Accountability for Data Governance in the Cloud

Book: Accountability and Security in the Cloud (A4Cloud 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8937)

Abstract

Cloud computing represents a major shift in the way Information and Communication Technology (ICT) is deployed and utilised across industries. Alongside the technological developments, organisations need to adapt to emerging operational needs associated with data governance, policy and responsibility, as well as compliance with regulatory regimes that may be multi-jurisdictional in nature. This paper is concerned with data governance in cloud ecosystems. It characterises the problem of data governance due to emerging challenges (and threats) in the cloud. It advocates an accountability-based approach for data stewardship. It defines accountability and introduces a model consisting of attributes, practices and mechanisms. The accountability model underpins an accountability framework supporting data governance. This paper also discusses emerging relationships between accountability, risk and trust. The overall objective of the proposed accountability-based approach to data governance is to support a transparent and trustworthy cloud.

Acknowledgements

This work has been partly funded by the European Commission’s Seventh Framework Programme (FP7/2007-2013), grant agreement 317550, Cloud Accountability Project (A4Cloud), http://www.a4cloud.eu/. We would like to thank our project partners and colleagues who contributed to the accountability-based approach presented in this paper. In particular, we acknowledge the contributions of Brian Dziminski, Carmen Fernandez Gago, Simone Fischer-Hübner, Frederic Gittler, Martin Jaatun, Theo Koulouris, Ronald Leenes, Jesus Luna, Maartje Niezen, David Nuñez, Alain Pannetrat, Jenni Reuben Shanthamoorthy, Jean-Claude Royer, Anderson Santana de Oliviera, Dimitra Stefanatou and Vasilis Tountopoulos.

Correspondence to Massimo Felici.

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Felici, M., Pearson, S. (2015). Accountability for Data Governance in the Cloud. In: Felici, M., Fernández-Gago, C. (eds) Accountability and Security in the Cloud. A4Cloud 2014. Lecture Notes in Computer Science, vol 8937. Springer, Cham. https://doi.org/10.1007/978-3-319-17199-9_1

  • DOI: https://doi.org/10.1007/978-3-319-17199-9_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17198-2

  • Online ISBN: 978-3-319-17199-9

  • eBook Packages: Computer Science, Computer Science (R0)
