
4.8.1 Instantiating the Accountability Control Framework

The accountability control framework elicited in section 3.3 can be mapped into well-known frameworks such as the CSA CCM to provide the foundations of the proposed AMM. A4Cloud followed two complementary approaches to perform the suggested mapping, namely (i) mapping of CSA CCM v3.01 controls to Accountability Attributes, and (ii) mapping of CSA CCM v3.01 controls to the accountability controls shown in section 3.3.

Summary of results: mapping CSA CCM to A4Cloud Accountability Attributes

The mapping between the CSA CCM and the A4Cloud Accountability Attributes resulted in a coverage of approximately 46%, meaning that only 62 controls (out of 136 CSA CCM controls) were mapped to at least one accountability attribute. Furthermore, the highest accountability coverage related to the Transparency attribute (11.5%), followed by Responsibility (5%) and Remediability (4%). These results mostly reflect the fact that the CSA CCM was designed as a security control framework, in which accountability in data protection (i.e., the A4Cloud perspective) does not play a central role. Further information and results associated with the CSA CCM Accountability Attributes mapping can be found in section 4.9.

Summary of results: mapping CSA CCM to A4Cloud Accountability Controls

A second mapping process took place between the CSA CCM and the Accountability Controls (cf. Section 3.3), this time to determine the degree of accountability provided by the CCM controls and domains. An immediate result of this analysis is that certain domains of the CCM are particularly well aligned with the accountability controls and best practices. The domains "Audit Assurance & Compliance" (AAC) and "Security Incident Management, E-Discovery & Cloud Forensics" (SEF) are fully covered by accountability controls (100% coverage). The former domain is intimately related to the Governance and Audit & Validation phases of the Accountability lifecycle, whereas the latter is associated with the Handling Exceptions phase, which explains their strong degree of relevance. Other domains, such as "Supply Chain Management, Transparency and Accountability" (STA) and "Governance and Risk Management" (GRM), also present high rates of coverage (between 80% and 90%).

At the other end of the spectrum are those domains that are fully devoted to the specifics of security tasks and which, therefore, are not mapped to any accountability control. These domains are "Datacenter Security" (DCS), "Encryption & Key Management" (EKM), "Mobile Security" (MOS) and "Threat & Vulnerability Management" (TVM). As in the case of the CSA CCM Accountability Attributes mapping, this result is understandable because the Accountability lifecycle does not deal with the particularities of technical mechanisms, and the CCM is strongly security-focused. Other CCM domains tightly related to technical security measures are "Application & Interface Security" (AIS), "Identity and Access Management" (IAM) and "Infrastructure & Virtualisation Security" (IVS); these therefore present a low coverage with respect to accountability controls (lower than 25%).

The remaining CCM domains present a medium level of coverage. For example, "Data Security & Information Lifecycle Management" (DSI) is devoted to mechanisms for ensuring the protection of customers' data, and its coverage is explained by the fact that accountability and data protection are both in the scope of this project. Other domains of relative importance are "Business Continuity Management & Operational Resilience" (BCR), due to its role in accountability functions such as Handling Exceptions, Remedy and Redress, and Risk Assessment, and "Human Resources" (HRS), which can be associated with Staff Commitment and Governance for Accountability. Finally, "Change Control & Configuration Management" (CCC) and "Interoperability & Portability" (IPY) are relevant to the Risk Assessment function.

The next sections further discuss the quantitative scoring and metrics associated with the elicited AMM controls, which allow a realistic level of automation to be adopted in the assessment process.