20150427_dcu_trust in the cloud_dr. theo lynn

Trust and Cloud Computing Dr. Theo Lynn Irish Centre for Cloud Computing and Commerce Dublin City University Dublin 9, Ireland [email protected]

Upload: technology-ireland-innovation-forum-formerly-isin

Post on 12-Apr-2017


Trust and Cloud Computing

Dr. Theo Lynn

Irish Centre for Cloud Computing and Commerce

Dublin City University

Dublin 9, Ireland

[email protected]

Agenda

1. What is trust? How is it developed?

2. Can trust be recovered once breached? How?

3. Bringing trust, technology and the cloud together

The conscious regulation of one’s dependence on another (Zand, 1972)

Positive Perception & Expectation → Decision to accept vulnerability → Trust Behaviour

Context is important

What trust factors do we assess?

Ability

Benevolence

Integrity

Predictability?

Src: Mayer et al. 1995

Interpersonal Presumptive Trust Cues

Identity-based Trust Cues

Gender, race, accent, attire

We expect them to be more benevolent and reciprocal

Role-based Trust Cues

Training, Title, Reputation, Code of Ethics

We feel safer and have higher competence and integrity expectations

Rule-based Trust Cues (Assurance)

Org norms, Traditions, Practices, Semiotics

Increases predictability and integrity “oughts” and “likely-to-dos” in given situations

Src: Kramer & Lewicki, 2010

MESO: Organisational Level Cues

Src: Gillespie and Dietz, 2009

Internal components: Management Practice | Culture/Climate | Strategy | Structural Assurances

External components: External Governance | Public Reputation

Internal and external components together shape the Trustworthiness Perception

Trust Development

Stages, from the transactional base upwards:

Calculus-based trust: contracting, bureaucracy, transactional

Knowledge-based trust: relational, interdependence, knowledge sharing

Identification-based trust: collaboration, psychological safety, complete trust

Two movements run along these stages: Distrust Elimination/Management and Trust Building

Adapted from Lewicki & Bunker 1996; Dietz 2004

Trust in people and trust in technology is different

Object of Dependence          | People                  | Technology
Contextual Condition          | Risk                    | Risk
                              | Uncertainty             | Uncertainty
                              | Lack of total control   | Lack of total user control
Nature of Trustor's           | Ability (Competence)    | Functionality
Expectations                  | Benevolence             | Performance
                              | Predictability          | Helpfulness
                              | Integrity               | Purpose
                              |                         | Reliability
                              |                         | Process

Adapted from McKnight et al. (2011); Söllner et al. (2012); Mayer et al. (1995)

Trust Breach

Trust Violation → Shock, Surprise

Who is to blame? What was the reason?

a. Conscious?

b. Deliberate/intended?

c. Beyond their control?

Which aspect of trustworthiness does it breach?

a. Benevolence

b. Competence

What helps repair trust?

Apology (as against regret)

Sincere

Timing

Expressed as taking responsibility

Explanations

Credible

Willingness to take responsibility for rectifying situation

Endeavour to maintain goodwill

Reparations & Penance

Willingness to endure penance

Victim role in defining the terms/extent.

Structural Solutions

New Rules/Regulations

Monitoring Systems

New Monitoring/Regulating Roles

“Hostage Posting”

Significant punishments

Effective in competence-based violations

Deter or punish future trust violation

Steps in Organisational Trust Repair

Immediate Response

• Vendor acknowledgement | Commitment to investigation | Regret

• Action against known causes

Diagnosis

• Accurate

• Timely

• Transparent

Performing Interventions

• Verbal apology and reparations as appropriate

• Action based on diagnosis

Evaluation

• Accurate

• Timely

• Transparent

Src: Gillespie and Dietz, 2009

[Figure: Process of Trust Repair and Role of Accountability. Starting from a Trust Violation, the outcome is plotted against two yes/no questions, Willingness to Repair and Trust Restoring Activity. (No, No) leads to Relationship Deterioration; (Yes, Yes) leads to Trustworthiness Rebuilt; (Yes, No) and (No, Yes) are the mixed cases between them.]

Some context

World Values Survey, average 1999-2008: "Generally speaking, would you say that most people can be trusted?"

Historically, Irish people said yes.

Cloud computing could contribute up to €250bn to EU GDP in 2020 and 3.8mn jobs (IDC, 2012)

[Chart: Long-term final barriers' relevance]

What actions do businesses think would improve cloud adoption?

Trust Development (revisited): the calculus-based, knowledge-based and identification-based stages shown earlier, adapted from Lewicki & Bunker 1996; Dietz 2004

Contractual issues complicate rather than ameliorate the trust problem. Standard-form contracts are in widespread use.

1. Choice of law/jurisdiction

2. Data location and transfer to countries outside of the EEA

3. Data integrity and availability

4. Security of data

5. IP issues: copyright (incl. ownership of metadata), patents and trade secrets

6. Liability and indemnities

7. Acceptable use requirements

8. Service levels and performance

9. Variation of contract terms

14. Monitoring

15. Backup

16. Termination: data/application preservation, data transfer, data deletion

The impact of a change of service provision is often ignored.

Vendor Lock-in increases costs, limits competition and may hinder innovation

Customer dependency on a vendor for products and services such that they cannot switch to another provider without suffering substantial costs and thus are locked in to continuing the relationship with that provider

It may be a deliberate vendor strategy e.g. data and application lock-in

Designing software incompatible with other software

Using closed architectures or proprietary standards that lack interoperability with other software vendors

Licensing under exclusive conditions

It may be an opportunistic vendor strategy e.g.

On termination, threaten immediate deletion of data / applications

Lack of migration assistance e.g. lack of data export tools

Customer-driven customisation may also result in lock-in.

The No. 1 search phrase on Google about cloud computing is "What is Cloud Computing?"

Security Breaches - Segment

Breaches at non-public-sector organisations are likely to be under-reported, since breach-reporting legislation and penalties apply to the public sector.

Security Breaches - Type

[Chart: breaches by type, with segments labelled BSR, BSO, Finance and Health]

Responses to Data Breach – Public sector organisations have more robust policies, training and response plans

1. Purpose

2. Scope

3. Policy

4. Roles and Responsibilities

5. Incident Detection and Reporting: incident record, initial assessment, criminal investigation, incident notification

6. Data Breach Incident Ratings Form

7. Internal Notification: requirement for initial notification, contents of notification

8. Risk Assessment: incident analysis, summary of facts and recommendations

9. Incident Handling and Response: course of action, risk mitigation

10. External Breach Notification: whether external breach notification is required, timeliness of notification, source of notification, contents of the notification, means of providing notification, who receives notification, public outreach in response to a breach

14. Documentation of Breach Notification

15. Evaluation of Breach Response

16. Disciplinary Action

17. Appendices: Information Security Incident Report, Sample Written Notification, Data Breach Impact Severity Ratings Form, Related Documents, References, Contacts

Data Breach Impact Severity Ratings Form

Who does improved knowledge of cloud quality metrics help?

General Public & Prospective Customers

Cloud Customers

Management

Marketing

SLA Management

Quality Management

How are you measuring quality of service in your organisation?

CloudPass Nutritional Label for Cloud Service Assurance and Accountability

• Dynamic real-time trust label for monitoring and communicating trust signals to the market

• Diagnostic process and toolset for helping cloud service providers identify areas for improvement and competitive advantage

• Workflow and processes for SLA enforcement, risk management and quality assurance

Trust as a source of competitive advantage/innovation

Trust-driven integrated framework for assurance and accountability in the cloud