ACM

Communications of the ACM

Home/Magazine Archive/February 2013 (Vol. 56, No. 2)/Cloud Services Certification/Full Text

Viewpoint

Cloud Services Certification

By Ali Sunyaev, Stephan Schneider
Communications of the ACM, February 2013, Vol. 56 No. 2, Pages 33-36
10.1145/2408776.2408789
Comments

View as: Print Mobile App ACM Digital Library Full Text (PDF) In the Digital Edition Share:

Cloud Services Certification, illustration — Credit: Alicia Kubista / Andrij Borys Associates

Cloud computing is an evolving paradigm that affects a large part of the IT industry, in particular the way hardware and software are deployed: as a service.¹ Cloud computing provides new opportunities for IT service providers, such as the adoption of new business models and the realization of economies of scale by increasing efficiency of resource utilization. Adopters are supposed to benefit from advantages like up-to-date IT resources with a high degree of flexibility and low upfront capital investments.⁶

However, despite advantages of cloud computing, small and medium enterprises (SMEs) in particular remain cautious implementing cloud service solutions.⁴ This holds true for both IT service providers and IT service users. The main reasons for the reluctance of companies to adopt cloud computing include:

Due to the prevailing information asymmetry on the market, companies have difficulties comprehensively assessing the individual benefits and challenges associated with the adoption of cloud services. Furthermore, the information asymmetry impedes providers from aligning their services with the needs of potential customers.
Companies lack appropriate, qualified, trustworthy information and benchmarks to assess cloud services with regard to individual benefits and associated risks.
Companies lack approaches and metrics to adequately assess and compare the service quality of cloud services, especially, regarding security and reliability.
Industry-specific requirements and restrictions on IT usage and data processing limit the adoption of cloud services in sectors like health care or banking. Many of those requirements and restrictions are outdated and were issued long before broadband Internet connections and mobile devices became ubiquitous.
Noteworthy uncertainties concerning legal compliance and conformance with international privacy requirements can be observed. Providers are constantly faced with the challenge to design niche-oriented, demand-specific services in a legally compliant manner.

Reflecting these reasons for inhibiting cloud computing adoption, the environment surrounding cloud computing is characterized by uncertainty and a lack of transparency. Yet, trust is necessary in situations in which the interested party is confronted with uncertainty.⁷ Addressing the present trust issues in cloud computing and promoting transparent information exchange between cloud service providers and cloud users are essential premises to accomplish broad diffusion of cloud computing in the market.

Certification of Cloud Services

We believe certification of cloud services by independent certification institutions can cope with the challenging lack of transparency, trust, and acceptance. Research has shown that trust can be built through supporting IT-based mechanisms like certifications and escrows if experience in a market is not readily available.⁸ Furthermore, certifications help to establish market transparency, which companies may not be able to achieve on their own. Potential cloud adopters are faced with an abundance of service offerings of similar functionality. SMEs may not have sufficient resources to adequately assess cloud services, whereas large enterprises may have the resources, but still have to raise funds and undergo significant efforts in order to assess and benchmark cloud services. Ultimately, all companies, which are planning to adopt a cloud service, need to perform similar assessments. Thus, it is economically beneficial to dedicate these assessments to specialized organizations, which issue broadly accepted and standardized certifications.

A cloud service certification process should include on-site data center audits as well as extensive evaluation of contracts and services. In order to achieve such a certification, a cloud service should satisfy specific quality specifications including contractual requirements (for example, service level agreements), legal requirements (for example, privacy policy), security requirements (for example, encryption), functional requirements (for example, API implementations), business processes (for example, quality management), and data center infrastructure (for example, physical access control). Additional industry-specific requirements may apply (for example, in the domain of health care^3,9). In fact, models to assess perceived quality of service have been extensively researched and validated in practice.⁵ Assessments of service quality by a provider's customers or independent third parties can improve trust and acceptance of a service. This approach has successfully been applied in other service industries, for example, sale of goods, news media, or entertainment.²

Reflecting the aforementioned reasons for adoption uncertainty, a certification is particularly beneficial in the following scenarios:

Security and trust. The implementation of cloud computing creates additional challenges concerning IT security. Besides technical issues, customers need to trust in the security and reliability of a service in order to adopt it. In the case of online banking or online shopping, public key certificates issued by certificate authorities are a common way to verify a website's authenticity and promote customers' trust. Extended Validation Certificates do not differ in structure or cryptography from other (cheaper) certificates, but require extensive identity verification of the requesting organization. Thus, the online transaction itself is not more secure (according to its encryption), but the certification is presented more prominently to the user and the extended validation fosters the trustfulness of the website. In the context of cloud computing, a certification by an independent certification authority can improve trust the same way as in the domains of online banking and online shopping. In addition to the provider's identity, a cloud certificate could evaluate infrastructure security and IT security measures of the cloud service provider. We consider the certification of large infrastructure, platform, or software providers as important since these providers serve as hubs for enormous amounts of data. Therefore, security flaws or outages in the systems of these large providers affect a vast number of cloud users.

Certifications help to establish market transparency, which companies may not be able to achieve on their own.

Legal compliance and privacy. Current discussions on legal conflicts between the United States Patriot Act and the European Union (EU) Data Protection Directive (95/46/EC) intensify the need for legally compliant cloud services. Moreover, individual member states of the EU have implemented the 16-year-old EU data protection directive in very different manners. As a consequence, cloud service providers must deal thoroughly with 27 different policies in order to comply with all 27 EU member states' data protection laws. In addition, sector-specific regulations may apply (for example, the Health Insurance Portability and Accountability Act in the U.S.). Implementing a framework with clear guidelines for privacy and legal compliance of cloud services would support providers to design and implement compliant cloud solutions. Cloud service certifications verifying the adherence to such a legal and privacy framework can support users in their adoption decisions as they can rely on the ongoing legal compliance of certified cloud services. Likewise, specialized cloud service providers can benefit from cloud certifications when selecting platform or infrastructure providers to deploy their services, which need to adhere to the national or industry-specific requirements of their customers.

Digital preservation and lock-in effects. Digital preservation describes the management of digital information in order to keep it accessible, reproducible, and interpretable over long periods of time and different innovation cycles. Digital preservation does not only focus on preserving data, but also on preserving the representation information necessary to interpret the preserved data. For example, the representation information may be an application used to access and interpret the data or specifications of the data format. In cloud computing, hardware and software are delivered as a service and are not in possession of the user. Thus, neither data nor applications are physically accessible. Moreover, data formats in cloud services like Google Docs are opaque. Supporting digital preservation of cloud-based information and applications might be included in the certification requirements for cloud services. Another challenge for cloud service providers includes the prevention of lock-in effects. In order to acquire a certification, interfaces for digital preservation and data migration to other cloud service providers need to be provided.

We believe introducing a certification for cloud services is a step forward to a more trustworthy and transparent cloud computing environment.

Transparency. As a result of the late-2000s financial crisis, customers lost their confidence in the banking industry. Risky, complex, and non-transparent financial products, such as mortgage-backed securities or collateralized debt obligations, were placed on the capital market as supposedly secure investments. Applying this situation correspondingly on cloud services, users do not necessarily know which cloud services they are actually using and where data will be processed and stored. A Software as a Service provider in Germany may provide a cloud service, which integrates the capabilities of several cloud services in Europe, Asia, and North America. The provider may implement the service within a Platform as a Service environment in the U.S., which in turn utilizes databases at an Infrastructure as a Service provider in Ireland and sources computing power from a cloud marketplace like Spotcloud (a marketplace for cloud service providers to sell their unused cloud capacity). Cloud adopters will contract and interact with a German provider, assuming the strict German privacy restrictions apply, but in fact it is totally opaque where data is processed and stored. But the concept of cloud computing does not need to be cloudy at all. The clarification of a service's interrelations as part of the certification requirements can clarify complex provider cooperation and interaction.

Challenges for Cloud Certifications

Cloud service certifications can resolve adoption uncertainties and thereby support users and providers of cloud services in their adoption decisions. However, adherence to certification standards also entails challenges that need to be considered:

Particularly, small- and medium-sized cloud service providers may not have the budget to acquire a certification for their cloud services; therefore, they would have to struggle with a competitive disadvantage. A certification needs to be affordable, but nevertheless comprehensive in terms of on-site auditing and contractual evaluations.
The demands of maintaining certifications may preclude small cloud service providers from delivering services in a cost-effective manner, while large cloud service providers can continue to differentiate themselves by their ability to provide significant cost savings and a high level of resource elasticity to their customers. Thus, large cloud service providers can neglect undergoing audits of their physical facilities, services, and processes and accomplish a similar outcome to certification by solely relying on their reputation. In contrast, small cloud service providers may be urged to undergo certification audits in order to differentiate themselves on the market and thereby suffer a competitive disadvantage.
Certifications need to balance the tension between usefulness and complexity. A certification framework may slow down innovation if adherence to the framework is connected with very strict requirements. But innovative, pioneering services, and short innovation cycles are main benefits of the cloud computing paradigm. Therefore, a certification framework needs to be flexible and adaptable in order to cope with the fast innovation cycles of the IT industry. However, due to the wide diversity of cloud service offerings, designing a comprehensive and widely applicable certification framework includes the risk of devolving into a set of lowest common denominator standards, which in turn would undermine the desired outcomes of a certification.
Trustworthy certification institutions need to be appointed in order to ensure acceptance of the certification. Decision makers of cloud service providers and cloud adopters must trust the certification authority; otherwise, the credibility of certified cloud services would be undermined.
Existing cloud service certifications are valid for a predefined time-frame (usually two years) and only provide a snapshot of the situation before and during the time of the audit. Whether the certified criteria are met during the validity period cannot be ensured. By implementing automated certification processes for continuous monitoring and refreshment of the certification in addition to periodic on-site audits (for example, biennially), a constant level of service quality can be monitored and proved, which regular on-site audits cannot accomplish in an economic manner.

Conclusion

Considering the current situation on the cloud computing market, unresolved obstacles need to be addressed for effective development and diffusion of innovative cloud services. A standardized certification for cloud services aims to establish trust and improves acceptance of the cloud computing paradigm. Small, medium, and large cloud service providers as well as cloud users can benefit from the outcomes of established cloud service certifications. By achieving practice-oriented and market-relevant certificates for their cloud services, small and regionally oriented IT service providers can stand out in the marketplace and gain a broader customer base. Furthermore, mid-sized IT service providers can implement legally compliant, customer-specific requirements, which cannot be satisfied by usually highly standardized solutions of large service providers. By signaling valuable qualities like transparency of their services, legal compliance, reliable service levels, and a high level of security at their data centers, large providers can attract other cloud service providers to utilize their services instead of maintaining similar services in-house. By producing trustworthy cloud service certifications, cloud adopters are able to identify risks and benefits of individual cloud services and consider those in their adoption decisions.

Currently, organizations such as Cloud Security Alliance and EuroCloud are launching cloud certification programs for individuals, providers, or services. We emphasize the need for broadly accepted, established, and feasible cloud service certification solutions as well as trustworthy auditing institutions. Time will tell if certifications can mitigate challenges concerning transparency, trust, and acceptance and whether current providers can cope with the outlined challenges of a certification itself. We want to motivate researchers and practitioners to engage in topics concerning cloud service certifications. We believe introducing a certification for cloud services is one possible way to address the current gaps and issues in cloud computing, and that it is a step forward to a more trustworthy and transparent cloud computing environment.

References

1. Armbrust, M. et al. A view of cloud computing. Commun. ACM 53, 4 (Apr. 2010), 5058.

2. Dellarocas, C. The digitization of word of mouth: Promise and challenges of online feedback mechanisms. Management Science 10, (2003) 14071424.

3. Dünnebeil, S. et al. Determinants of physicians' technology acceptance for e-health in ambulatory care. International Journal of Medical Informatics, 2012; DOI:10.1016/j.ijmedinf.2012.02.002.

4. European Commission, Cloud Computing: Public Consultation Report, European Commission, 2011; http://ec.europa.eu/information_society/activities/cloudcomputing/docs/ccconsultationfinalreport.pdf.

5. Fassnacht, M. and Koese, I. Quality of electronic services. Journal of Service Research 9, 1 (2006), 1937.

6. Marston, S. et al. Cloud computingThe business perspective. Decision Support Systems 51, 1 (2011), 176189.

7. Mayer, R.C., Davis, J.H., and Schoorman, F.D. An integrative model of organizational trust. Academy of Management Review 20, 3 (1995), 709734.

8. Pavlou, P. and Gefen, D. Building effective online marketplaces with institution-based trust. Information Systems Research 15, 1 (2004), 3759.

9. Sunyaev, A. and Chornyi, D. Supporting chronic disease care quality: Design and implementation of a health service and its integration with electronic health records. ACM Journal of Data and Information Quality 3, 2 (2012), 121.

Authors

Ali Sunyaev ([email protected]) is an assistant professor in the Department of Management, Economics, and Social Sciences at the University of Cologne in Germany.

Stephan Schneider ([email protected]) is a doctoral researcher in the Department of Information Systems and Systems Development at the University of Cologne.

No entries found