The case for cloud service trustmarks and assurance-as-a-service

Cloud computing represents a significant economic opportunity for Europe. However, this growth is threatened by adoption barriers largely related to trust. This position paper examines trust and confidence issues in cloud computing and advances a case for addressing them through the implementation of a novel trustmark scheme for cloud service providers. The proposed trustmark would be both active and dynamic featuring multi-modal information about the performance of the underlying cloud service. The trustmarks would be informed by live performance data from the cloud service provider, or ideally an independent third-party accountability and assurance service that would communicate up-to-date information relating to service performance and dependability. By combining assurance measures with a remediation scheme, cloud service providers could both signal dependability to customers and the wider marketplace and provide customers, auditors and regulators with a mechanism for determining accountability in the event of failure or non-compliance. As a result, the trustmarks would convey to consumers of cloud services and other stakeholders that strong assurance and accountability measures are in place for the service in question and thereby address trust and confidence issues in cloud computing

Information Security In The Age Of Cloud Computing

Information security has been a particularly hot topic since the enhanced internal control requirements of Sarbanes-Oxley (SOX) were introduced in 2002. At about this same time, cloud computing started its explosive growth. Outsourcing of mission-critical functions has always been a gamble for managers, but the advantages of cloud computing are too tempting to ignore. However, the move to cloud computing could prove very costly for a business if the implementation were to fail. When making the decision to outsource critical functions, managers look to accountants to provide assurance that their data and transactions will be secure and that emergency procedures will be in-place and work as designed, to protect the business from any potential losses due to unforeseen events. Statement on Auditing Standards (SAS) 70 has provided guidance to auditors of third-party service organizations since 1992, but was replaced in April 2010 by Statement on Standards for Attestation Engagements (SSAE) 16. And yet, data breaches continue to occur, costing billions of dollars annually. This research used data from the Privacy Rights Clearinghouse (PRC) database and, through frequency analysis, Chi-square and cluster analysis techniques, found statistically significant differences in the frequency of breaches experienced by various types of consumer organizations based on breach and organization type. This result will be useful to auditors. The research also conducted a survey of 67,749 IT manager/directors. The responses to this survey were to be analyzed using binary logistic regressions and Chi-square tests. Unfortunately, due to severe limitations in the response rate and further complicated by the number of incomplete responses, no inferences can be drawn regarding factors relevant to decision-makers when contemplating the movement of critical business functions into the cloud environment

TOWARDS A BRIGHT FUTURE: ENHANCING DIFFUSION OF CONTINUOUS CLOUD SERVICE AUDITING BY THIRD PARTIES

Using cloud services empowers organizations to achieve various financial and technical benefits. Nonetheless, customers are faced with a lack of control since they cede control over their IT resources to the cloud providers. Independent third party assessments have been recommended as good means to counteract this lack of control. However, current third party assessments fail to cope with an ever-changing cloud computing environment. We argue that continuous auditing by third parties (CATP) is required to assure continuously reliable and secure cloud services. Yet, continuous auditing has been applied mostly for internal purposes, and adoption of CATP remains lagging behind. Therefore, we examine the adoption process of CATP by building on the lenses of diffusion of innovations theory as well as conducting a scientific database search and various interviews with cloud service experts. Our findings reveal that relative advantages, a high degree of compatibility and observability of CATP would strongly enhance adoption, while a high complexity and a limited trialability might hamper diffusion. We contribute to practice and research by advancing the understanding of the CATP adop-tion process by providing a synthesis of relevant attributes that influence adoption rate. More im-portantly, we provide recommendations on how to enhance the adoption process

Assessing database and network threats in traditional and cloud computing

Cloud Computing is currently one of the most widely-spoken terms in IT. While it offers a range of technological and financial benefits, its wide acceptance by organizations is not yet wide spread. Security concerns are a main reason for this and this paper studies the data and network threats posed in both traditional and cloud paradigms in an effort to assert in which areas cloud computing addresses security issues and where it does introduce new ones. This evaluation is based on Microsoft’s STRIDE threat model and discusses the stakeholders, the impact and recommendations for tackling each threat

Framework for Security Transparency in Cloud Computing

The migration of sensitive data and applications from the on-premise data centre to a cloud environment increases cyber risks to users, mainly because the cloud environment is managed and maintained by a third-party. In particular, the partial surrender of sensitive data and application to a cloud environment creates numerous concerns that are related to a lack of security transparency. Security transparency involves the disclosure of information by cloud service providers about the security measures being put in place to protect assets and meet the expectations of customers. It establishes trust in service relationship between cloud service providers and customers, and without evidence of continuous transparency, trust and confidence are affected and are likely to hinder extensive usage of cloud services. Also, insufficient security transparency is considered as an added level of risk and increases the difficulty of demonstrating conformance to customer requirements and ensuring that the cloud service providers adequately implement security obligations. The research community have acknowledged the pressing need to address security transparency concerns, and although technical aspects for ensuring security and privacy have been researched widely, the focus on security transparency is still scarce. The relatively few literature mostly approach the issue of security transparency from cloud providers’ perspective, while other works have contributed feasible techniques for comparison and selection of cloud service providers using metrics such as transparency and trustworthiness. However, there is still a shortage of research that focuses on improving security transparency from cloud users’ point of view. In particular, there is still a gap in the literature that (i) dissects security transparency from the lens of conceptual knowledge up to implementation from organizational and technical perspectives and; (ii) support continuous transparency by enabling the vetting and probing of cloud service providers’ conformity to specific customer requirements. The significant growth in moving business to the cloud – due to its scalability and perceived effectiveness – underlines the dire need for research in this area. This thesis presents a framework that comprises the core conceptual elements that constitute security transparency in cloud computing. It contributes to the knowledge domain of security transparency in cloud computing by proposing the following. Firstly, the research analyses the basics of cloud security transparency by exploring the notion and foundational concepts that constitute security transparency. Secondly, it proposes a framework which integrates various concepts from requirement engineering domain and an accompanying process that could be followed to implement the framework. The framework and its process provide an essential set of conceptual ideas, activities and steps that can be followed at an organizational level to attain security transparency, which are based on the principles of industry standards and best practices. Thirdly, for ensuring continuous transparency, the thesis proposes an essential tool that supports the collection and assessment of evidence from cloud providers, including the establishment of remedial actions for redressing deficiencies in cloud provider practices. The tool serves as a supplementary component of the proposed framework that enables continuous inspection of how predefined customer requirements are being satisfied. The thesis also validates the proposed security transparency framework and tool in terms of validity, applicability, adaptability, and acceptability using two different case studies. Feedbacks are collected from stakeholders and analysed using essential criteria such as ease of use, relevance, usability, etc. The result of the analysis illustrates the validity and acceptability of both the framework and tool in enhancing security transparency in a real-world environment

“Unblackboxing” Decision Makers’ Interpretations of IS Certifications in the Context of Cloud Service Certifications

IS literature has predominantly taken a black box perspective on IS certifications and studied their diverse set of outcomes, such as signaling superior quality and increased customer trust. As a result, there is little understanding about the structure of certifications and its role in decision makers’ evaluations of certifications to achieve these outcomes. However, idiosyncrasies of novel IT services, such as cloud services, create a need for “unblackboxing” certifications and theorizing about their constituting structural building blocks and structural elements, as well as examining key features that might lead to a more favorable evaluation of a certification by decision makers. To advance theory building on certifications, this article develops an empirically grounded typology of certifications’ key structural building blocks and structural elements, and examines how they interpret substantive features within these elements. Using evidence from 20 interviews with decision makers from a wide range of industries in the context of cloud service certifications, we find that a decision maker’s aggregate evaluation of a certification is a function of their interpretations of its features guided by cognitive interpretive schemas along six key structural elements, contrasted with the decision makers’ expectations regarding the certification’s outcomes. This study contributes by conceptualizing the necessary and sufficient elements of certifications, constructing a nascent theory on decision makers’ evaluations of certifications, and illuminating the dynamics between certifications’ structural elements and outcomes as a coevolutionary process. We discuss implications for the certification literature and give managerial advice regarding the factors to consider when designing and evaluating certifications