Enhancing accountability in the cloud

This article focuses on the role of accountability within information management, particularly in cloud computing contexts. Key to this notion is that an accountable Cloud Provider must demonstrate both the willingness and the capacity to be a responsible steward of other people's data. More generally, the notion of accountability is defined as it applies to the cloud, and a conceptual model is presented for the provision of accountability in cloud services. This allows accountability to be considered at various levels of abstraction, including its operationalisation. The model is underpinned by fundamental requirements for strong accountability, which are aimed in particular at avoiding risks in the provision and verification of accounts (which include different types of accountability evidence and notifications that may need to be provided to other cloud actors, including data subjects, cloud customers and regulators). In addition, the article sketches what kind of tools, mechanisms and guidelines support this in practice, and discusses these in the light of the upcoming European Data Protection Regulation.
