D:C-6.1: Risk and trust accountability in the cloud

A de Oliviera, A Garaga, L Martucci, Massimo Felici, Rehab Alnemr, D. Stefanatou, M.G.H. Niezen-van der Zwet, C Fernandez-Gago, David Nunez, B Hasnain, A Vranaki, E Cayirci

Research output: Book/Report, Report, Professional

Abstract

Adequate trust and risk management are fundamental for governance in the cloud. Data controllers, processors, or more generally cloud customers must be aware of the specific risks to business-confidential, personal and other kinds of sensitive data subject to regulatory restrictions when using cloud services. In this deliverable we describe the progress in defining a representation of trust and risk for cloud service chains. We build on existing methodologies to create a high-level approach that defines risk in terms of the actors involved in a cloud service chain, possibly combining Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), their responsibilities, obligations, and other accountability attributes, in order to determine how the trust assigned to each link in the chain influences risk assessments. We extensively reviewed risk analysis methodologies, guidelines, models and standards to identify the gaps they have when applied to cloud computing from the perspective of accountability. We propose a broad approach covering all risk categories mentioned in the literature, very close to the enumeration proposed by ENISA (ENISA, 2009). Establishing a level of trust in a cloud service depends on the degree of control an organization is able to exert on the provider to provision the security controls necessary to protect the organization's data and applications, and on the evidence provided about the effectiveness of those controls. The majority of cloud computing agreements are offered in standard form, often drawn from traditional outsourcing or technology licensing models, but those types of agreements may not cover the particular risks associated with cloud computing.

We provide an analysis of the impact of risks on the conclusion of cloud contracts, and of how risk allocation affects the reliability of contracts as effective trust mechanisms. In particular, the security obligations allocated to data controllers (and data processors) under the Data Protection Directive aim at mitigating risks, given that both entities are obliged to adopt "appropriate security measures" depending on the nature of the processing.

Trust also greatly influences the adoption of cloud services, shifting the cloud market. It is necessary to understand how the social behaviour of (potential) cloud consumers will affect their choice to make use of cloud services. Aiming to integrate both the computer science and social science perspectives on trust, we investigate the socio-economic impact of changing roles, responsibilities and risks due to the use of cloud services by the different cloud consumers, since trust is shaped by the consumers' perceptions of risk in cloud providers and their services. We depicted different perspectives on trust, in particular on how to make it measurable via the notion of reputation and other important elements of a risk and trust model. The deliverable also elaborates on the relationships among accountability, risk, and trust, and on how these enable accountability governance. We present an analysis of stakeholder feedback (from the B2 – Stakeholder Elicitation workshop dedicated to risks). We created an abstract meta-model for cloud ecosystems, to which we mapped the A4Cloud conceptual framework of work package C2. From this we can instantiate specific cloud service chains, following a structured approach in order to determine the trust and risk levels. In this deliverable, we set up the basis for modelling trust relationships and for enumerating risks in cloud ecosystems, which will be the starting point for the privacy impact assessments. We also investigated how continuous risk monitoring of cloud services can be performed in an accountable and trustworthy setting, by creating a generic analytical model to understand how concrete events concerning service operations, security and privacy influence the risk and reputation levels for a given service composition. We confirmed the fitness of the model by numerical analysis with Monte Carlo simulations.
Original language: English
Publisher: SAP
Commissioning body: European Union FP7
Number of pages: 110
Publication status: Published - 2014


Cite this

de Oliviera, A., Garaga, A., Martucci, L., Felici, M., Alnemr, R., Stefanatou, D., ... Cayirci, E. (2014). D:C-6.1: Risk and trust accountability in the cloud. SAP.