
An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security

  • Conference paper
Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Abstract

In the last ten years cloud computing has developed from a buzzword to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also comes with security concerns as it represents a form of IT outsourcing. We investigate how these concerns manifest as a decisive factor in cloud provider selection through interviews with eight practitioners from German companies. As only a moderate interest is discovered, it is further examined why this is the case. Additionally, we compared the results from a systematic literature survey on cloud security assurance to cloud customers’ verification of their providers’ security measures. This paper provides a qualitative in-depth examination of companies’ attitudes towards security in the cloud. The results of the analysed sample show that security is not necessarily decisive in cloud provider selection. Nevertheless, providers are required to guarantee security and comply. Traditional forms of assurance techniques play a role in assessing cloud providers and verifying their security measures. Moreover, compliance is identified as a strong driver to pursue security and assurance.





Correspondence to Sebastian Pape.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Pape, S., Stankovic, J. (2020). An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security. In: Katsikas, S., et al. Computer Security. CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019. Lecture Notes in Computer Science, vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_19


  • DOI: https://doi.org/10.1007/978-3-030-42048-2_19


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer Science, Computer Science (R0)
