[computer communications and networks] continued rise of the cloud || patterns of trust: role of...

14
Chapter 6 Patterns of Trust: Role of Certification for SME Cloud Adoption Alea M. Fairchild Abstract Growth of cloud computing as a concept continues to pose challenges on how to deliver agile, yet secure, information technology (IT) services to enter- prises. While the hype surrounding cloud computing may have peaked, the concept of “cloudwashing” (adding the term “cloud” to an existing service for marketing rea- sons) continues to cause confusion and inflated expectations with enterprise buyers. This fear, uncertainty, and doubt (FUD) just slows down the growth of a potentially larger market. This is especially true for small and medium sized enterprises (SMEs) who turn to IT providers to handle the underlying systems for their businesses. To assist cloud service buyers, a recent communication from the European Commis- sion advocated voluntary certification for cloud service providers (CSPs). This has sparked a debate as to the relevance and authority of certification bodies in verifying the ability and capability of CSPs. In this research, we are developing an exploratory model looking at signaling quality, the independence of certifying authorities, and the impact of regulatory backing for trust of certification bodies, based on the existing academic literature on standards of adoption and trust. We are examining what role the third-party certifiers can play in adoption of cloud by SMEs, exploring the roles of certifiers in Europe already involved in market adoption to test our framework, together with four established cases of service providers seeking certification. Keywords Adoption · Certification · Cloud governance · Information economics · SME · Trust 6.1 Introduction Buyya et al. [1] defines cloud as: “... a type of parallel and distributed system consisting of a collection of interconnected and virtualised computers that are dynam- ically provisioned and presented as one or more unified computing resources based on service-level agreements established through negotiation between the service provider and consumers.” A. M. Fairchild () Hogeschool Universiteit Brussel, Warmoesberg 26, 1000 Brussels, Belgium e-mail: [email protected] 145 Z. Mahmood (ed.), Continued Rise of the Cloud, Computer Communications and Networks, DOI 10.1007/978-1-4471-6452-4_6, © Springer-Verlag London 2014

Upload: zaigham

Post on 24-Feb-2017

213 views

Category:

Documents


1 download

TRANSCRIPT

Chapter 6Patterns of Trust: Role of Certification for SMECloud Adoption

Alea M. Fairchild

Abstract Growth of cloud computing as a concept continues to pose challengeson how to deliver agile, yet secure, information technology (IT) services to enter-prises. While the hype surrounding cloud computing may have peaked, the conceptof “cloudwashing” (adding the term “cloud” to an existing service for marketing rea-sons) continues to cause confusion and inflated expectations with enterprise buyers.This fear, uncertainty, and doubt (FUD) just slows down the growth of a potentiallylarger market. This is especially true for small and medium sized enterprises (SMEs)who turn to IT providers to handle the underlying systems for their businesses. Toassist cloud service buyers, a recent communication from the European Commis-sion advocated voluntary certification for cloud service providers (CSPs). This hassparked a debate as to the relevance and authority of certification bodies in verifyingthe ability and capability of CSPs. In this research, we are developing an exploratorymodel looking at signaling quality, the independence of certifying authorities, andthe impact of regulatory backing for trust of certification bodies, based on the existingacademic literature on standards of adoption and trust. We are examining what rolethe third-party certifiers can play in adoption of cloud by SMEs, exploring the rolesof certifiers in Europe already involved in market adoption to test our framework,together with four established cases of service providers seeking certification.

Keywords Adoption · Certification · Cloud governance · Information economics ·SME · Trust

6.1 Introduction

Buyya et al. [1] defines cloud as: “. . . a type of parallel and distributed systemconsisting of a collection of interconnected and virtualised computers that are dynam-ically provisioned and presented as one or more unified computing resources basedon service-level agreements established through negotiation between the serviceprovider and consumers.”

A. M. Fairchild (�)Hogeschool Universiteit Brussel, Warmoesberg 26, 1000 Brussels, Belgiume-mail: [email protected]

145Z. Mahmood (ed.), Continued Rise of the Cloud, Computer Communicationsand Networks, DOI 10.1007/978-1-4471-6452-4_6,© Springer-Verlag London 2014

146 A. M. Fairchild

This definition shows a computing resource as a service being provided; there isan agreement for said service; and the fact that this service is negotiated betweenparties. The forms of service that cloud computing provides today may be brokendown into managed services, software as a service (SaaS), utility computing, andplatform as a service (PaaS). The ideas behind these forms of service are not new, butthe fact that the users can tap into these services from web browsers via the Internetmakes them “cloud” services [2].

Cloud-based software is often easier to use, quicker to install and implement, andprovides far greater flexibility than on-premise solutions that need to be installed andmaintained, especially for SMEs without resources for a dedicated IT staff. Cloud-based software can also help small businesses lower costs, often by a significantamount. A recent survey by market research firm IDC found that almost every SMEthat uses cloud services saves money, with many lowering costs between 10 and 20 %.Despite these benefits, the path to the cloud has been bumpy, particularly in Europe,and due to a convoluted web of privacy laws and other governmental regulations, aswell as concerns about data security, analysts estimate that business cloud adoptionin Europe lags behind the USA by about 2 years [3]. Cloud provides a big opportunityfor Europe, and openness is the key attributed to provide opportunity for SMEs, witha concern that lock-in and barriers to entry could block that opportunity.

As part of their Europe 2020 strategy on cloud computing, the European Com-mission’s recently released strategy to boost adoption of cloud computing servicesthroughout Europe had a statement was that “cloud certification should be volun-tary and industry driven, building on current and emerging international standardsto foster global compatibility of cloud computing offerings” [4].

But is certification good for making and growing a marketplace? What is the roleof certifiers in making a market, and how are they regulated? Auriol and Schilizzi[5] show us that there is a problem signaling the quality of goods and services whenquality is never observable to consumers. Certification acts to transform unobserv-able credence attributes into observable search attributes. They then studied the costof certification systems on market structure and performance in agricultural seedproduction. Given we are discussing an intangible deliverable, since this is a service,that is not available in bulk, we will take a slightly different approach.

The central research question is “What are the benefits of cloud servicecertification for building trust and establishing market growth for SME customers?”

Our research objectives are the following:

• Define the role of the certifier in creating trust and establishing credibility• Examine the impact of certification on market development• Explore how best to regulate the certification process to protect user benefits, if

needed

For our methodology, in this chapter, we will explore the role of the certifier byexamining complementary markets where certification is active to see how trust hasbeen created as well as the impact over time on market growth; and by examining theactivities of one particular early market entrant in certification to see how stakeholderdynamics work between them, their customers, and the government bodies in the

6 Patterns of Trust: Role of Certification for SME Cloud Adoption 147

Third Party Cer fying Body

Value for CSPs: • Verifica on • Audit document • Marke ng

Value for SMEs: • Signal of quality • Independent

view • Infomediary

Model of Third Party Cer fiers for CSPs and SMEs

Fig. 6.1 Role of the third-party certifying bodies—our model

countries where they are present. Using a case study in this research is motivated byseeing examples in the field to test and extend theory. Figure 6.1 visually demonstratesthe role of the third-party certifier we are examining.

Our model examines the role of the third-party certifying body as an intermediarythat is providing value to both the CSPs and the SMEs in their activities. As shownby the “not equal” sign, the definition of that intermediation role does not includeoversight by one or more governmental bodies at this time, however, this is oneelement that would potentially change the balance between the parties if it becamemandatory.

6.2 Adoption Issues for SMEs: Cultural, Economic,and Organizational

To start, we need to examine why a certifier would be needed for adoption, particularlyfor the SME. What sets this target group apart from larger enterprises? How woulda certifier play a role in influencing this group of companies?

Cloud computing can be seen as an emerging computing service paradigm. And,like other services of this scale, complexity, and novelty, there are fears, uncertainties,and concerns about the technology’s maturity. However, the most important can belisted as those relating to control, vendor lock-in, performance, latency, security,privacy, and reliability [6].

In Europe, SMEs are considered organizations of great importance, which is a fairassessment as they represent more than 95 % of the business sector of the developed

148 A. M. Fairchild

economies [7] and which, due to reduced resources and difficult access to IT, areideal candidates for adopting cloud computing.

In terms of computing resources, an SME can by using cloud leverage a lowercapital expenditure (CAPEX) and have less physical requirements of on-premiseequipment. Cost benefits are derived from an efficient utilization of IT resources andincreased flexibility, i.e., the possibility to request and use resources only when theyare actually needed.

The European Network and Information Security (ENISA) conducted a surveyin 2009 to determine the actual needs, requirements, and expectations of SMEsfor cloud computing services. This survey found that 68 % of the SME responsesit received indicated that avoiding capital expenditure in hardware, software, ITsupport, and information security was behind their possible engagement in cloudcomputing while almost 64 % of the responses also indicated that flexibility andscalability of IT sources was the reason [8].

The ENISA survey showed that 29 out of 62 SME responses saw “loss of controlof services and/or data” as being “very important” [8]. Issues relating to performanceand latency (evidenced by the temporary run-outs of capacity by some providers)are also problematic [6].

Research conducted by Easynet Connect has shown that UK SMEs are increas-ingly eager to adopt cloud computing, with 47 % planning to do so within the next5 years. Of those companies which indicated their preparedness to move to cloudcomputing, 35 % of them cited cost savings as the key driver [9].

6.2.1 Role of SME in Technology Adoption

The results shown below can be found in the ENISA report: “Cloud computingRisk Assessment: Benefits, risks and recommendations for information security(Table 6.1).

Most of the reasons shown above are business continuance and capital expendi-ture rationale. For an SME, given a limited budget and constrained resources, theeconomic rationale and benefits gained might even be of a higher priority, but therisk compared to a multinational enterprise (MNE) might also be perceived as higherwith more to lose.

Cloud adoption for innovation of business processes was not highlighted in thisENISA study. Is there a culture in SME as early adopters or not? Thang and Yap[10] point out that the chief executive officer (CEO) often has a significant role inthe adoption of IT by SMEs. An SME that is likely to adopt IT will most often havea CEO who has a positive attitude toward IT adoption, who is innovative and who isknowledgeable about IT.

Mehrtens et al. [11] show in their research three forms of SME organizationalreadiness as highly relevant to the adoption of the Internet: (a) the level of ITknowledge among IT professionals; (b) the level of IT knowledge among non-ITprofessionals; and (c) the level of IT use within the organization.

6 Patterns of Trust: Role of Certification for SME Cloud Adoption 149

Table 6.1 Reasons for adoption of Cloud [8]

What are the reasons behind your possible engagement in the Cloud Computing area?

Answer options Response percent (%) Response count

Remove economic/expertise barriers impeding tomodernize business processes by the introduction ofInformation Technology

30.6 22

Avoiding capital expenditure in hardware, software, ITsupport, Information Security by outsourcinginfrastructure/platforms/services

68.1 49

Flexibility and scalability of IT resources 63.9 46Increasing computing capacity and business performance 36.1 26Diversification of IT systems 11.1 8Local and global optimisation of IT infrastructure

through automated management of virtual machines25.0 18

Business continuity and disaster recover/capabilities 52.8 38Assessing the feasibility and profitability of new sen/ices

(i.e. by developing business cases into the cloud)29.2 21

Adding redundancy to increase availability and resilience 27.8 20Controlling marginal profit and marginal costs 15.3 11Other (please specify) 13.9 10Answered questions 72

This research leads us back to the early comment of economic constraints forSME cloud adoption. Is the lack of IT personnel in a traditional SME one factor forcloud adoption?

The work of Sultan [6] examined the economic viability and efficiency of cloudcomputing for SMEs and its benefits. Sultan [6] tried to explain how cloud servicesdiffered from anything experienced so far by those businesses in terms of flexibility,availability, and cost structure. Furthermore, they examined the findings of somesurveys which not only reveal the preparedness of many SMEs to use cloud comput-ing and showed that many of those businesses are already using some of the cloudservices on offer. This study concentrated mainly on the merit of “public” cloudservices (where services are provided by “remote” suppliers who take responsibilityfor delivering those services to their clients), and not “private” and “hybrid” cloudoffering. In working with public cloud providers such as Amazon and Rackspace,SMEs can take advantage of economies of scale that large cloud providers are ableto offer, and leverage the potential of an outsourcing partner with industry exper-tise. However many SME enterprises with limited in-house IT support and limitedknowledge about cloud technologies find it difficult to make the choice on private vs.public cloud. In examining organizational issues for adoption, one question to ask:Does size matter to a CSP? Several CSPs have developed specific packages gearedtoward SME needs.

Keung and Kwok [12] have recently developed a cloud deployment model as-sessment method called Cloud Deployment Selection Model (CDSM). The modelhas been validated in real case studies, and recommendations derived have beencompared with real adoption cases. Based on the factors identified from many SMEorganizations, it could be an important tool for SMEs to decide between private or

150 A. M. Fairchild

Table 6.2 Processes that could be outsourced—n = 72 [8]

Which IT services/applications supporting business processes are most likely to be outsourced toa cloud computing service provider?

Answer options Response percent (%) Response count

Payroll 38.9 28Human resources 19.4 14Procurements 16.7 12CRM/sales management 52.8 38Accounting and finance 30.6 22Project management 41.7 30Application development on the cloud 44.4 32Anonymised data analysis 29.2 21Other (please specify) 12.5 9Answered questions 72

public cloud solutions. Marston et al. [13] state that for SMEs, the prices and theterms and conditions (SLAs) are far better with a cloud provider than the SME couldrealize themselves with their moderate investment levels.

Another issue within the SME is expertise within horizontal applications outsideof the core expertise of the business. Knowledge of the latest human resources (HR)and payroll applications may be outside of the employees of the business, therefore,the wish to outsource these applications to someone more knowledgeable may bea driver to external parties. Below, Table 6.2 highlights what processes companieswant to be outsourced from the ENISA study on cloud adoption.

Given some of the economic and organizational drivers for SME cloud adoption,we then examine what role a third-party certifier might play in helping reduce therisk of CSP selection for the SME.

6.2.2 Role of Third-Party Certifiers

Fundamental concepts from information economics can provide a framework forexamining the role of the third-party certifiers who are “external institutions thatassess, evaluate, and certify quality claims” [14]. Five important concepts that wecan use for this framework from an information economics perspective are:

• Uncertainty• Information asymmetries• Opportunistic behavior• Divergences between private and social returns• Signaling institutions

For the framework of our evaluation of the role of certifiers, we started with Spence’s[15] article on Job Market Signaling, which provides an approach for thinking aboutcountervailing institutions (institutions that emerge to address problems that arisefrom uncertainty and asymmetric information). Given uncertainty in the market some

6 Patterns of Trust: Role of Certification for SME Cloud Adoption 151

individuals or institutions may attempt to signal differences to prospective buyers oremployers. Differentiation is critical to position a firm amongst its competitors.

We then looked at Tanner’s [16] argument that third-party certifiers’ key asset istheir perceived independence. If third-party certifiers are truly independent, than thecosts of obtaining third-party certification (for a quality attribute) will be inverselyrelated to the quality of a firm and/or its product. If this were not the case, third-partycertification would not allow for discrimination on the basis of quality. Masters andSanoga [17] raise an additional point in that they argue that the emergence of third-party certifiers depends, in part, on the presence of a national standards authority. Ina sense they provide a basis for certifying the certifiers.

We also have included other industry-specific certifications and quality seals inour evaluation of the role of certification and their role in trust with SMEs. The firstexample is ISO/IEC 27001, initially published in 2005, designed for informationsecurity management and assists firms in developing an independently assessed andcertified information security management system. This standard allows SMEs toprotect their reputation, as well as compete with bigger brands. We also exploredSAS70 II certification, which is developed by the American Institute of CertifiedPublic Accountants (AICPA) and used for audit control for activities and processesin services in ICT in the dedicated server and co-location hosting market. We alsoincluded in our analysis Eurocloud’s Datacentre Star Audit (DCSA), which is a moreniche seal of approval for data centers throughout Europe.

In examining existing related theory, we utilise Habib et al. [18] on trust andreputation in cloud environments. In online service environments, trust and reputationmodels have been proven useful in decision making [19]. We have also includedresearch from Prezas [20] on trust and ISO/IEC 27001 certification.

Using a framework developed on these information economics concepts and in-formation from other certification and quality seal market efforts, we will thereforebe examining the dynamics of market adoption based on:

• Signaling quality in cloud service provisioning• Independence of certification bodies in impacting market adoption• Regulatory backing for trust of certification bodies

After structuring this framework, we will then examine the Cloud Industry Forumas an example of a certifying organization and how their offerings match with theframework as to impact of market growth and adoption.

6.3 Structuring the Framework on Trust and Adoption

As discussed above, we developed a framework to assess the role of the third-partycertifier on trust and adoption for the SME.What did we synthesize from our literatureresearch? Examples of relevant findings from Table 6.3 include:

152 A. M. Fairchild

Table 6.3 Synthesis of findings from literature

Topic Findings

Signaling quality in cloud serviceprovisioning

Fomin et al. [21] argue that the benefits of ISO 9001certification have gradually shifted from earlier timeswhen its certification was used as a signal to markets[22] to one where firms can actually gain direct benefitsfrom the effective use of the quality managementsystem itself. But opinion is mixed as to whether aformal accreditation process would actually providelarge organizations in particular with the assurancerequired to participate seriously in the cloud world [23]

Independence of certification bodiesin impacting market adoption

Tanner’s [16] argument that third-party certifiers’ key assetis their perceived independence. Masters and Sanoga[17] argue that the emergence of third-party certifiersdepends, in part, on the presence of a national standardsauthority

Regulatory backing for trust ofcertification bodies

Empirical research has shown that communication aboutnorms in cases of self-regulation is difficult, for bothparties [24]. Backhouse et al. [25] suggest that in somecases for ISO/IEC27001, in the countries with thelargest number of certificates for ISO/IEC 27001 thecertification process is driven by either governmentregulation, as in Japan or supplier/buyer demands or thenecessity of outsourcing and offshoring in markets suchas Taiwan, Singapore and India

• A shift from earlier times when its certification was used as a signal to marketsto one where firms can actually gain direct benefits from the effective use of thequality management system itself.

• In the countries with high participation in certification, the certification process isdriven either by government regulation, supplier/buyer demands, or the necessityof outsourcing and offshoring the activity.

An additional point is benefits creation. Saint-Germain [26] argues that an importantdriver for ISMS certification is demonstrating to partners that the company has identi-fied and measured their security risks and implemented a security policy and controlsthat will mitigate these risks In addition, international invitations to tender are be-ginning to require that organizations be compliant with certain security standards,and security audit demands from financial institutions and insurance companies areincreasing. A further incentive is lower insurance premiums for ISO 27001 certifiedcompanies [27]. It has been seen that governments and other regulatory agencies aremoving away from this labor intensive command and control approach of govern-mental certification and experimenting with various forms of self-regulation. Partof this self-regulation is adding benefits for the certification process to maintaincompliance.

The next step to our research was to identify the rationale for CSPs to join acertification scheme. Do these kinds of schemes help make a market develop fasterand/or more efficiently?

6 Patterns of Trust: Role of Certification for SME Cloud Adoption 153

6.4 Cloud Service Providers Use Cases of Certificationfrom the Cloud Industry Forum

The Cloud Industry Forum (CIF) is a non-profit organization based in the UK andwas developed to assist in advocating cloud adoption. The CIF has been establishingresearch in cloud adoption, in order to create commonality in language and standards.They claim that they are trying to enable innovation in the marketplace, not restrictit [28].

The CIF has developed a code of practice that aims to provide transparencyamongst CSPs, to assist the cloud service users (CSUs) in determining the core in-formation necessary for decisions on adoption of cloud services, and to incorporatecurrent standards and frameworks (e.g., ISO 9001, ISO 14001, and ITIL®) requir-ing provision of organizational, commercial and operational information which areindependently reviewed. The CIF proposes an annual self-certification process forthe CSPs, which would be an online submission based on off-line review [28].

The three pillars that provide the scope and framework for their certification areas follows:

• Transparency: Of the organization, its structure, location, key people, andservices. This has to be reflected on your website.

• Capability: The processes and procedures in operation to support the delivery ofservices and customer experience.

• Accountability: Commitment of senior executive to the Code of Practice andbehavior with customers.

If successful, this would lead to an approval to use certification mark and listed onthe CIF site as a self-certified vendor.

For our research, we have randomly selected three CSP participants from theCIF certification program and looked at the framework criteria with the exception ofregulatory backing. Using only three CSPs obviously is not reflective of the entiremarketplace, but as all three have already joined a certification scheme, it gaveus a good basis for CSP experience in this area. The rationale for the exclusion ofregulatory backing was that as all three members had already joined CIF, who does nothave regulatory backing, we held with Tanner’s research [16] that the independenceof the certification body was one of the features that drew these CSP firms to join,given their comments. We would have to survey other CSP firms that did not join tosee if the independence was a factor in their not becoming certified by the CIF.

The three CSP firms selected for this study are the following:

• ChannelCloud: This CSP was established 10 years ago in the USA, launched inthe UK and Ireland in January 2011. The goals of this CSP is to build a federationof ChannelCloud partners across the UK and Ireland toward its vision for a new,truly comprehensive method of delivering IT services to clients.

• Unit4: UNIT4 has been at the forefront of cloud computing for many years. Thecompany’s newest offering, Shared Journey, is a cloud-based deployment optiondesigned for organizations looking to set up a shared services operation that is

154 A. M. Fairchild

quick to establish, easy to grow and responsive to change, which can be seen asideal for SMEs.

• Webroot: Founded in 1997, the company provides best-of-breed security so-lutions that protect personal information and corporate assets from online andinternal threats. Based in Broomfield, CO in the USA, the company is privatelyheld and backed by some of the industry’s leading venture capital firms, includingTechnology Crossover Ventures, Accel Partners, and Mayfield. The company wasalso one of the founding members of CIF.

Each of these three CSPs provided materials on their rationale for joining the CIFand some background on how much work the CIF audit was for them to do prior totheir acceptance into the CIF. The management quotes in Table 6.4 came from thefollowing sources, with the materials provided from the CIF:

• ChannelCloud: Paul Byrne, CEO, ChannelCloud UK/Ireland• Unit4: Anwen Robinson, MD of UNIT4 Business Software Ltd.• Webroot: George Anderson, EMEA Product Marketing at Webroot

6.5 Continuance of the Research

There are several options for continuing this research. One is to test if the enhancedquality of service that the certification audit requires benefits the SME in terms oftrust and reliability. Other activities around this research could be to interview SMEfirms who work with these CSP firms to see if the certification was a factor in theselection of the cloud service. The challenge with this is two-fold: these schemesare reasonably new and the SME may not have seen enough service to verify howcertification helped the process, and there may not yet be enough SMEs willing toparticipate in this kind of research to give us a good sample of the marketplace.

The concept of regulation of certification also needs to be addressed. As an ini-tial part of this research, we interviewed lobbyists in Brussels on certification andgovernmental backing. The consensus from these interviews is that it could benefitcertification, but that most European Union (EU) governments would not be willingto make the investment at this time as the governments feel this regulatory effortwould slow down the pace of market development for cloud.

6.6 Conclusion

In this research, our goals were to explore the role of the third-party certificationon adoption of cloud computing by SMEs. The literature base was established byexamining other markets where certification has been used to see how trust has beencreated. We did not get enough empirical data on the impact of certification on othermarkets on growth over time and certification as a direct impact factor to marketgrowth has not appeared in the literature we have examined in this regard.

6 Patterns of Trust: Role of Certification for SME Cloud Adoption 155

Tabl

e6.

4Q

uote

sfr

omC

SPm

anag

emen

ton

bene

fits

ofce

rtifi

catio

n

Cha

nnel

Clo

udU

nit4

Web

root

Sign

alin

gqu

ality

incl

oud

serv

ice

prov

isio

ning

Cru

cial

for

usw

asth

ene

edto

esta

blis

hcr

edib

ility

inth

em

arke

tand

that

isw

hyw

eal

igne

dou

rsel

ves

with

the

Clo

udIn

dust

ryFo

rum

(CIF

)co

deof

prac

tice.

The

reis

nodo

ubtt

hatg

aini

ngC

IFce

rtifi

catio

nha

sen

hanc

edou

rpo

sitio

nin

the

mar

ket.

Itha

sgi

ven

usgr

eat

cred

ibili

tyw

ithou

rcl

ient

san

dpr

ospe

cts

alik

e.Fu

rthe

rmor

e,it

forc

edus

toco

nsid

erw

here

we

mig

htha

vega

psin

our

docu

men

tatio

nan

dbu

sine

sspr

oces

ses

CIF

mem

bers

hip

prov

ides

usw

ithad

ditio

nalm

arke

tcre

dibi

lity

The

code

ofpr

actic

ean

dth

ece

rtifi

catio

npr

oces

sen

able

spr

ofes

sion

alcl

oud

serv

ice

prov

ider

ssu

chas

ours

elve

s,to

dem

onst

rate

with

clar

ityth

eir

ethi

cs,

prac

tices

and

proc

esse

sth

roug

han

inde

pend

ently

reco

gniz

edan

dcr

edib

lebo

dyin

orde

rto

build

trus

tby

asso

ciat

ion

with

pros

pect

ive

cust

omer

s

Inde

pend

ence

ofce

rtifi

catio

nbo

dies

inim

pact

ing

mar

ket

adop

tion

We

shar

ea

view

that

we

have

inco

mm

onw

ithth

eC

IF,o

neba

sed

onbu

ildin

gtr

ust

and

tran

spar

ency

thro

ugho

utth

em

arke

t

By

adop

ting

ase

tof

cert

ifiab

lecr

iteri

a,th

ecl

oud

serv

ice

prov

ider

enab

les

the

end

user

toha

vea

tran

spar

entv

iew

ofth

eve

ndor

’sbu

sine

ssan

dth

ety

peof

serv

ices

and

serv

ice

leve

lsth

eyca

nex

pect

from

them

Ven

dors

veri

fied

byth

eC

IFar

ere

spon

sibl

efo

rad

heri

ngto

the

CIF

code

ofco

nduc

tco

veri

ngfo

llow

ing

appr

opri

ate

and

secu

reda

tapr

oces

sing

proc

esse

s,en

suri

ngro

bust

and

qual

itycl

oud

serv

ice

deliv

ery

and

bein

gac

coun

tabl

eto

cust

omer

sfo

rqu

ality

ofse

rvic

ean

dsu

ppor

tA

dditi

onal

poin

t:B

enefi

tscr

eatio

nT

heC

IFha

she

lped

Cha

nnel

Clo

udU

K/I

rela

nddi

ffer

entia

teits

elf

from

thos

ela

ckin

gth

ere

sour

ces

and

capa

bilit

yto

deliv

era

secu

rean

dro

bust

clou

dou

tcom

efo

rth

ebu

sine

ssus

er

CIF

requ

ires

itsm

embe

rsto

dem

onst

rate

ethi

cala

ndtr

ansp

aren

tde

liver

yof

host

edan

dcl

oud

serv

ices

The

CIF

has

help

edW

ebro

otdi

ffer

entia

teits

elf

from

thos

ela

ckin

gth

ere

sour

ces

and

capa

bilit

yto

deliv

era

secu

rean

dro

bust

clou

dou

tcom

efo

rth

ebu

sine

ssus

er.T

heC

IFis

aidi

ngbu

sine

ss’

confi

denc

ein

usin

gcl

oud

appl

icat

ions

thro

ugh

educ

atio

nale

ndor

sem

ents

and

will

ensu

reth

ese

orga

niza

tions

have

the

best

chan

ceto

max

imiz

ebe

nefit

and

redu

ceri

skin

thei

rse

lect

ion

156 A. M. Fairchild

Tabl

e6.

4(c

ontin

ued)

Cha

nnel

Clo

udU

nit4

Web

root

Eas

eof

audi

tact

ivity

We

took

this

asan

oppo

rtun

ityto

tear

upou

rexi

stin

gle

gala

ndre

-dra

ftin

line

with

the

code

ofpr

actic

e.T

his

was

the

mai

nre

ason

behi

ndth

etim

ein

vest

men

twe

had

tom

ake.

And

inco

mm

onw

ithot

her

orga

niza

tions

that

have

been

thro

ugh

this

proc

ess,

we

did

have

tocr

eate

anu

mbe

rof

new

proc

esse

s,sy

stem

san

ddo

cum

ents

asit

forc

edus

tolo

okat

gaps

inou

rex

istin

gbu

sine

ssop

erat

ions

Itto

okou

rau

ditt

eam

only

3w

eeks

tode

liver

the

nece

ssar

ydo

cum

enta

tion

for

the

accr

edita

tion

proc

ess.

Furt

herm

ore,

we

did

not

need

ate

amof

tech

nica

lexp

erts

todo

it.Fr

oma

man

agem

ent

pers

pect

ive,

this

was

criti

calt

oco

mpl

ete

the

CIF

cert

ifica

tion

Whe

nw

est

arte

dth

ece

rtifi

catio

npr

oces

s,th

ede

man

dsof

exte

rnal

crite

ria

real

lysh

arpe

ned

our

view

ofou

rne

eds.

We

foun

da

few

“gap

s”in

the

info

rmat

ion

we

need

edto

supp

ly,w

hich

noto

nly

prov

ided

ake

yin

cent

ive

tocr

eate

new

mat

eria

lsbu

tals

obr

ough

thom

eth

ere

ality

ofw

hatw

eha

dan

dou

rpe

rcep

tion

6 Patterns of Trust: Role of Certification for SME Cloud Adoption 157

We utilized the case of one particular early market entrant in cloud certification tosee how stakeholder dynamics work between them, their customers, and the govern-ment bodies in the countries where they are present. What we found was anecdotalevidence that the benefits to the CSP of certification lay more in the restructur-ing of their offer to achieve certification than to the SME than in the awareness ofcertification by the potential client.

In terms of the relations with the governmental bodies, in the jurisdictions wherethe certifier is located, there is no governmental backing of these schemes; thereforewe were not able to see a dynamic in that relationship. The UK government hasspecifically stated that it is not interested in a regulator role in a debate with the CIFin November 2012 [30].

The success of cloud certification schemes toward SMEs can be seen as morelongitudinal research. SMEs across geographies and industries are making majorchanges to their business models to be able to compete with larger firms by utilizingcloud services to improve operations and become more efficient. The adoption ofcloud by SMEs initially have been driven by internal user demand [29] and horizontalapplication development (e.g., Dropbox and cloud e-mail), where a trusted partnerdoes add a value component to the implementation.

Acknowledgments We would like to thank the Cloud Industry Forum and Andy Burton for theirassistance in this research.

References

1. Buyya R,Yeo CS,Venugopal S (Sept 2008) Market-oriented cloud computing: vision, hype, andreality for delivering it services as computing utilities. In: HPCC ’08 Proceedings of the 200810th IEEE International Conference on High Performance Computing and Communications.IEEE Computer Society, Washington, DC, pp 5–13

2. Kim W (2009) Cloud computing: today and tomorrow. J Object Technol 8(1):65–723. Guardian Professional (n. d.) Security, performance, fear or confusion: what’s holding

back cloud adoption? http://www.guardian.co.uk/media-network/media-network-blog/2012/apr/11/cloud-computing-adoption?INTCMP=SRCH. Accessed 8 Dec 2012

4. European Commission (2012) Steering board of the European cloud partnership.http://ec.europa.eu/digital-agenda/en/news/steering-board-public-statement. Accessed 8 Dec2012

5. Auriol E, Schilizzi SG (2003) Quality signaling through certification. Theory and an applicationto agricultural seed market. IDEI Working Paper, p 165

6. Sultan NA (June 2011) Reaching for the “cloud”: how SMEscan manage. Int J Info Manage31(3):272–278

7. OECD (2010) Information technology outlook 2010 highlights. OECD publications.http://www.oecd.org/dataoecd/60/21/46444955.pdf. Accessed 10 Sept 2013

8. ENISA (2009) An SME perspective on cloud computing. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey/?searchterm=survey. Accessed 10 Sept2013

9. Stening C (2009) Every cloud has a silver lining. Easynetconnect. http://www.easynetconn-ect.net/easynet-news/2009/01/every-cloud-has-a-silver-lining-chris-stening-easynet-connect/.Accessed 23 Aug 2013

158 A. M. Fairchild

10. Thong JYL,Yap CS (1995) CEO characteristics, organizational characteristics and informationtechnology adoption in small businesses. Omega 23(4):429–442

11. Mehrtens J, Cragg PB, Mills AM (20 Dec 2001) A model of Internet adoption by SMEs. InfoManage 39(3):165–176

12. Keung J, Kwok F (2012) Cloud deployment model selection assessment for SMEs: renting orbuying a cloud. Utility and Cloud Computing (UCC), 2012 IEEE Fifth International Conferenceon, p 21, 28, 5–8 Nov 2012

13. Marston S, Li Z, Bandyopadhyay S, Zhang J, Ghalsasi A (April 2011) Cloud computing—thebusiness perspective. Decis Support Syst 51(1):176–189

14. Deaton BJ (Dec 2004) A theoretical framework for examining the role of third-party certifiers.Food Control 15(8):615–619

15. Spence AM (1973) Job market signaling. Quart J Econ 87(3):355–37416. Tanner B (2000) Independent assessment by third-party certification bodies. Food Control

11:415–41717. Masters WA, Sanogo D (2002) Welfare gains from quality certification. Amer J Agr Econ

84(4):974–98918. Habib SM, Ries S, Muhlhauser M (October 2010). Cloud computing landscape and research

challenges regarding trustand reputation. In: Proceedings of the 2010 Symposia and workshopson Ubiquitous, autonomic and trusted computing. IEEE Computer Society, pp 410–415

19. Jøsang A, Ismail R, Boyd C (2007) A survey of trustand reputation systems for online serviceprovision. Decis Support Syst 43(2):618–644

20. Prezas N (2008) Advent of ISO/IEC 27001 certification and its role. In: Initial inter-organizational trust. iSChannel [Journal of the Information Systems and InnovationGroup, Department of Management, The London School of Economics]. 3(1):37–50.http://www.lse.ac.uk/management/documents/iSChannel-Volume-3.pdf#page=37. Accessed2 Feb 2014

21. Fomin VV et al (2008) ISO/IEC 27001 information systems security management standard:exploring the reasons for low adoption. EUROMOT 2008 Conference, Nice, France

22. Rodríguez-Escobar JA, Gonzalez-Benito J, Martínez-Lorente AR (2006) An analysis of thedegree of small companies’ dissatisfaction with ISO 9000 certification. Total Qual ManageBus Excell 17(4):507–521

23. Everett C (June 2009) Cloud computing—a question of trust. Comput Fraud Secur 2009(6):5–724. Burgemeestre B, Hulstijn J, Tan YH (2010) Value-based argumentation for justifying compli-

ance. In: Deontic Logic in Computer Science. Springer, Berlin, pp 214–22825. Backhouse J, Hsu CW, Silva L (2006) Circuits of power in creating de jure standards: Shaping an

international information systems security standard. MIS Quarterly 30(Special Issue):413–438.(Standard making: a critical research frontier for information systems research)

26. Saint-Germain R (2005) Information security management best practice based on ISO/IEC17799. Info Manage J 39(4):60–66

27. von Solms B, von Solms R (2005) From information security to. . . business security. ComputSecur 24:271–273

28. Cloud Industry Forum (2012) ‘Certification’ within cloud computing. Hero or villain?Presentation of Andy Burton at of a round table 23rd November 2012. Brussels, Belgium

29. KimW, Kim SD, Lee E, Lee S (Dec 2009)Adoption issues for cloud computing. In: Proceedingsof the 11th International Conference on Information Integration and Web-based Applications& Services. ACM, pp 3–6

30. OpenForum Academy (2012) Certification within cloud computing: hero or villain?http://www.openforumacademy.org/library/round-table/OFAReport231112final.pdf/at_down-load/file. Accessed 10 Sept 2013