An advanced approach to security accountability for cloud service providers
Portable heart-rate monitoring devices, popular among joggers for example, are just one of the many devices that nowadays collect sensitive personal information. When combined with Wi-Fi or GPS-enabled technologies, they create instant online records for the user, as well as for hospitals, insurance companies and other intermediaries along the information value chain who process personal data via the cloud. The cloud raises many questions about accountability for the handling of personal data: how are the data handled, and how can one trace who is responsible if things go wrong? Because the cloud is relatively new, there are no established rules of accountability and transparency that apply to it. ‘It’s all about data privacy—as an individual and an organisation,’ says Julie Grady, a researcher at Hewlett Packard Enterprise in the UK. ‘Companies have to be accountable for the security of their data and the remedies, and take responsibility for how they do that.’

Framing accountability guidelines for cloud service providers was the goal of A4CLOUD, a recently completed cyber-security research project co-funded by the EU and coordinated by Grady’s company. A4CLOUD’s main objective was to frame an approach to accountability for cloud service provision ecosystems ahead of the EU’s General Data Protection Regulation (GDPR), which applies across the EU from May 2018. This was done through a survey of current and best practices across the Member States, and by drawing up detailed checklists of tasks that cloud service providers and their customers should carry out to ensure transparency and accountability regarding data protection.

‘Our biggest challenge was trying to reconcile the technical with the legal, making sure that these work together. Implementation of this by cloud-based business will be very challenging,’ said Grady. ‘All players, whether small or large, will be subject to the GDPR. On one level, it will be easier for the large ones since they have the means and have been accustomed to doing the due diligence anyway. Our checklists are really there for the SMEs.’

Asked if accountability varies significantly from one Member State to the next, she gave a nuanced answer. ‘Each Member State’s interpretation has been slightly different. However, there have not been any big fines concerning data processing and the cloud so far: no one has been punished at the customer level. But that will change after 2019, so getting the good-practice guidelines in place is important. Most companies won’t worry about this until the regulatory “stick” comes into the picture. So in that sense, we were ahead of the curve with A4CLOUD,’ said Grady.
A4CLOUD, cyber security, guidelines, accountability, cloud, data protection