Skip to main content
SpringerLink
Log in

From Regulatory Obligations to Enforceable Accountability Policies in the Cloud

  • Conference paper
  • First Online:
Cloud Computing and Services Sciences (CLOSER 2014)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 512))

Included in the following conference series:

Abstract

The widespread adoption of the cloud model for service delivery triggered several data protection issues. As a matter of fact, the proper delivery of these services typically involves sharing of personal/business data between the different parties involved in the service provisioning. In order to increase cloud consumer’s trust, there must be guarantees on the fair use of their data. Accountability provides the necessary assurance about the data governance practices to the different stakeholders involved in a cloud service chain. In this context, we propose a framework for the representation of accountability policies. Such policies offer to end-users a clear view of the privacy and accountability clauses asserted by the entities they interact with, as well as means to represent their preferences. Our framework offers two accountability policy languages: (i) an abstract language called AAL devoted for the representation of preferences/clauses in an human readable fashion, and (ii) a concrete one for the implementation of enforceable policies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Notes

  1. 1.

    The Cloud Accountability Project: http://www.a4cloud.eu/.

  2. 2.

    This work mainly focus on the European Data Protection directive [2].

  3. 3.

    Here “semi” means that sometimes human assistance could be needed.

  4. 4.

    http://ict-endorse.eu/.

References

  1. Pearson, S., Tountopoulos, V., Catteddu, D., Südholt, M., Molva, R., Reich, C., Fischer-Hübner, S., Millard, C., Lotz, V., Jaatun, M.G., Leenes, R., Rong, C., Lopez, J.: Accountability for cloud and other future internet services. In: CloudCom, pp. 629–632. IEEE (2012)

    Google Scholar 

  2. Directive, E.U.: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995). http://ec.europa.eu/justice/policies/privacy/docs/95--46-ce/dir1995-46_part1_en.pdf

  3. Ardagna, C.A., Bussard, L., De Capitani Di Vimercati, S., Neven, G., Paraboschi, S., Pedrini, E., Preiss, S., Raggett, D., Samarati, P., Trabelsi, S., Verdicchio, M.: Primelife policy language (2009). http://www.w3.org/2009/policy-ws/papers/Trabelisi.pdf

  4. Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.J.: Information accountability. Commun. ACM 51, 82–87 (2008)

    Article  Google Scholar 

  5. Xiao, Z., Kathiresshan, N., Xiao, Y.: A survey of accountability in computer networks and distributed systems. Secur. Commun. Netw. 5, 1083–1085 (2012)

    Google Scholar 

  6. Pearson, S., Wainwright, N.: An interdisciplinary approach to accountability for future internet service provision. Int. J. Trust Manag. Comput. Commun. 1, 52–72 (2013)

    Article  Google Scholar 

  7. Le Métayer, D.: A formal privacy management framework. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 162–176. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  8. DeYoung, H., Garg, D., Jia, L., Kaynar, D., Datta, A.: Experiences in the logical specification of the HIPAA and GLBA privacy laws. In: 9th Annual ACM Workshop on Privacy in the Electronic Society (WPES 2010), pp. 73–82 (2010)

    Google Scholar 

  9. Feigenbaum, J., Jaggard, A.D., Wright, R.N., Xiao, H.: Systematizing “accountability” in computer science. Technical report YALEU/DCS/TR-1452, University of Yale (2012)

    Google Scholar 

  10. Jagadeesan, R., Jeffrey, A., Pitcher, C., Riely, J.: Towards a theory of accountability and audit. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 152–167. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  11. Sundareswaran, S., Squicciarini, A., Lin, D.: Ensuring distributed accountability for data sharing in the cloud. IEEE Trans. Dependable Secure Comput. 9, 556–568 (2012)

    Article  Google Scholar 

  12. Haeberlen, A., Aditya, P., Rodrigues, R., Druschel, P.: Accountable virtual machines. In: 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI, pp. 119–134 (2010)

    Google Scholar 

  13. Wei, W., Du, J., Yu, T., Gu, X.: Securemr: a service integrity assurance framework for mapreduce. In: Proceedings of the 2009 Annual Computer Security Applications Conference, pp. 73–82. IEEE Computer Society, Washington, DC (2009)

    Google Scholar 

  14. Zou, J., Wang, Y., Lin, K.J.: A formal service contract model for accountable SaaS and cloud services. In: International Conference on Services Computing, pp. 73–80. IEEE (2010)

    Google Scholar 

  15. US Congress: Health insurance portability and accountability act of 1996, privacy rule. 45 cfr 164 (2002). http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html

  16. Legislative Assembly of Ontario: Freedom of information and protection of privacy act (r.s.o. 1990, c. f.31) (1988)

    Google Scholar 

  17. Breaux, T.D., Anton, A.I.: Deriving semantic models from privacy policies. In: Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), pp. 67–76 (2005)

    Google Scholar 

  18. Kerrigan, S., Law, K.H.: Logic-based regulation compliance-assistance. In: International Conference on Artificial Intelligence and Law, pp. 126–135 (2003)

    Google Scholar 

  19. US Congress: Gramm-leach-bliley act, financial privacy rule. 15 usc 6801–6809 (1999). http://www.law.cornell.edu/uscode/usc_sup_01_15_10_94_20_I.html

  20. Garaga, A., de Oliveira, A.S., Sendor, J., Azraoui, M., Elkhiyaoui, K., Molva, R., Önen, M., Cherrueau, R.A., Douence, R., Grall, H., Royer, J.C., Sellami, M., Südholt, M., Bernsmed, K.: Policy Representation Framework. Technical report D:C-4.1, Accountability for Cloud and Future Internet Services - A4Cloud Project (2013). http://www.a4cloud.eu/sites/default/files/D34.1%20Policy%20representation%20Framework.pdf

  21. OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0. 22, January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

  22. Marchiori, M.: The platform for privacy preferences 1.0 (P3P1.0) specification. W3C recommendation, W3C (2002). http://www.w3.org/ TR/ 2002/ REC-P3P-20020416/

  23. Becker, M.Y., Malkis, A., Bussard, L.: S4p: A generic language for specifying privacy preferences and policies. Technical report MSR-TR-2010-32, Microsoft Research (2010)

    Google Scholar 

  24. Aktug, I., Naliuka, K.: ConSpec - a formal language for policy specification. Electron. Notes Theor. Comput. Sci. 197, 45–58 (2008)

    Article  MATH  Google Scholar 

  25. Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)

    Chapter  MATH  Google Scholar 

  26. Barros, A., Oberle, D.: Handbook of Service Description: USDL and Its Methods. Springer Publishing Company, Incorporated, New York (2012)

    Book  Google Scholar 

  27. Lamanna, D.D., Skene, J., Emmerich, W.: SLAng: a language for defining service level agreements. In: Proceedings of the The Ninth IEEE Workshop on Future Trends of Distributed Computing Systems, pp. 100–106. IEEE Computer Society, Washington, DC (2003)

    Google Scholar 

  28. OASIS Web Service Security (WSS) TC: Web Services Security: SOAP Message Security 1.1 (2006). https://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

  29. OASIS Web Services Secure Exchange (WS-SX) TC: WS-Trust 1.4 (2012). http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html

  30. Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible markup language (XML). World Wide Web J. 2, 27–66 (1997)

    Google Scholar 

  31. Butin, D., Chicote, M., Le Métayer, D.: Log design for accountability. In: IEEE CS Security and Privacy Workshops (SPW), pp. 1–7 (2013)

    Google Scholar 

  32. Henze, M., Großfengels, M., Koprowski, M., Wehrle, K.: Towards data handling requirements-aware cloud computing. In: 2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) (2013)

    Google Scholar 

  33. Bradner, S.: IETF RFC 2119: Key words for use in RFCs to Indicate Requirement Levels. Technical report (1997)

    Google Scholar 

  34. Knuth, D.E.: Backus normal form vs. backus naur form. Commun. ACM 7, 735–736 (1964)

    Article  Google Scholar 

  35. Fisher, M.: Temporal representation and reasoning. In: van Harmelen, F., Lifschitz, V., Porter, B. (eds.) Handbook of Knowledge Representation, pp. 513–550. Elsevier, Amsterdam (2008)

    Chapter  Google Scholar 

  36. Benghabrit, W., Grall, H., Royer, J.-C., Sellami, M., Bernsmed, K., De Oliveira, A.S.: Abstract accountability language. In: Zhou, J., Gal-Oz, N., Zhang, J., Gudes, E. (eds.) IFIPTM 2014. IFIP AICT, vol. 430, pp. 229–236. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  37. Benghabrit, W., Grall, H., Royer, J.C., Sellami, M.: Accountability for abstract component design. In: 40th EUROMICRO Conference on Software Engineering and Advanced Applications, SEAA, Verona, Italia (2014)

    Google Scholar 

  38. Cranen, S., Groote, J.F., Keiren, J.J.A., Stappers, F.P.M., de Vink, E.P., Wesselink, W., Willemse, T.A.C.: An overview of the mCRL2 toolset and its recent advances. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013 (ETAPS 2013). LNCS, vol. 7795, pp. 199–213. Springer, Heidelberg (2013)

    Chapter  MATH  Google Scholar 

  39. Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 30–50 (2000)

    Article  Google Scholar 

  40. Allam, D., Douence, R., Grall, H., Royer, J.C., Südholt, M.: Well-Typed Services Cannot Go Wrong. Rapport de recherche RR-7899, INRIA (2012)

    Google Scholar 

  41. Bernsmed, K., Felici, M., Oliveira, A.S.D., Sendor, J., Moe, N.B., Rübsamen, T., Tountopoulos, V., Hasnain, B.: Use case descriptions. Deliverable, Cloud Accountability (A4Cloud) Project (2013)

    Google Scholar 

Download references

Acknowledgements

This work was funded by the EU’s 7th framework A4Cloud project.

Author information

Authors and Affiliations

  1. Mines Nantes, 5 rue A. Kastler, 44307, Nantes, France

    Walid Benghabrit, Hervé Grall & Jean-Claude Royer

  2. EURECOM, Les Templiers, 450 Route des Chappes, 06410, Biot, Sophia Antipolis, France

    Monir Azraoui, Kaoutar Elkhiyaoui & Melek Önen

  3. SAP Labs France, 805 avenue du Dr Donat Font de l’Orme, 06250, Mougins, Sophia Antipolis, France

    Anderson Santana De Oliveira

  4. SINTEF ICT, P.O. Box 4760, Sluppen, 7465, Trondheim, Norway

    Karin Bernsmed

  5. ISEP, 10 rue de Vanves, 92130, Issy Les Moulineaux, France

    Mohamed Sellami

Authors
  1. Walid Benghabrit
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hervé Grall
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jean-Claude Royer
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mohamed Sellami
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Monir Azraoui
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Kaoutar Elkhiyaoui
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Melek Önen
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Anderson Santana De Oliveira
    View author publications

    You can also search for this author in PubMed Google Scholar

  9. Karin Bernsmed
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohamed Sellami .

Editor information

Editors and Affiliations

  1. School of Computing, Dublin City University, Dublin 9, Ireland

    Markus Helfert

  2. LIP / Inria Ecole normale supérieure de Lyon, Lyon, France

    Frédéric Desprez

  3. Dell, ROUND ROCK, USA

    Donald Ferguson

  4. University of Stuttgart, Stuttgart, Germany

    Frank Leymann

  5. Universitat Autònoma de Barcelona, Bellaterra, Spain

    Victor Méndez Munoz

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Benghabrit, W. et al. (2015). From Regulatory Obligations to Enforceable Accountability Policies in the Cloud. In: Helfert, M., Desprez, F., Ferguson, D., Leymann, F., Méndez Munoz, V. (eds) Cloud Computing and Services Sciences. CLOSER 2014. Communications in Computer and Information Science, vol 512. Springer, Cham. https://doi.org/10.1007/978-3-319-25414-2_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-25414-2_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25413-5

  • Online ISBN: 978-3-319-25414-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation