6 Concluding Thoughts
The A4Cloud Reference Architecture (RA) presented in this document covers a spectrum of topics, including the lifecycle, the artifacts, the processes, and the services. This is much wider than the technically-oriented domain of more traditional reference architectures, which in our case would be a service-oriented architecture. We took this approach because strong accountability requires a holistic view. In addition, accountability is a property which is applied to a defined set of commitments (or obligations): being accountable for something is a practical topic which can be associated with specific measures and processes, whereas simply “being accountable” remains an abstract topic, and the associated artifacts, processes and services are only helpful as tools to frame, analyse, design and implement a solution when associated with an objective (or purpose).
In this report, we propose processes and mechanisms to address the accountability practices defined in the Conceptual Framework [1], i.e.:
- defining governance to responsibly comply with internal and external criteria
- ensuring implementation of appropriate actions
- explaining and justifying those actions
- remedying any failure to act properly
We do so while remaining agnostic to the purpose to which accountability is to be applied, using the data protection domain as a “privileged use case”. We also refrain from adopting a specific compliance baseline. This limits us in the level of practical details we can provide, but keeps the results relevant for a large spectrum of scenarios.
Therefore, this report can be used as a guide to determining what must be done, not as a specification of it. This opens up the possibility of instantiating a set of Reference Architectures with more actionable processes and mechanisms to address a specific combination of baseline compliance standards with a specific purpose.
Accountability in the context of the cloud is an emerging concern. Cloud service providers are not yet ready to commit to it, especially as it relates to transparency. The market requirements are however evolving, driven in part by the regulators which mandate an increasingly high level of accountability in the handling and protection of personal data. Cloud service providers will have no choice but to become accountable if they want to remain competitive, as their customers - the data controllers - will require this level of service. This is not the only driving force: commoditisation of cloud services will lead providers to increase the feature sets and quality of service they provide, first in order to gain a competitive advantage, and then to meet what has become a baseline requirement. At some point in this journey, accountability controls will be integrated in control frameworks, such as the CSA CCM, and accountability services will be defined to ensure interoperability. This RA provides the foundation for these two evolutions.