PTC11 Proceedings

PRIVACY AND SECURITY ISSUES IN CLOUD COMPUTING

Nir Kshetri
Associate Professor
The University of North Carolina-Greensboro, USA

ABSTRACT
Cloud computing is a double-edged sword from the privacy and security standpoints.
Despite its potential to provide a low cost security, organizations may increase risks by
storing sensitive data in the cloud. In this paper, we analyze how the clouds
characteristics such as newness, nature of the architecture, and attractiveness and
vulnerability as a cybercrime target are tightly linked to privacy and security. We also
investigate how the contexts provided by formal and informal institutions affect privacy
and security issues in the cloud.
KEYWORDS: Privacy and security, cloud computing, formal institutions, informal
institutions, security costs
1. INTRODUCTION
Organizations are using cloud computing (hereinafter: the cloud) to perform increasingly
strategic and mission critical functions. At the same time, companies are facing
pressures and challenges to protect information assets belonging to their customers
and other sensitive data McCafferty, 2010). Unsurprisingly security, privacy and
availability are among the topmost concerns in their cloud adoption decisions rather
than the total cost of ownership (Brodkin 2010). The cloud is a double-edged sword
from the security standpoint. For organizations that lack technological and human
resources to focus on security third parties in the cloud can provide low-cost security
(Kshetri 2010a). Cloud computing users, on the other hand, face several separate but
related security risks (Talbot 2010).
The cloud poses various technological as well as institutional challenges. The cloudrelated legal system and enforcement mechanisms are evolving more slowly compared
to the technology development. Privacy, security and ownership issues related to data
stored on cloud currently fall into legally gray areas (Bradley 2010). Some argue that an
organization, rather than the cloud provider, is likely legally responsible if customer data
stored in the cloud are compromised (Zielinski 2009). A second criticism is that there
has been arguably a disturbing lack of respect for essential privacy among major cloud
providers (Larkin 2010, p. 44). For instance, in a complaint filed with the Federal Trade
Commission (FTC), the Electronic Privacy Information Center (EPIC) argued that
Google misrepresented the privacy and security of its users data (Wittow & Buller
2010). Cloud providers are also criticized on the ground that they do not conduct
adequate background security investigations for their employees (Wilshusen 2010).
This issue is rather important since significant proportions of cybercrimes are
Page 1 of 23

PTC11 Proceedings

associated with malicious insiders. Likewise, new bugs and vulnerabilities targeting the
cloud are proliferating (Brynjolfsson et al. 2010).
Faced with examples such as the above, analysts focusing on the clouds security and
privacy aspects have tended to divide into two camps. Proponents of the cloud argue
that economies of scale allow third parties to provide a low cost security. This benefit is
especially important for small and medium sized enterprises (SMEs), which lack
resources to address human and technological issues related to security. A study of the
European Network and Information Security Agency noted: The same amount of
investment in security buys better protection [in the cloud] (ENSIA 2009, p. 7). Some
argue that since security is not a core activity for most businesses, it makes sense to
outsource this function to a third-party such as a cloud provider (Khalili 2010)1.
Critics have raised concerns about privacy and security associated with unauthorized
access and use of information stored in the cloud for malicious purposes (McCreary
2008). A commonplace observation is that while cloud providers offer sophisticated
services, their performances have been weak in policies and practices related to privacy
and security (Wittow & Buller 2010; Greengard & Kshetri 2010).
Businesses and consumers have expressed distrust in the cloud and are cautious in
using it to store high-value data or sensitive information. Due to weak security, the cloud
arguably remains a largely nascent technology (Stewart 2010) and critics have argued
that its costs may outweigh the benefits (Tillery 2010)2. According to an IDC report
released by the research firm, International Data Corporation (IDC) in October 2008,
security concern was the most serious barrier to cloud adoption for organizations3.
Organizations rightfully worry about hidden costs associated with security breaches or
lawsuits tied to data privacy restrictions (Zielinski 2009).
In this paper, we would argue that issues related to security and privacy in the cloud,
while well documented, are only partially understood. Although researchers have
acknowledged the role of privacy and security issues in cloud related investment
decisions, they have paid relatively less attention to how institutional contexts such as
structures of the markets, legal and political environment as well as inter-organizational
and intra-organizational arrangements affect the ways in which such decisions are
made. The purpose of our study is to fill this void. The factors related to privacy and
security issues of the cloud focused in the paper can be described by considering a
broad approach to institutions, which defines the concept in terms of a games
equilibrium. Three factors that determine an equilibrium include (i) technologically
determined external constraints; (ii) humanly devised external constraints, and; (iii)
constraints developed within the game through patterns of behavior and the creation of
expectations (Snidal 1996, p. 128). For simplicity, however, technological factors are
discussed separately in this paper instead of lumping with institutions.
Before proceeding, we offer some clarifying definitions. Cloud computing involves
hosting applications on servers and delivering software and services via the Internet. In
the cloud computing model, companies can access computing power and resources on
Page 2 of 23

PTC11 Proceedings

the cloud and pay for services based on usage. Institutions are the rules of the game
(North 1990) and include formal constraints (rules, laws, constitutions), informal
constraints (norms of behavior, conventions, and self-imposed codes of conduct), and
their enforcement characteristics (North 1996, p. 344).
The paper is structured as follows. We proceed by first discussing the elements of our
proposed model on institutional and technological environment facing the cloud. It is
followed by a section on discussion and implications. The final section provides
concluding comments.
2. TECHNOLOGICAL AND INSTITUTIONAL ENVIRONMENT FACING THE CLOUD
Issues revolving around privacy, and ownership and access to data raise interesting
questions in the cloud. As a visual aid, Figure 1 schematically represents how privacy
and security issues in the cloud are tightly linked to the institutional and technological
environments. We discuss the building blocks of the model in this section. Various
characteristics of the cloud affect organizations perceptions of confidentiality, integrity,
and availability of the cloud (Left part of Figure 1). Formal and informal institutions, on
the other hand, affect perception of legitimacy and trustworthiness of the cloud (Right
part of Figure 1). Assessment of institutional and technological facilitators and inhibitors
affect organizations adoption decisions (Figure 1).
Figure 1 about here
Institutional actors responses lag behind the technological changes (Katyal 2001;
Brenner 2004). Moreover, institutional actors vary in their timing of responses. For
instance, whereas trade and professional associations and industry standard
organizations are taking measures to respond to security and privacy issues in the
cloud, government agencies have been slow to adopt necessary legislative, regulatory
and other measures to monitor users and providers of the cloud.
2.1. TECHNOLOGICAL ENVIRONMENT
2.1.1. THE CLOUDS NEWNESS AND UNIQUE VULNERABILITIES
The clouds newness and uniqueness present special problems. With the evolution and
popularity of virtualization technology, new bugs, vulnerabilities and security issues are
being found (Brynjolfsson et al. 2010). The cloud, however, is not a familiar terrain for
most IT security companies. A lack of mechanisms to guarantee security and privacy
has been an uncomfortable reality for many cloud providers.
One problem found in network virtualization is that a user may be able to access to the
providers sensitive portions of infrastructure as well as resources of other users
(Armbrust et al. 2010). In August 2010, the U.S. National Institute of Standards and
Technology announced a vulnerability in which a cloud user can cross from one client
environment to other client environments that are managed by the same cloud provider
Page 3 of 23

PTC11 Proceedings

(NIST 2009). Experts argue that such vulnerabilities could have more adverse impacts
in the cloud than in an on-premise computing (Owens 2010).
The cloud is also forensically challenging in the case of a data breach. For instance,
some public cloud systems may store and process data in different jurisdictions, which
vary in terms of laws related to security, privacy, data theft, data loss and intellectual
property theft (McCafferty 2010). Some organizations may encrypt their data before
storing in the cloud. These factors are likely to make forensic investigation complex and
time consuming (Taylor et al. 2010).
2.1.2. NATURE OF THE ARCHITECTURE
Virtual and dynamic
The virtual and dynamic nature of the cloud computing architecture deserves mention.
For one thing, the shared and dynamic resources of the cloud such as CPU and
networking reduce control for the user and tend to pose new security issues not faced
by on-premise computing (Brynjolfsson et al. 2010). A related point is that these
characteristics of the cloud allow data and information to distribute widely across many
jurisdictions. The locations where data are stored may vary in laws regarding security,
privacy, data theft, and protection of intellectual property (McCafferty 2010).
Virtualization is the primary security mechanism in the cloud. Nonetheless, some
resources are not virtualized. Virtual systems, despite their insulation from the
customer, run on physical systems (Sturdevant 2010). Moreover, virtualization
environments are not necessarily bug-free (Armbrust et al. 2010).
Sophistication and complexity
The clouds security related problems can also be linked to its sophisticated and
complex architecture. In April 2010, U.S. and Canada-based researchers published a
report on a sophisticated cyber-espionage network, which they referred as Shadow
network. The targets included the Indian Ministry of Defense, the United Nations, and
the Office of the Dalai Lama. The report noted: Clouds provide criminals and espionage
networks with convenient cover, tiered defences, redundancy, cheap hosting and
conveniently distributed command and control architectures (IWMSF 2010).
Another problem concerns the clouds complexity4. An important trend facilitated by the
cloud is social media, which are arguably corporate security nightmare (BBW 2010). In
the Shadow case noted above, the cyber-espionage network combined social
networking and cloud platforms, including those of Google, Baidu, Yahoo!, Twitter,
Blogspot and blog.com with traditional command and control servers (IWMSF 2010).
2.1.3. ATTRACTIVENESS AND VULNERABILITIES OF THE CLOUD AS A
CYBERCRIME TARGET
Earlier we mentioned that the cloud can provide a low cost security due to economies of
scales. However, an unintended downside of cheap services is more security issues5.
Page 4 of 23

PTC11 Proceedings

Value of data in the cloud

Target attractiveness depends on offenders perceptions of victims. Prior research
indicates that crime opportunity is a function of target attractiveness, which is measured
in monetary or symbolic value and portability (Clarke 1995). Target attractiveness is
also related to accessibilityvisibility, ease of physical access, and lack of surveillance
(Bottoms & Wiles 2002). Large companies networks offer more targets to hackers.
Cloud suppliers, which often are bigger than their clients, are attractive targets. The
cloud thus offers a high surface area of attack (Talbot 2010). That is, information
stored in clouds is a potential goldmine for cyber-criminals (Kshetri 2010a). In late 2009,
Google explained that the company discovered a China-originated attack on its
infrastructures. The company further noted that the attack was part of a larger
operation, which infiltrated infrastructures of at least 20 other large companies. In the
early 2010, Yale University postponed its plan to move its Webmail service to Google
Apps tailored for students and faculty. Analysts argued that Google's size and visibility
makes it more susceptible to cyber-attacks (eweek.com 2010).
Criminal-controlled clouds
The cloud is potentially most vulnerable, especially when viewed against the backdrop
of criminal owned-clouds operating in parallel. Just like diamond is the only material
hard enough to cut diamond effectively, criminal-owned clouds may be employed to
effectively steal data stored in clouds. The cloud may provide many of the same
benefits to criminals as for legitimate businesses.
The well-known Conficker virus, which reportedly controls 7 million computer systems at
230 regional and country top-level domains and has a bandwidth capacity of 28
terabits/second is arguably the worlds biggest cloud and probably the most visible
example of a criminal-owned cloud. Just like legitimate clouds, Conficker is available for
rent. Cybercriminals can choose a location they want to rent Conficker and pay
according to the bandwidth they want and choose an operating system (Mullins 2010)6.
2.2. INSTITUTIONAL ENVIRONMENT
Institutional theory is described as a theory of legitimacy seeking (Dickson et al., 2004,
p. 81). To gain legitimacy, organizations adopt behaviors irrespective of the effect on
organizational efficiency (Campbell 2004). Institutional influence on adoption decisions
related to the cloud becomes an admittedly complex process when providers and users
of the cloud have to derive legitimacy from multiple sources such as employees, clients,
client customers, professional and trade associations and governments.
Scott (2001) proposed three institutional pillars: (i) regulative; (ii) normative and (iii)
cognitive7, 8. These pillars relate to legally sanctioned, morally governed and
recognizable, taken-for-granted behaviors respectively (Scott et al. 2000, p. 238). The
following examples further illustrate the three pillars from the standpoint of security and
privacy in cloud computing.

Page 5 of 23

PTC11 Proceedings

European Union (EU) countries strong data privacy laws prevent the movement of
identifiable individuals data to jurisdictions that do not provide the same levels of
protection. Privacy regulations (regulative institutions) have arguably hindered the
diffusion of the cloud in the EU countries (Bradner 2010). Edelman and Suchman
(1997) note: the legal rules cause the organizational practices (or vice versa) is, at
best, a gross simplification. Many cloud vendors emphasize their security credentials
by communicating potential clients that they have completed a SAS 70 audit (normative
institutions) (Brodkin 2010). An organizations cloud adoption decision also depend on
its perception of a cloud providers ability to protect the organizations data from a third
party, make the data available whenever the organization needs them and a trust that
the provider would not exploit its clients data (cognitive institutions) (Talbot 2010).
The cloud industry is undergoing a major technological upheaval. In such situations, for
various actors, the institutional context may not provide organizing templates, models
for action, and sources of legitimacy (Greenwood & Hinings 1993). In most cases, such
changes create confusion and uncertainty and produce an environment that lacks
norms, templates, and models about appropriate strategies and structures (Newman
2000). Existing institutions are hopelessly inadequate and obsolete to deal with the
security and privacy problems facing the cloud industry. For instance, cloud computing
has challenged traditional institutional arrangements and notions about auditing and
security (Messmer 2010).
2.2.1. THE NATURE OF REGULATIVE INSTITUTIONS RELATED TO THE CLOUD
INDUSTRY
Regulative institutions9 consist of explicit regulative processes: rule setting, monitoring,
and sanctioning activities (Scott 1995, p. 35). In the context of this paper, regulative
institutions consist of regulatory bodies (such as the US Department of Justice and the
US Department of Homeland Security) and existing laws and rules (e.g., the Patriot Act,
Sarbanes-Oxley (SOX) and Health and Human Services Health Insurance Portability
and Accountability Act (HIPAA) in the U.S.) that influence individuals and organizations
to behave in certain ways (Scott 1995). Individuals and organizations adhere to the
rules so that they would not suffer the penalty for noncompliance (Hoffman 1999).
Laws to deal with data on the cloud
The importance of regulative institutions such as laws, contracts and courts in the cloud
industry should be obvious if this industry is viewed against the backdrop of the current
state of security standards. In the absence of radical improvements in security
technology, such institutions become even more important (Armbrust et al. 2010).
The cloud-related legal system and enforcement mechanisms are evolving more slowly
compared to the cloud technology development. Compliance frameworks such as SOX,
HIPAA and PCI-DSS (Payment Card Industry Data Security Standard) do not clearly
define the guidelines and requirements for data stored on the cloud (Bradley 2010).
Cloud computing thus poses various challenges and constraints for companies that
have responsibilities to meet stringent compliance related to these frameworks and
reporting requirements for their data (McCafferty 2010; NW 2010).
Page 6 of 23

PTC11 Proceedings

The cloud has several important new and unique features, which create problems in
writing contracts. For instance, an analysis of the contracts between Google and
Computer Sciences Corporation (CSC) with the City of Los Angeles indicated several
problems related to data breach and indemnification of damages. Google was a CSC
subcontractor in the arrangement. An attorney analyzing the case noted that some of
the complexity in the case would have been avoided if the term "lost data" was defined
more clearly in the contracts (NW 2010).
While some experts understandably argue that it would not be practical to hold cloud
providers liable for everything (TR 2010), current regulations are heavily biased in favor
of cloud providers (and against the users). For instance, in the event of a data breach in
the cloud, the client, not the vendor, may be legally responsible (Zielinski 2009).
According to the Federal Information Security Management Act (FISMA), cloud
providers are required to keep sensitive data belonging to a federal agency within the
country. While Google Apps are FISMA certified for its government cloud, which is not
necessarily the case for the private industry (Brodkin 2010).
Regulatory overreach
There have been concerns about possible overreach by law enforcement agencies. In
the U.S., for instance, thanks to the 2001 Patriot Act, the federal government can ask
service providers to provide details of an Internet users online activities without telling
the Internet user about it. The FBI's audits indicated the possibility of overreach by the
agency in accessing Internet users information (Zittrain 2009).
For some analysts, the biggest concern has been the governments increased ability to
access business and consumer data and censor and a lack of constitutional protections
against these actions (Talbot 2010). The cloud is likely to make it easier for
governments to spy on citizens. Governments worldwide, however, differ in their
approach to and scale of web censorship and surveillance. Especially, the cloud is
likely to provide authoritarian regimes a fertile ground for cyber-control activities10.
The cloud as the ultimate spying machine: There are stories of espionage activities
successful transition to cyber-espionage2.0. National and international security issues
arise from the clouds potential to be the ultimate spying machine. A Google's report
released in April 2010 is especially timely and enlightening. The company described
how government authorities around the world request the company for private
information and to censor its applications.
2.2.2. THE NATURE OF NORMATIVE INSTITUTIONS RELATED TO THE CLOUD
INDUSTRY
Normative components introduce a prescriptive, evaluative, and obligatory dimension
into social life (Scott 1995, p. 37). This component focuses on the values and norms
held by individuals and organizations that influence the functioning of the cloud
industry11. Practices that are consistent with and take into account the different
assumptions and value systems are likely to be successful (Schneider 1999). Normative
institutions also include trade associations, professional associations (e.g., The
Page 7 of 23

PTC11 Proceedings

American Institute of Certified Public Accountants), or non-profit organizations (e.g.,

Electronic Privacy Information Center) that can use social obligation requirements (e.g.,
ethical codes of conduct) to induce certain behaviors in the cloud industry.
Professional associations measures
Compared to established industrial sectors, in nascent and formative sectors such as
cloud computing, there is no developed network of regulatory agencies (Powell, 1993).
For instance, there are few, if any, national or international legal precedents for the
cloud industry (McCafferty 2010). As a consequence, there is no stipulated template
for organizing, and thus pressures for conformity are less pronounced (Greenwood &
Hinings 1996). In such settings, professional and trade associations may emerge to
play unique and important roles in shaping the industry (Kshetri & Dholakia 2009).
These associations norms, informal rules, and codes of behavior can create order,
without the laws coercive power, by relying on a decentralized enforcement process
where noncompliance is penalized with social and economic sanctions (North 1990).
Various professional and trade associations are also constantly emerging and
influencing security and privacy issues in the cloud in new ways as a result of their
expertise and interests in this issue. A visible example is the Cloud Security Alliance
(CSA) (www.cloudsecurityalliance.org), a group of information security professionals.
The CSA is is working on a set of best practices as well as information security
standards for cloud providers (Crosman 2010). To take another example, the
American Institute of Certified Public Accountants is making efforts to accelerate cloud
adoption among its 350,000 members12. AICPAs endorsements are based on an
extensive due diligence on the security practices of the vendors (McCann 2010).
Industry standards and certification programs
Some argue that industry standards organizations may address most of the user
concerns related to privacy and security in the cloud industry (Object Management
Group 2009). Organizations such as Object Management Group (OMG), the Distributed
Management Task Force (DMTF), the Open Grid Forum (OGF), and the Storage
Networking Industry Association (SNIA) have made efforts to address security and
privacy concerns in the cloud industry (Wittow & Buller 2010).
There are no formal processes for auditing cloud platforms (Vizard 2010). Analysts
argue that auditing standards to assess a service providers control over data (e.g., SAS
70) or other information security specifications (e.g., the International Organization for
Standardizations ISO 27001) are insufficient to deal with and address the unique
security issues facing the cloud (Brodkin 2010). Note that these standards and
specifications were not developed specifically for the cloud computing.
2.2.3. THE NATURE OF COGNITIVE INSTITUTIONS RELATED TO THE CLOUD
INDUSTRY
Cognitive institutions are closely associated with culture (Jepperson, 1991). These
components represent culturally supported habits that influence cloud providers and
Page 8 of 23

PTC11 Proceedings

users behaviors. In most cases, they are based on subconsciously accepted rules and
customs as well as some taken-for-granted cultural account of cloud use (Berger &
Luckmann 1967). Scott (1995, p. 40) suggests that cognitive elements constitute the
nature of reality and the frames through which meaning is made. Cognitive programs
are built on the mental maps of individual cloud users and and thus function primarily at
the individual level (Huff 1990)13. Compliance in cognitive legitimacy concerns is due to
habits. Organizations and individuals may not even be aware that they are complying.
Perception of vendors integrity and capability
Of particular concern is the users dependency on cloud vendors security assurances
and practices. Cloud providers must guard against theft or denial-of-service attacks by
users. Users need to be protected from one another (Armbrust et al. 2010). Surveys
have shown that potential cloud adopters are concerned about the possibility that
service providers security might have ineffective or noncompliant controls, which may
lead to vulnerabilities affecting the confidentiality, integrity, and availability of data
(Wilshusen 2010). Organizations are also concerned that cloud providers may use
insecure ways to delete data once services have been provided (Wilshusen 2010)14.
Admittedly, data theft, denial-of-service attacks by users, threats from other users, and
bugs are not the only-and not the biggest-problem associated with the cloud. There is
also a high degree of temptation for the cloud providers or their employees to engage in
opportunistic behavior (Armbrust et al. 2010). The cloud thus may also increase
exposure to organizational vulnerabilities to insider risks. Indeed, malicious insider risks
are among the most important risks that the cyberspace faces. According to a report
released by the FBI in 2006, over 40% of attacks originate inside an organization
(Regan 2006). Some have raised concerns that service providers do not conduct
adequate background security investigations of their employees (Wilshusen 2010).
One fear has been that intellectual property and other sensitive information stored in the
cloud could be stolen. Worse still, cloud providers may not notify their clients about
security breaches. Evidence indicates that many businesses tend to underreport
cybercrimes due to embarrassment, concerns related to credibility and reputation
damages and fears of stock price drops. A report of the Idaho National Engineering and
Environmental Laboratory (http://www.us-cert.gov/control_systems/pdf/oil_gas1104.pdf)
noted: Many of the cyber attacks go unnoticed or may go unnoticed for long periods of
time (p. 2). An organizations data in the cloud may be stolen but it may not ever be
aware that such incidents had happened.
A final point concerns the outage problems, which would worsen the economics of cloud
computing. For instance, popular clouds such as Google's Gmail, Amazon S3, and
those of Salesforce.com and Microsoft have suffered outages.
Cloud users inertia effects
It is quite possible that organizational inertia15 may affect the lens through which users
view security and privacy issues in the cloud. Organizational inertia may constraint a
firm's ability to exploit emerging opportunities such as cloud computing (Dean & Mayer
Page 9 of 23

PTC11 Proceedings

1996). An inertia effect (resistance to change) is likely to adversely influence an

organizations assessment of the cloud from the security and privacy standpoints.
Reduction in control is an obvious concern. Cloud users dont have access to the
hardware and other resources that store and process their data. There is no physical
control over data and information in the cloud (Wilshusen, 2010). The shared and
dynamic resources in the cloud environment reduce control (Brynjolfsson et al. 2010).
Moreover, while the client has no control over the data managed by the cloud provider,
cloud services contracts often stipulate that data protection is the formers responsibility
(Crosman 2009). A case in point is Google. The company provides security and privacy
assurances to its Google Docs users unless the users publish them online or invite
collaborators. However, Google service agreements explicitly make it clear that the
company provides no warranty or bears no liability for harm in case of Googles
negligence to protect the privacy and security (Wittow & Buller 2010).
Just as important is preference for localness. From the standpoint of security, most
users prefer computing to be local (Brynjolfsson et al. 2010). Organizations arguably
ask: who would trust their essential data out there somewhere? (Armbrust et al. 2010).
3. DISCUSSION
It is important to emphasize that the model presented by figure 1 is dynamic in nature.
We anticipate that the salience of each component of institutional and technological
factors will vary across organizations as well as over time. For instance, barriers
associated with newness and inertia effects are likely to decline over time. On the other
hand, as the penetration level, width and depth of cloud increases, it is likely to be a
more attractive cybercrime target.
One implication of the dynamic aspects of the model is that institutions change over
time in the cloud industry. The idea of institutional field can be helpful in understanding
this dynamic. A field is formed around the issues that become important to the interests
and objectives of specific collectives of organizations (Hoffman 1999, p. 352)16. For a
field formed around privacy and security in the cloud, these organizations include
regulatory authorities (e.g., the FTC), providers and users of the cloud as well as
professional and trade association. The content, rhetoric, and dialogue among these
constituents influence the nature of field formed around the security and privacy issues
associated with the cloud (Hoffman 1999, p. 355).
An understanding of arbiters would provide important insight into the sources of
institutional change in the cloud industry. Wiesenfeld et al. (2008) have identified three
categories of arbiters social, legal, and economic17. Much of the early evidence
indicates that institutions in the cloud industry should rebalance towards a higher power
of the users. Experts argue that courts (legal arbiters) are likely to take a middle
ground and make providers liable for breach (TR 2010). The Electronic Privacy
Information Center (EPIC) (a social arbiter) filed a complaint with the Federal Trade
Commission (FTC) against Googles cloud services. EPIC made the point that Google
Page 10 of 23

PTC11 Proceedings

does not adequately safeguard users confidential information. It requested the FTC to
open an investigation into Googles Cloud services18 (Wittow & Buller 2010). Likewise,
experts argue that market forces and consumer demands (economic arbiters) are likely
to drive a lot of privacy changes in cloud computing (TR 2010).
3.1. MANAGERIAL AND POLICY IMPLICATIONS
The model presented in this paper also has implications for management practice and
public policy. Most cloud providers services come with no assurance or promise of a
given level of security and privacy. Cloud providers lack policies and practices related to
privacy and security. Nor is that their only problem. Cloud providers have also
demonstrated a tendency to reduce their liability by proposing contracts with the service
provided as is with no warranty (McCafferty 2010). Perception of ineffectiveness or
noncompliance of cloud providers may thus act as a roadblock to organizations cloud
adoption decisions. In this regard, above analysis indicates that security and privacy
measures designed to reduce perceived risk as well as transparency and clear
communication processes would create a competitive advantage for cloud providers.
The newness and uniqueness of the cloud often mean that clients would not know what
to ask for in investment decisions. An understanding of model would also help
organizations take technological, behavioral and perceptual/attitudinal measures. The
users of the cloud are functioning on the assumption that cloud providers take privacy
and security issues seriously (Wittow & Buller 2010). However, against the backdrop of
the institutional contexts, this may well be a convenient but possibly false assumption.
The model also leads to useful questions that need to be asked before making cloud
related investments. Given the institutional and technological environment, potential
adopters should ask tough questions to the vendor regarding certification from auditing
and professional organizations (e.g., AICPA), locations of the vendors data centers,
and background check of the vendors employees, etc.
The above analysis suggest that a one size fits all' approach to the cloud cannot work.
The model presented in Figure 1 would also help in making strategic decisions. For
instance, organizations may have to make decisions concerning combinations of public
and private clouds19. For instance, the public cloud is effective for an organization
handling high-transaction/low-security or low data value (e.g., sales force automation).
Private cloud model, on the other hand, may be appropriate for enterprises that face
significant risk from information exposure such as financial institutions and health care
provider or federal agency. For instance, for medical-practice companies dealing with
sensitive patient data, which are required to comply with the HIPAA rules, private cloud
may be appropriate.
In general, legal systems take long time to change (Dempsey 2008). Regulative
institutions related to liability and other issues in the cloud are not well developed. Cloud
providers may feel pressures to obtain endorsements from professional societies.

Page 11 of 23

PTC11 Proceedings

AICPAs endorsements have driven the diffusion of cloud applications among some
CPA firms.
Today, accurately or not, businesses are concerned about issues such as privacy,
availability, data loss (e.g., shutting down of online storage sites), data mobility and
ownership (e.g., availability of data in usable form if the user discontinues the services)
(Martin 2010). Cloud providers are criticized on the ground that they do not answer
questions and fail to give enough evidence to trust them (Brodkin 2010)20,21. In this
regard, many of the user concerns can be addressed by becoming more transparent.
Since geographic dispersion of data is an important factor associated with cost and
performance of the cloud, an issue that deserves mention relates to regulatory
arbitrage. Experts expect that countries update their laws individually rather than to act
in a multilateral fashion (TR 2010). Economies worldwide vary greatly in terms of the
legal systems related to the cloud. Due to the newness, jurisdictional arbitrage is higher
for the cloud compared to the IT industry in general. In this regard critics are concerned
that cloud providers may store sensitive information in jurisdictions that have weak laws
related to privacy, protection and availability of data (Edwards 2009).
Anecdotal evidence suggests that due to increasingly important roles in national
security, many high technology sectors are characterized by a high degree of
protectionism. The atmosphere of suspicion and distrust among states can lead to such
protectionism. To capture the feelings that accompany intergovernmental distrust,
consider the U.S.-China trade and investment policy relationship. Chinese leaders are
suspicious about possible cyber-attacks from the U.S. There has been a deep rooted
perception among Chinese policy-makers that Microsoft and the U.S. government spy
on Chinese computer users through secret back doors in Microsoft products22 (Adams
2001). Chinese leaders thus may be uncomfortable with the idea of storing data on
clouds provided by foreign multinationals. U.S. policy makers are equally concerned
about Chinese technology firms internationalization23. The above analysis indicates that
such concerns are likely to be even more prominent in cloud computing.
Cyber-espionage has been an obvious application of the cloud. If there is any lesson
that recent major cyber-espionage activities teach, it is that countries with strong cyberspying and cyber-warfare capabilities such as China will be in a good position to exploit
the clouds weaknesses for such activities.
In view of the technological capabilities of extra-legal and illegal organizations, one area
that deserves attention is the escalation of economic and industrial espionage activities
such as intellectual property theft. There have been reports that U.S. government
agencies such as the Defense Department as well as private companies have been
targets and victims of such activities24. It is thus reasonable to expect that the cloud may
enable an upgrade of these activities to industrial espionage2.0.
Cloud security and developing countries

Page 12 of 23

PTC11 Proceedings

Some analysts suggest that developing countries will be attractive markets for cloud
services and predict that this technology will soon make healthcare 2.0, banking 2.0,
and education 2.0 realities in these countries (Economist 2008). At the same time,
however, criminal practices on the Internet have upgraded to cybercrime2.0 (Kshetri
2010a). Nonetheless, security and privacy issues in the developing world need to be
viewed in the context of weak defense mechanisms of organizations.
Information technologys hollow diffusion concept can be helpful in understanding a
weak defense. Many companies in developing countries lack technological and human
resources to focus on security. Hollow diffusion can be human-related (lack of skill and
experience) or technology-related (inability and failure to use security products) (Otis &
Evans 2003)25. Especially for developing-based organizations that do not deal with highvalue and sensitive data the cloud may provide low-cost security to address some of the
security-related human (e.g. installing/maintaining software) and technological issues.
Providers and users of the cloud face additional challenges in developing economies.
Various aspects of the institutional environment may weaken the clouds value
proposition and discourage investors. In many developing countries, factors such as
corruption, the lack of transparency, and a weak legal system can exacerbate security
risks. The high-profile attacks on Google cloud allegedly by China-based hackers in
2009 were an eye opener for the cloud industry26.
A final issue that deserves mention relates to the impacts of clouds controlled by the
developing world players on security issues of industrialized countries. It is tempting for
global cloud players to use cheaper hosting services in developing countries. Cybercriminals, however, find it more attractive to target rich economies. For instance, the
U.S. is the No. 1 target for cyber-attacks. Since many developing countries are top
cybercrime sources (Kshetri 2010b), security risks associated with the diffusion of
clouds in these countries may spread to industrialized countries.
Security concerns as a source of a negative country-of-origin effect
Developing world-based cloud providers are internationalizing (Kshetri 2010a). They
may face barriers due to the pervasive perceptions of weak security. One concern is
that institutional environment in these countries is insufficient to guarantee security and
privacy of client data. The prospect of civil and criminal prosecution is weak when
security breaches and privacy violations take place in a country with a weak rule of law.
Observers, for instance, have noted that Indian cybercrime law and privacy enforcement
are weak. A related point is that European or U.S. data protection laws cannot be
enforced in India. Likewise, partly due to real and/or perceived government control,
China-based cloud providers may be perceived less trustworthy and need to combat the
effects of negative country of origin images and stereotypes.
3.2. FUTURE RESEARCH
Before concluding, we suggest several potentially fruitful avenues for future research.
Cloud-related institutions are currently thin and dysfunctional. For instance, as noted
Page 13 of 23

PTC11 Proceedings

above, privacy and security issues of data stored on the cloud currently fall into a legally
gray area. Future research might examine how political, ethical, social and cultural
factors are associated with security issues in cloud computing.
Prior research conducted in other sectors (e.g., chemical industry) indicates that
institutional evolution entails transitions among the three institutional pillarsregulative,
normative, and cognitive. Building a regulative/law pillar system is the first stage of field
formation. It is followed by a formation of normative institutions and then cognitive
institutions (Hoffman 1999). A comparison of institutional evolution in the cloud industry
with that in other economic sectors might be worthwhile target of study.
Second, an empirical examination of core premises and propositions of the model
presented by Figure 1 would be useful to advance the model's utility as a viable
framework for studying the technological and institutional drivers of the cloud industry.
Such a study would shed light on the relative importance of various components of the
model in organizations cloud adoption decision.
Finally, future research might also explore antecedents of organizations cloud
computing decisions in terms of various technological dimensions identified in the prior
literature. One avenue would be to test how the cloud performs in terms of major
dimensions proposed by Rogers (1995) such as relative advantage, compatibility,
complexity, observability and trialability.
4. CONCLUDING COMMENTS
Virtualized resources in the cloud lower upfront investment and product development
costs. However, the low cost comes with a trade-off. The above analysis suggests that it
is too simplistic to view the cloud as a low-cost security. Legitimate as well as
illegitimate organizations and entities are gaining access to data on the cloud through
illegal, extralegal, and quasi-legal means. The clouds diffusion and that of social media
have superimposed onto organizations rapid digitization in a complex manner that
allows cyber-criminals and cyber-espionage networks to exploit the clouds
weaknesses. The above analysis thus indicates that ensuring that both technological
and behavioral/perceptual factors are given equal consideration in the design and
implementation of a cloud network is thus crucial.
Existing institutions are subject to powerful environmental selection mechanisms (Gilson
2001). Existing institutions are likely to be exposed and restructured to support a new
set of beliefs and actions and the rules are likely to be revised. New institutions and the
redesign of existing institutions are needed to confront emerging security and privacy
problems in the cloud industry. There is an indication that existing institutions related to
the cloud are thickening. In this regard, the war for the future of security and privacy
issues in the cloud is just beginning. Tough analysts of cloud security are gaining new
credibility. For instance, a new way of auditing specifically designed for the cloud
industry is evolving. Overall, it is fair to say that privacy and security issues related to
the cloud industry are undergoing political, social, and psychological metamorphosis.
Page 14 of 23

PTC11 Proceedings

REFERENCES
Adams, J. Virtual defense, Foreign Affairs vol. 80, no. 3, 2001, 98112.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G.,
Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud
Computing. Communications of the ACM, 53(4), 50-58.
Barnett, W. P., & Carroll, G. R. (1993). How institutional constraints affected the
organization of early US telephonies. Journal of Law, Economics and Organization,
9, 98126.
Berger, P. L., & Luckmann, T. (1967). The social construction of reality: A treatise in the
sociology of knowledge. New York: Doubleday.
BBW (Bloomberg Businessweek). (2010). Salesforce.com Channels Facebook. August
30-September 5, 34-35.
Bottoms, A. E., &Wiles, P. (2002). Environmental criminology. Oxford Handbook of
Criminology, 620656.
Bradley, T. (2010). Build Your Own Private Azure Cloud with New Microsoft Appliance.
PC World, July 13, 2010, available at
http://www.pcworld.com/businesscenter/article/200988/build_your_own_private_azur
e_clouc_with_new_microsoft_appliance.html?tk=hp_blg. Accessed September 20,
2010.
Bradner, S. (2010). Internet privacy conflicts. Network World, September 27, 2010,
27(18), 15-15.
Brenner, S. W. (2004). Toward a criminal law for cyberspace: A new model of law
enforcement? Rutgers Computer and Technology Law Journal, 30 (2004), 1-9.
Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), 1-27.
Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity:
Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), 32-34.
Campbell, J. L. (2004). Institutional Change and Globalization. Princeton, NJ: Princeton
University Press.
Clarke, R. V. (1995). Situational crime prevention. In M. Tonry & D. P. Farrington (Eds.),
Building a safer society. Strategic approaches to crime (pp. 91150). University of
Chicago Press.
Crosman, P. (2009). Securing The Clouds, Wall Street & Technology, December 1,
pp.23.
Dean, T. J., & Meyer, G. D. (1996). Industry Environments and New Venture
Formations in U.S. Manufacturing: a Conceptual and Empirical Analysis of Demand
Determinations. Journal of Business Venturing, 11, 107-132.
Del Nibletto, P. (2010). The seven deadly sins of cloud computing, March 19, 2010,
available at http://www.itbusiness.ca/it/client/en/home/News.asp?id=56870.
Accessed July 24, 2010.
Dempsey, P. J. (2008). Unprepared to fight worldwide cyber crime, available at
http://www.internetevolution.com/author.asp?section_id=593&doc_id=147027&piddl
_msgid=154774#msg_154774. Accessed October 27, 2009.
Page 15 of 23

PTC11 Proceedings

Dickson, M., BeShers, R., & Gupta, V. (2004). The impact of societal culture and
industry on organizational culture: Theoretical explanations. In J. H. Robert, J. H.
Paul, J. Mansour, W. D Peter, & and G. Vipin (eds). Culture, leadership, and
organizations: the GLOBE study of 62 societies. Thousand Oaks, Calif: Sage
Publications.
Economist, (2008). The Long Nimbus, 25 October, special section, pp. 15-17.
Edelman, L. B., & Suchman, M. C. (1997). The legal environments of organizations.
Annual Review of Sociology, 23, 479515.
Edwards, J. (2009). Cutting Through the Fog of Cloud Security. Computerworld, 43(8),
26-29.
ENSIA. (2009). Cloud Computing: Benefits, risks and recommendations for information
security. European Network and Information Security Agency, November, available
at http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment/at_download/fullReport. Accessed July 21, 2010.
eweek.com. (2010). Did Yale Postpone Move to Google Apps over China Flap?, March
31, 2010, available at
http://googlewatch.eweek.com/content/google_apps/did_yale_postpone_move_to_g
oogle_apps_over_china_flap.html. Accessed July 24, 2010.
Gilson, R .J. (2001). Globalizing corporate governance: convergence of form or
function. The American Journal of Comparative Law, 49(2001), 32958.
Greengard, S., & Kshetri, N. (2010). Cloud Computing and Developing Nations.
Communications of the ACM, 53(5), 18-20.
Greenwood, R., & Hinings, C. R. (1993). Understanding strategic change: The
contribution of archetypes. Academy of Management Journal, 36(1993), 1052-1081.
Greenwood, R., & Hinings, C. R. (1996). Understanding radical organizational change:
Bringing together the old and the new institutionalism. Academy of Management
Review, 21, 10221054.
Guillen, M. F. & Suarez, S. L. (2005). Explaining the Global Digital Divide: Economic,
Political and Sociological Drivers of Cross-National Internet Use, Social Forces,
84(2): 681708.
Hoffman, A. J. (1999). Institutional evolution and change: Environmentalism and the US
chemical industry. Academy of Management Journal, 42(4), 351371.
Huff, A. S. (1990). Mapping strategic thought. In A. S. Huff (eds.). Mapping strategic
thought (pp.1149). Chichester, England: Wiley.
IWMSF (Information Warfare Monitor/Shadowserver Foundation), Shadows In The
Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor
Shadowserver Foundation, JR03-2010, April 6, 2010, available at
http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf. Accessed July 24,
2010.
Jepperson, R. (1991). Institutions, institutional effects, and institutionalism. In W. W.
Powell & P. J. DiMaggio (eds.). The new institutionalism in organizational analysis
(pp. 143163). Chicago: University of Chicago Press.

Page 16 of 23

PTC11 Proceedings

Katyal, N. K. (2001). Criminal law in cyberspace. University of Pennsylvania Law

Review, 149(4), 10031114.
Kelman, S. (1987). Making public policy: A hopeful view of American government. New
York: Basic Books.
Khalili, S. S. (2010). Clearing the air on cloud computing. New Straits Times (Malaysia),
June 21, 9.
Kshetri, N. (2007). The Adoption of E-Business by Organizations in China: An
Institutional Perspective, Electronic Markets, 17(2), 113-125
Kshetri, N. (2010a). Cloud Computing in Developing Economies. IEEE Computer,
October, 43(10), 47-55.
Kshetri, N. (2010b). The Global Cyber-crime Industry: Economic, Institutional and
Strategic Perspectives. New York, Berlin and Heidelberg: Springer-Verlag.
Kshetri, N., & Dholakia, N. (2009). Professional and Trade Associations in a Nascent
and Formative Sector of a Developing Economy: A Case Study of the NASSCOM
Effect on the Indian Offshoring Industry. Journal of International Management, 15(2),
225-239.
Larkin, E. (2010). Will Cloud Computing Kill Privacy?. PC World, Mar 2010, 28(3), 4444.
Larsen, E., & Lomi, A. (2002). Representing change: A system Model of organizational
inertia and capabilities as dynamic accumulation processes. Simulation Model
Practice and Theory, 10(5), 271-296.
Martin, J. A. (2010). Should You Move Your Business to the Cloud?. PC World, Apr
2010, 28(4), 29-30.
Martnez-Cabrera, A. (2010). Security in the computing cloud a top concern, March 6,
2010, available at http://articles.sfgate.com/2010-0306/business/18378297_1_cyber-security-czar-howard-schmidt-qualys-rsa. Accessed
July 24, 2010.
McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air.
Baseline, Mar/Apr2010, 103, 28-33.
McCann, D. (2010). Posted in: Accountants Head to the Cloud, CFO.com, March 24,
2010, available at
http://cfo.com/article.cfm/14484960/c_14485112?f=home_todayinfinance. Accessed
July 24, 2010.
McCreary, L. (2008). What Was Privacy? Harvard Business Review, 86(10), 2008.
Messmer, E. (2010). Cloud computing providers working in secret. Network World, July
12, 2010, 27(13), 10-11.
Messmer, E. (2010). Secrecy of cloud computing providers raises IT security risks,
available at http://www.mis-asia.com/news/articles/secrecy-of-cloud-computingproviders-raises-it-security-risks. Accessed July 24, 2010.
Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security
expert says the biggest cloud providers are botnets, March 22, 2010, available at
http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24,
2010.
Page 17 of 23

PTC11 Proceedings

NW (Network World). (2010). Inside the cloud security risk, 27(13), p. 11.
Newman, K. L. (2000). Organizational transformation during institutional upheaval. The
Academy of Management Review, 25(3), 602-619.
NIST (2009). Vulnerability Summary for CVE-2009-3733, 08/21/2010, The US National
Institute of Standards and Technology, available at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733. Accessed
September 20, 2010.
North, D. C. (1990). Institutions, institutional change and economic performance.
Cambridge, UK: Cambridge University Press.
North, D. C. (1996). Epilogue: Economic performance through time. In L. J. Alston, T.
Eggertsson & D. C. North (eds.). Empirical studies in institutional change (pp. 342
355). Cambridge, PA: Cambridge University Press.
Object Management Group. (2009). Cloud-Standards.org, Major Standards
Development Organizations Collaborate to Further Adoption of Cloud Standards,
available at http://www.omg.org/news/releases/pr2009/07-13-09.htm. Accessed
October 14, 2010.
Otis, C. & Evans, P. (2003). The Internet and Asia-Pacific Security: Old Conflicts and
New Behavior, Pacific Rev.16,(4), 549-550.
Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun
2010, 53(6), 46-51.
Powell, W. W. (1993). The Social Construction of an Organizational Field: The Case of
Biotechnology. Paper presented at the Warwick-Venice Workshop on perspectives
on strategic change, University of Warwick.
Regan, K. (2006). FBI: Cybercrime Causes Financial Pain for Many Businesses,
technewsworld, available at http://www.technewsworld.com/story/48417.html.
Accessed October 1, 2007.
Rogers, E. M. (1995). Diffusion of innovations. Fourth edition. New York: Free Press.
Schneider, A. (1999). US neo-conservatism: Cohort and cross-cultural perspective. The
International Journal of Sociology and Social Policy, 19(12), 5686.
Scott, R. (1995). Institutions and organizations. Thousand Oaks, CA: Sage.
Scott, R. (2001). Institutions and organizations. Thousand Oaks, CA: Sage.
Scott, W. R., Ruef, M., Mendel, P. J., & Caronna, C. A. (2000). Institutional change and
healthcare organizations: From professional dominance to managed care. Chicago,
IL: University of Chicago Press.
Snidal, D. (1996). Political economy and international institutions. International Review
of Law and Economics, 16(1), 121137.
Stewart, B. (2010). Apple Keeps iTunes Out of the Cloud. Information Today, Oct 2010,
27(9), 46-46.
Sturdevant, C. (2010). Seeding security into the cloud. eWeek, March 15, 2010, 27(6),
38-38.
Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.

Page 18 of 23

PTC11 Proceedings

Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud
computing systems. Computer Law & Security Review, May 2010, 26(3), 304-308.
TR (Telecommunications Reports). (2010). Microsoft Urges Policymakers To Help
Secure Cloud Computing, 76(3), 18-19.
Tillery, S. (2010). How Safe Is the Cloud?, available at
http://www.baselinemag.com/c/a/Security/How-Safe-Is-the-Cloud-273226. Accessed
July 24, 2010.
Vardi, N. (2005). Chinese takeout. Forbes, July 25, p. 54.
Vizard, M. (2010). Assessing the Risks of Cloud Computing, Oct 11, 2010, available at
http://www.itbusinessedge.com/cm/blogs/vizard/assessing-the-risks-of-cloudcomputing/?cs=43712. Accessed July 24, 2010.
Wiesenfeld, B. M., Wurthmann, K. A., & Hambrick, D. C. (2008). The stigmatization and
devaluation of elites associated with corporate failures: A process model. Academy
of Management Review, 33(1), 231251.
Wilshusen, G. C. (2010). Information Security Federal Guidance Needed to Address
Control Issues with Implementing Cloud Computing. GAO Reports, July 1, 2010,
preceding pp. 1-48.
Wittow, M. H., & Buller, D. J. (2010). Cloud Computing: Emerging Legal Issues for
Access to Data, Anywhere, Anytime. Journal of Internet Law, Jul 2010, 14(1), 1-10.
Zielinski, D. (2009). Be Clear on Cloud Computing Contracts. HRMagazine, Nov,
54(11), 63-65.
Zittrain, J. (2009). Lost in the Cloud. The New York Times, Late Edition Final, Section
A, (July 2009), 19.

Page 19 of 23

PTC11 Proceedings

Figure 1: A framework for understanding security and privacy issues facing the
cloud

Institutional and technological environment

facing the cloud

Technological environment

Nature of the
architecture

Newness

Attractiveness and
vulnerability as a
cybercrime target

Virtual and
dynamic
New and
unique
vulnerabilities

Value of
data in the
cloud

Sophistication
and complexity

Institutional environment

Regulative
institutions

Normative
institutions

Professional
associations
measures

Laws to
deal with
data on the
cloud

Criminal
controlled
clouds

Regulatory
overreach

Perception of confidentiality, integrity,

and availability of the cloud

Cognitive
institutions

Cloud users
Inertia effects
Industry
standards and
certification
programs

Perception of
vendors integrity
and capability to
protect from third
party and other risks

Perception of legitimacy and trustworthiness of

the cloud

Assessment of institutional
and technological facilitators
and inhibitors

Cloud adoption decision

Page 20 of 23

PTC11 Proceedings

ENDNOTES:
1

Unsurprisingly the response of the cloud industry has been: ..clouds are more secure
than whatever youre using now (Talbot 2010).
2

John Chambers, the Cisco Systems chairman, called the cloud a security nightmare
that cant be handled in traditional ways (Talbot 2010).

IDCs another survey conducted in the early 2010 also ranked security concerns as
the No. 1 barrier to cloud adoption (Del Nibletto 2010).

For instance, an analyst of Gartner noted that it is difficult to know whether cloud
providers practice of "hiding the data in a million places" ensures a good security as
there is no way to evaluate such practice (Messmer 2010).

A leader of the cloud security team at the National Institute of Standards and
Technology (NIST) was quoted as saying: Every customer has access to every knob
and widget in that application. If they have a single weakness, [an attacker may] have
access to all the data (Talbot 2010).

Customers also have a range of options for the type of services to put in the Conficker
such as a denial-of-service attack, spreading malware, sending spam or data exfiltration
7

The formation of regulative pillar is characterized by the establishment of legal and

regulatory infrastructures to deal with the cloud industry (Hoffman, 1999). A normative
institutional pillar is said to be established if rich and well developed ethical codes,
guidelines and traditions develop in the cloud industry. Likewise, a cognitive pillar
related to the cloud industry is established if cloud culture is developed that is
considered as normal practices.

Norths formal constraints can be mapped with Scotts (1995, 2001) regulative pillar
while informal constraints can be mapped with normative and cognitive pillars.
9

These institutions focus on the pragmatic legitimacy concerns in managing the

demands of regulators and governments (Kelman 1987).

10

Although over three dozen governments control the online environment, few have
done so more skillfully than by China. Chinas state strategies toward ICTs have been to
balance economic modernization and political control. China has pursued a systematic
massive Internet surveillance. Tens of thousands of government agents reportedly
engage in cyber-control activities. According to the Berkeley China Internet Project, the
Chinese governments censorship software hides websites containing phrases such as
freedom, democracy, China-liberal, and falun (Kshetri 2007). There were also reports
that the Chinese government sent virus to attack banned sites (Guillen & Suarez
2007).
11

The basis of compliance in the case of normative institutions derives from

professional and social obligations. Non-adherence can thus result in societal and
professional sanctions.
12

Paychex, a payroll-solutions provider, was the first cloud provider to win the AICPA's
official endorsement. AICPA also endorsed bill.com for invoice management and
Page 21 of 23

PTC11 Proceedings

payment in 2008. In 2009, it endorsed financial management and accounting software

maker Intacct and tax-automation supplier Copanion (McCann 2010).
13

Although carried by individuals, cognitive programs are social in nature (Berger &
Luckmann 1967).
14

For instance, it is likely that cloud providers may dispose hard disk without deleting
data (Armbrust et al. 2010).
15

Organizational inertia can be defined as formal organizations tendency to resist

internal changes to respond to external changes (Larsen & Lomi 2002).
16

A field is a dynamic system characterized by the entry and exit of various players and
constituencies with competing interests and disparate purposes and a change in
interaction patterns among them (Barnett & Carroll 1993). As is the case of any issuebased field, these players in the cloud industry continuously negotiate over issue
interpretation and engage in institutional war leading to institutional evolution
(Greenwood & Hinings 1996).
17

Social arbiters include members of the press, governance watchdog groups,

academics, and activists. Legal arbiters are those who play role in enforcing rules and
regulations. Economic arbiters make decisions about engaging in economic exchange
with individuals.
18

The EPICs complaint also argued that the FTC should ban Google from offering
services that lack adequate protections of privacy and security of users data.
19

While companies have used the cloud for applications such as payroll and email
services, security has been the most often-cited barrier to cloud adoption for
applications involving sensitive information (Armbrust et al. 2010).
20

Some argue that information about data center locations and practices are arguably
treated like national security secrets (Messmer 2010).
21

Businesses and industry analysts are concerned about the cloud providers don't
ask, don't tell" approach (Messmer 2010).
22

Computer hardware and software imported from the U.S. and its allies are subject to
inspection. Chinese technicians control such imports and resist or closely monitor if
Western experts install them. Several years ago, Chinese cryptographers reportedly
found an NSA Key in Microsoft products, which was interpreted as pertaining to the
National Security Agency. The key allegedly provided the U.S. government back-door
access to Microsoft Windows 95, 98, NT4 and 2000. Although Microsoft denied this
allegation and issued a patch to fix the problem, Chinese officials remain unconvinced.
23

Some U.S. lawmakers argued that Lenovos acquisition of IBMs PC division could
lead to a transfer of advanced technology to the Chinese government. When the U.S.
State Department was about to buy Lenovo computers in 2006, politicians and some
commentators drew attention to the national security implications of placing Chinese
computers into government offices. They argued that Lenovo's connections to the
Chinese government could pose a threat.
Page 22 of 23

PTC11 Proceedings

24

During September 2004 to April 2005, more than a dozen versions of Myfip worm
were reportedly used to steal information such as CAD/CAM files containing mechanical
designs, electronic circuit board schematics and layouts from U.S. businesses (Vardi
2005).
25

Some ISPs in industrialized countries reportedly block content that originated from
problematic networks in developing countries.
26
In 2008, Google CEO said that his company would work with Chinese universities,
starting with Tsinghua University, on cloud-related academic programs. Chinas
unfavorable environment from the security standpoint, however, led to the companys
withdrawal from China.

Page 23 of 23