1.1 Fundamental Concepts

Accountability in the context of handling personal and business confidential information is an important but complex notion that encompasses the obligation to act as a responsible steward of the personal information of others, to take responsibility for the protection and appropriate use of that information beyond mere legal requirements, to be transparent (give account) about how this has been done and to provide remediation and redress. The perceived lack of transparency and control over data governance, inherent in complex cloud service provision chains, makes accountability a key market enabler that can help overcome barriers to cloud service adoption. Still, providing accountability both legally and technically in the cloud has proved to be very challenging.

In the A4Cloud project we propose a co-designed approach for accountability that combines a range of technological enhancements with legal, regulatory and governance mechanisms to provide the necessary basis for initiating and sustaining trustworthy data processing and a trusted relationship between data subjects, regulators and information and communications technology (ICT) providers.

Although the goal behind the A4Cloud Reference Architecture (the RA hereafter) is to propose a blueprint for end-to-end accountability across the entire cloud service provisioning chain, the starting point for a great many of the concepts and mechanisms discussed is making a single organisation accountable. The rationale is that the problem of creating accountable cloud provisioning chains becomes much more tractable if the actors chained together are accountable. Therefore, we begin by defining what it means for an organisation to be accountable. In this context, the A4Cloud project has developed a definition of Accountability for Data Stewardship in the Cloud and a corresponding model of how various elements of accountability can be combined to create a roadmap for accountability [1].

As illustrated in Figure 4, this A4Cloud accountability model consists of:

  • Accountability attributes: central elements of accountability (i.e. the conceptual basis, and related taxonomic analysis of accountability for data stewardship in the cloud). These are transparency, responsiveness, remediability, responsibility, verifiability, effectiveness and appropriateness.
  • Accountability practices: emergent behaviour characterising accountable organisations (that is, how organisations can incorporate accountability into their business practices). Specifically, an accountable organisation:
    • Defines governance to responsibly comply with internal and external criteria, particularly relating to treatment of personal data and/or confidential data.
    • Ensures implementation of appropriate actions.
    • Explains and justifies those actions, namely, demonstrates regulatory compliance, that stakeholders' expectations have been met and that organisational policies have been followed.
    • Remedies any failure to act properly, for example, notifies the affected data subjects or organisations, and/or provides redress to affected data subjects or organisations, even in global situations where multiple cloud service providers are involved.
  • Accountability mechanisms: operational processes, non-technical mechanisms and technical tools that support accountability practices. Operational processes operate at the organisational business process level, by extending existing processes like auditing and risk assessment to support accountability practices. Non-technical mechanisms consist of accountability-reinforcing mechanisms that are predominantly non-technical, such as contracts, policies, codes of conduct, and various legal safeguards and deterrents. Finally, technical tools comprise the various software systems and components an organisation may use to carry out various accountability-related operations. We may further classify the accountability mechanisms into three categories:

1. Innovative mechanisms designed and built for purpose by A4Cloud (i.e. things we build).

2. External mechanisms which are imported/utilised by A4Cloud mechanisms (i.e. things we import).

3. External mechanisms with which A4Cloud mechanisms will co-exist (i.e. things we interface with).

This A4Cloud accountability model aims to model accountability at different levels of abstraction, from the abstract to the operational, and thereby it elucidates how accountability mechanisms support accountability.

Next we discuss several key concepts related to accountability, which are necessary to explain as background to the rest of this document. According to [1], accountability reflects an institutional relation arrangement in which an actor can be held to account by a forum (for example, a consumer organisation, business association or even the public at large). Accountability then focuses on the specific social relation or the mechanism that involves an obligation to explain and justify conduct.

A core element of the concept of accountability is the account. Within an accountable system, the account can be seen as an explanation or demonstration of the system's behaviour, norms or compliance. We identify three types of account: proactive account, account of legitimate event(s) and account of incident(s) (see Section 3.5 for details). The description of an account-related event provides answers to the six "reporters' questions":

  • Who: identifies actors involved in the described event.
  • What: describes what the account is about.
  • Where: describes where the event related to the account occurs (not only physical location).
  • When: depicts when the described event occurs.
  • Why: presents why the event happened (to respect policies/obligations for instance).
  • How: illustrates the means used (logs, encryption, etc.) for the described event.

An account also comes with evidence, when possible, associated with these different answers, and with means for remediation where appropriate (as in the case of an account of an incident, for instance).

In the remainder of this document the core concepts of the accountability model (as summarised in Figure 4) will be utilised and explained further. In particular:

  • The core accountability attributes (namely, transparency, responsiveness, remediability, responsibility, verifiability, effectiveness and appropriateness) will be related to the accountability metrics in section 4.6. Indeed, metrics constitute an instrument for verifying compliance with non-functional requirements. Therefore, metrics offer a means to support accountability by privacy and security governance that is in use.
  • The accountability practices are discussed further in section 4.1, where different notions of account and their properties are presented. Two main types of account are highlighted: evidence about compliance and data breach.
  • The accountability mechanisms are detailed in section 2.4. In this section, it is explained how high-level goals need to be first decomposed into accountability artifacts and then recomposed to provide assurance and accounts. High-level goals express the privacy and security requirements as well as the laws and regulations that apply in a given context. Accountability artifacts (as discussed further in section 2.5) represent various accountability-related information (such as obligations, evidence records and notification reports).