dc.description.abstract | Organizations’ ever lasting desire to utilize new trending technologies for optimizing their
businesses have been increasing by the years. Cloud computing has been around for a while,
and for many became a vital part of their day-to-day operations. The concept of multi-cloud
has allowed organizations to take advantage of every cloud vendor’s best services, hinder
vendor lock-in, resulting in cost optimization, and resulting in more available services. With
every new technology, there are new vulnerabilities ready to be exploited at any time. As
there is little prior research regarding this field, threat actors can exploit an organization’s
ignorance on important challenges such as interoperability issues, implementing multiple
vendors resulting in losing track of their services, and the lack of expertise in this newly
founded field. To alleviate such issues, one approach could be to develop information security
policies, hence our research question for the thesis: How to develop information security
policies in a multi-cloud environment with considerations of the unique challenges it offers?
To uncover the research question, we have conducted a systematic literature review followed
up by a qualitative research approach. This has resulted in six semi-structured interviews
from respondents with a variety of experience within the multi-cloud realm. The most
prominent findings from this exploratory study has been the focus of thoroughly planning
the need of a multi-cloud and information security policies, as well as applying a top-down
approach for the policy development phase. This gives a more holistic view over the process,
and additionally having the right competence is important. An interesting finding was that
multi-cloud on paper should prevent the vendor lock-in issue, but in reality may provoke the
matter. Using the tools and services provided by the cloud service providers may enhance
the development of information security policies, but proves to be difficult in multi-cloud as
the problem of interoperability hinders this. Lastly, reviewing policies becomes more timeconsuming
and resource heavy in a multi-cloud because of the frequent updates and changes
in technology, which has to be monitored. This research presents a conceptual framework,
which by no means is a one-size-fits-all solution, but raises discussion for future work in this
field. | |