From Regulatory Obligations to Enforceable Accountability Policies in the Cloud

  • Walid Benghabrit
  • Hervé Grall
  • Jean-Claude Royer
  • Mohamed SellamiEmail author
  • Monir Azraoui
  • Kaoutar Elkhiyaoui
  • Melek Önen
  • Anderson Santana De Oliveira
  • Karin Bernsmed
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 512)


The widespread adoption of the cloud model for service delivery triggered several data protection issues. As a matter of fact, the proper delivery of these services typically involves sharing of personal/business data between the different parties involved in the service provisioning. In order to increase cloud consumer’s trust, there must be guarantees on the fair use of their data. Accountability provides the necessary assurance about the data governance practices to the different stakeholders involved in a cloud service chain. In this context, we propose a framework for the representation of accountability policies. Such policies offer to end-users a clear view of the privacy and accountability clauses asserted by the entities they interact with, as well as means to represent their preferences. Our framework offers two accountability policy languages: (i) an abstract language called AAL devoted for the representation of preferences/clauses in an human readable fashion, and (ii) a concrete one for the implementation of enforceable policies.


Accountability Data protection Framework Policy language Policy enforcement 



This work was funded by the EU’s 7th framework A4Cloud project.


  1. 1.
    Pearson, S., Tountopoulos, V., Catteddu, D., Südholt, M., Molva, R., Reich, C., Fischer-Hübner, S., Millard, C., Lotz, V., Jaatun, M.G., Leenes, R., Rong, C., Lopez, J.: Accountability for cloud and other future internet services. In: CloudCom, pp. 629–632. IEEE (2012)Google Scholar
  2. 2.
    Directive, E.U.: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995).
  3. 3.
    Ardagna, C.A., Bussard, L., De Capitani Di Vimercati, S., Neven, G., Paraboschi, S., Pedrini, E., Preiss, S., Raggett, D., Samarati, P., Trabelsi, S., Verdicchio, M.: Primelife policy language (2009).
  4. 4.
    Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.J.: Information accountability. Commun. ACM 51, 82–87 (2008)CrossRefGoogle Scholar
  5. 5.
    Xiao, Z., Kathiresshan, N., Xiao, Y.: A survey of accountability in computer networks and distributed systems. Secur. Commun. Netw. 5, 1083–1085 (2012)CrossRefGoogle Scholar
  6. 6.
    Pearson, S., Wainwright, N.: An interdisciplinary approach to accountability for future internet service provision. Int. J. Trust Manag. Comput. Commun. 1, 52–72 (2013)CrossRefGoogle Scholar
  7. 7.
    Le Métayer, D.: A formal privacy management framework. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 162–176. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  8. 8.
    DeYoung, H., Garg, D., Jia, L., Kaynar, D., Datta, A.: Experiences in the logical specification of the HIPAA and GLBA privacy laws. In: 9th Annual ACM Workshop on Privacy in the Electronic Society (WPES 2010), pp. 73–82 (2010)Google Scholar
  9. 9.
    Feigenbaum, J., Jaggard, A.D., Wright, R.N., Xiao, H.: Systematizing “accountability” in computer science. Technical report YALEU/DCS/TR-1452, University of Yale (2012)Google Scholar
  10. 10.
    Jagadeesan, R., Jeffrey, A., Pitcher, C., Riely, J.: Towards a theory of accountability and audit. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 152–167. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  11. 11.
    Sundareswaran, S., Squicciarini, A., Lin, D.: Ensuring distributed accountability for data sharing in the cloud. IEEE Trans. Dependable Secure Comput. 9, 556–568 (2012)CrossRefGoogle Scholar
  12. 12.
    Haeberlen, A., Aditya, P., Rodrigues, R., Druschel, P.: Accountable virtual machines. In: 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI, pp. 119–134 (2010)Google Scholar
  13. 13.
    Wei, W., Du, J., Yu, T., Gu, X.: Securemr: a service integrity assurance framework for mapreduce. In: Proceedings of the 2009 Annual Computer Security Applications Conference, pp. 73–82. IEEE Computer Society, Washington, DC (2009)Google Scholar
  14. 14.
    Zou, J., Wang, Y., Lin, K.J.: A formal service contract model for accountable SaaS and cloud services. In: International Conference on Services Computing, pp. 73–80. IEEE (2010)Google Scholar
  15. 15.
    US Congress: Health insurance portability and accountability act of 1996, privacy rule. 45 cfr 164 (2002).
  16. 16.
    Legislative Assembly of Ontario: Freedom of information and protection of privacy act (r.s.o. 1990, c. f.31) (1988)Google Scholar
  17. 17.
    Breaux, T.D., Anton, A.I.: Deriving semantic models from privacy policies. In: Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), pp. 67–76 (2005)Google Scholar
  18. 18.
    Kerrigan, S., Law, K.H.: Logic-based regulation compliance-assistance. In: International Conference on Artificial Intelligence and Law, pp. 126–135 (2003)Google Scholar
  19. 19.
    US Congress: Gramm-leach-bliley act, financial privacy rule. 15 usc 6801–6809 (1999).
  20. 20.
    Garaga, A., de Oliveira, A.S., Sendor, J., Azraoui, M., Elkhiyaoui, K., Molva, R., Önen, M., Cherrueau, R.A., Douence, R., Grall, H., Royer, J.C., Sellami, M., Südholt, M., Bernsmed, K.: Policy Representation Framework. Technical report D:C-4.1, Accountability for Cloud and Future Internet Services - A4Cloud Project (2013).
  21. 21.
    OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0. 22, January 2013.
  22. 22.
    Marchiori, M.: The platform for privacy preferences 1.0 (P3P1.0) specification. W3C recommendation, W3C (2002). TR/ 2002/ REC-P3P-20020416/
  23. 23.
    Becker, M.Y., Malkis, A., Bussard, L.: S4p: A generic language for specifying privacy preferences and policies. Technical report MSR-TR-2010-32, Microsoft Research (2010)Google Scholar
  24. 24.
    Aktug, I., Naliuka, K.: ConSpec - a formal language for policy specification. Electron. Notes Theor. Comput. Sci. 197, 45–58 (2008)CrossRefGoogle Scholar
  25. 25.
    Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  26. 26.
    Barros, A., Oberle, D.: Handbook of Service Description: USDL and Its Methods. Springer Publishing Company, Incorporated, New York (2012)CrossRefGoogle Scholar
  27. 27.
    Lamanna, D.D., Skene, J., Emmerich, W.: SLAng: a language for defining service level agreements. In: Proceedings of the The Ninth IEEE Workshop on Future Trends of Distributed Computing Systems, pp. 100–106. IEEE Computer Society, Washington, DC (2003)Google Scholar
  28. 28.
    OASIS Web Service Security (WSS) TC: Web Services Security: SOAP Message Security 1.1 (2006).
  29. 29.
    OASIS Web Services Secure Exchange (WS-SX) TC: WS-Trust 1.4 (2012).
  30. 30.
    Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible markup language (XML). World Wide Web J. 2, 27–66 (1997)Google Scholar
  31. 31.
    Butin, D., Chicote, M., Le Métayer, D.: Log design for accountability. In: IEEE CS Security and Privacy Workshops (SPW), pp. 1–7 (2013)Google Scholar
  32. 32.
    Henze, M., Großfengels, M., Koprowski, M., Wehrle, K.: Towards data handling requirements-aware cloud computing. In: 2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) (2013)Google Scholar
  33. 33.
    Bradner, S.: IETF RFC 2119: Key words for use in RFCs to Indicate Requirement Levels. Technical report (1997)Google Scholar
  34. 34.
    Knuth, D.E.: Backus normal form vs. backus naur form. Commun. ACM 7, 735–736 (1964)CrossRefGoogle Scholar
  35. 35.
    Fisher, M.: Temporal representation and reasoning. In: van Harmelen, F., Lifschitz, V., Porter, B. (eds.) Handbook of Knowledge Representation, pp. 513–550. Elsevier, Amsterdam (2008)CrossRefGoogle Scholar
  36. 36.
    Benghabrit, W., Grall, H., Royer, J.-C., Sellami, M., Bernsmed, K., De Oliveira, A.S.: Abstract accountability language. In: Zhou, J., Gal-Oz, N., Zhang, J., Gudes, E. (eds.) IFIPTM 2014. IFIP AICT, vol. 430, pp. 229–236. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  37. 37.
    Benghabrit, W., Grall, H., Royer, J.C., Sellami, M.: Accountability for abstract component design. In: 40th EUROMICRO Conference on Software Engineering and Advanced Applications, SEAA, Verona, Italia (2014)Google Scholar
  38. 38.
    Cranen, S., Groote, J.F., Keiren, J.J.A., Stappers, F.P.M., de Vink, E.P., Wesselink, W., Willemse, T.A.C.: An overview of the mCRL2 toolset and its recent advances. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013 (ETAPS 2013). LNCS, vol. 7795, pp. 199–213. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  39. 39.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 30–50 (2000)CrossRefGoogle Scholar
  40. 40.
    Allam, D., Douence, R., Grall, H., Royer, J.C., Südholt, M.: Well-Typed Services Cannot Go Wrong. Rapport de recherche RR-7899, INRIA (2012)Google Scholar
  41. 41.
    Bernsmed, K., Felici, M., Oliveira, A.S.D., Sendor, J., Moe, N.B., Rübsamen, T., Tountopoulos, V., Hasnain, B.: Use case descriptions. Deliverable, Cloud Accountability (A4Cloud) Project (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Walid Benghabrit
    • 1
  • Hervé Grall
    • 1
  • Jean-Claude Royer
    • 1
  • Mohamed Sellami
    • 5
    Email author
  • Monir Azraoui
    • 2
  • Kaoutar Elkhiyaoui
    • 2
  • Melek Önen
    • 2
  • Anderson Santana De Oliveira
    • 3
  • Karin Bernsmed
    • 4
  1. 1.Mines NantesNantesFrance
  2. 2.EURECOMBiot, Sophia AntipolisFrance
  3. 3.SAP Labs FranceMougins, Sophia AntipolisFrance
  4. 4.SINTEF ICTTrondheimNorway
  5. 5.ISEPIssy Les MoulineauxFrance

Personalised recommendations