Identifying the security risks associated with governmental use of cloud computing

doi:10.1016/j.giq.2010.01.002

Government Information Quarterly

Volume 27, Issue 3, July 2010, Pages 245-253

https://doi.org/10.1016/j.giq.2010.01.002 Get rights and content

Abstract

Cloud computing, which refers to an emerging computing model where machines in large data centers can be used to deliver services in a scalable manner, has become popular for corporations in need of inexpensive, large scale computing. Recently, the United States government has begun to utilize cloud computing architectures, platforms, and applications to deliver services and meet the needs of their constituents. Surrounding the use of cloud computing are many risks that can have major impacts on the information and services supported by this technology. This paper discusses the current use of cloud computing in government, and the risks–tangible and intangible–associated with its use. Examining specific cases of government cloud computing, this paper explores the level of understanding of the risks by the departments and agencies that implement this technology. This paper argues that a defined risk management program focused on cloud computing is an essential part of the government IT environment.

Introduction

Cloud computing, which allows for highly scalable computing applications, storage, and platforms, is increasing in importance throughout government information technology (IT) strategy. Cloud computing providers offer a variety of services to individuals, companies, and government agencies, with users employing cloud computing for storing and sharing information, database management and mining, and deploying web services, which can range from processing vast datasets for complicated scientific problems to using clouds to manage and provide access to medical records (Hand, 2007). Recently, President Barack Obama and Chief Technology Officer (CTO) Vivek Kundra have both expressed the vision to explore the cloud as a key component in the federal IT transformation, and therefore agency use of cloud computing capabilities has increased (Jackson, 2009, Miller, 2009b).

Although many benefits are reported in cloud computing use, a great deal of risk is associated with the implementation, management, and use of cloud computing technologies. In a government context, both tangible risks (such as the risk of unauthorized access, infrastructure failure, or unavailability) and intangible risks (such as confidence in the technologies capabilities, and public access) are introduced along with the functionality and benefits provided by cloud applications. The government's ability to manage these risks will be a key determinant in the success of cloud computing.

This paper discusses the nature of cloud computing and risk management in a governmental context. The risks associated with cloud computing are identified, focusing on both the tangible and intangible risks which can present challenges for IT management. We argue that much evidence exists that cloud computing has become a strategic direction for many government agencies and is already employed in critical areas of the government's IT infrastructure. However, a prudent and in-depth risk management program must accompany the use of this new technology in order to prevent unwanted technical consequences, and even greater problems from a government information management perspective.

Section snippets

The nature of risk and risk management

The word “risk” is derived from the Italian risicare, which translates to English as “to dare.” At the origin of the word is the implication that risk is not a fate, but a choice individuals make depending on internal or personal factors, and the environment in which we live (Bernstein, 1998). Others define risk as the possible impact or result of an event on assets of an organization, and the corresponding consequences that occur (Stoneburner, Goguen & Feringa, 2004). Risk is not defined or

What is cloud computing

Cloud computing refers to an emerging model of computing where machines in large data centers can be dynamically provisioned, configured, and reconfigured to deliver services in a scalable manner, for needs ranging from scientific research to video sharing to e-mail (Wyld, 2009). While usually described as a single entity, cloud computing can comprise several components at once: cloud infrastructure, cloud platform, and cloud application. Cloud infrastructure is the provision of a computer

Government use of cloud computing

Governments, and in particular the United States federal government, have begun to incorporate cloud computing infrastructures into the work of various departments and agencies. Under the leadership of CTO Vivek Kundra, cloud computing is used as a tool to facilitate information sharing, applications processing, and as a cost saving measure from traditional technological architectures. The following section examines the current level of adoption by the federal government, including examples of

Risks specific to government use of cloud computing

The introduction of any new technology to an organization brings many risks associated with the implementation and use. As mentioned in the previous section on risk management, it is important to not only recognize the risks associated with any new or implemented technologies, but to create a strategy that allows organizations to better manage and mitigate these risks. Prior to signing the first contract or agreement, it is vital to have in place a proper risk management program that can

Conclusions

Given the relatively undeveloped and unproven state of federal cloud policies and the widespread unknowns that weave into the question of whether the federal government can successfully identify and manage the risks of working in a cloud environment, proceeding with caution until policies, standards, and technical proficiency are addressed will help the government avoid any unwanted risks. The conventional wisdom at this point suggests that without deliberate planning in scope, deployment,

References (74)

J.M. Burroughs
What users want: assessing government information preferences to drive information services
Government Information Quarterly
(2009)
T. Priebe et al.
The U.S. Government Printing Office's initiatives for the federal depository library program to set the stage for the 21st century
Government Information Quarterly
(2008)
G.L. Rosston et al.
The “state” of universal access
Information Economics and Policy
(2000)
J.A. Shuler
A critique of universal service, e-rate, and the chimera of the public's interest
Government Information Quarterly
(1999)
C. Anderson
The end of theory: the data deluge makes the scientific method obsolete
Wired
(2008)
M. Armburst et al.
Above the clouds: a Berkley view of cloud computing
(2009)
B.A. Aubert et al.
A Framework for information technology outsourcing risk management
The DATABASE for Advances in Information Systems
(2005)
S. Baker
Google and the wisdom of the clouds
(2007)
C. Balding
U.S. Government creates cloud computing security group
(2009)
D. Beizer
DISA debuts self-service computing
(2008)

D. Beizer

USA.gov will move to cloud computing

(2009)

P.L. Bernstein

Against the gods: The remarkable story of risk

(1998)

J. Bertot et al.

Reconciling government documents and e-Government: Government information in policy, librarianship, and education

Government Information Quarterly

(2010)

J. Brodkin

Loss of customer data spurs closure of online storage service “the link up”

(2008)

R. Buyya et al.

Market-oriented cloud computing: vision, hype, and reality for delivering IT services as computing utilities

Y.-C. Chen et al.

Outsourcing for e-Government: managing for success

Public Performance and Management Review

(2003)

T.D. Clarke et al.

The outsourcing of information services: transforming the nature of business in the information industry

Journal of Information Technology

(1995)

R. Cohen

The U.S. federal government defines cloud computing

Cloud Computing Journal

(2009)

S. Condon

Experts: policy could make, break cloud computing

(2009)

M. Cooney

Lots of excuses, little use of encryption on government mobile computers

(2008)

R. Crandall et al.

Who pays for universal service?

(2000)

M. Crouhy et al.

The essentials of risk management

(2006)

N. Cubrilovic

Letting data die a natural death

(2009)

M. Daconta

Cloud computing and five other IT fads that aren't always right for government

(2009)

J. Dibbern et al.

Information systems outsourcing: a survey of analysis of the literature

The DATABASE for Advances in Information Systems

(2004)

D. Gabel

Broadband and universal service

Telecommunications Policy

(2007)

B. Goodwin

Social networks and government

(2008)

B. Gourley

Wall Street crisis, enterprise technology and cloud computing

(2008)

A. Greenberg

If the clouds burst

(2009)

T.H. Grubesic

The spatial taxonomy of broadband providers in the United States: 1999-2004

Telecommunications policy

(2006)

E. Hand

Head in the clouds

Nature

(2007)

R. Harbick et al.

Cloud computing: myth or reality?

(2009)

D. Harris

DISA CIO: Cloud computing “something we absolutely have to do”

(2008)

K. Hart

Tech firms seek to get agencies on board with cloud computing

Washington Post

(2009)

J.N. Hoover

GSA backs away from federal cloud CTO appointment

(2009)

J.B. Horrigan

Use of cloud computing applications and services

(2008)

J. Jackson

Agencies tap online channels to spread the word on swine flu outbreak

(2009)

Cited by (251)

Big data security & individual (psychological) resilience: A review of social media risks and lessons learned from Indonesia
2024, Array
This research aims to reduce social media security risks and develop best practices to help governments address social media security risks more effectively. This research begins by reviewing the different discussions in the literature about social media security risks and mitigation techniques. Based on the extensive review, several key insights were identified and summarized to help organizations address social media security risks more effectively. Many national governments around the world do not have effective social media security policies and are unsure how to develop effective social media security strategies to mitigate social media security risks. This research provides guidance to national governments on mitigating potential social media security risks. This study incorporates ongoing debates in the literature and provides guidance on how to reduce social media security and technological risks. Practical insights are identified and summarized from the extensive literature. More discussions and studies are needed on strategies and practical insights to reduce social media risk for the Indonesian government.
A matter of perspective: Conceptualizing the role of citizens in E-government based on value positions
2023, Government Information Quarterly
Citizens are oftentimes the central unit of analysis in e-government research and treated as one of the stakeholders receiving the most benefits from public sector digitalization. Still, they are mostly described in general terms, and it remains unclear what roles they can assume in relation to e-government. Different understandings of the citizens' role in e-government may impact research, because they entail different axioms mainly in relation to the technological frame for e-government but also for the citizens' relationship to public sector organizations in general. The aim of this article is to investigate and conceptualize the citizens' role in e-government based on public value positions. We depart from Rose et al.'s (2015) framework of value positions for managing e-government. After reviewing and analyzing extensive research on e-government, we use this framework to contribute a clarification of the citizens' role in each value position. Our analysis shows that the ideal citizen is conceptualized differently across the four value positions; ranging from an external entity that should service themselves using digital self-services, to an engaged agent that should be actively involved in policy making and service delivery. In addition to this new perspective on the citizens' role in e-government, we contribute with an extension of the public value positions framework. The extended framework presented in this article makes these differences visible and we discuss consequences of the citizens' role in e-government for other dimensions of the framework.
Optimal cluster based feature selection for intrusion detection system in web and cloud computing environment using hybrid teacher learning optimization enables deep recurrent neural network
2023, Computer Communications
Information technology organizations have experienced rapid growth in recent years, resulting in scalability, mobility, and flexibility challenges. Those organizations move their data to the cloud because security and privacy are major concerns. As cloud computing becomes more popular, security has become an important concern. These confidential data are vulnerable to attacks/malicious or intruders due to the characteristics of the cloud. In order to address the growing concern of real-time intruders, a variety of intrusion detection systems (IDS) used specifically for cloud environments with the aim of enhancing overall security. There are, however, some limitations and known attacks that can be overcome by those IDSs. We recently proposed a hybrid soft computing based IDS (ST-IDS) for web and cloud environments, but missed some novel web and cloud attacks. Using hybrid teacher learning enabled deep recurrent neural networks and cluster based feature optimization, we propose an IDS scheme for web and cloud computing environments. MMFO (modified manta-ray foraging optimization) is used after feature extraction to select optimal features for further detection. To classify the intrusion in the web-cloud environment, a hybrid teacher-learning enabled deep recurrent neural network (TL-DRNN) is introduced. Our proposed IDS scheme has been validated using benchmark datasets including DARPA LLS DDoS-1.0, CICIDS-2017, and CSIC-2010. The performance of our proposed IDS scheme has been compared to existing IDS schemes using various quality measures.
The adoption of remote work platforms after the Covid-19 lockdown: New approach, new evidence
2023, Journal of Business Research
Citation Excerpt :
This study furthermore extended the applicability of the UTAUT model which is the latest in the IS/IT acceptance area (Maruping et al., 2017) by providing a supplementary validation from an additional field. Prior literature has described the disadvantages remote work technologies such as cloud computing services present, including compromised security and limited privacy on sharing (Chu et al., 2013; Paquette, Jaeger & Wilson 2010; Rong, Nguyen & Jaatun 2013) which negatively affect their perceived values. Although privacy, security, and confidentiality are recognized as key determining factors (Gupta, Seetharaman & Raj, 2013), security and confidentiality are not factors in the adoption of remote work platforms in this case study.
With the aim of providing further insights into the driving factors influencing behavioral intentions and expectations to use remote work after the Covid-19 lockdown, this study draws on an enhanced version of the technology acceptance model to analyze the determinants and moderating factors of remote work platform use. From an analysis of quantitative data collected from questionnaires and qualitative data from interviews with employees of Chinese firms in the service sector, we conclude that post-lockdown adoption of remote work is explained by three main variables: behavioral intention, behavioral expectation and facilitating conditions, but demographic characteristics and factors related to the specific features of remote work all nevertheless moderate the relationships in our model. In addition to gender, the generational gap and behavioral tendency should be taken into consideration to improve employee acceptance rates.
A systematic literature Review: Risk analysis in cloud migration
2022, Journal of King Saud University - Computer and Information Sciences
The era of the industrial revolution 4.0 was an era marked by the transition of information and communication technology that was able to create new technology-based investments. Internet of things (IoT), Big Data, and Cloud Computing are the foundations that underlie this 4.0 industrial revolution. Cloud Computing is a service that provides network storage space and computer resources using an internet connection as a medium of access. Cloud Service Providers (CSP) offer attractive services, making more and more companies want to migrate to the cloud. Sometimes the migration process to cloud computing faces problems or even failures, and this is certainly a risk for cloud service users. This study will identify the types of risks and risk components in cloud migration using the Systematic Literature Review (SLR) method. The databases used in selecting articles that match the criteria include: Emerald Online, IEEE Xplore, ScienceDirect, SpringerLink, and between 2015 and 2020. The results of this study, there were 74 articles selected according to the criteria and reviewed. The output of this study shows that there are 7 types of risk in cloud migration, namely information security risk, risk of losing data access, risk of using virtual machines, errors in choosing CSPs, risk of compliance with various laws and regulations, financial risk, and management failure, the weights of 25%, 21%, 18%, 14%, 11%, 7%, and 4% respectively, as well as 5 risk components, namely threats, impacts, risk factors, vulnerabilities, and damage with a weight of 33%, 27%, 20%, 13%, and 7%.
Moderating role of government policy in electronic government adoption among Algerian petroleum companies
2024, Electronic Government

View all citing articles on Scopus

View full text

Identifying the security risks associated with governmental use of cloud computing

Abstract

Introduction

Section snippets

The nature of risk and risk management

What is cloud computing

Government use of cloud computing

Risks specific to government use of cloud computing

Conclusions

Government Information Quarterly

Government Information Quarterly

Information Economics and Policy

Government Information Quarterly

The end of theory: the data deluge makes the scientific method obsolete

Wired

Above the clouds: a Berkley view of cloud computing

A Framework for information technology outsourcing risk management

The DATABASE for Advances in Information Systems

Google and the wisdom of the clouds

U.S. Government creates cloud computing security group

DISA debuts self-service computing

USA.gov will move to cloud computing

Against the gods: The remarkable story of risk

Reconciling government documents and e-Government: Government information in policy, librarianship, and education

Government Information Quarterly

Loss of customer data spurs closure of online storage service “the link up”

Market-oriented cloud computing: vision, hype, and reality for delivering IT services as computing utilities

Outsourcing for e-Government: managing for success

Public Performance and Management Review

The outsourcing of information services: transforming the nature of business in the information industry

Journal of Information Technology

The U.S. federal government defines cloud computing

Cloud Computing Journal

Experts: policy could make, break cloud computing

Lots of excuses, little use of encryption on government mobile computers

Who pays for universal service?

The essentials of risk management

Letting data die a natural death

Cloud computing and five other IT fads that aren't always right for government

Information systems outsourcing: a survey of analysis of the literature

The DATABASE for Advances in Information Systems

Broadband and universal service

Telecommunications Policy

Social networks and government

Wall Street crisis, enterprise technology and cloud computing

If the clouds burst

The spatial taxonomy of broadband providers in the United States: 1999-2004

Telecommunications policy

Head in the clouds

Nature

Cloud computing: myth or reality?

DISA CIO: Cloud computing “something we absolutely have to do”

Tech firms seek to get agencies on board with cloud computing

Washington Post

GSA backs away from federal cloud CTO appointment

Use of cloud computing applications and services

Agencies tap online channels to spread the word on swine flu outbreak