[computer communications and networks] continued rise of the cloud || patterns of trust: role of...
TRANSCRIPT
Chapter 6Patterns of Trust: Role of Certification for SMECloud Adoption
Alea M. Fairchild
Abstract Growth of cloud computing as a concept continues to pose challengeson how to deliver agile, yet secure, information technology (IT) services to enter-prises. While the hype surrounding cloud computing may have peaked, the conceptof “cloudwashing” (adding the term “cloud” to an existing service for marketing rea-sons) continues to cause confusion and inflated expectations with enterprise buyers.This fear, uncertainty, and doubt (FUD) just slows down the growth of a potentiallylarger market. This is especially true for small and medium sized enterprises (SMEs)who turn to IT providers to handle the underlying systems for their businesses. Toassist cloud service buyers, a recent communication from the European Commis-sion advocated voluntary certification for cloud service providers (CSPs). This hassparked a debate as to the relevance and authority of certification bodies in verifyingthe ability and capability of CSPs. In this research, we are developing an exploratorymodel looking at signaling quality, the independence of certifying authorities, andthe impact of regulatory backing for trust of certification bodies, based on the existingacademic literature on standards of adoption and trust. We are examining what rolethe third-party certifiers can play in adoption of cloud by SMEs, exploring the rolesof certifiers in Europe already involved in market adoption to test our framework,together with four established cases of service providers seeking certification.
Keywords Adoption · Certification · Cloud governance · Information economics ·SME · Trust
6.1 Introduction
Buyya et al. [1] defines cloud as: “. . . a type of parallel and distributed systemconsisting of a collection of interconnected and virtualised computers that are dynam-ically provisioned and presented as one or more unified computing resources basedon service-level agreements established through negotiation between the serviceprovider and consumers.”
A. M. Fairchild (�)Hogeschool Universiteit Brussel, Warmoesberg 26, 1000 Brussels, Belgiume-mail: [email protected]
145Z. Mahmood (ed.), Continued Rise of the Cloud, Computer Communicationsand Networks, DOI 10.1007/978-1-4471-6452-4_6,© Springer-Verlag London 2014
146 A. M. Fairchild
This definition shows a computing resource as a service being provided; there isan agreement for said service; and the fact that this service is negotiated betweenparties. The forms of service that cloud computing provides today may be brokendown into managed services, software as a service (SaaS), utility computing, andplatform as a service (PaaS). The ideas behind these forms of service are not new, butthe fact that the users can tap into these services from web browsers via the Internetmakes them “cloud” services [2].
Cloud-based software is often easier to use, quicker to install and implement, andprovides far greater flexibility than on-premise solutions that need to be installed andmaintained, especially for SMEs without resources for a dedicated IT staff. Cloud-based software can also help small businesses lower costs, often by a significantamount. A recent survey by market research firm IDC found that almost every SMEthat uses cloud services saves money, with many lowering costs between 10 and 20 %.Despite these benefits, the path to the cloud has been bumpy, particularly in Europe,and due to a convoluted web of privacy laws and other governmental regulations, aswell as concerns about data security, analysts estimate that business cloud adoptionin Europe lags behind the USA by about 2 years [3]. Cloud provides a big opportunityfor Europe, and openness is the key attributed to provide opportunity for SMEs, witha concern that lock-in and barriers to entry could block that opportunity.
As part of their Europe 2020 strategy on cloud computing, the European Com-mission’s recently released strategy to boost adoption of cloud computing servicesthroughout Europe had a statement was that “cloud certification should be volun-tary and industry driven, building on current and emerging international standardsto foster global compatibility of cloud computing offerings” [4].
But is certification good for making and growing a marketplace? What is the roleof certifiers in making a market, and how are they regulated? Auriol and Schilizzi[5] show us that there is a problem signaling the quality of goods and services whenquality is never observable to consumers. Certification acts to transform unobserv-able credence attributes into observable search attributes. They then studied the costof certification systems on market structure and performance in agricultural seedproduction. Given we are discussing an intangible deliverable, since this is a service,that is not available in bulk, we will take a slightly different approach.
The central research question is “What are the benefits of cloud servicecertification for building trust and establishing market growth for SME customers?”
Our research objectives are the following:
• Define the role of the certifier in creating trust and establishing credibility• Examine the impact of certification on market development• Explore how best to regulate the certification process to protect user benefits, if
needed
For our methodology, in this chapter, we will explore the role of the certifier byexamining complementary markets where certification is active to see how trust hasbeen created as well as the impact over time on market growth; and by examining theactivities of one particular early market entrant in certification to see how stakeholderdynamics work between them, their customers, and the government bodies in the
6 Patterns of Trust: Role of Certification for SME Cloud Adoption 147
Third Party Cer fying Body
Value for CSPs: • Verifica on • Audit document • Marke ng
Value for SMEs: • Signal of quality • Independent
view • Infomediary
Model of Third Party Cer fiers for CSPs and SMEs
Fig. 6.1 Role of the third-party certifying bodies—our model
countries where they are present. Using a case study in this research is motivated byseeing examples in the field to test and extend theory. Figure 6.1 visually demonstratesthe role of the third-party certifier we are examining.
Our model examines the role of the third-party certifying body as an intermediarythat is providing value to both the CSPs and the SMEs in their activities. As shownby the “not equal” sign, the definition of that intermediation role does not includeoversight by one or more governmental bodies at this time, however, this is oneelement that would potentially change the balance between the parties if it becamemandatory.
6.2 Adoption Issues for SMEs: Cultural, Economic,and Organizational
To start, we need to examine why a certifier would be needed for adoption, particularlyfor the SME. What sets this target group apart from larger enterprises? How woulda certifier play a role in influencing this group of companies?
Cloud computing can be seen as an emerging computing service paradigm. And,like other services of this scale, complexity, and novelty, there are fears, uncertainties,and concerns about the technology’s maturity. However, the most important can belisted as those relating to control, vendor lock-in, performance, latency, security,privacy, and reliability [6].
In Europe, SMEs are considered organizations of great importance, which is a fairassessment as they represent more than 95 % of the business sector of the developed
148 A. M. Fairchild
economies [7] and which, due to reduced resources and difficult access to IT, areideal candidates for adopting cloud computing.
In terms of computing resources, an SME can by using cloud leverage a lowercapital expenditure (CAPEX) and have less physical requirements of on-premiseequipment. Cost benefits are derived from an efficient utilization of IT resources andincreased flexibility, i.e., the possibility to request and use resources only when theyare actually needed.
The European Network and Information Security (ENISA) conducted a surveyin 2009 to determine the actual needs, requirements, and expectations of SMEsfor cloud computing services. This survey found that 68 % of the SME responsesit received indicated that avoiding capital expenditure in hardware, software, ITsupport, and information security was behind their possible engagement in cloudcomputing while almost 64 % of the responses also indicated that flexibility andscalability of IT sources was the reason [8].
The ENISA survey showed that 29 out of 62 SME responses saw “loss of controlof services and/or data” as being “very important” [8]. Issues relating to performanceand latency (evidenced by the temporary run-outs of capacity by some providers)are also problematic [6].
Research conducted by Easynet Connect has shown that UK SMEs are increas-ingly eager to adopt cloud computing, with 47 % planning to do so within the next5 years. Of those companies which indicated their preparedness to move to cloudcomputing, 35 % of them cited cost savings as the key driver [9].
6.2.1 Role of SME in Technology Adoption
The results shown below can be found in the ENISA report: “Cloud computingRisk Assessment: Benefits, risks and recommendations for information security(Table 6.1).
Most of the reasons shown above are business continuance and capital expendi-ture rationale. For an SME, given a limited budget and constrained resources, theeconomic rationale and benefits gained might even be of a higher priority, but therisk compared to a multinational enterprise (MNE) might also be perceived as higherwith more to lose.
Cloud adoption for innovation of business processes was not highlighted in thisENISA study. Is there a culture in SME as early adopters or not? Thang and Yap[10] point out that the chief executive officer (CEO) often has a significant role inthe adoption of IT by SMEs. An SME that is likely to adopt IT will most often havea CEO who has a positive attitude toward IT adoption, who is innovative and who isknowledgeable about IT.
Mehrtens et al. [11] show in their research three forms of SME organizationalreadiness as highly relevant to the adoption of the Internet: (a) the level of ITknowledge among IT professionals; (b) the level of IT knowledge among non-ITprofessionals; and (c) the level of IT use within the organization.
6 Patterns of Trust: Role of Certification for SME Cloud Adoption 149
Table 6.1 Reasons for adoption of Cloud [8]
What are the reasons behind your possible engagement in the Cloud Computing area?
Answer options Response percent (%) Response count
Remove economic/expertise barriers impeding tomodernize business processes by the introduction ofInformation Technology
30.6 22
Avoiding capital expenditure in hardware, software, ITsupport, Information Security by outsourcinginfrastructure/platforms/services
68.1 49
Flexibility and scalability of IT resources 63.9 46Increasing computing capacity and business performance 36.1 26Diversification of IT systems 11.1 8Local and global optimisation of IT infrastructure
through automated management of virtual machines25.0 18
Business continuity and disaster recover/capabilities 52.8 38Assessing the feasibility and profitability of new sen/ices
(i.e. by developing business cases into the cloud)29.2 21
Adding redundancy to increase availability and resilience 27.8 20Controlling marginal profit and marginal costs 15.3 11Other (please specify) 13.9 10Answered questions 72
This research leads us back to the early comment of economic constraints forSME cloud adoption. Is the lack of IT personnel in a traditional SME one factor forcloud adoption?
The work of Sultan [6] examined the economic viability and efficiency of cloudcomputing for SMEs and its benefits. Sultan [6] tried to explain how cloud servicesdiffered from anything experienced so far by those businesses in terms of flexibility,availability, and cost structure. Furthermore, they examined the findings of somesurveys which not only reveal the preparedness of many SMEs to use cloud comput-ing and showed that many of those businesses are already using some of the cloudservices on offer. This study concentrated mainly on the merit of “public” cloudservices (where services are provided by “remote” suppliers who take responsibilityfor delivering those services to their clients), and not “private” and “hybrid” cloudoffering. In working with public cloud providers such as Amazon and Rackspace,SMEs can take advantage of economies of scale that large cloud providers are ableto offer, and leverage the potential of an outsourcing partner with industry exper-tise. However many SME enterprises with limited in-house IT support and limitedknowledge about cloud technologies find it difficult to make the choice on private vs.public cloud. In examining organizational issues for adoption, one question to ask:Does size matter to a CSP? Several CSPs have developed specific packages gearedtoward SME needs.
Keung and Kwok [12] have recently developed a cloud deployment model as-sessment method called Cloud Deployment Selection Model (CDSM). The modelhas been validated in real case studies, and recommendations derived have beencompared with real adoption cases. Based on the factors identified from many SMEorganizations, it could be an important tool for SMEs to decide between private or
150 A. M. Fairchild
Table 6.2 Processes that could be outsourced—n = 72 [8]
Which IT services/applications supporting business processes are most likely to be outsourced toa cloud computing service provider?
Answer options Response percent (%) Response count
Payroll 38.9 28Human resources 19.4 14Procurements 16.7 12CRM/sales management 52.8 38Accounting and finance 30.6 22Project management 41.7 30Application development on the cloud 44.4 32Anonymised data analysis 29.2 21Other (please specify) 12.5 9Answered questions 72
public cloud solutions. Marston et al. [13] state that for SMEs, the prices and theterms and conditions (SLAs) are far better with a cloud provider than the SME couldrealize themselves with their moderate investment levels.
Another issue within the SME is expertise within horizontal applications outsideof the core expertise of the business. Knowledge of the latest human resources (HR)and payroll applications may be outside of the employees of the business, therefore,the wish to outsource these applications to someone more knowledgeable may bea driver to external parties. Below, Table 6.2 highlights what processes companieswant to be outsourced from the ENISA study on cloud adoption.
Given some of the economic and organizational drivers for SME cloud adoption,we then examine what role a third-party certifier might play in helping reduce therisk of CSP selection for the SME.
6.2.2 Role of Third-Party Certifiers
Fundamental concepts from information economics can provide a framework forexamining the role of the third-party certifiers who are “external institutions thatassess, evaluate, and certify quality claims” [14]. Five important concepts that wecan use for this framework from an information economics perspective are:
• Uncertainty• Information asymmetries• Opportunistic behavior• Divergences between private and social returns• Signaling institutions
For the framework of our evaluation of the role of certifiers, we started with Spence’s[15] article on Job Market Signaling, which provides an approach for thinking aboutcountervailing institutions (institutions that emerge to address problems that arisefrom uncertainty and asymmetric information). Given uncertainty in the market some
6 Patterns of Trust: Role of Certification for SME Cloud Adoption 151
individuals or institutions may attempt to signal differences to prospective buyers oremployers. Differentiation is critical to position a firm amongst its competitors.
We then looked at Tanner’s [16] argument that third-party certifiers’ key asset istheir perceived independence. If third-party certifiers are truly independent, than thecosts of obtaining third-party certification (for a quality attribute) will be inverselyrelated to the quality of a firm and/or its product. If this were not the case, third-partycertification would not allow for discrimination on the basis of quality. Masters andSanoga [17] raise an additional point in that they argue that the emergence of third-party certifiers depends, in part, on the presence of a national standards authority. Ina sense they provide a basis for certifying the certifiers.
We also have included other industry-specific certifications and quality seals inour evaluation of the role of certification and their role in trust with SMEs. The firstexample is ISO/IEC 27001, initially published in 2005, designed for informationsecurity management and assists firms in developing an independently assessed andcertified information security management system. This standard allows SMEs toprotect their reputation, as well as compete with bigger brands. We also exploredSAS70 II certification, which is developed by the American Institute of CertifiedPublic Accountants (AICPA) and used for audit control for activities and processesin services in ICT in the dedicated server and co-location hosting market. We alsoincluded in our analysis Eurocloud’s Datacentre Star Audit (DCSA), which is a moreniche seal of approval for data centers throughout Europe.
In examining existing related theory, we utilise Habib et al. [18] on trust andreputation in cloud environments. In online service environments, trust and reputationmodels have been proven useful in decision making [19]. We have also includedresearch from Prezas [20] on trust and ISO/IEC 27001 certification.
Using a framework developed on these information economics concepts and in-formation from other certification and quality seal market efforts, we will thereforebe examining the dynamics of market adoption based on:
• Signaling quality in cloud service provisioning• Independence of certification bodies in impacting market adoption• Regulatory backing for trust of certification bodies
After structuring this framework, we will then examine the Cloud Industry Forumas an example of a certifying organization and how their offerings match with theframework as to impact of market growth and adoption.
6.3 Structuring the Framework on Trust and Adoption
As discussed above, we developed a framework to assess the role of the third-partycertifier on trust and adoption for the SME.What did we synthesize from our literatureresearch? Examples of relevant findings from Table 6.3 include:
152 A. M. Fairchild
Table 6.3 Synthesis of findings from literature
Topic Findings
Signaling quality in cloud serviceprovisioning
Fomin et al. [21] argue that the benefits of ISO 9001certification have gradually shifted from earlier timeswhen its certification was used as a signal to markets[22] to one where firms can actually gain direct benefitsfrom the effective use of the quality managementsystem itself. But opinion is mixed as to whether aformal accreditation process would actually providelarge organizations in particular with the assurancerequired to participate seriously in the cloud world [23]
Independence of certification bodiesin impacting market adoption
Tanner’s [16] argument that third-party certifiers’ key assetis their perceived independence. Masters and Sanoga[17] argue that the emergence of third-party certifiersdepends, in part, on the presence of a national standardsauthority
Regulatory backing for trust ofcertification bodies
Empirical research has shown that communication aboutnorms in cases of self-regulation is difficult, for bothparties [24]. Backhouse et al. [25] suggest that in somecases for ISO/IEC27001, in the countries with thelargest number of certificates for ISO/IEC 27001 thecertification process is driven by either governmentregulation, as in Japan or supplier/buyer demands or thenecessity of outsourcing and offshoring in markets suchas Taiwan, Singapore and India
• A shift from earlier times when its certification was used as a signal to marketsto one where firms can actually gain direct benefits from the effective use of thequality management system itself.
• In the countries with high participation in certification, the certification process isdriven either by government regulation, supplier/buyer demands, or the necessityof outsourcing and offshoring the activity.
An additional point is benefits creation. Saint-Germain [26] argues that an importantdriver for ISMS certification is demonstrating to partners that the company has identi-fied and measured their security risks and implemented a security policy and controlsthat will mitigate these risks In addition, international invitations to tender are be-ginning to require that organizations be compliant with certain security standards,and security audit demands from financial institutions and insurance companies areincreasing. A further incentive is lower insurance premiums for ISO 27001 certifiedcompanies [27]. It has been seen that governments and other regulatory agencies aremoving away from this labor intensive command and control approach of govern-mental certification and experimenting with various forms of self-regulation. Partof this self-regulation is adding benefits for the certification process to maintaincompliance.
The next step to our research was to identify the rationale for CSPs to join acertification scheme. Do these kinds of schemes help make a market develop fasterand/or more efficiently?
6 Patterns of Trust: Role of Certification for SME Cloud Adoption 153
6.4 Cloud Service Providers Use Cases of Certificationfrom the Cloud Industry Forum
The Cloud Industry Forum (CIF) is a non-profit organization based in the UK andwas developed to assist in advocating cloud adoption. The CIF has been establishingresearch in cloud adoption, in order to create commonality in language and standards.They claim that they are trying to enable innovation in the marketplace, not restrictit [28].
The CIF has developed a code of practice that aims to provide transparencyamongst CSPs, to assist the cloud service users (CSUs) in determining the core in-formation necessary for decisions on adoption of cloud services, and to incorporatecurrent standards and frameworks (e.g., ISO 9001, ISO 14001, and ITIL®) requir-ing provision of organizational, commercial and operational information which areindependently reviewed. The CIF proposes an annual self-certification process forthe CSPs, which would be an online submission based on off-line review [28].
The three pillars that provide the scope and framework for their certification areas follows:
• Transparency: Of the organization, its structure, location, key people, andservices. This has to be reflected on your website.
• Capability: The processes and procedures in operation to support the delivery ofservices and customer experience.
• Accountability: Commitment of senior executive to the Code of Practice andbehavior with customers.
If successful, this would lead to an approval to use certification mark and listed onthe CIF site as a self-certified vendor.
For our research, we have randomly selected three CSP participants from theCIF certification program and looked at the framework criteria with the exception ofregulatory backing. Using only three CSPs obviously is not reflective of the entiremarketplace, but as all three have already joined a certification scheme, it gaveus a good basis for CSP experience in this area. The rationale for the exclusion ofregulatory backing was that as all three members had already joined CIF, who does nothave regulatory backing, we held with Tanner’s research [16] that the independenceof the certification body was one of the features that drew these CSP firms to join,given their comments. We would have to survey other CSP firms that did not join tosee if the independence was a factor in their not becoming certified by the CIF.
The three CSP firms selected for this study are the following:
• ChannelCloud: This CSP was established 10 years ago in the USA, launched inthe UK and Ireland in January 2011. The goals of this CSP is to build a federationof ChannelCloud partners across the UK and Ireland toward its vision for a new,truly comprehensive method of delivering IT services to clients.
• Unit4: UNIT4 has been at the forefront of cloud computing for many years. Thecompany’s newest offering, Shared Journey, is a cloud-based deployment optiondesigned for organizations looking to set up a shared services operation that is
154 A. M. Fairchild
quick to establish, easy to grow and responsive to change, which can be seen asideal for SMEs.
• Webroot: Founded in 1997, the company provides best-of-breed security so-lutions that protect personal information and corporate assets from online andinternal threats. Based in Broomfield, CO in the USA, the company is privatelyheld and backed by some of the industry’s leading venture capital firms, includingTechnology Crossover Ventures, Accel Partners, and Mayfield. The company wasalso one of the founding members of CIF.
Each of these three CSPs provided materials on their rationale for joining the CIFand some background on how much work the CIF audit was for them to do prior totheir acceptance into the CIF. The management quotes in Table 6.4 came from thefollowing sources, with the materials provided from the CIF:
• ChannelCloud: Paul Byrne, CEO, ChannelCloud UK/Ireland• Unit4: Anwen Robinson, MD of UNIT4 Business Software Ltd.• Webroot: George Anderson, EMEA Product Marketing at Webroot
6.5 Continuance of the Research
There are several options for continuing this research. One is to test if the enhancedquality of service that the certification audit requires benefits the SME in terms oftrust and reliability. Other activities around this research could be to interview SMEfirms who work with these CSP firms to see if the certification was a factor in theselection of the cloud service. The challenge with this is two-fold: these schemesare reasonably new and the SME may not have seen enough service to verify howcertification helped the process, and there may not yet be enough SMEs willing toparticipate in this kind of research to give us a good sample of the marketplace.
The concept of regulation of certification also needs to be addressed. As an ini-tial part of this research, we interviewed lobbyists in Brussels on certification andgovernmental backing. The consensus from these interviews is that it could benefitcertification, but that most European Union (EU) governments would not be willingto make the investment at this time as the governments feel this regulatory effortwould slow down the pace of market development for cloud.
6.6 Conclusion
In this research, our goals were to explore the role of the third-party certificationon adoption of cloud computing by SMEs. The literature base was established byexamining other markets where certification has been used to see how trust has beencreated. We did not get enough empirical data on the impact of certification on othermarkets on growth over time and certification as a direct impact factor to marketgrowth has not appeared in the literature we have examined in this regard.
6 Patterns of Trust: Role of Certification for SME Cloud Adoption 155
Tabl
e6.
4Q
uote
sfr
omC
SPm
anag
emen
ton
bene
fits
ofce
rtifi
catio
n
Cha
nnel
Clo
udU
nit4
Web
root
Sign
alin
gqu
ality
incl
oud
serv
ice
prov
isio
ning
Cru
cial
for
usw
asth
ene
edto
esta
blis
hcr
edib
ility
inth
em
arke
tand
that
isw
hyw
eal
igne
dou
rsel
ves
with
the
Clo
udIn
dust
ryFo
rum
(CIF
)co
deof
prac
tice.
The
reis
nodo
ubtt
hatg
aini
ngC
IFce
rtifi
catio
nha
sen
hanc
edou
rpo
sitio
nin
the
mar
ket.
Itha
sgi
ven
usgr
eat
cred
ibili
tyw
ithou
rcl
ient
san
dpr
ospe
cts
alik
e.Fu
rthe
rmor
e,it
forc
edus
toco
nsid
erw
here
we
mig
htha
vega
psin
our
docu
men
tatio
nan
dbu
sine
sspr
oces
ses
CIF
mem
bers
hip
prov
ides
usw
ithad
ditio
nalm
arke
tcre
dibi
lity
The
code
ofpr
actic
ean
dth
ece
rtifi
catio
npr
oces
sen
able
spr
ofes
sion
alcl
oud
serv
ice
prov
ider
ssu
chas
ours
elve
s,to
dem
onst
rate
with
clar
ityth
eir
ethi
cs,
prac
tices
and
proc
esse
sth
roug
han
inde
pend
ently
reco
gniz
edan
dcr
edib
lebo
dyin
orde
rto
build
trus
tby
asso
ciat
ion
with
pros
pect
ive
cust
omer
s
Inde
pend
ence
ofce
rtifi
catio
nbo
dies
inim
pact
ing
mar
ket
adop
tion
We
shar
ea
view
that
we
have
inco
mm
onw
ithth
eC
IF,o
neba
sed
onbu
ildin
gtr
ust
and
tran
spar
ency
thro
ugho
utth
em
arke
t
By
adop
ting
ase
tof
cert
ifiab
lecr
iteri
a,th
ecl
oud
serv
ice
prov
ider
enab
les
the
end
user
toha
vea
tran
spar
entv
iew
ofth
eve
ndor
’sbu
sine
ssan
dth
ety
peof
serv
ices
and
serv
ice
leve
lsth
eyca
nex
pect
from
them
Ven
dors
veri
fied
byth
eC
IFar
ere
spon
sibl
efo
rad
heri
ngto
the
CIF
code
ofco
nduc
tco
veri
ngfo
llow
ing
appr
opri
ate
and
secu
reda
tapr
oces
sing
proc
esse
s,en
suri
ngro
bust
and
qual
itycl
oud
serv
ice
deliv
ery
and
bein
gac
coun
tabl
eto
cust
omer
sfo
rqu
ality
ofse
rvic
ean
dsu
ppor
tA
dditi
onal
poin
t:B
enefi
tscr
eatio
nT
heC
IFha
she
lped
Cha
nnel
Clo
udU
K/I
rela
nddi
ffer
entia
teits
elf
from
thos
ela
ckin
gth
ere
sour
ces
and
capa
bilit
yto
deliv
era
secu
rean
dro
bust
clou
dou
tcom
efo
rth
ebu
sine
ssus
er
CIF
requ
ires
itsm
embe
rsto
dem
onst
rate
ethi
cala
ndtr
ansp
aren
tde
liver
yof
host
edan
dcl
oud
serv
ices
The
CIF
has
help
edW
ebro
otdi
ffer
entia
teits
elf
from
thos
ela
ckin
gth
ere
sour
ces
and
capa
bilit
yto
deliv
era
secu
rean
dro
bust
clou
dou
tcom
efo
rth
ebu
sine
ssus
er.T
heC
IFis
aidi
ngbu
sine
ss’
confi
denc
ein
usin
gcl
oud
appl
icat
ions
thro
ugh
educ
atio
nale
ndor
sem
ents
and
will
ensu
reth
ese
orga
niza
tions
have
the
best
chan
ceto
max
imiz
ebe
nefit
and
redu
ceri
skin
thei
rse
lect
ion
156 A. M. Fairchild
Tabl
e6.
4(c
ontin
ued)
Cha
nnel
Clo
udU
nit4
Web
root
Eas
eof
audi
tact
ivity
We
took
this
asan
oppo
rtun
ityto
tear
upou
rexi
stin
gle
gala
ndre
-dra
ftin
line
with
the
code
ofpr
actic
e.T
his
was
the
mai
nre
ason
behi
ndth
etim
ein
vest
men
twe
had
tom
ake.
And
inco
mm
onw
ithot
her
orga
niza
tions
that
have
been
thro
ugh
this
proc
ess,
we
did
have
tocr
eate
anu
mbe
rof
new
proc
esse
s,sy
stem
san
ddo
cum
ents
asit
forc
edus
tolo
okat
gaps
inou
rex
istin
gbu
sine
ssop
erat
ions
Itto
okou
rau
ditt
eam
only
3w
eeks
tode
liver
the
nece
ssar
ydo
cum
enta
tion
for
the
accr
edita
tion
proc
ess.
Furt
herm
ore,
we
did
not
need
ate
amof
tech
nica
lexp
erts
todo
it.Fr
oma
man
agem
ent
pers
pect
ive,
this
was
criti
calt
oco
mpl
ete
the
CIF
cert
ifica
tion
Whe
nw
est
arte
dth
ece
rtifi
catio
npr
oces
s,th
ede
man
dsof
exte
rnal
crite
ria
real
lysh
arpe
ned
our
view
ofou
rne
eds.
We
foun
da
few
“gap
s”in
the
info
rmat
ion
we
need
edto
supp
ly,w
hich
noto
nly
prov
ided
ake
yin
cent
ive
tocr
eate
new
mat
eria
lsbu
tals
obr
ough
thom
eth
ere
ality
ofw
hatw
eha
dan
dou
rpe
rcep
tion
6 Patterns of Trust: Role of Certification for SME Cloud Adoption 157
We utilized the case of one particular early market entrant in cloud certification tosee how stakeholder dynamics work between them, their customers, and the govern-ment bodies in the countries where they are present. What we found was anecdotalevidence that the benefits to the CSP of certification lay more in the restructur-ing of their offer to achieve certification than to the SME than in the awareness ofcertification by the potential client.
In terms of the relations with the governmental bodies, in the jurisdictions wherethe certifier is located, there is no governmental backing of these schemes; thereforewe were not able to see a dynamic in that relationship. The UK government hasspecifically stated that it is not interested in a regulator role in a debate with the CIFin November 2012 [30].
The success of cloud certification schemes toward SMEs can be seen as morelongitudinal research. SMEs across geographies and industries are making majorchanges to their business models to be able to compete with larger firms by utilizingcloud services to improve operations and become more efficient. The adoption ofcloud by SMEs initially have been driven by internal user demand [29] and horizontalapplication development (e.g., Dropbox and cloud e-mail), where a trusted partnerdoes add a value component to the implementation.
Acknowledgments We would like to thank the Cloud Industry Forum and Andy Burton for theirassistance in this research.
References
1. Buyya R,Yeo CS,Venugopal S (Sept 2008) Market-oriented cloud computing: vision, hype, andreality for delivering it services as computing utilities. In: HPCC ’08 Proceedings of the 200810th IEEE International Conference on High Performance Computing and Communications.IEEE Computer Society, Washington, DC, pp 5–13
2. Kim W (2009) Cloud computing: today and tomorrow. J Object Technol 8(1):65–723. Guardian Professional (n. d.) Security, performance, fear or confusion: what’s holding
back cloud adoption? http://www.guardian.co.uk/media-network/media-network-blog/2012/apr/11/cloud-computing-adoption?INTCMP=SRCH. Accessed 8 Dec 2012
4. European Commission (2012) Steering board of the European cloud partnership.http://ec.europa.eu/digital-agenda/en/news/steering-board-public-statement. Accessed 8 Dec2012
5. Auriol E, Schilizzi SG (2003) Quality signaling through certification. Theory and an applicationto agricultural seed market. IDEI Working Paper, p 165
6. Sultan NA (June 2011) Reaching for the “cloud”: how SMEscan manage. Int J Info Manage31(3):272–278
7. OECD (2010) Information technology outlook 2010 highlights. OECD publications.http://www.oecd.org/dataoecd/60/21/46444955.pdf. Accessed 10 Sept 2013
8. ENISA (2009) An SME perspective on cloud computing. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey/?searchterm=survey. Accessed 10 Sept2013
9. Stening C (2009) Every cloud has a silver lining. Easynetconnect. http://www.easynetconn-ect.net/easynet-news/2009/01/every-cloud-has-a-silver-lining-chris-stening-easynet-connect/.Accessed 23 Aug 2013
158 A. M. Fairchild
10. Thong JYL,Yap CS (1995) CEO characteristics, organizational characteristics and informationtechnology adoption in small businesses. Omega 23(4):429–442
11. Mehrtens J, Cragg PB, Mills AM (20 Dec 2001) A model of Internet adoption by SMEs. InfoManage 39(3):165–176
12. Keung J, Kwok F (2012) Cloud deployment model selection assessment for SMEs: renting orbuying a cloud. Utility and Cloud Computing (UCC), 2012 IEEE Fifth International Conferenceon, p 21, 28, 5–8 Nov 2012
13. Marston S, Li Z, Bandyopadhyay S, Zhang J, Ghalsasi A (April 2011) Cloud computing—thebusiness perspective. Decis Support Syst 51(1):176–189
14. Deaton BJ (Dec 2004) A theoretical framework for examining the role of third-party certifiers.Food Control 15(8):615–619
15. Spence AM (1973) Job market signaling. Quart J Econ 87(3):355–37416. Tanner B (2000) Independent assessment by third-party certification bodies. Food Control
11:415–41717. Masters WA, Sanogo D (2002) Welfare gains from quality certification. Amer J Agr Econ
84(4):974–98918. Habib SM, Ries S, Muhlhauser M (October 2010). Cloud computing landscape and research
challenges regarding trustand reputation. In: Proceedings of the 2010 Symposia and workshopson Ubiquitous, autonomic and trusted computing. IEEE Computer Society, pp 410–415
19. Jøsang A, Ismail R, Boyd C (2007) A survey of trustand reputation systems for online serviceprovision. Decis Support Syst 43(2):618–644
20. Prezas N (2008) Advent of ISO/IEC 27001 certification and its role. In: Initial inter-organizational trust. iSChannel [Journal of the Information Systems and InnovationGroup, Department of Management, The London School of Economics]. 3(1):37–50.http://www.lse.ac.uk/management/documents/iSChannel-Volume-3.pdf#page=37. Accessed2 Feb 2014
21. Fomin VV et al (2008) ISO/IEC 27001 information systems security management standard:exploring the reasons for low adoption. EUROMOT 2008 Conference, Nice, France
22. Rodríguez-Escobar JA, Gonzalez-Benito J, Martínez-Lorente AR (2006) An analysis of thedegree of small companies’ dissatisfaction with ISO 9000 certification. Total Qual ManageBus Excell 17(4):507–521
23. Everett C (June 2009) Cloud computing—a question of trust. Comput Fraud Secur 2009(6):5–724. Burgemeestre B, Hulstijn J, Tan YH (2010) Value-based argumentation for justifying compli-
ance. In: Deontic Logic in Computer Science. Springer, Berlin, pp 214–22825. Backhouse J, Hsu CW, Silva L (2006) Circuits of power in creating de jure standards: Shaping an
international information systems security standard. MIS Quarterly 30(Special Issue):413–438.(Standard making: a critical research frontier for information systems research)
26. Saint-Germain R (2005) Information security management best practice based on ISO/IEC17799. Info Manage J 39(4):60–66
27. von Solms B, von Solms R (2005) From information security to. . . business security. ComputSecur 24:271–273
28. Cloud Industry Forum (2012) ‘Certification’ within cloud computing. Hero or villain?Presentation of Andy Burton at of a round table 23rd November 2012. Brussels, Belgium
29. KimW, Kim SD, Lee E, Lee S (Dec 2009)Adoption issues for cloud computing. In: Proceedingsof the 11th International Conference on Information Integration and Web-based Applications& Services. ACM, pp 3–6
30. OpenForum Academy (2012) Certification within cloud computing: hero or villain?http://www.openforumacademy.org/library/round-table/OFAReport231112final.pdf/at_down-load/file. Accessed 10 Sept 2013