5.2.1 Policy Definition and Validation
In general terms, policies in IT systems specify sets of rules related to a particular purpose, such as defining the security credentials one must possess to access a particular data object and the actions to be taken under various conditions. In the scope of the A4Cloud policy representation framework [43], the obligations an organisation must fulfil and hence express in policies are classified as follows:
- Data handling obligations: policies should express which rights should be granted or revoked regarding any action taken on the data in cloud infrastructures, including its access, its distribution to third parties and its deletion. Such data handling rules should not only support the definition of the roles specified in the Data Protection Directive, e.g. data controller and data processor, but should also capture data subjects' preferences and express time and location constraints (e.g. data retention periods).
- Logging and monitoring obligations: accountability policies should express the rules defining the way to verify compliance with data handling obligations. These include the rules specifying which events have to be logged and what information should be part of the logs. Such rules enable the auditability of the different actors in the accountability chain. The policies should also incorporate notification rules which will enable cloud providers to notify end-users and cloud customers, for instance in case of policy violation or incidents.
- Incident management obligations: policies should also express recommendations for redress, defining the set of actions that need to be taken to handle or recover from failures.
Organisations that are subject to obligations need not only to meet their obligations, but also to ensure that their business partners and sub-contractors do not invalidate them. In particular, an accountable organisation needs to make sure that its obligations to protect personal data are adhered to across the whole service provisioning chain.
An important aspect of governance in an accountable organisation is to define and deploy policies for their data processing practices and to make sure that they are followed by all the involved service providers. The policies should ideally travel with the data, and they should be used as input to monitoring of data processing practices, to generate evidence that policies are fulfilled, to correct policy violations that may occur and in general to demonstrate policy compliance.
Therefore, an accountability-based approach requires services via which to express accountability obligations using a common policy specification language (or standard interoperable policy specification languages) and to distribute them throughout the cloud provisioning chain. An additional component of policy definition support is the checking of compliance between the original obligation or law and the actual set of rules and actions defined in the policy.
In an accountability policy framework, the cloud customer must define the high-level data-handling requirements and obligations in human readable language. These rules should further be translated into machine-readable policies. These policies can be communicated and agreed with potential cloud providers.
If the cloud provider uses subcontractors, then it must check the conformance of the cloud customer policy with the practices of the actors further down the chain. In Figure 24 we illustrate a cloud service chain. The SaaS provider must propagate Policy 1 from the cloud customer, in an adapted form, to manage the resources it uses from its subcontractor. Hence, a machine-readable policy language helps in the definition and verification of these dependencies.
Figure 24: Accountability policy distribution and data flows
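The three obligation categories above and the conformance check between the cloud customer's Policy 1 and a subcontractor's adapted policy, as an added worked example in Python. This is not the A4Cloud policy language or toolkit and not code from the report: the policy structure, field names, the "a downstream policy may be stricter but never looser" ordering rule and the sample values are all assumptions made for illustration.

```python
"""Machine-readable accountability policy with a conformance check.
Hypothetical, simplified representation written for this section; it is
not the A4Cloud policy language. Fields, rules and samples are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class DataHandling:
    """Data handling obligations: actions, processing locations, retention."""
    allowed_actions: FrozenSet[str]    # e.g. "read", "store", "share" (third parties)
    allowed_locations: FrozenSet[str]  # country codes where processing may happen
    retention_days: int                # data must be deleted after this period


@dataclass(frozen=True)
class LoggingMonitoring:
    """Logging and monitoring obligations: what is logged, who is notified."""
    logged_events: FrozenSet[str]      # events that must appear in the audit log
    notify_on_violation: bool          # notify customer/end-user on violation?
    notification_deadline_hours: int   # how quickly the notification must be sent


@dataclass(frozen=True)
class IncidentManagement:
    """Incident management obligations: redress actions to take on failure."""
    redress_actions: FrozenSet[str]


@dataclass(frozen=True)
class AccountabilityPolicy:
    name: str
    data_handling: DataHandling
    logging: LoggingMonitoring
    incidents: IncidentManagement


def conformance_violations(upstream: AccountabilityPolicy,
                           downstream: AccountabilityPolicy) -> List[str]:
    """List the ways `downstream` (an adapted policy further down the chain)
    is weaker than `upstream`. An empty list means it conforms: the downstream
    policy may be stricter than the one it derives from, never looser.
    """
    v: List[str] = []
    up, down = upstream.data_handling, downstream.data_handling
    extra = down.allowed_actions - up.allowed_actions
    if extra:
        v.append(f"data handling: actions not permitted upstream {sorted(extra)}")
    extra = down.allowed_locations - up.allowed_locations
    if extra:
        v.append(f"data handling: locations not permitted upstream {sorted(extra)}")
    if down.retention_days > up.retention_days:
        v.append(f"data handling: retention {down.retention_days}d exceeds "
                 f"{up.retention_days}d")

    ul, dl = upstream.logging, downstream.logging
    missing = ul.logged_events - dl.logged_events
    if missing:
        v.append(f"logging: required events not logged {sorted(missing)}")
    if ul.notify_on_violation:
        if not dl.notify_on_violation:
            v.append("logging: violation notification dropped")
        elif dl.notification_deadline_hours > ul.notification_deadline_hours:
            v.append(f"logging: notification deadline {dl.notification_deadline_hours}h "
                     f"exceeds {ul.notification_deadline_hours}h")

    missing = upstream.incidents.redress_actions - downstream.incidents.redress_actions
    if missing:
        v.append(f"incidents: redress actions missing {sorted(missing)}")
    return v


# Constructed sample policies for a chain like the one in Figure 24 (made-up values).
CUSTOMER_POLICY = AccountabilityPolicy(
    "Policy 1 (cloud customer)",
    DataHandling(frozenset({"read", "store"}), frozenset({"DE", "FR"}), 365),
    LoggingMonitoring(frozenset({"access", "delete"}), True, 72),
    IncidentManagement(frozenset({"notify_subject", "restore_backup"})),
)

# The SaaS provider's adapted policy for its storage subcontractor: stricter
# in every respect, so it conforms.
SUBCONTRACTOR_POLICY = AccountabilityPolicy(
    "Policy 1' (storage subcontractor)",
    DataHandling(frozenset({"store"}), frozenset({"DE"}), 180),
    LoggingMonitoring(frozenset({"access", "delete", "replicate"}), True, 24),
    IncidentManagement(frozenset({"notify_subject", "restore_backup"})),
)

# A draft practice statement that would invalidate the customer's obligations.
NONCONFORMING_POLICY = AccountabilityPolicy(
    "subcontractor draft",
    DataHandling(frozenset({"store", "share"}), frozenset({"DE", "US"}), 730),
    LoggingMonitoring(frozenset({"access"}), False, 0),
    IncidentManagement(frozenset({"restore_backup"})),
)

if __name__ == "__main__":
    for candidate in (SUBCONTRACTOR_POLICY, NONCONFORMING_POLICY):
        problems = conformance_violations(CUSTOMER_POLICY, candidate)
        print(candidate.name, "conforms" if not problems else problems)
```

The check is deliberately one-directional: each downstream policy is compared against the policy it was derived from, so the SaaS provider validates its adapted Policy 1' against the customer's Policy 1, and the subcontractor's practices against Policy 1'. Running it at every hop is what lets an organisation show that its obligations survive the whole provisioning chain rather than only the first contract.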
However, the framework should be flexible enough to accommodate further source and target languages. For instance, the Privacy Level Agreement (PLA [68]) is emerging as a federating initiative to make cloud privacy statement declarations clearer and to allow the assessment of the level of privacy disclosure associated with a given service.