Accountability in the Cloud
Over the past four decades, legislation and associated regulatory structures regarding the handling of personal data have become established in over sixty countries. Values and regulations vary across the globe, but legislation typically creates obligations on service providers to engage in sound data governance and stewardship. What it cannot yet do is empower the end customer to make informed choices about the selection of a service provider based on a solid understanding of the consequences of those choices. A chain of accountability allows the members of a cloud ecosystem to ensure that obligations to protect data are observed by all who process the data, irrespective of where that processing occurs. This applies not only when a data subject directly uses cloud services but also when services are provided in an enterprise cloud setting.
Providers that implement accountability mechanisms give customers control and transparency over data in the cloud. The links in the chain of accountability depicted above are not simply technical mechanisms; they represent accountability relationships between supplier and customer that are embodied in contracts, must address regulatory obligations, must ensure that each partner uses interoperable policies, and must function efficiently and effectively for the supplier and the service user. Chains of accountability within the supply chain are possible as a result of the deployment of accountability-enhancing mechanisms throughout the service network. Trusted third party services provide monitoring, certification, trust modelling and other services that support accountability in the cloud. They enable providers to implement accountability, support users in assessing the trustworthiness of services, and give governance actors a way to check and monitor the use of data in the cloud.
Within this scope, the Cloud Accountability Project delivers:
- tools that enable cloud service providers to give their users appropriate control and transparency over how their data is used, and confidence that their data is handled according to their expectations and is protected in the cloud, thereby delivering increased levels of accountability to their customers
- tools that enable cloud end users to make choices about how cloud service providers may use and will protect data in the cloud, and be better informed about the risks, consequences, and implementation of those choices
- tools to monitor and check compliance with users’ expectations, business policies and regulations
- recommendations and guidelines for how to achieve accountability from an ethical point of view for the use of data by cloud services, addressing commercial, legal, regulatory and end user concerns and ensuring that technical mechanisms work to support them
- the Accountability Framework that will be a comprehensive specification for how to create accountability for cloud services, spanning regulatory, legal, technical, business and user issues