Cloud computing has evolved as a key delivery model for Information Technology (IT) and data provision for both the private and public sectors. Addressing its governance, legal, and public policy aspects is a condition sine qua non for successful deployment, whether done by the in-house IT department or outsourced. Stakeholders ask for new applications that consumerization is providing. Therefore, IT governance should be adapted to consider this new business pressure. However, the law plays a double role with respect to cloud computing; it functions as a legal framework set by mandatory regulations and as a contractual instrument to manage the cloud technology and information provisioning in an effective way, based on the strategic objectives of any organization. This chapter is devoted to where IT governance frameworks should consider the decisions about specific cloud computing compliance, how to measure them through several indicators, and what their general legal and public policy aspects are.
Several colloquialisms of the IT world converge on cloud computing. Cloud computing takes place in the ‘global village,’ ‘at the speed of light,’ and is founded on the famous sentence credited to John Gage at Sun Microsystems, that ‘the network is the computer,’ which enables other more recent phrases like ‘information at your fingertips, everywhere, every time.’ But it seems that, for the first time in data processing history, these one-liners have the potential to become a consolidated reality. Place- and time-independent ways of living our lives, performing work, doing business and administering public sector tasks are facilitated in optima forma by the deployment of cloud computing as the premier and captive delivery model for Information Technology (IT) resources.
This is without doubt an exciting and attractive outlook for any organization that needs to do more with less, raise the quality of service and innovate, all at the same time. The recent standardization of IT Governance tries to implement frameworks in which IT assets are governed like other corporate assets: human, physical, intellectual, financial and relationship assets. These governance frameworks should also be implemented in government and public enterprises.
Nevertheless, the often unthinkingly advocated transition to cloud computing does not mean that every government information system or all public sector data should be moved to the Cloud in the first place. The future of Information Technology will be of a mixed nature: on-premise and in the Cloud; delivered by the internal IT department and by cloud service providers; using private, public and hybrid clouds. Therefore, the preferred way to assess and manage risks, optimize digital technology assets, and reform public administrations is by deploying sound and well-founded cloud policies within IT governance framework implementations.
What constitutes cloud computing? A computer scientist draws computers and software services and connects them to the Internet. Thus ‘the Cloud’ was born, as a metaphor. Search engines Lycos and Yahoo (1994) and the e-mail service Hotmail (1996) were examples avant la lettre, but the first airline reservation system around 1960 already used a cloud model. Examples today include Amazon Web Services, Salesforce, Google Docs, the Microsoft Office package Office365 and the immensely popular social networks Facebook and YouTube, not to mention the literally countless apps for smart phones, tablets and more.
Cloud computing takes place largely invisibly, but it shows itself to end-users as Web-based software and information that is stored on servers in data centers elsewhere and no longer on their computers or the information systems of the organization they work for. The actual processing is virtualized: the computer programs and information are disconnected from the physical hardware and infrastructure. Consequently, the nature of data (processing) changes to non-permanent and dynamic, and becomes almost ‘liquid.’
Cloud computing developed and keeps developing in an evolutionary way. Technologically speaking, the turning point lies behind us, because essential information technologies, including virtualization and broadband Internet, are now widely available and accessible. Cloud computing may be a service provided by the internal IT department, but cloud computing will more likely involve an outsourcing relationship.
In their internationally broadly accepted definition, the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (Mell, 2011) describe how ‘cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.’ The cloud matrix comprises public (open and standardized), private (closed and any desired length), community (targeting a particular community) and hybrid (public/private) application models, and distinguishes the service models software (SaaS), platforms (PaaS), and infrastructure (IaaS).