Improving Cloud Assurance and Transparency Through Accountability Mechanisms

  • Siani Pearson
  • Jesus Luna
  • Christoph Reich
Chapter
Part of the Computer Communications and Networks book series (CCN)

Abstract

Accountability is a critical prerequisite for effective governance and control of corporate and private data processed by cloud-based information technology services. This chapter clarifies how accountability tools and practices can enhance cloud assurance and transparency in a variety of ways. Relevant techniques and terminology are presented, and a scenario is considered to illustrate the related issues. In addition, related examples are provided involving cutting-edge research and development in fields such as risk management, Security and Privacy Level Agreements, and continuous security monitoring. The arguments provided seek to justify the use of accountability-based approaches as an improved basis for consumers’ trust in cloud computing, which in turn can benefit the uptake of this technology.

Keywords

Accountability, Assurance, Cloud computing, Continuous monitoring, Privacy level agreement (PLA), Service level agreement (SLA), Transparency

Notes

Acknowledgements

This work is supported in part by EC FP7 SPECS (grant no. 610795) and by EC FP7 A4CLOUD (grant no: 317550). We would like to acknowledge the various members of these projects who contributed to the approach and technologies described.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Security and Manageability Lab, Hewlett Packard Labs, Bristol, UK
  2. Cloud Security Alliance, Scotland, UK
  3. Furtwangen University, Furtwangen, Germany