COBIT Evaluation as a Framework for Cloud Computing Governance

Yassine Bounagui (INPT, Rabat, Morocco), Hatim Hafiddi (IMS Team - SIME Lab., ENSIAS, Mohammed V University of Rabat, Morocco & ISL Team - STRS Lab., INPT, Rabat, Morocco) and Abdellatif Mezrioui (INPT, Rabat, Morocco)
Copyright: © 2016 | Pages: 18
DOI: 10.4018/IJCAC.2016100104


The present paper aims at providing an approach for evaluating COBIT as a base framework for cloud computing governance. For that purpose, the authors first conducted a systematic research review to identify, analyze, and structure the main cloud computing governance requirements. Second, based on the systematic research review, a mapping of COBIT control objectives to the corresponding cloud computing governance requirements is proposed. Third, the mapped control objectives are evaluated against the cloud computing governance requirements to identify and analyze the framework's gaps. The paper's results are relevant inputs for the extension of COBIT processes and capabilities and can thus provide a base framework for building a holistic cloud computing governance approach.
Article Preview

1. Introduction

Based on virtualization and abstraction techniques, cloud computing (CC) is a model through which dynamic, flexible, and scalable resources (e.g. computing power, data storage) and services (e.g. management, administration) are delivered through the network “as a service” (ISACA, 2011). The commonly accepted definition is from NIST (Mell & Grance, 2011) which defines CC as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”. NIST also defines five essential characteristics of CC (i.e. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (i.e. Software as a Service, Platform as a Service, and Infrastructure as a Service), and four deployment models (i.e. Private cloud, Community cloud, Public cloud and Hybrid cloud).

It is true that CC generates considerable operational and financial interest for public and private organizations (Ahuja & Rolli, 2011; Chang et al., 2011), but despite all its benefits there are still many challenges and open issues that impact its credibility and pervasiveness (Almorsy, Grundy, & Ibrahim, 2011). In fact, according to our previous study (Bounagui, Hafiddi, & Mezrioui, 2015), CC adoption has led to an increasing number of security, compliance, and legal issues. Additionally, many aspects of IT governance (e.g. information security, risk management, or service level agreement management) are negatively impacted by CC adoption. Consequently, a considerable review and readjustment of these IT governance aspects is required to maintain the balance between traditional IT governance and CC governance. Thus, CC governance is critical and is key to maximizing the value that any organization receives from its investment in IT.

CC governance is literally defined as the set of processes, responsibilities, and practices mainly used to manage and control CC adoption and implementation in accordance with recognized policies, audit procedures, and management policies (Guo Song, M., & Song, J., 2010). In other words, CC needs governance to support business goals and objectives, ensure value delivery, improve security, and enable appropriate cloud decision-making. Therefore, to minimize the negative impact of CC and to maximize its value, a CC governance approach is required to control the enterprise's CC virtual assets on the one hand, and to mitigate CC risks, communicate clear business objectives, and handle a myriad of regulations on the other hand.

Currently, many approaches, standards, and frameworks have been proposed by several organizations and research teams to address the cloud governance issue. Examples include the Cloud Security Alliance, the Federal Risk and Authorization Management Program, the European Network and Information Security Agency, the Information Systems Audit and Control Association, and also the International Organization for Standardization. But despite their quality, the existing works suffer from several weaknesses: they are limited to one specific governance domain, they were not originally created to respond to CC-specific risks, and/or they are not yet commonly accepted as standards throughout the computer industry.
