• No results found

Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools"

Copied!
19
0
0

Loading.... (view fulltext now)

Download now ( 19 Page )

Full text

(1)

Accountability in Cloud Computing

An Introduction to the Issues, Approaches, and Tools

Nick Papanikolaou, Cloud and Security Lab, HP Labs Europe

[email protected]

(2)

Introduction

• In the context of cloud computing, accountability is all

about developing a holistic approach to achieving

trust and security in the cloud, encompassing

– Legal,

– Regulatory, and – Technical

mechanisms

• In this talk we will give an overview of the subject,

emphasising the importance of international

(3)

International Frameworks

mentioning Accountability

• The notion of accountability appears in several

international frameworks:

– OECD Privacy Guidelines (1980)

– Canada’s Personal Information Protection and

Electronic Documents Act (2000)

– Asia Pacific Economic Cooperation (APEC) Privacy

Framework (2005)

– European Data Protection Directive 95/46/EC

• Also - Outputs of EU Article 29 Working Party

(4)

What is Accountability?

• In the business context, accountability is

about

complying with measures that give

effect to practices articulated in given

(5)

Definitions of Accountability

• In the context of corporate data governance:

– “Accountability is the obligation to act as a

responsible steward of the personal information

of others

, to

take responsibility for the protection

and appropriate use of that information beyond

mere legal requirements

, and to be accountable

for any misuse of that information.”

(6)

Accountability in the Cloud

• In the context of cloud, accountability is a set

of approaches to addresses two key problems:

– Lack of consumer trust in cloud service providers

– Difficulty faced by cloud service providers with

compliance across geographic boundaries

• Emphasis is on data protection, but the

notion of accountability encompasses more

than just privacy

(7)

Barriers to Cloud Adoption

• Lack of consumer trust in CSPs

– End users have increased expectations that companies with which they share their data will handle it responsibly – End users perceive a lack of transparency and less control

over their data as it shifts to the cloud

– Fear that governments might get access to data in their countries

– How to obtain redress in case of a problem?

• Difficulty of Compliance for CSPs

– Data flows are global and dynamic

– Transborder data flows – international agreements

(8)

Enterprise Data Storage Service Office Apps On Demand CPUs Printing Service Cloud Provider #1 Cloud Provider #2 Private Cloud CRM Service … Service 3 Backup Service ILM Service Service Service Service Business Apps/Service Employee User … … … The Internet Data Data Data

Accountable organisations ensure that

obligations to protect data are observed by all who process the data, irrespective of where that processing occurs.

responsibility transparency

validation remediation

(9)

Key Differentiators for Accountable

Cloud Service Providers

• Business reputation - trustworthiness

enhanced

– Enterprises that are accountable will be perceived

as more responsible and

• Business advantage in going beyond mere

legal expectations and providing

good data

stewardship

(10)

Regulators, auditors, business governance

service service service

Cloud service supply chain/network

Trusted services supporting accountability Chain of Accountability Cloud service users Cloud service Corrective Detective Preventive

Cloud service users: control and transparency over how their data is used, and support in obtaining redress

Service providers: techniques to make services more trustworthy, satisfy business policies and allow differentiation

(11)

Solutions: Achieving Organisational

Accountability

• Organisational accountability comprises:

– A company-wide commitment to conformance with

external standards of responsibility and data

stewardship

– Use of mechanisms to put privacy policies in effect

– Having systems in place for internal and external

oversight

– Allowing for transparency and individual participation

– Having means of remediation and external

(12)

A Vision of Governance Continuity

1 2 Data Subject Data Controller BCR Proc BCR Proc BCR Proc BCR Proc BCR Proc BCR Proc BCR Cont Proc. Proc. Proc. Proc. Proc. Proc.

(13)

Who are the Stakeholders?

• Technology-providers

– Partners

– Standards groups (CSA, ENISA,...)

• Infrastructure providers

– Shared infrastructure CSP

• Service providers

– SMEs: CSPs (data processor), primary service provider using CSPs (data controller)

– Large companies: data processor, managed services

• Trusted third parties

– TTP providing certification services – Insurance providers

• Service users

– Auditor

• End users

– Data subjects – Employees

• Regulators etc

– DPAs – EU Commission

• Other intermediaries

– Consumer groups – Brokers

(14)

Solutions: Mechanisms for Achieving

Accountability in the Cloud

Shared SOFTWARE services Shared PLATFORM services Shared INFRASTRUCTURE services SLA Management Incident Mgmt. Trust Management Policy

Enforcement AssessmentImpact

Monitoring status and

violations

Audit and Certification

(15)

Classes of Technical Mechanisms for

Accountability

• Preventive controls

– Risk analysis and decision support tools

– Policy enforcement mechanisms (access control, obligations, ...) – Data Obfuscation

– Identity management

• Detective controls

– Intrusion detection systems – Transaction logs

– Language frameworks for expressing security properties – Verification tools

• Corrective controls

– Incident management plans – Dispute resolution methods – Other forms or remediation

(16)

Related Work at HP Labs:

HP Privacy Advisor

Questionnaire

• Project/activity profile

• Detailed compliance questions • Transborder flows

• Indicators of potential harms

Rules Engine

Knowledgebase

• Rules – HP Policies

• Rules – HP Privacy standards & Specifications

• Rules – Country requirements • Rules – Guidance

Feedback

• Assessment against; HP Policies, Standards, Specifications,

country requirements, etc. • Checklists

(17)

Related Work at HP Labs

• EnCoRe project (

http://www.encore-project.info

)

– Focused on policy enforcement for privacy and

consent

• Cloud Stewardship Economics Project

(

https://www.instisp.org/sslpage.aspx?pid=463

)

• TrustDomains Project

(

http://www.cs.ox.ac.uk/projects/TDoms/

)

(18)

Papers on Accountability in the Cloud

• Siani Pearson, “Toward Accountability in the Cloud”, View from the Cloud, IEEE Internet Computing, IEEE Computer Society, July/August issue, vol. 15, no. 4, pp. 64-69, 2011. • Siani Pearson and Nick Wainwright, “Towards Achieving

Accountability in Future Internet Service Provision”, to

appear.

• For more information please email us at

[email protected]

[email protected]

(19)

Opportunities for Collaboration

• Achieving accountability involves stakeholders

at many different levels

• International cooperation is essential in order

to remove barriers to cloud adoption

• We are interested in collaborations, case

studies, further analysis of the issues

References

Download now ( PDF - 19 Page - 1.07 MB )

Related documents

Achieving Health Equity: Psychology s Role

- Based on a review of relevant research, community-based initiatives, and policy work, the Task Force will produce a comprehensive report articulating a vision for the role of

Methods for Analyzing Multi-Subject Resting-State Neuroimaging Time Series Data

(2017) not only showed that EEG microstates demonstrate heri- tability, but that they also exhibit subject-specific characteristics. Thus, it is desirable that, although we treat

College of Education and Human Development UNIVERSITY OF DELAWARE. Undergraduate Advisement Handbook ELEMENTARY TEACHER EDUCATION

Students in the middle school social studies concentration take the following courses in addition to the ETE General Studies and Professional Studies courses.. Course

The Business Case For Private Cloud Services

A Private Cloud Service Provider offers application hosting and software services available through a private cloud dedicated to a single enterprise.. A Public Cloud Service

An implementation analysis of the Immigration Act 13 0F 2002 (Study permit): A case study of foreign African postgraduate PhD students at the University of KwaZulu-Natal Pietermaritzburg campus.

In-depth interviews were used to collect primary data from key informants comprising two assistant directors from the Department of Home Affairs, two UKZN administrators (with

Sexual Magnetism

If you spend time with a girl but you’re not sure she would sleep with you, don’t waste your time and move on to meet new people.. On the other hand, if you feel a solid connection

MEF. Cloud Africa Summit. Carrier Ethernet Delivery of Cloud Services. Gary Williams. Head of Pre-Sales Engineering. Metrofibre

Enterprise 
 Cloud Consumers Ethernet Service Provider On-Net Private Cloud Services Internet Public Cloud Services. Cloud Service Delivery via Carrier

What Factors Determine Cloud Computing Adoption by Colleges and Universities? Bill Klug Instructor, BCIT

How does cloud Service Provider Support affect cloud