The Cloud Accountability Reference Architecture (CARA) Reference Framework captures in a single diagram the foundational elements required to address accountability in a cloud context: the accountability processes to be deployed by accountable organisations, the accountability artifacts exchanged by actors along the service provisioning chain, and the accountability support services that allow these artifacts to be exchanged within a cloud service paradigm:
Accountability is a holistic concern that must be addressed at all levels and in all practices of an organisation. CARA identifies a lifecycle that associates the governance and core processes of the organisation with the operational lifecycle of its solutions and services. Accountability practices are distributed across this blended lifecycle and organised in six groups, corresponding to the main steps required to be accountable:
CARA also offers practical guidance on how organisations operating in a cloud context can behave in an accountable manner. This guidance is defined at three levels of abstraction, so that it serves both SMEs and larger organisations:
- A set of principles for accountable behaviour, designed specifically for small and medium-sized organisations (SMEs) that lack the organisational structure needed to adopt the more detailed recommendations
- A simplified control framework specific to accountable organisations, which builds on existing control frameworks to address accountability specifically
- A series of best practices giving practical guidance on the governance and processes that accountable organisations need to deploy. This list can also be consulted when questions arise about how to interpret the control framework
Demonstrating accountability is central to operating in an accountable manner. CARA addresses this through an in-depth analysis of the account, which is the core instrument for demonstrating accountability. An account is a report or description, written and/or oral, of an event or process. It serves to report what has happened or what might happen, and it is produced on a schedule, on request, or in answer to specific questions. Accounts are produced at various points of the service lifecycle: as a companion to service descriptions for the prospective customer, to communicate audit results and system state to existing customers, and to report on the handling of failures to continuously meet obligations. Depending on the situation, accounts are primarily intended for customers and for auditors mandated by regulators.
CARA also describes additional methods that complement the account in demonstrating accountability, either in highly dynamic contexts or where resources must be used more efficiently. The Accountability Maturity Model captures both the maturity of individual organisations in terms of accountability practices and a measurement of the appropriateness of the measures used across the whole cloud provisioning chain. It is intended to help organisations (in particular SMEs) quantitatively assess their accountability practices as a first step towards improving them.