Electronic Markets

, Volume 28, Issue 1, pp 53–75 | Cite as

Cloud providers viability

How to address it from an IT and legal perspective?
  • Cesare BartoliniEmail author
  • Donia El Kateb
  • Yves Le Traon
  • David Hagen
Research Paper


A major part of the commercial Internet is moving toward the cloud paradigm. This phenomenon has a drastic impact on the organizational structures of enterprizes and introduces new challenges that must be properly addressed to avoid major setbacks. One such challenge is that of cloud provider viability, that is, the reasonable certainty that the Cloud Service Provider (CSP) will not go out of business, either by filing for bankruptcy or by simply shutting down operations, thus leaving its customers stranded without an infrastructure and, depending on the type of cloud service used, even without their applications or data. This article attempts to address the issue of cloud provider viability, defining a possible way of modeling viability as a non-functional requirement and proposing some approaches that can be used to mitigate the problem, both from a technical and from a legal perspective. By introducing a structured perspective into the topic of cloud viability, describing the risks, factors and possible mitigators, the contribution of this work is twofold: it gives the customer a better understanding to determine when it can rely on the cloud infrastructure on the long term and what precautions it should take in any case, and provides the CSP with means to address some of the viability issues and thus increase its customers’ trust.


Cloud Viability Standardization Service Level Agreement (SLA) Software escrow 

JEL Classification




The present work is an invited extension of (Bartolini et al. 2015).


  1. Abrahao, B., Almeida, V., Almeida, J., Zhang, A., Beyer, D., Safai, F. (2006). Self-adaptive SLA-driven capacity management for internet services. In Proceedings of the 10th IEEE/IFIP network operations and management symposium (NOMS) (pp. 557–568). IEEE. ISBN: 1-4244-0142-9.
  2. Andrieux, A., Czajkowski, K., Dan, A., Keahey, K., Ludwig, H., Nakata, T., Pruyne, J., Rofrano, J., Tuecke, S., Xu, M. (2007). Web services agreement specification (WS-Agreement). Open Grid Forum (OGF). (Accessed 3 Nov 2016).
  3. Anthony, S. (2012). Megaupload’s demise: what happens to your files when a cloud service dies? (Accessed 3 Nov 2016).
  4. Aubert, B.A., Patry, M., Rivard, S. (2002). Managing IT outsourcing risk: lessons learned. In R. Hirschheim, A. Heinzl, & J. Dibbern III (Eds.), Information systems outsourcing. Enduring themes, emergent patterns and future directions (Vol. 155 p. 176). Berlin: Springer. ISBN: 978-3-662-04756-9. Scholar
  5. Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1(1), 11–33.CrossRefGoogle Scholar
  6. Bauer, E., & Adams, R. (2012). Reliability and availability of cloud computing, 1st edn. Wiley-IEEE Press.Google Scholar
  7. Bartolini, C., El Kateb, D., Le Traon, Y., Hagen, D. (2015). Cloud providers viability: how to address it from an IT and legal perspective? In Proceedings of the 12th international conference on economics of grids, clouds, systems and services (GECON). Springer.Google Scholar
  8. Bocciarelli, P., & D’Ambrogio, A. (2011). A BPMN extension for modeling non functional properties of business processes. In Proceedings of the symposium on theory of modeling & simulation (TMS/DEVS) (pp. 160–168). Society for Computer Simulation International.Google Scholar
  9. Boehm, B., Abts, C., Chulani, S. (2000). Software development cost estimation approaches—a survey. Annals of Software Engineering, 10(1–4), 177–205.CrossRefGoogle Scholar
  10. Bowen, J.A. (2011). Legal issues in cloud computing. In R. Buyya, J. Broberg, A.M. Goscinski (Eds.), Cloud computing: principles and paradigms, 1st Edn, Chap. 24 (pp. 593–613). Hoboken: Wiley.CrossRefGoogle Scholar
  11. Brodkin, J. (2008). Gartner: seven cloud-computing security risks. Tech. rep. Gartner.Google Scholar
  12. Butler, B. (2014). The best time to prepare for getting data out of the cloud is before you put it in there. (Accessed 3 Nov 2016).
  13. Buyya, R., Pandey, S., Vecchiola, C. (2009). Cloudbus toolkit for market-oriented cloud computing. In M.G. Jaatun, G. Zhao, C. Rong (Eds.), Cloud computing. Lecture Notes in computer science (Vol. 5931, pp. 24–44). Berlin: Springer.Google Scholar
  14. C-SIG SLA. (2014). Cloud service level agreement standardisation guidelines. Cloud Select Industry Group on Service Level Agreements (C-SIG SLA). Brussels. (Accessed 3 Nov 2016).
  15. Caplan, D.S. (2010). Bankruptcy in the cloud: effects of bankruptcy by a cloud services provider. Tech. rep. 1289. Chapel Hill: Law Offices of David S. Caplan. (Accessed 3 Nov 2016).
  16. Chung, L., Nixon, B.A., Yu, E., Mylopoulos, J. (2000). Non-functional requirements in software engineering (Vol. 5). US: Springer.CrossRefGoogle Scholar
  17. Conley, J.M., & Bryan, R.M. (1985). Software escrow in bankruptcy: an international perspective. North Carolina Journal of International Law and Commercial Regulation, 10(3), 579–607. ISSN: 0743-1759.Google Scholar
  18. Dalpiaz, F., Paja, E., Giorgini, P. (2011). Security requirements engineering via commitments. In Proceedings of the 1st socio- technical aspects in security and trust (STAST). IEEE.Google Scholar
  19. Dichev, I.D. (1998). Is the risk of bankruptcy a systematic risk? The Journal of Finance, 53(3), 1131–1147.CrossRefGoogle Scholar
  20. Dowell, S., Barreto, A. III, Michael, J.B., Shing, M.-T. (2011). Cloud to cloud interoperability. In Proceedings of the 6th international conference on system of systems engineering (SoSE). Albuquerque: IEEE (pp. 258–263).Google Scholar
  21. Franke, U., Johnson, P., König, J. (2014). An architecture framework for enterprise IT service availability analysis. Software & Systems Modeling, 13(4), 1417–1445. ISSN: 1619-1366. Scholar
  22. Fry, M. (2004). Service-continuity goals important. Communications News, 41(10), –48.Google Scholar
  23. Gebregiorgis, S.A., & Altmann, J. (2015). IT service platforms: their value creation model and the impact of their level of openness on their adoption. In K. Jeffery, D. Kyriazis (Eds.), Procedia computer science. 1st international conference on cloud forward: from distributed to complete computing (Vol. 68, pp. 173–187). ISSN: 1877-0509. Scholar
  24. Glinz, M. (2005). Rethinking the notion of non-functional requirements. In Proceedings of the 3rd world congress for software quality (WSCQ) (pp. II–55–II–64).Google Scholar
  25. Glinz, M. (2007). On non-functional requirements. In Proceedings of the 15th IEEE international requirements engineering conference (RE) (pp. 21–26). IEEE.Google Scholar
  26. Gnedenko, B.V., Belyayev, Y.K., Solovyev, A.D. (1969). Mathematical methods of reliability theory. In Z.W. Birnbaum, E. Lukacs (Eds.), Probability and mathematical statistics: a series of monographs and textbooks (518 pp.). Academic Press. ISBN: 978-1-4832-3053-5.Google Scholar
  27. Guo, Q., Zhan, Z., Wang, T., Zhao, X. (2012). Risk assessment and optimal proactive measure selection for IT service continuity management. In Proceedings of the network operations and management symposium (NOMS) (pp. 1386–1391). ISBN: 978-1- 4673-0267-8.
  28. Haile, N., & Altmann, J. (2013). Estimating the value obtained from using a software service platform. In K. Vanmechelen, J. Altmann, O. F. Rana (Eds.), Economics of grids, clouds, systems, and services. 10th international conference, GECON 2013, Zaragoza, Spain, September 18–20, 2013. Proceedings. Lecture notes in computer science (Vol. 8193, pp. 244–255). Berlin: Springer International Publishing. ISBN: 978-3-319-02413-4. Scholar
  29. Harsh, P., Dudouet, F., Cascella, R.G., Jegou, Y., Morin, C. (2012). Using open standards for interoperability - issues, solutions, and challenges facing cloud computing. In Proceedings of the 8th international conference on network and service management (CNSM) and 6th international DMTF academic alliance workshop on systems and virtualization management: standards and the cloud (SVM) (pp. 435–440). Las Vegas: IEEE.Google Scholar
  30. Hennesy, J. (1999). The future of systems research. Computer, 32(8), 27–33.CrossRefGoogle Scholar
  31. Hiles, A. (2000). Service level agreements: winning a competitive edge for support & supply services, 2nd Edn. Rothstein Catalog on Service Level Books. Brookfield: Rothstein Associates Inc.Google Scholar
  32. Hillegeist, S.A., Keating, E.K., Cram, D.P., Lundstedt, K.G. (2002). Assessing the probability of bankruptcy. Review of Accounting Studies, 9(1), 5–34.CrossRefGoogle Scholar
  33. Hu, F., Qiu, M., Li, J., Grant, T., Tylor, D., McCaleb, S., Butler, L., Hamner, R. (2011). A review on cloud computing: design challenges in architecture and security. Journal of Computing and Information Technology, 19(1), 25–55.CrossRefGoogle Scholar
  34. ISO. (2010). Systems and software engineering – Vocabulary. Tech. rep. International Organization for Standardization.
  35. ISO. (2011). Systems and software engineering– systems and software Quality Requirements and Evaluation (SQuaRE) – system and software quality models. Tech. rep. International Organization for Standardization.Google Scholar
  36. ISO. (2012). Societal security – business continuity management systems – requirements. Tech. rep. International Organization for Standardization.Google Scholar
  37. ISO. (2013). Information technology – security techniques – Code of practice for information security controls. Tech. rep. International Organization for Standardization.Google Scholar
  38. Jeffery, K., Kousiouris, G., Kyriazis, D., Altmann, J., Ciuffoletti, A., Maglogiannis, I., Nesi, P., Suzic, B., Zhao, Z. (2015). Challenges emerging from future cloud application scenarios. In K. Jeffery, D. Kyriazis (Eds.), Procedia computer science. 1st international conference on cloud forward: from distributed to complete computing (Vol. 68, pp. 227–237). ISSN: 1877-0509. Scholar
  39. Kandukuri, B.R.,R. Paturi, V., Rakshit, A. (2009). Cloud security issues. In IEEE international conference on services computing (SCC) (pp. 517–520). IEEE. ISBN: 978-1-4244-5183-8.
  40. Kaufman, L.M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4), 61–64. ISSN: 1540-7993. Scholar
  41. Kauffman, R.J., Ma, D., Yu, M. (2014). A metrics suite for firm- level cloud computing adoption readiness. In K. Vanmechelen, J. Altmann, and O.F. Rana (Eds.), Economics of grids, clouds, systems, and services. 11th international conference, GECON 2014, Cardiff, UK, September 16–18, 2014. Revised Selected Papers (Vol. 8914, pp. 19–35). Lecture Notes in Computer Science. Springer International Publishing. ISBN: 978-3-319-14608-9. Scholar
  42. Khajeh-Hosseini, A., Greenwood, D., Sommerville, I. (2010). Cloud migration: a case study of migrating an enterprise IT system to IaaS. In IEEE 3rd international conference on cloud computing (CLOUD) (pp. 450–457). IEEE. ISBN: 978-1-4244-8207-8.
  43. Kharb, L. (2016). Automated deployment of software containers using dockers. International Journal of Emerging Technologies in Engineering Research (IJETER), 4(10), 1–3. ISSN: 2454- 6410.Google Scholar
  44. Klass, A.B. (2006). Modern public trust principles: recognizing rights and integrating standards. Notre Dame Law Review, 82(2), 699–754. ISSN: 0745-3515.Google Scholar
  45. Koch, F., de Assunção, M.D., Netto, M.A.S. (2012). A cost analysis of cloud computing for education. In K. Vanmechelen, J. Altmann, O.F. Rana (Eds.), International conference on grid economic and business models. 9th international conference, GECON 2012, Berlin, Germany, November 27–28, 2012. Proceedings. Lecture notes in computer science (Vol. 7714, pp. 182–196). Berlin: Springer. ISBN: 978-3-642-35193-8. Scholar
  46. Kozina, M. (2009). COBIT - ITIL mapping for business process continuity management. In B. Auer, M. Bača, K. Rabuzin (Eds.), Proceedings of the 20th central European conference on information and intelligent systems (pp. 113–119). Varaždin: University of Zagreb, Faculty of Organization and Informatics.Google Scholar
  47. Kumar Garg, S., Versteeg, S., Buyya, R. (2013). A framework for ranking of cloud computing services. Future Generation Computer Systems, 29(4), 1012–1023.CrossRefGoogle Scholar
  48. Kuyoro, S.O., Ibikunle, F.A., Awodele, O. (2011). Cloud computing security issues and challenges. International Journal of Computer Networks, 3(5), 247–255.Google Scholar
  49. Laprie, J.-C., & Kanoun, K. (1996). Software reliability and system reliability. In M.R. Lyu (Ed.), Handbook of software reliability engineering, Chap. 2 (pp. 27–69). New York: McGraw-Hill.Google Scholar
  50. Lee, J.Y., Lee, J.W., Cheun, D.W., Kim, S.D. (2009). A quality model for evaluating software-as-a-service in cloud computing. In Proceedings of the 7th ACIS international conference on software engineering research, management and applications (SERA) (pp. 261–266). IEEE.Google Scholar
  51. Liu, F., Tong, J., Mao, J., Bohn, R., Messina, J., Badger, L., Leaf, D. (2011). NIST cloud computing reference architecture. Recommendations of the National Institute of Standards and Technology SP 500-292. Gaithersburg: National Institute of Standards and Technology.Google Scholar
  52. Louwers, E.-J. (2013). Continuity in the Cloud: new practical solutions required. ITechLaw 2013 European Conference.Google Scholar
  53. Ludwig, H., Keller, A., Dan, A., King, R. P., & Franck, R. (2003). Web Service Level Agreement (WSLA) language specification. 1.0. IBM Corporation, New York (Accessed 3 Nov 2016).
  54. Lyu, M.R. (Ed.). (1996). Handbook of software reliability engineering. Hightstown: McGraw-Hill. ISBN: 0-07-039400-8.Google Scholar
  55. Machado, G.S., Hausheer, D., Stiller, B. (2009). Considerations on the interoperability of and between cloud computing standards. In: 27th open grid forum (OGF27), G2C-Net workshop: from grid to cloud networks. Banff: OGF.Google Scholar
  56. Maurer, M., Emeakaroha, V.C., Brandic, I., Altmann, J. (2012). Cost-benefit analysis of an SLA mapping approach for defining standardized Cloud computing goods. Future Generation Computer Systems, 28(1), 39–47. ISSN: 0167-739X. Scholar
  57. McKendrick, J. (2013). What to do in case your cloud provider falls off the grid. (Accessed 3 Nov 2016).
  58. Mezrich, J L. (2001). Source code escrow: an exercise in futility? In Marquette intellectual propetry law review 5 (pp. 117–131). ISSN: 1092-5899.Google Scholar
  59. Mills, L.H. (2009). Legal issues associated with cloud computing. (Accessed 3 Nov 2016).
  60. Năstase, P., Năstase, F., Ionescu, C. (2009). Challenges generated by the implementation of the IT standards COBIT 4.1, ITIL V3 and ISO/IEC 27002 in Enterprises. In Economic computation & economic cybernetics studies & research (Vol. 3, pp. 5–20). ISSN: 1842-3264.Google Scholar
  61. Paja, E., Dalpiaz, F., Giorgini, P. (2014). STS-Tool: security requirements engineering for socio-technical systems. In M. Heisel, W. Joosen, J. Lopez, & F. Martinelli (Eds.), Engineering secure future internet services and systems. Lecture Notes in Computer Science (Vol. 8431, pp. 65–96). Berlin: Springer International Publishing.CrossRefGoogle Scholar
  62. Pandey, R.S., & Chaudhary, B. (2008). A cost model for participating roles based on choreography semantics. In Proceedings of the IEEE Asia-pacific services computing conference (APSCC) (pp. 277–283). IEEE. ISBN: 978-0-7695-3473-2.
  63. Pappous, P.A. (1985). The software escrow: the court favorite and bankruptcy law. Santa Clara High Technology Law Journal, 1(2), 309–326.Google Scholar
  64. Peltz, C. (2003). Web services orchestration and choreography. Computer, 36(10), 46–52.CrossRefGoogle Scholar
  65. Pettey, C., & van der Meulen, R. (2009). Gartner says cloud consumers need brokerages to unlock the potential of cloud services. (Accessed 3 November 2016).
  66. Roa Martínez, N.A. (2011). Viernes Negro. Estudios Gerenciales, 27(120), 227–249. ISSN: 0123-5923. Scholar
  67. Rochwerger, B., Breitgand, D., Levy, E., Galis, A., Nagin, K., Llorente, I.M., Montero, R., Wolfsthal, Y., Elmroth, E., Cáceres, J., Ben-Yehuda, M., Emmerich, W., Galán, F. (2009). The reservoir model and architecture for open federated cloud computing. IBM Journal of Research and Development, 53(4), X:1–X:11.CrossRefGoogle Scholar
  68. Roman, G.-C. (1985). A taxonomy of current issues in requirements engineering. Computer, 18(4), 14–23.CrossRefGoogle Scholar
  69. Sahai, A., Machiraju, V., Sayal, M., vanMoorsel, A., Casati, F. (2002). Automated SLA monitoring for web services. In M. Feridun, P. Kropf, G. Babin (Eds.), Management technologies for E-commerce and E-business applications. Lecture notes in computer science (Vol. 2506, pp. 28–41). Berlin: Springer.CrossRefGoogle Scholar
  70. Sahibudin, S., Sharifi, M., Ayat, M. (2008). Combining ITIL, COBIT and ISO/IEC 27002 in order to design a comprehensive IT framework in organizations. In Proceedings of the second asia international conference on modeling & simulation (AICMS) (pp. 749–753). IEEE. ISBN: 978-0-7695-3136-6.
  71. Sallé, M. (2004). IT service management and IT governance: review, comparative analysis and their impact on utility computing. Tech. rep. HPL-2004-98. Palo Alto: HP Laboratories.Google Scholar
  72. Sauvé, J., Santos, R., Rebouças, R., Moura, A.A., Bartolini, C. (2008). Change priority determination in IT service management based on risk exposure. IEEE Transactions on Network and Service Management, 5(3), 178–187. ISSN: 1932-4537. Scholar
  73. Scott, J. (1981). The probability of bankruptcy: a comparison of empirical predictions and theoretical models. Journal of Banking & Finance, 5(3), 317–344.CrossRefGoogle Scholar
  74. Secteur Financier (CSSF), C. de Surveillance du (2017). Circular CSSF 17/654. (Accessed 10 June 2017).
  75. Tassey, G. (2000). Standardization in technology-based markets. Research Policy, 29(4–5), 587–602. ISSN: 0048-7333. Scholar
  76. Thibodeau, P. (2013). One in four cloud providers will be gone by 2015. (Accessed 3 Nov 2016).
  77. Tordssona, J., Montero, R.S., Moreno-Vozmediano, R., Llorente, R. (2012). Cloud brokering mechanisms for optimized placement of virtual machines across multiple providers. Future Generation Computer Systems, 28(2), 358–367.CrossRefGoogle Scholar
  78. van de Zande, T., & Jansen, S. (2011). Business continuity solutions for SaaS customers. In B. Regnell, I. van de Weerd, O. De Troyer (Eds.), Software business. Lecture Notes in Business Information Processing (Vol. 80, pp. 17–31). Berlin: Springer.Google Scholar
  79. Van Hoboken, J., Arnbak, A., Van Eijk, N. (2013). Obscured by clouds or how to address governmental access to cloud data from abroad. In Proceedings of the 6th annual privacy law scholars conference (PLSC).Google Scholar
  80. van Moorsel, A. (2001). Metrics for the internet age: quality of experience and quality of business. In Proceedings of the 5th international workshop on performability modeling of computer and communication systems (PMCCS).Google Scholar
  81. Venkatraman, A. (2013). 2e2 datacentre administrators hold customers’ data to £ 1m ransom. (Accessed 3 Nov 2016).
  82. Vrable, M., Savage, S., Voelker, G.M. (2009). Cumulus: filesystem backup to the cloud. ACM Transactions on Storage, 5(4), 14:1–14:28. ISSN: 1553-3077. Scholar
  83. Wan, S. (2009). Service impact analysis using business continuity planning processes. Campus-Wide Information Systems, 26(1), 20–42. ISSN: 1065-0741. Scholar
  84. Weber, R.H., & Staiger, D.N. (2014). Cloud computing: a cluster of complex liability issues. Web Journal of Current Legal Issues, 20(1).Google Scholar
  85. Weitzel, T., Beimborn, D., König, W. (2006). A unified economic model of standard diffusion: the impact of standardization cost, network effects, and network topology. MIS Quarterly (Special Issue on Standard Making), 30, 489–514. ISSN: 2162– 9730.Google Scholar
  86. Wieder, P., Butler, J.M., Theilmann, W., Yahyapour, R. (Eds.). (2011). Service level agreements for cloud computing. New York: Springer Science+Business Media, LLC.Google Scholar
  87. Yu, E.S. (1997). Towards modelling and reasoning support for earlyphase requirements engineering. In Proceedings of the 3rd IEEE international symposium on requirements engineering (RE) (pp. 226–235). IEEE.Google Scholar
  88. Zo, H., Nazareth, D.L., Jain, H.K. (2007). Measuring reliability of applications composed of web services. In Proceedings of the 40th Hawaii international conference on system sciences (HICSS). IEEE.Google Scholar

Copyright information

© Institute of Applied Informatics at University of Leipzig 2018

Authors and Affiliations

  1. 1.Interdisciplinary Center for Security, Reliability and Trust (SnT)Université du LuxembourgLuxembourgLuxembourg
  2. 2.LuxTrustLuxembourgLuxembourg
  3. 3.Commission de Surveillance du Secteur Financier (CSSF)LuxembourgLuxembourg

Personalised recommendations