Jump to Navigation


2.2 [DETAILS] Actors and Roles

The roles that we introduced (as an extension of the NIST model) share similarities and articulate differences with the cloud computing roles defined in the NIST model in the following way:

  • We introduce a new role (Cloud Subject) to designate an entity that owns data (or in the case of personal data, that is the data subject i.e. identifiable by that data), which is either directly transferred to a cloud provider for processing, or indirectly through a cloud customer. We further distinguish cloud subjects as individuals or organisations.
  • The role of cloud customer is aligned with the NIST definition (as a synonym of cloud consumer) but we further introduce a distinction between individual cloud customers and organisational cloud customers.
  • The roles of cloud provider and cloud broker are adopted without modification from the definition provided by NIST.
  • The role of cloud auditor is based on the definition provided by NIST but was altered to better reflect the goals of accountability, by additionally referencing data protection as well as regulatory and ethical requirements.

We note that the role of cloud carrier defined by NIST is unlikely to be considered in the context of accountability, since a cloud carrier does not normally take any responsibility for data stewardship but merely acts as a neutral transporter (much like an internet service provider). In the case where a cloud carrier takes a stronger role in terms of data stewardship, or if the routing of data traffic matters, we may consider it as a cloud provider instead without loss of generality.

Even in its extended form, however, the cloud role classification alone cannot provide all the information necessary to fully characterise an actor. For example, a cloud provider can be either a data controller, data co-controller, or a data processor, with fundamentally different responsibilities in each case. For that reason, the proposed model for fully specifying an actor's role in the A4Cloud RA is to provide both the (extended) cloud and the data protection (95/46/EC and 2002/58/EC) role classifications. Table 1 below presents all the possible combinations of cloud computing and data protection role classifications identified in the RA. In conclusion, to fully characterise an actor in the RA and documents produced by the A4Cloud project in general, the proposed nomenclature combining cloud and data protection roles, as presented in Table 1, should be used.

Extended NIST cloud roles

Data protection roles

Cloud subject

Data subject

Cloud customer

Data (co-)controller [5] or

Data processor

Cloud provider

Data processor or

Data (co-)controller

Cloud carrier

Data processor or

Data (co-)controller (unlikely) or

Not applicable.

Cloud broker

Data processor or

Data (co-)controller

Cloud auditor

(Not Applicable)

Cloud supervisory authority

Supervisory authority

(DPA or NRA)

(Not Applicable)

Third party

(Not Applicable)


Table 1: Cloud reference architecture roles.

[5] By data (co-)controller, we designate both the data controller and the data co-controller roles.