The analysis of accountability is structured through a multi-layer model, spanning the Conceptual Framework and the Reference Architecture, depicted in the following diagram:
The concept of accountability is defined as being the state of accepting allocated responsibilities, explaining and demonstrating compliance to stakeholders and remedying any failure to act properly. Responsibilities may be derived from law, social norms, agreements, organizational values and ethical obligations.
This concept is refined through the accountability attributes, which refer to:
- Transparency: the property of a system, organisation or individual of providing visibility of its governing norms, behaviour and compliance of behaviour to the norms.
- Responsiveness: the property of a system, organisation or individual to take into account input from external stakeholders and respond to queries of these stakeholders.
- Responsibility: the property of an organisation or individual in relation to an object, process or system of being assigned to take action to be in compliance with the norms.
- Remediability: the property of a system, organisation or individual to take corrective action and/or provide a remedy for any party harmed in case of failure to comply with its governing norms.
Additionally, objects of accountability are associated with the secondary attribute:
- Verifiability: the extent to which it is possible to assess norm compliance.
Accountability attributes may also be defined to capture the deployment of ‘appropriate and effective measures’ that meet technical, legal and ethical compliance requirements. The following attributes act as indicators of this kind:
- Appropriateness: the extent to which the technical and organisational measures used have the capability of contributing to accountability.
- Effectiveness: the extent to which the technical and organisational measures used actually contribute to accountability.
In the cloud context, accountability relationships lead us to distinguish seven classes of stakeholders, enlarging the set of cloud actors defined by NIST by the addition of the Cloud Subject and Cloud Supervisory Authority roles. The Accountability Framework identifies different functional aspects of accountability, with examples of corresponding mechanisms that can be used by different types of stakeholders (shown in the rows):
- Preventive: investigating and mitigating risk in order to form policies and determine appropriate mechanisms to put in place; putting in place appropriate policies, procedures and technical mechanisms;
- Detective: monitoring and identifying policy violation; putting in place detection and traceability measures; and
- Corrective: managing incidents and providing notifications and redress.
Additional information is given in the Cloud Accountability Conceptual Framework, which develops the above points, considers the concept of accountability and accountability relationships in the cloud, and proposes an approach, model and framework as a foundation for developing and validating techniques for implementing accountable cloud ecosystems.