2.3 Challenges in Implementing Accountability in the Cloud
Cloud computing describes a model for enabling ubiquitous, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [6]. Its key characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, multi-tenancy (of users and/or applications) and measured service. Cloud computing can be provided via different service models, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), as well as deployment models such as private, hybrid and public cloud [6].
A major benefit of cloud computing is that it enables the flexible composition of powerful applications by chaining together functions provided by different cloud services and providers. For example, end-user-facing cloud applications may be composed from different service components packaged as SaaS offerings, themselves utilising cloud resources provided by different IaaS providers. Furthermore, the use of standard interfaces and technologies means that cloud services [6] along the service provisioning chain may be substituted with others of similar specification without radically altering the way the application is composed.
An implication of this model, however, is that separate, independent entities assume control, ownership and responsibility for different parts of the service provision chain, with those parts constituting separate domains of control. This is illustrated in Figure 6 below, which presents a typical cloud service provisioning chain. Here, a cloud service provider is operating a datacentre to provide a public IaaS cloud offering. Numerous tenants utilise the cloud resources made available to provide applications to the general public in the SaaS model. Each tenant's virtual environment is isolated from all others by means of the IaaS provider's virtualisation and management infrastructure. Finally, customers access tenant applications over the public Internet to support various business functions.
Clearly, different parts of this provisioning chain belong to different control domains. The IaaS cloud operator has administrative control (and responsibility) over the IaaS support infrastructure. This is indicated in the figure by the area marked by the red dotted line. Employees of the cloud operator may need to access privileged administrative interfaces to manage parts of the IaaS support infrastructure (for example to apply security patches). Naturally, access to those privileged interfaces will only be given to a select, vetted and authorised subset of the IaaS operator's staff and, because of their potential for catastrophic misuse, will never extend outside the operator's area of control.
Similarly, each of the IaaS tenants only controls the virtual environment made available to them, such as the green or blue areas in the diagram. IaaS tenants have privileged access to configuration and management controls of their SaaS applications which they will not make available to entities outside their own domains for security, liability or business confidentiality reasons.
Finally, an application user may be responsible for the handling of data processed by tenant applications as part of some business function. Such a user, especially if they are processing regulated data, may configure controls (such as at-rest encryption) to prevent upstream providers (e.g. the SaaS or IaaS provider in this example) from having non-authorised access to the raw data.
Figure 6: Separate domains of control in cloud service provisioning chains.
Based on the fundamental accountability practices identified in the A4Cloud conceptual model of accountability and discussed earlier in the text, being accountable largely means that an organisation implements the controls appropriate for the service offered, demonstrates that obligations stemming from policies and regulations are met, and handles exceptions appropriately, remedying failures when applicable.
Even in the relatively simple example of a cloud service provisioning chain illustrated earlier, the challenges involved with achieving accountability end-to-end, across the entire chain, are evident. Since every part of the chain is separated by technical and organisational boundaries between domains, it is hard for any actor to establish whether the processes and operations executed beyond its own domain conform to the agreed rules and obligations. Thus, even if a number of actors have individually implemented accountability-supporting mechanisms inside their own domains (e.g. by implementing the accountability governance process described in the previous section), there are no obvious means for accountability to be extended beyond the various domain boundaries to cover the entire provisioning chain.
The A4Cloud RA was developed to provide a method to tackle these challenges by designing mechanisms to support accountability both within an organisation and across cloud service provision chains. The accountability process described in section 3 focuses on the former task while the rest of this section addresses the latter. More specifically, the types of information artifact that need to flow across the provisioning chain to support accountability are identified. Next, a high-level view of the service-oriented approach for accountability in the cloud promoted by the RA is presented.
[6] This is especially common for services operating at the IaaS layer, as the functions supported by different vendors at this layer are generally uniform.