4.8.4 Accountability Assessment from a Cloud Reference Architecture Perspective
In order to provide useful information about the accountability level achieved by an organisation, both the AMM and the accountability metrics must be applied to a specific cloud context. This context might refer, for example, to a particular cloud deployment/service model, possibly resulting from a preliminary risk analysis or an existing set of security/privacy requirements. In any case, the proposed AMM/metrics cannot be applied in an isolated manner. This section elaborates on using the AMM [63] for the quantification of organisational accountability levels based on a cloud reference architecture (CRA). A CRA is typically comprised of a framework (i.e., methodology and tools) that enables security architects, enterprise architects, and risk management professionals to leverage a common set of solutions (patterns). These solutions fulfil a set of common requirements that risk managers must assess regarding the operational status of internal IT security and CSP controls (e.g., from the AMM). The controls are expressed in terms of security capabilities and are designed to create a common roadmap to meet the security needs of the business. NIST Special Publication 500-299 (draft) [40] and the CSA Enterprise Architecture (CSA EA, formerly known as the Trusted Cloud Initiative [64]) are two commonly referenced state-of-the-art CRAs. For the sake of A4Cloud standardisation, the discussion in the rest of this section focuses on the CSA EA.
Figure 18. CSA Enterprise Architecture[65]
The CSA EA (shown in Figure 18) is structured in a hierarchical manner. Eight domains exist at the top level, which are composed of containers, and in turn these are comprised of one or more capabilities.
Within A4Cloud, the CSA EA capabilities were related to the mapped CSA CCM controls (please refer to section 4.9) in order to develop an approach to quantitatively assess the accountability level of an organization through the following sequence of steps:
- Map the organization's security architecture components to the CSA EA's capabilities. Additional guidance to perform this mapping can be found in the CSA EA specification (please refer to footnote 17).
- Based on the previous mapping, select the AMM controls (resulting from the CSA CCM mapping) that correspond to each component's capability.
- Using the related set of metrics, classify the AMM controls from Step 2 into Quantifiable (if at least one accountability metric is associated with them) and Non-Quantifiable (if the control is not associated with any accountability metric).
- Evaluate the accountability controls in the following manner:
- The controls should be measured according to the respective metric definition also developed by A4Cloud.
- The controls should be assessed (e.g., by a human auditor) according to the applicable practice (for example, in the case of CSA CCM please refer to [18]).
- Aggregation of results (out of scope in A4Cloud):
- The measurement results associated with the quantifiable controls can be aggregated by using state-of-the-art techniques like [39] or [40].
- The assessment results obtained for the non-quantifiable controls can be scored to an overall maturity level, following the rules presented in Section 4.8.2.
The final result from Step 5 is the actual maturity level associated with the architectural component being evaluated. The accountability quantification process described above is shown in Figure 19.
Figure 19. Evaluating the accountability level (architectural approach).
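The following is an added worked example, not code from the A4Cloud project or the CSA EA: it walks a single architectural component through Steps 1 to 5 above. Every component name, capability, control identifier, metric name, threshold and the weakest-link aggregation rule is a constructed placeholder; the actual CCM/EA mapping and the scoring rules of Section 4.8.2 are not reproduced here.

```python
# Added example (not A4Cloud/CSA code). All mappings, identifiers, thresholds
# and the aggregation rule are constructed assumptions for illustration only.

# Step 1 (assumed): architecture component -> CSA EA capabilities
COMPONENT_TO_CAPABILITIES = {
    "identity-provider": ["Authentication", "Privilege Management"],
}
# Step 2 (assumed): EA capability -> AMM controls from the CCM mapping
CAPABILITY_TO_CONTROLS = {
    "Authentication": ["AMM-CTRL-01", "AMM-CTRL-02"],
    "Privilege Management": ["AMM-CTRL-03", "AMM-CTRL-01"],
}
# Step 3 input (assumed): control -> accountability metrics; an empty list
# means no metric is associated, i.e. the control is non-quantifiable.
CONTROL_TO_METRICS = {
    "AMM-CTRL-01": ["mfa-coverage-ratio"],
    "AMM-CTRL-02": [],
    "AMM-CTRL-03": ["privileged-account-review-ratio"],
}

def select_controls(component):
    """Steps 1-2: component -> capabilities -> AMM controls, deduplicated."""
    selected = []
    for capability in COMPONENT_TO_CAPABILITIES[component]:
        for control in CAPABILITY_TO_CONTROLS[capability]:
            if control not in selected:
                selected.append(control)
    return selected

def classify(controls):
    """Step 3: split into quantifiable (>= 1 metric) and non-quantifiable."""
    quantifiable = [c for c in controls if CONTROL_TO_METRICS.get(c)]
    non_quantifiable = [c for c in controls if not CONTROL_TO_METRICS.get(c)]
    return quantifiable, non_quantifiable

def metric_to_level(value):
    """Step 4a (assumed thresholds): ratio in [0, 1] -> maturity level 0-3.
    A metric that was never collected (None) scores 0 so the gap surfaces."""
    if value is None:
        return 0
    return 3 if value >= 0.9 else 2 if value >= 0.7 else 1 if value >= 0.4 else 0

def accountability_level(component, measurements, audit_levels):
    """Steps 4-5: measure quantifiable controls, take the auditor's level for
    non-quantifiable ones, aggregate by minimum (assumed weakest-link rule)."""
    quantifiable, non_quantifiable = classify(select_controls(component))
    levels = {c: metric_to_level(measurements.get(c)) for c in quantifiable}
    levels.update({c: audit_levels[c] for c in non_quantifiable})
    return min(levels.values()), levels
```

The returned per-control dictionary keeps the trace from each maturity score back to the metric or auditor judgement behind it, which is what a periodic re-assessment of the selected controls needs.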
A4Cloud's notion of appropriateness [66] is closely related to Step 2 shown in the previous figure, where the set of accountability controls required by the organization is selected from the CSA CCM mapping (possibly through a risk management process). Realistic levels of automation of the process shown in Figure 19 would allow the organisation to assess periodically whether the selected controls are actually appropriate, by recomputing the achieved Level of Accountability at regular intervals. This is a core idea in continuous certification schemes like CSA OCF STAR [67].
[63] In this section, the term AMM will also refer to the associated accountability metrics.
[64] Please refer to https://cloudsecurityalliance.org/research/eawg/
[65] Extracted from https://research.cloudsecurityalliance.org/tci/
[66] Defined by the project as "The extent to which the technical and organisational measures used have the capability of contributing to accountability."
[67] Please refer to OCF STAR Level 3: Continuous in https://cloudsecurityalliance.org/star/