Cloud Trust assessment

Yuri Bobbert and Reda Jaaouani | April 26, 2023

It is well known that cloud computing delivers business value through economies of scale and flexibility. Organizations across Europe have adopted cloud technologies to drive innovation and deliver digital services to European citizens. At the same time, businesses and governments want to preserve their security and digital sovereignty against foreign interference, so proper due diligence is needed before contracting with a foreign cloud provider.

Background

In March 2018, the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into law. It amended U.S. law so that U.S. law enforcement can compel providers subject to U.S. jurisdiction to produce data in their possession, custody or control regardless of where that data is stored, a step that drew widespread criticism from the international community. Its stated purpose was to give U.S. authorities timely access to electronic evidence held by communications service providers in criminal investigations, including terrorism cases, in order to protect U.S. public safety; it also created a framework for bilateral agreements on cross-border access to such data.

The presence of advanced technologies, a growing appetite for personal data, and uncertainty about the conduct of Cloud Service Providers (CSPs) have raised the stakes of trust to the point that 'competing on trust' has become a differentiating feature, and have heightened concerns about the security and privacy of data. This calls for additional scrutiny and improvement of existing cloud assessments, and for examining how they can keep up with future needs. One such need is stricter management of the authorizations that give users access to critical data and workloads in the cloud, especially when organizations run hybrid clouds. These so-called Cloud Infrastructure Entitlement Management (CIEM) practices are becoming important to regulate cloud usage and to enforce the Zero Trust principle of least privilege across cloud infrastructures[1].
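To make the entitlement-management point concrete, the following is an added Python example (not from the article, and not part of the authors' trust assessment) showing the two checks CIEM tooling typically performs on a cloud identity's permissions: flagging statements that grant wildcard actions or resources, and comparing granted actions against actions actually observed in an audit trail so unused grants can be removed. The policy document and the audit events are constructed samples in AWS IAM / CloudTrail style; the mapping from `eventSource` to a service prefix is a simplification assumed for the example.

```python
"""Added example: least-privilege checks over an IAM-style policy.

Two checks of the kind CIEM practices rely on:
  1. find_overbroad_statements(): Allow statements with wildcard actions/resources.
  2. unused_actions(): granted actions never seen in an audit trail.
"""
import json

# Constructed sample policy (not from the article). One statement is a blanket
# admin grant, one writes to any bucket, one is scoped to a single bucket, and
# one is an explicit Deny (which only narrows access and is not a finding).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3WriteAnyBucket", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::*"},
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Sid": "DenyBucketDeletion", "Effect": "Deny",
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

# Constructed sample audit events in CloudTrail style: only two actions were
# ever exercised by this identity.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
]


def _as_list(value):
    """IAM allows a single string/object or a list in several fields."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _is_wildcard_action(action):
    return action == "*" or action.endswith(":*")


def _is_wildcard_resource(resource):
    # "*" or an ARN whose last component is "*" (e.g. arn:aws:s3:::*) covers every
    # resource of a service; a path-scoped "bucket/*" is not treated as wildcard.
    return resource == "*" or resource.endswith(":*")


def find_overbroad_statements(policy_json):
    """Return [{'sid': ..., 'reasons': [...]}, ...] for each Allow statement
    that grants wildcard actions and/or wildcard resources."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; they are never over-broad.
        reasons = []
        if any(_is_wildcard_action(a) for a in _as_list(stmt.get("Action"))):
            reasons.append("wildcard action")
        if any(_is_wildcard_resource(r) for r in _as_list(stmt.get("Resource"))):
            reasons.append("wildcard resource")
        if reasons:
            findings.append({"sid": stmt.get("Sid"), "reasons": reasons})
    return findings


def granted_actions(policy_json):
    """Set of action strings granted by Allow statements (wildcards included)."""
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return granted


def unused_actions(policy_json, events):
    """Granted, non-wildcard actions that never appear in the audit events.

    Assumption: an event maps to '<service>:<eventName>' where <service> is the
    first label of eventSource (s3.amazonaws.com -> s3). Wildcard grants are
    excluded here because they must be expanded before they can be compared.
    """
    observed = {
        f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events
    }
    unused = {a for a in granted_actions(policy_json)
              if not _is_wildcard_action(a) and a not in observed}
    return sorted(unused)


if __name__ == "__main__":
    for f in find_overbroad_statements(SAMPLE_POLICY):
        print(f"over-broad: {f['sid']} ({', '.join(f['reasons'])})")
    print("never used:", unused_actions(SAMPLE_POLICY, SAMPLE_EVENTS))
```

On the sample policy the first check reports `AdminEverything` (wildcard action and resource) and `S3WriteAnyBucket` (wildcard resource), and the second reports `s3:DeleteObject` as granted but never exercised. In practice the same two results drive the rightsizing step: wildcard statements are replaced by enumerated actions on named resources, and grants with no observed use over the review window are removed.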

Despite the risks of using U.S. clouds, the three primary beneficiaries of the move to the cloud in Europe, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), are all American companies[2]. Together they hold about 65% of the worldwide market. Without European competitors of comparable scale (OVHcloud holds less than 1% of the market), the EU loses influence in the digital sphere. The main question is: how can EU organizations prepare and equip themselves to work with international BigTech cloud providers while preserving their national interests and sovereignty?

Why relevant

The public sector handles a great deal of personal and confidential data. Private companies handle intellectual property and trade secrets that are of high interest to cyber criminals and to espionage. However, the dominant cloud service providers are not European; consequently, these CSPs must comply with extraterritorial laws that may act against European interests. This is regarded as a threat to EU sovereignty, as highlighted in the recent Cybersecurity Council advisory report[3]. As a result, most of the public sector does not implicitly trust CSPs with access to its data.

A study by Opara-Martins et al. showed that most companies do not fully understand cloud providers' contractual terms: only 3% of the surveyed companies said they understood the terms and conditions perfectly. Consequently, most enterprises migrating to the cloud are unaware of the vendor lock-in risk they inherit with the cloud environment. The same study recommended that organizations clearly define what lock-in means for them before assessing and evaluating the risk of lock-in. Vendor lock-in, data sovereignty and strategic technology autonomy are therefore genuine boardroom concerns.

Our recent research project at Antwerp Management School addresses these issues by examining the question, "How can organizations leverage the Public Cloud Provider's contextual attributes to assess and score their trustworthiness?" We interviewed many global experts to establish a Trust Index of 64 trust factors that organizations should consider both when acquiring cloud services and when exiting a cloud collaboration, e.g., data portability and deletion.

Results

Our research resulted in a global cloud assessment with a core index of 64 trust factors that can help organizations evaluate a cloud provider's trustworthiness. The evaluation can be used to qualify CSPs to deliver critical services to European organizations, including the public sector and critical infrastructure. By distilling these factors, organizations have an instrument they can benefit from immediately during the decision-making process and later during the exit process. Regulators can use the assessment to judge the trustworthiness of a CSP against their industry regulations, such as NIS2, GDPR and the Digital Operational Resilience Act.

Cloud providers operate in a complex and ever-changing (contextual) environment. Trust assessments therefore need to be continuous and, because of the impact on multiple stakeholders, a collective (collaborative) process. The established trust assessment covers the period before and during the contract with the cloud provider, with factors ranging from legal requirements to security, privacy and data localization. The assessment ideally takes place in a collaborative setting. During our research, we used the Group Support System Meetingwizard to exchange knowledge items, reach consensus on the decisions and, finally, document the arguments. From this research, we conclude:

- The European public sector has no agreed definition of trust in public cloud service providers. Consequently, it has no common language, interpretation or framework to assess and rate the trustworthiness of public cloud service providers.
- The assessment can be used by other industries besides the public sector.
- The developed assessment delivers a structured way of working that can be applied by companies that are considering moving to the cloud but want, among other things, to ensure data sovereignty.
- Trustworthiness of a CSP is challenging to measure. However, we have shown that it can be measured and scored in a structured and repeatable way.

As a result, we established a Cloud Service Provider Trust Assessment that scores the trustworthiness of CSPs and presents new insights from multiple angles for the core top 10 factors. This top 10 is an extract of the complete assessment of 64 indicators, categorized as Must Do and Must Know. The full list of 64 can be requested from the authors (request the table: info@meetingwizard.nl).

Conclusions

More and more countries, agencies and organizations have started raising questions about data sovereignty and the role of BigTech companies in our own IT autonomy. The Dutch Cyber Security Council advises the Ministry of Justice: "Within domains where there are undesirable dependencies on foreign parties, strengthen the requirements for the development and origin of ICT solutions, such as in procurement and tendering processes." Our research and the resulting cloud assessment offer just that. It supports procurement and legal departments in assessing a CSP, and it helps the parties involved reach a collective decision on how they want to enter a cloud contract and how they want to exit it in case of a dispute with the cloud service provider.

About the authors

Reda Jaaouani MSc is a researcher at Antwerp Management School and Information Security Officer at the European Commission.

Prof. Yuri Bobbert PhD is Professor of Information Systems at Antwerp Management School and co-founder of Meetingwizard.

The full Cloud Trust Assessment is available via Reda Jaaouani at CL2R Advisory BV.



Sources
- [1] 'Pentagon cloud service providers face zero-trust test': so-called red teams of ethical hackers from the National Security Agency will test the digital strength of the four cloud service providers (CSPs) Amazon, Google, Microsoft and Oracle to better understand zero-trust cybersecurity in commercial cloud environments.
- [2] 'Top 10 Cloud Service Providers Globally in 2023'.
- [3] Report 'Strategic Autonomy and Cybersecurity in the Netherlands' https://www.cybersecuritycouncil.nl/documents/reports/2021/02/17/report-strategic-autonomy-and-cybersecurity-in-the-netherlands

Additional sources
- The US. Congress, 'CLOUD ACT,' 2018. [Online]. Available: https://epic.org/privacy/cloud-act/cloud-act-text.pdf.
- Opara-Martins and Sahandi, 'Critical analysis of vendor lock-in and its impact on cloud computing migration: a business perspective,' J Cloud Comp 5, 2016.
- Bobbert, Y., & Mulder, H. (2016). Boardroom Dynamics. ISACA.
- Canedo, E. D. (2012). Trust Model for Private Cloud. IEEE.
- ENISA. (2009, November 20). Cloud Computing Benefits, risks, and recommendations for information security.Retrieved from ENISA: https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment/
- ENISA. (2020, December ). EUCS – Cloud Services Scheme. Retrieved from ENISA: https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme
- European Parliament. (2020, September). The CJEU judgment in the Schrems II case. Retrieved from https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
- European Commission. (2013, October 15). What does the Commission mean by secure Cloud computing services in Europe? Retrieved from European Commission: https://ec.europa.eu/commission/presscorner/detail/en/MEMO_13_898
- Illustrative artwork by Artificial Intelligence from Midjourney.com