softwss

PTC’11 Proceedings

Page 1 of 23

PRIVACY AND SECURITY ISSUES IN CLOUD COMPUTING Nir Kshetri Associate Professor The University of North Carolina-Greensboro, USA ABSTRACT Cloud computing is a double-edged sword from the privacy and security standpoints. Despite its potential to provide a low cost security, organizations may increase risks by storing sensitive data in the cloud. In this paper, we analyze how the cloud’s characteristics such as newness, nature of the architecture, and attractiveness and vulnerability as a cybercrime target are tightly linked to privacy and security. We also investigate how the contexts provided by formal and informal institutions affect privacy and security issues in the cloud.

KEYWORDS: Privacy and security, cloud computing, formal institutions, informal institutions, security costs

1. INTRODUCTION

Organizations are using cloud computing (hereinafter: the cloud) to perform increasingly strategic and mission critical functions. At the same time, companies are facing pressures and challenges to protect information assets belonging to their customers and other sensitive data McCafferty, 2010). Unsurprisingly security, privacy and availability are among the topmost concerns in their cloud adoption decisions rather than the total cost of ownership (Brodkin 2010). The cloud is a double-edged sword from the security standpoint. For organizations that lack technological and human resources to focus on security third parties in the cloud can provide low-cost security (Kshetri 2010a). Cloud computing users, on the other hand, face several separate but related security risks (Talbot 2010). The cloud poses various technological as well as institutional challenges. The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to the technology development. Privacy, security and ownership issues related to data stored on cloud currently fall into legally gray areas (Bradley 2010). Some argue that an organization, rather than the cloud provider, is likely legally responsible if customer data stored in the cloud are compromised (Zielinski 2009). A second criticism is that there has been arguably a “disturbing lack of respect for essential privacy” among major cloud providers (Larkin 2010, p. 44). For instance, in a complaint filed with the Federal Trade Commission (FTC), the Electronic Privacy Information Center (EPIC) argued that Google misrepresented the privacy and security of its users’ data (Wittow & Buller 2010). Cloud providers are also criticized on the ground that they do not conduct adequate background security investigations for their employees (Wilshusen 2010). This issue is rather important since significant proportions of cybercrimes are

PTC’11 Proceedings

Page 2 of 23

associated with malicious insiders. Likewise, new bugs and vulnerabilities targeting the cloud are proliferating (Brynjolfsson et al. 2010). Faced with examples such as the above, analysts focusing on the cloud’s security and privacy aspects have tended to divide into two camps. Proponents of the cloud argue that economies of scale allow third parties to provide a low cost security. This benefit is especially important for small and medium sized enterprises (SMEs), which lack resources to address human and technological issues related to security. A study of the European Network and Information Security Agency noted: “The same amount of investment in security buys better protection [in the cloud]” (ENSIA 2009, p. 7). Some argue that since security is not a core activity for most businesses, it makes sense to outsource this function to a third-party such as a cloud provider (Khalili 2010)1. Critics have raised concerns about privacy and security associated with unauthorized access and use of information stored in the cloud for malicious purposes (McCreary 2008). A commonplace observation is that while cloud providers offer sophisticated services, their performances have been weak in policies and practices related to privacy and security (Wittow & Buller 2010; Greengard & Kshetri 2010). Businesses and consumers have expressed distrust in the cloud and are cautious in using it to store high-value data or sensitive information. Due to weak security, the cloud arguably remains “a largely nascent technology” (Stewart 2010) and critics have argued that its costs may outweigh the benefits (Tillery 2010)2. According to an IDC report released by the research firm, International Data Corporation (IDC) in October 2008, security concern was the most serious barrier to cloud adoption for organizations3. Organizations rightfully worry about hidden costs associated with security breaches or lawsuits tied to data privacy restrictions (Zielinski 2009). In this paper, we would argue that issues related to security and privacy in the cloud, while well documented, are only partially understood. Although researchers have acknowledged the role of privacy and security issues in cloud related investment decisions, they have paid relatively less attention to how institutional contexts such as structures of the markets, legal and political environment as well as inter-organizational and intra-organizational arrangements affect the ways in which such decisions are made. The purpose of our study is to fill this void. The factors related to privacy and security issues of the cloud focused in the paper can be described by considering a broad approach to institutions, which defines the concept in terms of a game’s equilibrium. Three factors that determine an equilibrium include “(i) technologically determined external constraints; (ii) humanly devised external constraints, and; (iii) constraints developed within the game through patterns of behavior and the creation of expectations” (Snidal 1996, p. 128). For simplicity, however, technological factors are discussed separately in this paper instead of lumping with institutions. Before proceeding, we offer some clarifying definitions. Cloud computing involves hosting applications on servers and delivering software and services via the Internet. In the cloud computing model, companies can access computing power and resources on

PTC’11 Proceedings

Page 3 of 23

the “cloud” and pay for services based on usage. Institutions are the “rules of the game” (North 1990) and include “formal constraints (rules, laws, constitutions), informal constraints (norms of behavior, conventions, and self-imposed codes of conduct), and their enforcement characteristics” (North 1996, p. 344). The paper is structured as follows. We proceed by first discussing the elements of our proposed model on institutional and technological environment facing the cloud. It is followed by a section on discussion and implications. The final section provides concluding comments.

2. TECHNOLOGICAL AND INSTITUTIONAL ENVIRONMENT FACING THE CLOUD

Issues revolving around privacy, and ownership and access to data raise interesting questions in the cloud. As a visual aid, Figure 1 schematically represents how privacy and security issues in the cloud are tightly linked to the institutional and technological environments. We discuss the building blocks of the model in this section. Various characteristics of the cloud affect organizations’ perceptions of confidentiality, integrity, and availability of the cloud (Left part of Figure 1). Formal and informal institutions, on the other hand, affect perception of legitimacy and trustworthiness of the cloud (Right part of Figure 1). Assessment of institutional and technological facilitators and inhibitors affect organizations’ adoption decisions (Figure 1).

Figure 1 about here

Institutional actors’ responses lag behind the technological changes (Katyal 2001; Brenner 2004). Moreover, institutional actors vary in their timing of responses. For instance, whereas trade and professional associations and industry standard organizations are taking measures to respond to security and privacy issues in the cloud, government agencies have been slow to adopt necessary legislative, regulatory and other measures to monitor users and providers of the cloud.

2.1. TECHNOLOGICAL ENVIRONMENT

2.1.1. THE CLOUD’S NEWNESS AND UNIQUE VULNERABILITIES The cloud’s newness and uniqueness present special problems. With the evolution and popularity of virtualization technology, new bugs, vulnerabilities and security issues are being found (Brynjolfsson et al. 2010). The cloud, however, is not a familiar terrain for most IT security companies. A lack of mechanisms to guarantee security and privacy has been an uncomfortable reality for many cloud providers. One problem found in network virtualization is that a user may be able to access to the provider’s sensitive portions of infrastructure as well as resources of other users (Armbrust et al. 2010). In August 2010, the U.S. National Institute of Standards and Technology announced a vulnerability in which a cloud user can cross from one client environment to other client environments that are managed by the same cloud provider

PTC’11 Proceedings

Page 4 of 23

(NIST 2009). Experts argue that such vulnerabilities could have more adverse impacts in the cloud than in an on-premise computing (Owens 2010). The cloud is also forensically challenging in the case of a data breach. For instance, some public cloud systems may store and process data in different jurisdictions, which vary in terms of laws related to security, privacy, data theft, data loss and intellectual property theft (McCafferty 2010). Some organizations may encrypt their data before storing in the cloud. These factors are likely to make forensic investigation complex and time consuming (Taylor et al. 2010). 2.1.2. NATURE OF THE ARCHITECTURE Virtual and dynamic The virtual and dynamic nature of the cloud computing architecture deserves mention. For one thing, the shared and dynamic resources of the cloud such as CPU and networking reduce control for the user and tend to pose new security issues not faced by on-premise computing (Brynjolfsson et al. 2010). A related point is that these characteristics of the cloud allow data and information to distribute widely across many jurisdictions. The locations where data are stored may vary in laws regarding security, privacy, data theft, and protection of intellectual property (McCafferty 2010). Virtualization is the primary security mechanism in the cloud. Nonetheless, some resources are not virtualized. Virtual systems, despite their insulation from the customer, run on physical systems (Sturdevant 2010). Moreover, virtualization environments are not necessarily bug-free (Armbrust et al. 2010). Sophistication and complexity The cloud’s security related problems can also be linked to its sophisticated and complex architecture. In April 2010, U.S. and Canada-based researchers published a report on a sophisticated cyber-espionage network, which they referred as Shadow network. The targets included the Indian Ministry of Defense, the United Nations, and the Office of the Dalai Lama. The report noted: “Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command and control architectures” (IWMSF 2010). Another problem concerns the cloud’s complexity4. An important trend facilitated by the cloud is social media, which are arguably “corporate security nightmare” (BBW 2010). In the Shadow case noted above, the cyber-espionage network combined social networking and cloud platforms, including those of Google, Baidu, Yahoo!, Twitter, Blogspot and blog.com with traditional command and control servers (IWMSF 2010). 2.1.3. ATTRACTIVENESS AND VULNERABILITIES OF THE CLOUD AS A CYBERCRIME TARGET Earlier we mentioned that the cloud can provide a low cost security due to economies of scales. However, an unintended downside of cheap services is more security issues5.

PTC’11 Proceedings

Page 5 of 23

Value of data in the cloud Target attractiveness depends on offenders’ perceptions of victims. Prior research indicates that crime opportunity is a function of target attractiveness, which is measured in monetary or symbolic value and portability (Clarke 1995). Target attractiveness is also related to accessibility—visibility, ease of physical access, and lack of surveillance (Bottoms & Wiles 2002). Large companies’ networks offer more targets to hackers. Cloud suppliers, which often are bigger than their clients, are attractive targets. The cloud thus offers a high “surface area of attack” (Talbot 2010). That is, information stored in clouds is a potential goldmine for cyber-criminals (Kshetri 2010a). In late 2009, Google explained that the company discovered a China-originated attack on its infrastructures. The company further noted that the attack was part of a larger operation, which infiltrated infrastructures of at least 20 other large companies. In the early 2010, Yale University postponed its plan to move its Webmail service to Google Apps tailored for students and faculty. Analysts argued that Google's size and visibility makes it more susceptible to cyber-attacks (eweek.com 2010). Criminal-controlled clouds The cloud is potentially most vulnerable, especially when viewed against the backdrop of criminal owned-clouds operating in parallel. Just like diamond is the only material hard enough to cut diamond effectively, criminal-owned clouds may be employed to effectively steal data stored in clouds. The cloud may provide many of the same benefits to criminals as for legitimate businesses. The well-known Conficker virus, which reportedly controls 7 million computer systems at 230 regional and country top-level domains and has a bandwidth capacity of 28 terabits/second is arguably the world’s biggest cloud and probably the most visible example of a criminal-owned cloud. Just like legitimate clouds, Conficker is available for rent. Cybercriminals can choose a location they want to rent Conficker and pay according to the bandwidth they want and choose an operating system (Mullins 2010)6.

2.2. INSTITUTIONAL ENVIRONMENT

Institutional theory is described as “a theory of legitimacy seeking” (Dickson et al., 2004, p. 81). To gain legitimacy, organizations adopt behaviors irrespective of the effect on organizational efficiency (Campbell 2004). Institutional influence on adoption decisions related to the cloud becomes an admittedly complex process when providers and users of the cloud have to derive legitimacy from multiple sources such as employees, clients, client customers, professional and trade associations and governments. Scott (2001) proposed three institutional pillars: (i) regulative; (ii) normative and (iii) cognitive7, 8. These pillars relate to “legally sanctioned”, “morally governed” and “recognizable, taken-for-granted” behaviors respectively (Scott et al. 2000, p. 238). The following examples further illustrate the three pillars from the standpoint of security and privacy in cloud computing.

PTC’11 Proceedings

Page 6 of 23

European Union (EU) countries’ strong data privacy laws prevent the movement of identifiable individuals’ data to jurisdictions that do not provide the same levels of protection. Privacy regulations (regulative institutions) have arguably hindered the diffusion of the cloud in the EU countries (Bradner 2010). Edelman and Suchman (1997) note: “the legal rules ‘cause’ the organizational practices (or vice versa) is, at best, a gross simplification”. Many cloud vendors emphasize their security credentials by communicating potential clients that they have completed a SAS 70 audit (normative institutions) (Brodkin 2010). An organization’s cloud adoption decision also depend on its perception of a cloud provider’s ability to protect the organization’s data from a third party, make the data available whenever the organization needs them and a trust that the provider would not exploit its clients data (cognitive institutions) (Talbot 2010). The cloud industry is undergoing a major technological upheaval. In such situations, for various actors, the institutional context may not provide organizing templates, models for action, and sources of legitimacy (Greenwood & Hinings 1993). In most cases, such changes create confusion and uncertainty and produce an environment that lacks norms, templates, and models about appropriate strategies and structures (Newman 2000). Existing institutions are hopelessly inadequate and obsolete to deal with the security and privacy problems facing the cloud industry. For instance, cloud computing has challenged traditional institutional arrangements and notions about auditing and security (Messmer 2010). 2.2.1. THE NATURE OF REGULATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY Regulative institutions9 consist of “explicit regulative processes: rule setting, monitoring, and sanctioning activities” (Scott 1995, p. 35). In the context of this paper, regulative institutions consist of regulatory bodies (such as the US Department of Justice and the US Department of Homeland Security) and existing laws and rules (e.g., the Patriot Act, Sarbanes-Oxley (SOX) and Health and Human Services Health Insurance Portability and Accountability Act (HIPAA) in the U.S.) that influence individuals and organizations to behave in certain ways (Scott 1995). Individuals and organizations adhere to the rules so that they would not suffer the penalty for noncompliance (Hoffman 1999). Laws to deal with data on the cloud The importance of regulative institutions such as laws, contracts and courts in the cloud industry should be obvious if this industry is viewed against the backdrop of the current state of security standards. In the absence of radical improvements in security technology, such institutions become even more important (Armbrust et al. 2010). The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to the cloud technology development. Compliance frameworks such as SOX, HIPAA and PCI-DSS (Payment Card Industry Data Security Standard) do not clearly define the guidelines and requirements for data stored on the cloud (Bradley 2010). Cloud computing thus poses various challenges and constraints for companies that have responsibilities to meet stringent compliance related to these frameworks and reporting requirements for their data (McCafferty 2010; NW 2010).

PTC’11 Proceedings

Page 7 of 23

The cloud has several important new and unique features, which create problems in writing contracts. For instance, an analysis of the contracts between Google and Computer Sciences Corporation (CSC) with the City of Los Angeles indicated several problems related to data breach and indemnification of damages. Google was a CSC subcontractor in the arrangement. An attorney analyzing the case noted that some of the complexity in the case would have been avoided if the term "lost data" was defined more clearly in the contracts (NW 2010). While some experts understandably argue that it would not be practical to hold cloud providers liable for everything (TR 2010), current regulations are heavily biased in favor of cloud providers (and against the users). For instance, in the event of a data breach in the cloud, the client, not the vendor, may be legally responsible (Zielinski 2009). According to the Federal Information Security Management Act (FISMA), cloud providers are required to keep sensitive data belonging to a federal agency within the country. While Google Apps are FISMA certified for its government cloud, which is not necessarily the case for the private industry (Brodkin 2010). Regulatory overreach There have been concerns about possible overreach by law enforcement agencies. In the U.S., for instance, thanks to the 2001 Patriot Act, the federal government can ask service providers to provide details of an Internet user’s online activities without telling the Internet user about it. The FBI's audits indicated the possibility of “overreach” by the agency in accessing Internet users’ information (Zittrain 2009). For some analysts, the biggest concern has been the government’s increased ability to access business and consumer data and censor and a lack of constitutional protections against these actions (Talbot 2010). The cloud is likely to make it easier for governments to spy on citizens. Governments worldwide, however, differ in their approach to and scale of web censorship and surveillance. Especially, the cloud is likely to provide authoritarian regimes a fertile ground for cyber-control activities10. The cloud as the ultimate spying machine: There are stories of espionage activities’ successful transition to cyber-espionage2.0. National and international security issues arise from the cloud’s potential to be the ultimate spying machine. A Google's report released in April 2010 is especially timely and enlightening. The company described how government authorities around the world request the company for private information and to censor its applications. 2.2.2. THE NATURE OF NORMATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY Normative components introduce “a prescriptive, evaluative, and obligatory dimension into social life” (Scott 1995, p. 37). This component focuses on the values and norms held by individuals and organizations that influence the functioning of the cloud industry11. Practices that are consistent with and take into account the different assumptions and value systems are likely to be successful (Schneider 1999). Normative institutions also include trade associations, professional associations (e.g., The

PTC’11 Proceedings

Page 8 of 23

American Institute of Certified Public Accountants), or non-profit organizations (e.g., Electronic Privacy Information Center) that can use social obligation requirements (e.g., ethical codes of conduct) to induce certain behaviors in the cloud industry. Professional associations’ measures Compared to established industrial sectors, in nascent and formative sectors such as cloud computing, there is no developed network of regulatory agencies (Powell, 1993). For instance, there are few, if any, national or international legal precedents for the cloud industry (McCafferty 2010). As a consequence, there is no stipulated template for organizing, and thus pressures for conformity are less pronounced (Greenwood & Hinings 1996). In such settings, professional and trade associations may emerge to play unique and important roles in shaping the industry (Kshetri & Dholakia 2009). These associations’ norms, informal rules, and codes of behavior can create order, without the law’s coercive power, by relying on a decentralized enforcement process where noncompliance is penalized with social and economic sanctions (North 1990). Various professional and trade associations are also constantly emerging and influencing security and privacy issues in the cloud in new ways as a result of their expertise and interests in this issue. A visible example is the Cloud Security Alliance (CSA) (www.cloudsecurityalliance.org), a group of information security professionals. The CSA is is working on a set of best practices as well as information security standards for cloud providers (Crosman 2010). To take another example, the American Institute of Certified Public Accountants is making efforts to accelerate cloud adoption among its 350,000 members12. AICPA’s endorsements are based on an extensive due diligence on the security practices of the vendors (McCann 2010). Industry standards and certification programs Some argue that industry standards organizations may address most of the user concerns related to privacy and security in the cloud industry (Object Management Group 2009). Organizations such as Object Management Group (OMG), the Distributed Management Task Force (DMTF), the Open Grid Forum (OGF), and the Storage Networking Industry Association (SNIA) have made efforts to address security and privacy concerns in the cloud industry (Wittow & Buller 2010). There are no formal processes for auditing cloud platforms (Vizard 2010). Analysts argue that auditing standards to assess a service provider’s control over data (e.g., SAS 70) or other information security specifications (e.g., the International Organization for Standardization’s ISO 27001) are insufficient to deal with and address the unique security issues facing the cloud (Brodkin 2010). Note that these standards and specifications were not developed specifically for the cloud computing. 2.2.3. THE NATURE OF COGNITIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY Cognitive institutions are closely associated with culture (Jepperson, 1991). These components represent culturally supported habits that influence cloud providers’ and

PTC’11 Proceedings

Page 9 of 23

users’ behaviors. In most cases, they are based on subconsciously accepted rules and customs as well as some taken-for-granted cultural account of cloud use (Berger & Luckmann 1967). Scott (1995, p. 40) suggests that “cognitive elements constitute the nature of reality and the frames through which meaning is made”. Cognitive programs are built on the mental maps of individual cloud users and and thus function primarily at the individual level (Huff 1990)13. Compliance in cognitive legitimacy concerns is due to habits. Organizations and individuals may not even be aware that they are complying. Perception of vendor’s integrity and capability Of particular concern is the users’ dependency on cloud vendors’ security assurances and practices. Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be protected from one another (Armbrust et al. 2010). Surveys have shown that potential cloud adopters are concerned about the possibility that service provider’s security might have ineffective or noncompliant controls, which may lead to vulnerabilities affecting the confidentiality, integrity, and availability of data (Wilshusen 2010). Organizations are also concerned that cloud providers may use insecure ways to delete data once services have been provided (Wilshusen 2010)14. Admittedly, data theft, denial-of-service attacks by users, threats from other users, and bugs are not the only-and not the biggest-problem associated with the cloud. There is also a high degree of temptation for the cloud providers or their employees to engage in opportunistic behavior (Armbrust et al. 2010). The cloud thus may also increase exposure to organizational vulnerabilities to insider risks. Indeed, malicious insider risks are among the most important risks that the cyberspace faces. According to a report released by the FBI in 2006, over 40% of attacks originate inside an organization (Regan 2006). Some have raised concerns that service providers do not conduct adequate background security investigations of their employees (Wilshusen 2010). One fear has been that intellectual property and other sensitive information stored in the cloud could be stolen. Worse still, cloud providers may not notify their clients about security breaches. Evidence indicates that many businesses tend to underreport cybercrimes due to embarrassment, concerns related to credibility and reputation damages and fears of stock price drops. A report of the Idaho National Engineering and Environmental Laboratory (http://www.us-cert.gov/control_systems/pdf/oil_gas1104.pdf) noted: “Many of the cyber attacks go unnoticed or may go unnoticed for long periods of time” (p. 2). An organization’s data in the cloud may be stolen but it may not ever be aware that such incidents had happened. A final point concerns the outage problems, which would worsen the economics of cloud computing. For instance, popular clouds such as Google's Gmail, Amazon S3, and those of Salesforce.com and Microsoft have suffered outages. Cloud users’ inertia effects It is quite possible that organizational inertia15 may affect the lens through which users view security and privacy issues in the cloud. Organizational inertia may constraint a firm's ability to exploit emerging opportunities such as cloud computing (Dean & Mayer

PTC’11 Proceedings

Page 10 of 23

1996). An inertia effect (resistance to change) is likely to adversely influence an organization’s assessment of the cloud from the security and privacy standpoints. Reduction in control is an obvious concern. Cloud users don’t have access to the hardware and other resources that store and process their data. There is no physical control over data and information in the cloud (Wilshusen, 2010). The shared and dynamic resources in the cloud environment reduce control (Brynjolfsson et al. 2010). Moreover, while the client has no control over the data managed by the cloud provider, cloud services contracts often stipulate that data protection is the former’s responsibility (Crosman 2009). A case in point is Google. The company provides security and privacy assurances to its Google Docs users unless the users publish them online or invite collaborators. However, Google service agreements explicitly make it clear that the company provides no warranty or bears no liability for harm in case of Google’s negligence to protect the privacy and security (Wittow & Buller 2010). Just as important is preference for localness. From the standpoint of security, most users prefer computing to be local (Brynjolfsson et al. 2010). Organizations arguably ask: “who would trust their essential data out there somewhere?” (Armbrust et al. 2010).

3. DISCUSSION

It is important to emphasize that the model presented by figure 1 is dynamic in nature. We anticipate that the salience of each component of institutional and technological factors will vary across organizations as well as over time. For instance, barriers associated with newness and inertia effects are likely to decline over time. On the other hand, as the penetration level, width and depth of cloud increases, it is likely to be a more attractive cybercrime target. One implication of the dynamic aspects of the model is that institutions change over time in the cloud industry. The idea of institutional field can be helpful in understanding this dynamic. A field is “formed around the issues that become important to the interests and objectives of specific collectives of organizations” (Hoffman 1999, p. 352)16. For a field formed around privacy and security in the cloud, these organizations include regulatory authorities (e.g., the FTC), providers and users of the cloud as well as professional and trade association. The “content, rhetoric, and dialogue” among these constituents influence the nature of field formed around the security and privacy issues associated with the cloud (Hoffman 1999, p. 355). An understanding of arbiters would provide important insight into the sources of institutional change in the cloud industry. Wiesenfeld et al. (2008) have identified three categories of “arbiters”— social, legal, and economic17. Much of the early evidence indicates that institutions in the cloud industry should rebalance towards a higher power of the users. Experts argue that courts (legal arbiters) are likely to take a “middle ground” and make providers liable for breach (TR 2010). The Electronic Privacy Information Center (EPIC) (a social arbiter) filed a complaint with the Federal Trade Commission (FTC) against Google’s cloud services. EPIC made the point that Google

PTC’11 Proceedings

Page 11 of 23

does not adequately safeguard users’ confidential information. It requested the FTC to open an investigation into Google’s Cloud services18 (Wittow & Buller 2010). Likewise, experts argue that market forces and consumer demands (economic arbiters) are likely to drive a lot of privacy changes in cloud computing (TR 2010).

3.1. MANAGERIAL AND POLICY IMPLICATIONS

The model presented in this paper also has implications for management practice and public policy. Most cloud providers’ services come with no assurance or promise of a given level of security and privacy. Cloud providers lack policies and practices related to privacy and security. Nor is that their only problem. Cloud providers have also demonstrated a tendency to reduce their liability by proposing contracts with the service provided “as is” with no warranty (McCafferty 2010). Perception of ineffectiveness or noncompliance of cloud providers may thus act as a roadblock to organizations’ cloud adoption decisions. In this regard, above analysis indicates that security and privacy measures designed to reduce perceived risk as well as transparency and clear communication processes would create a competitive advantage for cloud providers. The newness and uniqueness of the cloud often mean that clients would not know what to ask for in investment decisions. An understanding of model would also help organizations take technological, behavioral and perceptual/attitudinal measures. The users of the cloud are functioning on the assumption that cloud providers take privacy and security issues seriously (Wittow & Buller 2010). However, against the backdrop of the institutional contexts, this may well be a convenient but possibly false assumption. The model also leads to useful questions that need to be asked before making cloud related investments. Given the institutional and technological environment, potential adopters should ask tough questions to the vendor regarding certification from auditing and professional organizations (e.g., AICPA), locations of the vendor’s data centers, and background check of the vendor’s employees, etc. The above analysis suggest that a one size fits all' approach to the cloud cannot work. The model presented in Figure 1 would also help in making strategic decisions. For instance, organizations may have to make decisions concerning combinations of public and private clouds19. For instance, the public cloud is effective for an organization handling high-transaction/low-security or low data value (e.g., sales force automation). Private cloud model, on the other hand, may be appropriate for enterprises that face significant risk from information exposure such as financial institutions and health care provider or federal agency. For instance, for medical-practice companies dealing with sensitive patient data, which are required to comply with the HIPAA rules, private cloud may be appropriate. In general, legal systems take long time to change (Dempsey 2008). Regulative institutions related to liability and other issues in the cloud are not well developed. Cloud providers may feel pressures to obtain endorsements from professional societies.

PTC’11 Proceedings

Page 12 of 23

AICPA’s endorsements have driven the diffusion of cloud applications among some CPA firms. Today, accurately or not, businesses are concerned about issues such as privacy, availability, data loss (e.g., shutting down of online storage sites), data mobility and ownership (e.g., availability of data in usable form if the user discontinues the services) (Martin 2010). Cloud providers are criticized on the ground that they do not answer questions and fail to give enough evidence to trust them (Brodkin 2010)20,21. In this regard, many of the user concerns can be addressed by becoming more transparent. Since geographic dispersion of data is an important factor associated with cost and performance of the cloud, an issue that deserves mention relates to regulatory arbitrage. Experts expect that countries update their laws individually rather than to act in a multilateral fashion (TR 2010). Economies worldwide vary greatly in terms of the legal systems related to the cloud. Due to the newness, jurisdictional arbitrage is higher for the cloud compared to the IT industry in general. In this regard critics are concerned that cloud providers may store sensitive information in jurisdictions that have weak laws related to privacy, protection and availability of data (Edwards 2009). Anecdotal evidence suggests that due to increasingly important roles in national security, many high technology sectors are characterized by a high degree of protectionism. The atmosphere of suspicion and distrust among states can lead to such protectionism. To capture the feelings that accompany intergovernmental distrust, consider the U.S.-China trade and investment policy relationship. Chinese leaders are suspicious about possible cyber-attacks from the U.S. There has been a deep rooted perception among Chinese policy-makers that Microsoft and the U.S. government spy on Chinese computer users through secret ‘back doors’ in Microsoft products22 (Adams 2001). Chinese leaders thus may be uncomfortable with the idea of storing data on clouds provided by foreign multinationals. U.S. policy makers are equally concerned about Chinese technology firms’ internationalization23. The above analysis indicates that such concerns are likely to be even more prominent in cloud computing. Cyber-espionage has been an obvious application of the cloud. If there is any lesson that recent major cyber-espionage activities teach, it is that countries with strong cyber-spying and cyber-warfare capabilities such as China will be in a good position to exploit the cloud’s weaknesses for such activities. In view of the technological capabilities of extra-legal and illegal organizations, one area that deserves attention is the escalation of economic and industrial espionage activities such as intellectual property theft. There have been reports that U.S. government agencies such as the Defense Department as well as private companies have been targets and victims of such activities24. It is thus reasonable to expect that the cloud may enable an upgrade of these activities to industrial espionage2.0. Cloud security and developing countries

PTC’11 Proceedings

Page 13 of 23

Some analysts suggest that developing countries will be attractive markets for cloud services and predict that this technology will soon make “healthcare 2.0,” “banking 2.0,” and “education 2.0” realities in these countries (Economist 2008). At the same time, however, criminal practices on the Internet have upgraded to cybercrime2.0 (Kshetri 2010a). Nonetheless, security and privacy issues in the developing world need to be viewed in the context of weak defense mechanisms of organizations. Information technology’s hollow diffusion concept can be helpful in understanding a weak defense. Many companies in developing countries lack technological and human resources to focus on security. Hollow diffusion can be human-related (lack of skill and experience) or technology-related (inability and failure to use security products) (Otis & Evans 2003)25. Especially for developing-based organizations that do not deal with high-value and sensitive data the cloud may provide low-cost security to address some of the security-related human (e.g. installing/maintaining software) and technological issues. Providers and users of the cloud face additional challenges in developing economies. Various aspects of the institutional environment may weaken the cloud’s value proposition and discourage investors. In many developing countries, factors such as corruption, the lack of transparency, and a weak legal system can exacerbate security risks. The high-profile attacks on Google cloud allegedly by China-based hackers in 2009 were an eye opener for the cloud industry26. A final issue that deserves mention relates to the impacts of clouds controlled by the developing world players on security issues of industrialized countries. It is tempting for global cloud players to use cheaper hosting services in developing countries. Cyber-criminals, however, find it more attractive to target rich economies. For instance, the U.S. is the No. 1 target for cyber-attacks. Since many developing countries are top cybercrime sources (Kshetri 2010b), security risks associated with the diffusion of clouds in these countries may spread to industrialized countries. Security concerns as a source of a negative country-of-origin effect Developing world-based cloud providers are internationalizing (Kshetri 2010a). They may face barriers due to the pervasive perceptions of weak security. One concern is that institutional environment in these countries is insufficient to guarantee security and privacy of client data. The prospect of civil and criminal prosecution is weak when security breaches and privacy violations take place in a country with a weak rule of law. Observers, for instance, have noted that Indian cybercrime law and privacy enforcement are weak. A related point is that European or U.S. data protection laws cannot be enforced in India. Likewise, partly due to real and/or perceived government control, China-based cloud providers may be perceived less trustworthy and need to combat the effects of negative country of origin images and stereotypes.

3.2. FUTURE RESEARCH

Before concluding, we suggest several potentially fruitful avenues for future research. Cloud-related institutions are currently thin and dysfunctional. For instance, as noted

PTC’11 Proceedings

Page 14 of 23

above, privacy and security issues of data stored on the cloud currently fall into a legally gray area. Future research might examine how political, ethical, social and cultural factors are associated with security issues in cloud computing. Prior research conducted in other sectors (e.g., chemical industry) indicates that institutional evolution entails transitions among the three institutional pillars—regulative, normative, and cognitive. Building a regulative/law pillar system is the first stage of field formation. It is followed by a formation of normative institutions and then cognitive institutions (Hoffman 1999). A comparison of institutional evolution in the cloud industry with that in other economic sectors might be worthwhile target of study. Second, an empirical examination of core premises and propositions of the model presented by Figure 1 would be useful to advance the model's utility as a viable framework for studying the technological and institutional drivers of the cloud industry. Such a study would shed light on the relative importance of various components of the model in organizations’ cloud adoption decision. Finally, future research might also explore antecedents of organizations’ cloud computing decisions in terms of various technological dimensions identified in the prior literature. One avenue would be to test how the cloud performs in terms of major dimensions proposed by Rogers (1995) such as relative advantage, compatibility, complexity, observability and trialability.

4. CONCLUDING COMMENTS

Virtualized resources in the cloud lower upfront investment and product development costs. However, the low cost comes with a trade-off. The above analysis suggests that it is too simplistic to view the cloud as a low-cost security. Legitimate as well as illegitimate organizations and entities are gaining access to data on the cloud through illegal, extralegal, and quasi-legal means. The cloud’s diffusion and that of social media have superimposed onto organizations’ rapid digitization in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the cloud’s weaknesses. The above analysis thus indicates that ensuring that both technological and behavioral/perceptual factors are given equal consideration in the design and implementation of a cloud network is thus crucial. Existing institutions are subject to powerful environmental selection mechanisms (Gilson 2001). Existing institutions are likely to be exposed and restructured to support a new set of beliefs and actions and the rules are likely to be revised. New institutions and the redesign of existing institutions are needed to confront emerging security and privacy problems in the cloud industry. There is an indication that existing institutions related to the cloud are thickening. In this regard, the war for the future of security and privacy issues in the cloud is just beginning. Tough analysts of cloud security are gaining new credibility. For instance, a new way of auditing specifically designed for the cloud industry is evolving. Overall, it is fair to say that privacy and security issues related to the cloud industry are undergoing political, social, and psychological metamorphosis.

PTC’11 Proceedings

Page 15 of 23

REFERENCES

Adams, J. Virtual defense, Foreign Affairs vol. 80, no. 3, 2001, 98–112.

Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), 50-58.

Barnett, W. P., & Carroll, G. R. (1993). How institutional constraints affected the organization of early US telephonies. Journal of Law, Economics and Organization, 9, 98–126.

Berger, P. L., & Luckmann, T. (1967). The social construction of reality: A treatise in the sociology of knowledge. New York: Doubleday.

BBW (Bloomberg Businessweek). (2010). Salesforce.com Channels Facebook. August 30-September 5, 34-35.

Bottoms, A. E., &Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, 620–656.

Bradley, T. (2010). Build Your Own Private Azure Cloud with New Microsoft Appliance. PC World, July 13, 2010, available at http://www.pcworld.com/businesscenter/article/200988/build_your_own_private_azure_clouc_with_new_microsoft_appliance.html?tk=hp_blg. Accessed September 20, 2010.

Bradner, S. (2010). Internet privacy conflicts. Network World, September 27, 2010, 27(18), 15-15.

Brenner, S. W. (2004). Toward a criminal law for cyberspace: A new model of law enforcement? Rutgers Computer and Technology Law Journal, 30 (2004), 1-9.

Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), 1-27.

Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), 32-34.

Campbell, J. L. (2004). Institutional Change and Globalization. Princeton, NJ: Princeton University Press.

Clarke, R. V. (1995). Situational crime prevention. In M. Tonry & D. P. Farrington (Eds.), Building a safer society. Strategic approaches to crime (pp. 91–150). University of Chicago Press.

Crosman, P. (2009). Securing The Clouds, Wall Street & Technology, December 1, pp.23.

Dean, T. J., & Meyer, G. D. (1996). Industry Environments and New Venture Formations in U.S. Manufacturing: a Conceptual and Empirical Analysis of Demand Determinations. Journal of Business Venturing, 11, 107-132.

Del Nibletto, P. (2010). The seven deadly sins of cloud computing, March 19, 2010, available at http://www.itbusiness.ca/it/client/en/home/News.asp?id=56870. Accessed July 24, 2010.

Dempsey, P. J. (2008). Unprepared to fight worldwide cyber crime, available at http://www.internetevolution.com/author.asp?section_id=593&doc_id=147027&piddl_msgid=154774#msg_154774. Accessed October 27, 2009.

PTC’11 Proceedings

Page 16 of 23

Dickson, M., BeShers, R., & Gupta, V. (2004). The impact of societal culture and industry on organizational culture: Theoretical explanations. In J. H. Robert, J. H. Paul, J. Mansour, W. D Peter, & and G. Vipin (eds). Culture, leadership, and organizations: the GLOBE study of 62 societies. Thousand Oaks, Calif: Sage Publications.

Economist, (2008). The Long Nimbus, 25 October, special section, pp. 15-17.

Edelman, L. B., & Suchman, M. C. (1997). The legal environments of organizations. Annual Review of Sociology, 23, 479–515.

Edwards, J. (2009). Cutting Through the Fog of Cloud Security. Computerworld, 43(8), 26-29.

ENSIA. (2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency, November, available at http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport. Accessed July 21, 2010.

eweek.com. (2010). Did Yale Postpone Move to Google Apps over China Flap?, March 31, 2010, available at http://googlewatch.eweek.com/content/google_apps/did_yale_postpone_move_to_google_apps_over_china_flap.html. Accessed July 24, 2010.

Gilson, R .J. (2001). Globalizing corporate governance: convergence of form or function. The American Journal of Comparative Law, 49(2001), 329–58.

Greengard, S., & Kshetri, N. (2010). Cloud Computing and Developing Nations. Communications of the ACM, 53(5), 18-20.

Greenwood, R., & Hinings, C. R. (1993). Understanding strategic change: The contribution of archetypes. Academy of Management Journal, 36(1993), 1052-1081.

Greenwood, R., & Hinings, C. R. (1996). Understanding radical organizational change: Bringing together the old and the new institutionalism. Academy of Management Review, 21, 1022–1054.

Guille´n, M. F. & Sua´rez, S. L. (2005). Explaining the Global Digital Divide: Economic, Political and Sociological Drivers of Cross-National Internet Use, Social Forces, 84(2): 681–708.

Hoffman, A. J. (1999). Institutional evolution and change: Environmentalism and the US chemical industry. Academy of Management Journal, 42(4), 351–371.

Huff, A. S. (1990). Mapping strategic thought. In A. S. Huff (eds.). Mapping strategic thought (pp.11–49). Chichester, England: Wiley.

IWMSF (Information Warfare Monitor/Shadowserver Foundation), Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR03-2010, April 6, 2010, available at http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf. Accessed July 24, 2010.

Jepperson, R. (1991). Institutions, institutional effects, and institutionalism. In W. W. Powell & P. J. DiMaggio (eds.). The new institutionalism in organizational analysis (pp. 143–163). Chicago: University of Chicago Press.

PTC’11 Proceedings

Page 17 of 23

Katyal, N. K. (2001). Criminal law in cyberspace. University of Pennsylvania Law Review, 149(4), 1003–1114.

Kelman, S. (1987). Making public policy: A hopeful view of American government. New York: Basic Books.

Khalili, S. S. (2010). Clearing the air on cloud computing. New Straits Times (Malaysia), June 21, 9.

Kshetri, N. (2007). The Adoption of E-Business by Organizations in China: An Institutional Perspective, Electronic Markets, 17(2), 113-125

Kshetri, N. (2010a). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), 47-55.

Kshetri, N. (2010b). The Global Cyber-crime Industry: Economic, Institutional and Strategic Perspectives. New York, Berlin and Heidelberg: Springer-Verlag.

Kshetri, N., & Dholakia, N. (2009). Professional and Trade Associations in a Nascent and Formative Sector of a Developing Economy: A Case Study of the NASSCOM Effect on the Indian Offshoring Industry. Journal of International Management, 15(2), 225-239.

Larkin, E. (2010). Will Cloud Computing Kill Privacy?. PC World, Mar 2010, 28(3), 44-44.

Larsen, E., & Lomi, A. (2002). Representing change: A system Model of organizational inertia and capabilities as dynamic accumulation processes. Simulation Model Practice and Theory, 10(5), 271-296.

Martin, J. A. (2010). Should You Move Your Business to the Cloud?. PC World, Apr 2010, 28(4), 29-30.

Martínez-Cabrera, A. (2010). Security in the computing cloud a top concern, March 6, 2010, available at http://articles.sfgate.com/2010-03-06/business/18378297_1_cyber-security-czar-howard-schmidt-qualys-rsa. Accessed July 24, 2010.

McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, Mar/Apr2010, 103, 28-33.

McCann, D. (2010). Posted in: Accountants Head to the Cloud, CFO.com, March 24, 2010, available at http://cfo.com/article.cfm/14484960/c_14485112?f=home_todayinfinance. Accessed July 24, 2010.

McCreary, L. (2008). What Was Privacy? Harvard Business Review, 86(10), 2008.

Messmer, E. (2010). Cloud computing providers working in secret. Network World, July 12, 2010, 27(13), 10-11.

Messmer, E. (2010). Secrecy of cloud computing providers raises IT security risks, available at http://www.mis-asia.com/news/articles/secrecy-of-cloud-computing-providers-raises-it-security-risks. Accessed July 24, 2010.

Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24, 2010.

PTC’11 Proceedings

Page 18 of 23

NW (Network World). (2010). Inside the cloud security risk, 27(13), p. 11.

Newman, K. L. (2000). Organizational transformation during institutional upheaval. The Academy of Management Review, 25(3), 602-619.

NIST (2009). Vulnerability Summary for CVE-2009-3733, 08/21/2010, The US National Institute of Standards and Technology, available at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733. Accessed September 20, 2010.

North, D. C. (1990). Institutions, institutional change and economic performance. Cambridge, UK: Cambridge University Press.

North, D. C. (1996). Epilogue: Economic performance through time. In L. J. Alston, T. Eggertsson & D. C. North (eds.). Empirical studies in institutional change (pp. 342–355). Cambridge, PA: Cambridge University Press.

Object Management Group. (2009). Cloud-Standards.org, Major Standards Development Organizations Collaborate to Further Adoption of Cloud Standards, available at http://www.omg.org/news/releases/pr2009/07-13-09.htm. Accessed October 14, 2010.

Otis, C. & Evans, P. (2003). The Internet and Asia-Pacific Security: Old Conflicts and New Behavior, Pacific Rev.16,(4), 549-550.

Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), 46-51.

Powell, W. W. (1993). The Social Construction of an Organizational Field: The Case of Biotechnology. Paper presented at the Warwick-Venice Workshop on perspectives on strategic change, University of Warwick.

Regan, K. (2006). FBI: Cybercrime Causes Financial Pain for Many Businesses, technewsworld, available at http://www.technewsworld.com/story/48417.html. Accessed October 1, 2007.

Rogers, E. M. (1995). Diffusion of innovations. Fourth edition. New York: Free Press.

Schneider, A. (1999). US neo-conservatism: Cohort and cross-cultural perspective. The International Journal of Sociology and Social Policy, 19(12), 56–86.

Scott, R. (1995). Institutions and organizations. Thousand Oaks, CA: Sage.

Scott, R. (2001). Institutions and organizations. Thousand Oaks, CA: Sage.

Scott, W. R., Ruef, M., Mendel, P. J., & Caronna, C. A. (2000). Institutional change and healthcare organizations: From professional dominance to managed care. Chicago, IL: University of Chicago Press.

Snidal, D. (1996). Political economy and international institutions. International Review of Law and Economics, 16(1), 121–137.

Stewart, B. (2010). Apple Keeps iTunes Out of the Cloud. Information Today, Oct 2010, 27(9), 46-46.

Sturdevant, C. (2010). Seeding security into the cloud. eWeek, March 15, 2010, 27(6), 38-38.

Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.

PTC’11 Proceedings

Page 19 of 23

Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), 304-308.

TR (Telecommunications Reports). (2010). Microsoft Urges Policymakers To Help Secure Cloud Computing, 76(3), 18-19.

Tillery, S. (2010). How Safe Is the Cloud?, available at http://www.baselinemag.com/c/a/Security/How-Safe-Is-the-Cloud-273226. Accessed July 24, 2010.

Vardi, N. (2005). Chinese takeout. Forbes, July 25, p. 54.

Vizard, M. (2010). Assessing the Risks of Cloud Computing, Oct 11, 2010, available at http://www.itbusinessedge.com/cm/blogs/vizard/assessing-the-risks-of-cloud-computing/?cs=43712. Accessed July 24, 2010.

Wiesenfeld, B. M., Wurthmann, K. A., & Hambrick, D. C. (2008). The stigmatization and devaluation of elites associated with corporate failures: A process model. Academy of Management Review, 33(1), 231–251.

Wilshusen, G. C. (2010). Information Security Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. GAO Reports, July 1, 2010, preceding pp. 1-48.

Wittow, M. H., & Buller, D. J. (2010). Cloud Computing: Emerging Legal Issues for Access to Data, Anywhere, Anytime. Journal of Internet Law, Jul 2010, 14(1), 1-10.

Zielinski, D. (2009). Be Clear on Cloud Computing Contracts. HRMagazine, Nov, 54(11), 63-65.

Zittrain, J. (2009). Lost in the Cloud. The New York Times, Late Edition – Final, Section A, (July 2009), 19.

PTC’11 Proceedings

Page 20 of 23

Figure 1: A framework for understanding security and privacy issues facing the

cloud

Technological environment Institutional environment

Regulative

institutions

Normative

institutions

Attractiveness and

vulnerability as a

cybercrime target

Virtual and

dynamic Value of

data in the

cloud

Professional

associations’

measures Laws to

deal with

data on the

cloud

Regulatory

overreach

Criminal

controlled

clouds

Industry

standards and certification

programs

Sophistication

and complexity

Nature of the

architecture

Institutional and technological environment

facing the cloud

New and

unique

vulnerabilities

Cloud users’

Inertia effects

Perception of

vendor’s integrity

and capability to

protect from third

party and other risks

Perception of legitimacy and trustworthiness of

the cloud

Newness Cognitive

institutions

Perception of confidentiality, integrity,

and availability of the cloud

Assessment of institutional and technological facilitators and inhibitors

Cloud adoption decision

PTC’11 Proceedings

Page 21 of 23

ENDNOTES: 1 Unsurprisingly the response of the cloud industry has been: “..clouds are more secure than whatever you’re using now” (Talbot 2010). 2 John Chambers, the Cisco Systems chairman, called the cloud a “security nightmare” that “can’t be handled in traditional ways” (Talbot 2010). 3 IDC’s another survey conducted in the early 2010 also ranked security concerns as the No. 1 barrier to cloud adoption (Del Nibletto 2010). 4 For instance, an analyst of Gartner noted that it is difficult to know whether cloud providers’ practice of "hiding the data in a million places" ensures a good security as there is no way to evaluate such practice (Messmer 2010).

5 A leader of the cloud security team at the National Institute of Standards and Technology (NIST) was quoted as saying: “Every customer has access to every knob and widget in that application. If they have a single weakness, [an attacker may] have access to all the data” (Talbot 2010). 6 Customers also have a range of options for the type of services to put in the Conficker such as a denial-of-service attack, spreading malware, sending spam or data exfiltration 7 The formation of regulative pillar is characterized by the establishment of legal and regulatory infrastructures to deal with the cloud industry (Hoffman, 1999). A normative institutional pillar is said to be established if rich and well developed ethical codes, guidelines and traditions develop in the cloud industry. Likewise, a cognitive pillar related to the cloud industry is established if cloud culture is developed that is considered as normal practices. 8 North’s formal constraints can be mapped with Scott’s (1995, 2001) regulative pillar while informal constraints can be mapped with normative and cognitive pillars. 9 These institutions focus on the pragmatic legitimacy concerns in managing the demands of regulators and governments (Kelman 1987). 10 Although over three dozen governments control the online environment, few have done so more skillfully than by China. China’s state strategies toward ICTs have been to balance economic modernization and political control. China has pursued a systematic massive Internet surveillance. Tens of thousands of government agents reportedly engage in cyber-control activities. According to the Berkeley China Internet Project, the Chinese government’s censorship software hides websites containing phrases such as freedom, democracy, China-liberal, and falun (Kshetri 2007). There were also reports that the Chinese government sent virus to attack banned sites (Guille´n & Sua´rez 2007). 11 The basis of compliance in the case of normative institutions derives from professional and social obligations. Non-adherence can thus result in societal and professional sanctions. 12 Paychex, a payroll-solutions provider, was the first cloud provider to win the AICPA's official endorsement. AICPA also endorsed bill.com for invoice management and

PTC’11 Proceedings

Page 22 of 23

payment in 2008. In 2009, it endorsed financial management and accounting software maker Intacct and tax-automation supplier Copanion (McCann 2010). 13 Although carried by individuals, cognitive programs are social in nature (Berger & Luckmann 1967). 14 For instance, it is likely that cloud providers may dispose hard disk without deleting data (Armbrust et al. 2010). 15 Organizational inertia can be defined as formal organizations’ tendency to resist internal changes to respond to external changes (Larsen & Lomi 2002). 16 A field is a dynamic system characterized by the entry and exit of various players and constituencies with competing interests and disparate purposes and a change in interaction patterns among them (Barnett & Carroll 1993). As is the case of any “issue-based” field, these players in the cloud industry continuously negotiate over issue interpretation and engage in institutional war leading to institutional evolution (Greenwood & Hinings 1996). 17 Social arbiters include members of the press, governance watchdog groups, academics, and activists. Legal arbiters are those who play role in enforcing rules and regulations. Economic arbiters make decisions about engaging in economic exchange with individuals. 18 The EPIC’s complaint also argued that the FTC should ban Google from offering services that lack adequate protections of privacy and security of users’ data. 19 While companies have used the cloud for applications such as payroll and email services, security has been the most often-cited barrier to cloud adoption for applications involving sensitive information (Armbrust et al. 2010). 20 Some argue that information about data center locations and practices are arguably treated like “national security secrets” (Messmer 2010). 21 Businesses and industry analysts are concerned about the cloud providers’ ”don't ask, don't tell" approach (Messmer 2010). 22 Computer hardware and software imported from the U.S. and its allies are subject to inspection. Chinese technicians control such imports and resist or closely monitor if Western experts install them. Several years ago, Chinese cryptographers reportedly found an ‘NSA Key’ in Microsoft products, which was interpreted as pertaining to the National Security Agency. The key allegedly provided the U.S. government back-door access to Microsoft Windows 95, 98, NT4 and 2000. Although Microsoft denied this allegation and issued a patch to fix the problem, Chinese officials remain unconvinced. 23 Some U.S. lawmakers argued that Lenovo‘s acquisition of IBM’s PC division could lead to a transfer of advanced technology to the Chinese government. When the U.S. State Department was about to buy Lenovo computers in 2006, politicians and some commentators drew attention to the national security implications of placing Chinese computers into government offices. They argued that Lenovo's connections to the Chinese government could pose a threat.

PTC’11 Proceedings

Page 23 of 23

24 During September 2004 to April 2005, more than a dozen versions of Myfip worm were reportedly used to steal information such as CAD/CAM files containing mechanical designs, electronic circuit board schematics and layouts from U.S. businesses (Vardi 2005). 25 Some ISPs in industrialized countries reportedly block content that originated from problematic networks in developing countries. 26 In 2008, Google CEO said that his company would work with Chinese universities, starting with Tsinghua University, on cloud-related academic programs. China’s unfavorable environment from the security standpoint, however, led to the company’s withdrawal from China.