This project is partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD). Accountability for Data Governance in the Cloud Massimo Felici Hewlett-Packard Laboratories A4Cloud Summer School Malaga, Spain, 3 June 2014

Accountability for Data Governance in the Cloud


Massimo Felici

Hewlett-Packard Laboratories

A4Cloud Summer School

Malaga, Spain, 3 June 2014

Overview

Problem of Data Governance
• Data Governance in the Cloud

Accountability Definitions
• Conceptual Definition of Accountability
• Definition of Accountability for Data Stewardship in the Cloud

Accountability Model
• Accountability Attributes, Practices and Mechanisms

Accountability Governance
• Accountability Framework
• Accountability Context
• Accountability Governance

Accountability, Risk and Trust

PROBLEM OF DATA GOVERNANCE

Regulatory Complexity

• Different national privacy or data protection laws in place
• The EU Data Protection Directive is currently going through a legislative and revision process
• Complex evolving regulatory regimes to comply with

In Europe, it is necessary to comply with the different national laws

Specific mechanisms (e.g. Binding Corporate Rules, contracts) may be in place in order to guarantee data transfers

Other arrangements are necessary to allow transborder data flows outside Europe, e.g. safe-harbour agreement with US

Regulatory Frameworks

Evolution of regulatory frameworks

ASIA
• APEC Cross Border Privacy Rules
• New country laws

EUROPE
• Binding Corporate Rules
• Revision of EU Privacy Directive

NORTH AMERICA
• Enforcement powers in Canada
• Proposed Consumer Privacy Bill in USA

LATIN AMERICA
• New laws in Mexico, Colombia
• Proposed laws in Peru, Costa Rica, Chile ...

ACCOUNTABILITY

Cloud Ecosystem Challenges

Emerging Issues: Cloud supply chains, Complexity, Scale, (Big) Data mining

• Isolation Failure
• Compliance Hazard
• Incomplete Data Deletion
• Lock in Hazard
• Loss of Governance

Problem of Data Governance

• Different regulatory regimes
• Complex governance environment
• Lack of trust in the cloud
• Lack of governance and transparency
• Transfer of data into the cloud

Drivers for Accountability

Globalisation and new technologies
• Cloud computing is the most significant shift in ICT deployments
• Global business environments

Uncertainty and trust (for customers, providers and regulators)
• Privacy and trust come from sound stewardship of information by service providers for which we need to hold them accountable

Regulatory complexity for the cloud
• New technologies like cloud are straining traditional privacy frameworks
• A clear and consistent framework of data protection rules is necessary
• Accountability addresses global interoperability
• Accountability allows avoidance of a complex matrix of national laws and reduces unnecessary layers of complexity for cloud providers

DEFINING ACCOUNTABILITY

Accountability

How do you define (characterise) Accountability?

Identify 3 keywords (features) that characterise accountability

Defining Accountability

Conceptual Definition of Accountability

• Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly.

Applicable across different domains and capturing a shared multidisciplinary understanding within the project

Concerned about governance

Compliance with respect to internal and external criteria defined by stakeholders

Responsibly and proactively (explaining, justifying, remedying) delivery of actions

Defining Accountability

Definition of Accountability for Data Stewardship in the Cloud

• Accountability for an organisation consists of accepting responsibility for the stewardship of personal and/or confidential data with which it is entrusted in a cloud environment, for processing, storing, sharing, deleting and otherwise using the data according to contractual and legal requirements from the time it is collected until when the data are destroyed (including onward transfer to and from third parties).
• It involves committing to legal and ethical obligations, policies, procedures and mechanisms, explaining and demonstrating ethical implementation to internal and external stakeholders and remedying any failure to act properly.

Contextualising accountability for data governance in cloud ecosystems

personal and/or confidential data

Ethical aspects of accountability

Deploying different mechanisms

Accountability Model

Accountability Definitions

• Observability
• Verifiability
• Attributability
• Transparency
• Responsibility
• Liability
• Remediability

• Defining governance
• Ensuring governance
• Demonstrating governance
• Holding to account

Different mechanisms supporting accountability

Accountability Attributes

Definitions

Conceptual attributes of accountability as used across different multidisciplinary domains; conceptual basis for our definitions, and related taxonomic analysis

Observability is a property of an object, process or system which describes how well the internal actions of the system can be described by observing the external outputs of the system.

Verifiability is a property of an object, process or system that its behavior can be verified against a requirement or set of requirements.

Attributability is a property of an observation that discloses or can be assigned to actions of a particular actor (or system element).

Transparency is the property of an accountable system that it is capable of ‘giving account’ of, or providing visibility of, how it conforms to its governing rules and commitments.

Responsibility is defined as the state of being assigned to take action to ensure conformity to a particular set of policies or rules.

Liability is the state of being liable (legally responsible).

Remediability is the state of being able to be remedied.

Accountability Attributes

• Analyse cloud behaviour
• Assess compliance
• Support openness
• Identify causes
• Provide Assurance

Accountability Practices

Accountability practices, what organisations must do to be accountable, support governance

• Defining Governance
Defines governance to responsibly comply with internal and external criteria, particularly relating to treatment of personal data and/or confidential data
• Ensuring Governance
Ensures implementation of appropriate actions
• Demonstrating Governance
Explains and justifies those actions, namely, demonstrates regulatory compliance, that stakeholders’ expectations have been met and that organizational policies have been followed
• Holding to Account
Remedies any failure to act properly, for example: notifies the affected data subjects or organizations, and/or provides redress to affected data subjects or organizations, even in global situations where multiple cloud service providers are involved

Accountability Mechanisms

Diverse accountability processes, non-technical mechanisms and technical tools that support accountability practices, that is, accountability practices use them

Examples of Accountability Mechanisms
• Software Tools
• Governance processes
• Risk assessment
• Assurance
• Standards
• Legal mechanisms
• Sanctions

Accountability Model

From accountability to being accountable
• Operationalise the accountability definitions
• Capture different abstraction levels of accountability
• Identify attributes contributing towards accountability
• Characterise accountable organisations
• Identify elements of accountability practices
• Enable accountability practices

FROM ACCOUNTABILITY TO BEING ACCOUNTABLE


Accountability Context

Accountability-based Approach in the Cloud

Rationale
• Increase trust (and trustworthiness)
• Trust can be achieved through: sound stewardship of information by service providers for which they need to be held accountable, and by integrated design for privacy
• Increase transparency, redress and assurance in a manageable way
• Motivate orgs to improve level of compliance
• Decrease complexity of complying with regulations in global business environments
• Flexibility in return for demonstration

Obligations

• Organisations accountable for obligations in relation to treatment of data
• Accountable organisations should ensure that obligations to protect data are observed by all who store and process the data, irrespective of where that processing occurs.
• Obligation:
  o Is a requirement, agreement or promise for which there are certain consequences if it is breached.
  o It can be one of three types: contractual, regulatory, and normative (i.e. derived from social norms)

Accountability Context

• Regulatory Regimes
• Accountability
• Cloud Ecosystems
• Obligations, responsibilities and liabilities of actors
• Clarification of Requirements
• Stakeholders Requirements
• Trustworthy Account
• Help with meeting Obligations
• Transparency

Accountability-based Approach in the Cloud

We take a ‘strong accountability’ approach

In particular, via:
• Being precise about what accountability means
• Joining technical measures to enhance the integrity and authenticity of logs with enhanced reasoning about how these logs show whether or not data protection obligations have been fulfilled (trusted logs + analysis)
• Including verification by independent, trusted entities and certification based on such verification
• Moving beyond accountability of procedures, to accountability of practice

Accountability Framework

Supporting cloud actors

Supporting accountability at different stages

Co-designing: Responsible and ethical corporate governance, Innovative regulatory frameworks, and Supporting technologies

Preventive – investigating and mitigating risk in order to form policies and determine appropriate mechanisms to put in place; putting in place appropriate policies, procedures and technical mechanisms

Detective – monitoring and identifying policy violation; putting in place detection and traceability measures

Corrective – managing incidents and providing notifications and redress

Accountability Governance

• Claims Supported by arguments
• Providing Evidence
• Questioning Evidence
• Deciding to Trust
• Emerging Trustworthiness

ACCOUNTABILITY IN CLOUD ECOSYSTEMS

Cloud Computing Roles

1. Cloud Subject: An entity whose data is processed by a cloud provider, either directly or indirectly. When necessary we may further distinguish:
   a) Individual Cloud Subject, when the entity refers to a person.
   b) Organisation Cloud Subject, when the entity refers to an organisation.
2. Cloud Customer: An entity that (1) maintains a business relationship with, and (2) uses services from a Cloud Provider. When necessary we may further distinguish:
   a) Individual Cloud Customer, when the entity refers to a person.
   b) Organisation Cloud Customer, when the entity refers to an organisation.
3. Cloud Provider: An entity responsible for making a [cloud] service available to Cloud Customers
4. Cloud Carrier: The intermediary entity that provides connectivity and transport of cloud services between Cloud Providers and Cloud Customers
5. Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Customers
6. Cloud Auditor: An entity that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation, with regards to a set of requirements, which may include security, data protection, information system management, regulations and ethics.
7. Cloud Supervisory Authority: An entity that oversees and enforces the application of a set of rules.

Data Protection Roles

1. Data subject: an identified or identifiable natural person (i.e. living individual). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
2. Data controller: an entity which alone or jointly with others determines the purposes and means of the processing of personal data.
3. Data processor: an entity that processes personal data on behalf of the controller.
4. Third party: an entity other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
5. Recipient: an entity to which data is disclosed, whether a third party or not (excluding authorities which receive data in the framework of an inquiry).
6. Supervisory authority: an independent authority that enforces the application of the data protection regulations in member states, providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data, hearing complaints lodged by citizens with regard to the protection of their data protection rights. The supervisory authority is either the Data Protection Authority or, less frequently, the National Regulatory Authority in the telecom sector in some member states.


Cloud Actor Roles

Cloud Actor Roles

| Extended NIST cloud roles | Data protection roles |
|---|---|
| Cloud subject | Data subject |
| Cloud customer | Data controller or Data processor |
| Cloud provider | Data processor or Data controller |
| Cloud carrier | Data processor or Data controller (unlikely) or Not applicable. |
| Cloud broker | Data processor or Data controller |
| Cloud auditor | (Not Applicable) |
| Cloud supervisory authority | Supervisory authority (DPA or NRA) |
| (Not Applicable) | Third party |
| (Not Applicable) | Recipient |

The Principle of Accountability

Article 29 WP 173, Opinion 3/2010 on the principle of accountability:

Data protection must move from ‘theory to practice’.

(i) the need for a controller to take appropriate and effective measures to implement data protection principles;
(ii) the need to demonstrate upon request that appropriate and effective measures have been taken. Thus, the controller shall provide evidence of (i) above.

Accountability consists of:
• Defining and accepting responsibility
• Ensuring implementation of appropriate actions
• Explaining and justifying actions
• Remediating failure

Data Controllers and Processors

Data controllers and data processors: what's the difference?

Test by the UK Information Commissioner’s Office (ICO)

Cloud Ecosystem Challenges

Emerging Issues: Cloud supply chains, Complexity, Scale, (Big) Data mining

• Isolation Failure
• Compliance Hazard
• Incomplete Data Deletion
• Lock in Hazard
• Loss of Governance

Accountability Relationships

Accountability through cloud service supply chains to organisation that uses cloud services

Cloud provider nearly always DP
• may need to assume co-controllership responsibilities
• may not know who the users are or what their services are being used for

DP is accountable for cooperation with DC to:
• meet data subjects’ rights
• assist DC in providing security measures
• act only on DC’s behalf

Accountability Relationships

Cloud providers and cloud customers are accountable to cloud subjects and Cloud Supervisory Authority

• Cloud customer is in general considered DC
• DC will be accountable for applicable data protection measures

Accountability Relationships

Accountability to society

• Cloud subject should be the rationale and real beneficiary of accountability chain
• All actors ultimately accountable to cloud subject

Key Features

1. Accountability should be viewed as a means to an end, not as an alternative to reframing basic privacy principles
• Organisations should be accountable for the personal and confidential information that they collect, store, process and disseminate

2. Accountability must deliver effective solutions whilst avoiding where possible overly prescriptive or burdensome requirements

3. Commitments of DC need to be well defined – (part of) responsibility
• Commitments of DC should include all applicable legal obligations + any industry standards and declarations made by DC in privacy statements (def. of policies wrt. external criteria, 3 types of obligations)
• Clear allocation of privacy & security responsibilities across DC and DPs

4. Transparency
• Public nature of account where possible
• Commitments of DC need to be properly understood by DS (and other parties)

5. Verification of account
• Claims should be challengeable
• Strong enough verification process to show (extent to which) commitments have been fulfilled
• Guarantees needed about integrity and authenticity of evidence
• Actor carrying out verification needs to be trusted by DS and to have appropriate authority and resources to carry out spot checking, etc.

ACCOUNTABILITY, RISK AND TRUST

Cloud Ecosystem Challenges

Emerging Issues: Cloud supply chains, Complexity, Scale, (Big) Data mining

• Isolation Failure
• Compliance Hazard
• Incomplete Data Deletion
• Lock in Hazard
• Loss of Governance

Risk Assessment

• RISK
• Likelihood or Probability of Occurrence
• Impact or Severity
• Threat Scenario
• CSA top threats
• ENISA risk analysis
• Cloud Ecosystem
• Operational Evidence
• Expert Judgement

Accountability, Risk and Trust

How does Accountability relate to Risk and Trust?

Accountability, Risk and Trust

| STATEMENT | YES | MAY BE | NO |
|---|---|---|---|
| Risk affects accountability | | | |
| Risk requires trust (dealing with uncertainty) | | | |
| Some threats are specific to cloud services | | | |
| Accountability mitigates risk | | | |
| Accountability mediates risk and trust (enhancing knowledge) | | | |
| Accountability supports interactions in the cloud | | | |
| Accountability supports trust decisions | | | |
| Accountability enhances cloud trustworthiness | | | |
| Trust facilitates interactions | | | |
| Trust relies on operational evidence of trustworthiness | | | |


Accountability, Risk and Trust

Accountability, Risk and Trust

• Risk affects accountability
• Risk requires trust (dealing with uncertainty)
• Accountability mitigates risk
• Accountability mediates risk and trust (enhancing knowledge)
• Trust facilitates interactions
• Trust relies on operational evidence of trustworthiness


Accountability, Risk and Trust


SUMMARY

Accountability Highlights

Addressing data governance in the cloud
• Accountability Definitions
• Accountability Model
• Accountability Framework
• Accountability Governance

Accountability in Cloud Ecosystems

Accountability, Risk and Trust

Further Readings

1. A4Cloud, Glossary of Terms and Definitions, November 2013.
2. M. Felici, T. Koulouris, and S. Pearson, “Accountability for Data Governance in Cloud Ecosystems”, in 2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2013), Proceedings, IEEE, pp. 327–332, IEEE Computer Society, 2013.
3. M. Felici, M. G. Jaatun, E. Kosta, and N. Wainwright, “Bringing Accountability to the Cloud: Addressing Emerging Threats and Legal Perspectives”, in M. Felici (Ed.), Cyber Security and Privacy, CSP EU FORUM 2013, Springer-Verlag, CCIS 182, pp. 28–40, 2013.
4. M. Felici, S. Pearson, “Accountability, Risk and Trust in Cloud Services: Towards an Accountability-based Approach to Risk and Trust Governance”, IEEE 2014 International Workshop on Security and Privacy Engineering (SPE 2014), IEEE Services 2014 (To appear).


Thank You.