4.8 The Accountability Maturity Model
A4Cloud has identified the need to help organisations (in particular, SMEs) quantitatively assess their accountability practices as a first step towards improving them. The proposal was to develop an Accountability Maturity Model (AMM) that could be used to assess the maturity of the mechanisms deployed to support accountability. This practice is not new in ICT, where maturity models have existed for several years (for example [37]).
By analogy with widely used maturity models, the AMM proposed by A4Cloud is composed of two elements:
- Control Framework: a set of controls that an organisation will apply to address requirements such as security, privacy and/or accountability.
- Scoring Methodology: a technique used to assign a quantitative or qualitative value that rates the level of implementation of the control framework. The assigned value is known as a "maturity level". The score typically increases with the level of sophistication of control implementation.
The novelty of the AMM is that it captures both the maturity of individual organisations in terms of accountability practices and an assessment of the appropriateness of the measures used across whole cloud provisioning chains.
Based on the control framework proposed in section 3.3, the rest of this section further develops and instantiates the notion of AMM by:
- Mapping the accountability controls (cf. section 3.3) to a real-world control framework, and eliciting the associated accountability metrics in order to allow the implementation of semi-automated accountability assessment/certification processes.
- Associating the assessment of controls and metrics from the AMM to both the CSA's cloud reference architecture.
With respect to the mapping process mentioned above, and in order to align the AMM with A4Cloud's standardisation efforts (being performed by WP:A-5), the control framework used in the rest of this section will be the Cloud Security Alliance's Cloud Control Matrix [58] (CSA CCM).
[58] Please refer to https://cloudsecurityalliance.org/research/ccm/