1.1 Introduction

Trust. A word that, while commonly used, is a complex concept that means different things to different people in different contexts. Technology is no different. “We don’t trust the cloud” is a common phrase used to describe consumer or industry reluctance to adopt cloud computing. You will find it, or wording to the same effect, in numerous scholarly studies, industry surveys, and media, new and old. No matter what part of the economy, society, or world that you are in, you can find a report or survey suggesting that significant proportions of the public, businesses of all sizes, and the public sector do not or should not trust the cloud. Similarly, there are a myriad of, often conflicting, proposals and ‘solutions’ for overcoming trust issues in cloud computing. These include greater regulation, increased certification, stronger security, anonymity, trust by design, privacy by design, and so on. Indeed the importance of establishing trust in the cloud has been highlighted time and time again both in industry and academic discourse, with trust heralded as a solution to ease any concerns related to privacy and security on the cloud.

The objective of this book is to make some progress in teasing out what trust means in the context of cloud computing through a variety of lenses—psychology, law, ethics, information systems, and computing. The remainder of this chapter briefly introduces the trust literature including definitions and antecedents of trust. Next, we provide an overview of cloud computing and some of the reported trust-related barriers to cloud adoption and proposed solutions. Finally, we present a high-level framework for exploring assurance and accountability in the cloud.

1.2 Trust

Trust is generally defined as a willingness to accept vulnerability based on positive expectations of another party (Rousseau et al. 1998). This definition has two critical elements—first, the psychological state of willingness to be vulnerable which represents a volitional choice or decision (van der Werff et al. 2019a). Second, there are positive expectations of another party, which refers to the influence of proximal antecedents or drivers of trust. Thus far, the trust literature has focused predominantly on a relatively small subset of proximal trust antecedents known as trustworthiness (Baer and Colquitt 2018). Trustworthiness is an aggregate perception of the characteristics of another party along three sub-dimensions: ability, integrity, and benevolence (Mayer et al. 1995). These concepts have been applied within the context of technology and appear regularly in the information systems literature (see van der Werff et al. 2018 for a review). This section will provide an overview of several potential antecedents of trust in cloud computing organised into two broad categories: knowledge based antecedents, including trustworthiness, and heuristic antecedents.

1.2.1 Knowledge Based Antecedents

The two aspects of trustworthiness most commonly studied in the trust in technology literature are ability and integrity. Ability or competence refers to a perception that the other party possesses the skills and knowledge to complete the tasks expected. This aspect of trustworthiness is readily applicable to perceptions of technology in terms of its performance levels including accuracy, capability and functionality (McKnight et al. 2011; Söllner et al. 2016). That is, can this cloud service do what I need it to do well? Integrity generally refers to the perception that another party adheres to a set of principles that the trustor finds acceptable, acts honestly and fulfils their promises (Mayer et al. 1995; McKnight et al. 1998). In the technology environment, this concept has typically been translated as a perception of reliability and consistency in performance. For instance, will this cloud service do what I need it to do every time I use it? In this setting in particular, the conceptualisation of integrity is expanded to integrate aspects of predictability and the extent to which it is possible to anticipate the other party’s behaviour accurately (van der Werff et al. 2018). Interestingly, as they are applied in the computer science literature (see Chap. 7), these aspects of trustworthy cloud computing are sometimes portrayed as an objective feature of the technology rather than a more subjective user’s perception of the technology as the original trust theory intended. This difference has particularly important implications in situations where the decision maker is not a technology expert and so subjective perceptions of trustworthiness are likely to differ significantly from any objective reality.

The third aspect of trustworthiness, benevolence, has received less attention in the cloud computing literature. As a perception of the extent to which another party will act in your best interests, benevolence incorporates aspects of agency and motivation into calculations of trustworthiness. Does the other party want to act in my best interests? At the moment, cloud services are not likely to act with either agency or motivation and benevolence perceptions have been applied in this context as a perception of alignment between user needs and the technology’s purpose, helpfulness and responsiveness (McKnight et al. 2011; Söllner et al. 2016). However, while we may have some way to go before cloud services are automated to the point of agency, for many users anthropomorphisation of technology is common and perceptions of its motives and intentions are likely to play a role in trust decisions (Shank and DeSanti 2018).

1.2.2 Heuristic Antecedents

The use of knowledge based cues for trust is sometimes described as trust based on “good reasons” or rational decision making (Lewis and Weigert 1985, p. 970). However, a growing body of theoretical work and empirical evidence suggests that trust processes can be influenced by less rational antecedents and by beliefs about other related entities. The idea that such factors impact trust has gained traction over the last decade particularly in relation to trust in new or unknown other parties (e.g. Baer et al. 2018; Kramer and Lewicki 2010; McKnight et al. 1998) and trust in technology (e.g. McKnight et al. 2011). This section will briefly discuss four antecedents that may have a heuristic influence on trust in cloud computing: situational normality, aesthetics, structural assurances, and relational context.

The concept of situational normality was originally introduced to the trust literature by McKnight et al. (1998) who proposed that feeling like a situation was normal, familiar or as expected could be a powerful heuristic in building trust in unknown other parties. Since then, empirical evidence has repeatedly demonstrated the utility of situational normality as an antecedent of trust in organisations (Baer et al. 2018), e-commerce (Gefen 2000), recommendation agents (Komiak and Benbasat 2006) and software using speech (Lee 2010). The concept of situational normality is also readily observable in the context of cloud computing where cloud storage solutions integrate with other software on a user’s personal computer to make the transition from personal to cloud storage as normal and un-noteworthy as possible.

A second heuristic influence on trust is aesthetics. This cue for trust relies on the halo effect which began as a concept in the social psychology literature to describe how immediately observable positive attributes such as physical attractiveness influence perceptions of other attributes. It has since been applied to the trust literature and used to explain everything from the outcomes of elections (Todorov et al. 2005) and new employees trust in organisations (Baer et al. 2018) to trust in websites (Cyr et al. 2010) and mobile commerce (Li and Yeh 2010). Regardless of the referent, the general principle of aesthetics cues is that other parties who are seen as aesthetically appealing are also likely to be seen as trustworthy, particularly in the early stages of a relationship.

Structural assurance is a cue for trust that is based less on a perception of the trust referent itself but more on a perception of the environment within which an interaction takes place. Kramer and Lewicki (2010) refer to this type of trust as rule based trust influenced by a perception that some form of checking or restraint in the environment will prevent another party from acting in a way that is not trustworthy. Again this concept, has proved useful in understanding trust in technology and evidence suggests that the effectiveness of regulatory and assurance systems can influence consumer trust in technology (e.g. Gefen and Pavlou 2006).

The final cue that has received attention in the literature also relates to the wider context of the trust relationship. Recent theory suggests that the immediate relational context plays a significant role in creating trust motivation or a desire to trust another party on the basis of the social function of the relationship (van der Werff et al. 2019a). In essence, if a technological artefact fulfils an important role for us in terms of depending on it to do something necessary, enjoying interacting with it or seeing it as being in line with our identity and personal values, we are more likely to trust it. Many relationships take place in a wider context or chain of interrelated parties. A growing body of evidence suggests that information about parties at another level in that chain can be used as a cue for trust (De Cremer et al. 2018; Lipponen et al. 2020) and that trust in one party can be transferred to referents at another level (Stewart 2003). It is likely in the technology context that information regarding other parties in a chain and the trust this information engenders can lead to trust in other parties.

1.3 Cloud Computing

Despite its ubiquity, cloud computing, as we know it today, is a recent phenomenon. It is hard to relate to the idea that when a company known for selling books online, Amazon, launched Amazon Web Services in 2006, it would help create a public cloud computing market worth nearly US$200 billion by 2019 (IDC 2019). In its most widely referenced definition, NIST define cloud computing as:

…model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. (Mell and Grance, p. 2)

For the most part, the cloud model defined by Mell and Grance and the subsequent cloud reference architecture introduced by Liu et al. (2011) continue to be the basis of cloud computing industry. However, it would be wrong to say that cloud computing has not evolved. In particular, the emergence of the Internet of Things and Big Data, has led to the introduction and increasing adoption of a new service model, Function-as-a-Service, and two new computing paradigms, fog computing and edge computing (Lynn et al. 2017; Iorga et al. 2018). While further discussion is beyond the scope of this chapter, it is useful to be aware of these concepts and technology paradigms when considering trust and privacy issues, not only in this chapter but throughout the book. It is also important to note that these are not the only developments in cloud computing but the most influential at the time of writing. Table 1.1 below provides a brief definition of these some of the key concepts in cloud computing.

Table 1.1 Definitions of key concepts in cloud computing

The essential characteristics of cloud computing, provide a wide range of benefits to businesses including increased infrastructure reliability and scalability (up and down), improved cashflow through reduced capital expenditure (CapEx) and operational expenditure (OpEx), as well providing competitive capabilities through increased agility, faster time-to-market, and new revenue streams (Lynn 2018). The induced effect for consumers is better quality of service and quality of experience, at lower or no financial cost. In the last two decades, advances in the coverage, speed, and reliability of global telecommunications networks has made the large scale outsourcing of information systems a reality. Consequently, more and more organisations are migrating from on-premise infrastructure to the cloud to focus on their core capabilities and to exploit potential IT efficiencies and business agility offered by the cloud (Kim 2009).

1.4 Trust Barriers to Cloud Adoption

Cloud computing is a form of outsourcing where organisations, and indeed albeit at a smaller scale, consumers, outsource some or all of their IT infrastructure (hardware, software, networks etc.) to one or more cloud service providers (CSP) on a metered basis. In return for fees, the CSP agrees to provide access to the cloud service at agreed service levels, typically contained in a Service Level Agreement (SLA).

Like all outsourcing, the decision to adopt cloud computing involves organisations assuming four main risks—relational, performance, compliance and regulatory, technological risks. Relational risk typically involves poor cooperation and opportunistic behaviour (Das and Teng 1996). As a by-product of both the on-demand nature of cloud computing and dominance of a relatively small number of hyperscale CSPs, standard form contracts are commonplace. Only the largest customers or those customers a CSP considers strategic, for example governments, have room to negotiate terms, or to develop a personal relationship with these providers. In the absence of a personal relationship, cloud computing relies largely on rule- or calculus-based trust, represented by these agreements. As will be discussed later in Chap. 2, not only do cloud computing contracts typically favour the service provider but cloud customers can find themselves locked-in from a technical perspective and dependent on the CSP for business continuity with important implications for trust.

Historically, performance risk has been the primary concern with cloud computing as evidenced by the focus of industry and scholars on service levels and SLAs. Clearly, availability and access are critical if one outsources IT infrastructure to the cloud. This is often further complicated by uncertainty related to the functioning of the cloud services, transparency on how service levels are calculated and of the underlying cloud systems and associated system data, and exceptions included in cloud contracts. Again, given the disparity in dependence and impact in the vendor-customer relationship, the risk of failure is significantly higher on the part of the customer.

The third risk, compliance and regulatory risk is where a customer fails to adhere to regulatory standards due to the provider’s errors (Anderson et al. 2014). Increasingly but not exclusively, the primary barriers to cloud adoption, by organisations and consumers alike, relate to data, and more specifically the location, integrity, portability, security and privacy of data (Lynn et al. 2014; Leimbach et al. 2014; Eurostat 2016). Cloud computing is a largely location-independent technology and is built on a chain of service provision which is largely opaque to the customer. Data may be stored, processed, and transported across borders, and/or come in to contact with a wide range of partners, without the knowledge of the customer. Furthermore, CSPs, no matter what size are not immune from security vulnerabilities. Each service model, deployment model, and architecture, and combination and configuration thereof has its own discrete set of security issues. For SaaS models alone, Subashini and Kavitha (2011) identify 14 security elements that need to be considered independently of the PaaS and IaaS infrastructure upon which these are situated. At and within each layer, different parties may be responsible and accountable for the security of different elements. This is particularly pertinent in the context of data protection laws, such as the General Data Protection Regulation (GDPR), where misuse or mismanagement of data can result in significant fines and penalties, independent of the loss of reputation, and potential loss of corporate value associated with data and other security breaches (Goel and Shawky 2009).

Against this backdrop and in the absence of a personal relationship or knowledge, prospective customers and users of the cloud are faced with a relatively stark choice: To stay or go. The former involves assuming the risk laid out, relying on the contracts provided, and the competence, benevolence, and integrity of the CSP, while mitigating risks by other means, if possible or desirable. The alternative is to forego the benefits of the cloud altogether.

1.5 Existing Approaches to Overcoming Trust Barriers to Cloud Adoption

In addition to contracts, a variety of trust-building mechanisms have been proposed by policymakers, industry, and scholars. These include regulation, standardization, certification, communication, and technological innovation. For over a decade, the European Commission has sought to mitigate the impact of the risks outlined above through the activities leading to and from the 2012 European Cloud Strategy (European Commission 2012) and subsequent initiatives including the new European digital strategy, Shaping Europe’s Digital Future (European Commission 2020). In addition to the GDPR, consumer protection regulations are in place to protect them from behaviour and contracts prejudicial to their consumer rights (see Chap. 2). Similarly, there have been numerous efforts to support standards not only for cloud system interoperability and data portability, but also for SLAs (see for example C-SIG-SLA 2014), however these are not mandatory. More recently, there has been a renewed focus on certification as a means of assurance.

Assurance involves expert practitioners evaluating an CSP against agreed criteria to improve the degree of confidence of intended users. In effect, this involves a cloud service provider redesigning their security and management processes to meet the requirements of a certification scheme, and then being audited by an independent third party to assess compliance periodically (Tecnalia 2016). This approach provides an opportunity for rule-based trust to develop and, in situations where the providers of the certification are trusted, the potential for trust transfer to occur. In a report for the European Commission published in 2018, Tecnalia identified over 20 such schemes, the most popular being compliance with ISO 27001; others included CSA Star, PCI-DSS, ENISA-CCM and the SOC (ISAE-3402) (Tecnalia 2016). A major limitation of the certification approach is the timeliness and the depth of the audit. In-depth audits may only take place every three years with light-touch reviews annually. Similarly, given the complexity of cloud computing, the level of detail that a certification or an auditor can go to is limited.

Three common methods are used to communicate trust in CSPs—website design, feedback mechanisms, and third party endorsements (Lynn et al. 2016). There is a substantial body of literature on the direct and indirect impact of visual website appearance on trust including colour choice and design symmetry which represent powerful heuristic cues for trust. However, aesthetic preferences in website design tend to vary across demographic characteristics and thus may have limited practical utility for CSPs trying to communicate trust (Cyr et al. 2010; Tuch et al. 2010). Feedback mechanisms or reputation systems are an increasingly popular alternative mechanism for communicating trust. As cloud and API marketplaces have emerged, such as Salesforce AppExchange, Microsoft Azure Marketplace and RapidAPI, so too have market-driven feedback systems within these marketplaces. Ratings, reviews, and vendor ecosystem status all act as a signal to consumers that the vendor has an incentive to behave in an appropriate manner and that they have been informally certified by previous consumers (Pavlou and Gefen 2004). Again, these mechanisms are likely to impact trust by providing a level of structural assurance and cues regarding the rules governing trustworthy behaviour. Independently of the cloud sector, a plethora of general reputation and review systems, such as Feefo and Trust Pilot, have emerged in recent years that seek to provide prospective customers, both business-to-business (B2B) and business-to-consumer (B2C), with similar signals on an independent basis by aggregating ratings, surveys and reviews (Banerjee et al. 2020). Increasingly, these are integrated not only in to a vendor’s website but into search engine ranking algorithms, providing additional incentives for vendors to behave. Notwithstanding their widespread and increasing use, feedback and reputation systems have been criticised for their vulnerability to false, manipulated or biased feedback (Sabater and Sierra 2005).

A third approach to communicating trust in CSPs involves the use of assurance seals or trustmarks that combine certification and communication to dispel consumer concerns about risk and communicate adherence with best practice, a code of conduct, or certification scheme using a third-party mark or symbol (Aiken and Boush 2006). Like certification, trustmark holders are typically subject to periodic third party verification. However, in addition to recognition and lack of information depth, trustmarks suffer from the same limitations as certification in general. They have been criticised for reliance on human intervention, limited scope, timeliness, lacking warranties, and subject to co-optation risk (Aiken et al. 2003).

Technological innovation to build trust in cloud computing largely revolves around designing clouds that meet the three pillars of trustworthy computing—security and privacy, reliability, and business integrity (Mundie et al. 2002). Chapter 7 discusses this topic in detail. It is important to note, however, that technical innovation in trustworthy computing overwhelmingly focuses on the first two pillars, security and privacy, and reliability. Research on the former focuses on the provision of effective attack resilient systems, typically using encryption techniques of increasing strength and complexity. Reliability research focuses on the design, monitoring, and measurement of highly reliable systems. Both domains are largely hidden from end-users. Business integrity is more nuanced and suffers from a lack of inter-disciplinary research. As such, it focuses largely on monitoring key service level metrics and ranking services based on this data. One of the main limitations of purely technological approaches, is that by and large, customers are human. Their decisions to trust are based on a vast array of conscious and subconscious signals that are often forgotten about in purely technological approaches and solutions.

In attempt to address this gap and marry the various approaches to mitigating trust issues in cloud computing, we have previously proposed an active dynamic online trust label (Lynn et al. 2014; Lynn et al. 2016; Emeakaroha et al. 2016; van der Werff et al. 2019b). Inspired by nutritional labels, these labels present consumers with corporate information, policies, and historic and near real-time service level metrics based on data from CSP monitoring systems (Emeakaroha et al. 2016). The system can allow for third party independent certification and could allow for corporate attestation using digital signatures. Based on an experimental study with 227 business decision makers, the proposed cloud trust label communicated trustworthiness effectively (van der Werff et al. 2019b). While these results are promising, such a system requires widespread support to be effective. Until then, it remains an academic exercise.

1.6 Assurance and Accountability Framework

In general, mechanisms to build trust in cloud computing fall in to two main categories—assurance and accountability. Standards, certification, and communication strategies seek to assure the consumers by providing cues of CSP competence, integrity, and benevolence, and to some extent consistency. Regulation and contractual mechanisms seek to hold CSPs accountable in the event of a trust violation. A key problem is that these initiatives are currently highly fragmented, with multiple initiatives by as many stakeholders, but no particular comprehensive, coordinated, and holistic framework of activity that provides direction for policy makers, users, cloud service providers, and indeed researchers.

Figure 1.1 below presents an integrated multi-stakeholder framework for assurance and accountability for cloud-based trust building. It extends the chain of accountability concept first proposed by Pearson and Wainwright (2013) to provide transparency and clarity on liability in the event of a data breach in the cloud. While Pearson and Wainwright (2013) envisaged a set of mechanisms for mitigating risk (preventative controls), monitoring and identifying risk and policy violations (detective controls), and providing redress (corrective controls), their approach is largely built on calculative trust-based model whereby accountability is both quantitative and absolute. The goal is to eliminate distrust or mitigate the negative impact of a trust violation. In effect, it is an ab initio pre-emptive trust repair approach.

Fig. 1.1
figure 1

An integrated multi-stakeholder framework for building and repairing trust in cloud computing based on assurance and accountability

In contrast, we propose, a more positive approach couched in theories of trust building and repair. The focus is on trust building mechanisms; trust repair mechanisms only initiate when a trust violation occurs. Based on our work in Lynn et al. (2014), we suggest that cloud consumers should have control of their data, how it is used, where it is used, and who should use it, and this should be auditable by all involved. They should have a say, if they want it, but as a default standard declarations should be weighed towards the best interests of the consumer, and neither prejudicial to consumer rights, nor contrary to government policy. As such, we propose that in addition to preventative controls, there are declarative controls where all parties can declare their policies and expectations irrespective of contracts or policies which seek to circumvent local laws and regulation. Furthermore, there are confirmative controls that report and alert stakeholders that these policies and expectations are being met. In this way, trust is not only being built on the basis on rules and transactions, but proactive mechanisms are in place so that knowledge-based trust is being built between all stakeholders. These two assurance based controls are necessities. Accountability mechanisms are contingent; they only come in to effect when a trust violation occurs. Furthermore, when initiated, these mechanisms are not mere objective features of the system but recognise the psychological impact of trust violation and largely follow accepted theory for repairing trust including immediate response, diagnosis, intervention performance, and evaluation (Gillespie and Dietz 2009). Specifically, the framework includes actions that are effective for repairing violations of different types of trust, whether competence-, benevolence- or integrity-based. The framework is technology-agnostic and in this way, can not only accommodate technological solutions to building and repairing trust, but new use cases and evolutions of cloud computing including the Internet of Things.

By recognising that policymakers and regulators, users and providers, have different priorities and perceptions of what trust means in the context of cloud computing, all stakeholders start on the basis of building trust rather than waiting for that trust to be violated. Ultimately, this should lead to greater understanding of the needs of different stakeholders, longer and deeper relationships, and innovation so that when a violation does occur, and it will, the relationship will be strong enough to survive.

1.7 Conclusions

This chapter introduces trust, cloud computing, and discusses some of the issues that present challenges to building trust in cloud computing, and wider and deeper adoption thereof. While there has been extensive work done to mitigate relational, performance, and compliance and regulatory risks, these initiatives are highly fragmented and lack cohesion. They are based on a conceptualisation of trust portrayed as an objective feature of cloud computing technology rather than either policymaker or user perceptions of trust. We suggest that all stakeholders in the cloud computing ecosystem need to come together and focus on how to build trust rather than focusing on what to do when there is a violation of trust, a reposition to assurance first, then accountability only when needed. To this end, we reiterate the need for an integrated multi-stakeholder approach to assurance and accountability, and related inter-disciplinary research to support the adoption of such approaches.