
2.1 Actors and Roles

A key challenge when reasoning about accountability in a cloud context is adopting a common vocabulary that expresses, fully and consistently, elements from both the world of technology and the domain of data protection. The need for a common vocabulary is particularly relevant for the definition of actors and roles in the A4Cloud Reference Architecture (RA).

The NIST Cloud Computing Reference Architecture[5] defines five major actors:

  • Cloud Consumer: A person or organisation that maintains a business relationship with, and uses service from, cloud providers.
  • Cloud Provider: A person, organisation, or entity responsible for making a service available to interested parties.
  • Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
  • Cloud Carrier: An intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.
  • Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.

Although these five roles are sufficient for representing the vast majority of interactions involved in a cloud service provision and procurement context, they do not effectively capture all the elements necessary to reason about accountability. Specifically, as it is, the NIST model cannot capture the following two roles:

  • Data owners: Individuals, in particular data subjects, or organisations who have some personal or confidential data processed in the cloud, and who may not necessarily qualify as cloud customers (or consumers) in the NIST taxonomy. Though more rarely, this also applies to businesses, which may have business-confidential data processed in the cloud despite not being cloud customers themselves (being instead customers of a cloud customer). They are essentially invisible in the NIST model, but represent the ultimate role in an accountability chain.
  • Supervisory authorities: Data protection authorities or telecom regulators may be seen as auditors, but they also have the distinct characteristic of holding enforcement powers, which auditors lack.

In the interest of maintaining maximum compatibility and alignment with the NIST model, which appears to be well understood amongst cloud stakeholders, we chose to extend it to cover these roles and support accountability, as follows [4]:

  1. Cloud Subject: An entity whose data is processed by a cloud provider, either directly or indirectly. When necessary, we may further distinguish between:
    • Individual Cloud Subject, when the entity refers to a person.
    • Organisational Cloud Subject, when the entity refers to an organisation.
  2. Cloud Customer: An entity that (1) maintains a business relationship with, and (2) uses services from a cloud provider. When necessary, we may further distinguish between:
    • Individual Cloud Customer, when the entity refers to a person.
    • Organisational Cloud Customer, when the entity refers to an organisation.
  3. Cloud Provider: An entity responsible for making a (cloud) service available to cloud customers.
  4. Cloud Carrier: The intermediary entity that provides connectivity and transport of cloud services between cloud providers and cloud customers.
  5. Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between cloud providers and cloud customers.
  6. Cloud Auditor: An entity that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation, with regard to a set of requirements, which may include security, data protection, information system management, regulations and ethics.
  7. Cloud Supervisory Authority: An entity that oversees and enforces the application of a set of rules.

[4] For an extended discussion please refer to the A4Cloud Conceptual Framework document [1].