1. Introduction
Based on virtualization and abstraction techniques, cloud computing (CC) is a model through which dynamic, flexible, and scalable resources (e.g. computing power, data storage) and services (e.g. management, administration) are delivered through the network “as a service” (ISACA, 2011). The commonly accepted definition is from NIST (Mell & Grance, 2011) which defines CC as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”. NIST also defines five essential characteristics of CC (i.e. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (i.e. Software as a Service, Platform as a Service, and Infrastructure as a Service), and four deployment models (i.e. Private cloud, Community cloud, Public cloud and Hybrid cloud).
CC generates considerable operational and financial interest for public and private organizations (Ahuja & Rolli, 2011; Chang et al., 2011), but despite all its benefits there are still many challenges and open issues that impact its credibility and pervasiveness (Almorsy, Grundy, & Ibrahim, 2011). In fact, according to our previous study (Bounagui, Hafiddi, & Mezrioui, 2015), CC adoption led to an increasing number of security, compliance, and legal issues. Additionally, many aspects of IT governance (e.g. information security, risk management, or service level agreement management) are negatively impacted by CC adoption. Consequently, a considerable review and readjustment of these IT governance aspects is required to maintain the balance between traditional IT governance and CC governance. Thus, CC governance is critical and is key to maximizing the value that any organization receives from its investment in IT.
CC governance is literally defined as the set of processes, responsibilities, and practices mainly used to manage and control CC adoption and implementation in accordance with recognized policies, audit procedures, and management policies (Guo Song, M., & Song, J., 2010). In other words, CC needs governance to support business goals and objectives, ensure value delivery, improve security, and enable appropriate cloud decision-making. Therefore, to minimize the negative impact of CC and to maximize its value, a CC governance approach is required, on the one hand to control enterprises' CC virtual assets, and on the other hand to mitigate CC risks, communicate clear business objectives, and handle a myriad of regulations.
Currently, many approaches, standards, and frameworks have been proposed by several organizations and research teams to address the cloud governance issue. Examples include the Cloud Security Alliance, the Federal Risk and Authorization Program, the European Network and Information Security Agency, the Information Systems Audit and Control Association, and the International Organization for Standardization. But despite their quality, the existing works suffer from several weaknesses: for example, they are limited to one specific governance domain, they were not originally created to respond to CC-specific risks, and/or they are not yet commonly accepted as a standard throughout the computer industry.