IT outsourcing risk factors in cloud computing environments: Insights from Dutch universities.

(1)

computing environments: Insights from

Dutch universities.

Erik van Dingen

May 2014

(2)

Author

Name: Erik van Dingen

Student number s1703420 Email: erikvandingen@gmail.com Address: Vondellaan 52 9752 ED Haren (Gn) The Netherlands University of Groningen

Faculty: Economics and Business

Master: Business Administration - Business & ICT specialization Supervisor: Prof. Dr. E.W. Berghout

Second reader: Dr. D. Seo

Address: Nettelbosje 2

9747 AE Groningen The Netherlands

PwC - Risk Assurance Services

Supervisor: ir. H.R. Selhorst RC

(3)

Abstract

The rising popularity of cloud computing has so far not been fully reflected in the academic literature, this thesis aims to provide a valuable addition to this field of study. An increasing number of

organizations is using cloud computing, and the organizations that do use cloud computing start to increase the number of clouds they use. To gain some new insights into how organizations deal with the increasing number of clouds they use, this thesis investigates the management of multiple clouds. In addition the thesis also aims to give an overview of the present state of cloud computing among Dutch universities.

The main research question is: How do companies manage multiple clouds, from a risk perspective? To answer this question a literature review on cloud computing was conducted. Important risk factors from IT outsourcing literature were identified, and incorporated into a framework. This IT outsourcing framework was applied to the cloud computing scenarios of a large sample of the Dutch universities. The results showed that although most factors from the IT outsourcing framework were applicable in the cloud computing environment, asset specificity and measurement problems are not applicable in cloud computing scenarios. The main reason that these factors are not applicable, are due to the different characteristics of cloud computing. The literature review and results show that the characteristics ‘variable costs’ and ‘pay-per use’ of cloud computing are the main reason these factors are not applicable.

The Dutch universities all either have started using cloud computing or are planning on using cloud computing. The results show a similar, collective approach to cloud computing by these universities. The main differences being the choice of applications that are transferred to the cloud. All universities view cloud computing as the favorable choice for applications that support business processes that are not closely related to their core competencies. Cloud computing is generally not viewed as a serious alternative for primary processes, and for data that is secret (nuclear research for example) or subject to privacy laws.

(4)

1. Introduction

1.1 Initial motive

Back in the year 2008 the concept of cloud computing had just begun to receive mainstream attention and companies were given the first notion that a new model of IT had surfaced. Many companies planned on or had already embraced cloud computing one way or the other. Remarkably, Oracle CEO Larry Ellison viewed cloud computing as a hype and did not believe in it. "I think it's ludicrous that cloud computing is taking over the world, we think it's very hard to make money in this thing." Ellison said (Tanaka, 2008). A few years later and the tables have turned; in 2012 Oracle launched their cloud offerings and Larry Ellison has changed his mind. “Cloud computing changes everything” Ellison now said in a blog ironically titled: “Oracle Cloud: Larry Ellison’s Top 10 Reasons you’ll Want it” (Evans, 2012). If even one of the biggest sceptics of cloud computing now is promoting it, it indicates that Cloud computing has gone mainstream and is here to stay.

A survey conducted by the accountancy firm PwC (PwC, 2012) in the UK found that roughly three quarters of the respondents was using a cloud service. An IDC survey among 700 European

organizations with 50 or more employees even found that 99 percent of the organizations use cloud services in at least one area, and the majority in more than one area (Bradshaw, 2012).

An important motivating factor to move to the cloud is that organizations don’t need to be actively managing IT related issues and can dedicate their time and resources to their core business. Cloud applications are adopted across all company sizes at the moment. Survey data by Forrester

Consulting (2012) shows that by the end of 2012, on average nine different SaaS applications will be used at the same time in a single enterprise. In the year 2013 this number will have risen to 13, thereby increasing the number of clouds they.

The introduction of cloud computing represents a shift from computing as a product that is purchased to computing as a service that is delivered to consumers. Present-day, still an increasing number of organizations are forced to deal with this change. Although cloud computing has rapidly established itself in the corporate world, many organizations still have a clouded vision of the concept of cloud computing. There are over- and underestimations that cause cloud users to be confused,

disillusioned and have doubts (Smith, 2011).

Although virtually every organization uses IT, IT is not always a core competency. Not every

(7)

from the management issues surrounding IT. Since the number of applications in the cloud increases (Forrester Consulting, 2012), the management of all these applications becomes more complex. Some services on offer are so complex that normal cloud consumers would not be able to easily manage and deploy those services themselves (Khanna & Babu, 2012). The same complexity can also be found in IT outsourcing (ITO) environments (Ramachandran & Gopal, 2010;Bachlechner, Thalmann & Maier, 2014).

The concept of ITO became popular in the 1990’s and at first sight there are many similarities between cloud computing and IT outsourcing. In this thesis, risk factors that are drawn from IT outsourcing literature are used to investigate to what extent IT outsourcing risk factors apply to cloud computing scenarios. For this purpose, empirical evidence collected from Dutch universities will be used. Universities have been selected because these organizations have always been on the forefront of technology (Hall, Link & Scott, 2003). The empirical part of this paper therefore focuses on universities and how they manage the cloud. In addition to answering the research questions, the empirical research also aims to give a complete overview of the current state of cloud computing among the Dutch universities.

1.2 Originality/contribution

Academic contribution

So far scholars have only just begun to realize the increasing complexity organizations face with regards to managing cloud computing. Because of the novelty of cloud computing, academic research on this topic is still scarce. Most of the information readily available on the business implications of cloud computing comes from company websites or brochures. This thesis aims to provide a valuable addition to the growing field of academic research on cloud computing.

Although scholars have recognized many similarities between IT outsourcing and cloud computing (Clemons & Chen, 2011), cloud computing also has some key differences with IT outsourcing. In this thesis a first attempt is made to further investigate which factors are similar and different by applying a proven framework from IT outsourcing literature to cloud computing scenarios.

Practical contribution

(8)

The insights that this thesis provides, may stimulate IT management to rethink their approach to managing risk in a cloud computing environment.

1.3 Main research question

The main research question reflects the explorative nature of this paper. The question that will be answered is: How do organizations manage multiple clouds, from a risk perspective? To answer this question a few sub questions have to be answered:

1. What is cloud computing and what are the implications of the rise of cloud computing for Dutch universities? Literature review (Chapter 3, 7&8)

2. Why do organizations have problems managing the cloud? Literature review (Chapter 4) 3. What are the similarities and differences between cloud computing and traditional IT

outsourcing? Literature review (Chapter 5)

4. Which IT outsourcing risk factors do organizations face when using multiple clouds? Empirical research (Chapters 6,7&8)

1.4 Structure of the thesis

This introduction formed the first chapter of this paper. Chapter 2 will give a detailed description of the methods and techniques that were used for this research. The third chapter will be a literature review on cloud computing in general, this will give a good theoretical basis to delve deeper into cloud management in chapter 4. Chapter 5 will be a literature review uncovering the differences and similarities between cloud computing and IT outsourcing. Chapter 6 will present a framework that is to be used in the empirical part of the paper. The seventh chapter presents the results of the

empirical investigation. These results will be discussed in the eight chapter. Chapter 9 will present a conclusion along with the limitations and some recommendations for future research. Interview transcripts and other information can be found in the appendices.

(9)

2. Methods and techniques

This chapter will give an overview of the methods and techniques that are used to answer the research questions. In this thesis a literature review was conducted, and subsequently an empirical investigation with interviews and questionnaires is part of this thesis.

2.1 Literature review

The literature review features articles from journals, conference proceedings, books and other relevant sources. For the articles from academic journals EBSCO Host and Google Scholar were used. Search terms that were used include: cloud computing, cloud management, cloud service broker, cloud provider, cloud computing solutions, cloud management, it outsourcing, information technology outsourcing risks and many others. The articles that seemed relevant were selected, read and the most important concepts highlighted.

The framework that is used was derived from a number of articles from highly rated journals. The underlying concepts mostly originated in the mid 1990’s but are still applied and further refined present day (e.g.: (Aubert, Houde, Patry & Rivard, 2012; Lacity, Khan, Yan & Willcocks, 2010)). Risk factors that were frequently mentioned were incorporated into the framework.

2.2 Empirical research – interviews with universities

The framework that was developed earlier was slightly adapted in order to apply it to a cloud

computing environment. So for example the risk factor: ‘Lack of expertise and experience of the client with outsourcing’ was changed to ‘Lack of expertise and experience of the client with cloud

computing’.

Measures were set up that formed the basis of the interview. The questions used are based on questions in other research papers as much as possible. The article by Bahli and Rivard (2005) proved to be very useful; providing measures for many IT outsourcing risk factors. For asset

specificity an article by Oh, Gallivan and Kim (2006) provided a solid foundation. For the risk factors that had no readily available measures or complete questions, measures and questions have been developed that reflect the specific factors.

(10)

All of the interviews had a semi-structured nature. A semi-structured interview allows the interviewer to extract more and a greater variety of data than structured interviews. This thesis has a partly exploratory background, therefore it was deemed necessary to extract a larger variety of data to answer the research questions. The interviews were conducted face-to-face, with the benefit of being able to observe and record the verbal- and nonverbal behavior of the interviewee. Because of geographical issues, one interview was conducted via telephone. The duration of each of the

different interviews was between 35 and 50 minutes. The full interview transcripts can be found in the appendices.

Before the interviews were held, an interview script was prepared. The structure of the interview guide was based on Myers and Newman (2007). They state that preparing the script should involve at a minimum:

 Preparing the opening- where the interviewer introduces himself

 Preparing the introduction – where the purpose of the interview is explained

 Preparing the key questions – the actual questions that are of importance for the research  Preparing the close – if needed permission to follow up, or asking who the interviewee

recommends to be interviewed. (Myers & Newman, 2007).

The interviews are all in Dutch, this has multiple reasons. As both the interviewer and interviewee’s mother tongue is Dutch, this would be more comfortable for them. Because the goal is to get in-depth information, it is vital that the interviewee feels comfortable and is not hindered by language barriers. The interview guide thus has been translated into Dutch. The interviews were recorded, transcribed and translated into English by the author. The interviewees were asked to check the transcribed interviews for errors and misinterpretations.

2.3 Empirical research - Questionnaires

The universities that were not approached for an interview, because the initial screening did not reveal substantial involvement in cloud computing activities, were asked to fill out a short

(11)

Empirical data from nine different universities was collected through five interviews and four questionnaires. Of the total of thirteen Dutch universities, nine have participated in this research providing, ensuring a response rate of 69% of the population.

.

2.4 Conclusion

(12)

3. Cloud computing

This third chapter will feature a literature review on cloud computing. Firstly cloud computing will be defined, then the different characteristics of cloud computing will be discussed. Secondly, the advantages and disadvantages of cloud computing will be discussed. The chapter ends with a short conclusion.

3.1 Definition and characteristics of cloud computing

Cloud computing is one of the most discussed topics in the field of information technology. Since its emergence around 2007 the topic has exploded in interest within academic and technical literature (Venters and Whitley, 2012; Wang, He & Wang, 2012) and the concept of cloud computing is ever expanding (Fernando, Loke & Rahayu, 2013). An increasing amount of organizations from a variety of sectors are discovering the advantages of the cloud (Sultan, 2010). Companies that do not already have one or multiple clouds in use are questioning whether to jump onto the cloud bandwagon.

Figure 1: Cloud computing present day and in the near future (PwC, 2011).

Cloud computing definition

(13)

(2007) define cloud computing as: “a pool of virtualized computer resources”. Wang et al (2008) define cloud computing as “a set of network enabled services, providing scalable, QoS guaranteed, normally personalized, inexpensive computing platforms on demand, which could be accessed in a simple and pervasive way”. Plummer has the following definition: “Cloud computing means someone else runs your computers and software while you use what they deliver and focus on delivering value” (Plummer, 2012). Other definitions recognize the interaction between cloud user and cloud provider: ``A Cloud is a type of parallel and distributed system consisting of a collection of inter-connected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resource(s) based on service-level agreements established through negotiation between the service provider and consumers.'' (Buyya, Yeo, Venugopal, Broberg & Brandic, 2009). It is important to note that cloud computing and grid computing are no synonyms. With grid computing you can provision resources as a utility that can be turned on or off. Cloud computing goes a step further and provides on-demand resource provisioning (Myerson, 2009). The definition that is most widely used is the definition of the US National Institute of Standards and Technology (NIST). Their definition captures the commonly agreed aspects of cloud computing, this definition is used as the basis of the further literature review. The NIST definition (Mell & Grance, 2011) describes cloud computing as having five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Cloud computing has four deployment models: private clouds, community clouds, public clouds, and hybrid clouds. There are three service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The bigger software companies often are active in multiple roles; Google for example offers IaaS (Google Compute Engine), PaaS (Google App Engine) and SaaS (Google Apps).

Essential Characteristics of Cloud Computing:

(14)

pictured below.

Figure 2: Visual representation of the NIST cloud computing definition (NSAI, 2012).

 On-demand self-service. Consumers are able to unilaterally provision computing capabilities. Server time and network storage for example can be used as needed automatically without any human interaction with each service provider (Mell & Grance, 2011).

 Resource pooling. In order to serve multiple consumers, the provider’s resources are pooled using a multi-tenant model. Multi-tenancy is an architectural pattern in which a single

instance of the software is run on the service provider’s infrastructure, and multiple tenants access the same instance. In contrast to the multi-user model, multi-tenancy requires

customizing the single instance according to the multi-faceted requirements of many tenants (Kwok, Nguyen & Lam, 2008). The customer generally has no control or knowledge over the exact location of the provided resources. Processing, memory, network bandwidth and storage are examples of resources (Mell & Grance, 2011).

 Measured service. Cloud systems automatically control and optimize resource use by leveraging some sort of metering capability that is appropriate to the type of service. The resource usage can be monitored, controlled and reported. This provides both provider and consumer with the necessary transparency regarding the utilized service (Mell & Grance, 2011).

(15)

by heterogeneous thin or thick client platforms such as workstations, laptops, smartphones and tablets (Mell & Grance, 2011).

 Rapid elasticity. The capabilities can be elastically provisioned and released, in some cases automatically. This scalability is necessary to cope with fluctuating demand. To the consumer the capabilities available appear to be unlimited and can be appropriated in any quantity at any time (Mell & Grance, 2011).

Service models

The service models that will be discussed are the three most frequently mentioned models in cloud computing research. There are several other service models or different names for basically the same concept but here we will stick to the models described by the NIST.

 Software as a Service (SaaS). This is the service model that brings the most capabilities to the cloud. The provider’s applications running on a cloud infrastructure are used. The

applications are accessed through a thin client interface such as a web browser or through a program interface. The cloud consumer does not manage or control the underlying cloud infrastructure, including network, servers, storage, operating systems and the majority of application setting. Limited user-specific configuration settings are the possible exception. (Mell & Grance, 2011). The cloud service provider thus is also responsible for updates of the software.

 Platform as a Service (PaaS). The capability that is provided to the consumer is to deploy applications created or acquired by the consumer onto the cloud. The provider offers support by making programming languages, services, libraries and tools available to the consumer. The consumer does not manage or control the underlying cloud infrastructure. The consumer does have control over the deployed applications and possibly configuration settings for the application hosting environment (Mell & Grance, 2011).

 Infrastructure as a Service (IaaS). This model provides consumers with processing, networks, storage and other important computing resources. The consumer is able to deploy and run arbitrary software such as applications and operating systems. The underlying cloud

(16)

commoditized cloud segment today (Ried, Matzke, Garbani & Iqbal, 2011).

Figure 3: Overview of different cloud computing service models versus ‘traditional’ IT (Harms & Yamartino, 2010).

Deployment models

Four types of cloud computing deployment models can be identified: public, community, hybrid and private clouds.

 Public cloud. The cloud infrastructure is provisioned for open use by the general public. The public cloud may be owned, managed, and operated by a business, academic, or government organization or a combination of them. The public cloud exists on the premises of the cloud provider (Mell & Grance, 2011).

 Community cloud. Community clouds have a cloud infrastructure intended for exclusive use by a specific community of consumers. These communities consist of consumers from organizations that have shared concerns (e.g. policy, mission, security requirements, and compliance considerations). The community cloud may be owned, managed and operated by one or more of the organizations in the community, a third party or a combination of them. It may exist on or off premises (Mell & Grance, 2011).

(17)

 Private cloud. The cloud infrastructure of the private cloud is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). This type of cloud may be owned, managed or operated by the organization, a third party or a combination of them, and the cloud may exist on or off premises (Mell & Grance, 2011).

There are some remarks on the definition to be noted. Many services that are labeled as ‘cloud’ do not comply with all of the requirements of the definition. For instance, some cloud providers give users the option to choose the location where their data is stored (Yang & Chen, 2010). The definition of cloud computing states that users generally have no knowledge of the location of the provided resources. Several cloud services also don’t offer transparent metering, but retain a traditional pricing model.

Many firms from a variety of different backgrounds try to take advantage of the opportunities cloud computing offers. The figure below gives an overview of some of the companies that engage in different parts of the cloud computing industry.

Figure 4: Overview of different cloud computing technology levels and important suppliers (gravitant.com, 2012).

There is a lot of variation in the cloud services used by organizations; a survey by KPMG (2010) revealed which cloud computing services are already used or implemented by companies.

(18)

Figure 5: Types of cloud computing applications used by companies in the Netherlands (KPMG, 2010).

3.2 Advantages of cloud computing

Much of the appeal of cloud computing is due to the cost reductions cloud computing can offer. The cloud allows a change of IT from an expensive capital expenditure to a pay-as-you-go operating expenditure, for example processors by the hour and storage by the day (Armbrust, et al., 2010; Nikolov, 2011). Consumers are able to enjoy cost reductions because large scale cloud providers benefit from economies of scale and can offer computing at lower costs than traditional on premise computing would (Armbrust, et al., 2010; Clemons & Chen, 2011). The economies of scale emanate from reduced costs of power, infrastructure labor costs and increased buying power of data center operators (Helland, 2013).

Another important benefit of cloud computing over on premise computing is the increased flexibility the cloud offers. Cloud consumers can scale up and ramp down the computing capacity on demand and do only have to pay for their actual usage. The result is that companies are not paying for expensive servers that only need to be able to support the peak demand at certain times, and no resources are wasted during times of lower demand. In 2000, more than 45% of capital equipment budget was spent on IT. However, on average only 6% of the server capacity is utilized. In addition to reduced infrastructure costs, cloud computing also leads to energy savings (Marston, Li,

(19)

High availability is considered a benefit for small and medium sized enterprises. A system run by a large cloud service provider has many resources and redundant equipment and should offer better availability than an infrastructure that runs in-house (Leavitt, 2009). Google’s Gmail cloud service for example was estimated to be 32 times more reliable than the average corporate e-mail in 2010 (McAfee, 2011).

For SMEs cloud computing offers an opportunity because of the lower entry barriers to computing. Cloud computing enables small businesses to utilize high-end applications like ERP software or business analytics, that were previously unavailable to them (Marston, Li, Bandyopadhyay, Zhang & Ghalsasi, 2011). The capabilities of large datacenters were previously inaccessible to SMEs due to high capital costs (Weinhardt, et al., 2009). Areas like business intelligence that were previously only available to companies that were able to make large capital investments now become accessible to other companies as well. When services are no longer necessary it is also relatively easy to

discontinue them. This results in relatively high bargaining power for the cloud customers against the cloud providers. (Benlian, Koufaris & Hess, 2011).

The almost immediate access to hardware resources and the scalability offered by cloud computing facilitates a faster time to market in many businesses (Marston, Li, Bandyopadhyay, Zhang &

Ghalsasi, 2011). The faster time to market is achieved because companies don’t have to design and build a server infrastructure, but can easily rent a few virtual servers from a cloud provider. For organizations that experience seasonal influences, or rapid changes cloud computing enables services to be used without any understanding of their infrastructure (Frantsvog, Seymour & John, 2012).

Employees tend to support cloud computing as well, the average consumer has accepted this latest development (Rose, 2011). The main reason for this support is that employees are able to make full use of a company’s computer systems at more locations (e.g. at home, in the train) using less powerful, increasingly mobile devices such as smartphones, tablets and netbooks (Marston, Li, Bandyopadhyay, Zhang & Ghalsasi, 2011), cloud and ‘bring your own device’ or ‘choose your own device’ often go hand-in-hand.

3.3 Disadvantages of Cloud Computing

Cloud computing also features some characteristics that could be disadvantageous. These disadvantages include: loss of control, vendor and data lock-in, the fact that not every process is cloud ready and the legal disadvantages.

Loss of control

(20)

cloud computing, often the exact location of their data is unknown. Although Service Level Agreements (SLAs) can include amendments that specify the location of data (e.g.: ‘Europe’ to comply with European laws and regulations), the exact location often remains unknown. Large organizations in particular are wary of entrusting critical applications and data to a cloud computing service (Marston, Li, Bandyopadhyay, Zhang & Ghalsasi, 2011). Critical applications and data could include the financial system or personnel files for example. The providers cannot always guarantee the high quality of service and the availability that some of these applications and data require. Sharing a physical infrastructure can lead to fundamental risks, even when their actions are isolated through machine virtualization as is the case with cloud computing services (Ristenpart, Tromer, Shacham & Savage, 2009). Researchers published a disturbing example where one virtual machine was able to spy on another on the same physical server (Zhang, Juels, Reiter & Ristenpart, 2012). Vendor and data lock-in

Currently, most cloud offerings have a different way on how cloud clients, applications and users interact with the cloud (Dikaiakos, Pallis, Katsaros, Mehra & Vakali, 2009). This forces vendor lock-in, prohibiting the ability of users to choose from alternative vendors (Dillon, Chen & Chang, 2010). The lack of active standardization among clouds thus has the result that customers cannot easily extract their data and programs from one cloud and run it on another (Armbrust, et al., 2010;Wang, He & Wang, 2012;Lin & Chen, 2012). The cloud consumers leave themselves vulnerable to price increases, reliability problems and even providers going out of business.

Not everything is cloud-ready

While business executives are often under the impression that moving to the cloud is a ‘packaged deal’. Some services are not ready for cloud computing. Findings from a survey by PwC among 489 CIOs and other senior executives revealed that only 18 percent of the respondents said that more than 50% of their organizations’ workloads were ready for the cloud today (PwC, 2011). Major re-coding and re-architecting will be required for a variety of enterprise applications and systems to take full advantage of the cloud, so it may take some time before the majority of applications take full advantage of the cloud (PwC, 2011).

Legal disadvantages

Cloud computing is used by multinational and international

organizations, and cloud providers are also located in different geographical locations. It is therefore

(21)

important to know which laws and regulations an organization has to comply to. Most regulations hold the cloud consumer ultimately responsible for the security and integrity of their corporate and customer data (Heiser & Nicolett, 2008). There are a lot of different laws and regulations, some of the most important one are Sarbanes-Oxley Act, the Patriot Act and the EU Data Protection Directive. Even though a consumer will want to comply to the laws and regulations that apply to their specific situation, the question remains whether the provider is (1) able to comply to these laws and

regulations (e.g. store data in a specific location/country) and (2) is willing to do so (Svantesson & Clarke, 2010).

3.4 Conclusion

In this chapter a literature review on cloud computing was presented. Cloud computing was defined as having five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Four deployment models: private clouds, community clouds, public clouds, and hybrid clouds. Three service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The most important benefits are flexibility, costs (capital expenses to operating expenses), availability to computing power and increased

(22)

4. Complex cloud environments

4.1 Introduction

Although during recent years an increasing amount of articles on cloud computing have been published, there are still many gaps in the published research (Schubert & Adisa, 2011;Venters & Whitley, 2012) the issues surrounding the management of the cloud have been relatively ignored by scholars, and managing multiple clouds is virtually untouched. The few articles that discuss complex, or multi-cloud management are focused mostly on the technical aspects (Tsai & Balasooriya,

2010;Gutierrez-Garcia & Sim, 2012) and ignore the IT management issue (Böhm, Leimeister, Riedl & Krcmar, 2011).

4.2 Cloud management issues

In order to investigate why organizations are having problems managing multiple clouds, it is important to know why organizations are even using multiple clouds. The literature review revealed several arguments that can be identified with the increasing complexity of cloud management.

Factors that stimulate complex cloud environments.

One might think that the most convenient way to start using cloud computing would be to select one cloud provider that provisions your complete IT environment. In theory this seems an efficient and effective way of managing IT. In practice several arguments can be made to use complex cloud environments that feature multiple clouds.

Low entry barriers

Nowadays organizations have a tantalizing assortment of clouds to choose from. The entry barriers for cloud computing are low, because cloud computing generally does not require a (substantial) initial investment. Organizations may consider trying many providers and placing different workloads with different providers (Frost & Sullivan, 2012).

Difference in services offered

Even though organizations may want to have one cloud, this is not always possible because there is not always a single cloud provider that can offer all the desired services. Organizations might have specific requirements that can only be fulfilled by a specific cloud application. In addition cloud providers also possess different strengths and pricing models (Sharif, 2010). The result is that organizations are forced to choose multiple clouds from different vendors to support the needs of the business.

(23)

Organizations that have a need for very high availability of data might consider using multiple clouds to prevent having a ‘single source of failure’. Having multiple cloud (providers) is an option for those organizations that are facing high availability needs. (Armbrust, et al., 2010). In practice many organizations use cloud computing as an offsite backup for their most important data and applications already (PwC, 2011).

Problems of having complex cloud environments.

Due to the fact that cloud computing in a business context is a relatively new phenomenon, it brings a variety of new issues and problems to organizations using it.

Why do organizations have problems managing the cloud? The first problem of having multiple clouds is the selection of the cloud service. Given the diversity of cloud service offerings, an important challenge for cloud consumers is to find the cloud services that can satisfy their requirements (Goscinski & Brock, 2010;Garg, Versteeg & Buyya, 2013).

Another issue is that many corporate IT infrastructures have grown piece by piece over many years and the system interdependencies are difficult to understand or define. Especially organizations that have been around for many years often have a mix of hardware, operating systems, and applications that have not been designed for cloud deployment, these could be described as “legacy spaghetti” (McAfee, 2011;Helland, 2013). Large enterprises often have ‘different owners’ in the enterprise and have complex dependencies among the systems themselves, the data they process, the middleware that is used and the platforms on which they run (Wang, He & Wang, 2012). For multinational

enterprises it is even more complicated because their IT has been influenced by geographical differences such as political and economic factors (Wang, He & Wang, 2012).

The different cloud offerings all have their own way of how clients/applications/users interact with the cloud (Dillon, Chen & Chang, 2010). This lack of interoperability severely hinders the cloud users and enterprise (Rimal, Choi & Lumb, 2009). Standardization seems to be a good solution to address the interoperability issue, but so far there is no universally recognized standard for cloud computing. The characteristics of the cloud market also are of influence. Because cloud computing is a relatively new phenomenon organizations often lack the necessary knowledge and skills to grasp the full potential the cloud offers. Although cloud computing has been defined and established up to a certain level, there are many new forms of cloud computing and related issues emerging (Smith, 2011). Even though cloud computing is starting to mature, there are still misunderstandings and confusion in specific aspects of cloud computing (Smith, 2011).

(24)

to dominate the cloud computing scene (Khanna & Babu, 2012), this unstable market adds more complexity to cloud management decisions.

4.3 Conclusion

This chapter identified the arguments to have multiple clouds and the problems with having multiple clouds. The arguments to have multiple clouds include specific needs, low entry barriers, different strengths and pricing of cloud providers. Using several competing vendors can lead to lower costs, higher vendor performance and increased bargaining power.

The problems of having multiple clouds include the existing legacy systems that are difficult to transfer to a cloud platform. Another important problem is the lack of interoperability between clouds. The new and volatile nature of the cloud market brings misunderstandings and confusion.

(25)

5. Cloud computing and IT outsourcing

In this fifth chapter the characteristics of traditional IT outsourcing and cloud computing will be analyzed. The similarities and differences between ITO and cloud computing will be discussed. Companies have different reasons for adopting cloud computing. Enterprises usually follow

developments in technology and determine how well aligned these developments are with their own business strategies (Venters & Whitley, 2012). Many reasons organizations have for outsourcing IT, such as reducing costs, better performance and better alignment of IT strategy with business goals and the ability to focus on core competencies (Fitoussi & Gurbaxani, 2012) are similar with the reasons for engaging in cloud computing (Benlian, Hess & Buxmann, 2009).

5.1 Introduction

Throughout the first chapters of this paper some references have been made towards the similarities between managing the cloud and managing ‘traditional IT outsourcing’. These similarities will be uncovered and leveraged to provide a framework on which the empirical research will be based. Since the early 1990’s IT outsourcing has grown in organizational influence and market size. The result was that during those years IT outsourcing became an integral component of the Information Management agenda (Kern & Willcocks, 2000).

IT outsourcing can be defined as: “the transfer of property or decision right in varying degrees over the IT infrastructure by a user organization to an external organization such as a technology vendor or a systems integrator” (Loh & Venkatraman, 1992). IT outsourcing customers can use IT services at lower costs than the internal IT department of the firm, because of the economies of scale, -scope and –specialization that the vendor realizes (Clemons, Hitt & Snir, 2001).

5.2 Cloud computing and traditional IT outsourcing similarities.

Cloud computing involves a similar transfer of computing capabilities to a third party in the case of public, hybrid, community and some private clouds as well. The reasons companies have for moving to the cloud are very similar to the reasons for traditional outsourcing (Lacity, Khan, Yan & Willcocks, 2010; Thorenz & Zacher, 2013). Among those reasons are: the need to reduce and control IT

(26)

Another similarity is the development of the cloud computing market place and the IT outsourcing market place in the early to mid-1990’s. Both situations are characterized by a dynamic and changing environment (Loh & Venkatraman, 1992). Many of the companies that now offer cloud services such as CSC and Oracle also (used to) offer ‘traditional’ IT outsourcing (Dhar, 2012). One of the issues firms that consume cloud services from a third party need to consider is how to manage resources that the firm does not own anymore (Henderson & Venkatraman, 1990); (Kern, 1997;Lacity & Willcocks, 1998;Lacity, Willcocks & Feeny, 1995;Sabherwal, 1999); (Saunders, Gebelt & Hu, 1997). Some of the issues that firms need to manage are vendor selection, retaining in-house capabilities to ensure that IT resources are adequate and appropriately distributed, relationship management, managerial competence, architectural planning and monitoring emerging technologies (Currie, 1998;Lacity, Willcocks & Feeny, 1995;McFarlan & Nolan, 1995;Quinn, 1999). Like cloud computing, in IT outsourcing the interactions between different vendors and systems is also an important issue (Beulen, Ribbers & Roos, 2011).

5.3 Cloud computing and IT outsourcing differences.

In the previous section the similarities between traditional IT outsourcing and cloud computing have been discussed. In this section the differences between these two concepts will be highlighted. Provisioning of IT resources in organizations is linked closely with the consideration whether

information and communication technology should be kept in- or outside the firm (Böhm, Leimeister, Riedl & Krcmar, 2011). From the early 1990s the option to outsource the information technology to an external service provider has become a more important option for many organizations (Bahli &

Rivard, 2003). Customers nowadays expect cost-effective, flexible and efficient delivery of

information technology from their service providers, ideally with monetary flexibility such as a pay-per-use model. Simultaneously, customers increasingly demand innovations from their service providers (Böhm, Leimeister, Riedl & Krcmar, 2011).

(27)

Interestingly, although there are many ‘traditional’ IT outsourcing vendors who are setting up new cloud services or who have rebranded their offerings as cloud services, a lot of new companies and companies from other backgrounds are acting as cloud vendors. Amazon and Google are examples of companies that developed new business models to market their former by-products (such as large storage and computing capacity;Böhm, Leimeister, Riedl & Krcmar, 2011).

Virtualization is another key difference between ITO and cloud computing. In contrast with traditional ITO, cloud computing relies heavily on virtualization which enables sharing computing resources (Böhm, Leimeister, Riedl & Krcmar, 2011). The end-user often does not know where exactly the process is being performed or the data is being stored. Moreover cloud computing can also be used in-house (private cloud/hybrid/community).

Contractual differences between ITO and cloud computing are also recognized. In contrast to the one-to-many approach of most cloud services, ITO typically involves a more customized service, tailored to the customer’s needs. Cloud suppliers will usually not customize their service for each customer beyond a certain set of parameters (Joint & Baker, 2011). Joint and Baker (2011) thus conclude that approaching a cloud service deal similar to a traditional ITO contract might not be appropriate for all aspects of the contract.

Regarding risk management, there are also some differences to be mentioned. Clemons and Chen (2011) recognized that most of the risk management techniques of outsourcing remain applicable in the cloud, but they also note that managing risks for cloud computing have different requirements.

5.4 Conclusion

(28)

6. Framework

6.1 Introduction

In the previous chapter it was concluded that cloud computing and ITO although they share many similarities, also have some key differences that may be of importance in a cloud computing environment. In this sixth chapter, the risks that are associated with ITO, are presented in a framework.

A variety of authors have studied the ITO risk(factors) over the past two decades (Willcocks, Lacity & Kern, 1999), and these authors have found many different risk factors associated with IT outsourcing (Lacity, Khan & Willcocks, 2009). There are some differences in the academic literature regarding what the most important risk factors for IT outsourcing are, many research articles present

frameworks that closely resemble each other (e.g. (Jurrison, 1995; Earl, 1996; Willcocks, Lacity & Kern, 1999; Aubert, Patry & Rivard, 1998; Bahli & Rivard, 2003; Bahli & Rivard, 2005; Dhar & Balakrishnan, 2006; Lacity, Khan, Yan & Willcocks, 2010). These articles have been selected

because the basic concepts have been verified in the mid 1990’s, such as Earl (1996) and the factors from those articles are still the subject of many research articles some 15 years later (e.g.: Lacity, Khan, Yan & Willcocks, 2010).

In order to present a comprehensive framework, factors from multiple sources are used, combined and duplicates are removed. These risk-based frameworks are not only suitable to investigate management of customer-single vendor outsourcing but also multiple vendor outsourcing scenarios have been examined (Aubert, Patry, Rivard & Smith, 2001;Currie & Willcocks, 2002) with these risk frameworks. The next section will discuss the framework and the individual risk factors and

associated risks.

6.2 Risk factors in perspective.

(29)

Figure 6: Relationship of risk factors, risks and losses (Qin, Wu, Zhang & Li, 2012)

The framework shown in table 1 is based on a variety of literature on IT outsourcing management. In the table the risks are shown with the risk factors that lead to these risk. As stated before; many authors have identified similar risks, but some include more or less factors than others and use slightly different names and descriptions. Not all risk factors lead to all risks (Aubert, Patry & Rivard, 1998). Only the risk factors that, from the literature review appear to be the most closely related to the risks are presented in the framework.

Risks Risk factors

Unexpected transition and management costs

(Earl, 1996; Bahli & Rivard, 2003; Aubert, Patry & Rivard, 1998)

Lack of experience and expertise of the client with the IT activities in the cloud.

(Lacity, Willcocks & Feeny, 1995; Earl, 1996; Aubert, Patry & Rivard, 1998; Abdullah & Verner, 2012)

Lack of experience and expertise of the client with cloud computing

(Earl, 1996; Barthelemy, 2001; Sullivan & Ngwenyama, 2005; Lacity, Khan & Willcocks, 2009; Abdullah & Verner, 2012).

Interdependence of activities

(Aubert, Patry & Rivard, 1998)

Switching costs (lock-in, transfer to another supplier and repatriation).

Asset specificity

(Lacity, Khan, Yan & Willcocks, 2010)

Small number of suppliers.

Costly contractual amendments

(Earl, 1996; Aubert, Patry & Rivard, 1998; Bahli & Rivard, 2003)

Uncertainty

(Earl, 1996; Bahli & Rivard, 2003)

Service debasement

(Lacity & Hirschheim, 1993; Aubert, Patry & Rivard, 1998)

(30)

Lack of experience and expertise of the supplier with the IT operation

(Earl, 1996)

Measurement problems

(Bahli & Rivard, 2005)

Disputes and litigation

(Aubert, Patry & Rivard, 1998;Bahli & Rivard, 2003)

(Bahli & Rivard, 2005)

Lack of experience and expertise of the client with outsourcing

(Earl, 1996;Barthelemy, 2001; Sullivan & Ngwenyama, 2005; Lacity, Khan & Willcocks, 2009; Abdullah & Verner, 2012).

Lack of experience and expertise of the supplier with outsourcing

(Aubert, Rivard & Patry, 1996; Aubert, Patry & Rivard, 1998; Bahli & Rivard, 2005)

Loss of organizational competencies

(Lacity, Willcocks & Feeny, 1995; Earl, 1996; Aubert, Patry & Rivard, 1998)

Proximity of the core competencies

(Prahalad & Hamel, 1990; Aubert, Patry & Rivard, 1998; Sullivan & Ngwenyama, 2005)

Table 1: Overview of risks and related risk factors.

6.3 Risks

Unexpected or ‘hidden’ transition and management costs are often ignored. Any principal (client firm) giving work to an agent (vendor) will have to incur costs to supervise and monitor the agent (Aubert, Patry & Rivard, 1998). Transition costs include set-up, leasing costs, redeployment or relocation costs, etc. Management costs include termination, handover and reimplementation costs of the next generation contract and the human resources devoted to managing the outsourced activity (Earl, 1996;Bahli & Rivard, 2003).

The switching costs of outsourcing include lock-in, repatriation and transfer to another supplier. Switching costs are of importance in decisions to terminate contracts (Whitten & Wakefield, 2006). Switching costs include both economic expenditures and intangible (psychological or relational) costs associated with changing an exchange relationship (Whitten & Wakefield, 2006).

(31)

It is difficult to set up a contract that covers all the issues necessary but also delivers sufficient flexibility. Changing the contract involves costs, vendors might not want to adjust the contract the time and resources spent on the amendments can create a risk for the organization (Earl, 1996). Service debasement refers to the degradation of the level of service (Takeoka & Wanninayaka, 2008). This is one of the main risks when outsourcing, often outsourcing is a cost-driven decision and the service quality received from the vendor can be lower than in the initial situation. Vendors can try to adjust the service quality in their favor (Lacity & Hirschheim, 1993).

Disputes and litigation refers to any controversy concerning the association or representation of both contracting parties in negotiating, setting up, maintaining, changing or seeking to arrange the terms or conditions of a contract and to process of bringing and pursuing a lawsuit (Klepper & Jones, 1998). Loss of organizational competencies can be a negative consequence of outsourcing an activity. The loss some of the expertise a firm possesses can be of minor influence when it is not close to the core competencies of the organization (Aubert, Patry & Rivard, 1998). Outsourcing might lead to loss of key employees, limiting the ability to access new technology and limiting the ability to define new technologies (Qin, Wu, Zhang & Li, 2012).

6.4 Risk factors

Lack of experience and expertise of the client with the outsourced activity.

A company cannot control what it doesn’t understand. A lack of experience and expertise with the activity that is outsourced is considered to be a risk factor (Abdullah & Verner, 2012).The lack of expertise with the outsourced activity that a client possesses may lead to hidden costs, and cause a loss of control over costs (Lacity, Willcocks & Feeny, 1995; Aubert, Patry & Rivard, 1998). A lack of expertise and experience with the outsourced activity also impacts the ability of the firm to assess the quality and costs of the service rendered (Aubert, Patry & Rivard, 1998).

* In a cloud computing environment, the risk factor is modified into: Lack of experience and expertise of the client with the IT activities in the cloud.

Lack of experience and expertise of the client with outsourcing

(32)

security, logistics and catering helps when IT services must be outsourced (Beulen, 2000). There is no substitute available for the actual experience of managing an outsourcing arrangement (Lacity, Khan & Willcocks, 2009); multiple studies have shown significant evidence of the positive influence of client experience with outsourcing (Lacity, Khan, Yan & Willcocks, 2010).

*In a cloud computing environment, the risk factor is modified into: Lack of experience and expertise of the client with cloud computing.

Lack of experience and expertise of the supplier with the outsourced activity

Suppliers may not be able to respond to rapid changes in the business conditions, may not have a firm grasp on the client’s business and their objectives to fulfill the needs of the client. The supplier may overestimate his capabilities and may be unable to handle the operation as technology changes (Aubert, Patry & Rivard, 1998). If the supplier lacks expertise with the business aspects of the

activity, the supplier exposes the client to a business risk; the client may have to invest in training the supplier’s personnel and explaining user requirements (Bahli & Rivard, 2005). A review of IT

outsourcing literature by Lacity et al. (Lacity, Khan, Yan & Willcocks, 2010) showed the importance for successful IT outsourcing arrangements to have a supplier that possesses the required

capabilities.

*In a cloud computing environment, the risk factor is modified into: Lack of experience and expertise of the supplier with the IT activities in the cloud.

Lack of experience and expertise of the supplier with outsourcing

Experience and expertise of the client are not enough to secure a successful outsourcing

relationship, the supplier’s experience and expertise are also of importance. The skill, frequency and comfort of both the contracting parties to perform outsourcing contracts are the main components of their expertise (Bahli & Rivard, 2005). Aubert, Patry and Rivard (1998) state that a lack of expertise of the IT supplier with outsourcing contracts may lead to disputes and litigation. Inexperienced suppliers may find themselves haggling with the client over issues like performance, planning

demands and service expectations and this will result in an increase in costs (Aubert, Rivard & Patry, 1996).

*In a cloud computing environment, the risk factor is modified into: Lack of experience and expertise of the supplier with cloud computing.

Asset specificity

(33)

relationship (Bahli & Rivard, 2003). Heightened asset specificity raises the potential value loss if the outsourcing relationship were to turn sour and it increases the switching costs for clients (Chen & Bharadwaj, 2009). Client firms that outsource IT functions that are highly asset specific are likely to incur greater transactional risk than firms who outsource commodity type IT resources (Oh,

Gallivan & Kim, 2006). Minimized relationship-specific investments, which are of little use in

relationships with other suppliers can decrease the switching costs (Beulen, Ribbers & Roos, 2011). The role of asset specificity has been supported in many different sectors (Aubert, Houde, Patry & Rivard, 2012).

Small number of suppliers

A small number of suppliers is another risk factor, the bargaining power of suppliers increases as their number decreases (Porter, 1985;Nam, Rajagopalan, Rao & Chaudhury, 1996). Lock-in could result from a small number of suppliers, due to the fact that there is only a small number of suppliers available, with limited alternatives for the client (Aubert, Patry & Rivard, 1998). If there is only a small number of capable suppliers in the market, the organization may become a victim of opportunism from vendors during the contract period and at the time of contract renewal (McIvor, 2011). Interdependence of activities

When outsourcing activities, it is expected that the activity that is performed outside of the organization’s boundaries will not have any negative consequences on the activities that remain inside the organization. But once the activity is outsourced, the organization may encounter that there were indeed dependencies between the activities and that this hinders the performance of those activities (Aubert, Patry & Rivard, 1998).

Uncertainty

Uncertainty is considered to have a negative influence on IT outsourcing (Lacity, Khan, Yan & Willcocks, 2010).Three different types of uncertainty are recognized:

 Environmental uncertainty refers to the environmental volatility or the rapidity of market and demand changes (Bahli & Rivard, 2003).

(34)

 Uncertainty related to the nature of the outsourced activities. When the requirements, quality criteria, service levels and other characteristics are not well defined, the client is likely to ask for adjustments (Aubert, Patry & Rivard, 1998). Replacing a known (current) level of service with an unknown level of service spawns uncertainty (Whitten & Wakefield, 2006).

Measurement problems could be described as “the degree of difficulty in measuring performance of exchange partners under circumstances of joint effort, soft outcomes, and/or ambiguous links between effort and performance” (Eisenhardt, 1989). Two types of measurement problems exist: measuring the individual contributions of the parties and measuring the value of those contributions (Bahli & Rivard, 2005). The accuracy with which the buyers measure the quality of activities or products purchased determines the efficiency of market exchanges. When accurate measures are absent, buyers must engage in a costly process of monitoring, or sellers must engage in the costly process of signaling (Barzel, 1982). If it is difficult to evaluate the external supplier’s contribution to the firm, it is likely that disagreements on the price/quality ration will arise. The client may find it difficult to settle on the suppliers’ measurement, and the supplier may find it difficult to settle on the client’s measurement (Bahli & Rivard, 2005).

Proximity of the core competencies.

When an activity is outsourced, it is likely that the firm will lose some of its expertise. This is not necessarily a problem when the activity is not close to the core competencies of the organization. But outsourcing an activity that is close to the core competencies of the organization presents risks (Prahalad & Hamel, 1990;Sullivan & Ngwenyama, 2005). When handing out these activities to a supplier, the firm risks that suppliers will move in a different direction from the one that the client might have chosen or that the supplier will expel the client in its own domain (Aubert, Patry & Rivard, 1998;Sullivan & Ngwenyama, 2005). A lack of organizational learning is possible when the

organization is not centered around its core capabilities. In addition, the company might also lose its innovative capacity when activities close to the core competencies are outsourced (Earl, 1996).

6.5 Conclusion

(35)

7. Results

7.1 Introduction

In this chapter the results from the empirical research will be discussed. In paragraph 7.2.1 till 7.2.6 the results from the interviews will be discussed. In paragraph 7.7 the results from the questionnaires are discussed. In paragraph 7.8 a brief conclusion of the results is given.

7.2.1 Interview results

In the upcoming sections, the interview results will be given. For each interview firstly a background of the organization is given, followed by a global overview of their IT environment and the cloud computing applications in use. The different cloud services that are used will be discussed, followed by the ITO framework.

7.2.2 University 1

University profile [Censored]

IT environment and cloud computing

At the time of the interview the biggest development was the implementation of Google Apps for Education, a public cloud solution. In a few months’ time the University will switch the mail and calendar to the Google powered solution. Another development is the implementation of SugarCRM, a Customer Relationship Management application.

(36)

In addition to these cloud solutions the university is also using Blackboard, an education solution that is provided as a managed service. The university has not outsourced any significant IT activities, the university has a lot of experience and expertise with the management of software themselves.

Cloud application Supplier Type applicatie

Type Users

1 Google Apps for Education

Google Office, e-mail, storage (SaaS)

Public Students

2 Amazon EC2 _{Amazon Web}

Services

IaaS Public Staff

3 Multiple applications Surf foundation

Multiples Community Staff

Framework

Risk factor Explanation

Lack of experience and expertise of the client with the IT activities in the cloud.

The IT personnel does have experience with provisioning, on premise mail and calendar have been supported for many years. The university has a large IT department that has plenty of expertise with the IT operations,

Lack of experience and expertise of the client with cloud computing

The university does have some experience managing cloud computing. They still have to adapt to the new role as intermediary. There is sufficient expertise with cloud computing present, in addition to the current implementation of Google Apps for Education, also other cloud services such as Amazon and services provided by Surfnet are used.

Lack of experience and expertise of the supplier with the IT activities in the cloud.

The operations in the cloud are relatively standard. The suppliers have much experience with this type of operations, Google and Amazon have been providing solutions for these IT operations for years now. Their expertise on these IT operations is also considered to be very good.

Lack of experience and expertise of the supplier with cloud computing

Google & Amazon are established players in the cloud computing market, they have both plenty of experience with cloud computing.as well as expertise. This risk factor thus can be considered low.

(37)

high. Integration between mail, calendar, collaboration etcetera is becoming increasingly important for the users. This is not only a

development that involves the cloud services, but also includes the on premise systems.

Asset specificity At the university there are some applications developed together with the supplier, but the goal is to reduce this. The physical cloud is in possession of the cloud provider. In general, the technology can be considered standard. The more educational services do have technology that is more specialized. The asset specificity thus is rated medium.

Small number of suppliers The number of available suppliers varies per service. The number of suppliers for office productivity is two: Google and Microsoft. So, the choice is limited. The same applies to a situation where the current contract is terminated. For the IaaS cloud, there are many suppliers to choose from. The overall rating for this risk factor thus results in ‘medium’.

Technological discontinuity Special technological developments for specific purposes are managed in-house. The commodity-like services of the cloud and the developments in technology are managed by the cloud provider because of their superior expertise.

Measurement problems The cloud providers do offer a way of monitoring the cloud. The specific functions vary per provider, but in general they offer sufficient insight. The costs are considered to be transparent, although it can take some effort to get it. Overall measurement problems are not really applicable to this situation.

Proximity of core competencies The actual cloud services are not located close to the core competencies, because they are only in use for support services. The ASP (Blackboard) is very strongly related to the core competencies.

A few days without cloud would be very annoying but would not immediately endanger the continuation of the organization, so the proximity to core

competencies is rated low.

(38)

mostly because of the many different users with each having different demands. Obsolescence is

considered to be high. This, in combination with the strategy of the university to always be on the forefront with technology makes for high uncertainty

The University has a diverse and highly demanding set of users, and their IT infrastructure reflects that. The use of Google Apps for Education, Amazon Web Services and the cloud solutions offered by Surfnet all are supporting services. The diverse set of users makes that the applicability of the risk factors also differs for different users and situations.

7.2.3 University 2

University profile

[Censored].

IT environment and cloud computing

The vision of the university is that they should support the IT that students and stuff would like to use. Therefore they offer there internal customers a variety of services from different suppliers. For

instance, for email the University supports their own (Microsoft Exchange based) system. The most important clouds the University uses are cloud services by two of the biggest cloud providers: Google and Microsoft. The University is giving their students the choice which services they want to use. To facilitate this, the IT department is building a provisioning platform that is connected to both Google Apps for Education and Microsoft Office 365. The possibility to use the traditional on premise services also still present.

Cloud application Supplier Type applicatie

Type Users

1 Google Apps for Education

Google Office, e-mail, storage (SaaS)

Public Students

2 Microsoft Office 365 Microsoft Office, e-mail, storage(SaaS)

Public Students

3 Amazon EC2, S3 Amazon Web

Services

(39)

Risk factor Questions Lack of experience and expertise of the client with

the IT activities in the cloud.

The IT department has much experience with the processes that are in the cloud now, services like email, office, calendar have been in use for years. The IT personnel has built up a lot of expertise with the relevant IT processes.

Lack of experience and expertise of the client with cloud computing

The IT department does not have experience with buying cloud services. Regarding managing licenses the SSC does have experience, the contract bureau of the IT department has expertise with managing contracts, two employees dedicate their time to this task. The rating for the experience and expertise is ‘medium’.

Lack of experience and expertise of the supplier with the IT activities in the cloud.

The suppliers, both Google and Microsoft have plenty of experience with IT operations like e-mail, office, collaboration etcetera. The expertise with the IT operation is also considered high, these are two of the biggest and most successful software companies. Therefore the risk factor ‘lack of experience and expertise’ is low.

Lack of experience and expertise of the supplier with cloud computing

The suppliers do have pretty much experience with the cloud. Especially Google is a very mature cloud provider. Google has much expertise with managing cloud contracts, Microsoft is lagging behind on this area, so in general we can rate the experience and expertise as medium..

Interdependence of activities The interdependence of activities is considered to be low. The clouds can operate separately and because of the way the clouds are used, not much

interconnectedness is necessary. The

interconnectedness between cloud and on premise can be considered low. This is mostly because of the dispersed demands of the users.

(40)

the risk factor ‘asset specificity’ is rated low.

Small number of suppliers Other than Google and Microsoft there aren’t any suppliers that offer the same kind of package (for free). The number of suppliers thus is low. However, when you think of it, the IT department already has the replacement for the cloud in-house by using multiple clouds that offer similar functionality. This contradiction results in a rating of ‘medium’.

Technological discontinuity No formal agreements are made. The assumption is that the nature of the cloud spawns technological developments. The lack of formal agreements

combined with the nature of the cloud have a rating of ‘medium’ as the result.

Measurement problems The cloud providers do offer a way of monitoring the cloud in a portal. There is insight in the costs, but it is not fully transparent from the suppliers’ side. The cost structure is not provided.

Proximity of core competencies The business processes in the cloud are not strongly related to the core competencies of the University. The processes in the cloud are support processes. Like in almost every organization, should the cloud collapse it would be very annoying but would not immediately endanger the survival of the

organization.

Uncertainty Uncertainty in the demands of the end-users are not too difficult to predict at the moment, but the

expectation is that this could change in the next few years. Before a reaction will be made, the change in demand has to be substantial. With regards to the obsolescence, this is a responsibility of the cloud provider.

IT outsourcing risk factors in cloud computing environments: Insights from Dutch universities.

computing environments: Insights from

Dutch universities.

Erik van Dingen

May 2014

Abstract

Table of contents

1. Introduction

1.1 Initial motive

1.2 Originality/contribution

1.3 Main research question

1.4 Structure of the thesis

2. Methods and techniques

2.1 Literature review

2.2 Empirical research – interviews with universities

2.3 Empirical research - Questionnaires

2.4 Conclusion

3. Cloud computing

3.1 Definition and characteristics of cloud computing

3.2 Advantages of cloud computing

3.3 Disadvantages of Cloud Computing

3.4 Conclusion

4. Complex cloud environments

4.1 Introduction

4.2 Cloud management issues

4.3 Conclusion

5. Cloud computing and IT outsourcing

5.1 Introduction

5.2 Cloud computing and traditional IT outsourcing similarities.

5.3 Cloud computing and IT outsourcing differences.

5.4 Conclusion

6. Framework

6.1 Introduction

6.2 Risk factors in perspective.

6.3 Risks

6.4 Risk factors

6.5 Conclusion

7. Results

7.1 Introduction

7.2.1 Interview results

7.2.2 University 1

7.2.3 University 2