Cloud computing is an evolving paradigm that affects a large part of the IT industry, in particular the way hardware and software are deployed: as a service.1 Cloud computing provides new opportunities for IT service providers, such as the adoption of new business models and the realization of economies of scale by increasing efficiency of resource utilization. Adopters are supposed to benefit from advantages like up-to-date IT resources with a high degree of flexibility and low upfront capital investments.6
However, despite advantages of cloud computing, small and medium enterprises (SMEs) in particular remain cautious implementing cloud service solutions.4 This holds true for both IT service providers and IT service users. The main reasons for the reluctance of companies to adopt cloud computing include:
Reflecting these reasons for inhibiting cloud computing adoption, the environment surrounding cloud computing is characterized by uncertainty and a lack of transparency. Yet, trust is necessary in situations in which the interested party is confronted with uncertainty.7 Addressing the present trust issues in cloud computing and promoting transparent information exchange between cloud service providers and cloud users are essential premises to accomplish broad diffusion of cloud computing in the market.
We believe certification of cloud services by independent certification institutions can cope with the challenging lack of transparency, trust, and acceptance. Research has shown that trust can be built through supporting IT-based mechanisms like certifications and escrows if experience in a market is not readily available.8 Furthermore, certifications help to establish market transparency, which companies may not be able to achieve on their own. Potential cloud adopters are faced with an abundance of service offerings of similar functionality. SMEs may not have sufficient resources to adequately assess cloud services, whereas large enterprises may have the resources, but still have to raise funds and undergo significant efforts in order to assess and benchmark cloud services. Ultimately, all companies, which are planning to adopt a cloud service, need to perform similar assessments. Thus, it is economically beneficial to dedicate these assessments to specialized organizations, which issue broadly accepted and standardized certifications.
Reflecting the aforementioned reasons for adoption uncertainty, a certification is particularly beneficial in the following scenarios:
Security and trust. The implementation of cloud computing creates additional challenges concerning IT security. Besides technical issues, customers need to trust in the security and reliability of a service in order to adopt it. In the case of online banking or online shopping, public key certificates issued by certificate authorities are a common way to verify a website's authenticity and promote customers' trust. Extended Validation Certificates do not differ in structure or cryptography from other (cheaper) certificates, but require extensive identity verification of the requesting organization. Thus, the online transaction itself is not more secure (according to its encryption), but the certification is presented more prominently to the user and the extended validation fosters the trustfulness of the website. In the context of cloud computing, a certification by an independent certification authority can improve trust the same way as in the domains of online banking and online shopping. In addition to the provider's identity, a cloud certificate could evaluate infrastructure security and IT security measures of the cloud service provider. We consider the certification of large infrastructure, platform, or software providers as important since these providers serve as hubs for enormous amounts of data. Therefore, security flaws or outages in the systems of these large providers affect a vast number of cloud users.
Certifications help to establish market transparency, which companies may not be able to achieve on their own.
Legal compliance and privacy. Current discussions on legal conflicts between the United States Patriot Act and the European Union (EU) Data Protection Directive (95/46/EC) intensify the need for legally compliant cloud services. Moreover, individual member states of the EU have implemented the 16-year-old EU data protection directive in very different manners. As a consequence, cloud service providers must deal thoroughly with 27 different policies in order to comply with all 27 EU member states' data protection laws. In addition, sector-specific regulations may apply (for example, the Health Insurance Portability and Accountability Act in the U.S.). Implementing a framework with clear guidelines for privacy and legal compliance of cloud services would support providers to design and implement compliant cloud solutions. Cloud service certifications verifying the adherence to such a legal and privacy framework can support users in their adoption decisions as they can rely on the ongoing legal compliance of certified cloud services. Likewise, specialized cloud service providers can benefit from cloud certifications when selecting platform or infrastructure providers to deploy their services, which need to adhere to the national or industry-specific requirements of their customers.
Digital preservation and lock-in effects. Digital preservation describes the management of digital information in order to keep it accessible, reproducible, and interpretable over long periods of time and different innovation cycles. Digital preservation does not only focus on preserving data, but also on preserving the representation information necessary to interpret the preserved data. For example, the representation information may be an application used to access and interpret the data or specifications of the data format. In cloud computing, hardware and software are delivered as a service and are not in possession of the user. Thus, neither data nor applications are physically accessible. Moreover, data formats in cloud services like Google Docs are opaque. Supporting digital preservation of cloud-based information and applications might be included in the certification requirements for cloud services. Another challenge for cloud service providers includes the prevention of lock-in effects. In order to acquire a certification, interfaces for digital preservation and data migration to other cloud service providers need to be provided.
We believe introducing a certification for cloud services is a step forward to a more trustworthy and transparent cloud computing environment.
Transparency. As a result of the late-2000s financial crisis, customers lost their confidence in the banking industry. Risky, complex, and non-transparent financial products, such as mortgage-backed securities or collateralized debt obligations, were placed on the capital market as supposedly secure investments. Applying this situation correspondingly on cloud services, users do not necessarily know which cloud services they are actually using and where data will be processed and stored. A Software as a Service provider in Germany may provide a cloud service, which integrates the capabilities of several cloud services in Europe, Asia, and North America. The provider may implement the service within a Platform as a Service environment in the U.S., which in turn utilizes databases at an Infrastructure as a Service provider in Ireland and sources computing power from a cloud marketplace like Spotcloud (a marketplace for cloud service providers to sell their unused cloud capacity). Cloud adopters will contract and interact with a German provider, assuming the strict German privacy restrictions apply, but in fact it is totally opaque where data is processed and stored. But the concept of cloud computing does not need to be cloudy at all. The clarification of a service's interrelations as part of the certification requirements can clarify complex provider cooperation and interaction.
Cloud service certifications can resolve adoption uncertainties and thereby support users and providers of cloud services in their adoption decisions. However, adherence to certification standards also entails challenges that need to be considered:
Considering the current situation on the cloud computing market, unresolved obstacles need to be addressed for effective development and diffusion of innovative cloud services. A standardized certification for cloud services aims to establish trust and improves acceptance of the cloud computing paradigm. Small, medium, and large cloud service providers as well as cloud users can benefit from the outcomes of established cloud service certifications. By achieving practice-oriented and market-relevant certificates for their cloud services, small and regionally oriented IT service providers can stand out in the marketplace and gain a broader customer base. Furthermore, mid-sized IT service providers can implement legally compliant, customer-specific requirements, which cannot be satisfied by usually highly standardized solutions of large service providers. By signaling valuable qualities like transparency of their services, legal compliance, reliable service levels, and a high level of security at their data centers, large providers can attract other cloud service providers to utilize their services instead of maintaining similar services in-house. By producing trustworthy cloud service certifications, cloud adopters are able to identify risks and benefits of individual cloud services and consider those in their adoption decisions.
Currently, organizations such as Cloud Security Alliance and EuroCloud are launching cloud certification programs for individuals, providers, or services. We emphasize the need for broadly accepted, established, and feasible cloud service certification solutions as well as trustworthy auditing institutions. Time will tell if certifications can mitigate challenges concerning transparency, trust, and acceptance and whether current providers can cope with the outlined challenges of a certification itself. We want to motivate researchers and practitioners to engage in topics concerning cloud service certifications. We believe introducing a certification for cloud services is one possible way to address the current gaps and issues in cloud computing, and that it is a step forward to a more trustworthy and transparent cloud computing environment.
4. European Commission, Cloud Computing: Public Consultation Report, European Commission, 2011; http://ec.europa.eu/information_society/activities/cloudcomputing/docs/ccconsultationfinalreport.pdf.
9. Sunyaev, A. and Chornyi, D. Supporting chronic disease care quality: Design and implementation of a health service and its integration with electronic health records. ACM Journal of Data and Information Quality 3, 2 (2012), 121.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2013 ACM, Inc.
No entries found