Multi-Cloud Information Security Policy Development
Abstract
Organizations’ everlasting desire to utilize new trending technologies for optimizing their businesses has been increasing over the years. Cloud computing has been around for a while, and for many it has become a vital part of their day-to-day operations. The concept of multi-cloud has allowed organizations to take advantage of every cloud vendor’s best services and hinder vendor lock-in, resulting in cost optimization and more available services. With every new technology, there are new vulnerabilities ready to be exploited at any time. As there is little prior research regarding this field, threat actors can exploit an organization’s ignorance of important challenges such as interoperability issues, implementing multiple vendors resulting in losing track of their services, and the lack of expertise in this newly founded field. To alleviate such issues, one approach could be to develop information security policies, hence our research question for the thesis: How to develop information security policies in a multi-cloud environment with considerations of the unique challenges it offers?
To address the research question, we conducted a systematic literature review followed by a qualitative research approach. This resulted in six semi-structured interviews with respondents with a variety of experience within the multi-cloud realm. The most prominent findings from this exploratory study have been the focus on thoroughly planning the need for a multi-cloud and information security policies, as well as applying a top-down approach for the policy development phase. This gives a more holistic view of the process; additionally, having the right competence is important. An interesting finding was that multi-cloud on paper should prevent the vendor lock-in issue, but in reality may provoke the matter. Using the tools and services provided by the cloud service providers may enhance the development of information security policies, but proves to be difficult in multi-cloud as the problem of interoperability hinders this. Lastly, reviewing policies becomes more time-consuming and resource-heavy in a multi-cloud because of the frequent updates and changes in technology, which have to be monitored. This research presents a conceptual framework, which by no means is a one-size-fits-all solution, but raises discussion for future work in this field.