloud providers can afford to invest in high-end
bandwidth and systems that small companies could not afford
! Scalability: Cloud computing solutions can flexibly react on arising performance or capacity
demands and provision them on demand
! Efficiency: Spending less time for operational IT activities
! Resiliency: Better protection against unexpected events as the data is stretched between
different geographic areas
The degree of the benefit that companies realize in reality may differ as the case arises.
Additionally, others may mention other benefits or not easily quantifiable effects such as improved
innovation due to easier setup of Customer-Driven Innovation solutions. 143
141cf. Fingar, Dot.cloud: The 21st Century Business Platform , 63-64.

142cf. Spivey et al., “Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives,” 6-7.
143cf. Fingar, Dot.cloud: The 21st Century Business Platform , 84.
A survey from the European Network and Information Security Agency (ENISA) that analyzed
what possible business benefits of cloud computing are most tempting to small- and medium
businesses (often called SME / SMB). Avoiding capital expenditure in hardware, software and IT
personnel was most named. Flexibility and scalability of IT resources was voted second and business
continuity and disaster recovery third. 144
“Cloud computing promises a powerful new platform for innovation. It allows entrepreneurs
to develop, deploy, market, and sell cloud applications worldwide without having to invest in
expensive IT computing infrastructure.” 145 This definition of the Internet Society is less
technical but emphasizes the entrepreneurial aspects of having the hands free for real
business.
Benefits For Startups And Small Companies In Particular
“When a business owner starts up a new business, he wants to set up operation in a

scalable, flexible fashion. Building an IT department is a low priority compared to marketing
the product, investing in research and development, or securing the next round of funding. In
the past, a mature IT infrastructure was a sign that a startup company was ready for an
initial public offering (IPO). A company would demonstrate scalability by implementing a
robust enterprise resource planning (ERP) solution and hosting it on the premises.” 146 This
appraisement of the in the cloud computing scene recognized authorities Tim Mather, Subra
Kumaraswamy and Shahed Latif is roughly categorizing the situation of startup companies
and contrasts it to the up to now more mature information systems of bigger enterprises. 147
144cf. Catteddu and Hogben, An SME perspective on Cloud Computing , 8.

145Internet Society, Advisory Council (AC) Consultation
on Cloud Computing for OECD Foresight Forum October 2009 , 1.
146Mather, Kumaraswamy, and Latif, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance ,
28.
147cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 6; 71.
Illustration c: The various offerings of cloud computing covers different levels of

abstraction, the focus on consuming applications by the end user / business man is
provided by SaaS. Source: Reproduced according original source by LSE Research Online,
2009.
Assumed that the average startup and small business is not an IT company, it is clear the the main
interest of this target group is to use, respectively consume applications, not to develop them.
Therefore are consumption-ready SaaS (see illustration c) applications probably the most used cloud
computing service model of startups and small businesses. 148
“It also gives smaller businesses access to the same industrial-strength computing systems
as large multinational corporations, boosting the competitiveness of small and medium-sized
business. By allowing government and business in developing countries to access
sophisticated computing platforms without having to make large hardware and software
investments or manage complex IT deployments, cloud computing can help jump-start
economic development. All that is required to access cloud computing solutions is a browser
with broad-band access.” 149 Internet Society
The notion that cloud computing can help small businesses to compete with multinational
cooperations at equal terms is certainly a promising statement. The positive aspects that cloud
computing could have in developing countries can be highly welcomed as well (ibid. chap. Political
Implications and Standardization) .
148cf. Briscoe and Marinos, “Community Cloud Computing,” 3.

149Internet Society, Advisory Council (AC) Consultation
on Cloud Computing for OECD Foresight Forum October 2009 , 1.
Fundamental Business Economics
Conventional (on premises) Cloud Computing

Capital expenditure: Operational expenditure:
- Hardware - Subscription charges
- Software licenses
- Occupying IT personnel
Capacity planning On demand
Contract Pay as you go
Security, Disaster management Security, Service level
agreement
Table b: Conventional IT concept (old paradigm) compared with the cloud
computing model (new paradigm). Source: Own comparison based on literature according
bibliographic footnote, 2010.
This table compares fundamental business economic figures between the conventional IT
approach with on the premises implementation of a client/server architecture and the cloud
computing model. Some literature describes the conventional approach as old paradigm and the cloud
computing model as new paradigm. 150 151 152
Investing and running an own IT equipment requires capital expenditure (capex), while using an
external cloud service that offers pay-as-you-go service falls into ongoing operational expenditure
(opex). Both, capex and opex are generating cash flow, but the absolut amount of cash flow cannot be
compared directly. 153
“A payment on a capital good like a server is one of a series - each of which the enterprise is
committed to, no matter if the server is being used or not. Once you purchase a capital good,
you're stuck with it, as anyone who has purchased a car understands. Even if you're no
longer excited about owning it, the finance company still expects its monthly payment.” 154
This commonplace of business economics should is especially important regarding the

depreciation on a once purchased equipment. It is applied either on the full lifetime, or, if it is sold
earlier, the accumulated depreciation is causing a loss.
150cf. Thommen, Managementorientierte Betriebswirtschaftslehre , 398-400; 511.

151cf.Reese, Cloud application architectures , 48; 51-54.
153cf. Thommen, Managementorientierte Betriebswirtschaftslehre , 511.
154Golden, “Capex vs. Opex: Most People Miss the Point About Cloud Economics.”
The incurred operational expenditures can be set in contrast with the following example: “If
you rent a car, you are committed to it only as long as you want to use it -- and once you've
paid for that use, you have no further financial obligation. And guess what, pretty much
everyone understands that you pay a premium for that flexibility, for example, a rental car
costs more per day than the same car would, if purchased. In MBA-speak, there is an option
value in that flexibility, for which a premium is paid.” 155
Dispersing the costs over the time is for startup companies probably even more crucial than for
established companies, because startup companies often do firstly not have enough capital, secondly,
enough securities to borrow money and thirdly they lack a fixed strategy for protection of
investments. Therefore the question of capex vs. opex is a crucial factor for startup companies and is
a point for cloud computing.
It is possible to use common Total Cost of Ownership (TCO) models to calculate the cost for a
cloud computing solution and compare it with a conventional on the premises installation. However,
before this is possible, a serious assessment is needed to specify what the true benchmark for the old
and the new solutions are. 156
“Cloud readiness requires viewing current offerings through the lens of a service provider.
Cloud vendors offer services with certain defined commitments and associated costs for
delivery. If you cannot express existing service capabilities in the same manner, how can a
meaningful build vs. buy cost comparison be done?” 157
Jim Damoulakis, CTO of GlassHouse
Cloud Computing In Large Enterprises
Antonio Palacin, director of the international IBM SAP International Competence Center,
about the ability of cloud computing solutions regarding business process management: “In
specific areas "yes". E.g. simple processes could be hosted in a cloud: eMail, data
repositories for backup, etc. In other areas where mission-critical data and access rights are
targeted I still do not see how this can be ensured.” 158
Cloud computing, especially public cloud, has obviously not yet achieved full acceptance by
large corporations. A similar objection mentioned Rick Franckowiak, Information
Technology Director at Johnson and Johnson perhaps spoke for the industry when he was
155Ibid.
156cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 91-93.
157Goodman, “The CIO’s Guide To Cloud Computing,” 6.
158Palacin, “Startup in the Cloud - Consulting Experts - Interview with Antonio Palacin from IBM Deutschland GmbH
about Simplicity.”
stating: “Cloud computing can solve the problem of overtaxed internal resources...but not, at
least not yet, for the highest-risk applications involving sensitive data.” 159
Vishal Sikka, Chief Technical Officer at the ERP vendor and SAP notices: “You have to get it
right-and not only from a cost and go-to-market perspective, but from an integrity
perspective. For us, it is far more important to roll this out in a controlled way to make sure
the customer comfort is there and grows with the software, rather than to go out there and
meet some arbitrary definition of some guy's take on cloud computing or SaaS. […] So we
will get it right, and we will take our time. Yeah, it took a little bit longer than we thought,
but we can afford to.” 160
SAP is the market leader in the business-to-business area for ERP software. Microsoft on the
other hand is the overall number one software vendor. Microsoft obviously sees the time coming for
cloud computing and extends their Azure cloud offerings. In February 2010 Microsoft has announced
to offer cloud web connectors from their office suite MS Office 2010 towards social networks such as
Facebook or LinkedIn. Obviously is Microsoft focused on the business-to-consumer market which is
more volatile than SAP's enterprise market. On can guess that if Microsoft is pushing cloud
computing, that will have an effect on the rest of the market. 161
Variations And Industries
There are many sophisticated information systems with lots of functions for different industries
in the market. It is beyond the scope of this thesis to name them here, but even googling the
categories reveals an immense diversity: Enterprise Resource Planning (ERP), Supply Chain
Management (SCM), Enterprise Relationship Management (ERM), Management Information
Systems (MIS), Business Intelligence (BI) and many more.
It can be difficult not to lose the track, as these terms are not standardized. Vishal Sikka,
Chief Technical Officer at the ERP vendor SAP notices: “I sometimes find it amusing. When
vendors call their little salesforce-automation application a "platform", that does actually
bother me, as a technologist, to be honest with you.” 162
There are complaints in the market that many vendors have started to market some cloud
computing services but only in a slim entry version without the whole range of functionality. Maybe
this entry level functionality is enough for many startups and small businesses. But the question
159Franckowiak, 2009, cited by Sansom, “Up in a cloud?,” 15.

160Wailgum, “SAP CTO Vishal Sikka talks clouds,” 2.
161cf. Foley, “Microsoft's Azure cloud is officially open for business.”
162Sikka, 2009, reported by Wailgum, “SAP CTO Vishal Sikka talks clouds,” 2.
should be raised why they are not yet porting the full versions to cloud computing as well. Probably
that will change as the demand for cloud computing services is on the rise and the competition
between the vendors as well. In either way is a serious assessment of the business- and service-level
requirements necessary and it will be a good starting point for a supplier research. A possible
requirements framework is freely available from Cloud Security Alliance (see also chap. Evaluation
guide).163 164
Daniel Stadelmann, founder and general manager of wedoit, a company that is specialized on IT
consolidation projects, identified an obstacle that could slow down the breakthrough of cloud
computing.
“It is increasingly difficult to find skilled specialists for the consolidation projects we do. I
assume this would be even more difficult regarding cloud computing projects.” 165
Daniel Stadelmann, wedoit
163cf. Hummeltberg, Informationsmanagement , 4.

164cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 20.
165Stadelmann, “Startup in the Cloud - Consulting Experts - Interview with Daniel Stadelmann from wedoit AG about
Industry,” col. 2.
Illustration d: Overview of some cloud offerings assigned to different services/taxonomies. Source: OpenCrowd, 2009
Ever Changing Business Requirements
“The prospects look bright for workers with specialized technical knowledge and strong
communications skills [...] as companies are increasingly looking to technology to drive
their revenue.” 166 Alfred P. Sloan Foundation
Relationships as a driver
Information technology has expanded the communication channels and as a result, revolutionized
the way we live relationships. Every aspect of our business life is becoming digitalized, relationships
as well as they are literally evolving digital social networks. Customers have received more power by
having globalized access to information through the internet where they are able to compare suppliers
and their products. 167
166Alfred P. Sloan Foundation, “Information Systems Overview,” 7.

167Hayes-Weier, “Alternative IT Software is New Reality,” 8-9.
The world has changed into one big market with extreme competition and “To make a
difference, the customer must be put in the center of the business activities, just transacting
orders is not enough anymore, the relationship of existing and future relationships must be
developed and improved.” 168
Reinhold Rapp, German Economic Forum
Many companies are changing their strategies, for example to customer relationship
management (CRM) which is “a user-centric marketing- or corporate strategy supported by
information- and communication technology with the intention to establish marketing-,
sales- and service concepts in a sustainable, profitable and holistic way.” 169
Evangelos Xevelonakis Xenis, Swiss Valuenet
Sophisticated information system solutions bring in line people, processes, and technology to
utilize the synergies and to develop and strengthen relationships within the company and outside. 170
Open your eyes and ears, is explained by business strategist Peter Fingar by stating:
“Newcomers disrupt established industries with business model innovation that not only
incorporates their suppliers, and their suppliers' suppliers, but also places their customers at
the very center of their business processes – and taps the creative abilities of all employees
to meet the ever-changing needs of their customers.” 171
Business models that can cope with customer needs and other stakeholders require information
systems which can be flexible adjusted to changing customer requirements and ensures a constant
interaction with all stakeholders via different channels including social networks. The example of the
CRM strategy can also be used to highlight the importance of seriously evaluating new information
systems, because CRM is a typical IT buzzword that can have many meanings. It can mean the just
mentioned marketing- or corporate strategy, but also mean simple versions of CRM tools which are
not much more than an address book with email functionality. There are cloud computing solutions
available for both types. However, it is depending on the requirements which solution shall be chosen
but if an established small business considers to to implement the CRM as their core strategy, cloud
computing based systems should included in the assessment as well, because they may be interesting
regarding the costs and some of them offer comprehensive integration with other cloud based online
collaboration solutions, adaptors to social networks, business intelligence and more. 172 173
168Rapp, Customer Relationship Management: Das neue Konzept zur Revolutionierung der Kundenbeziehungen , 43.
169Xevelonakis, “CRM - Erfolgreiches Kundenbeziehungsmanagement mittels Differenzierungsstrategien,” 6.
170cf. Information Today, Inc., “What Is CRM?.”
171Fingar, Dot.cloud: The 21st Century Business Platform , 16.
172cf. Goldenberg, CRM in Real-time: Empowering Customer Relationships , 138.
173cf. Biddick, “Why You Need A SaaS Strategy.”
Illustration e: Business Process Spectrum: Information systems need to comply with the soaring demand for
relationship and communication. Source: Harrison-Broninski, 2009.
Buyers become sellers

The need for modern information systems in order to correspond with modern business
requirements can go beyond strategies such as CRM. The requirements are ever accelerating:
“Putting the customer at the center, and providing customer experiences that delight, drives
all the rest. By taking such an outside-in versus inside-out view, such companies are not
longer sellers to their customers, they become buyers for their customers, going to the ends
of the earth to find the most cost-effective sources of high-quality goods and services to
deliver to their customers.” 174 By stating this, Fingar brings in another paradigm shift,
underlining that the model buyer-seller model will need to be enhanced.
The seller becomes the extended arm of the buyer. A popular example is the online retailer
Amazon, where customers usually buy books, but can easily change their role and become a seller of
books or even furniture. Social network components are built in reviews from other customers or
hints like other customers who bought this book also bought XY. This makes it possible for Amazon
to offer the customer a comprehensive shopping experience with all kinds of information and
interaction possibilities that can be of value. To realize such solutions, sophisticated information
systems are needed such as top-notch content management systems, databases, data warehouses, data
mining tools and many more which connect the solution within itself and to the stakeholders and
associated supply chains. These systems offer an extended functionality but should not be too static
in order to stay flexible regarding changing requirements. Larger enterprises may have all the
necessary infrastructure and software, but startups usually do not have them. Such solutions are not

cheap in neither way, but if startups can start with using cloud computing services instead of having
the need to buy and set it up by themselves, a successful start seems more realistic. 175 176
Human Interaction Management

Information management scientist Keith Harrison-Broninski presented in 2005 the Human
Interaction Management (HIM) approach which focuses on human interaction rather than on task
processes. While workflow management is a controlled process; a fixed, scripted behavior and
Business Process Management (BPM) is a coordinated process that is suitable for structured,
collaborative processes. HIM has contracted processes based on agreements which are flexible and
allow to adopt dynamically the processing of regular and irregular processes and interactions. HIM
follows, not entirely but to a certain point a bottom-up approach to enable self-regulating abilities. 177
Illustration f: Human Interaction Management - An Evolution of Process Management. Source:

Reproduced according original source by Korhonen, 2006.
HIM supports human work processes, which depend on interaction and are dynamically shaped
by the participants. The model takes greater notice of five main features of human working activity:
Connection visibility, structured messaging, support for mental work, supportive rather than
prescriptive activity management, processes change processes. HIM has four levels of how to turn
strategy into action. First, the Strategic Control, where the aims and measures for each high-level
process are defined. Second, Executive Control, where outline processes consisting of a mixture of
roles, interactions and users are defined. Third, Management Control, where the outline processes for
175cf. Bellomo, How to sell anything on Amazon ... and make a fortune! , 13.
176cf. Reese, Cloud application architectures , 20-24.
177cf. Qi Sui, Dong-Qing Yang, and Teng-Jiao Wang, 2009, in a collected edition of Chen, Liu, and Zhang, Advances in
Web and Network Technologies and Information Management , 5731:141.
initial execution are defined and where an on-going re-definition of the process itself is possible and
finally fourth, Agreements which defines interactions, deliverables and business rules in a kind of
contract that is continually renegotiated during the life of the process. Before a HIM system can be
introduced, it is necessary to define the five principles: 178 179 180
1. Team Building: Who has what personality and skills and is involved in which
processes. The responsibilities are set according to role objects
2. Communication: Interactions should be traceable
3. Knowledge: The mental effort which is invested in researching, comparing,

considering, deciding, and generally turning information into knowledge and ideas
must be structured
4. Empowered time management: The process owner or an interaction partner

acquires the responsibility over the sequence of activities. Every task or work
process must be easily set in context with the organizational strategy and restricted
business rules
5. Collaborative, real-time planning: The process definition is an intrinsic part of

the process itself. Every new activity or problem that needs to be solved gets
assigned a so-called “story” which defi nes a description, involved parties,
responsibilities, methodology to use, tools, interaction partner and whatever else is
of importance. It can be readjusted throughout the life of the process
One of the main elements of HIM is the bottom-up approach called Stories, which allows the
participant in accordance with his role to start collaborative work processes and to evolve it on-the-
fly as part of the work itself. The adherents of HIM praise the effectiveness of this approach, because
of the emphasis on collaborative human work that can now easily be integrated in a structured way.
On the other hand, the emphasis does not lie on efficiency, because routine work processes are more
and more often largely automated and deserve therefore less attention. 181 182 183
According Peter Fingar approaches like HIM in combination with cloud computing could
result in “management structures and styles to become organic networks rather than
hierarchical, function-divided monoliths [...] leaders don’t give commands, they transmit
178cf. Korhonen, “BPM - A Systematic Perspective,” 25.

179cf. Harrison-Broninski, Human interactions: The heart and soul of business process management , 20.
180summarized by the author of this thesis, structure according Harrison-Broninski, “Human Interaction Management,” 6.
181cf. Harrison-Broninski, “The Future of BPM,” 22-24.
183cf. Harrison-Broninski, “Human Interaction Management.”
information, trusting the team members’ competencies and gaining accountability through
transparency [...] true leadership is about cooperation, not control” 184 185
HIM is not widely known and not much literature can be found, nor is the IT industry's adoption
of the theory very advanced at this point in time (February 2010). Significantly, the only enterprise
software that is offers HIM as the core concept is HumanEdj, notably developed by the company
(Role Modelers Ltd) where the creator (Harrison-Broninski) of the HIM principles works.
Nevertheless, HIM is starting to get a grip, for example SAP has introduced a HIM module for its
ERP suite. In the end-user market the productivity application Getting Things Done (GTD) has taken
on parts of HIM and has become quite popular with it. David Allen, the founder of GTD and the
author of the bestseller book with the same name, explained in an interview that cloud computing and
HIM could be the best possible combination. The reason he thinks so is because cloud computing is
able to connect different platforms and applications in order to manage them on the meta-level. Each
part of the five HIM principles (ibid.) can be made better thanks to cloud computing due to the fact
that it is predestinated to interconnect the involved human-driven processes .186 187 188
The following comparison categorizes HIM on the architectures map and underscores its
democratized user-level approach: 189 190
IT Analysts Business Business People

Analysts
SOA BPM HIM
IaaS PaaS SaaS

IT Level Developer Level User Level
Table c: Service-oriented architecture (SOA) is primarily the domain of IT analysts,
BPM is the domain of business analysts. The bottom-up approach of HIM makes it possible for
business people to define the processes, in other words providing support for the way humans work
and interact with each other. Source: Own conclusion based on Fingar, 2009; Rayport and Heyward
2009.
If HIM would become more popular in form of several competing HIMS (Human Interaction
Information Systems) or as a supplement to existing business process management software, it could
lead to a considerable productivity advantage. It would be desirable, if the HIM approach would be

185cf. Fingar, 2009, edited by Meyer, Review: Peter Fingar, Dot.cloud: The 21st century business platform built on cloud
computing, 5.
186cf. SAP, “Getting Started with Human Interaction Management.”
188cf. Mack, Video: David Allen - GTD and Cloud Computing .
189cf.Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.
190cf. Fingar, Dot.cloud: The 21st Century Business Platform , 143.
taken on by the open source community. What the world need is nothing less than a highly
competitive but free open source business platform of the 21st century! The open source community
has already achieved to develop an impressive number of free, open source business software such as
vTiger (CRM), Compiere (ERP), Pentaho (Business Intelligence), Essential Project (Enterprise
Architecture), Liferay (Office Collaboration) or Alfresco (Enterprise Content Management). The
rather radical, because democratized bottom-up HIM approach needs maybe to be newly developed
from Scratch, probably that is why there is not yet (HumanEdj has been free but is now closed
source) a free, open source HIM available. Especially startups and small businesses could profit a lot
from using an integrated solution that leverages productivity by a more effective communication
which dynamises and even democratizes the processes in companies. 191
“Today, customers are able to connect to the cloud without installing software or buying
specific hardware. A bit reason for their desire to use the cloud is the availability of
collaborative services. Collaboration is the opiate of the masses in cloud land” 192
John Rittinghouse, Cloud Evangelist
Trends
Encouraging Innovation by Simplicity

"In pursuit of knowledge, every day something is acquired; in pursuit of wisdom, every day
something is dropped" 193 Laozi
John Adair, professor for leadership, has mentioned this quote from Laozi to show that wisdom
always tends towards simplicity. The reason being that simplicity reduces things to essentials. It is
important to store solely essential information and to keep the information systems simple, otherwise
change will be become difficult. Information systems need to become accelerators of change and
open ways to let innovation happen. Every change can be a chance for constantly improving the
companies productivity. The information system solutions have to leverage this process of
organizational maturity and learning. It must be possible for startups and small companies to take
advantage of advanced information systems to become more innovative than their larger
competitors. 194 195
191cf. Geeknet, Inc., “SourceForge - Find and Develop Open Source Software.”
192Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 62.
193Laozi (a.k.a. Lao Tzu) ~100 BC, cited by Adair, How to grow Leaders: The seven Key Principles of effective
Leadership Development , 51.
194cf. Ibid.
195cf. Avgerou, Information systems and the economics of innovation , 180.
However, a lot of functionality leads to complexity. And if complexity is not handled the
right way it becomes complicated: “Data moves between processes, and processes move
between departments. Once you get everybody running on the system, you don't know what
ripple a change could create throughout the organization.” 196
Complicated is exactly what startups and small companies do not need. They are looking for
simplicity, low costs and being able to adjust their business processes quickly to changing market
needs. Following this approach, they can concentrate on their core business. If cloud computing
applications support startups and small companies in that way, then they are becoming enablers for
innovation.197 198
Software paradigm shift away from conventional to pay as you go

The to be expected paradigm shift away from purchasing software licenses to on demand, pay as
you go software, will fundamentally transform how enterprises procure and consume technology
solutions. Major vendors that still make the largest part of their profits with the conventional license
model have to adjust their strategy. 199
One of these major vendors, Microsoft, is just one amongst many in the enterprise software
market but still dominant in the end-user desktop market, has publicly disclosed its cloud-computing
strategy in 2008. They expect that cloud computing will lead to a hybrid model of the current on-
premises model and to SaaS that is run on centralized, massive data centers that are operated by
major IT companies. 200 201
Ray Ozzie, Microsoft's chief software architect states: "At the back-end side, it depends on
the size of enterprise and the workload, as well as the segment of the enterprise and whether
it is highly regulated or whatever. The decisions regarding what to keep on-premises versus
what to distribute into the cloud will vary dramatically. Very small businesses will put almost
everything into the cloud. Very large businesses will put all their infrastructural systems,
such as mail, phone systems and document management, into the cloud. Enterprise
applications that have high integration requirements and a lot of legacy issues will stay on
premises. What happens in the middle is a mix.” 202 203
196Mittelstaedt et al., “IT evolution: Why ERP systems face extinction.”

197cf. Ibid.
198cf. Gunasekaran, Global Implications of Modern Enterprise Information Systems: Technologies and Applications , 2.
199cf. Reese, Cloud application architectures , 47-53.
200cf. Verberne, “Global Software Top 100 - Interim Update.”
201cf. Kooten, van and Verberne, “Enterprise Software Top 10: Salesforce running up the ranks.”
202MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.”
203cf. Ibid.
Furthermore he explains Microsoft's position whether the switch will happen evolutionary or
revolutionary: “Cloud computing won't be successful if organizations and developers have to
reinvent everything. That's not what customers want. They want a smooth transition.” 204
Freemium - Cloud Computing as a potential Cost Trap

Many cloud computing providers offers some basic services for free to attract customers.
Ray Ozzie, Microsoft explains: “Give your service away for free, possibly ad supported but
maybe not, acquire a lot of customers very efficiently through word of mouth, referral
networks, organic search marketing, etc., then offer premium priced value added services or
an enhanced version of your service to your customer base […] It works even better with
web native services. A customer is only a click away and if you can convert them without
forcing them into a price/value decision you can build a customer base fairly rapidly and
efficiently. It is important that you require as little as possible in the initial customer
acquisition process. Asking for a credit card even though you won’t charge anything to it is
not a good idea. Even forced registration is a bad idea. You’ll want to do some of this sort of
thing once you’ve acquired the customer but not in the initial interaction.” 205
Richard Stallman, a leading advocate of free software and founder of the Free Software
Foundation warns the public that cloud computing is a trap. The ICT industry is using
Freemium to catch buy into locked, proprietary systems that would cost them more and more
over time: “It's stupidity. It is worse than stupidity: it's a marketing hype campaign […]
somebody is saying this is inevitable – and whenever you hear somebody saying that, it's
very likely to be a set of businesses campaigning to make it true […] One reason you should
not use web applications to do your computing is that you lose control […] It is just as bad
as using a proprietary program. Do your own computing on your own computer with your
copy of a freedom-respecting program. If you use a proprietary program or somebody else's
web server, you are defenseless. You are putty in he hands of whoever developed that
software.” 206
Hosted Open Source Business Opportunities

While some open source ambassador, such as the just mentioned Richard Stallmann, do not like
the business models of many cloud computing offerings, has venture capitalist Bernard Dallé another
story to tell. Bernard Dallé from Index Ventures who transacted the investments in Skype and
MySQL, made the experience that many companies, who hesitated up to now to go with open source
software, because they thought it is too risky, now start using cloud computing without having the
204Ibid.
205Wilson, “My Favorite Business Model.”
206Stallmann, 2008 Johnson, “Cloud computing is a trap, warns GNU founder.”
concerns against hosted open source solutions. This can lead to interesting business opportunities for
open source companies which are now able to address niche applications to well-funded enterprise
companies. These open source do not even need to host the cloud computing based open source
applications themselves. They can use established IaaS or PaaS providers while concentrating of the
developing, marketing and making services and support of their SaaS applications. 207
Up to now, the open source industry consists usually of innovative, rather young people with
moderate incomes that dedicated a lot of their time to improve the open-source solutions out of the
belief that the open-source society is helpful for our society. It can be seen as more than desirable that
these young people of the open source world now are able to become successful entrepreneurs. This
will hopefully underpin the necessary shift towards a business culture that take its social
responsibility more seriously!
Paradigm Shift of Change – from Push to Pull and from Mass to Micro Markets
“The cloud represents the reinvention of commerce, from a push to pull model and from mass
to micro market economics as the long tail dominates value creation enabled by network
effects, which accelerates globalization, greatly increases productivity and improves the
quality of life for all. The control point has shifted so that suddenly commerce and
communication are end to end – with no regard to borders – location and even time
independent. We are just at the beginning of an escalating slope of change that affects how
we will live socially, culturally, politically. This is a once-in-a-millennium paradigm shift.” 208
William Coleman, Aspen Institute Roundtable
Mega Data Centers

Major IT companies like Google, IBM, Amazon or HP are assessing the economies of scales and
are building as a consequence so called “mega data centers” with enormous dimensions that offers an
unseen before efficiency. Microsoft is defining the deploying data center infrastructure into the
following stages of development:
1. Traditional setup: “Installing a server in a rack, deploying operating system,

configuring networks
2. Rack level of deployment: Dozens of servers at a time which arrive prebuilt and
are installed by a third party
3. Modularity to the level of containers: The cutting edge. Fully confi gured
containers with 2'000 servers are implemented in a shell building with enough
power and cooling systems
207Dallé, 2009, cited by Asay, “Open source: The money is in the cloud.”
208Coleman, 2009, reported by Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on
Business, Governance and Social Interaction , 71-72.
4. Fully modular: Currently in trial phase. Is intended to become the primary

model of choice within one year. Fully modular system without shell buildings. The
whole system consists simply of modular server containers, power backup
containers and cooling containers that are connected to form an independent
ecosystem of massive data center computing power. The lead time from detecting
the need for additional computing power to placing into operation will be some
weeks only” 209
This may sound a bit futuristic to both, IT professionals and normal business people, but it is a
fact and these major vendors will use all their market power in order to gain market shares and
utilizing these new “mega data centers”. Vendors in the consumer market will leave nothing undone
to adjust their strategy in a way, that the millions existing customers, end-users and small businesses
alike, will switch to their cloud application offerings. 210 211
Not only end-users are targeted, enterprise customers as well. Microsoft's chief software
architect describes it that way: “I fundamentally believe that all the enterprise applications
that we sell as software will also be a service. I know that every time you add a zero to the
order of magnitude, you can do it more efficiently. So, if we are serving 100 million
Exchange mailboxes, we'll do it better than if we're serving 1 million or 100,000. There is a
significant advantage there.” 212
Global vendors with such efficient state-of-the-art infrastructure coupled with the effective usage
thanks to cloud computing will be highly competitive compared to conventional on the premises
models. Especially compared to shall businesses, can they massively profit from economies of scale.
At small businesses are the necessary IT skills are often not in-house available. 213
Brokering Cloud Services

As already mentioned, cloud computing services are expected one day to be become an
ubiquitous commodity, just as the electricity from the power grid. Rajkumar Buyya, computer
scientist, is concretely studying what concepts would be needed regarding the trade.
“As Cloud platforms become ubiquitous, we expect the need for inter-networking them to
create market-oriented global Cloud exchanges for trading services. Several challenges need
to be addressed to realize this vision. They include: market-maker for bringing service
providers and consumers; market registry for publishing and discovering Cloud service
providers and their services; clearing houses and brokers for mapping service requests to
210cf. Ibid.
211 cf. Metz, “Will Google regret the mega data center?.”
213cf. Thommen, Managementorientierte Betriebswirtschaftslehre , 791.
providers who can meet QoS expectations; and payment management and accounting
infrastructure for trading services.“ 214
His next statement suggests how important the efforts for the standardization of interfaces
and coordinated risk management systems are: “The state-of-the-art Cloud technologies
have limited support for market-oriented resource management and they need to be extended
to support: Negotiation of QoS between users and providers to establish SLAs; mechanisms
and algorithms for allocation of VM resources to meet SLAs; and manage risks associated
with the violation of SLAs. Furthermore, interaction protocols needs to be extended to
support interoperability between different Cloud service providers.“
Further efforts are necessary in order to establish open clouds that offer unlimited flexibility without
cutting back security. That the quality is given is especially important for startups and small
businesses, as they do not have the risk assessment instruments and experiences that larger
cooperations have. 215
Significance: Market, Economics And Trends
For startups, entrepreneurs and small companies, the following aspects regarding cloud
economics, its market development and participants and finally future trends of cloud computing may
be of special interest:
! Operational expenditures instead of capital expenditures are favoured will be valued especially
by startups
! Constantly changing business requirements need information systems that offers the same
flexibility without becoming complicated. The modular, often service-oriented cloud
computing systems can be a good base, depending on the offer of the cloud application
provider
! The IT industry is very keen as it can help them to change their business model from hardware
and licenses to services. This will lead to more standardization efforts and to more
competition what will expand the variations of offerings and will lower the prices as well
! By contrast to enterprise cooperations which their long grown information systems, can
startups start on the greenfield with a completely new solution based on cloud computing
214Buyya et al., “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the
5th utility,” 614.
215Ibid.
Evaluation Guide
“Cloud computing is gaining interest as a potential driver of value generation and cost
savings for migrating and creating new applications, but enterprises must choose carefully
from among varied architectural alternatives based on their degree of alignment with
business processes and existing architectural constraints.” 216
Eric Knipp et al., Gartner Group
How To Approach A Cloud Computing Evaluation?
When taking a look in a library, results in several books in the category requirements engineering
can be found. Requirements engineering is usually quite at the beginning of information system
evaluations. Questions to be asked are: 217
! Why? Requirements of the market: Customer and user needs, business requirements- and
goals as well as other needs
! What? Requirements of the product: Characteristics, system requirements
! How? Requirements of the component: Software requirements
This sounds quite logical so far. However, after having browsed through the requirements
engineering books, one has the impression that it looks all very technical and abstract. Maybe too
technical for business people? Is their business mindset compatible with the mindset of IT
specialists? To what extent is the classic software development process applicable when it comes to
considering a new business application based on cloud computing?
As a matter of fact, it is not the principal idea of cloud computing consumers to develop
software. Therefore, the requirements engineering approach may be too heavily “software
development-oriented”. As most potential cloud computing consumers will lean toward ready to use
Software as a Service (SaaS), requirements engineering will probably not be suitable.
“Because of the wide degree of differentiation among provider offerings and potential use
scenarios, best practices for constructing, hosting, and maintaining cloud-based enterprise
solutions are still evolving.” 218 Eric Knipp et al., Gartner Group
216Knipp et al., Creating Cloud Solutions: A Decision Framework , 1.

217cf. Ebert, Systematisches Requirements-Engineering und Management Anforderungen ermitteln, spezifizieren,
analysieren und verwalten , 23.
218Knipp et al., Creating Cloud Solutions: A Decision Framework , 1.
As cloud computing is still a new discipline, not much literature can be found to answer these
questions in a holistic way. Nonetheless, the cloud computing society has developed best practices.
One of them was developed from the Cloud Computing Security Alliance (CSA). A community of
often well-known individuals from science and the IT industry, has developed the Security Guidance
for Critical Areas of Focus in Cloud Computing (CSA Guidance), which is currently in version 2.1.
They give indications what are the most crucial points in the fields of security, legal and privacy
issues that should be considered during an assessment of cloud computing based information
systems. 219
The author of this thesis assumes that such a framework can be especially helpful for startups and
small companies, as due to its compact dimensions it is more likely to be read whereas complex
literature would probably not be read at all. Instead, an ad hoc decision would be made based upon
the business functionality of the cloud computing application only. Following the pragmatic approach
of CSA, are the consecutive paragraphs which adopts the entire structure of CSA Guidance and cites
only excerpts of the effective content and compares it with other literature.
Additionally, to emphasize the practical value, are the excerpts from CSA guidance enhanced
with information from a practical survey (see annex). This survey Startup in the Cloud - Consulting
Experts has been been conducted by the author of this thesis in order to get practical first hand
feedback as complemental information on whether cloud computing can be the right choice for
startups and small companies.
Who Is Initiating And Attending The Evaluation?
Having an idea how to approach such an evaluation is one thing, the other is who has the overall
responsibility from the business side? One paragraph earlier, it was assumed that startups and small
companies would tend to ad-hoc approaches. But how to do it better? Who should attend such
projects? Antonio Palacin, on of the interviewees from the Consulting Experts survey, has given the
following advice:
“It depends on the industry. In general, the link between business requirements and the
associated information systems should be owned by one of the managing directors. This
person should have a counterpart in each line-of- business or main organization within the
company. Those departements should summarize their needs. Finally it is the task on C-level
to derive the right catalogue of services and to combine the different requests.” 220
Antonio Palacin, IBM
219cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 4.
220Palacin, “Startup in the Cloud - Consulting Experts - Interview with Antonio Palacin from IBM Deutschland GmbH
about Simplicity,” col. 1.
This answer targets rather bigger companies but the message is clear: Assessing business-
relevant information systems are a top priority and need to be attended by the founders of a startup
company and the same at smaller companies. Evangelos Xevelonakis Xenis, managing director of a
CRM consulting strategy company who attended the Consulting Experts survey as well, confirms this
impression by stating:
“It depends on the company's size. But I think the CEO is the appropriate person.” 221
Evangelos Xevelonakis Xenis, Swiss Valuenet
Introduction To CSA Guidance For Cloud Security Assessment
The following sub-chapters are structured according CSA Guidance and quote in each case at the
beginning the corresponding information from CSA Guidance followed by the further considerations
including the survey results. The guidance is divided into section one, Cloud Computing
Architectural Framework , section two, Governing in the Cloud and section three, Operating in the
Cloud. To improve reader friendliness, literal quotes from CSA Guidance are set in a grey tone.
Additionally, it should be mentioned that the CSA guidance is written in the 4 th person. The editors of
CSA guidance follow this approach in order to attain better acceptance from practitioners.
As there are different cloud services and deployment options (ibid.; for example SaaS service
model or public cloud deployment) , CSA mentions that no guidance or list can cover all
circumstances and that the CSA guidance simply helps to guide the evaluation through a decision
phase. It shall not be seen as a full risk assessment framework or methodology for determining the
whole set of possible risk threats. 222
Deciding What, When, and How to Move to the Cloud

The introduction part Deciding What, When, and How to Move to the Cloud in the CSA guidance
is complete list in order to improve the contextual understanding of the following chapters.
Furthermore, in real life situations it can be assumed that many startups and small businesses even
fail to exercise basic assessments. These would be well advised to consult at least this introduction
part.
221Xevelonakis, “Startup in the Cloud - Consulting Experts - Interview with Evangelos Xevelonakis Xenis from Swiss
Valuenet about about Simplicity,” col. 1.
222cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 9.
Identify the asset for the cloud deployment

“At the simplest, assets supported by the cloud fall into two general buckets:
1. Data or 2. Applications / Functions / Processes
We are either moving information into the cloud, or transactions / processing (from
partial functions all the way up to full applications).
With cloud computing our data and applications don’t need to reside in the same
location, and we can even shift only parts of functions to the cloud. For example, we
can host our application and data in our own data center, while still outsourcing a
portion of its functionality to the cloud through a Platform as a Service.
The first step in evaluating risk for the cloud is to determine exactly what data or
function is being considered for the cloud. This should include potential uses of the
asset once it moves to the cloud to account for scope creep. Data and transaction
volumes are often higher than expected.” 223
Evaluate the asset

“The next step is to determine how important the data or function is to the
organization. You don’t need to perform a detailed valuation exercise unless your
organization has a process for that, but you do need at least a rough assessment of
how sensitive an asset is, and how important an application /function / process is.
For each asset, ask the following questions:
1. How would we be harmed if the asset became widely public and widely
distributed?
2. How would we be harmed if an employee of our cloud provider accessed the

asset?
3. How would we be harmed if the process or function were manipulated by an

outsider?
4. How would we be harmed if the process or function failed to provide expected

results?
5. How would we be harmed if the information/data were unexpectedly changed?
6. How would we be harmed if the asset were unavailable for a period of time?
Essentially we are assessing confi dentiality, integrity, and availability requirements

for the asset; and how those are affected if all or part of the asset is handled in the
cloud. It’s very similar to assessing a potential outsourcing project, except that with
cloud computing we have a wider array of deployment options, including internal
models.”224
223Ibid.
224Ibid., 9-10.
Ray Ozzie, Chief Technology Officer at Microsoft has been asked in an interview with Gartner
Inc., one of the leading IT analysts, how the security concerns of moving to cloud computing should
be adressed. His answer has not been too short but it mentions some reasonable points.
“There's no perfect solution. Security is inherently risk management. If it's described as a

black-and-white issue, we'll never get there. Whether on-premises or off-premises, everything
is vulnerable. So, we just basically invest at different layers of the architecture. There are
different aspects of that investment. Oddly enough, it starts with the lawyers and with our
policy folks. We have to understand the regulatory environment in every single jurisdiction
that we or our customers want to serve. The analogy that I'll make that might resonate is that
we are with cloud computing right now where we were with encryption with mass market
products and exports controls in the early 1990s – which is that everybody had their own
export and import restrictions, which prevented a software developer from writing something
with crypto in it and getting it shipped.” Ray Ozzie, Microsoft CTO
Map the asset to potential cloud deployment models

“Now we should have an understanding of the asset’s importance. Our next step is to
determine which deployment models we are comfortable with. Before we start
looking at potential providers, we should know if we can accept the risks implicit to
the various deployment models: private, public, community, or hybrid; and hosting
scenarios: internal, external, or combined. For the asset, determine if you are
willing to accept the following options:
1. Public
2. Private, internal / on-premises
3. Private, external (including dedicated or shared infrastructure)
4. Community; taking into account the hosting location, potential service provider,
and identification of other community members.
5. Hybrid. To effectively evaluate a potential hybrid deployment, you must have in

mind at least a rough architecture of where components, functions, and data will
reside.
At this stage you should have a good idea of your comfort level for transitioning to
the cloud, and which deployment models and locations fi t your security and risk
requirements.” 225
Evaluate potential cloud service models and providers

“In this step focus on the degree of control you’ll have at each SPI (refers to
Software as a Service, Platform as a Service, or Infrastructure as a Service) tier to
implement any required risk management. If you are evaluating a specifi c offering,
225Ibid., 10.
at this point you might switch to a fuller risk assessment.
Your focus will be on the degree of control you have to implement risk mitigations in
the different SPI tiers. If you already have specifi c requirements (e.g., for handling
of regulated data) you can include them in the evaluation.” 226
Sketch the potential data flow

“If you are evaluating a specifi c deployment option, map out the data fl ow between
your organization, the cloud service, and any customers / other nodes. While most
of these steps have been high-level, before making a fi nal decision it’s absolutely
essential to understand whether, and how, data can move in and out of the cloud.
If you have yet to decide on a particular offering, you’ll want to sketch out the rough
data flow for any options on your acceptable list. This is to insure that as you make
final decisions, you’ll be able to identify risk exposure points.” 227
Conclusions: Deciding What, When, and How to Move to the Cloud

“You should now understand the importance of what you are considering moving to
the cloud, your risk tolerance (at least at a high level), and which combinations of
deployment and service models are acceptable. You’ll also have a rough idea of
potential exposure points for sensitive information and operations.
These together should give you suffi cient context to evaluate any other security
controls in this Guidance. For low-value assets you don’t need the same level of
security controls and can skip many of the recommendations — such as on-site
inspections, discoverability, and complex encryption schemes. A high-value
regulated asset might entail audit and data retention requirements. For another
high-value asset not subject to regulatory restrictions, you might focus more on
technical security controls.
Due to our limited space, as well as the depth and breadth of material to cover, this
document contains extensive lists of security recommendations. Not all cloud
deployments need every possible security and risk control. Spending a little time up
front evaluating your risk tolerance and potential exposures will provide the
context you need to pick and choose the best options for your organization and
deployment.” 228
226Ibid.
227Ibid., 10-11.
228Ibid., 11.
CSA Guidance: Section 1. Cloud Architecture
While the content of the preliminary part Introduction to CSA guidance For Cloud Security
Assessment has been completely taken over in this chapter Evaluation Guide, will only excerpts be
cited from the now following domains 1-13 and some of them completed with interview excerpts
from the survey Startup in the Cloud - Consulting Experts . Nonetheless, the structure will be
completely taken over to give an undistorted overview what the CSA Guidance has to offer to
startups and small companies.The domains 13 domains in total are assigned according the following
three sections:
! Section 1: Cloud Architecture examines Domain 1
! Section 2: Governing in the Cloud examines Domains 2-6
! Section 3: Operating in the Cloud examines Domains 7-13
Domain 1: Cloud Computing Architectural Framework

This first domain is the most voluminous as it contains many definitions. Several of the
definitions and sub-chapters have already been examined earlier in this thesis (ibid. Defining Cloud
Computing) and will therefore not again be expatiated unless it contains important extra information.
The sub-chapters are:
! What Is Cloud Computing?
! What Comprises Cloud Computing?
! Essential Characteristics of Cloud Computing
! Cloud Service Models
! Cloud Deployment Models
! Multi-Tenancy
! Cloud Reference Model
! Cloud Security Reference Model
! What Is Security for Cloud Computing?
! Beyond Architecture: The Areas Of Critical Focus
What Is Cloud Computing?

Has been examined earlier in this thesis (ibid. Defining cloud computing) .
What Comprises Cloud Computing?

Keyword: NIST definition of cloud computing. Has been examined earlier in this thesis (ibid.
Defining cloud computing)
Essential Characteristics of Cloud Computing

Keywords: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity,
Measured service. Has been examined earlier in this thesis (ibid. Defining cloud computing) .
Cloud Service Models

Keywords: Software as a Service, Platform as a Service, Infrastructure as a Service . Has been
examined earlier in this thesis (ibid. Defining cloud computing) .
Cloud Deployment Models

Keywords: Public Cloud, Private Cloud, Community Cloud, Hybrid Cloud . Has been examined
earlier in this thesis (ibid. Defining cloud computing) .
Multi-Tenancy
Keyword: Single instance serving multiple client organizations. Has been examined earlier in this
thesis (ibid. Defining cloud computing) .
Cloud Reference Model

“Understanding the relationships and dependencies between Cloud Computing models is
critical to understanding Cloud Computing security risks. IaaS is the foundation of all cloud
services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS as described
in the Cloud Reference Model diagram. In this way, just as capabilities are inherited, so are
information security issues and risk.” 229
The Cloud Reference Model illustration can be found in the next chapter, in fact it compromises
only the left part; Cloud Model.
Cloud Security Reference Model

The structure of the Cloud Reference Model, strictly speaking the inherited character regarding
the capabilities and risks, makes it necessary to consider the significant trade-offs to each model. The
trade-offs between the three different cloud deployment models have to be examined regarding
integrated features, complexity versus openness and also security.
229Ibid., 18.
“SaaS provides the most integrated functionality built directly into the offering,
with the least consumer extensibility, and a relatively high level of integrated
security (at least the provider bears a responsibility for security).
PaaS is intended to enable developers to build their own applications on top of the
platform. As a result it tends to be more extensible than SaaS, at the expense of
customer- ready features. This tradeoff extends to security features and
capabilities, where the built- in capabilities are less complete, but there is more
flexibility to layer on additional security.
IaaS provides few if any application-like features, but enormous extensibility. This
generally means less integrated security capabilities and functionality beyond
protecting the infrastructure itself. This model requires that operating systems,
applications, and content be managed and secured by the cloud consumer.” 230
To attain a holistic view of the security and compliance situation, the Cloud Reference Model is
expanded to become the Cloud Security Reference Model .
The gap analysis according the figure below shows “how a cloud service mapping can be
compared against a catalogue of compensating controls to determine which controls exist
and which do not – as provided by the consumer, the cloud service provider, or a third party.
This can in turn be compared to a compliance framework.” 231
If such a gap analysis is accomplished, the risk manager in bigger companies becomes already a
bit friendlier while such an analysis in small companies it is a good start in order to watch out for
possible cloud computing provider.
230Ibid., 19.
231Ibid., 23.
Illustration g: Cloud Security Reference Model. Source: Reproduced according original source by Cloud Security
Alliance, 2009.
What Is Security for Cloud Computing?

As already mentioned, the security controls for cloud computing and any other IT environment
are mostly the same.
But one of the key characteristics and at the same time maybe the strongest critic point is that
“cloud computing is about gracefully losing control while maintaining accountability even if
the operational responsibility falls upon one or more third parties.” 232
Beyond Architecture: The Areas of Critical Focus

CSA categorizes into the two broad categories governance and operations: “Governance
domains are broad and address strategic and policy issues within a cloud computing
environment, while the operational domains focus on more tactical security concerns and
implementation within the architecture.” 233
The following comparison shall give an impression of considerable legal, regulatory and
standardization aspects. CSA calls the issues, UC Berkeley obstacles and ENISA risks. It is roughly
232Ibid., 24.
233Ibid., 26.
about the same thing but the author of this thesis points out that it can only be compared limitedly as
the perspective is varying from case to case. While CSA's issues and ENISA's risks are arranged
according a structured, holistic approach, has UC Berkeley listed ten obstacles. Nonetheless, the
reader may be able to draw his own useful conclusions. 234 235 236
Issues as per CSA Obstacles as per UC Berkeley Risks as per ENISA

Governance (Domains 2-6) Policy and Organisation
Governance and Enterprise Risk Vendor Lock-in
Management Loss of Governance
Legal and Electronic Discovery Compliance Challenges
Compliance and Audit Availability of Service Cloud Provider Acquisition
Information Lifecycle Management Data Lock-In
Portability and Interoperability Data Confidentiality and Audibility Technical Risks
Data Transfer Bottlenecks Data Leakage
Operational (Domains 7-13) Performance Unpredictability Distributed Denial of Service Attacks
Traditional Security Scalable Storage Loss of Encryption-Keys
Business Continuity and DR Bugs in Large Distributed Systems Conflicts-hardening Procedures
Data Center Operations Scaling Quickly
Incident Response, Notification and Reputation Fate Sharing Legal Risks
Remediation Software Licensing Data Protection
Application Security Software Licensing
Encryption and Key Management
Identity and Access Management Influencing Risks
Virtualization Network Problems
Unauthorized Access to Data Centers
Table d: Collection of aspects that need to be considered while assessing cloud

computing solutions. Source: Own comparison based on literature according bibliographic
footnote, 2010.
Domain 2: Governance and Enterprise Risk Management

Outline of Domain 2:“The ability of an organization to govern and measure enterprise risk
introduced by Cloud Computing. Items such as legal precedence for agreement breaches,
ability of user organizations to adequately assess risk of a cloud provider, responsibility to
protect sensitive data when both user and provider may be at fault, and how international
boundaries may affect these issues, are some of the items” 237
234cf. Ibid., 26-28.

235cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 14.
236cf. Catteddu, and Hogben, 2009. "Cloud Computing: Benefits, Risks and Recommendations for Information Security",
European Network and Information Security Agency, cited by Khajeh-Hosseini, Sommerville, and Sriram, “Research
Challenges for Enterprise Cloud Computing,” chap. 4.
237Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 26.
Domain 2 contains the following four sub-domains:
! Governance Recommendations
! Enterprise Risk Management Recommendations
! Information Risk Management Recommendations
! Third Party Management Recommendations 238
Domain 3: Legal and Electronic Discovery

Outline of Domain 3:“Potential legal issues when using Cloud Computing. Issues touched
on in this section include protection requirements for information and computer systems,
security breach disclosure laws, regulatory requirements, privacy requirements,
international laws, etc.” 239
Daniel Jost, on of the interviewees from the Consulting Experts survey, is working in the IT of an
insurance company. His experience is that cloud computing can be an option them, but only if it has
been trough a serious risk assessment. 240
“Large cooperations have the advantage that they are experienced with storing the data at
different locations. They will carefully assess an offering regarding the protection of data
privacy before they would move in the cloud.” 241
Daniel Jost, CSS Group
“The 20th-century-built walls of privacy show serious cracks now. The parapets are rather
useless in facing the threats of the internet. This is the very moment for rebuilding them.” 242
Ray Garcia, Harvard University
Domain 4: Compliance and Audit

Outline of Domain 4:“Maintaining and proving compliance when using Cloud Computing.
Issues dealing with evaluating how Cloud Computing affects compliance with internal
security policies, as well as various compliance requirements (regulatory, legislative, and
238cf. Ibid., 31-34.

239Ibid., 27.
240cf. Ibid., 35-36.
241Jost, “Startup in the Cloud - Consulting Experts - Interview with Daniel Jost from CSS Gruppe about Simplicity,” col.
7.
242authored by Garcia, in a collected edition of Roig and et al., “Proceedings of the First Workshop on Law and Web 2.0,”
72.
otherwise) are discussed here. This domain includes some direction on proving compliance
during an audit.” 243 244
Domain 5: Information Lifecycle Management

Outline of Domain 5:“Managing data that is placed in the cloud. Items surrounding the
identification and control of data in the cloud, as well as compensating controls which can
be used to deal with the loss of physical control when moving data to the cloud, are
discussed here. Other items, such as who is responsible for data confidentiality, integrity,
and availability are mentioned.” 245
Domain 6: Portability and Interoperability

Outline of Domain 6:“The ability to move data/services from one provider to another, or
bring it entirely back in- house. Issues surrounding interoperability between providers are
also discussed.” 246
Domain 7: Traditional Security, Business Continuity and Disaster Recovery

Outline of Domain 7:“How Cloud Computing affects the operational processes and
procedures currently use to implement security, business continuity, and disaster recovery.
The focus is to discuss and examine possible risks of Cloud Computing, in hopes of
increasing dialogue and debate on the overwhelming demand for better enterprise risk
management models. Further, the section touches on helping people to identify where Cloud
Computing may assist in diminishing certain security risks, or entails increases in other
areas.”247
Domain 8: Data Center Operations

Outline of Domain 8:“How to evaluate a provider’s data center architecture and operations.
This is primarily focused on helping users identify common data center characteristics that
could be detrimental to on-going services, as well as characteristics that are fundamental to
long-term stability.” 248
244cf. Ibid., 37-38.
245Ibid., 27.
246Ibid.
247Ibid.
248Ibid.
Domain 9: Incident Response, Notification and Remediation

Outline of Domain 9:“Proper and adequate incident detection, response, notification, and
remediation. This attempts to address items that should be in place at both provider and user
levels to enable proper incident handling and forensics. This domain will help you
understand the complexities the cloud brings to your current incident handling program.” 249
Matthias Schunter, one of the interviewees from the Consulting Experts survey, is security
scientist at the IBM research center in Zurich. He ssupposes a shift from the market towards a higher
security level.
“Large cooperations only choose cloud provider with a long, trustworthy security record.
That will urge providers to increase their quality in order to increase their market.” 250
Matthias Schunter, IBM
Domain 10: Application Security

Outline of Domain 10:“Securing application software that is running on or being developed
in the cloud. This includes items such as whether it’s appropriate to migrate or design an
application to run in the cloud, and if so, what type of cloud platform is most appropriate
(SaaS, PaaS, or IaaS). Some specific security issues related to the cloud are also
discussed.” 251
Domain 11: Encryption and Key Management

Outline of Domain 11:“Identifying proper encryption usage and scalable key management.
This section is not prescriptive, but is more informational is discussing why they are needed
and identifying issues that arise in use, both for protecting access to resources as well as for
protecting data.” 252
Domain 12: Identity and Access Management

Outline of Domain 12:“Managing identities and leveraging directory services to provide
access control. The focus is on issues encountered when extending an organization’s identity
into the cloud. This section provides insight into assessing an organization’s readiness to
conduct cloud-based Identity and Access Management (IAM).” 253 254
249Ibid., 28.
250Schunter, “Startup in the Cloud - Consulting Experts - Interview with Matthias Schunter from IBM Deutschland GmbH
about Security,” col. 7.
252Ibid.
253Ibid.
254cf. Ibid., 63-67.
Domain 12 contains the following sub-domains:
! Identity Provisioning – Recommendations
! Authentication – Recommendations Federation
! Recommendations Access Control Recommendations
! IDaaS Recommendations
Domain 13: Virtualization

Outline of Domain 13:“The use of virtualization technology in Cloud Computing. The
domain addresses items such as risks associated with multi-tenancy, VM isolation, VM co-
residence, hypervisor vulnerabilities, etc. This domain focuses on the security issues
surrounding system/hardware virtualization, rather than a more general survey of all forms
of virtualization.” 255 256
Orientation In The Cloud Computing Jungle
Although several if not most contributors to the CSA guidance are members of the cloud
computing industry, an industry nota bene which wants to sell cloud services. Nonetheless, the author
assumes that the CSA guidance from the Cloud Security Alliance is a honest piece of work in order to
help the cloud computing market to mature.
The maturity transformation will take several years because due to the complex nature of cloud
computing the friction surface is naturally spacious. Regarding not loosing the orientation while
assessing cloud computing solutions, there can be excepted a wide range of literature; from
application-oriented to the point of fundamental and anticipatory scientific considerations. Several
definitions, models and quasi- standards are about to emerge that are guiding and illuminating the
risks and chances. Subsequently, these lists are further elaborated in order to give a cloud computing
status quo overview with recommendable information sources. 257
Definitions about cloud computing:
! Widely accepted cloud computing definition from NIST (ibid.)
255Ibid., 28.
256cf. Ibid., 68-70.
257cf. Chen, Paxson, and Katz, What’s new about Cloud Computing Security? , 2-3.
Maturity of the cloud computing industry:
! Major vendors make some efforts toward inter-compatible, open clouds (ibid. Market)
! Total size and diversified composition of the market (ibid. Defining Cloud Computing)
Literature with “How To” character:
! Cloud Computing Architectures by George Reese
! Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance by Tim
Mather et al.
! Cloud Computing Use Cases by the Cloud Computing Use Case Discussion Group
! Cloud Computing: Implementation, Management and Security by John Rittinghouse
Scientific considerations which have an effect on the market:
! A Berkeley View of Cloud Computing as a much cited reference document 258
! Research challenges for Enterprise Cloud Computing as a much cited reference document 259
! Cloud Computing and Information Policy: Computing in a Policy Cloud? is one of a few
sources about policy and cloud computing 260
White papers, presentations and reports from official organisations:
! Cloud Computing: Benefits, Risks and Recommendations for Information Security from the
ENISA which represents a reputable multistakeholder view 261
! Briefing Paper on Cloud Computing and Public Policy on behalf of the OECD 262
Cloud Computing Architecture and Risk Management Model:
! Cloud Computing Architectural Framework by the Cloud Security Alliance that offers a
reference model, standardized, architectural requirements and and challenges (ibid. siehe
practical part)
258cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing .
259cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing.”
260cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?.”
261cf. Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security .
262cf. Nelson, Briefing Paper on Cloud Computing and Public Policy .
These recommendations are an excerpt of convenient information that were also used as research
source for this thesis. Further information can be found in the bibliography. It may help the reader to
orientate and draw conclusions for the benefit of his own projects.
Significance: Evaluation Guide
For startups, entrepreneurs and small companies, the following aspects in the field of legal,
regulatory and standards may be of special interest:
! Technologically speaking is cloud computing secure
! Security is inherently risk management
! An assessment framework such as CSA Guidance is specialized on cloud computing
! Assessing cloud computing solutions needs enough management attention

Conclusion: Cloud Computing Information Systems For Startups
While concluding the significant findings from the four main chapters Defining cloud computing ,
Political implications and standardization , Market, economics and trends and Evaluation guide, it is
evident that cloud computing has an immense potential, not only for startups and small businesses,
but also for global society. As sophisticated information systems are becoming available as a service,
it liberates companies from having to build up and operate their own infrastructure. This is especially
welcomed by entrepreneurs in developing countries as well as by startups and small businesses. It
allows them to benefit from higher service levels and lower costs which the cloud service provider
can offer due to economies of scale.
On the opposite side, enterprise cooperations usually stick to their conventional, long standing
solutions or, on the other hand, avoid public clouds, preferring private clouds which they can run on
their own systems. This way they are able to avoid risks that could occur through the handing of their
mission-critical data to third-parties such as cloud services providers. The risks consist mainly of
legal nature, lack of standardization, and are not classical security risks.
Although cloud computing is politically desired, it will take time until the national legal systems
have adopted to the internet realities of today, such as transborder data flow. On the standardization
side, countless efforts from non-profit organizations and the industry are taken towards open, inter-
compatible cloud standards which would foster innovation and lower costs.
However, it can be assumed that these legal and standardization issues will not hinder cloud
computing from its successful procession. These issues can be mastered by seriously assessing the
business and service-level requirements as a starting point in order to compare the various offerings
that are available for most industries. Assessment frameworks and guidances which are adjusted to
the characteristics of cloud computing are publicly available.
With all factors taken into account, cloud computing is a secure, affordable, lawful option for
startups and small businesses from all over the world a secure, affordable, lawful option that is
becoming more and more available for most industries and can help them concentrate on business
innovation. The writer of this thesis strongly recommends considering cloud computing, but points
out the need for a serious assessment in order to avoid losing control of the data whilst being locked
with a specific cloud computing provider.
Table Of Tables
Table a: Application of methodological approaches. Annotations: (H) main questions and

assumptions hypothesized / * Without results from “Consulting Experts” and completely
derived and supported by literature / ** Includes results from “Consulting Experts” and
extensively derived and supported by literature / *** Includes results from “Consulting
Experts” and enhanced with derived opinions from the author of this thesis / **** Setting in
context Assumptions & Findings with own experiences ......................................................... vi
Table b: Conventional IT concept (old paradigm) compared with the cloud computing model (new
paradigm). Source: Own comparison based on literature according bibliographic footnote,
2010......................................................................................................................................... 34
Table c: Service-oriented architecture (SOA) is primarily the domain of IT analysts, BPM is the
domain of business analysts. The bottom-up approach of HIM makes it possible for business
people to define the processes, in other words providing support for the way humans work
and interact with each other. Source: Own conclusion based on Fingar, 2009; Rayport and
Heyward 2009......................................................................................................................... 43
Table d: Collection of aspects that need to be considered while assessing cloud computing solutions.
Source: Own comparison based on literature according bibliographic footnote, 2010. .........60
Table Of Illustrations
Illustration a: Visual Model of the NIST Working Definition of Cloud Computing. Source:
Reproduced according original source by NIST, 2009. ............................................................ 3
Illustration b: Hybrid Cloud. Source: Cloud Computing Use Case Discussion Group, 2010. .............10
Illustration c: The various offerings of cloud computing covers different levels of abstraction, the
focus on consuming applications by the end user / business man is provided by SaaS.
Source: Reproduced according original source by LSE Research Online, 2009. ...................33
Illustration d: Overview of some cloud offerings assigned to different services/taxonomies. Source:

OpenCrowd, 2009................................................................................................................... 38
Illustration e: Business Process Spectrum: Information systems need to comply with the soaring
demand for relationship and communication. Source: Harrison-Broninski, 2009. ................. 40
Illustration f: Human Interaction Management - An Evolution of Process Management. Source:

Reproduced according original source by Korhonen, 2006. ................................................... 41
Illustration g: Cloud Security Reference Model. Source: Reproduced according original source by
Cloud Security Alliance, 2009................................................................................................ 59
Bibliography
Abdennadher, Nabil. Advances in Grid and Pervasive Computing: 4th International Conference,
GPC 2009. 1st ed. Berlin; New York: Springer, 2009.
Adair, John. How to grow Leaders: The seven Key Principles of effective Leadership Development .
1st ed. London; Philadelphia: Kogan Page, 2007.
Alfred P. Sloan Foundation. “Information Systems Overview.” Sloan Career Cornerstone Center,
April 19, 2009. http://www.careercornerstone.org/pdf/infosys/infosys.pdf .
Anderson, Janna, Andie Diemer, Eugene Daniel, Shelley Russel, Drew Smith, and Dan Anderson.
“Workshop: Privacy, Security Implications of Cloud Computing.” Sharm El Sheikh, Egypt:
Elon University, 2009. http://www.elon.edu/e-web/predictions/igf_egypt/cloud_computing.xhtml .
Armbrust, Michael, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew
Konwinski, Gunho Lee, et al. Above the Clouds: A Berkeley View of Cloud Computing .
Berkeley: Electrical Engineering and Computer Sciences (EECS), University of California,
February 10, 2009. http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf .
Asay, Matt. “Open source: The money is in the cloud,” December 3, 2009. http://news.cnet.com/8301-
13505_3-10408562-16.html .
Avgerou, Chrisanthi. Information systems and the economics of innovation . 1st ed. Cheltenham;
Northhampton: Edward Elgar Pub., 2003.
Balachandran, Bala V. “The Messiah of marketing,” July 17, 2006.

http://www.thehindubusinessline.com/manager/2006/07/17/stories/2006071702171100.htm .
Baun, Christian, Marcel Kunze, Jens Nimis, and Stefan Tai. Cloud computing: Web-basierte
dynamische IT-Services . 1st ed. Informatik im Fokus. Berlin; Heidelberg: Springer, 2009.
Bellomo, Michael. How to sell anything on Amazon ... and make a fortune! 1st ed. New York:
McGraw-Hill, 2006.
Biddick, Michael. “Why You Need A SaaS Strategy.” Why You Need A SaaS Strategy, January 16,
2010. http://intelligent-
enterprise.informationweek.com/showArticle.jhtml;jsessionid=5FTQXL0YBW3KVQE1GHPSKHWATMY32JV
N?articleID=222301340 .
Bittmann, Thomas. “Building a Private Cloud: Are We There Yet?,” February 17, 2009.
http://blogs.gartner.com/thomas_bittman/2009/02/17/building-a-private-cloud-are-we-there-yet/ .
Bourassa, Richard. “20th APEC Electronic Commerce Steering Group Meeting.” Singapore:
Electronic Commerce Steering Group (ECSG), 2009.
http://aimp.apec.org/Documents/2009/ECSG/ECSG2/09_ecsg2_summary.pdf .
Briscoe, Gerard, and Alexandros Marinos. “Community Cloud Computing.” Beijing: LSE Research
Online, 2010. http://eprints.lse.ac.uk/26516/1/community_cloud_computing_%28LSERO_version%29.pdf.
Buyya, Rajkumar, Chee Shin Yeo, Srikumar Venugopal, James Broberg, and Ivona Brandic. “Cloud
computing and emerging IT platforms: Vision, hype, and reality for delivering computing as
the 5th utility.” Future Generation Computer Systems 25, no. 6 (December 11, 2008): 599-
616.
Catteddu, Daniele, and Giles Hogben. An SME perspective on Cloud Computing . Heraklion [Crete]:
European Network and Information Security Agency (ENISA), November 20, 2009.
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey/at_download/fullReport .
———. Cloud Computing: Benefits, Risks and Recommendations for Information Security .
Heraklion [Crete]: European Network and Information Security Agency (ENISA), November
20, 2009. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-
assessment/at_download/fullReport .
Cerf, Vinton G., Sha Zukang, Hamadoun I. Touré, Koichiro Matsuura, Markus Kummer, Nitin Desai,
Michalis Liapsis, et al. Internet Governance Forum (IGF): The First Two Years . 1st ed.
Geneva: World Summit on the Information Society (WSIS), 2008.
http://www.intgovforum.org/cms/hydera/IGFBook_the_first_two_years.pdf .
Chen, Lei, Chengfei Liu, and Xiao Zhang. Advances in Web and Network Technologies and
Information Management. Vol. 5731. 2009th ed. Lecture Notes in Computer Science. New
York; Berlin; Heidelberg: Springer, 2009.
Chen, Yanpei, Vern Paxson, and Randy H. Katz. What’s new about Cloud Computing Security?
Berkeley: Electrical Engineering and Computer Sciences (EECS), University of California,
January 20, 2010. http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.pdf .
Cloud Computing Use Case Discussion Group. “Cloud Computing Use Cases White paper - Version
3.0.” Cloud Computing Use Case Discussion Group, February 2, 2010. http://cloud-computing-
use-cases.googlegroups.com/web/Cloud_Computing_Use_Cases_Whitepaper-3_0.pdf?
gda=iwLqyV8AAAAPGXgkJ5fi30lYg4awQpoEqWScDsHoVk5f48r18wRWOvRsmgvNFNvJoZZD7r3PzEf2eH
jnTEKAfBvfYgf3pCOm2Nl_xKuxFIy3-WR9Ezn4SpxzIUqf6s0oL53Wkz8h1XQ .
Cloud Security Alliance (CSA). Security Guidance for Critical Areas of Focus in Cloud Computing
V2.1. CSA is a group of like-minded associates (contributor list of this document on page 5-
6) and does not have a location because it is purely located in the internet: Cloud Security
Alliance, December 22, 2009. http://www.cloudsecurityalliance.org/csaguide.pdf .
Cohen, Reuven. “ISO Forms Group for Cloud Computing Standards,” November 6, 2009.
http://www.elasticvapor.com/2009/11/iso-forms-group-for-cloud-computing.html .
———. “The Future of Cloud Computing Belongs to Asia,” November 12, 2009.
http://cloudcomputing.sys-con.com/node/1184360 .
———. “The United Nations of Cloud Computing,” June 16, 2009.

http://www.elasticvapor.com/2009/06/united-nations-of-cloud-computing.html .
Copenhagen University College of Engineering. “JTC1/SC22/WG9 - Welcome to the ISO home of

Ada Standards,” October 14, 2009. http://www.open-std.org/jtc1/sc22/WG9/organize.htm#jtc1 .
Depena, Ray. “The Beauty of the Cloud,” August 18, 2009. http://dotnet.sys-con.com/node/1072760.
Ebert, Christof. Systematisches Requirements-Engineering und Management Anforderungen

ermitteln, spezifizieren, analysieren und verwalten . 2nd ed. Heidelberg: dpunkt.verlag, 2008.
Fingar, Peter. Dot.cloud: The 21st Century Business Platform . 1st ed. Tampa: Meghan-Kiffer Press,
2009.
Foley, Mary Jo. “Microsoft's Azure cloud is officially open for business,” February 1, 2010.
http://blogs.zdnet.com/microsoft/?p=5085 .
Geeknet, Inc. “SourceForge - Find and Develop Open Source Software,” February 13, 2010.
http://sourceforge.net/softwaremap/trove_list.php?form_cat=576 .
Golden, Bernard. “Capex vs. Opex: Most People Miss the Point About Cloud Economics,” March
13, 2009.
http://www.cio.com/article/484429/Capex_vs._Opex_Most_People_Miss_the_Point_About_Cloud_Economics .
Goldenberg, Barton. CRM in Real-time: Empowering Customer Relationships . 1st ed. Medford:
CyberAge Books, 2008.
Goodman, Jason. “The CIO’s Guide To Cloud Computing.” GlassHouse Technologies, Inc., 2009.
http://www.scribd.com/doc/26327785/The-CIO-s-Guide-to-Cloud-Computing .
Gunasekaran, Angappa. Global Implications of Modern Enterprise Information Systems:

Technologies and Applications. 1st ed. Hershey: Idea Group Inc., 2009.
Harrison-Broninski, Keith. “Human Interaction Management.” A BPTrends Column, November 30,

2008. http://www.bptrends.com/publicationfiles/ONE%2012-08-COL-HumanProcesses-Harrison-Broninski-
20081104-proofed-corrected.pdf .
———. Human interactions: The heart and soul of business process management . 1st ed. Tampa
FL: Meghan-Kiffer Press, 2005.
———. “The Future of BPM” presented at the SOLEA 2009 - International Symposium on Service-
Oriented Locally adapted Enterprise Architecture, Espoo [Finnland], April 23, 2009.
http://www.uku.fi/solea/symposium2009/pres/Solea09-Harrison-Broninski.pdf .
Hayden, Mary, Jeff Thompson, and Jack Levy. The SAGE handbook of research in international
education. 1st ed. London: SAGE Publications, 2007.
Hayes-Weier, Mary. “Alternative IT Software is New Reality.” InformationWeek, October 16, 2009.
http://www.scribd.com/doc/22676189/Alternative-It-Software-s-New-Reality-Information-Week?
secret_password=1wniolqlkz65sm5gp0iu .
Hummeltberg, Wilhelm. Informationsmanagement. Hamburg: Universität Hamburg, Faculty of

Mathematics, Informatics und Natural Sciences, January 15, 2007. https://uni.uni-
hamburg.de/fachbereiche-einrichtungen/fb03/iwi-ii/IM_Gliederung.pdf .
Hunton & Williams LLP. “APEC Forum Discusses International Privacy Legislation Developments,”
July 28, 2009. http://www.huntonprivacyblog.com/2009/07/articles/international/apec-forum-discusses-
international-privacy-legislation-developments/ .
Information Today, Inc. “What Is CRM?,” February 21, 2002. http://www.destinationcrm.com/Articles/CRM-

News/Daily-News/What-Is-CRM-46033.aspx .
International Telecommunication Union (ITU). “ITU Telecommunication Standardization Sector

(ITU-T) - MoU on electronic business between IEC, ISO, ITU, and UN/ECE,” March 5,
2008. http://www.itu.int/ITU-T/e-business/mou/mou.html .
Internet Society. Advisory Council (AC) Consultation

on Cloud Computing for OECD Foresight Forum October 2009 . Geneva: Internet Society,
October 29, 2009. http://www.isoc.org/pubpolpillar/docs/cloudcomputing_200910.pdf .
Jaatun, Martin, Gansen Zhao, and Rong Chunming. Cloud Computing: First International
Conference, CloudCom 2009, Beijing, China, December 1-4, 2009, Proceedings . 5931 vols.
1st ed. Computer Communication Networks and Telecommunications. Berlin; Heidelberg;
New York: Springer, 2009.
Jaeger, Paul T., Jimmy Lin, and Justin Grimes. “Cloud Computing and Information Policy:
Computing in a Policy Cloud?.” Journal of Information Technology & Politics 5, no. 3 (10,
2008): 269-283.
Johnson, Bobbie. “Cloud computing is a trap, warns GNU founder.” The Guardian. London,
September 29, 2008. http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman .
Joint Technical Committee 1. Report of JTC 1/SWG-P on possible future work on Cloud Computing
in JTC 1 - ISO/IEC JTC 1 N9687. Geneva: International Organization for Standardization
(ISO) and International Electrotechnical Commission (IEC), September 11, 2009.
http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/MoU-MG/Moumg396.pdf .
Jost, Daniel. “Startup in the Cloud - Consulting Experts - Interview with Daniel Jost from CSS
Gruppe about Simplicity.” Online Database Application, January 31, 2010.
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/record-
summary/Simplicity_View/363985000000086003/ .
Khajeh-Hosseini, Ali, Ian Sommerville, and Ilango Sriram. “Research Challenges for Enterprise
Cloud Computing.” Arxiv preprint arXiv:1001.3257 abs/1001.3257 (January 15, 2010). http://
arxiv.org/ftp/arxiv/papers/1001/1001.3257.pdf .
Knipp, Eric, David Smith, David W. Cearley, and Yefim V. Natis. Creating Cloud Solutions: A
Decision Framework. Stamford: Gartner, Inc., December 8, 2009.
http://www.gartner.com/resources/171600/171623/creating_cloud_solutions_a_d_171623.pdf .
Koops, Bert-Jaap, Miriam Lips, Corien Prins, and Maurice Schellekens. Starting points for ICT
regulation: Deconstructing prevalent policy one-liners . 1st ed. The Hague: TMC Asser,
2006.
Kooten, van, Michel, and Balder Verberne. “Enterprise Software Top 10: Salesforce running up the
ranks,” September 4, 2009. http://www.softwaretop100.org/software-top-100/enterprise-top-10 .
Korhonen, Janne. “BPM - A Systematic Perspective,” Helsinki, October 3, 2006.

http://www.jannekorhonen.fi/blog/wp-content/BPM_Systemic_Perspective.pdf .
Lasica, Joseph Daniel. Identity in the Age of Cloud Computing: The Next-generation Internet's
impact on Business, Governance and Social Interaction . 17th ed. Annual Aspen Institute
Roundtable on Information Technology. Washington D.C.: Aspen Institute, 2009.
http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/Identity_in_the_Age_of_Cloud_Computing.pd
f.
Lawson, Stephen. “PayPal opens door to developers,” July 23, 2009. http://www.infoworld.com/d/cloud-
computing/paypal-opens-door-developers-590 .
Lucas, Sylvie. Progress made in the Implementation of and Follow-up to the World Summit on the
Information Society outcomes at the Regional and International Levels - Report of the
Secretary-General. General Assembly Economic and Social Council. Geneva: United
Nations, March 13, 2009. http://www.unctad.org/en/docs/a64d64_en.pdf .
MacDonald, Neil, and David Mitchell Smith. “Gartner Fellows interview with Microsoft's Ray Ozzie
on Cloud Computing,” October 30, 2009. http://www.gartner.com/technology/media-
products/reprints/microsoft/172235.html .
Mack, Eric. Video: David Allen - GTD and Cloud Computing . Adobe Flash on Youtube. Notes on
Productivity, 2010. http://www.notesonproductivity.com/ICA/NOP.nsf/dx/video-david-allen-gtd-and-cloud-
computing.
Mather, Tim, Subra Kumaraswamy, and Shahed Latif. Cloud Security and Privacy: An Enterprise
Perspective on Risks and Compliance . 1st ed. Beijing; Cambridge [Massachusetts]: O'Reilly,
2009.
Mell, Peter, and Tim Grance. “The NIST Definition of Cloud Computing v15.” Computer Security
Division of the US National Institute of Standards and Technology, October 7, 2009.
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc .
Metz, Cade. “Will Google regret the mega data center?,” August 8, 2009.
http://www.theregister.co.uk/2009/08/08/microsoft_azure_migration/ .
Meyer, Dirk. Review: Peter Fingar, Dot.cloud: The 21st century business platform built on cloud
computing. San Jose [California]: Adobe Systems, July 31, 2009.
www.oevermeyer.net/dmeyer/files/dotcloud_reviewdirkmeyer.pdf .
Mittelstaedt, Robert, Dennis Hoffman, Elizabeth Farquhar, Steven Salik, and Sanjay Modi. “IT
evolution: Why ERP systems face extinction - Knowledge@W.P. Carey,” February 28, 2007.
http://knowledge.wpcarey.asu.edu/article.cfm?articleid=1378 .
Nelson, Michael R. Briefing Paper on Cloud Computing and Public Policy. Cloud Computing and
Public Policy. Paris: Organisation for Economic Co-operation and Development; Committee
for Information, Computer and Communications Policy, September 29, 2009.
http://www.olis.oecd.org/olis/2009doc.nsf/ENGDATCORPLOOK/NT00004FC6/$FILE/JT03270509.PDF .
O'Halloran, Kerry. Charity Law Social Policy: National and International Perspectives on the
Functions of the Law relating to Charities . 1st ed. Berlin: Springer Netherland, 2008.
Object Management Group, Distributed Management Task Force, Open Grid Forum, Storage
Networking Industry Association, Open Cloud Consortium, and Cloud Security Alliance.
“Cloud Standards Coordination.” Cloud Standards Wiki, February 2, 2010. http://cloud-
standards.org/wiki .
Oestereich, Bernd. Analyse und Design mit UML 2: Objektorientierte Softwareentwicklung . 7th ed.
München; Wien: Oldenbourg, 2005.
Palacin, Antonio. “Startup in the Cloud - Consulting Experts - Interview with Antonio Palacin from
IBM Deutschland GmbH about Simplicity.” Online Database Application, January 24, 2010.
Rapp, Reinhold. Customer Relationship Management: Das neue Konzept zur Revolutionierung der
Kundenbeziehungen . 3rd ed. Frankfurt: Campus Verlag, 2005.
Rayport, Jeffrey F., and Andrew Heyward. “Envisioning the Cloud: The Next Computing Paradigm.”
Marketspace LLC, March 20, 2009. http://www.marketspaceadvisory.com/cloud/Envisioning-the-
Cloud.pdf.
Reese, George. Cloud application architectures . 1st ed. Sebastopol [California]: O'Reilly, 2009.
Rittinghouse, John, and James F. Ransome. Cloud Computing: Implementation, Management and
Security. Boca Raton [Florida]: CRC Press, 2009.
Roig, Antoni, and et al. “Proceedings of the First Workshop on Law and Web 2.0.” IDT - Institute of
Law and Technology (UAB) 3. Law and Web 2.0 (September 18, 2009): 91.
Sansom, Clare. “Up in a cloud?.” Nature Biotechnology 28, no. 1 (January 4, 2010): 13-15.
SAP. “Getting Started with Human Interaction Management.” http://ecohub.sdn.sap.com/irj/sdn/nw-him?rid=/

webcontent/uuid/10c0a6f1-429c-2b10-2eb4-9841e450f150 .
Schubert, Lutz, Keith Jeffery, and Burkhard Neidecker-Lutz. “The Future of Cloud Computing:
Opportunities for European Cloud Computing Beyond 2010.” Brussels: Commission of the
European Communities, Information Society & Media Directorate-General, 2010.
http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf .
Schunter, Matthias. “Startup in the Cloud - Consulting Experts - Interview with Matthias Schunter
from IBM Deutschland GmbH about Security.” Online Database Application, January 25,
2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/record-
summary/Security_View/363985000000077011/ .
Spivey, Jeff, Phil Agcaoili, Joshua Davis, Geir Arild Engh-Hellesvik, David Lang, Jim Reavis, Ben
Rothke, Joel Scambray, and Ward Spangenberg. “Cloud Computing: Business Benefits With
Security, Governance and Assurance Perspectives.” Information Systems Audit and Control
Association (ISACA), October 28, 2009. http://www.isaca.org/AMTemplate.cfm?
Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=53044 .
Stadelmann, Daniel. “Startup in the Cloud - Consulting Experts - Interview with Daniel Stadelmann
from wedoit AG about Industry.” Online Database Application, January 28, 2010.
summary/Industry_View/363985000000085003/ .
Stanoevska-Slabeva, Katarina. Grid and Cloud Computing: A Business Perspective on Technology

and Applications. 1st ed. Berlin; London: Springer, 2009.
Subramanian, Krishnan. “Cloud Computing and Developing Countries – Part 2,” September 25,
2008. http://www.cloudave.com/link/Cloud-Computing-and-Developing-Countries-%E2%80%93-Part-2 .
Sun Microsystems, Inc. “Open Source & Cloud Computing: On-Demand, Innovative IT On A
Massive Scale.” Sun Microsystems, Inc., 2009. https://www.sun.com/offers/docs/open_cloud.pdf .
Taft, Darryl. “Asian Developers Moving to Cloud Computing,” July 7, 2009.

http://www.eweek.com/c/a/Application-Development/Asian-Developers-Moving-to-Cloud-Computing-726568/ .
Thommen, Jean-Paul. Managementorientierte Betriebswirtschaftslehre . 7th ed. Zurich: Versus, 2004.
Touré, Hamadoun I., and Supachai Panitchpakdi. World Information Society Report 2007 - Beyond
WSIS. World Information Society Report. Geneva: International Telecommunication Union
and United Nations Conference on Trade and Development, May 16, 2007.
http://www.itu.int/osg/spu/publications/worldinformationsociety/2007/WISR07_full-free.pdf .
University of Chicago. “The Chicago Manual of Style Online - 15th Edition: Chicago-Style Citation
Quick Guide,” 2007. http://www.chicagomanualofstyle.org/tools_citationguide.html .
Velte, Toby, Anthony Velte, and Robert Elsenpeter. Cloud Computing: A Practical Approach. 1st ed.
New York: McGraw-Hill, 2010.
Vembu, Sridhar. “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from
Zoho Corp. about Innovation.” Email and Online Database Application, February 2, 2010.
summary/Innovation_View/363985000000089005/ .
Verberne, Michel. “Global Software Top 100 - Interim Update,” December 24, 2009.
http://www.softwaretop100.org/component/content/article/215-Global-Software-Top-100---Interim-Update .
Wailgum, Thomas. “SAP CTO Vishal Sikka talks clouds,” June 23, 2009.
http://www.cio.co.uk/article/117836/sap-cto-talks-clouds/ .
Wilson, Fred. “My Favorite Business Model,” March 23, 2006.

http://www.avc.com/a_vc/2006/03/my_favorite_bus.html .
World Bank Publications. Information and Communications for Development 2009: Extending
Reach and Increasing Impact. 2009th ed. Washington D.C.: World Bank, 2009.
Wyld, David C., and IBM Center for the Business of Government. Moving to the Cloud: An
introduction to Cloud Computing in Government . Hammond: Southeastern Louisiana
University, October 26, 2009. http://www.businessofgovernment.org/pdfs/WyldCloudReport.pdf .
Xevelonakis, Evangelos. “CRM - Erfolgreiches Kundenbeziehungsmanagement mittels

Differenzierungsstrategien.” Zurich: University of Applied Sciences in Business
Administration Zurich (HWZ), 2009.
———. “Startup in the Cloud - Consulting Experts - Interview with Evangelos Xevelonakis Xenis
from Swiss Valuenet about about Simplicity.” Online Database Application, January 24,
2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/record-
Zittrain, Jonathan. The future of the Internet and how to stop it. 1st ed. New Haven: Yale University
Press, 2009.
Annex: Consulting Experts
Source data of the qualitative survey in order to get qualified answers on prevailing questions
about cloud computing. The original survey data can be accessed here:
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Industry_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Security_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Legal_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Costs_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Simplicity_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Innovation_View
In case a consulted expert statement has been cited in the thesis, a footnote has been set which is
linked to the corresponding entry in the bibliography. All answers of this Consulting Expert survey
that have been quoted in this thesis, were translated by the author of this thesis.
Dr. Antonio Palacin on “Simplicity”
Interview Partner Dr. Antonio Palacin, Director of ISICC IBM SAP

International Competence Center, Walldorf, Germany
Field of experience IBM broad product portfolio, Sales and management skills,
technical integration of IBM products and SAP applications
More info http://ch.linkedin.com/pub/antonio-palacin/10/8a7/536
Special subject of interview Simplicity
Interview Type Answering predefined questions
In a small company, who can derive business requirements It depends on the industry. In general, the link between
into information management systems based on cloud business requirements and the associated information
computing? systems should be owned by one of the managing directors.
This person should have a counterpart in each line-of-
business or main organization within the company. Those
departements should summarize their needs. Finally it is the
task on C-level to derive the right catalogue of services and
to combine the different requests.
How easy is it to connect one cloud with another? Technically many of those business applications are web
based applications. Connectivity is not the real problem.
Data security and data consistency are still a big problem,
even within traditional IT infrastructures. On the cloud it is
one of the main inhibitors today.
How to switch from one to another cloud computing There are no or only little experiences on that. Main
provider? problem will be to extract all the data and to import into
another application hosted by a different provider. Why
should a cloud service hoster provide this mechanisme that
at the same time is offering his client a way to cancel the
contract?!
Will cloud computing help to popularize BPM even in the In specific areas "yes". E.g. simple processes could be
small company market? hosted in a cloud: eMail, data repositories for backup, etc.
In other areas where mission-critical data and access rights
are targeted I still do not see how this can be ensured.
Should small companies understand the concept of EA The most important thing to understand are the SLA
(enterprise architecture) or is it sufficient if they are able to (Service Level Agreement) between customer and cloud
compare the business functionality of different cloud provider. But a basic understanding what is possible will
computing offerings? also help to question if all promisses are really technically
possible.
Can small companies start using advanced functionality I am not aware of any example that is only provided in the
(e.g. data warehouse) which they hadn't the chance without cloud. Everything can be ran "on-premise" or hosted by a
cloud computing? 3rd party company based on a traditional IT infrastructure.
Comments -
Added Time 24/01/10 19:12
Prof. Dr. Evangelos Xevelonakis Xenis on “Simplicity”
Interview Partner Prof. Dr. Evangelos Xevelonakis Xenis, Managing Director

and CRM Advisor at Swiss Valuenet, Zurich, Switzerland
Field of experience Senior Business Analyst with broad experience in

Telecommunications and Banking. Particularly interested in
CRM Analytics, Campaign Management and Business
Engineering
More info http://ch.linkedin.com/in/xenis
Special subject of interview Simplicity
In a small company, who can derive business requirements It depends on the company's size. But I think the CEO is the
into information management systems based on cloud appropriate person.
computing?
How easy is it to connect one cloud with another? It depends on the environment and the number of different
providers.
How to switch from one to another cloud computing There are some switching costs associated. -contracts, -data
provider? management, -training
Will cloud computing help to popularize BPM even in the I do not see here a direct relationship between these
small company market? concepts.
Should small companies understand the concept of EA II would say they have to differentiate their solution. it is
(enterprise architecture) or is it sufficient if they are able to important to design an architecture containing both
compare the business functionality of different cloud elements.
computing offerings?
Can small companies start using advanced functionality Yes. I think some expensive applications in the BI area and
(e.g. data warehouse) which they hadn't the chance without CRM. However the topic of data privacy and security has to
cloud computing? be addressed.
Comments -
Added Time 24/01/10 20:08

Dr. Matthias Schunter on “Security”
Interview Partner Dr. Matthias Schunter, Research Staff Member of the

Network Security and Cryptography Research Group, IBM
Zurich Research Laboratory, Zurich, Switzerland
Field of experience The IBM Zurich Research Laboratory in Rüschlikon is

globally at the cutting-edge regarding science and
technology
More info http://www.zurich.ibm.com/~mts/
Special subject of interview Security and Privacy regarding cloud computing
Which efforts must be taken to resolve the security worries Depends on type of cloud computing.
of cloud computing? Infrastructure/Software/...
Is a private cloud as secure as a conventional inhouse IT? Yes and no. Depends on the quality/experience of the
provider. Good provider should be better than bad in-house
IT.
Why has public cloud the reputation to be less secure than Because enterprises loose power and control. More
an outsourced IT environment? dependence on internet connection.
Cloud computing applications are often based on open no

source software. Could it become more secure, if the cloud
computing applications would be based on proprietary
closed-source software?
Are cloud computing solutions auditable as good as no

conventional information management solutions?
How are cloud computing solutions fitting in the concepts unclear. Due to black-box approach usually harder to
and practices of ITIL, especially regarding the security integrate into ITIL
management?
Comments Ich vermute, dass der Markt von selbst Reifen wird: Heute
werden meist nur Spielzeuganwendungen verwendet (oder
Startups). Grosse Unternehmen verwenden Clouds nur,
wenn der Betreiber vertrauenswuerdig ist und einen
entsprechenden Track record hat.
Mittelfristig haben also die Provider ein Interesse die

Qualitaet zu erhoehen, um Ihren Markt zu vergroessern.
Da Clouds derzeit komplett intransparent sind, koennte es

helfen, bisherige rechtliche Anforderungen fuer die Cloud
anzupassen. zB Was bedeutet Sarbaines-Oxley, ... in einer
Cloud. Dies muesste zu transparenteren Interfaces fuehren.
Ein weiteres Risiko ist der lock-in und die Monopolbildung

durch die economies of scale.
Added Time 25/01/10 10:57

Daniel Stadelmann on “Industry”
Interview Partner Daniel Stadelmann, General Manager of wedoit AG,

Luzern, Switzerland.
Field of experience wedoit AG is a IBM Premier Business Partner and

infrastructure and project management specialist with
renowned customers such as as Novartis, Pilatus
Flugzeugwerke or RBS Coutts.
More info www.wedoit.ch
Special Subject of interview Industry / Market readiness for cloud computing
Is cloud computing for all industry sectors an option? Nein
Can the cloud computing market provide sufficient Nein! Es ist schon heute sehr schwierig kompetente und
consulting expertise to realize the requirements of entsprechend Ausgebildete Consultants zu finden, die ein
customers of all industries? ganz normales Infrastruktur Projekt mit allem drum und
dran richtig implementieren können. Das Know-how und
die nicht Verfügbarkeit der Spezialisten wird das grösste
Problem für den Durchbruch von Cloud-Computing sein.
Which industries are using broadly cloud computing Im Moment ist es vor allem ein Schlagwort der Hardware
applications? Hersteller, die damit ihre Produkte zu platzieren versuchen.
Wir haben noch keine konkreten Kundenprojekte in denen
Cloud wirklich ein Thema ist.
Which industries don't accept their suppliers to store Alle Kunden die den Wert ihrer Daten kennen, werden diese
business critical data to store in the cloud? nicht in eine Cloud verlegen wollen! In einer Cloud gebe
ich die Kontrolle über die Daten ab. Das damit nur Banken
oder Versicherungen Probleme haben glaube ich nicht, ich
kann mir vorstellen, dass auch Industriebetriebe mit
Patenten und speziellem Know-how damit ein Problem
haben.
Are there industries where public cloud computing offerings Ich sehe im Moment keine Brache, die einfach so Ihre
will not be accepted for the time being? wichtigsten Daten in eine Cloud verlagern würden.
How will trading companies have to differentiate -

themselves in the future, assuming that most market

participants use seamless supply chains with their suppliers?
Comments Cloud bringt einige interessante Ansätze mit, diese sind

vorallem für grosse Firmen interessant, die Firmen intern
versuchen werden Clouds zu implementieren. Ich sehe im
Moment aber nur sehr beschränkt einen Markt für externe
Clouds, in die Firmen ihre Daten hineinverlagern werden.
Added Time 28/01/10 11:10

Daniel Jost on “Simplicity”
Interview Partner Daniel Jost, System Developer, CSS Group, Luzern
Field of experience IT System Engineering and Developing
More info -
Special Subject of interview Simplicity of cloud computing
In a small company, who can derive business requirements In KMU ist das Fachwissen für die Möglichkeit der
into information management systems based on cloud Umsetzung von betrieblichen Prozesse in
computing? Informatiksysteme selten gegeben. Informatik gehört selten
zur der Kernkompetzenz. Somit ist eine Umsetzung con
Cloud Computing nur mit erfahrenen Experten möglich, die
auch über Branchenverständniss verfügen.
How easy is it to connect one cloud with another? Bei sauberer Defintion der Schnittstellen zwischen den
Applikationen ist der Schwierigkeitsgrad sicher nicht
grösser als bei der Integration von verschiedenen
serverbasierten Applikation verschiedener Hersteller.
How to switch from one to another cloud computing Sollte vor Projektbeginn mit dem ausgewählten Provider
provider? festgehalten werden.
Will cloud computing help to popularize BPM even in the Akzeptanz wird solange kritisch bleiben, wie Fragen zu
small company market? Datenschutz (was ist wenn meine Daten auf einem US-
Rechner liegen), nicht mit Sicherheit abgeklärt sind. Im
Moment sicher interessant für internationale Unternehmen,
welche sich schon heute mit diesen Fragestellungen
auseinandersetzen müssen.
Should small companies understand the concept of EA Für KMU reicht es aus, dass sie die Geschäftsfunktionen
(enterprise architecture) or is it sufficient if they are able to der verschiedenen Angebote verstehen. Wichtig ist jedoch,
compare the business functionality of different cloud dass das Vertrauen da ist, wo und was mit den Daten
computing offerings? passiert.
Can small companies start using advanced functionality Wenn cloud computing in KMU ein Thema ist, soll ganz
(e.g. data warehouse) which they hadn't the chance without bewusst Projekte gesucht werden, die nur mit Cloud
cloud computing? Computing geschäftsrelevante Vorteile ergeben.
Comments Zurzeit sehe ich Cloud Computing vorallem für

(internationale) Grossunternehmen, welche heute schon
Erfahrung darin haben, dass Daten an unterschiedlichen
Standorten gespeichert werden. Datenschutz ist dabei aus
dem geschäftlichen Sichtpunkt zentral.
Added Time 31/01/10 16:55

Dr. Sridhar Vembu on “Innovation”
Interview Partner Dr. Sridhar Vembu, CEO Zoho Corporation, Pleasanton,

USA
Field of experience Founder of AdventNet (now Zoho), PhD in Electrical

Engineering from Princeton University
More info http://www.forbes.com/2008/02/22/mitra-zoho-india-tech-

inter-cx_sm_0222mitra.html
Special subject of interview Innovation
How can cloud computing lead to new business? It depends on how the functionality is used. Collaborative
tools can help make transparent and well-informed
decisions. People at various job positions can share their
ideas and contribute to collective innovation. For example,
people at different levels in the organization can come up
with an innovative idea. This is unlikely to happen in
traditional offices. Saas is changing the way you work. But
if someone posted some idea not very “sweet” to the boss
and got punished for it, then nobody would dare to post his
ideas any more, innovation suffers, and we have an
organization of yes-men.
If in the future everyone can afford advanced business Companies do not differentiate themselves because they use
applications because of cloud computing, how can electricity. Why should business applications confer any
companies differentiate themselves from their competitors? particular advantage? No matter how advanced a business
application is, it’s just a tool. Having the tool improves
productivity and efficiency. Companies need to focus on
their businesses, always thinking about how to satisfy
customers’ needs in a better way? As long as companies are
offering what the customers need with better quality, better
user experience, they’re differentiating themselves from
their competitors.
How will cloud computing change the way to do business? Thanks to cloud computing, one can do business faster,
better and cheaper. By networking geographically different
teams, cloud computing enables easy collaboration. Cloud
computing delivers substantial savings in capital expenses

and massive productivity gains to businesses. Today, it is
possible to set up the essential IT apps needed to run a
business in just a few days, entirely online, with a
convenient pay-as-you-go model.
What brings the future of cloud computing? Traditional software is hard to integrate; this is an area
where cloud applications can shine based on technological
advantages in systems integration. I don't know. I believe
contextual integration of applications is the key -
information accessed from a variety of different
applications in a single page, for example.
Will the semantic web become reality because of cloud On the contrary, Saas incubates innovation. Due to the rapid
computing? evolution of cloud services, and the attractive pricing - often
a fraction of traditional software - there is substantial
innovation up and down the technology stack. As an
example, cloud vendors are pioneering new forms of low-
cost network storage, new forms of databases. Both file
systems and databases have been stagnant for a long while,
and it is cloud computing that brought them new life.
The rise of cloud computing goes along with increased There have been major advances in open source distributed
usage of open source based software. Will that lead to file systems and databases in recent years, spurred by cloud
additional innovative business applications and is that computing. Javascript frameworks like jQuery have enabled
beneficial for future efforts of t The rise of cloud computing major advances in client functionality. Open source and
goes along with increased usage of open source software. cloud applications have worked in a virtuous cycle of
How is the open source community anticipating that and innovation, and adoption.
what are the consequences for the degree of innovation?
Comments -
Added Time 01/02/10 23:12

Startup in The Cloud

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Startup in The Cloud

Uploaded by

Copyright:

Available Formats

Startup In The Cloud

Information Systems For Startup Companies Based On Cloud Computing

Hans Martin Galliker

Bachelor Thesis – Individual Work

Bachelor Of Arts In Business Communication

University Of Applied Sciences In Business Administration Zurich

Beat Hofer, Executive MBA

General Manager, PanOptimum GmbH

Hans Martin Galliker

Maihusen, 6215 Beromuenster, Switzerland

Zurich, February 26, 2010

Methodological Approach ............................................................................................................... Vi

Initial Position ..................................................................................................................................... 1

Defining Cloud Computing ................................................................................................................ 2

Political Implications And Standardization .................................................................................... 15

Understanding Global Governance To Enable Global Business Opportunities .....................................15

Market, Economics And Trends ...................................................................................................... 30

Business Benefits In General .................................................................................................................. 31

How To Approach A Cloud Computing Evaluation? ............................................................................. 50

Annex: Consulting Experts............................................................................................................... 79

Zurich, February 26, 2010

Hans Martin Galliker

The following methodologies have been applied:

! A questionnaire with results can be found in the annex

! Scientific books (Book)

! Scientific publications ( Report)

! Scientific journals (Journal)

! Online articles from “serious” newspapers ( Newspaper Article)

! Conference presentations ( Presentation)

! Blogosphere (Blog Post)

! PDF's from commercial companies ( Document)

! Informal websites (Web Page)

Is it possible to cover the information system needs of multinational

! Defining cloud computing: Describes the characteristics of cloud computing

! Political implications and standardization: Highlights possibilities and opportunities for

! Evaluation guide: How to approach an evaluation of cloud computing

Defining Cloud Computing

“Cloud computing is a model for enabling convenient, on-demand network access to a

1. On-demand self-service: “A consumer can unilaterally provision computing

12 Mell and Grance, “The NIST Definition of Cloud Computing v15.”

3. Resource pooling: “The provider’s computing resources are pooled to serve

4. Rapid elasticity: “Capabilities can be rapidly and elastically provisioned, in

5. Measured Service: “Cloud systems automatically control and optimize

22 cf. Reese, Cloud application architectures , 6.

1. SaaS - Cloud Software as a Service: “The capability provided to the consumer

2. PaaS - Cloud Platform as a Service: “The capability provided to the consumer

3. IaaS - Cloud Infrastructure as a Service: “The capability provided to the

36 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

1. Private cloud: “The cloud infrastructure is operated solely for an organization. It

2. Community cloud: “The cloud infrastructure is shared by several organizations

52 Briscoe and Marinos, “Community Cloud Computing,” chap. 1.

4. Hybrid cloud: “The cloud infrastructure is a composition of two or more clouds

Illustration b: Hybrid Cloud. Source: Cloud Computing Use Case

Cloud Computing Security

59 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

“We believe that there are no fundamental obstacles to making a cloud-computing

Cloud Computing Enablers And Trends

Open Standards and Open Source Community

“Open source software is defined as computer software that is governed by a software

Significance: Defining Cloud Computing

! Ready to use applications without the need for infrastructure

! Rapid provisioning lowers go-to-market lead time

! Possibility to inter-connect (via API) different SaaS applications in order to establish