Abstract
Accountability is a critical prerequisite for effective governance and control of corporate and private data processed by cloud-based information technology services. This chapter clarifies how accountability tools and practices can enhance cloud assurance and transparency in a variety of ways. Relevant techniques and terminology are presented, and a scenario is considered to illustrate the related issues. In addition, related examples are provided from cutting-edge research and development in fields such as risk management, security and Privacy Level Agreements, and continuous security monitoring. The arguments presented seek to justify the use of accountability-based approaches as an improved basis for consumers' trust in cloud computing, and thereby to benefit the uptake of this technology.
Acknowledgements
This work is supported in part by EC FP7 SPECS (grant no. 610795) and by EC FP7 A4CLOUD (grant no. 317550). We would like to acknowledge the various members of these projects who contributed to the approach and technologies described.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this chapter
Pearson, S., Luna, J., Reich, C. (2015). Improving Cloud Assurance and Transparency Through Accountability Mechanisms. In: Zhu, S., Hill, R., Trovati, M. (eds) Guide to Security Assurance for Cloud Computing. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-25988-8_9
DOI: https://doi.org/10.1007/978-3-319-25988-8_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25986-4
Online ISBN: 978-3-319-25988-8
eBook Packages: Computer Science (R0)