Cloud computing presents tremendous advantages: organisations of all kinds and sizes can extend their information technology capabilities dynamically, with no need to pay for software licences, train personnel, or invest in new hardware. On the other hand, there are implications for governance, as part of risk and compliance management is delegated to third parties whose security practices may not be visible to service consumers. This raises a number of accountability questions: when problems emerge, such as data breaches, failure to fulfil service level agreements, or failure to respect regulations, who in the cloud service provisioning chain is liable, and who is responsible for taking remediation actions? Understanding the risks of using cloud services is a fundamental issue, but providing accountable services in the cloud is even more challenging.
Accountability concerns the data stewardship regime in which organisations that are entrusted with personal and business confidential data are responsible and liable for processing, sharing, storing and otherwise using the data according to contractual and legal constraints, from the time it is collected until it is destroyed (including onward transfers to third parties).
SAP is part of a consortium led by HP’s Security and Cloud Lab, in Bristol, UK, to promote Accountability for the Cloud. The project is funded by the EC FP7 framework, and includes Cloud Security Alliance and top universities and research centres in Europe. For more information, please visit www.a4cloud.eu. The Cloud Accountability project (A4Cloud) is addressing critical needs to increase consumer and business confidence in cloud services.
In the A4Cloud project, we follow a multidisciplinary approach to enact the accountability concept in the cloud. We are integrating legal, socio-economic, regulatory and technical approaches into a framework that provides accountability both pre-emptively (assessing risk and avoiding privacy harm) and reactively (providing transparency, auditing and corrective measures for redress). We work towards implementing chains of accountability, including interdisciplinary mechanisms to ensure that obligations to protect data are observed by all who process the data, irrespective of where that processing occurs. The figure below gives an overview of the relationships among the cloud actors, showing to whom transparency needs to be provided and to whom accountability needs to be demonstrated.
A4Cloud is working towards a lasting impact on the competitiveness of the IT sector by addressing concerns about privacy and security in the cloud, which are significant barriers to mainstream adoption. These include issues around the complexity and enforceability of legal, regulatory and contractual provisions; socio-economic and corporate constraints; issues of trust for service users such as risk mitigation, privacy, confidentiality and transparency; and operational challenges such as interoperability and the enforcement and monitoring of compliance. These last topics are particularly interesting for our group at Sophia-Antipolis.