5.3.2 Adoption Patterns

This section introduces the concept of adoption patterns of the A4Cloud Reference Architecture for the different cloud service models and the cloud computing and data protection roles. This approach is inspired by the IBM handbook on the Cloud Computing Reference Architecture (CCRA) version 4.0 [70]. As reflected there, an adoption pattern is “a collection of commonly observed functions and features that customers desire in their solution, where a customer starts to solve a specific business problem, typically driven by the same business motivation”. In IBM CCRA 4.0, the adoption patterns are solely driven by the cloud service model that a specific cloud provider wants to adopt. In A4Cloud, the adoption pattern takes the form of guidance for the different actors in the cloud service provisioning chain in order to follow the accountability lifecycle and be accountable to their collaborating providers.

In more detail, the A4Cloud adoption patterns do not focus only on the cloud provider perspective, but try to capture the operational needs and the respective accountability requirements for the end-to-end chain in the cloud service provision. As such, these patterns should investigate the responsibilities and obligations of the actors, according to their position in the cloud computing/data protection role matrix, and offer a guided roadmap for the adoption of the Accountability Framework in their cloud-based business model. From an accountability perspective, the position of an actor in data processing is very important, since it gives rise to various security and privacy requirements that should be addressed and a number of legal and normative obligations that should be implemented. In that respect, we can distinguish among the following A4Cloud adoption patterns:
  • The Accountable Cloud Customer and Controller (ACCC) Adoption Pattern: this pattern refers to cloud customers, who act as data controllers and regulate the type of data to be collected from data holders and the purpose for doing so.
  • The Accountable Cloud Provider and Controller (ACPC) Adoption Pattern: this pattern refers to cloud providers, who act as data controllers and regulate the type of data to be collected from data holders and the purpose for doing so.
  • The Accountable Cloud Provider and Processor (ACPP) Adoption Pattern: this pattern refers to cloud providers, who act as data processors.
  • The Accountable Cloud Customer and Processor (ACCP) Adoption Pattern: this pattern refers to cloud customers, who act as data processors.
  • The Cloud Subject Enabling (CSE) Adoption Pattern: this pattern refers to a set of guidelines, through which the cloud subjects could benefit from the mechanisms implemented by the cloud providers and offered by the cloud customers with respect to how they could track the disclosure of their personal data in the cloud environments and respond to perceived and/or reported incidents about the way that this data is handled in the cloud.

Such adoption patterns aim to address the principal question for the cloud actors about “how am I going to be accountable to my customers?”, while providing informed guidance to the data owners on how they can take control over the results and the impact of the data processing procedures applied by the cloud providers to their data that has been disclosed in the cloud service provisioning chain. In general, the A4Cloud Adoption Patterns should provide a roadmap for the adoption of the Accountability Framework in all the respective lifecycle phases. Each pattern should then instantiate these general principles for the case of each target stakeholder, by detailing the following items:

  • The security and privacy requirements that drive the definition and the specification of the intended cloud-based business;
  • The actors that are involved and how they relate with the primary actor of the adoption pattern;
  • The accountability use cases and the respective accountability functions for this pattern;
  • The roadmap to adopt the Accountability lifecycle;
  • The instantiation of the A4Cloud RA, highlighting the intended use of each A4Cloud tool and any external tools that serve application specific functions, making references to target AMM;
  • The realization of the operational model for the A4Cloud components and the external tools and the respective information models.

In the case of the instantiation of the RA, the adoption patterns describe the association of the accountability support services and the involved artifacts with the implementation of certain tool support functionalities to be addressed by the specific cloud computing and data protection roles. Thus, in Table 25, we analyse which functionalities should be operated by each role, considering the use of software tools that should be accessible by the indicated roles and software tools running in the background that need to be deployed on the specific role machine to implement the respective accountability support service. This table does not provide an exhaustive mapping of all the roles, since we skip the cloud carriers and brokers, who mainly act as data processors (and in some cases as controllers) and are seen as being in the same situation as cloud providers.

| Required functions | Expected usage of tools for Cloud Subjects | Addressing Accountability Support Service | Involved Accountability Artifact or relevant object |
|---|---|---|---|
| Cloud Subject Enabling (CSE) Adoption Pattern | | | |
| Track personal data | Tools to control the disclosure of personal data in the cloud | Validation | List of data disclosures from providers |
| Receive and manage incidents | Tools to allow the collection of violations from the cloud, against agreed data handling processes, and managing their severity level | Notification and Validation | Notification Reports, Ranked incidents |
| Manage remedies | Tools to suggest remediation, such as to complete and submit complaints form to a DPA, enforce the selected remediation/redress actions | Remediation | List of data disclosures, Claims |
| Support data integrity | Tools for secure communication with Data Controller | Validation | Any type of artifact |
| Accountable Cloud Customer and Controller (ACCC) Adoption Pattern | | | |
| Select a cloud provider | Tools to get a guided selection of a cloud provider, according to functional, security and privacy requirements | Policy Definition and Validation | Capabilities, Social and Regulatory Norms, SLAs, PLAs, Contracts |
| Perform a DPIA | Tools to assess the impact of the cloud provider selection on the data protection aspects, and get the requirements to follow specific privacy, security and functional steps | Policy Definition and Validation | Capabilities, Social and Regulatory Norms, SLAs, PLAs, Contracts, Certificates and Assessments |
| Match policies to capabilities | Tools to perform policy matching between abstract policy statements and preferences | Policy Definition and Validation | Capabilities, machine readable Policies |
| Run audits | Tools to perform internal and external auditing | Validation | Audit Reports, Evidence Records |
| Manage incidents | Tools to assess the type of the perceived and/or reported incidents and generate notification alerts | Incident Management and Notification | Notification Reports |
| Accountable Cloud Customer and Processor (ACCP) Adoption Pattern | | | |
| Enforce policies | Tools to enforce accountability policies for the management of personal data | Policy Management and Enforcement | Machine readable Policies (including the personal data under consideration) |
| Produce logs | Tools to generate logs on the data handling processes with respect to data access, retention and integrity properties for monitoring and auditing purposes | Monitoring and Environment State Collection | Machine-generated Logs |
| Create evidence | Tools to collect and create evidence | Collection and Management of Evidence | Machine-generated Logs, Evidence Records |
| Run audits | Tools to perform internal and external auditing | Validation | Audit Reports, Evidence Records |
| Securely store evidence | Tools to securely store logs and evidence records | Collection and Management of Evidence | Machine-generated Logs, Evidence Records, machine readable Policies |
| Create incidents | Tools to raise incidents on an abnormal behaviour of the environment | Incident Management | Notification Reports |
| Manage incidents | Tools to assess the type of the perceived and/or reported incidents and generate notification alerts | Incident Management and Notification | Notification Reports |
| Accountable Cloud Provider and Controller (ACPC) Adoption Pattern | | | |
| Select a cloud provider | Tools to get a guided selection of a cloud provider, according to functional, security and privacy requirements | Policy Definition and Validation | Capabilities, Social and Regulatory Norms, SLAs, PLAs, Contracts |
| Perform a DPIA | Tools to assess the impact of the cloud provider selection on the data protection aspects, and get the requirements to follow specific privacy, security and functional steps | Policy Definition and Validation | Capabilities, Social and Regulatory Norms, SLAs, PLAs, Contracts, Certificates and Assessments |
| Match policies to capabilities | Tools to perform policy matching between abstract policy statements and preferences | Policy Definition and Validation | Capabilities, machine readable Policies |
| Develop policies | Tools to create accountability policies | Policy Definition and Validation | Capabilities, Social and Regulatory Norms, SLAs, PLAs, Contracts, machine readable Policies |
| Enforce policies | Tools to enforce accountability policies for the management of personal data | Policy Management and Enforcement | Machine readable Policies (including the personal data under consideration) |
| Produce logs | Tools to generate logs on the data handling processes with respect to data access, retention, transfer and integrity properties for monitoring and auditing purposes | Monitoring and Environment State Collection | Machine-generated Logs |
| Collect evidence | Tools to collect and create evidence | Collection and Management of Evidence | Machine-generated Logs, Evidence Records |
| Run audits | Tools to perform internal and external auditing | Validation | Audit Reports, Evidence Records |
| Create incidents | Tools to raise incidents on an abnormal behaviour of the environment | Incident Management | Notification Reports |
| Manage incidents | Tools to assess the type of the perceived and/or reported incidents and generate notification alerts | Incident Management and Notification | Notification Reports |
| Securely store evidence | Tools to securely store logs and evidence records | Collection and Management of Evidence | Machine-generated Logs, Evidence Records, machine readable Policies |
| Support data integrity | Tools for secure communication with Data Controller | Validation | Any type of artifact |
| Validate functions | Tools to validate the proper implementation of the accountability support services | Validation | Any type of artifact |
| Accountable Cloud Provider and Processor (ACPP) Adoption Pattern | | | |
| Enforce policies | Tools to enforce accountability policies for the management of personal data | Policy Management and Enforcement | Machine readable Policies (including the personal data under consideration) |
| Produce logs | Tools to generate logs on the data handling processes with respect to data access, retention, transfer and integrity properties for monitoring and auditing purposes | Monitoring and Environment State Collection | Machine-generated Logs |
| Collect evidence | Tools to collect and create evidence | Collection and Management of Evidence | Machine-generated Logs, Evidence Records |
| Run audits | Tools to perform internal and external auditing | Validation | Audit Reports, Evidence Records |
| Create incidents | Tools to raise incidents on an abnormal behaviour of the environment | Incident Management | Notification Reports |
| Manage incidents | Tools to assess the type of the perceived and/or reported incidents and generate notification alerts | Incident Management and Notification | Notification Reports |
| Securely store evidence | Tools to securely store logs and evidence records | Collection and Management of Evidence | Machine-generated Logs, Evidence Records, machine readable Policies |
| Validate functions | Tools to validate the proper implementation of the accountability support services | Validation | Any type of artifact |

Table 25: An example depiction of the adoption patterns for the instantiation of the Cloud Accountability Reference Architecture.

The adoption of one of the patterns by a business actor strongly depends on the role that this actor plays in the context of a business scenario. The further analysis of the required functionalities and their implementation details through ICT tools is provided in a separate document, which describes the A4Cloud toolset.