
Accountability for Cloud and Other Future Internet Services

Cloud services allow enterprises to outsource non-core aspects of their business to third parties. The complexity of the service provision eco-system may not be visible to an individual or business end user. However, it should ideally be possible to hold each provider accountable for how it manages, uses, and passes on data and other related information (e.g. metadata).

Over the past four decades, legislation and associated regulatory structures regarding the handling of personal data have become established in over sixty countries. Values and regulations vary across the globe, but legislation typically creates obligations on service providers to engage in sound data governance and stewardship. What it cannot yet do is empower the end customer to make informed choices about selection of a service provider based on a solid understanding of the consequences of its choices.

The Accountability for Cloud and Other Future Internet Services project (or A4Cloud for short) focuses on accountability as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services. The project aims to assist in holding cloud (and other) service providers accountable for how they manage personal, sensitive and confidential information "in the cloud", and how they deliver services. This will be achieved by an orchestrated set of mechanisms: preventive (mitigating risk), detective (monitoring and identifying risk and policy violations) and corrective (managing incidents and providing redress). Used individually or collectively, they will make the Internet in the short and longer term more transparent and trustworthy for:

  • users of cloud services who are not convinced by the balance of risk against opportunity;
  • their customers, especially end-users who do not understand the need to control access to personal information;
  • suppliers within the cloud eco-system, who need to be able to differentiate themselves in the ultimate commodity market.

A4Cloud will combine socio-economic, legal, regulatory and technical approaches and bring these together into a coherent and interoperable system of tools and services, enabling a shift to "Accountability-based approaches for trust and security" in the cloud.

Several major international reviews of these regulatory frameworks are currently underway, including that of the European Data Protection Framework, due for delivery within the lifetime of A4Cloud. Europe's strong position on data protection reflects European values on the protection of the rights of individuals, including privacy, and the A4Cloud approach will help to address societal fears about loss of privacy and data protection, especially with regard to "generation Facebook". The balance of power is firmly on the side of the service provider, since the user does not normally have the ability to negotiate redress, even if they knew it was theoretically possible. Only a large-scale multidisciplinary approach with industrial and scientific participation, addressing technical, legal, and socio-economic issues, can realistically achieve a significant change in the balance of power and instil confidence in the cloud business model. A4Cloud provides such an approach to accountability.

A chain of accountability allows the members of a cloud ecosystem to ensure that obligations to protect data are observed by all who process the data, irrespective of where that processing occurs. This not only applies when a data subject directly uses cloud services, but also when services are provided in an enterprise cloud setting.

A4Cloud will produce an Accountability Framework that will be a comprehensive specification for how to create accountability for cloud services, spanning regulatory, legal, technical, business and user issues. This will provide:

  • a conceptual foundation for accountability, including clarification of core functions
  • a reference architecture for implementing accountability
  • recommendations and guidelines on data governance in complex, multi-tenant IT infrastructures and the cloud, including analysis of the revised EU Data Protection Framework, reports on legal and regulatory dependencies for effective accountability and governance and guidelines for privacy-friendly design, liability and cloud contracts
  • models of risk, trust, human understanding and economic data governance in cloud ecosystems
  • languages for interoperable accountability policies, with an associated mapping from higher-level policy constraints to machine-readable policies and on to the evidence provided within logs
  • metrics for measuring accountability

Read more in A4Cloud Publications.


Authors: 
Siani Pearson, Vasilis Tountopoulos, Daniele Catteddu, Mario Sudholt, Refik Molva, Christoph Reich, Simone Fischer-Hubner, Christopher Millard, Volkmar Lotz, Martin Gilje Jaatun, Ronald Leenes, Chunming Rong, and Javier Lopez