Cloud Computing Providers: Characteristics and Recommendations

Maciej Lecznar1, Susanne Patig2

SBB AG, Lindenhofstrasse 1, CH-3048 Worblaufen, Switzerland maciej.lecznar@sbb.ch 2 Institute of Information Systems, University of Bern, Engehaldenstrasse 8 CH-3012 Bern, Switzerland susanne.patig@iwi.unibe.ch
1

Abstract. This paper deals with the current reality of cloud computing: First, based on a historical analysis, the core characteristics of cloud computing are summarized and joined together in a general definition; then, two classifications of cloud computing are presented. These results are used to assess the existing cloud computing providers. A sample of success stories is analyzed to find out which benefits were realized by current cloud computing consumers, and we contrast our findings with the ones of other empirical investigations. Finally, the risks of cloud computing are collected from the relevant literature to derive some recommendations. Keywords: Cloud computing, cloud computing providers, benefits, risks.

1 Introduction
The nature of the term is still rather vague [8]: Some see cloud computing as the revolution of computer science [16], others as the evolution of service-oriented architecture [17] or grid computing [28] and the cynics as a new marketing label for well-known practices [9]. Nevertheless, cloud computing can help in reducing the costs for information technology (IT), and for that reason many companies intend to use it. However, these companies are confronted with the following difficulties: First, from a theoretical point of view, the definition and characteristics of cloud computing are not clear. Secondly, several cloud computing providers offer distinct cloud computing services at specific prices, which makes it difficult to compare them. Thirdly, cloud computing carries some risks that should be contrasted with its benefits before it becomes the basis of a companys everyday business. Our paper addresses these difficulties: In Section 2 we derive a general definition of cloud computing and give two classifications of clouds. The results of Section 2 are used to assess current cloud computing providers in Section 3.1. Based on an analysis of success stories, Section 3.2 shows the benefits realized by the current

consumers of each cloud computing provider. Section 4 classifies the risk of cloud computing, and Section 5 gives some recommendations.

2 Cloud Computing
2.1 Defining Cloud Computing The idea of cloud computing is still evolving. Table 1 shows the most popular definitions1. All of them mention several characteristics of cloud computing, which have (in spite of the differing terms) the following generalized intensions: 1. Shared IT resources: Cloud computing pools IT resources to serve several consumers. 2. Capabilities as IT services: What is provided by the shared IT resources (qualitative point of view) meets the consumers specific needs (see Section 2.2) and is available off-the-shelf. 3. Elastic: The provided IT capabilities can be automatically adapted to the varying quantitative demand of the consumers at any time. 4. Measured by use: The (quantitative) usage of the IT capabilities is tracked by metrics to provide transparency for both the provider and consumer of cloud computing. 5. Broad network/Internet access: All IT capabilities are available over a network and accessed via web-based technologies
Table 1. Definitions of cloud computing.
Forrester [27] Standardized IT capability (services, software, or infrastructure) delivered via Internet technologies in a pay-per-use, self-service way IT capability () selfservice way delivered via Internet (5) technologies (2) Characteristics (1) (3) (4) pay-per-use Gartner [20] Style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies Service based U.S. NIST [18] Model for enabling convenient, ondemand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction On-demand self-service

Definition

Uses Internet technologies Broad network access Shared Scalable and elastic Metered by use Resource pooling Rapid elasticity Measured service

These generalized characteristics of cloud computing can be summarized in the following definition, which we use throughout this paper: Cloud computing provides elastic and metered IT capabilities, which are provided by shared IT resources and delivered on demand by web-based technologies.

As we dont derive cloud computing from grid computing, the characteristics in Table 1 differ from the ones in [28].

2.2 Classifications of Cloud Computing In practice, distinct types of cloud computing exist, which differ in the provided IT capabilities and their accessibility. In the following, we present both classifications [18], [21]. Concerning the (qualitative) IT capabilities that are provided and used, the following types of cloud computing can be identified [20]: Software as a Service (SaaS): A (cloud computing2) consumer uses the (cloud computing2) providers applications running on a cloud infrastructure without dealing with the applications management or monitoring. Platform as a Service (PaaS): A preconfigured infrastructure or application platform is provided where a consumer can deploy, test, monitor or develop his own applications, but does not control the underlying IT infrastructure such as storage or network devices. Infrastructure as a Service (IaaS): A consumer uses IT resources (such as storage or network devices) and is allowed to deploy and run arbitrary software, which can include operating systems. The consumer controls operating systems, devices or even the selection of network components and, thus, the IT infrastructure. These xyz as a service-layers can be completed with Communication as a Service and Monitoring as a Service [21]. Communication as a Service (CaaS) means the management of hardware and software required to deliver voice over IP, instant messaging, and video conferencing. Though CaaS capabilities can replace infrastructure components such as a phones or mobile devices, CaaS is based on communication applications (software solutions). Therefore, we include CaaS into the SaaS layer. Monitoring as a Service (MaaS) corresponds to outsourced IT security services because it comprises real-time, 24/7 monitoring and nearly immediate incident response across a security infrastructure [21]. As the security infrastructure consist of hardware such as routers, switches and servers, we subsume MaaS under IaaS. According to the accessibility of a clouds capabilities, the following types of cloud computing can be distinguished [18]: Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud computing services. The applications from several consumers coexist together on the cloud computing providers infrastructure. Public clouds are most often hosted away from the consumers premises, and, thus, reduce risk and cost by flexibly extending the consumers IT infrastructure. Community cloud: The cloud computing infrastructure is shared by several organizations that have common concerns. It may be managed by these organizations or a third party and may exist on or off the consumers premises. As an example, we refer to the SETI initiative [26], where each user adds a part of IT resources to the shared pool for long lasting calculations. Private cloud: The cloud infrastructure is operated solely for an organization and is built for the exclusive use by one consumer. Thus, this cloud computing type
2

For brevity, we omit the terms cloud computing in the following wherever appropriate.

provides the utmost control over data, security, and quality of service. The consumer owns the cloud infrastructure and controls how applications are deployed on it. Private clouds can be built and managed by a companys own IT department or by a cloud computing provider. Hybrid clouds combine two or more types of technical clouds (private, community, or public), which remain unique entities, but are bound together by standardized or proprietary technology to enable data and application portability. Hybrid clouds require determining how applications are distributed across public and private clouds. An issue that needs to be considered here is the relationship between processing and data: If the amount of data is small or the application is stateless, a hybrid cloud can be more successful than in a scenario where large amounts of data must be transferred from a private into a public cloud for a small amount of processing. Table 2 compares the accessibility-driven types of cloud computing with the characteristics of clouds in general (Section 2.1). To improve the separation among the types, we have introduced the attributes physical location of the cloud infrastructure, provider and consumer. We ignore hybrid clouds in Table 2 because they are defined as a composition of several accessibility types. Private clouds are built within one enterprise; so, the shared IT resources dont serve several consumers, and the IT services cannot be considered as ready to use, direct from the shelf. Moreover, in a private cloud the consumer owns the IT infrastructure and provides its capabilities within the organization. In that manner we doubt whether a private cloud still is cloud computing and suggest that it should be treated as an evolution of enterprise data centers, where the new focus is on delivering IT services instead of applications.
Table 2. Characterization of cloud computing by accessibility.
Cloud computing (1) Shared IT resources Characteristics (2) Capabilities as services (3) Elastic (4) Measured by use (5) Internet access Location of infrastructure Attributes Provider Consumer Public cloud Yes Yes Yes Yes Yes At providers site. External provider. Community cloud Yes Yes Yes Yes Yes Private cloud Not supported in full Not full Yes Yes Yes supported in

In the community. At consumers site. Community member Consumers IT or or external provider. external provider. Part of or whole enterprise.

Enterprise, community Community members, Internet user. members.

3 Market of Cloud Computing

3.1 Cloud Computing Providers Because of the economies of scale in providing large amounts of IT resources, the market of cloud computing is dominated by the big players in IT, namely Amazon.com, Google, Microsoft, Oracle and Saleforce.com. In this section we investigate and compare their solutions and pricing models. Table 3 characterizes the providers in terms of the clouds general characteristics (Section 2.1), capabilities and accessibility type (Section 2.2) as well as costs. We used the following scenario (see also [3] and [7]) to calculate and compare the costs of cloud computing for one month: (1) storage of 2 TB (Terabyte) of data, (2) computation requiring 50 hours of CPU/instance time per month and (3) data transfer of (3a) 2 TB (initial transfer for storage; only first month) or (3b) 500 GB (Gigabyte) per month for computation, respectively. The prices we state in the following sections were gathered from the Web sites of the providers and refer to May 2010. The distinction between the characteristics derived from the providers Web sites (not shaded in Table 3) and perceived by the consumers (shaded in Table 3) is explained in Section 3.2. Risks of cloud computing and risk management are discussed in Section 4.
Table 3. Properties of cloud computing.
Cloud computing Pricing Provi Type Characteristics der Access Capabilities (as perceived) Model IaaS, PaaS, SaaS (with software vendors) Risk Management

Scenario values (month)

Amazon

Public

(1) (2) (3) (4) (5)

Instances (number, usage hours), data (1) US$ 307 volume (stored, (2) US$ 9 to 144 transferred), PUT/ GET (3) US$ 307/75 requests CPU usage hours, (1) US$ 307 stored data volume, (2) US$ 5 number of applications; (3) Free of charge Data volume (stored, transferred), CPU usage hours; Subscription (with limitation) (1) US$ 307 (2) US$ 6 (3) US$ 205/50

Security management and best practices are documented

Google

Public

PaaS, SaaS

(1) (2) (3) (4) (5)

Unknown

Microsoft

Public

IaaS, PaaS, SaaS

(1) (2) (3) (4) (5) (2) (3) (5) restricted (1) perceived (3) (2) (5) restricted (3) perceived (4)

Unknown

Hybrid, Public, PaaS, SaaS Private Private PaaS, SaaS

Fee per user account (licence) without any resource limitation.

Hybrid clouds for one consumer Private clouds for one consumer

Scenario values: (1) Data storage: 2 TB; (2) Time for computation: 50h/month; (3) Data transfer: 2 TB non-recurring/500 GB/month

Oracle

Salesforce

3.1.1 Amazon.com In early 2006 Amazon Web Services (AWS) started to provide companies of all sizes with IT services out of a cloud. Currently the backbone of the Amazon cloud includes the following solutions [1]: Amazon Elastic Compute Cloud (Amazon EC2) is a Web service that provides resizable computing capacity with virtual machines as individual instances and a configurable infrastructure. The pricing is per consumed instance-hour for each type of the virtual machine. Amazon Simple Storage Service (Amazon S3) is a simple Web service interface that can be used to store and retrieve large amounts of data. Charges are based on data storage volume. Amazon CloudFront is a content delivery Web service that allows the distribution of content to end users. The fees are calculated from the amount of transferred outgoing data. Amazon SimpleDB stores and executes queries in real time. The pricing model uses the Amazon SimpleDB machine utilisation hours and data transfer. Amazon Simple Queue Service (Amazon SQS) is a hosted queue for storing messages. It enables moving data between distributed components of applications without losing messages. We associate the Amazon.com solutions with PaaS (EC2) and IaaS (S3, CloudFront, SimpleDB, SQS) as they are related to platform and infrastructure, respectively. Apart from order fulfillment (Amazon Fulfillment Web Service FWS) and payment (Amazon Flexible Payments Service FPS), there is a gap in the SaaS layer, which is filled by alliances with software vendors: For instance, Amazon.com and SAP provide a scalable environment with SAP ERP, CRM and BI products [25]. The Amazon.com cloud has all cloud characteristics of Section 2.1. The pooled IT resources provide services for Internet users, i.e., it is a public cloud. The pricing model agrees with measured by use: The fee for Amazon EC2, SimpleDB and the SAP products is based on usage hours of instances. According to the distinct specifications of the instances, the prices range from US$ 0.18 to 2.88 per hour [1]. In case of Amazon Cloud Front and SQS, a user pays for the volume of data transfer: US$ 0.15/GB for the first 10 TB to US$ 0.03/GB for over 1,000 TB. Due to fee progression, e.g., the cost for stored data in Amazon S3 decreases from US$ 0.15/GB for the first 50 TB to, finally, US$ 0.055/GB for more than 5,000 TB [1]. Consequently, consumers are encouraged to utilize Amazon.com solutions on a large scale. 3.1.2 Google Currently Google acts in the cloud computing market with the following solutions [11]: Google App Engine provides the capability of running the consumers Web applications on Googles preconfigured infrastructure. Google Docs offers tools for the creation and storage of office documents, e.g., spreadsheets, presentations, calendars, as well as a collaboration environment.

Both solutions are distributed to consumers via the Internet and satisfy the properties of PaaS (App Engine) or SaaS (Docs). As the infrastructure is available to the general public, we categorize the Google cloud as a public one. The billing policy is founded on the free of charge model, where the consumers need to create a Google account, or based on the used resources, e.g., the CPU time (US$ 0.10 per hour), the volume of stored data (US$ 0.15 per GB per month) or the number of deployed applications ($8 per user per month each). 3.1.3 Microsoft The core of Microsofts cloud is the Windows Azure platform with the following components [5]: Windows Azure provides a Windows-based environment (platform) for running applications and storing data on servers in Microsoft data centers. SQL Azure provides data services in the cloud based on SQL Server. Windows Azure platform AppFabric provides infrastructure services to connect applications running in the cloud or locally. Altogether, Windows Azure supports a consumer by platform, software and infrastructure services, therefore covers all three levels of cloud capabilities (PaaS, SaaS and IaaS). The pricing model is pay-per-use; usage is calculated based on CPU time (US$ 0.12 per hour), storage space (US$ 0.15 per GB per month) or data transfer (US$ 0.10 to 0.45 per GB). Alternatively users can subscribe, and the monthly base fee includes defined amounts of allowed resource usage. Microsoft cloud computing solutions are available to anyone, and therefore the cloud is public [30]. 3.1.4 Salesforce.com Salesforce.com released the first version of its online products in 2001 [23]. Currently, the company offers three cloud products [22]: Salesforce CRM offers CRM and ERP applications based on the providers or the consumers IT infrastructure. Force.com Platform is the platform for business applications. Chatter enables collaborating with people at work. Thus, the cloud computing solution portfolio of Salesforce.com covers SaaS and PaaS; Chatter corresponds to a CaaS solution, which we classified as SaaS in Section 2.2. Because of the fact that the infrastructure resides either on the providers or consumers location, hybrid clouds can be built. The Salesforce.com cloud does not cover all characteristics of Section 2.1: Firstly, the charges rely on the users licenses, which are valid for a user and an application without any limitation of time or resources and, thus, contradict our cloud characteristic measured by use (4). Secondly, Salesforce CRM can be placed in a private cloud, which violates our characteristic (1), i.e., shared IT resources.

3.1.5 Oracle Oracle offers two types of cloud capabilities [19]: Oracle on Demand is a SaaS cloud as it provides CRM and ERP applications for enterprises Oracle Platform for SaaS is the underlying middleware platform and, thus, PaaS. Both products are delivered by private clouds, where a consumer pays the licenses per user account. Moreover, Oracles cloud services work on the IT infrastructure provided by the consumer. Due to these facts the coverage of the cloud characteristics is limited: The characteristics shared IT resources (1) and measured by use (4) are not fully supported; support for elastic (3) - via virtual machines - can be assumed. 3.2 Cloud Computing Consumers Every cloud computing provider has its consumers (see Table 4), whose decisions on whether or not to use cloud computing usually depend on an analysis of benefits and risks. Here, we concentrate on the benefits. Based on the success stories published at the cloud computing providers Web sites in May 2010, Table 4 summarizes why the consumers decided to use cloud computing. We have used the English Web sites; success stories in the form of video or audio streams were ignored. The total number of analyzed consumers amounts to 35 - which is limited, but gives first indications for typical benefits. Companies of any size are represented. The column reasons in Table 4 shows the wording from the success stories, which we translated in the characteristics of cloud computing (see Table 2). This translation is based on the assumption that the reasons to use cloud computing (benefits) are grounded in the characteristics of cloud computing, and it enables a comparison and quantitative assessment of the importance of particular benefits (see Table 5). Almost half of the consumers of Table 4 named more than one reason to use cloud computing. In the following, we give the absolute frequency of each reason and the percentage of consumers that have mentioned it. Because of multiple answers per consumer, the sum of percentages exceeds 100%. Scalability turned out to be the most important benefit (25/71%) of cloud computing. The second most important benefit (16/46%) is cost saving due to measured by use, followed by access from anywhere (6/17%), capabilities as services (5/14%) and, finally, shared IT resources (4/11%). Table 5 compares our results with two other studies: The first study was conducted in June and July 2009 by IBM [14] in a group of 1090 IT decision makers around the world. The study focused on the potential drivers behind cloud computing adoption: 77% of the respondents chose cost saving as a key driver. The faster time-to-value, including being able to scale IT resources to meet needs (elasticity), was mentioned by 72 % of the respondents. The fact that cloud capabilities are provided as IT services off-the-shelf allows companies to focus on their core competences, which was an important benefit for 38% of the IT decision makers. Finally, 37% of the respondents believe in a reduction of in-house IT infrastructure because of sharing IT resources.

Table 4. Consumers reasons to choose cloud computing solutions, ordered by provider.

Reasons "scalable" "elastic", "cost-effective", "easily accessible" "granular pricing", "elastic scale" "increase system robustness without increasing costs", "multiple location availability", "scalability" "the speed and easy of deploying new instances" "avoiding buying and managing computers" "stable, robust, flexible, and low cost" "needed access to more computing capacity than we could possibly maintain internally " "speed of system deployment and roll-out" "scalability, reliability and the detailed reporting" "perfect match for the pay as you go model" "cost structure and scalability" "scale the hardware very, very quickly" "scalability, reliability, and utility pricing" "maximal utilization of resources", "pay for actual usage", "have a scalable solution" "reduce the friction of scaling" "scalable experience that has the minimum footprint on local network" "to scale capacity on demand", "per-hour pricing" "take advantage of the $2B+ that Amazon has invested" "easily-scaled services " "flexibility, price, reliability, and security" "track site performance on a granular lever " "to create a highly scalable, global solution" "to provide scalability" "highly elastic needs" "scale up and down ", "provisioning, billing, and metering capabilities" "to provide applications to customers everywhere, without deploying data centres around the world" "the pricing model is easy to calculate" "we can respond to large-scale peaks in demand" "our challenge is scaling" Having the whole system implemented in-house had made it expensive to distribute software, "implement rapidly and that would give us more agility", "flexibility and the cost factor were key drivers" "a system that could be developed and implemented quickly" "we needed simplicity" "lever on cost, up or down, depending on which way we go with our business" "the scalability and flexibility" Abbreviation: (R): Reliability Characteristics (3) (3) (4) (5) (3) (4) (3) (4) (5) (R) (2) (1) (3) (4) (R) (1) (3) (2) (3) (4) (R) (4) (3) (4) (3) (3) (4) (R) (1) (3) (4) (3) (3) (5) (3) (4) (1) (3) (3) (4) (R) (4) (3) (5) (3) (3) (3) (4) (5) (4) (3) (3) (2) (3) (4) (5) (2) (2) (3) (4) (3) Consumers Ipswitch Moonwalk Sonian HiperStratus July Systems Cycle Computing Harvard Medical School Pathwork Diagnostics Hitachi Systems Tubaah SearchBlox Digitaria Virgin Atlantic Airlines DreamFactory MarketSimplified Morph AppSpace Napera Networks PostRank StarPound CapGemini San Francisco Consulting The Huffing Post Quark Sitemasher TicketDirect Wipro 3M City of Miami European Environment Agency Origin Digital/Accenture Siemens Microsoft [29] Google [10] Amazon [2] Providers

Konica Minolta Polycom Agilent Exterran

Salesforce [24] Oracle [20]

Secondly, the European Network and Information Security Agency (ENISA) launched the online survey An SME perspective on cloud computing on the 16th of April 2009, where the reasons behind a possible engagement in cloud computing were gathered. Till the 1st of November 2009, 74 answers were collected [6]. This study shows that avoiding capital expenditure was the most important benefit of cloud computing for 68% of the respondents. The second most important benefits (63,9%) were flexibility and scalability of IT resources, followed by increased computing capacity and business performance as a result of the clouds IT services, i.e., the clouds capabilities (36%). 29% of the respondents found access from anywhere important. Finally, the optimization of the shared IT infrastructure showed up as an important factor for one fourth (25%) of the studys participants. Both the IBM and the ENISA study asked potential consumers about the expected benefits that may prompt them to use cloud computing. In contrast, our results are based on benefits that are realized by current cloud computing consumers. The most important expected benefit is cost saving, while the most important realized benefit is scalability (see Table 5). Altogether, our analysis of success stories confirms both benefits as the two main ones of cloud computing. Moreover, in our analysis one unanticipated benefit emerged: reliability, which was mentioned by 5 of the current consumers (14%) in Table 4. Finally, the current consumers appreciate the access to their cloud solutions from anywhere; in contrast to the characteristic (5) from Section 2.1, Internet access, at least literally, is not required.
Table 5. Comparison of the reasons to choose cloud computing.
Cloud computing benefits Scalability Cost saving Access from anywhere Capabilities as services Reliability Resource pooling Cloud computing Success stories IBM study [14] characteristics (3) (4) (5) (2) (1) 71% 46% 17% 14% 14% 11% 72% 77% 38% 37% ENISA study [6] 63,9% 68% 29% 36% 25%

The deviating perception of cloud computing characteristics (see Table 3) can be explained as follows: First, the marketing departments of the cloud computing providers edit the success stories and control which characteristics are emphasized. Secondly, the characteristics (1) and (2), shared IT resources and capabilities as services, are closely intertwined with particular cloud computing solutions and, thus, often overlooked by the consumers. Moreover, these characteristics are not only applicable to cloud computing, but also to traditional outsourcing. Thirdly, probably because of the private clouds provided, the characteristic Internet access is not perceived for Oracle; for the clouds of Google this characteristic is not valued as a benefit as Internet access is the key business of this company. Whether or not the Salesforce solutions are scalable was probably not known for the two consumers analyzed; however, it can be assumed according to the information at the providers Web site.

4 Cloud Computing Risks

Because of the benefits listed in Section 3.2, consumers are keen on using cloud computing, but they should be aware of the potential risks. Cloud computing risks are rarely reported in success stories. Therefore we base our discussion on the existing surveys and literature [3], [4], [6], [12], [13]. Table 6 summarizes our classification of risks, which is explained in the following. Basically, three types of risks can be identified [7] that are, however, interrelated. Related risks are arranged in the same row in Table 6. Organizational risks stem from relying on an additional business partner; technical risks arise from the use of an external, distributed IT infrastructure, and legal risks refer to regulations relevant for IT. Table 6. Cloud computing risks, their relevance and management measures.
Organizational Risks Type (1) Loss of governance (1a) Cloud provider acquisition (2) Co-tenant vulnerability To Technical Risks Action Type (5) Security (5a) Malicious ++ S, insider +C (5b) Data leak- G age in transit G P P (8) Data trans- G fer bottleneck Abbreviations: Y (6) Isolation failure (7) Unavailability ++ S G To Action P Y, C P P (12) Licensing ++ C, +S Legal Risks Type To Action P

++ S, P +C G (P)

P(RM) (9) Privacy

++ S, +C P(RM)

(10) Compliance, G auditability (10a) Change of jurisdiction (11) Subpoena, e-discovery

++ S, +C ++ S, +C

(3) Cloud serv- G ice termination (4) Lock-in G

G: General, S: Storage, C: Computation, ++/+: High/moderate risk P: Provider selection, Y: Physical data transfer, C: Secure channel, RM: Risk management

Loss of governance means that the cloud computing consumer (necessarily) cedes control over data to the cloud computing provider (or its buyer in case of an acquisition). This raises both the technical issue of data security (i.e., data must be kept safe from lost or corruption and under controlled access) and the legal problems of privacy (i.e., personally identifiable information must be protected) and compliance (i.e., difficulties with audits or certification processes; untransparent storage of data in multiple jurisdictions, which may, moreover, change). Typical technical security risks of cloud computing are malicious insider, i.e., an abuse of high privilege roles in the cloud providers organization, and data leakage in transit, i.e., by sniffing, spoofing, man-inthe-middle attacks etc. Some of these risks are especially high (++) when data is stored at a cloud computing providers infrastructure (e.g., malicious insider, privacy) and a little smaller (+) when cloud computing is only used for computations; see Table 6. Since both usage types (storage/computation) require data transfer from

the consumer to the provider, data leakage in transit is a general risk of cloud computing. Because of pooling resources, several cloud computing consumers usually share IT infrastructure. One consumers bad behavior can affect the reputation of all other consumers (co-tenant vulnerability). If the providers hardware is confiscated (as a result of subpoena), stored data of several consumers is at risk of disclosure. Moreover, the technical risk of isolation failures exists, i.e., the failure of mechanisms to separate storage or memory between tenants of the shared IT infrastructure. Cloud computing consumers are prone to the technical risk of short-time unavailability of a service and the organizational risk that a cloud computing provider changes its business and eventually terminates some service. In that case, the lack of standardization among cloud computing providers makes it extremely difficult to move data or applications from one site to another (lock-in). To aggravate this problem, current software licenses often restrict the IT infrastructure on which software can run, or they are not applicable to the cloud computing situation (e.g., per seats agreements, online license checks). Either cloud computing usage type requires at least an initial data transfer (from the cloud computing consumer to the provider), which can become a bottleneck as the following example illustrates (see also [5]): For the Amazon S3 service, a write bandwidth between 5 and 18 was measured [11]. If we apply a bandwidth of 20 Mbit/s to our scenario, the following (tremendous) upload times result: (2TB* 1024GB * 1024MB * 8Bit)/20 MBit/s =16,777,216MBit/ 20 MBit/s = 838,860s 9.7 days (500GB * 1024MB * 8Bit)/20 MBit/s = 4,096,000MBit/ 20 MBit/s = 204,800s = 56.8h 2.4 days We have derived the cloud computing risks (1) to (12) in Table 6 from the relevant literature. Empirically, the top five concerns named by potential cloud computing consumers in the ENISA study [10] were confidentiality (94% of the respondents3), privacy (89%) as well as integrity of data (85%), availability (82%), and loss of control (74%). The identification of risks is a prerequisite to risk assessment and minimization. Currently not enough empirical data exists to assess all risks of cloud computing, but at least the risk of unavailability is de facto disproved by the benefit of reliability we observed (see Table 5). Measures to reduce the other risks are sketched in Section 5.

5 Conclusions
Companies that aim at scalability should consider cloud computing because scalability is the most important realized benefit. According to the ISACA, the risks of cloud computing still outweigh its benefits for 45% of the US business and IT professionals [15]. Thus, as a next step in deciding about cloud computing, companies
3

The percentages are calculated by dividing the sum of counts for the ratings very important and showstopper by the response count.

should assess the relevant risks (see Section 4) and take measures to reduce them. The following measures can be recommended (see Table 6): Carefully decide about the usage type, as storing in the cloud is more risky than computing (see Table 6). Ship data physically on hard disks to avoid data transfer bottlenecks (recommended by Amazon.com for large data quantities [11]) and to reduce data transfer risks. Secure channels to reduce data leakage in transit. Do not only use cost criteria to select a cloud computing provider, but also consider its reputation and risk management strategies. Table 3 shows the risk management strategies of the analyzed cloud computing providers (as far as they are communicated): For the Amazon Services, security management descriptions and best practices [1] are given. Moreover, the private or hybrid clouds of Salesforce.com and Oracle, which are designed for one consumer, increase privacy. In case of Microsoft and Google we were not able to find information about risk management. Altogether (see Table 3), Amazon.com shows all cloud computing characteristics, has not only the largest number of perceived benefits, but also the most detailed strategies for risk management; its pricing is comparable and its reputation sound. Thus, our results suggest relying on Amazon.com as a cloud computing provider. The validity of our quantitative results is limited by the following facts: First, the success stories were published by the cloud computing providers and, thus, are probably biased. Secondly, we did not consider all success stories of a particular provider, but only those with explicit, literal statements on the reasons to use cloud computing. Third, the sample period was May 2010, and the number of cloud computing consumers has been constantly increasing since then. The first limitation must be accepted, the second and third one will be removed in future research where we use a coding schema to gather the benefits of cloud computing from free texts. Based on the increased amount of data that will result from the coding, we can do a more sophisticated statistical analysis of the benefits of cloud computing. Since decisions about cloud computing have to balance benefits and risks, our next research task is a detailed empirical investigation of cloud computing risks and the measures used to reduce them.

References
1. 2. 3. Amazon: Amazon Web Services, http://aws.amazon.com Amazon: Case Studies, http://aws.amazon.com/solutions/case-studies/ Armbrust, M., et al.: Above the Clouds: A Berkeley View of Cloud Computing. Technical Report No. UCB/EECS-2009-28. UC Berkeley Reliable Adaptive Distributed Systems Laboratory, http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf (2009) Catteddu, D., Hogben, G.: Cloud Computing. Benefits, risks and recommendation for information security. Technical Report. ENISA, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment/at_download/fullReport (2009)

4.

5.

6.

7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26.

Chappell, D.,: Introducing the Windows Azure Platform. Technical Report. David Chappell & Associate, http://www.davidchappell.com/writing/white_papers/Windows_Azure_Platf orm_v1.3--Chappell.pdf (2009) European Network and Information Security Agency (ENISA): An SME perspective on Cloud Computing. Survey. http://www.coe.int/t/dghl/cooperation/economiccrime/cybercr ime/cy-activity-interface2010/presentations/Outlook/SURVEY_An_SME_perspective_on_Cloud_Computing.pdf (2010) Garfinkel, S.: An Evaluation of Amazons Grid Computing Services: EC2, S3 and SQS. Technical Report TR-08-07, Harvard University, (2007) Geelan, J.: Twenty-One Experts Define Cloud Computing. Cloud Computing Journal, http://cloudcomputing.sys-con.com/node/612375 (2009) Gillet, A.: Cloud Computing - Interview at the MIT campus. Beet.tv: http://www.beet.tv/ 2008/09/cloud-computing.html (2008) Google: Google Apps Case Studies, http://www.google.com/apps/intl/en/business/ customer_story.html Google: Google App Engine Google Code, http://code.google.com/appengine/ Gregg, M.,: 10 Security Concerns for Cloud Computing. White Paper, Global Knowledge Training LLC, http://www.globalknowledgesa.com/pdf/WP_VI_10SecurityConcernsCloudComputing.pdf (2009) Heiser, J., Nicolett, M.: Assessing the Security Risks of Cloud Computing. Gartner, Document ID 685308 (2008) IBM: Dispelling the vapour around cloud computing. Drivers, barriers and considerations for public and private cloud adoption. IBM White Paper, ftp://ftp.software.ibm.com/ common/ssi/sa/wh/n/ciw03062usen/CIW03062USEN.PDF (2010) ISACA: IT Risk/Reward Barometer US Edition. ISACA, http://www.isaca.org/AMTemplate.cfm?Section=20102&Template=/ContentManagemen t/ContentDisplay.cfm&ContentID=56656 (2009) Jennings, C.: The cloud computing revolution. ComputerWeekly.com, December 22, 2008, http://www.computerweekly.com/Articles/2008/12/22/234026/the-cloudcomputing-revolution.htm (2008) Jetter, M.: Cloud Computing: Evolution in der Technik, Revolution im Geschft. BITKOM (2009) Mell, P., Grance, T.: The NIST Definition of Cloud Computing. National Institute of Standard and Technology (NIST), July 10, 2009, http://csrc.nist.gov/groups/SNS/cloudcomputing/cloud-def-v15.doc (2009) Oracle: CRM On Demand | Oracle On Demand | Oracle, http://www.oracle.com/us/ products/ondemand/index.html Plummer D.C., et al.: Cloud Computing: Defining and Describing an Emerging Phenomenon. Gartner Research, Document ID 697413 (2008) Rittinghouse, J. W., Ransome, J. F.: Cloud Computing. Implementation, Management and Security. Taylor & Francis Group, (2010) Salesforce: Application Development with the Force.com Cloud Computing Platform, http://www.salesforce.com/platform/. Salesforce: CRM Press Releases, http://www. alesforce.com/company/news-press/pressreleases/ Salesforce: CRM Snapshots and Case Studies & Force.com Testimonials, http://www.salesforce.com/customers/ SAP: Virtualization at SAP, http://www.sdn.sap.com/irj/sdn/virtualization SETI: Institute Homepage, http://www.seti.org

27. 28. 29. 30.

Staten, J.: Cloud Computing for the Enterprise. Forrester Research, http://www.forrester.com/imagesV2/uplmisc/CloudComputingWebinarSlideDeck.pdf (2009) Weinhardt, C., et al.: Cloud-Computing A Classification, Business Models and Research Direction. Business & Information Systems Engineering 51, pp. 453-462 (2009) Windows: Windows Azure Case Studies | Microsoft Cloud Evidence | Windows Azure Platform, http://www.microsoft.com/windowsazure/evidence/ Windows: Windows Azure Platform | Cloud Computing | Online Service | Data Storage, http://www.microsoft.com/windowsazure/