
Improving Cloud Assurance and Transparency Through Accountability Mechanisms

  • Chapter
Guide to Security Assurance for Cloud Computing

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

Accountability is a critical prerequisite for effective governance and control of corporate and private data processed by cloud-based information technology services. This chapter clarifies how accountability tools and practices can enhance cloud assurance and transparency in a variety of ways. Relevant techniques and terminology are presented, and a scenario is used to illustrate the related issues. In addition, examples are given of current research and development in fields such as risk management, Security Level Agreements and Privacy Level Agreements, and continuous security monitoring. The arguments presented seek to justify accountability-based approaches as an improved basis for consumers' trust in cloud computing, and thereby to encourage the uptake of this technology.



Acknowledgements

This work is supported in part by EC FP7 SPECS (grant no. 610795) and by EC FP7 A4CLOUD (grant no. 317550). We would like to acknowledge the various members of these projects who contributed to the approach and technologies described.

Author information

Corresponding author: Siani Pearson.


Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Pearson, S., Luna, J., Reich, C. (2015). Improving Cloud Assurance and Transparency Through Accountability Mechanisms. In: Zhu, S., Hill, R., Trovati, M. (eds) Guide to Security Assurance for Cloud Computing. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-25988-8_9


  • DOI: https://doi.org/10.1007/978-3-319-25988-8_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25986-4

  • Online ISBN: 978-3-319-25988-8

  • eBook Packages: Computer Science (R0)
