Issues of trust in the decision-making process

McLeod and Gormly’s study (2017) found that the most significant issues of trust in using a cloud service were concerns about the continued delivery of a sustainable and also economically viable service, and the ability of the service to meet records requirements. Trust in CSPs (cloud service providers) is important and lack of trust in them can adversely affect the cloud adoption decision, reflecting the suggestion by Leverich, Nalliah, and Sud- erman (2015) that trust in the service provider is relatively more important than trust in the technology. These issues can be addressed through a robust decision-making process which involves all relevant stakeholders, identifies and prioritizes requirements, investigates and assesses options, identifies responsibilities and stakeholder impact, and manages risk.

Views of the risks of using cloud services vary. Some organisations consider the risks as similar to those faced on premises, although recognise that the magnitude of the consequences should a risk materialise may be significantly greater, depending on the risk, since they are not wholly in the organisation’s control. Others manage risk based on the criticality of the content, as well as the business actions and access restrictions necessary, choosing to store only certain classes of records and/or cloud services. This strategy follows the conclusions of Stuart and Bromage (2010), who describe cloud adoption as a “risk-based decision” (pp. 223-224) in which the risks differ between organisations and between records of different values. Risk management enables organisations to reap the benefits of cloud services while minimizing any risks.

Issues of trust in cloud service providers

In addressing issues of trust in CSPs offering IaaS (Infrastructure-as-a-Service), we argue that trust should be looked upon as a combined socio-technical set of requirements, roles, rules, policies, procedures, best practices, responsibilities, and responsible governance.

Research methodology

The research presented here was part of the ITrust’s study Ensuring Trust in Storage in Infrastructure-as-a-Service (Stancic, Bursic, & Al-Hariri, 2015), and was divided into four stages: identification, data acquisition, analysis, and interpretation. The research was limited to the EU region, with the focus on Croatia.

In the research, Stancic et al. (2015) looked for the minimum amount of information providing trust in the service and also positioning service providers as trusted ones. For the purpose of research, the NIST (National Institute of Standards and Technology, USA) definition of cloud computing was adopted specifying that it is

a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

(Mell & Grance, 2011, p. 2)

Aligning with Mell and Grance (2011), Stancic, Rajh, and Milosevic (2013) differentiate between three service models: SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service), and IaaS (Infrastructure-as-a-Service). They also differentiate between four deployment models: private, community, public, or hybrid cloud. Also following Mell and Grance (2011), the Records in the Cloud project (Duranti, 2014) identifies five essential characteristics of cloud solutions: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service (Table 8.3).

The ITrust terminology database defines trust as “confidence of one party in another, based on alignment of value systems with respect to specific actions or benefits, and involving a relationship of voluntary vulnerability, dependence and reliance, based on risk assessment” (Terminology Database, n.d.). Therefore, the users of cloud services should have enough information on a service, e.g. stated in the terms of service, to be able to trust it. The SLA (service-level agreement) signed between users and CSPs should treat both parties equally. To better understand whether this is the case, a questionnaire containing 36 questions was developed and used for surveying ten CSPs operating at a national level in Croatia. The fact that only three responded in full shows that either the issue of trust is not the focus of the seven CSPs that did not respond (which would be worrying), or that they were not able to respond to the majority of questions (thus they did not want to reveal the low level of trust the users should have in their services), or the survey asked too complicated questions for one person to answer (this is the risk the research team was aware of before sending the survey). Nevertheless, the CSPs that responded provided enough detailed information to give a glimpse of the situation.

Inspired by Jansen and Grance (2011, pp. 14-36), the questionnaire was organized in ten categories: [1]

Service models


Application delivery through client software. User is neither aware of nor controls physical infrastructure, nor can configure other applications than the delivered one.


Environment delivery (e.g. operating system). User can control and configure the delivered environment, but is neither aware of nor controls physical infrastructure nor can configure application-hosting environment.


Virtual data centre delivery where user can configure and deploy virtual environments/ components.




Built for, provisioned for, and used by one organisation. Usually service-oriented and ideal for users having specific requirements.


Built for, provisioned for, administered by, and used by several organisations forming a community and sharing same requirements and goals.


Built for rent by a cloud service provider.


Two or more deployment models combined - physically separated but connected by mutually portable data or applications.


On-demand self-service

Users can access as many computing capabilities as they need.

Broad network access

Access is enabled from any device with an internet connection.

Resource pooling

The underlying infrastructure enables multi-tenancy, i.e. multiple users can use the same infrastructure at the same time without interfering with each other.

Rapid elasticity

Users can increase or decrease the amount of computing resources (processor power, storage, etc.) they use at any time.

Measured service

Pay-as-you-go model allows users to pay only for what they have used. The amount of used resources is precisely measured.

  • 3 compliance
  • 4 trust
  • 5 architecture
  • 6 identity and access management
  • 7 software isolation
  • 8 data protection
  • 9 availability
  • 10 incident response.

The developed questionnaire was later transformed to a checklist (see Appendix 4) and translated into Spanish (Stancic, Bursic, &t Al-Hariri, 2016) so that any user wanting to assess and compare IaaS cloud services can use it and determine whether an IaaS service can or should be trusted.

  • [1] general information 2 governance
< Prev   CONTENTS   Source   Next >