Scope

  1. The focus of the Cloud Accountability Project is accountability under data protection laws for personal data processed in cloud service provision ecosystems.
  2. We will consider accountability obligations owed by cloud service providers, and organisations that use cloud services, to data subjects and data protection regulators. Accountability of individuals in a private context is excluded, although accountability of service providers for the actions (or inactions) of their employees is in scope.
  3. We will also consider how our proposed accountability mechanisms might apply to certain types of confidential information that do not involve personal data.
  4. Government surveillance, including government acquisition of data from cloud service providers, is outside the scope of this project, except where it relates specifically to a data protection law accountability mechanism.

Objectives

A4Cloud has four interlocking objectives to bring users, providers, and regulators together in chains of accountability for data in the cloud, clarifying liability and providing greater transparency overall:

  • Enable cloud service providers to give their users appropriate control and transparency over how their data is used: A4Cloud will develop tools that enable cloud service providers to give their users appropriate control and transparency over how their data is used, confidence that their data is handled according to their expectations and is protected in the cloud, delivering increased levels of accountability to their customers
  • Enable users to make choices about how cloud service providers may use and will protect data in the cloud: A4Cloud will create tools that enable cloud end users to make choices about how cloud service providers may use and will protect data in the cloud, and be better informed about the risks, consequences, and implementation of those choices.
  • Monitor and check compliance with users’ expectations, business policies, and regulations: A4Cloud will develop tools to monitor and check compliance with users’ expectations, business policies and regulations.
  • Implement accountability ethically and effectively: A4Cloud will develop recommendations and guidelines for how to achieve accountability for the use of data by cloud services, addressing commercial, legal, regulatory and end user concerns and ensuring that technical mechanisms work to support them

Approach

The Cloud Accountability Project exploits an orchestrated set of mechanisms for addressing accountability in a preventive (mitigating risk), detective (monitoring and identifying risk and policy violation) and corrective (managing incidents and providing redress) way. The project will combine socio-economic, legal, regulatory and technical approaches and bring these together into a coherent and interoperable system of tools and services, enabling a shift to Accountability-based approaches for trust and security in the cloud. This approach follows an inter-disciplinary co-design of the Accountability assets by implementing it in different perspectives (technical, legal, socio-economic and ethical) and addressing the four main objectives of the project. Used individually or collectively, the mechanisms that are developed in the Cloud Accountability Project will make the Internet in the short- and longer-term more transparent and trustworthy for:

  • the users of cloud services who are not convinced by the balance of risk against opportunity
  • the customers of cloud services providers, especially end-users who do not understand the need to control access to personal information
  • the suppliers within the cloud eco-system, who need to be able to differentiate themselves in the ultimate commodity market.

Results

The project builds the Accountability Framework as a comprehensive specification for how to create accountability for cloud services, spanning regulatory, legal, technical, business and user issues. The Cloud Accountability Project delivers a set of tools for:

  • Enabling cloud service providers to give their users appropriate control and transparency over how their data is used
  • Enabling cloud end users to make choices about how cloud service providers may use and will protect data in the cloud, and be better informed about the risks, consequences, and implementation of those choices
  • Monitoring and checking compliance with users’ expectations, business policies and regulations

Tools for Accountability

  • Policy Configuration and Enforcement System - give:
    • service providers a way to implement users’ specification for data use, provide logs of how it is used in support of evidence collection, and pass obligations through the supply chain, e.g. for consent
      management
    • service users the possibility to interact with enforcement systems, specify and update policies (e.g. privacy preferences and consent) and correct/delete data online if permitted by the enforcement system.
  • Accountability Validation Tool - enables assertions about accountability to be made
  • Risk Assessment Tool - provide users with an assessment of potential risks and impact of a cloud service
  • Contract Support Tool - support users and service providers in identifying the contract terms that are appropriate to the context of use
  • System for Evidence Collection - capture, integrate and process the information, including logs, policies and context in a way that privacy and confidentiality are preserved, and support audit and attribution
  • Remediation Tool - support for remediation and redress
  • Policy Monitoring Tool - enable continuous configuration checking and keep the users informed about where and how data is being used and whether policies have been followed

Accountability Framework

  • Conceptual foundation for accountability, including clarification of core functions
  • Recommendations and guidelines on data governance in complex, multi-tenant IT infrastructures and the cloud, including analysis of the revised EU Data Protection Framework, reports on legal and regulatory dependencies for effective accountability and governance and guidelines for privacy-friendly design, liability and cloud contracts
  • Reference architecture for implementing accountability
  • Enumeration and technical specification of the accountability components
  • Models of risk, trust, human understanding and economic data governance in cloud ecosystems
  • Languages for interoperable accountability policies
  • Metrics for measuring accountability

Impact

Make all stakeholders accountable for the use of data in the cloud

The Cloud Accountability Project aims to address the risks arising for individual cloud service users when their personal data are being proliferated in the cloud. New data protection regulations are imminent that will provide individual users of online services with greater protection. Such risks are also applicable for businesses, which make use of cloud services to process personal or proprietary data. The Cloud Accountability Project delivers the tools and mechanisms for users to hold service providers accountable on how data is used in the cloud. The lasting impact will be to fundamentally shift the balance of power in the relationship between providers and users of cloud services.

Realise the potentials

The adoption of the Cloud Accountability Project enables realising the potentials and benefits that are being brought to the involved stakeholders:

  • Reduced costs and risk of bringing data intensive services to market by making the process for respecting the data protection obligations simpler and less costly for businesses, especially entrepreneurs and SMEs
  • Enabling uptake of new value added services in the cloud by overcoming the barriers that make businesses holding back from using cloud services because of the uncertainty over the potential consequences
  • Better control over the use of data in the cloud enables new services, which make use of personal or confidential data
  • Novel accountability services support the start up of new business opportunities
A shift towards individuals being in control of their online presence
Data protection legislation addresses the need of individual end users as data subjects for privacy and protection online and creates obligations for service providers. Implementing accountability-based approaches for data use in the cloud puts the users in control of that data. The  envisaged results  will create a shift towards individual users actively exercising control over their digital presence in the cloud.
Independent initiative for accountability in cloud services
The Cloud Accountability Project will support evolving governance frameworks, including the revised EU Data Protection Directive. It will demonstrate and enhance compliance with data governance guidelines by means of contributing to those guidelines, providing a coherent framework for accountability that integrates legal, technical and governance approaches and by providing a range of codesigned mechanisms that can be used individually or in combination, including risk analysis, flexible contact management, transparency-enhancing tools, policy compliance and enforcement, security, assurance, liability clarification and redress. The participation of Cloud Security Alliance in the Consortium gives us an avenue to the Cloud Security world. But the project plans to penetrate more in the cloud security and leverage accountability as a principal concept for establishing security in Future Internet.