CLOUD COMPUTING:

A business and economical perspective

Gianmario Motta1, Nicola Sfondrini2, Daniele Sacco3

Department of Industrial and Information Engineering
University of Pavia
Via Ferrata 1, Pavia, Italy
1
[email protected], [email protected], [email protected]

Abstract— We present a Systematic Literature Review (SLR)

on Cloud Computing that selected 51 papers from first tier TABLE 1 - CLASSIFICATION OF C LOUD COMPUTING ISSUES
journals and conferences in the period 2008-2012. The selective
Primary Secondary Content
approach captures the economical perspective on Cloud
Computing highlighting especially the business issues, Domains Domain
cost/pricing models, and legal issues raised by the adoption of Service Level Performance, Performance studies to
this new technological approach. Finally, it also spots emerging Management Security refine workflow setting and
issues as a general lack of framework for security and service security.
level management that respond to the peculiar profile of Cloud Business Cost, Legal The economic value and
Computing. Issues Issues privacy issues.
Other Papers that cover multiple
Cloud Computing, Literature Review, Cloud Deployment domains
Model, Cloud Delivery Model, IT management
C. Source Selection
A SLR may be complete or selective. We follow the
I. INTRODUCTION latter approach. We are aware that in this case some relevant
ideas may be missed, but analyzing thousands of papers
Undoubtedly, Cloud Computing (CC) is a fashionable would be frankly infeasible. Our selective SLR has been
topic from 2007 onwards. The issue we deal with is about based on web search engines:
the kind of comprehension we have about CC. In more  IEEE Computer Society
precise terms we state it as “What cloud computing really is  Google Scholar
and what level of maturity has reached”. To answer it, we  ACM Digital Library
have conducted a Systematic Literature Review (SLR). In We have selected English-written sources given the small
the following sections we illustrate its method. number of relevant documents in other languages. Books
A. The method of Systematic Literature Review (SLR) were not considered, because they often deal many different
SLR is an “explicitly formulated, reproducible and up-to- concepts that may cover too many areas. In short, 51 articles
were selected trough three steps:
date summary” [1]. As opposed to narrative reviews, it is
based on a specified structured method. Our SLR includes  An initial set of pertinent studies is extracted from
the following steps: the titles retrieved by search engines by reading title,
 Formulation of the research question abstract and introduction.
 Eliminate short papers, non-English papers, non-
 Selection of sources and inclusion of primary studies
international
 Quality assessment and data extraction
 Select the final set of papers based on to their
 Summary of study result adherence to research questions.
 Results interpretation. Within each of the research perspectives we have
B. Formulation of the research mentioned in Table 1, a source may fall in various
The overall research question is, as we said earlier, categories, that we list in Table 2.
“What cloud computing really is and what level of maturity TABLE 2 - CATEGORIES OF SOURCES
has reached”. Once the question is stated, the second point is
how to classify articles. This point is discussed by various Category Description
authors [2] [3]. We have classified research by a two levels Case study An investigation on a single individual,
grid (Table 1). Each of these research domains is illustrated group, incident, community or enterprise
by a dedicated section in section 2. Theory Guidelines on or introduction to a particular
subject; theoretical considerations on the
 research issue encryption technique. Moreover, by combining the technique
Survey An investigation on a given topic based on of proxy re-encryption with KP-ABE, it is possible to solve
the analysis of a given sample the issue of user revocation, by delegating burdensome tasks
Simulation A study that introduces simulation methods to cloud servers [15]. A common vision proposes a Trusted
and related results Third Party (TTP) to ensure authentication, integrity and
Position Presents an opinion about an issue confidentiality of data and communications [16] [17].
paper Trust management and policy integration: The
Literature Profiles the literature related to a given topic combined use of multiple service providers increases
Review performance and flexibility but raises security issues because
of different security and privacy mechanisms. Therefore,
II. FINDINGS mechanisms that handle dynamic collaboration properly and
We here discuss the positions emerging from the SLR, that effectively monitor during interoperations security
breaches, are needed. A framework should be established
segmented by domain [2] [4] [5].
with a set of indicators to measure security levels and
A. Service Level Management manage evolving requirements [11]. Cloud computing also
Cloud computing is the last technological trend that has attracted Governments, because it offers substantial
changed the concept of IT infrastructure. The physical opportunities for information sharing, applications
servers are split into virtual machines whose resources are processing and cost saving. However cloud computing
flexible and scalable according to the requests made by involves tangible risks, as unauthorized accesses, and
users. In this way the same machine can be shared by intangible risks, as the reliability of the access. Governments
multiple users and data can be fragmented in different should create a policy structure to avoid unforeseen risks and
locations. These characteristics raise important doubts about to provide effective risk management that identifies common
the security of these systems and the ability of properly tangible risks and intangible risks [18].
governing the services provided. 2) Performance
1) Security The real potential of cloud computing is the subject of
The architectural concept of cloud computing involves several studies that consider performance measurement and
benefits as centralization of security, data redundancy and performance improvement by workflow scheduling and load
process segmentation. However it introduces also new balancing. Let us summarize the main topics of this area.
security issues [6] [7] [8]. Computational power: the power promised by cloud is
Authentication and identity management: a critical attracting the community of scientific computing, who saw
factor is to provide a robust federated identity management an alternative where resources are no longer in a private data
architecture and strategy [9] [10]. The use of different center but leased as needed. Scientific applications as
identity tokens and identity negotiation protocols may astronomical calculations or human genome sequencing
generate challenges. While an user interacts with a web require huge computing power and, thus, are good tests.
service, the same service may need to ensure that identity is Several experiments have shown that cloud systems can
protected from other services. Therefore, in multi-tenant provide excellent computing performance but have also
cloud environments, providers should isolate customer highlighted scheduling delays and wide area
identity and authentication information by integrating related communications issues [19] [20]. Moreover cloud computing
components to other security components [11]. Cloud is still immature, because, in solving linear systems, cost
providers offer different options to fortify traditional grows exponentially with the problem size, and this is in
authentication based on ID and password using one-time contrast with scalable high-performance computing systems
password systems or digital certificates. Higher levels of (HPC). This challenge opens new scenarios for cloud
protection can be obtained by Open Authorization (OAuth), providers; for, they could use, in future, different cost models
that allows users to easily login without revealing the and better interconnections or nodes with greater physical
information of user account and password, or by ID memory to overcome the bottleneck caused by slow
management systems based on open ID frameworks as the networks [21] [22] [23].
Security Assertion Markup Language (SAML) and WS- Performance Provisioning: Although cloud has been
Federation [12] [13]. created to prevent provisioning operations, simulating
Privacy and data protection: Cloud customers fear alternative provisioning scenarios is highly recommended.
greatly that data and applications are stored outside their For, a proactive approach allows to test performances in a
datacenters. Cloud Providers should therefore assure a high free cost environment and to identify bottlenecks before
security and, at the same time, a complete transparency in deployment [24]. However, these simulations reflect
operations. Another important issue is tracking data changes, forecasts and not actual requests. Therefore, some
that could be used for the history-based access control; researchers have developed systems to test the cloud by the
however the balance between data provenance and privacy load profile extracted from the execution history, with a
becomes complex in clouds, where physical perimeters are plausible scenario [25].
abandoned [11] [14]. To solve this issue, providers offer Load balancing: In real time whatever load beyond the
solutions based on classic cryptography and hybrid limits considered in the simulations may block the system;
therefore, resources should be allocated dynamically. This the key elements through which the analyst can compute the
option could be extended beyond the resources available in a cost of the solutions [36] [37] [38] [39]. If a complete
private cloud or in a traditional data center by directing extra migration is impossible or inconvenient, companies can buy
load requests to resources of a public cloud [26]. The resources in a public cloud to augment their capacity. This
importance of an efficient load balancer has prompted many scenario has pushed the University of Melbourne to a series
researchers to study improvements that allow shorter of experiments. The results show that the cost of
activation time and better use of pre-allocated resources [27]. performance increases where the cluster is under-utilized;
Moreover, to increase the flexibility of cloud systems, new also, cloud computing may have different complexities that
paradigms have been developed, such as MapReduce and should be assessed and managed before its adoption [40].
Hadoop, that allow applications to work with thousands of The first item to assess is the cost to create a datacenter and
nodes and petabytes of data [23]. These solutions involve, to provide resources for both internal and commercial
however, to redesign agile data centers, where applications services. To simplify this task, researchers have developed a
are loosely coupled with underlying infrastructure and easily framework to calculate the Total Cost of Ownership (TCO),
communicate and share virtual resources [28]. that takes into account the number of physical server and
Service level agreement: the benefits offered by storage space, on the basis of the maximum number of VMs
resource scalability and pay-as-you-go approach contrast that can be deployed and simultaneously executed on a
with the low standardization and continuous change of physical server [41]. With the same purpose of low cost,
systems. Therefore, a clear Service Level Agreements (SLA) other researchers propose to run data centers at hotter
is critical. The lack of a precise set of metrics complicates temperatures to reduce cooling cost and to build micro data
management, especially when services are across many centers near end users to reduce bandwidth cost. This
providers. Other factors, as trust in the cloud providers, strategy, however, implies additional initial cost and
become important to companies that are clouding critical maintenance operations outside corporate walls [42]. To
data. Web Service Level Agreement (WSLA) framework eliminate the need of micro data centers, an economic model
offers a mechanism for SLA monitoring and SLA for self-tuned cloud caching has been proposed. This
enforcement in a Service Oriented Architecture (SOA) requires minimal capital expenditure and also ensures an
proposing itself as an optimal approach as seen in cloud high QoS to multiple users [43]. A second step is pricing. To
computing environment [29]. get higher profit, an autonomic pricing may be used; it self-
adjusts pricing parameters on the amount of resources
B. Business Issues reserved to each user and their actual utilization. For
Cloud computing offers benefits to all actors involved in reservation ensures users to access future resources and
the service but has raised new business models and legal improves planning and management of operations [44].
issues about data confidentiality and privacy; other less
obvious topics as cultural imperialism or issues of 2) Legal issues
accountability are important ethical problems in cloud Cloud computing raises several legal issues both for
computing [30] [31] [32]. Therefore, many researchers have customers and providers [45]. The physical location is
investigated cost and benefits of cloud computing and legal critical because there are no international agreement on data
issues that may undermine it [4] [33]. protection and privacy [46]. Governments might play a
strategic role to promote cloud computing as they supported
1) Cost Internet in the years '80-'90 [47]. Although many critical
The ability of quickly scaling resource usage is a popular factors are common with web services, some legal issues
benefit of cloud computing. For, it avoids both the cost of have a particular prominence and are ruled differently in
over-provisioning and the risks of under-provisioning during different countries.
a peak [34]. Therefore, cloud providers have introduced USA: U.S. have legal and regulatory rules, especially on
pricing models where users "pay as they go”. These new privacy rights, that hardly can be enforced in massive cloud
business models together with the concept of multi-tenancy computing [48].
generate benefits for end users and providers. The  HIPAA Restrictions on Health Data: it imposes
commonest pricing models are [35]: significant restrictions on the disclosure of protected
 Tiered pricing: several levels of hardware health information.
specifications are provided at a cost per unit time;  Gramm-Leach-Bliley Act: it restricts financial
 Per-unit pricing: resources provided are flexible institutions from disclosing consumers personal data
and scalable on the basis of the requests and the user to third parties, verifying that service provider is
pays for their exact usage; capable of maintaining an appropriate data
 Subscription-based pricing: typical of SaaS, management and of ensuring such security level by
involves a contract that specifies the resources contract.
available and the number of users.  State Breach Notification Laws: it requires that
Some researchers have developed frameworks to data owners notify individuals whose computerized
compare the cost of cloud computing to conventional in- personal information has been subject to
house approaches; they identify business domains, unauthorized access. In a cloud computing control is
objectives, demand behavior and technical requirements as
 complex because the data owner has not a complete III. CONCLUSION
control on the security of company data. Our SLR has illustrated the current academic research
Europe: data protection authorities have recently landscape on Cloud Computing (CC) and has highlighted
covered cloud computing to ensure compliance with EU data relevant trends. In our review, we found different definitions
protection requirements [49]. that still show a conceptual uncertainty. All articles, even
 Data Controllers and Service Providers: Data underline important benefits provided by the CC adoption,
Controller determines purposes and methods of have also addressed several issues. These issues are
treatment of personal data and is responsible for developed, in most cases, from the provider’s perspective,
compliance with data protection law. Service while research should still cover the quality of the service
providers have to ensure measures to protect from the end-user’s viewpoint [51]. Some authors have
personal data against accidental or unlawful considered benefits and challenges of cloud computing from
destruction or loss or unauthorized access and a broad perspective, thus showing economic benefits for
alteration. providers and end users. On the other hand, CC might imply
 International Data Transfers: transferring personal key ethical and legal issues that may delay or even prevent a
data outside European Economic Area is prohibited, mass adoption. The review shows that the CC involves not
unless the receiving country provides an adequate only the corporate world but can provide computational
protection. This rule is tight and recognizes data power to the masses. For this reason we can describe CC as
transferring to few countries, causing significant an IT “commodization” that provides technological services
limitations to cloud computing. Currently, U.S. do in the same manner of standard utilities such as electricity,
not satisfy EU specifications and a data transfer to water and telephony. Finally, as highlighted by our review,
them may be authorized only if the data recipient has despite of the high potentiality, cloud computing has also
implemented a legal mechanism to enforce an server issues resulting from the lack of precise definition and
adequate protection (e.g. U.S. Safe .Harbor the lack of standards that are slowing the massive spread of
Program). this technology still not completely mature.
 Legal Bases for Processing Data in a Cloud:
Under EU data protection law the data upload in a
cloud computing environment is considered as REFERENCES
processing. Furthermore the organizations should
have a legal basis to process personal data or obtain [1] M. Egger, G. D. Smith, and K. O’Rourke, “Rationale, potentials, and
permission through an explicit agreement of specific promise of systematic reviews”, Systematic reviews in health care:
items in the contract. Meta-analysis in context, pp. 3-19, 2001
UK: UK shares with EU several measures [50]. [2] H. Yang and M. Tate, Where are we at with cloud computing?: a
 The Data Protection Act 1998 contains eight descriptive literature review, 2009.
principles for protection and restriction on personal [3] I. Sriram and A. Khajeh-Hosseini, “Research agenda in cloud
data treatment. The first principle states that personal technologies”, arXiv:1001.3259,. 2010.
data should be processed fairly and lawfully. In [4] A. Khajeh-Hosseini, I. Sommerville, and I. Sriram, “Research
challenges for enterprise cloud computing”, arXiv:1001.3257, 2010.
accordance with its principle the cloud provider
[5] G., Motta and N. Sfondrini, “Research studies on cloud computing: a
obtains permission to treat these data by inserting a systematic literature review”, 17th International Business Information
specific consent in contracts. The seventh principle Management Association Conference (IBIMA), 2011.
states that "appropriate technical and organizational [6] S. Subashini and V. Kavitha, “A survey on security issues in service
measures must be taken to prevent unauthorized or delivery models of cloud computing”, Journal of Network and
unlawful processing or accidental loss or destruction Computer Applications, 34, pp. 1-11, 2011.
of personal data". However, in cloud computing [7] L. X. Liu, G. Hu, Z. Huang and Y. X. Peng, “White Cloud or Black
access to data can be accessed from any device thus Cloud: Opportunity and Challenge of Spectrum Sharing on Cloud
Computing”, Advanced Materials Research, 430, pp. 1290-1293,
violating such restrictions. Anyway, data 2012.
fragmentation used by cloud computing system
[8] B. Hay, K. Nance, and M. Bishop, “Storm Clouds Rising: Security
indirectly provides some level of security by Challenges for IaaS Cloud Computing”, IEEE, pp. 1-7, 2011.
preventing to know the location of files. [9] S. Srinivasamurthy and D. Liu, Survey on Cloud Computing Security.
 The Copyright and Rights in Databases 2010.
Regulations 1997 established a stand-alone [10] A. Almutairi, M. Sarfraz, S. Basalamah, W. Aref, and A. Ghafoor, “A
intellectual property right where a database has Distributed Access Control Architecture for Cloud Computing”, IEEE
originality in the selection or arrangement of its software, 2011.
contents and there has been a substantial investment [11] H. Takabi, J. B. D. Joshi and G. Ahn, “Security and Privacy
in obtaining, verifying or presenting that content". Challenges in Cloud Computing Environments”, Security & Privacy
IEEE, 8, pp. 24-31, 2010.
Afterwards, a court has clarified the meaning of
[12] C. L. Tsai, U. C. Lin, A. Chang, and C. J. Chen, “Information security
"substantial investment" by specifying that it applies issue of enterprises adopting the application of cloud computing”,
to the creation of the database itself and not to the IEEE, pp. 645-649, 2010.
collection of information content.
[13] M. Okuhara, T. Shiozaki, and T. Suzuki, “Security Architecture for [36] M. Klems, J. Nimis, and S. Tai, “Do clouds compute? a framework
Cloud Computing”, FUJITSU Sci. Tech. J, 46, pp. 397-402, 2010. for estimating the value of cloud computing”, Designing E-Business
[14] ComPUtING, C., “Cloud computing privacy concerns on our Systems: Markets, Services, and Networks, pp. 110-123, 2009.
doorstep”, Communications of the ACM, 54. 2011. [37] E. Walker, “The real cost of a CPU hour”, Computer, 42, pp. 35-41,
[15] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, 2009.
and fine-grained data access control in cloud computing”, IEEE, pp. [38] A. Khajeh-Hosseini, I. Sommerville, J. Bogaerts, and P. Teregowda,
1-9, 2010. “Decision Support Tools for Cloud Migration in the Enterprise”.
[16] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public arXiv:1105.0149, 2011.
auditing for data storage security in cloud computing”, IEEE, pp. 1-9, [39] C. Weinhardt, A. Anandasivam, B. Blau, and J. Stößer, “Business
2010. models in the service world”, IT professional, 11, pp. 28–33, 2009
[17] D. Zissis and D. Lekkas, “Addressing cloud computing security [40] M. D. De Assuncao, A. Di Costanzo, and R. Buyya, “Evaluating the
issues”, Future Generation Computer Systems, 2010. cost-benefit of using cloud computing to extend the capacity of
[18] S. Paquette, P. T. Jaeger, and S. C. Wilson, “Identifying the security clusters”, ACM, pp. 141-150, 2009.
risks associated with governmental use of cloud computing”, [41] X. Li, Y. Li, T. Liu, J. Qiu, and F. Wang, “The method and tool of
Government Information Quarterly, 27, pp. 245-253. 2010. cost analysis for cloud computing”, IEEE, pp. 93-100, 2009.
[19] S. Hazelhurst, “Scientific computing using virtual high-performance [42] A. Greenberg, J. Hamilton, D. A. Maltz, and P. Patel, “The cost of a
computing: a case study using the Amazon elastic computing cloud”, cloud: research problems in data center networks”, ACM SIGCOMM
ACM, pp. 94-103, 2008. Computer Communication Review, 39, pp. 68-73, 2008.
[20] C. Hoffa, G. Mehta, T. Freeman, E. Deelman, K. Keahey, B. [43] D. Dash, V. Kantere, and A. Ailamaki, “An economic model for self-
Berriman and J. Good, “On the use of cloud computing for scientific tuned cloud caching”, IEEE, pp. 1687-1693, 2009.
workflows”, IEEE, pp. 640-645, 2008. [44] C. S. Yeo, S. Venugopal, X. Chu, and R. Buyya, “Autonomic metered
[21] J. Napper and P. Bientinesi, “Can cloud computing reach the pricing for a utility computing service”, Future Generation Computer
top500?”, ACM, pp. 17-20, 2009. Systems, 26, pp. 1368-1380, 2010.
[22] S. Ostermann, A. Iosup, N. Yigitbasi, R. Prodan, T. Fahringer, and D. [45] S. Pearson, “Taking account of privacy when designing cloud
Epema, “A performance analysis of EC2 cloud computing services computing services”, IEEE Computer Society, pp. 44-52, 2009.
for scientific computing”, Cloud Computing, pp. 115-131, 2010 [46] P. T. Jaeger, J. Lin, J. M. Grimes, and S. N. Simmons, “Where is the
[23] J. Ekanayake and G. Fox, “High performance parallel computing with cloud? Geography, economics, environment, and jurisdiction in cloud
clouds and cloud technologies”, Cloud Computing, pp. 20-38, 2010. computing”, First Monday, 14, 2009
[24] N. Yigitbasi, A. Iosup, D. Epema, and S. Ostermann, “C-meter: A [47] M. R. Nelson, “The cloud, the crowd, and public policy”, Issues in
framework for performance analysis of computing clouds”, IEEE Science and Technology, 25, pp. 71-76, 2009.
Computer Society, pp. 472-477, 2009. [48] W. J. Robison, “Free at What Cost?: Cloud Computing Privacy Under
[25] D. H. Woo and H. H. S. Lee, “PROPHET: goal-oriented provisioning the Stored Communications Act”, Georgetown Law Journal, 98,
for highly tunable multicore processors in cloud computing”, ACM 2010.
SIGOPS Operating Systems Review, 43, pp. 102-103, 2009. [49] L. J. Sotto, B. C. Treacy, and M. L. McLellan, “Privacy and data
[26] T. Dornemann, E. Juhnke, and B. Freisleben, “On-demand resource security risks in cloud computing”, Electronic Commerce & Law
provisioning for BPEL workflows using Amazon's elastic compute Report, 15, pp. 186, 2010.
cloud”, IEEE Computer Society, pp. 140-147, 2009. [50] A. Joint, E. Baker, and E. Eccles, “Hey, you, get off of that cloud?”,
[27] H. A. Lagar-Cavilla, J. A. Whitney, A. M. Scannell, P. Patchin, S. M. Computer Law & Security Review, 25, pp. 270-274, 2009.
Rumble, E. De Lara, M. Brudno, and M. Satyanarayanan, [51] M. Pastaki Rad, A. Sajedi Badashian, G. Meydanipour, M. Ashurzad
“SnowFlock: rapid virtual machine cloning for cloud computing”, Delcheh, M. Alipour, and H. Afzali, “A Survey of Cloud Platforms
ACM, pp. 1-12, 2009. and Their Future”, Computational Science and Its Applications–
[28] A. Singh,, M. Korupolu, and D. Mohapatra, “Server-storage ICCSA, pp. 788-796, 2009.
virtualization: integration and load balancing in data centers”, IEEE
Press, 53, 2008.
[29] P. Patel, A. Ranabahu, and A. Sheth, Service Level Agreement in
Cloud Computing, 2009.
[30] G. Motta and N. Sfondrini, “Cloud computing and enterprises: a
survey”, The 2nd International Conference on Computer and
Management (CAMAN), 2012.
[31] F. M. Aymerich, G. Fenu, and S. Surcis, “An approach to a Cloud
Computing network”, IEEE, pp. 113-118, 2008.
[32] J. Timmermans, V. Ikonen, B. C. Stahl, and E. Bozdag, “The Ethics
of Cloud Computing: A Conceptual Review”, IEEE, pp. 614-620,
2010.
[33] V. Chang, C. S. Li, D. De Roure, G. Wills, R. Walters, and T. Barry,
“Cloud Computing Business Framework: Linking Operations, IT and
Enterprises”, Journal of Operations Management, 2011.
[34] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A.
Konwinski, G. Lee, D. Patterson, A. Rabkin, and I. Stoica, “A view
of cloud computing”, Communications of the ACM, 53, pp. 50-58,
2010.
[35] L. Youseff, M. Butrico, and D. Da Silva, “Toward a unified ontology
of cloud computing”, IEEE, pp. 1-10, 2008.