An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11980)


In the last ten years cloud computing has developed from a buzz word to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also goes with security concerns as it represents a form of IT outsourcing. We investigate how these concerns manifest as a decisive factor in cloud provider selection by interviews with eight practitioners from German companies. As only a moderate interest is discovered, it is further examined why this is the case. Additionally, we compared the results from a systematic literature survey on cloud security assurance to cloud customers’ verification of their providers’ security measures. This paper provides a qualitative in-depth examination of companies’ attitudes towards security in the cloud. The results of the analysed sample show that security is not necessarily decisive in cloud provider selection. Nevertheless, providers are required to guarantee security and comply. Traditional forms of assurance techniques play a role in assessing cloud providers and verifying their security measures. Moreover, compliance is identified as a strong driver to pursue security and assurance.


Cloud provider selection Security assurance Interviews 


  1. 1.
    Akerlof, G.A.: The market for “lemons”: quality uncertainty and the market mechanism. In: Uncertainty in Economics, pp. 235–251. Elsevier (1978)Google Scholar
  2. 2.
    Alhenaki, L., Alwatban, A., Alahmri, B., Alarifi, N.: Security in cloud computing: a survey. Int. J. Comput. Sci. Inf. Secur. (IJCSIS) 17(4), 67–90 (2019) Google Scholar
  3. 3.
    Anisetti, M., Ardagna, C.A., Damiani, E.: A certification-based trust model for autonomic cloud computing systems. In: 2014 International Conference on Cloud and Autonomic Computing, pp. 212–219 (2014)Google Scholar
  4. 4.
    Anisetti, M., Ardagna, C.A., Damiani, E.: A test-based incremental security certification scheme for cloud-based systems. In: 2015 IEEE International Conference on Services Computing, pp. 736–741 (2015)Google Scholar
  5. 5.
    Anisetti, M., Ardagna, C.A., Damiani, E., Gaudenzi, F., Veca, R.: Toward security and performance certification of open stack. In: 2015 IEEE 8th International Conference on Cloud Computing, pp. 564–571 (2015)Google Scholar
  6. 6.
    Anisetti, M., Ardagna, C.A., Gaudenzi, F., Damiani, E.: A certification framework for cloud-based services. In: Proceedings of the 31st Annual ACM Symposium on Applied Computing, SAC 2016, pp. 440–447. ACM (2016)Google Scholar
  7. 7.
    Ardagna, C.A., Asal, R., Damiani, E., Vu, Q.H.: From security to assurance in the cloud: a survey. ACM Comput. Surv. 48(1), 2:1–2:50 (2015)CrossRefGoogle Scholar
  8. 8.
    Ba, H., Zhou, H., Bai, S., Ren, J., Wang, Z., Ci, L.: jMonAtt: integrity monitoring and attestation of JVM-based applications in cloud computing. In: ICISCE, pp. 419–423 (2017)Google Scholar
  9. 9.
    Bleikertz, S., Mastelic, T., Pape, S., Pieters, W., Dimkov, T.: Defining the cloud battlefield - supporting security assessments by cloud customers. In: IC2E, pp. 78–87 (2013)Google Scholar
  10. 10.
    Briggs, B., Lamar, K., Kark, K., Shaikh, A.: Manifesting legacy: looking beyond the digital era. Technical report, 2018 Global CIO Survey, Deloitte (2018)Google Scholar
  11. 11.
    Casola, V., Benedictis, A.D., Rak, M., Villano, U.: SLA-based secure cloud application development: the SPECS framework. In: SYNASC, pp. 337–344 (2015)Google Scholar
  12. 12.
    CSA: Top threats to cloud computing v1.0. Technical report, Cloud Security Alliance (2010).
  13. 13.
    CSA: The notorious nine: cloud computing top threats in 2013. Technical report, Cloud Security Alliance (2013).
  14. 14.
    CSA: The treacherous 12 - cloud computing top threats in 2016. Technical report, Cloud Security Alliance (2016).
  15. 15.
    CSA: Top threats to cloud computing the egregious 11. Technical report, Cloud Security Alliance (2019).
  16. 16.
    Dax, J., et al.: IT security status of German energy providers (2017).
  17. 17.
    Deng, L., Liu, P., Xu, J., Chen, P., Zeng, Q.: Dancing with wolves: towards practical event-driven VMM monitoring. In: Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on VEE, pp. 83–96. ACM (2017)Google Scholar
  18. 18.
    Di Giulio, C., Kamhoua, C., Campbell, R.H., Sprabery, R., Kwiat, K., Bashir, M.N.: IT security and privacy standards in comparison: improving FedRAMP authorization for cloud service providers. In: CCGrid, pp. 1090–1099 (2017)Google Scholar
  19. 19.
    Di Giulio, C., Sprabery, R., Kamhoua, C., Kwiat, K., Campbell, R.H., Bashir, M.N.: Cloud standards in comparison: are new security frameworks improving cloud security? In: CLOUD, pp. 50–57 (2017)Google Scholar
  20. 20.
    Ferguson, J.: Bridging the gap between research and practice. Knowl. Manag. Dev. J. 1(3), 46–54 (2005)Google Scholar
  21. 21.
    Fernando, R., Ranchal, R., Bhargava, B., Angin, P.: A monitoring approach for policy enforcement in cloud services. In: CLOUD, pp. 600–607 (2017)Google Scholar
  22. 22.
    Ghutugade, K.B., Patil, G.A.: Privacy preserving auditing for shared data in cloud. In: CAST, pp. 300–305 (2016)Google Scholar
  23. 23.
    Gupta, P., Seetharaman, A., Raj, J.R.: The usage and adoption of cloud computing by small and medium businesses. Int. J. Inf. Manag. 33(5), 861–874 (2013)CrossRefGoogle Scholar
  24. 24.
    Haeberlen, T., Dupré, L.: Cloud computing - benefits, risks and recommendations for information security. Technical report, ENISA (2012)Google Scholar
  25. 25.
    Henze, M., et al.: Practical data compliance for cloud storage. In: 2017 IEEE International Conference on Cloud Engineering (IC2E), pp. 252–258 (2017)Google Scholar
  26. 26.
    Hetzenecker, J., Kammerer, S., Amberg, M., Zeiler, V.: Anforderungen an cloud computing Anbieter. In: MKWI (2012)Google Scholar
  27. 27.
    Ismail, U.M., Islam, S., Islam, S.: Towards cloud security monitoring: a case study. In: Cybersecurity and Cyberforensics Conference (CCC), pp. 8–14 (2016)Google Scholar
  28. 28.
    Jakhotia, K., Bhosale, R., Lingam, C.: Novel architecture for enabling proof of retrievability using AES algorithm. In: ICCMC, pp. 388–393 (2017)Google Scholar
  29. 29.
    Jansen, W., Grance, T.: SP 800-144. Guidelines on security and privacy in public cloud computing. Technical report, NIST (2011)Google Scholar
  30. 30.
    Jiang, T., Chen, X., Ma, J.: Public integrity auditing for shared dynamic cloud data with group user revocation. IEEE Trans. Comput. 65(8), 2363–2373 (2016)MathSciNetCrossRefGoogle Scholar
  31. 31.
    Kaaniche, N., Mohamed, M., Laurent, M., Ludwig, H.: Security SLA based monitoring in clouds. In: IEEE EDGE, pp. 90–97 (2017)Google Scholar
  32. 32.
    Kanstrén, T., Lehtonen, S., Savola, R., Kukkohovi, H., Hätönen, K.: Architecture for high confidence cloud security monitoring. In: IC2E, pp. 195–200 (2015)Google Scholar
  33. 33.
    Katopodis, S., Spanoudakis, G., Mahbub, K.: Towards hybrid cloud service certification models. In: IEEE International Conference on Services Computing, pp. 394–399 (2014)Google Scholar
  34. 34.
    Krotsiani, M., Spanoudakis, G.: Continuous certification of non-repudiation in cloud storage services. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 921–928 (2014)Google Scholar
  35. 35.
    Krutz, R.L., Vines, R.D.: Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Wiley, Hoboken (2010)Google Scholar
  36. 36.
    Kuckartz, U.: Qualitative Inhaltsanalyse: Methoden, Praxis, Computerunterstützung. Beltz Juventa (2016)Google Scholar
  37. 37.
    Kumar, R., Goyal, R.: On cloud security requirements, threats, vulnerabilities and countermeasures: a survey. Comput. Sci. Rev. 33, 1–48 (2019)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Lacity, M.C., Reynolds, P.: Cloud services practices for small and medium-sized enterprises. MIS Q. Exec. 13(1), 31–44 (2014)Google Scholar
  39. 39.
    Lang, M., Wiesche, M., Krcmar, H.: What are the most important criteria for cloud service provider selection? A Delphi study. In: ECIS (2016)Google Scholar
  40. 40.
    Lee, C., Kavi, K.M., Paul, R.A., Gomathisankaran, M.: Ontology of secure service level agreement. In: 2015 IEEE 16th International Symposium on High Assurance Systems Engineering, pp. 166–172 (2015)Google Scholar
  41. 41.
    Lins, S., Grochol, P., Schneider, S., Sunyaev, A.: Dynamic certification of cloud services: trust, but verify!. IEEE Secur. Priv. 14(2), 66–71 (2016)CrossRefGoogle Scholar
  42. 42.
    Lins, S., Schneider, S., Sunyaev, A.: Trust is good, control is better: creating secure clouds by continuous auditing. IEEE Trans. Cloud Comput. 6(3), 890–903 (2018)CrossRefGoogle Scholar
  43. 43.
    Lins, S., Thiebes, S., Schneider, S., Sunyaev, A.: What is really going on at your cloud service provider? Creating trustworthy certifications by continuous auditing. In: 48th HICSS, pp. 5352–5361 (2015)Google Scholar
  44. 44.
    Luna, J., Suri, N., Iorga, M., Karmel, A.: Leveraging the potential of cloud security service-level agreements through standards. IEEE Cloud Comput. 2(3), 32–40 (2015)CrossRefGoogle Scholar
  45. 45.
    Ma, M., Weber, J., van den Berg, J.: Secure public-auditing cloud storage enabling data dynamics in the standard model. In: DIPDMWC, pp. 170–175 (2016)Google Scholar
  46. 46.
    Mahesh, A., Suresh, N., Gupta, M., Sharman, R.: Cloud risk resilience: investigation of audit practices and technology advances-a technical report. Int. J. Risk Conting. Manag. (IJRCM) 8(2), 66–92 (2019)CrossRefGoogle Scholar
  47. 47.
    Majumdar, S., Madi, T., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M.: User-level runtime security auditing for the cloud. IEEE Trans. Inf. Forensics Secur. 13(5), 1185–1199 (2018)CrossRefGoogle Scholar
  48. 48.
    Meera, G., Geethakumari, G.: A provenance auditing framework for cloud computing systems. In: SPICES, pp. 1–5 (2015)Google Scholar
  49. 49.
    Mohammed, M.M.Z.E., Pathan, A.K.: International center for monitoring cloud computing providers (ICMCCP) for ensuring trusted clouds. In: IEEE 11th International Conference on Ubiquitous Intelligence and Its Associated Workshops, pp. 571–576 (2014)Google Scholar
  50. 50.
    More, S.S., Chaudhari, S.S.: Secure and efficient public auditing scheme for cloud storage. In: CAST, pp. 439–444 (2016)Google Scholar
  51. 51.
    Munoz, A., Mafia, A.: Software and hardware certification techniques in a combined certification model. In: SECRYPT, pp. 1–6 (2014)Google Scholar
  52. 52.
    Norman, D.A.: The research-practice gap: the need for translational developers. Interactions 17(4), 9–12 (2010)CrossRefGoogle Scholar
  53. 53.
    Nugraha, Y., Martin, A.: Towards the classification of confidentiality capabilities in trustworthy service level agreements. In: IC2E, pp. 304–310 (2017)Google Scholar
  54. 54.
    Pape, S., Pipek, V., Rannenberg, K., Schmitz, C., Sekulla, A., Terhaag, F.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber (2018).
  55. 55.
    Parasuraman, K., Srinivasababu, P., Angelin, S.R., Devi, T.A.M.: Secured document management through a third party auditor scheme in cloud computing. In: ICECCE, pp. 109–118 (2014)Google Scholar
  56. 56.
    Pasquier, T.F.J., Singh, J., Bacon, J., Eyers, D.: Information flow audit for PaaS clouds. In: IEEE IC2E, pp. 42–51 (2016)Google Scholar
  57. 57.
    Polash, F., Shiva, S.: Building trust in cloud: service certification challenges and approaches. In: 9th International Conference on Complex, Intelligent, and Software Intensive Systems, pp. 187–191 (2015)Google Scholar
  58. 58.
    Ramokapane, K.M., Rashid, A., Such, J.M.: Assured deletion in the cloud: requirements, challenges and future directions. In: CCSW, pp. 97–108. ACM (2016)Google Scholar
  59. 59.
    Rashmi, R.P., Sangve, S.M.: Public auditing system: improved remote data possession checking protocol for secure cloud storage. In: iCATccT, pp. 75–80 (2015)Google Scholar
  60. 60.
    Repschläger, J., Wind, S., Zarnekow, R., Turowski, K.: Developing a cloud provider selection model. In: EMISA (2011)Google Scholar
  61. 61.
    Rewadkar, D.N., Ghatage, S.Y.: Cloud storage system enabling secure privacy preserving third party audit. In: ICCICCT, pp. 695–699 (2014)Google Scholar
  62. 62.
    Rios, E., Mallouli, W., Rak, M., Casola, V., Ortiz, A.M.: SLA-driven monitoring of multi-cloud application components using the MUSA framework. In: IEEE 36th ICDCSW, pp. 55–60 (2016)Google Scholar
  63. 63.
    Rizvi, S.S., Bolish, T.A., Pfeffer III, J.R.: Security evaluation of cloud service providers using third party auditors. In: Second International Conference on Internet of Things, Data and Cloud Computing, pp. 106:1–106:6 (2017)Google Scholar
  64. 64.
    Ryoo, J., Rizvi, S., Aiken, W., Kissell, J.: Cloud security auditing: challenges and emerging approaches. IEEE Secur. Priv. 12(6), 68–74 (2014)CrossRefGoogle Scholar
  65. 65.
    Schneider, S., Lansing, J., Gao, F., Sunyaev, A.: A taxonomic perspective on certification schemes: development of a taxonomy for cloud service certification criteria. In: HICSS, pp. 4998–5007 (2014)Google Scholar
  66. 66.
    Sen, A., Madria, S.: Data analysis of cloud security alliance’s security, trust & assurance registry. In: ICDCN, pp. 42:1–42:10. ACM (2018)Google Scholar
  67. 67.
    Sotiriadis, S., Lehmets, A., Petrakis, E.G.M., Bessis, N.: Unit and integration testing of modular cloud services. In: AINA, pp. 1116–1123 (2017)Google Scholar
  68. 68.
    Stephanow, P., Khajehmoogahi, K.: Towards continuous security certification of software-as-a-service applications using web application testing techniques. In: AINA, pp. 931–938 (2017)Google Scholar
  69. 69.
    Thendral, G., Valliyammai, C.: Dynamic auditing and updating services in cloud storage. In: International Conference on Recent Trends in Information Technology, pp. 1–6 (2014)Google Scholar
  70. 70.
    Tung, Y., Lin, C., Shan, H.: Test as a service: a framework for web security TaaS service in cloud environment. In: 2014 IEEE 8th International Symposium on Service Oriented System Engineering, pp. 212–217 (2014)Google Scholar
  71. 71.
    Zhang, H., Manzoor, S., Suri, N.: Monitoring path discovery for supporting indirect monitoring of cloud services. In: IEEE IC2E, pp. 274–277 (2018)Google Scholar
  72. 72.
    Zhang, H., Trapero, R., Luna, J., Suri, N.: deQAM: a dependency based indirect monitoring approach for cloud services. In: IEEE SCC, pp. 27–34 (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Chair of Mobile Business and Multilateral SecurityGoethe University FrankfurtFrankfurtGermany

Personalised recommendations