Abstract
Cloud computing represents a major shift in the way Information and Communication Technology (ICT) is deployed and utilised across industries. Alongside the technological developments, organisations need to adapt to emerging operational needs associated with data governance, policy and responsibility, as well as compliance with regulatory regimes that may be multi-jurisdictional in nature. This paper is concerned with data governance in cloud ecosystems. It characterises the problem of data governance due to emerging challenges (and threats) in the cloud. It advocates an accountability-based approach for data stewardship. It defines accountability and introduces a model consisting of attributes, practices and mechanisms. The accountability model underpins an accountability framework supporting data governance. This paper also discusses emerging relationships between accountability, risk and trust. The overall objective of the proposed accountability-based approach to data governance is to support a transparent and trustworthy cloud.
Acknowledgements
This work has been partly funded by the European Commission’s Seventh Framework Programme (FP7/2007-2013), grant agreement 317550, Cloud Accountability Project (A4Cloud), http://www.a4cloud.eu/. We would like to thank our project partners and colleagues who contributed to the accountability-based approach presented in this paper; in particular, we acknowledge the contributions of Brian Dziminski, Carmen Fernandez Gago, Simone Fischer-Hübner, Frederic Gittler, Martin Jaatun, Theo Koulouris, Ronald Leenes, Jesus Luna, Maartje Niezen, David Nuñez, Alain Pannetrat, Jenni Reuben Shanthamoorthy, Jean-Claude Royer, Anderson Santana de Oliviera, Dimitra Stefanatou and Vasilis Tountopoulos.
© 2015 Springer International Publishing Switzerland
Cite this chapter
Felici, M., Pearson, S. (2015). Accountability for Data Governance in the Cloud. In: Felici, M., Fernández-Gago, C. (eds.) Accountability and Security in the Cloud. A4Cloud 2014. Lecture Notes in Computer Science, vol. 8937. Springer, Cham. https://doi.org/10.1007/978-3-319-17199-9_1
DOI: https://doi.org/10.1007/978-3-319-17199-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17198-2
Online ISBN: 978-3-319-17199-9