Startup in the Cloud

(1)

Startup In The Cloud

Information Systems For Startup Companies Based On Cloud Computing

Hans Martin Galliker FH BKO-C06

(2)

Information Systems For Startup Companies Based On Cloud Computing

Bachelor Thesis – Individual Work

Bachelor Of Arts In Business Communication

University Of Applied Sciences In Business Administration Zurich

Submitted To: Beat Hofer, Executive MBA General Manager, PanOptimum GmbH

Submitted By: Hans Martin Galliker

FH BKO-C06

Maihusen, 6215 Beromuenster, Switzerland Zurich, February 26, 2010

(3)

Cloud computing is a technology that enables to use software as a service. Cloud computing service providers assure to deliver the software at less cost than ever. The services are promised to run without downtime and require solely an internet connection and a browser. Some services are completely free, such as Google Mail, whereas others like Salesforce are paid according to the effective usage. Cloud computing promises flexible business processes in order to keep up with constantly changing markets, shorter lead times and better connectivity by using the intelligence of social networks.

These promises are not unheard, the business press is constantly giving an account of cloud computing. But what does it mean for startups, entrepreneurs and small companies? This thesis Startup in the Cloud examined whether cloud computing is secure, affordable, simple, lawful, available to all industries and whether it is encouraging innovation.

The research results have shown that startups and small companies are able to benefit from the cloud computing services the most. The absence of capital expenditure is excellent news for startup companies and they also have a leveraged advantage out of the flexibility that cloud computing offers. Simply because smaller organisations can capitalize faster on new market opportunities in comparison to larger companies.

The downside is the dependency on the service provider, the reason being that data is stored in a data center and depending on the contract and technical hurdles can it prove to be difficult to move to another service provider. However, by seriously assessing the business requirements and analyzing the risks, it is possible to compare offerings from different service providers in order to avoid being locked. Furthermore, supranational organizations, public institutions, non-profit organizations, private communities and even the IT industry aim towards an open cloud with compatible, public standards.

Cloud computing has been given the potential to democratize global business opportunities, as

principally anyone with internet access has the chance to use sophisticated information systems. This seems to be an interesting prospect for startups, entrepreneurs and small companies from all over the world. The author of this thesis recommends strongly to assess the opportunities that cloud computing offers to them.

(4)

Management Summary... I Declaration... V Methodological Approach ... Vi

Initial Position ... 1

Defining Cloud Computing ... 2

Definition ... 2

Essential Characteristics ... 3

Service Models ... 6

Deployment Models... 8

Cloud Computing Security... 10

Cloud Computing Enablers And Trends ... 11

Connecting Clouds... 11

Open Standards And Open Source Community ... 12

Service Orientation ... 13

Grid Computing ... 13

Significance: Defining Cloud Computing ... 14

Political Implications And Standardization ... 15

Understanding Global Governance To Enable Global Business Opportunities ...15

Activities On Continental Level ... 19

United States... 20

Asia... 22

Europe... 23

Standardization... 25

ISO Standard For Cloud Computing ... 25

Overlapping Competencies ... 26

Bottom-up Standardization ... 26

Significance: Political Implications And Standardization ... 27

Market, Economics And Trends ... 30

Business Benefits In General... 31

Benefits For Startups And Small Companies In Particular ... 32

(5)

Cloud Computing In Large Enterprises ... 35

Variations And Industries ... 36

Ever Changing Business Requirements ... 38

Relationships As A Driver... 38

Buyers Become Sellers... 40

Human Interaction Management ... 41

Trends... 44

Encouraging Innovation By Simplicity ... 44

Software Paradigm Shift Away From Conventional To Pay As You Go ...45

Freemium - Cloud Computing As A Potential Cost Trap ... 46

Hosted Open Source Business Opportunities ... 46

Paradigm Shift Of Change – From Push To Pull And From Mass To Micro Markets ... 47

Mega Data Centers... 47

Brokering Cloud Services ... 48

Significance: Market, Economics And Trends ... 49

Evaluation Guide... 50

How To Approach A Cloud Computing Evaluation? ... 50

Who Is Initiating And Attending The Evaluation? ... 51

Introduction To CSA Guidance For Cloud Security Assessment ... 52

CSA Guidance: Section 1. Cloud Architecture ... 56

Domain 1: Cloud Computing Architectural Framework ... 56

Domain 2: Governance And Enterprise Risk Management ... 60

Domain 3: Legal And Electronic Discovery ... 61

Domain 4: Compliance And Audit... 61

Domain 5: Information Lifecycle Management ... 62

Domain 6: Portability And Interoperability ... 62

Domain 7: Traditional Security, Business Continuity And Disaster Recovery ... 62

Domain 8: Data Center Operations... 62

Domain 9: Incident Response, Notification And Remediation ... 62

Domain 10: Application Security ... 63

Domain 11: Encryption And Key Management ... 63

Domain 12: Identity And Access Management ... 63

Domain 13: Virtualization... 64

Orientation In The Cloud Computing Jungle ... 64

Significance: Evaluation Guide... 65

(6)

Table Of Tables... 68

Table Of Illustrations... 69

Bibliography... 70

Annex: Consulting Experts... 79

(7)

I certify that:

! the thesis being submitted for examination is my own account of my own research

! the data and results presented are the genuine data and results actually obtained by myself during the conduct of the research

! this thesis in identical or similar form has not yet been submitted to any other board of examiners

Zurich, February 26, 2010

…... Hans Martin Galliker

(8)

The following methodologies have been applied: ! Literature research

! Consulting experts

Experts have been consulted in order to get answers on specific questions of interest:

! Both, experts with a distinct academical background and experts with rather practical background have participated

! A questionnaire with results can be found in the annex

The following table shall give an overview of how the methodological approaches have been applied:

Theoretical only * Mixed theoretical and practical **

Rather practical *** Own assumptions & conclusions ****

Initial Position

_x

Problem Analysis

_{x (H)}

Defining Cloud Computing

_x

Political Implications and

Standardization

x

Markets, Economics and

Trends

x

Evaluation Guide

_x

Conclusion

_x

Table a: Application of methodological approaches. Annotations: (H) main questions and assumptions hypothesized / * Without results from “Consulting Experts” and completely derived and supported by literature / ** Includes results from “Consulting Experts” and extensively derived and

supported by literature / *** Includes results from “Consulting Experts” and enhanced with derived opinions from the author of this thesis / **** Setting in context Assumptions & Findings with own experiences

The citations within text, footnotes and bibliography have generally been made on the base of Chicago

Manual of Style (Note with Bibliography). This style has been introduced in 1906 and is now in its 15th edition. It is widely used in the Angle-Saxon area for scientific publications and books and is the base for several other styles.1

The following list reflects the accredited value of the source types that have been used. In general, the sequence gives an account of the importance given, the exception proves the rule. The designations in the 1 cf. University of Chicago, “The Chicago Manual of Style Online - 15th Edition: Chicago-Style Citation Quick Guide.”

(9)

which the citation elements are structured:

! Documents from standardization bodies with widely recognized acceptance from the business and the academic world (Book or Report or Document)

! Scientific books (Book)

! Scientific publications (Report) ! Scientific journals (Journal)

! Online articles from “serious” newspapers ( Newspaper Article) ! Videos (Video)

! Conference presentations (Presentation) ! Blogosphere (Blog Post)

! An online database application filled with survey replies from consulted experts ( Interview) ! Emails (Email)

! PDF's from commercial companies (Document) ! Informal websites (Web Page)

(10)

Initial Position

Founding a global operating, sustainable company is the dream of many young people. In order to fulfill this dream, fresh ideas, drive, innovation, reliable partners and efficient information handling, amongst many other points, are required. Inspiration and creativity knows no boundaries and many, somewhat challenging, ideas may at first have been scorned, only to be finally

acknowledged as something which truly adds value to our society.

There is a new wave of technology; some call it a new business philosophy, which could help young entrepreneurs to make their dream come true. It is called cloud computing. Cloud computing promises to provide highly-scalable information systems over the internet. All that is required is an internet browser. No investment capital is needed as it follows the pay-as-you-use principle. If what the business press and cloud computing pioneers say is true, then cloud computing could offer unforeseen opportunities to broad levels of the population, no matter where, as long as internet access is granted. It could, in a manner of speaking, enable young people to “Startup in the Cloud”.

But is cloud computing secure, affordable, simple to implement and in line with national laws? Does it foster innovation and is it available to all industries?

Is it possible to cover the information system needs of multinational startup companies based on cloud computing?

This bachelor thesis will answer these questions in a neutral and comprehensible way. It highlights the needs of startup companies who probably have the highest demand for smart but affordable information systems. The thesis is divided into four main parts:

! Defining cloud computing: Describes the characteristics of cloud computing

! Political implications and standardization: Highlights possibilities and opportunities for those who could benefit most from cloud computing

! Market, economics and trends: How cloud computing can be used and the most important trends

! Evaluation guide: How to approach an evaluation of cloud computing

The intended readers are startup companies, entrepreneurs who want to make a change, executive management level from smaller companies and chief information officers, but also everyone else who is interested in technology and in doing business.

(11)

Defining Cloud Computing

“Cloud Computing is a new term for a long-held dream of computing as a utility, which has recently emerged as a commercial reality.”2_{University of California}

Cloud computing does not have a birthday and it was not formally invented. Some underlying technologies have been used since the beginning of computing. Cloud computing is basically a new way of delivering computer resources as a service. According to IDC's analysis, this emerging market for cloud services is estimated to grow from $17.4bn in 2009 to $44.2bn in 2013. In spite of these numbers, cloud computing is not yet clearly defined and is still in an early, but dynamic development process.345

Definition

There is no universal definition for cloud computing, as it is a highly controversial topic. The most heard criticism is that cloud computing is nothing new and therefore does not need a definition. To complicate matters further, no cloud computing standard work has been published yet with an acceptance analogue like for example Kotler's “bible” in the field of marketing.678

However, the most used definition source is a two-pages word document which was initially written in 2008 by the Computer Security Division of the US National Institute of Standards and

Technology (NIST) and since then has continuously evolved under the auspices of NIST after

extensive consultation between IT governance institutions, industry and academia.The European

Network and Information Security Agency (ENISA), which also gained authority in the cloud

computing area, has leveraged the NIST definition by accepting it in November 2009 as the leading cloud computing definition.91011

2 in dependence on Parkhill, 1966, "The Challenge of the Computer Utility", cited by Armbrust et al., Above the Clouds:

A Berkeley View of Cloud Computing , 2.

3 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 21. 4 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 7.

5 cf. Gens, Mahowald, and Villars, 2009, "IDC Cloud Computing 2010 - An IDC Update", cited by Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security , 4.

6 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” 1. 7 cf. Chen, Paxson, and Katz, What’s new about Cloud Computing Security? , chap. 2.

8 cf. Balachandran, “The Messiah of marketing.”

9 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 2. 10 cf. Object Management Group et al., “Cloud Standards Coordination.”

(12)

The following sub-chapters are structured according to the NIST definition and quote in each case at the beginning the appropriate definition followed by further considerations.

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics , three service models, and four deployment

models.”12

Essential Characteristics

Many attributes can be accredited to cloud computing, but according to NIST these five essential characteristics can be named: First, on-demand self-service, second, broad network access, third,

resource pooling, forth, rapid elasticity and fifth, measured service. With one of them missing, cloud

computing can in the strict sense not be called as such, or at least the usage value will be limited if one is missing. To improve the reader friendliness, are the conclusive literally quotes set in grey tone.

1. On-demand self-service: “A consumer can unilaterally provision computing

capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.”13

12 Mell and Grance, “The NIST Definition of Cloud Computing v15.” 13 Ibid.

Illustration a: Visual Model of the NIST Working Definition of Cloud Computing. Source: Reproduced according original source by NIST, 2009.

(13)

This can help smaller companies to overcome the obstacles for sophisticated e-business

cooperations. For example, with the latest generation of cloud-based payment services is it possible to easily include payment systems into web applications. Specialized service providers such as PayPal make such cloud web services available to their customers (from end-users up to

multinational companies) and require no more extensive contracts and long-term commitments. It is just pay-as-you-go via credit card. Small companies or even micro businesses such as startups now have online commerce opportunities that go beyond traditional online shopping.14151617

2. Broad network access: “Capabilities are available over the network and

accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).”18

While platform independence has released applications from proprietary hardware, can cloud computing applications be used from anywhere, anytime with any type of device, as long as it has a browser.19

3. Resource pooling: “The provider’s computing resources are pooled to serve

multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.”20

The Cloud Security Alliance (CSA), an often cited non-profit organisation with individual members from science and industry, has chosen to align with the NIST definition but argues the undervaluation of virtualization by subordinating it to resource pooling, the same applies to multi- tenancy.21

In fact, virtualization is both; a strong enabler for the upraise of cloud computing and at the same time not necessarily a requirement. Cloud services can for example be deployed directly on a server without (hardware) virtualization layer. However, virtualization is usually deployed because the virtualization can adjust better to changing performance requirements and uses the resources more 14 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 6.

15 cf. Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance

and Social Interaction, 71-72.

16 cf. Reese, Cloud application architectures , 174. 17 cf. Lawson, “PayPal opens door to developers.”

18 Mell and Grance, “The NIST Definition of Cloud Computing v15.”

19 cf. Velte, Velte, and Elsenpeter, Cloud Computing: A Practical Approach , 92. 20 Mell and Grance, “The NIST Definition of Cloud Computing v15.”

(14)

efficiently. Widely known are enterprise hardware virtualization technologies such as VMware or the open-source Xen hypervisor, which for example is used by Amazon Web Services (AWS), a well- established cloud service from the cloud computing provider pioneer Amazon. Virtualization can also happen on the software layer, as for example SaaS is using it to offer different users, different, decoupled services while running only one software.2223

Many other definitions than the one from NIST define the multi-tenancy model as an integral characteristic of cloud computing. CSA describes its role as follows: “Multi-tenancy in cloud

service models implies a need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies. Consumers might utilize a public cloud provider’s service offerings or actually be from the same organization, such as different business units rather than distinct organizational entities, but would still share infrastructure.”24_{The architectural approach of multi-tenancy can lead to improved operational} efficiency because the shared infrastructure, data, metadata, services, and can be shared across many different consumers.2526

4. Rapid elasticity: “Capabilities can be rapidly and elastically provisioned, in

some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.”27

Some conditions must be met to profit from rapid elasticity. Not every application can simply be put in a cloud environment, it needs to be“architected for seamless up and

scale-down in a linear fashion in response to load or declarative policy […] automatic scaling requires additional levels of management of the basic cloud system infrastructure, and it may not be consistently available across cloud system infrastructure providers.”28

5. Measured Service: “Cloud systems automatically control and optimize

resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).”29

22 cf. Reese, Cloud application architectures , 6.

23 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 186.

24 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 17. 25 cf. Fingar, Dot.cloud: The 21st Century Business Platform , 42-43.

26 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 17-18. 27 Mell and Grance, “The NIST Definition of Cloud Computing v15.”

28 Knipp et al., Creating Cloud Solutions: A Decision Framework , 41. 29 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 1-2.

(15)

The measured service characteristic distinguishes the usage-based cloud computing pricing from hosting (rent) and common outsourcings which are to a greater or lesser extent inflexible contracts. 30

Service Models

Cloud computing consists of three distinctive service models which are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Additionally, several other secondary variations exist.31

1. SaaS - Cloud Software as a Service: “The capability provided to the consumer

is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specifi c application configuration settings.”32

SaaS is sometimes described as the user level of cloud computing because SaaS applications are ready to use and just need to be logged in via a browser. Basically, no administrative hassle occurs, at least as long as no change to the SaaS provider is planned.33

SaaS can often be adjusted to company processes and user-specific look-and-feel but usually lack the possibilities to customize it on a deeper level. Some application providers are addressing this problem by offering Application as a Service (APaaS). They open up the hood to their customers by letting them configure, customize and extend the application thanks to integrated development, deployment and management services. These services are optimized for cloud computing by supporting the delivery of the end application as a multi-tenant cloud service without losing the

fine-grained elasticity of the cloud computing infrastructure. Typical APaaS offerings are the online

database application Zoho Creator and Salesforce's Force.com platform service.34

The development does not happen on a low level; it applies the metadata-driven programming of the model-driven architecture. However, compared with pure SaaS leads APaaS to additional

complexity – this is something that startup companies usually try to avoid. Rather than looking for precise adjustments they look for elasticity and seamless integration to other information systems. 35 30 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 20.

31 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 15. 32 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

33 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7; 29. 34 cf. Knipp et al., Creating Cloud Solutions: A Decision Framework , 8.

(16)

2. PaaS - Cloud Platform as a Service: “The capability provided to the consumer

is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.”36

PaaS is sometimes described as the developer level of cloud computing, as it is the developers and tech-savvy users who make the infrastructure layer available to the (end-)user. A difference is made between the sub-categories Programming Environments and Execution Environments . Cloud programming environments (for example Django Framework) depend on “conventional”

programming languages and selectively complement them with additional functionalities. Parts of the software are decoupled which eases the adaption of “conventional” environments atop cloud

computing environments. By contrast cloud executing environments (for example Google Apps) rely usually on their own programming environment. However, the borderline between cloud

programming environments and cloud execution environments has become more blurred.3738

3. IaaS - Cloud Infrastructure as a Service: “The capability provided to the

consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of selected networking components (e.g., host fi rewalls).”39

IaaS is sometimes described as the IT level of cloud computing because IaaS is close to the hardware that is commonly operated by so-called “typical” IT personnel such as infrastructure system engineers. IaaS providers (for example IBM Blue Cloud) isolate the hardware from the upper development and application layers in order to maintain a high flexibility to scale-up/out and protection against hardware failures. This abstraction is usually done with the already mentioned hardware virtualization. The aspect of deploying complex existing applications and its middleware to IaaS is probably less relevant for non-IT startups, because they usually start on the greenfield and are therefore more likely candidates for ready to use SaaS applications.404142

36 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

37 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7. 38 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 33-35. 39 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

40 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.

41 cf. Buyya et al., “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility,” 600.

(17)

Deployment Models

According to NIST, cloud computing instances can be operated according to four different deployment models: Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud . However, it cannot be assumed that every cloud provider support all of these deployment models.43

1. Private cloud: “The cloud infrastructure is operated solely for an organization. It

may be managed by the organization or a third party and may exist on premise or off premise.”44

Private clouds and efficient on the premises installations can have many common characteristics such as virtualization or the same programming models and tools. The difference is the ability of private clouds to move workloads into their own infrastructure and outside sets of infrastructure at the same time. However, as the structure is already reasonably in the public cloud and has gained some independence, it can offer unforeseen opportunities because of the ability to turn the tables by opening their (private) cloud services to external partners to collaborate or to run it like a profit centre.4546

In the strict sense can private clouds not be categorized as cloud computing because “it lacks

the freedom from capital investment and the virtually unlimited flexibility of cloud

computing.”47_{Nonetheless, the fact that private clouds can be run behind the organization's}

firewall can make it a feasible entry point to the world of cloud computing “for companies

that either have significant existing IT investments or feel they absolutely must have total control over every aspect of their infrastructure.”4849

2. Community cloud: “The cloud infrastructure is shared by several organizations

and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.”50

Enterprises, groups or individuals who have a common purpose share their collective distributed computing power in order to accumulate many community cloud subsets that are all connected within trusted Virtual Private Networks.51

43 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 1. 44 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

45 cf. MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.” 46 cf. Bittmann, “Building a Private Cloud: Are We There Yet?.”

47 Reese, Cloud application architectures , 19. 48 Ibid.

49 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 3.2. 50 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

(18)

“There are growing concerns over the control ceded to large cloud vendors, especially the lack of information privacy […] the distributed resource provision from Grid Computing, distributed control from Digital Ecosystems, and sustainability from Grid Computing, can remedy these concerns […] Replacing vendor clouds with nodes potentially fulfilling all roles, consumer, producer, and most importantly coordinator [...] by utilizing the spare resources of networked personal computers collectively to provide the facilities of a virtual data centre and form a Community Cloud.”52_{The concept of a community cloud is}

challenging because of its technical complexity and issues related with distributed computing, the heterogeneity of the nodes, varying quality of service and other security constraints. 53

3. Public cloud: “The cloud infrastructure is made available to the general public or

a large industry group and is owned by an organization selling cloud services.”54

The University of California, Berkeley (UC Berkeley) expands the NIST definition of a public cloud as follows: “When a Cloud is made available in a pay-as-you-go manner to the

general public, we call it a Public Cloud; the service being sold is Utility Computing.”55 Utility computing means that only the current needed amount of resources is being provided. Due to technical and commercial developments, utility computing has finally made its commercial breakthrough in the form of cloud computing because it is now possible to consume these resources in the simple manner of Apple's App Store for the iPhone - marketed off the shelf, automatically deployed and deducted.565758

52 Briscoe and Marinos, “Community Cloud Computing,” chap. 1. 53 cf. Ibid., chap. 5. b).

54 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2. 55 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 4. 56 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 25-26. 57 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 19.

58 cf. Buyya, Pandey and Vecchiola, 2009, in a collected edition of Jaatun, Zhao, and Chunming, Cloud Computing: First

(19)

4. Hybrid cloud: “The cloud infrastructure is a composition of two or more clouds

(private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).” 59

Hybrid clouds are often used to swap specific functionalities or peak performance requirements to third party cloud providers.60

Cloud Computing Security

“It seems that having your data in the cloud on machines you do not control is very emotionally challenging to people.”61_{George Reese, enStratus}

A restrained point of view regarding moving its data into the cloud can certainly not only be accredited to the natural disposition of IT decision makers. In fact, cloud computing has not yet grown up, critical voices about the insufficient security are unmistakeable. The different aspects need to be considered according the specific requirements, a serious assessment may help to identify potential issues.

59 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2. 60 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services , 27. 61 Reese, Cloud application architectures , 63.

Illustration b: Hybrid Cloud. Source: Cloud Computing Use Case Discussion Group, 2010.

(20)

“We believe that there are no fundamental obstacles to making a cloud-computing

environment as secure as the vast majority of in-house IT environments, and that many of the obstacles can be overcome immediately with well- understood technologies such as

encrypted storage, Virtual Local Area Networks, and network middleboxes (e.g. firewalls, packet filters).”62_{UC Berkeley}

There are three main fields that cover most security aspects of cloud computing: First, legal

aspects, second, regulatory compliance and third, standards compliance . Each of these main fields is

connected with political questions regarding global governance of the information society. These, several other issues and additionally a guiding model will be introduced later on in this thesis.636465

“An important point to keep in mind is that the cloud does not introduce any new security threats or issues. To put security in perspective, cloud computing as a whole can be considered the ideal use case to highlight the need for a consistent, transparent, standards-based security framework regardless of cloud deployment model.”66

Cloud Computing Use Case Discussion Group

To put it in a nutshell: A safe car does not necessarily mean a safe drive!

Cloud Computing Enablers And Trends

Besides the already mentioned key technologies and concepts of which cloud computing is based on, other aspects should be mentioned. The ability to connect clouds, virtualization, open source

software & community and additionally technologies from which cloud computing has borrowed its

flexible, modular, interconnected nature; service orientation and grid computing.

Connecting Clouds

The connecting of clouds can bring the benefits of easily connection applications. It requires suitable Application Programming Interfaces (API). API's enables the cloud applications and services to communicate in the background whilst remaining invisible for the user. For example is it possible to connect to a SaaS address database application with an SaaS accounting database in order to implement a seamless workflow between the two programs. API's exist not exclusively in the

62 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 15. 63 cf. Zittrain, The future of the Internet and how to stop it , 1.

64 cf. Reese, Cloud application architectures , 63-64.

65 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 10.

(21)

cloud computing world but an industry consensus in favour of common, open, standardized API's becomes apparent.6768

Open standards are also important for the “emerging service model definitions associated with

cloud service brokers, those providers that offer intermediation, monitoring,

transformation/portability, governance, provisioning, and integration services and negotiate relationships between various cloud providers and consumers.”69

Open Standards and Open Source Community

The call for open standards concerns all areas where closed, proprietary solutions can cause incompatible capabilities and interfaces on behalf of consumers. Utility computing and proprietary software are not a good match. The fundamental call for open standards is also justified due to the fact that dominant software stacks used in cloud environments are free open source software.7071

“Open source software is defined as computer software that is governed by a software license in the public domain, or that meets the definition of open source , which allows users to use, change, and improve the software. The flexibility to alter the source code is essential to allow for continued growth in the cloud solution. Open source software is the foundation of the cloud solution and is critical to its continues growth.”72

George Reese, enStratus

In the meantime, open standards are becoming crucial for enterprise solutions and to a certain point important for enterprise customers in order to maintain their employer credibility and competitiveness on the human resources market.

The reason is thus that “open source technologies tend to attract large and vibrant

communities and ecosystems around them, with one result being a variety of products and services tailored for enterprise use. So if an enterprise is not happy with the service or support it is receiving from one vendor, it can turn to a different vendor for that service and support – and if all else fails, it has ready access to the source code and the communities that created and maintain it.”7374

67 cf. Velte, Velte, and Elsenpeter, Cloud Computing: A Practical Approach , 120-122.

68 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” 19. 69 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 16. 70 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 19.

71 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 16. 72 Reese, Cloud application architectures , 27.

73 Sun Microsystems, Inc., “Open Source & Cloud Computing: On-Demand, Innovative IT On A Massive Scale,” 5-6. 74 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy , 6-8.

(22)

Service Orientation

Generally, regarding all the five essential characteristics , three service models, and four

deployment models NIST also adds: “Cloud software takes full advantage of the cloud paradigm by being service-oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.”75

In this context, service-oriented means that the cloud applications are composed on independent, interoperable, loosely coupled, discrete services that are connected via standardized interfaces. Such services are stateless if a parallel running service from the same source can be reused, without interrupting the other service. Statelessness as well as low coupling and modularity are embodied in cloud software if Service-oriented Architecture (SOA) is used, what is commonly the case. The

semantic interoperability extends compatibility by intelligent, contextually selective allocation of and in between services. The affirmation of NIST for the total structured architecture of SOA or similar

service-oriented architectures or web services to enables an almost borderless freedom of the service execution.7677

This freedom of service execution was exactly for what reason SOA was intended for. Its emergence was technically influenced by Object-oriented Programming (OOP) which already came along with characteristics like abstraction, encapsulation, modularity and by the Object Engineering

Process (OEP) which models (for example with Unified Modeling Language) business requirements

into a blueprint for software developers. This combination has been an important step towards bridging the gap between business and technology and corresponds with the nature of SOA and as a consequence of cloud computing.7879

Grid Computing

There would be no cloud computing without the world wide web. The word web is an abbreviation of network. Sun Microsystems (SUN) has been one of the companies that pushed the development of linking networks the most. Its chief researcher John Gage mentioned 1984 that the

network is the computer. Back then, he did not foresee the internet or cloud computing, but he already

realized then that computer infrastructure and data does not necessarily need to be tied together and that comprehensive networks can lead to better collective results. Some years later, in the early 1990s, was the term grid computing introduced in dependence to the power grid. The idea was simply that computing becomes a utility, same as electricity, consumable at every place where there 75 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.

76 cf. Fingar, Dot.cloud: The 21st Century Business Platform , 43. 77 cf. Ibid., 55-57.

78 Stantchev and Schroepfer, 2009, in a collected edition of Abdennadher, Advances in Grid and Pervasive Computing:

4th International Conference, GPC 2009, 25.

(23)

is a network. Such distributed computing calls for the decoupling of location, data, network

connection and processing power hardware. Several computers can share one task, it does not matter where they stand, they just need to be connected with a network. Comparably, the virtualization follows a similar approach; the hardware layer is abstracted from the software layer. The concept is just the other way around. In grid computing share many computers the execution of one software, while the virtualization enables to run several software on one or more hardware devices. Cloud computing would not have made such a strong impact without virtualization and is also inseparable from the distributed network approach of grid computing.808182

Significance: Defining Cloud Computing

For startups, entrepreneurs and small companies, the following aspects of cloud computing regarding its characteristics and technology may be of special interest:

! Cloud computing as utility computing facilitates the use of sophisticated information systems ! Ready to use applications without the need for infrastructure

! Rapid provisioning lowers go-to-market lead time

! Possibility to inter-connect (via API) different SaaS applications in order to establish comprehensive workflows

80 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security , 21-22. 81 cf. Fingar, Dot.cloud: The 21st Century Business Platform , 25-27.

(24)

Political Implications And Standardization

The internet is a global phenomenon – the information society is becoming reality. Global solutions are needed to address issues which the information society is facing and open standards are what cloud computing is in need of. Global solutions may offer new markets and significant

opportunities for startups and young entrepreneurs on all continents. However, the political

conditions and global standardization efforts must be understood in order to get an indication of the future of the information society and its most important “tools”, such as cloud computing.

Understanding Global Governance To Enable Global Business Opportunities

In the field of Information and Communication Technology (ICT) is the executive United

Nations (UN) agency International Telecommunication Union (ITU) having the paramount

responsibility. Its vision is to bring the ICT benefits to all the citizens of the world by assisting the governments and the private sector of UN member countries in mobilizing the necessary technical, financial and human resources..83

In 2002 initiated the former UN general-secretary Kofi Annan the World Summit on the

Information Society (WSIS) to involve all stakeholders, individual privacy activists as well

as business organisations and mentioned later on: “What do we mean by an information

society? We mean one in which human capacity is expanded, built up, nourished and

liberated, by giving people access to the tools and technologies they need, with the education and training to use them effectively.”84

WSIS has been created to find multinational answers to the challenges of the information society. A focus point of its work is bridging the digital division between western countries and developing countries. WSIS measures indicators of its UN member countries regarding their development state of the ICT infrastructure and how the population is ready to use it. WSIS is deducts implications about the design of action plans, about how to govern the internet and about the usage of which financial mechanisms to create a sustainable incentive system. WSIS has created in 2006 two executive institutions that should help them to reach the goals. First, the UN Group on the

Information Society (UNGIS) that coordinates with the relevant UN bodies and organizations such as

the World Bank, the International Monetary Fund (IMF) or the World Trade Organization (WTO)

83 Lips, 2006, in a collected edition of Koops et al., Starting points for ICT regulation: Deconstructing prevalent policy

one-liners, 41-46.

(25)

and second, the Internet Governance Forum (IGF) which should solve substantive and policy issues.8586

The findings of WSIS give a consolidated overview about the status quo of the global

information society. They are valid for developed and developing countries alike, whereas the bigger parts of the programs are conducted in developing countries. Developing countries offer relatively higher growth opportunities than developed countries – a convenient initial position in the eyes of startups and entrepreneurs from all over the world.87

Subsequently, listed below are itemized excerpts which resulted from the efforts of WSIS and its affiliated organisations. They were chosen by the author of this thesis according to characteristics that may be of interest for small and startup companies. As cloud computing is a relatively new generic term that contains existing technologies and challenges of the information society with its underlying ICT, cloud computing was introduced in the terminology of WSIS not earlier than in 2009.

The main topics are firstly, ICT access and use, secondly, The broadband divide, thirdly,

Availability of local content and fourthly, Data privacy. Each main topic is followed by a critical

acclaim regarding the information systems perspective with particular notice towards cloud computing:88

1. ICT access and use: “In many respects, the digital divide continued to narrow in

2008. An important milestone in the progress towards a global information society has now been reached: over half the world’s population has obtained at least some level of connectivity. In addition, 80–90 per cent of the world’s population now lives within range of a cellular network, double the level in 2000. […] One of the benefi ts to emerge from mobile telephony has been the versatility of short message services (SMSs), which are used for increasingly innovative purposes, including fi nancial transactions, market price updates, news transmission, emergency alerts and other important functions. […] At the end of 2008, half of the world’s Internet users were in developing countries, especially in Asia. Regionally, Africa and the Middle East are experiencing the fastest mobile and Internet growth. […] Large disparities in terms of penetration and affordability still exist, both across and within countries and regions […] the digital divide debate is increasingly shifting away from measurements of basic connectivity to issues of speed (bandwidth)”89

85 cf. Doria and Kleinwächtger, 2009, co-authored by Cerf et al., Internet Governance Forum (IGF): The First Two Years , 7.

86 cf.International Telecommunication Union (ITU), 2007, on behalf of Touré and Panitchpakdi, World Information

Society Report 2007 - Beyond WSIS , 13.

87 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and

Increasing Impact , 45.

88 cf. Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society

outcomes at the Regional and International Levels - Report of the Secretary-General , 3-6.

(26)

The formula is simple, without ICT equipment, business development is difficult. The continual growing rate of the world's population which have access to communication instruments is good to know for entrepreneurs. Globally seen, it leads to millions of new potential customers by every year.90

Still, there is a long way to go. Developed countries have one hundred times more secure servers compared to developed countries. Reliable information systems and especially secure e-commerce platforms are required to enable online business. A benefit of using cloud computing is that simply a browser is required that supports encryption; for example Firefox, which is freely available.919293

Adding to the circumstances is the fact that many people in developing countries use mobile technology, including for financial transactions. With this background in mind, it is foreseeable that if they acquire up to date equipment, there will be less constraints regarding the usage of new

technologies compared to developed countries.

On the contrary to developing countries, IT departments have built up the structures and gained conceptual experience over the period of decades in developed countries. For them is it possibly more “emotional challenging” to let their data manage by a cloud computing provider compared to an entrepreneur in a developing country that until a year ago was doing financial transactions solely via SMS or not at all and now has the chance to use sophisticated cloud computing applications.94

Cloud computing could give companies in developing countries the chance to compete with companies in developed countries at eye level. Engagements in cooperation are also an option due to the fast developments of social networks that now cover most aspects of business. These competitive improvements and possible cooperations could lead to solid economic growth in the developed countries, which is necessary to reduce poverty and to build up a stable civil society. Initiatives such as the 100$ One-Laptop-per-Child (OLTP) have had positive effects on the spot in developing countries and also helped the western society to recognize the need of developing countries for ICT infrastructure and education. It was even an initiator for the now very popular netbooks.95

2. The broadband divide: “In spite of the remarkable progress achieved by

developing countries in deploying ICT and bridging the digital divide, they remain at a disadvantage in terms of broadband coverage […] with Africa accounting for less than 1 per cent. The “digital divide” is therefore giving way to the “broadband 90 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and

91 cf. Ibid., 130-131.

92 cf. Zittrain, The future of the Internet and how to stop it , 235-237. 93 cf. Cohen, “The United Nations of Cloud Computing.”

94 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and

(27)

divide” […] The slow response discourages or even prevents people from using applications that would improve effi ciency and enhance productivity […] The United Nations system and other partners – including Governments, civil society and the private sector – are focusing on broadband issues as part of their efforts to assist developing countries achieve WSIS targets and meet the Millennium Development Goals.”96

The awareness of the importance of broadband requires honest, forceful efforts of both, the governments that are leveling the way with regulations and an investor friendly environment and the private sector which should take the risk to invest in these yet to be developed markets. If the basic broadband infrastructure will be available everywhere around the world, it will be a logical

consequence that the bandwidth will be used with modern business tools as well. It will be up to the choice of the startups, SMB's and entrepreneurs in these developing countries whether they prefer to use cloud computing information systems or to wait until they can afford to build their own data centers.9798

3. Availability of local content: “From the perspective of making ICT available to

all, the lack of local content on the Internet and other forms of ICTs (such as mobile devices) is of growing concern […] Locally produced content can help empower the poor by e.g. providing them with online learning facilities, creating new business opportunities; improving access to agricultural market information and weather forecasts […] If the profitability of firms depends on the willingness among the poor segments of society to pay for local content, it is plausible that the private sector alone cannot create the right market conditions to fi ll this gap […] It would be useful to make an inventory of best policy practices aimed at advancing local content.”99

Advanced information systems offer at least a partial content management functionality that supports multi-language. Content Management Systems (CMS) can be API-connected with mashup services that integrate content such as news, maps or market information to interconnect into one localized, user-friendly web platform. Such localized services can be especially interesting for startups to fill a local market niche. The needed internet web 2.0 technology is widely available for free and does not necessarily require cloud computing.100101

96 Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society

outcomes at the Regional and International Levels - Report of the Secretary-General , 4.

97 cf. Subramanian, “Cloud Computing and Developing Countries – Part 2.” 98 cf. Ibid.

99 Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society

outcomes at the Regional and International Levels - Report of the Secretary-General , 4-5.

100cf. Knipp et al., Creating Cloud Solutions: A Decision Framework , 10.

101cf. Vembu, “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from Zoho Corp. about Innovation,” col. 4.

(28)

4. Data privacy: In the recent past, privacy has become one of the central themes of

the emerging information society, not least in the light of the expanded role of search engines on the Web and of the fast spread of social networking services […] There is also a perceived threat to the personal integrity of users from entrusting too much personal information in the hands of large corporations (e.g. Yahoo, Google, Facebook, MySpace […] Trans-border data fl ows have the ability to circumvent national laws […] The main purpose of data protection legislation is to ensure that personal data are not processed without the knowledge and, except in certain cases, consent of the data subject […] These trends may suggest a need for more effective and up-to-date public policies and regulations at the international, regional, national and local levels. Cyber security and inadequate data privacy solutions are dealt with differently by countries with dissimilar priorities, challenges and levels of development. Many different national approaches have surfaced, but a global response to this truly global problem is yet to emerge.

While the main topics number one (ibid. ICT access and use) and two (ibid. the broadband

divide) can be attributed due to the lack of availability of up to date ICT equipment in developing

countries, the main topic number four (ibid. data privacy) is a problem that directly effects every country. Compromises in privacy and security are firstly, a result of lacking legal frameworks on global and national level and secondly, issues due to the lack of standardization.

Provided that the international society is truly getting involved to make an effort for these four WSIS goals, it could lead slowly but surely to millions of new internet users all over the world. Many of them will do business and will need modern information systems. By using information systems based on cloud computing, they will have the chance to use up to date applications without first having the need to build up their own infrastructure or initiate the build-up by an outsourcing

provider. That can be an interesting prospect for startups and companies in underdeveloped countries but equally for startups and innovative companies in developed countries who are willing to take the risk.102

Activities On Continental Level

Global data flows need harmonized approaches to facilitate cloud computing operations which requires consensual cooperation on regulations and standards. International organizations can be of help to achieve this consensus by providing an exchange of information, education and concrete help in developing countries, but basically it is at the liberty of every independent country to set legal standards that cover cloud computing. As most countries have different regulations, even within the

European Union, is it difficult to state what needs to be changed in which country. A study conducted

by information policy scientist Paul T. Jaeger about cloud computing and information policy has 102cf. Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society

(29)

summarized the most crucial points that lawmakers and politicians should be aware of and try to improve.103

! Basic thresholds for reliability

! Assignment of liability for loss or other violation of the data ! Expectations for data security

! Protections of privacy

! Any potential expectations for anonymity ! Access and usage rights

! International standardization to promote transborder data flows in clouds

There is a obviously a difference between these points compared with the goals (ibid.: 1. ICT

access and use, 2. The broadband divide, 3. Availability of local content, 4. Data privacy) from the

WSIS (ibid.). Jaegers points correspond only with 4. Data privacy. The reason is simply that WSIS is intended for the international community including developing countries while Jaegers points are intended for the national level in developed countries.

The following chapters provides a glimpse of the situation by presenting extracts of current cloud computing discussions in the United States (U.S.), Asia and Europe (EU). The focus lies on cross-national exchange of data as it is there where cloud computing offers in particular many points open to attack because of its distributed nature.104

United States

To a certain extent most things concerning cloud computing are happening in the United States or in collaboration with U.S. institutions such as NIST (ibid. Computer Security Division of the US

National Institute of Standards and Technology) or companies such as Amazon, Salesforce, Google

or IBM. The United States are an intellectual and technological leader in the field of cloud

computing. Therefore, in order to understand what is happening politically and legally in the United States concerning open clouds and cross-country data exchange, one can draw conclusions to get the status quo on a worldwide level and conceive future implications. It may be interesting to look ahead

103cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280-281. 104cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing , 15.

(30)

to where U.S. visionaries and information society lobbyists wants to lead their government, as this opinion-forming process will have an impact on future directions on a worldwide level. 105106

The influential non-profit organisation Aspen Institute Communications and Society Program repeatedly composes a memo to every new U.S. president with calls on how to affect the policies in favour of a sustainable society. The 2009 edition, intended for Barack Obama or John McCain, the future president having not been decided by then, focused on policy proposals and general advice on Information Technology (IT). The proposals and advice are U.S.-centered, but as the economy of the United States is still by far the biggest and the innovation capabilities of its scientific institutes and companies still world-leading, especially in the IT field, it can be of interest for the global society to see what the focus of engagement is.107108109

Number six of the six policy proposals (1. Formulate an identity agenda, 2. Mend the Patriot

Act, 3. Retraining and immigration reform, 4. Modernize the grid, 5. Deploy world-class broadband, 6. Support an open cloud) is explicitly calling for an open cloud: “Support an open cloud. Traditional notions that governments should hoard data within their borders is an outdated notion with the advent of the global cloud economy. We need to pursue

architectures that allow individuals, companies and governments to plug into the best resources on the planet, regardless of where they are located.”110

One aspect of the open cloud is the dominance of the United States regarding the global

management and assignment of top-level domain names and IP addresses. This is still under control of the non-profit organization Internet Corporation for Assigned Names and Numbers (ICANN) which acts on behalf of the U.S. government. The international voices are getting louder that this unilateral control of ICANN by a single government should be replaced by an international

independent institution. Whereas there is a consensus about this topic, there is still a big controversy ongoing about how much influence the governments should have with regard to national policy issues. However, the Aspen Institute, to give an example, put its money on the catalyzing effect of the fast changing global information society that will in the long run pull down national hegemonial ambitions.111

105cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and

106cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280. 107cf. Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance

and Social Interaction, 72-77.

108cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 , 72-73. 109cf. O'Halloran, Charity Law Social Policy: National and International Perspectives on the Functions of the Law

relating to Charities, 315; 577.

110 Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and

(31)

Cloud computing is given an important role because “the cloud will usher in a seismic shift

in the locus of control in our culture, and it will have ripple effects in all walks of life – energy, the environment, national security, learning, health care, business processes, emerging markets and much more. The cloud is about open access, rapid delivery of

services, the ability to scale quickly and the power of networks. Ultimately, though, the cloud story is not just about computing, communication or information but about empowering citizens.”112

These statements – the conversion from top-down to bottom-up power – are radical in its nature but vague in regard to what will happen concretely. Nonetheless, this to be expected shift towards a more democratized access to high-tech resources, true globalization and commercial opportunities that are more independent of company size sounds definitively promising to young people with entrepreneurial spirit, startups and small companies.

Asia

The Asia-Pacific Economic Cooperation (APEC) is the leading free trade forum in Asia. It is encouraging its member nations to improve ICT and e-commerce. The focus lies on supranational collaboration but without to cede laws and sovereignty to other members, as they are reluctant to do so. While Cross Border Privacy Rules are discussed in privacy-related legislative working groups, cloud computing not yet a big topic. APEC has an Electronic Commerce Steering Group which started discussions about cloud computing with OECD and UN organisations in 2009, but it has not yet resulted in concrete actions or publicly accessible documents. APEC is not purely representing Asia, as it includes countries from South-America, the United States and Canada which naturally also belong to the Asia-Pacific area. On the other hand, the members of the Association of Southeast

Asian Nations (ASEA) are purely Asian countries. ASEA have enlarged their association to become

the ASEAN Free Trade Area (AFTA) which also includes China and Japan. Cloud computing is not yet on the public roadmap.113114115

The fact that supranational Asian efforts are almost absent should not hide the instance that cloud computing is booming in countries like China, Korea and Japan. A survey done with 400 Asian developers conducted by the Evans Data Corporation (EDC) has shown that 11.3 percent of them are 111 Discussion panel "Critical Internet Rescources" hosted by Aguiar, 2009, co-authored by Cerf et al., Internet

Governance Forum (IGF): The First Two Years , 227-228.

112 Aspen Institute Roundtable 2009 consisting of Firestone, Coleman, Brown, Lysyanskaya, Dyson, Clippinger, Taipale, Bregman, Hynes, Burton, Artom, Gupta, Rotenberg, Pearson, Dyson, Dachis, Mancini, rapported by Lasica, Identity in

the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction ,

77.

113 cf. Pearson and Charlesworth, 2009, edited by Koops et al., Starting points for ICT regulation: Deconstructing

prevalent policy one-liners , 133.

114 cf. Bourassa, “20th APEC Electronic Commerce Steering Group Meeting,” 7.