Information security accountability in the cloud computing context

Al Rashdi, Z 2018, Information security accountability in the cloud computing context, Doctor of Philosophy (PhD), Business IT and Logistics, RMIT University.

Document type: Thesis
Collection: Theses

Attached Files
Name Description MIMEType Size
Al_Rashdi.pdf Thesis application/pdf 9.68MB
Title Information security accountability in the cloud computing context
Author(s) Al Rashdi, Z
Year 2018
Abstract This thesis presents a model of the core conceptual elements that determine information security accountability in a cloud computing context. Accountability is a core concern for information security within cloud computing; it represents the trust in service relationships between clients and cloud service providers. Without evidence of accountability, a lack of trust and confidence in cloud computing is to be expected from decision-makers. Furthermore, a lack of accountability is considered as an added level of risk, especially since a client's essential services are controlled and managed by a third-party. Consequently, this new paradigm of outsourcing increases the difficulty of maintaining data security and privacy, supporting data and service availability, and demonstrating compliance.

In addition, there is the problem of ensuring that security obligations are implemented by cloud service providers. Although technical aspects for cloud security and privacy have been actively researched, the focus on detective controls in relation to cloud accountability and auditability is scarce. Encryption and other privacy protection techniques will only manage a part of this problem. Research is needed into accountability and auditability of cloud service providers to affect both preventive and detective measures in ways that promote transparency, governance and the accountability of the cloud service providers. The enormous growth in moving businesses to cloud computing - due to its flexibility, cost effectiveness, scalability, and the perceived benefits of transference of data security - highlights the growing need for research in this area.

This study used an interpretive qualitative case study using a grounded theory approach. The research provides an explanation of what information security accountability in the cloud computing context is, and how government organisations achieve information security accountability in cloud computing. This study conducted eighteen qualitative case studies with nineteen different Omani government organisations and three cloud service providers (a total of thirty-four interviews). An extensive literature review was carried out on information security accountability in the context of cloud computing. Four core elements of information security accountability were identified in the literature and confirmed in this study - transparency, remediation, assurance and responsibility. The key finding from this study was that there are eight core elements that make up information security accountability. Therefore, this study presents a more detailed definition of information security accountability than what was previously described in the literature.

First, the researcher examined the meaning of information security accountability against the eight core elements. The eight core elements were identified along with their sub-elements. Then, the researcher examined the meaning of information security accountability to find out whether the four components identified from the literature could be extended. The four key conceptual elements identified in the literature were confirmed and extended to include more sub-elements as a result of the case studies. Four new elements were also identified by the case studies: accountability support environment, flexible change process, collaboration, and a commitment to external criteria. It was concluded that for an organisation to be considered information security accountable, it must address each of these eight factors as necessary in achieving information security accountability.
Additional findings were presented in this research, such as, eleven key operational mechanisms, and the role of the cloud service provider. There were also newly identified relationships between the core elements of information security accountability. These findings contribute to the growing awareness of the importance of information security accountability during all stages of data migration. It was also found that the level of relevance for each of the eight elements is highly context-dependent.
The study also revealed that the perception of information security accountability varies between government client organisations and cloud service providers and is highly dependent on the sensitivity or classification of the data migrated to the cloud - whether it is classified as having a high, medium, or low level of security. The nature of the organisation also plays an important role in determining the perception of accountability. The study shows there are three distinct types of relationships in cloud service provision namely, (1) collaboration based (two-way relationship); (2) marketing based (one-way relationship); and (3) internally based (private cloud that is hosted internally within the government entity and has to comply with internal service level agreements and internal standards).

Most importantly, this study revealed three main strategies to strengthen accountability. The first is a coercive strategy - this appears in the relationship between government client organisations and for-profit cloud service providers. The second strategy is a collaborative strategy - this appears in the relationship between governments and government cloud service providers (in this case, the Information Technology Authority of Oman). The third is an independent strategy. In this strategy, the government client organisation decides not to have any external hosting of their applications or data, and instead establishes an internal cloud service provider.
Degree Doctor of Philosophy (PhD)
Institution RMIT University
School, Department or Centre Business IT and Logistics
Subjects Information Systems Management
Keyword(s) Cloud computing
Information security
Information Security Accountability
Cloud service provision
Accountability elements
Version Filter Type
Access Statistics: 126 Abstract Views, 154 File Downloads  -  Detailed Statistics
Created: Thu, 13 Jun 2019, 08:04:21 EST by Adam Rivett
© 2014 RMIT Research Repository • Powered by Fez SoftwareContact us