2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing
An Overview of Cloud Computing Adoption Challenges in the Norwegian Context

Rania Fahim El-Gazzar
Department of Information Systems, University of Agder, Kristiansand, Norway

978-1-4799-7881-6/14 $31.00 © 2014 IEEE DOI

Abstract—Cloud computing is dominating European countries’ Information and Communication Technology (ICT) agenda. Although the European cloud market is mostly mature, there are still challenges to overcome. Norway is one of the European countries facing such challenges, despite being a developed country in terms of quality of life and ICT development. This paper identifies the current state of cloud computing adoption challenges in Europe in general and Norway in particular, and the way they are addressed. This is achieved through analyzing research articles, reports published by consulting companies and official bodies, official online news articles, and documents published by official authorities. The findings are organized using isomorphic pressures (i.e., coercive, normative, and mimetic) borrowed from neo-institutional theory. The paper concludes that although concerns about legal issues still prevail, there is an increasing tendency towards adopting cloud computing in Norway. The study also suggests future avenues accordingly.

Keywords-cloud computing; adoption; Norway; Europe; challenges

I. INTRODUCTION

Cloud computing is gaining wide attention from enterprises of all sizes across countries. As per the definition of the National Institute of Standards and Technology (NIST), cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” [1, p. 2]. Cloud computing presents an innovative shift in the way Information Technology (IT) services are delivered [2], [3]. These IT services are delivered as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) models [1]. These models are deployed, based on sensitivity of data and applications, into public, private, community, and/or hybrid clouds [1]. Given the distinguishing capabilities offered by cloud computing (i.e., agility, flexibility, cost-effectiveness, rapid entry to market, on demand access to various scalable IT resources, etc.), enterprises are increasingly adopting cloud computing [3]. The current European market of cloud services is 6.5 billion €, and it is speculated to become 24 billion € by 2020 [4]. The majority of mature markets of cloud services are in Europe [5]. According to a recent survey by IDC on cloud computing trends within the Western Europe government sector, the adoption of private clouds is dominant among government municipalities with more than 50%, while public clouds come second with 28%, and hybrid clouds are still far from adoption [6]. However, this growing European market of cloud computing is confronted with serious challenges that differ from one organization to another, one industry to another, and one country to another [7]–[10]. Regarding the global cloud market, the US is contributing predominantly with 63% to cloud global revenues, while Europe is declining with 23%, of which 6% of cloud global revenues are generated by European cloud vendors and 88% by cloud vendors from the U.S. [11]. This slow growth in the European cloud market can be attributed to various legal, security, and economic issues [4], [7], [12]–[15]. Earnest initiatives have been undertaken by national and international stakeholders within the European Union (EU) region to address these issues and accelerate cloud computing adoption in Europe. These initiatives are carried out by the European Commission (EC), the European Union Agency for Network and Information Security (ENISA), local governments of each European country, and other institutions (i.e., universities, consultancy companies, and research centers) [12], [13], [16], [17]. Although Norway is a developed country with notable IT advancements, there are still challenges confronting the adoption of cloud computing, and more endeavors are needed to facilitate the adoption in public and private sectors [9], [13], [18].

The focus of this paper is to review research articles, online news articles, and online shared official documents published about cloud computing adoption in Europe and in Norway, as it belongs to the EU region, to answer this research question: what are the challenges facing the adoption of cloud computing in Norway, and how are these challenges addressed? The findings from this review are framed into the isomorphic pressures borrowed from the neo-institutional theory [19]. The paper is organized as follows: Section II provides a literature background about cloud computing adoption in Europe in general and in Norway in particular. Section III presents the concepts utilized from the neo-institutional theory. Section IV discusses the findings from the perspective of the neo-institutional theory. Finally, Section V concludes the contribution of the paper and future avenues.
II. BACKGROUND

A. Cloud Computing Adoption Challenges in Europe

Regarding the EU context, the scarce literature on the state-of-the-art of cloud computing adoption focused on various influential aspects (i.e., economic and legislative). Some of these aspects are seen as enticing influences exerted by the economic advantages of the cloud computing business model, and some other aspects are seen as challenges exerted by the legal environment [20], [21]. The adoption of cloud computing can happen smoothly if it is introduced gradually to the European market; this will enable business creation and competition in all European markets due to the reduction of the fixed costs of IT capital expenditures [20]. Furthermore, the diffusion of cloud computing speeds entry of small and medium enterprises (SMEs) to market, creates more employment opportunities, and contributes to the growth of the Gross Domestic Product (GDP) [20]. The top motives for using cloud services in Europe are to reduce total costs, improve IT performance, and promote scalability as well as flexibility [22]. European decision makers seemed to be highly interested in moving applications such as customer-facing (i.e., visualization and mapping tools, MS Office and e-publishing, predictive analytics, and enterprise search) and back-office (i.e., Human Resources [HR] and Customer Relationship Management [CRM]) to the cloud [22]. For the European market, benefits have been realized from cloud computing in the maritime and telecoms fields. For the maritime field in the EU region, cloud computing could offer trustworthy cross-border, interoperable, and secure e-port services [23]. For telecoms operators in Europe, potential revenues to be generated by cloud services in 2020 are 7.5 – 11.7 billion € [4]. Thus, this is a good reason for the EC to initiate a cloud computing adoption strategy for Europe [12].

A recent study identified barriers to cloud computing adoption in Europe; these barriers are complexity in moving existing legacy systems to the cloud, security in terms of regulatory requirements and storage of data across Europe, and lack of confidence in the cloud provider’s support and expertise [24].

B. Cloud Computing Adoption Challenges in Norway

Norway has witnessed a notable growth in the adoption rate of cloud computing. This is reported by a survey carried out in 2011 on the use of cloud computing in Norway; the survey covered 500 of the largest private sector companies and public sector bodies in Norway [25]. The survey indicated that the SaaS model is used more than the PaaS and IaaS models; 33% of the public sector organizations are using SaaS, while 38% of the private sector organizations are using SaaS. Furthermore, 14% of public sector and 19% of private sector organizations were planning to use SaaS. The survey also reported that maintaining control over data and security to prevent data from being compromised by third parties are important challenges for cloud providers and customers; this is considered to be critical in deciding to use cloud computing by 91% of public sector and 83% of private sector organizations. The survey also reported control over data and integration as important factors when deciding to use cloud computing services. In this regard, the Chief Executive Officer (CEO) of EDB ErgoGroup stated that "An important factor for success in the Norwegian market will be for suppliers to operate the cloud locally so that customers' data remains in Norway. At the same time, a well-documented history of expertise in secure and reliable data storage will be key to winning customers' trust" [25].

In the same direction, a study focused on exploring enablers and inhibitors of adopting cloud computing in 16 Norwegian organizations [26]. The most important enablers are low investment costs and elasticity, while the most important inhibitors are security, legal issues concerning storage location of the data, integration issues, identity management, and concern about moving business critical systems to the cloud. Furthermore, the study proposed that, over time, Norwegian organizations will gain more experience with cloud computing and, thus, its adoption rate will increase. This comes in line with a report by the Norwegian ministry of government administration [16], which points out cloud computing services as one of the technology trends that will drive future developments. Cloud computing is considered “the biggest game changer in the history of ICT service provision” [16, p. 36]. Norway is considered a mature cloud market [5], [10], and it is ranked fifth among societies ready for the use of ICTs in general [9]. According to the ICT Development Index (IDI), Norway was ranked eighth in 2008, 11th in 2010, and sixth in 2011 and 2012 [27], [28]. This indicates that Norway remained among the top ten in terms of ICT readiness (i.e., infrastructure and access), use (i.e., intensity), and capabilities (i.e., skills). However, Norway may not be fully ready for adopting cloud computing widely, as there are still legal, strategic, and economic challenges to address [9], [15], [29]. These challenges can be addressed by efforts from all stakeholders in the EU region.

III. NEO-INSTITUTIONAL THEORY

Neo-institutional theory is chosen to map the findings from this review. It is a useful lens to understand the influence of institutions on the use and consequences of technologies [30]. Cloud computing adoption in Norway is influenced by legal, economic, normative, and social factors that take place in the organizational field, which is the central concept of neo-institutional theory; this includes government, CSPs, customers, business partners, consultancy firms, and IT industry associations. These organizations enact and reproduce institutions to shape the adoption of IT [31]. These institutions are carried through laws, authority systems, standard procedures and roles, or objects complying with standards [32], and impose three isomorphic pressures on the adopting organizations, so that they look similar to each other (see Table I) [19].
TABLE I. ISOMORPHIC PRESSURES [19]

Isomorphic pressures and their descriptions:
- Coercive: Formal (standards); informal (culture).
- Normative: Normative rules about organizational and professional behavior. Producing individuals with similar orientation and educational backgrounds.
- Mimetic: When organizations are confronted with poorly understood technology solutions, ambiguous goals, and environment uncertainty, they model themselves on other organizations in hope to find less expensive solutions.

Sources:
- Legal environment
- Professional associations
- Universities and professional training institutions
- Consulting firms
- Industry trade associations
- Employee transfer or turnover (implicit)

IV. FINDINGS AND DISCUSSION

As Norway is associated with the EU through its membership in the European Economic Area (EEA) [33], it is likely affected by any initiatives to adopt cloud computing that take place in Europe under the auspices of the EC. Likewise, challenges that confront the EU region would likely confront Norway. The challenges found confronting the EU region and Norway are presented in Table II along with pressures exerted by surrounding organizations in the organizational field to facilitate the adoption of cloud computing and become similar to their counterparts. In the European context, the organizational field consists of the EC, industry associations (i.e., European Union Agency for Network and Information Security [ENISA] and association of European Telecommunications Network Operator [ETNO]), and Nordic Council of Ministers. In the Norwegian context, the organizational field consists of the national regulatory bodies (i.e., Norwegian Data Protection Authority [Datatilsynet] and Norwegian Financial Supervisory Authority [Finanstilsynet]), cloud providers, and cloud customers.

In the European context, IT security capability will never be moved to the cloud [22], unless EU authorities revisit their policies related to privacy of personal data [34]. Here comes the role of legislative influences that are exerted by EU governmental bodies to govern the adoption of cloud computing [34]. However, legal issues get more complicated regarding cloud computing, as each EU member state has its own national and regional governance policies and there is no common agreed jurisdiction over the cloud regarding the treatment of the data [35]; this also applies to the taxation rules of cloud services [29]. Furthermore, compliance frameworks such as the Sarbanes–Oxley (SOX) Act and the Health and Human Services Health Insurance Portability and Accountability Act (HIPAA) were developed for the non-cloud implementations and are not well-suited for data protection requirements in the cloud [21].

Hence, decision-makers and policy-makers are facing serious challenges, and various initiatives have taken place to address such challenges. Thus, the EC has set a new strategic initiative to enable faster and harmonized adoption of cloud computing throughout all sectors of the economy as well as cut ICT costs and boost productivity, economic growth, and jobs in the EU region [12]. This initiative aimed at addressing the perception of many potential adopters about cloud computing risks by providing more clarity and knowledge about the applicable legal framework and developing it further. The EC’s strategy for cloud computing focused on standardization, providing secure and fair contract terms and conditions, and establishment of a European cloud partnership to drive innovation and growth [36], [37]. Norway closely monitors the EU policy in this regard, as well as at the Nordic level under the auspices of the Secretariat of the Nordic Council of Ministers [36], [38]. As a result, the EC presented a first draft for a General Data Protection Regulation (GDPR) to harmonize the data protection law in the EU and address the challenges related to cloud computing [39]; it is planned to become effective for all member states in 2016 and replace the EU Directive 95/46/EC that does not fit cloud computing anymore. Because cloud computing is borderless and information is transferred between and stored at geographically dispersed servers, the EU region showed a serious concern about privacy and security issues when it comes to transferring healthcare data across national borders [35]. For instance, the PATRIOT Act had a negative influence on the decisions of some EU cloud customers to contract cloud services where data centers are located outside Europe. To address this issue, the safe harbor agreement enables U.S. cloud providers to voluntarily self-certify that they meet the requirements of the EU Directive [35]. However, the safe harbor agreement has been criticized for its non-standardized and self-regulation nature [39].

A study by ENISA, in collaboration with the EC, was conducted on 23 EU countries, Norway among them, to provide good practices on securely deploying governmental clouds in Europe [13]. For foreign cloud providers who are doing business in the EU, TRUSTe can help them certify their compliance with the EU 1995 Directive on Data Protection [40]. The Directive prohibits the transfer of personal data from Europe to non-European Union nations that do not meet the EU’s adequacy standard for privacy protection [40]. In the Norwegian context, the reasons that drove the Norwegian government to consider adopting cloud computing services are to promote efficiency and ICT innovation in doing business, and to reduce the need for expensive manual labor and, thus, improve profitability [16]. Although public sector organizations are increasingly adopting cloud computing services, they face a challenge in managing and influencing cloud providers’ SLA in terms of harmonizing both cloud offerings and legislative requirements. Thus, the Norwegian ministry of government administration will generate guidelines, as an initiative, for public and private enterprises about relevant regulations and standard SLAs to use for procuring cloud services [16]. According to a report on this initiative, the maturing phase is expected to take three to five years, during which legal issues for governing data protection will need more clarification [16]. This triggers the important role of industry associations such as the association of ETNO to influence cloud related policies of the EU and its members and simplify rules of governing data transfers [21]. The legal haze can be catastrophic to the adoption of cloud computing, and harmonizing technology with law should be in place; however, this requires research efforts to gain a deeper understanding of the phenomenon [41].

Besides the need for clarifying regulations, adopting organizations will desperately need consulting aid throughout the adoption stages. This is stressed by the Chief Executive Officer (CEO) of EDB ErgoGroup: “Many customers will need extensive assistance to position themselves in a cloud computing world, and this means that IT consultants will increasingly become a kind of IT weather forecaster. This is something that we call ‘Cloud Consulting’, and we see this area becoming ever more important as time goes on” [25]. Furthermore, the CEO also stressed trust as an equally important aspect that customers will likely look for when deciding to contract cloud computing services: “In order for growth to continue …, it is essential that the IT industry succeeds in creating greater confidence in the technology, and is able to demonstrate successful examples of cloud-based deliveries” [25]. This is the mission of cloud providers and consulting firms.

For Norwegian organizations, cloud computing is an opportunity for cost reduction, flexibility, and agility, but related challenges trigger serious concerns [42]. These challenges are: (1) lack of control and transparency due to the fact that cloud services are delivered by many subcontractors, so it is difficult to determine who is processing the data and where; (2) difficulty of determining accordance with Norwegian law due to the fact that cloud servers are distributed in many locations outside the borders; (3) limited room for negotiation due to the fact that international cloud providers, especially American ones, use their own standard agreements that they are unlikely to modify, so customers are not able to secure their data the way they should. However, cloud providers entering into an agreement with Norwegian government agencies would have to fulfill specific criteria [43]. Furthermore, recent collective research efforts investigated these criteria and introduced recommendations for developing SLA specifications to adapt cloud providers’ agreements to the European privacy requirements [44].

Legally, Datatilsynet (Norwegian Data Protection Authority) enacted a set of Acts that focuses on the processing of personal data in the cloud, roles and responsibilities among involved parties, requirements for a written data processing agreement between the data controller (i.e., cloud provider) and data processor (i.e., customer organization), use of subcontractors, restriction on disclosing personal data by the cloud provider to others without the consent of the customer, access controls, and risk assessment and information security audits from both data controller and data processor [42]. These Acts are the result of a lesson learnt from what happened in 2011 to Narvik municipality, which is the third-largest city and municipality in Nordland county in Norway. The Narvik government entered into an agreement with Google Apps to run a SaaS service model that involved using a complete e-mail solution and file sharing of internal documents [45]. Based on a legal assessment, Datatilsynet inferred that Google Apps’ solution was not conforming to the Norwegian Personal Data Act and regulations. This resulted in Narvik losing control of the personal data due to the lack of a valid data processing contract, problematic data transfer to third countries, and missing information on security level and measures. In January of 2012, Datatilsynet banned the use of Google Apps. Nine months later, the ban was ended and Datatilsynet became satisfied that “Google and Microsoft have increased their cloud computing security and that the data stored in the EU… and in the United States under the safe harbor regime are protected by adequate safeguards… However, the use of cloud computing services in Norway will be made conditional upon strict prerequisites” [46]. Consequently, Datatilsynet gave an approval for all local municipalities to use Google Apps and Microsoft Office 365, but under certain conditions [43], [47], [48].

This approval is valid as long as the municipalities use Google Apps to facilitate communication between staff and do not use it to communicate private data about the public [47], foreign cloud providers comply with the Norwegian and European privacy legislation, and customers conduct risk and vulnerability assessments. Customer organizations are also required to conduct a risk and vulnerability analysis for their use of ICT, particularly if they operate in a very sensitive industry such as the financial sector that reports to Finanstilsynet (Norwegian Financial Supervisory Authority) [49], as well as critical infrastructures of public municipalities that report to Datatilsynet [50]. The prerequisite conditions set by Datatilsynet for adopting cloud services are bulletproof against breaching data security and privacy; however, they increase complexity and create financial and management overhead for customer organizations [51].

Based on the aforementioned findings, cloud computing adoption in Norway is influenced by: (1) the risks triggered by the borderless nature of cloud computing in terms of data security, location of the data, loss of control over data, and limited options around the SLA that represent the broader adoption challenges, (2) distinct jurisdictions and outdated compliance frameworks that represent challenges by the global environment (i.e., EU, EC, U.S., ENISA),
TABLE II. CLOUD COMPUTING ADOPTION CHALLENGES AND HOW CHALLENGES ARE ADDRESSED IN EUROPE AND NORWAY
Challenge
Related to
Description
Pressure to Address The Challenge
No common jurisdiction
Global environment
Each EU country has its own national and regional laws
New cloud computing strategy:
- Standardization
- Secure and fair contract terms and conditions
- Establishment of a European cloud partnership
General data protection regulation to harmonize the EU’s data protection law with cloud-related legal issues
Lack of cloud-ready compliance frameworks
Global environment
SOX and HIPAA were developed for the non-cloud implementation
Less control over sensitive data
Cloud computing
Privacy and security issues when transferring healthcare data across national borders; this presents a risk for customers and challenge for foreign cloud providers with the existence of the PATRIOT Act
Difficulty to negotiate SLA
Cloud computing
Hazy legal issues
Global environment
Loss of control over personal data in the cloud
Cloud computing
Public sector organizations need higher levels of security and privacy, which is difficult to guarantee by negotiating and influencing international cloud providers’ standard SLA
Difficulty to understand too many legal issues and governance policies, which need more clarification
Lack of control and transparency due to many subcontractors and difficulty to determine the accordance with the Norwegian law due to storing data in locations outside the borders
Pressure Type Normative
Pressure Source -
EC Norway Nordic Council of Ministers
Coercive
EC
Addressing perceived risks by potential adopters
Providing more clarity and knowledge about the applicable legal framework and developing it further
Developing safe harbor agreement to ensure that foreign cloud providers comply with the EU Directive 95/46/EC
Normative
EC
Coercive
-
Help foreign cloud providers to certify their compliance to the safe harbor agreement
Providing good practices for deploying secure governmental clouds in Europe
Mimetic
Normative
-
Generate guidelines for public and private enterprises about relevant regulations and standard SLAs to use for procuring cloud services
Normative
The Norwegian ministry of government administration
Enact an Act to obligate the cloud provider to enter into a separate data processing agreement, to ensure that data are processed according to the Norwegian law
Influence cloud related policies of the EU and its members and simplify rules of governing data transfers
A set of Acts enacted to focus on:
- Processing of personal data in the cloud
- Roles and responsibilities among involved parties
- Use of subcontractors
- Restricting disclosure of personal data by the cloud provider to others without the consent of the customer
- Access controls
Coercive
Normative
Datatilsynet (Norwegian Data Protection Authority) ETNO
Coercive
-
-
U.S. department of commerce EU TRUSTe
-
EC ENISA
Datatilsynet (Norwegian Data Protection Authority) Finanstilsynet (Norwegian Financial Supervisory Authority)
Obligating cloud providers and customers to conduct vulnerability risk analysis
Lack of trust in the technology
Cloud computing
The problem of feeling confident in cloud computing as a technology
Demonstrate successful examples of cloud-based deliveries
Normative
Increased complexity
Norway
Integration with legacy systems, contracting cloud services, and strict Norwegian laws that require conducting enormous audits and risk assessments consume financial and managerial resources
Offer consulting aid to minimize risks and overhead, as well as maximize benefits
Normative
-
Cloud providers Consultancy firms Consultancy firms
(3) coercive legal frameworks and normative guidelines and best practices generated by European and international stakeholders that serve as facilitators for the adoption of cloud computing, (4) coercive Norwegian laws and guidelines enacted by Norwegian authorities (i.e., Datatilsynet, Finanstilsynet, and the Norwegian ministry of government administration) based on lessons learnt from previous cases such as the Narvik municipality matter, which serve as safeguards for the adoption of cloud services in Norway, but raise financial and management overhead on Norwegian customer organizations, (5) the normative role of consultancy firms in facilitating the adoption of cloud services by helping Norwegian customer organizations to balance between the potential benefits from using cloud services, potential risks, and strict Norwegian laws and required audits by Datatilsynet and Finanstilsynet, and (6) the normative influence by consultancy firms and cloud providers to demonstrate successful stories to increase trust for Norwegian customer organizations in cloud services.

V. CONCLUSION AND FUTURE AVENUES

This paper reviewed the current challenges facing the adoption of the cloud computing phenomenon in the EU region in general and in Norway in particular. The paper provided a literature background about the phenomenon and its context. A lesson to remember is that, in addition to aligning the IT strategy for adopting cloud computing with business needs, alignment with the regulatory requirements should also be taken into account. This is likely to be at the expense of financial and managerial resources of the adopting organization. The paper had a legislative flavor regarding the adoption of cloud computing in Norway; however, there can be other types of challenges. Thus, this paper will pave the way for possible research extensions in the near future. A case study research strategy will be conducted through interviewing informants who represent various stakeholders from customer and cloud provider sides, as well as public and private sector. This will help to explore challenges other than legal challenges. Additionally, some borrowed concepts from the neo-institutional theory will be utilized to analyze the findings from the case study and provide more insights based on the field data.
REFERENCES

[1] P. Mell and T. Grance, “The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology.” pp. 1–7, 2011.
[2] N. Su, R. Akkiraju, N. Nayak, and R. Goodwin, “Shared Services Transformation: Conceptualization and Valuation from the Perspective of Real Options,” Decis. Sci., vol. 40, no. 3, pp. 381–402, 2009.
[3] S. Marston, Z. Li, S. Bandyopadhyay, and A. Ghalsasi, “Cloud Computing – The Business Perspective,” in Proceedings of the 44th Hawaii International Conference on System Sciences (HICSS 2011), 2011, vol. 51, no. 1, pp. 1–11.
[4] M. Page and C. Rand, “A Future Policy Framework for Growth.” A.T. Kearney, pp. 1–46, 2013.
[5] Parallels, “Parallels SMB Cloud Insights 2013 Europe and North Africa Region.” Parallels IP Holdings GmbH, pp. 1–16, 2013.
[6] S. Piai, “Business Strategy: Western Europe Government Sector IT Cloud Computing Trends, 2012–2013,” 2013.
[7] W. A. Jansen, “Cloud Hooks: Security and Privacy Issues in Cloud Computing,” in 2011 44th Hawaii International Conference on System Sciences, 2011, pp. 1–10.
[8] Kommerskollegium, “How Borderless is the Cloud? An Introduction to Cloud Computing and International Trade.” The National Board of Trade, pp. 1–28, 2012.
[9] B. Bilbao-Osorio, S. Dutta, T. Geiger, and B. Lanvin, “The Networked Readiness Index 2013: Benchmarking ICT Uptake and Support for Growth and Jobs in a Hyperconnected World.” World Economic Forum, pp. 3–33, 2013.
[10] Gartner, “Market Trends: Banking, Worldwide, 2014,” no. January. Gartner, Inc., pp. 1–33, 2014.
[11] J. Zwet and V. Veld, “The Evolution of the European Cloud Market.” interxion, pp. 1–12, 2013.
[12] EN, “Unleashing the Potential of Cloud Computing in Europe.” European Commission, pp. 1–16, 2012.
[13] T. Haeberlen, D. Liveri, and M. Lakka, “Good Practice Guide for Securely Deploying Governmental Clouds.” European Union Agency for Network and Information Security (ENISA), pp. 1–46, 2013.
[14] G. Graham, “Lost in a Cloud: Overview of Legal Obstacles to the Growth of Cloud Computing,” Medij. istraž., vol. 18, no. 2, pp. 21–32, 2012.
[15] K. Jeffery and B. Neidecker-Lutz, “The Future of Cloud Computing: Opportunities for European Cloud Computing Beyond 2010.” pp. 1–71, 2010.
[16] Stoltenberg II Government, “Digital Agenda for Norway: ICT for Growth and Value Creation.” Norwegian Ministry of Government Administration, Reform and Church Affairs, pp. 1–117, 2013.
[17] P. Wauters, K. Declercq, S. van der Peijl, and P. Davies, “Study on Cloud and Service Oriented Architectures for e-Government Final Report.” European Commission, pp. 1–130, 2012.
[18] O. Brian, T. Brunschwiler, H. Dill, H. Christ, B. Falsafi, M. Fischer, S. G. Grivas, C. Giovanoli, R. E. Gisi, R. Gutmann, M. Kaiserswerth, M. Kündig, S. Leinen, W. Müller, D. Oesch, M. Redli, D. Rey, R. Reidl, A. Schär, A. Spichiger, U. Widmer, A. Wiggins, and M. Zollinger, “SATW White Paper: Cloud Computing.” Swiss Academy of Engineering Sciences, pp. 11–51, 2012.
[19] P. DiMaggio and W. Powell, “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields,” Am. Sociol. Rev., vol. 48, no. 2, pp. 147–160, 1983.
[20] F. Etro, “The Economic Impact of Cloud Computing on Business Creation, Employment and Output in Europe,” Rev. Bus. Econ., vol. 54, no. 2, pp. 179–208, 2009.
[21] N. Kshetri, “Privacy and Security Issues in Cloud Computing: The Role of Institutions and Institutional Evolution,” Telecomm. Policy, vol. 37, no. 4–5, pp. 372–386, Jul. 2013.
[22] CA Technologies, “TechInsights Report: Cloud Succeeds. Now What?,” no. May. pp. 1–9, 2013.
[23] K. Dellios and D. Polemi, “Maritime Clouds for the European Ports,” in Proceedings of the 16th Panhellenic Conference on Informatics, 2012, pp. 422–426.
[24] NTT Europe, “Growing Pains in the Cloud: 300 CIOs Express their Views about Barriers to Cloud Adoption,” 2013.
[25] Rambøll Management Consulting and EDB ErgoGroup, “Strong Growth in Cloud Computing in Norway,” Reuters, 2011. [Online]. Available: http://www.reuters.com/article/2011/09/07/idUS46774+07-Sep-2011+HUG20110907.
[26] E. Hustad and D. H. Olsen, “Adoption of Cloud Computing: A Study of Enablers and Inhibitors in a Norwegian Context,” in Proceedings of the 9th International Conference on Enterprise Systems, Accounting and Logistics (9th ICESAL 2012), 2012, no. June, pp. 203–217.
[27] ITU, “Measuring the Information Society.” pp. 1–174, 2011.
[28] ITU, “Measuring Information Society.” pp. 1–254, 2013.
[29] PwC, “VAT & the Cloud Understanding Your VAT Obligation.” PricewaterhouseCoopers, pp. 1–6, 2013.
[30] B. W. J. Orlikowski and S. R. Barley, “Technology and Institutions: What Can Research on Information Technology and Research on Organizations Learn from Each Other?,” MIS Q., vol. 25, no. 2, pp. 145–165, 2001.
[31] W. R. Scott, “Unpacking Institutional Arguments,” in The new institutionalism in organizational analysis, W. W. Powell and P. J. DiMaggio, Eds. Chicago: University of Chicago Press, 1991, pp. 143–163.
[32] W. R. Scott, Institutions and Organizations. Sage, 2001, pp. ix–255.
[33] EEA Review Committee, “Outside and Inside: Norway’s agreements with the European Union,” 2012.
[34] N. Kshetri and S. Murugesan, “Cloud Computing and EU Data Privacy Regulations,” Computer (Long. Beach. Calif)., vol. 46, no. 3, pp. 86–89, Mar. 2013.
[35] J. J. M. Seddon and W. L. Currie, “Cloud computing and trans-border health data: Unpacking U.S. and EU healthcare regulation and compliance,” Heal. Policy Technol., vol. 2, no. 4, pp. 229–241, Dec. 2013.
[36] “Digital Agenda for Norway,” Ministry of Local Government and Modernisation, 2013. [Online].
Available: http://www.regjeringen.no/en/dep/kmd/documents/white/ propositions/2012-2013/meld-st-23-201220132/4/4.html?id=729035. J. Hladjk, “New EU Commission Strategy on Sloud Computing,” NewEurope, 2013. [Online]. Available: http://www.neurope.eu/kn/article/new-eu-commissionstrategy-cloud-computing. Nordic Council of Ministers, “Nordic Public Sector Cloud Computing – a discussion paper.” Copenhagen, pp. 1–62, 2012. F. Pfarr, T. Buckel, and A. Winkelmann, “Cloud Computing Data Protection -- A Literature Review and Analysis,” in Proceedings of the 47th Hawaii
[40]
[41]
[42]
[43]
[44] [45]
[46]
[47]
[48]
[49]
[50]
[51]
418
International Conference on System Sciences (HICSS 2014), 2014, pp. 5018–5027. “US-EU and US-Swiss Safe Harbor Privacy Assessment,” TRUSTe. [Online]. Available: http://www.truste.com/products-and-services/enterpriseprivacy/eu-safe-harbor-seal. J. Kanestrøm, “Hazy Legal Regulation of Cloud Computing,” ScienceNordic, 2014. [Online]. Available: http://sciencenordic.com/hazy-legal-regulation-cloudcomputing. I. Hanssen-Bauer, “Personvern ved bruk av skytjenester,” Wikborg Rein, 2013. [Online]. Available: http://wr.laboremus.info/Aktuelt/Personvern-ved-bruk-avskytjenester. H. Veum and L.-O. Nymoen, “Reply - Use of Microsoft Office 365 Cloud Computing Services - Municipality of Moss.” pp. 1–10, 2012. D. Kyriazis, “Cloud Computing Service Level Agreements Exploitation of Research Results,” 2013. K. M. Risung and J. Songe-Møller, “Use of Google Apps’ Cloud Solution,” Schjødt, 2013. [Online]. Available: http://www.schjodt.no/nyheter-innsikt/artikler/ctlr-32012telecommunications-data-protection-cloudcomputing.aspx. C. O’Donoghue, “The Norwegian Data Protection Authority holds off ban, permitting the use of cloud computing services by Norway Municipalities,” Global Regulatory Enforcement Law Blog, 2012. [Online]. Available: http://www.globalregulatoryenforcementlawblog.com/201 2/10/articles/data-security/the-norwegian-data-protectionauthority-holds-off-ban-permitting-the-use-of-cloudcomputing-services-by-norway-municipalities/. L. Tung, “No Personal Data on Google Apps, Norway Tells its Councils as it Clears Cloud Use,” ZDNet, 2012. [Online]. Available: http://www.zdnet.com/no-personaldata-on-google-apps-norway-tells-its-councils-as-itclears-cloud-use-7000004904/. L. Essers, “Norway Ends Nine-Month Ban on Google Apps Use,” Computerworld, 2012. [Online]. Available: http://www.computerworld.com/s/article/9231738/Norwa y_ends_nine_month_ban_on_Google_Apps_use. 
Finanstilsynet, “Risk and Vulnerability Analysis 2012: Financial Institutions’ Use of Information and Communications Technology (ICT).” pp. 1–40, 2013. I. B. Utne, P. Hokstad, G. Kjølle, J. Vatn, I. A. Tøndel, D. Bertelsen, H. Fridheim, and J. Røstum, “Risk and Vulnerability Analysis of Critical Infrastructures - The DECRIS Approach,” in Proceedings of SMARISK Conference, 2008, pp. 1–10. S. Davies, “Why Norway’s Rigorous Stance on Cloud Computing Highlights the Primacy of Strong Privacy Policies,” The Privacy Surgeon, 2012. [Online]. Available: http://www.privacysurgeon.org/blog/incision/whynorways-rigorous-stance-on-cloud-computing-highlightsthe-crucial-importance-of-strong-privacy-policies/.