A Cloud Accountability Policy Representation Framework

Walid Benghabrit, Hervé Grall, Jean-Claude Royer, Mohamed Sellami, Monir Azraoui, Kaoutar Elkhiyaoui, Melek Önen, Anderson Santana De Oliveira, Karin Bernsmed


Nowadays we are witnessing the democratization of cloud services. As a result, more and more end-users (individuals and businesses) are using these services for achieving their electronic transactions (shopping, administrative procedures, B2B transactions, etc.). In such scenarios, personal data is generally flowed between several entities and end-users need (i) to be aware of the management, processing, storage and retention of personal data, and (ii) to have necessary means to hold service providers accountable for the usage of their data. In fact, dealing with personal data raises several privacy and accountability issues that must be considered before to promote the use of cloud services. In this paper, we propose a framework for the representation of cloud accountability policies. Such policies offer to end-users a clear view of the privacy and accountability obligations asserted by the entities they interact with, as well as means to represent their preferences. This framework comes with two novel accountability policy languages; an abstract one, which is devoted for the representation of preferences/obligations in an human readable fashion, a concrete one for the mapping to concrete enforceable policies. We motivate our solution with concrete use case scenarios.


  1. Aktug, I. and Naliuka, K. (2008). ConSpec - a formal language for policy specification. In Electronic Notes in Theoretical Computer Science, volume 197, pages 45-58.
  2. Allam, D., Douence, R., Grall, H., Royer, J.-C., and Südholt, M. (2012). Well-Typed Services Cannot Go Wrong. Rapport de recherche RR-7899, INRIA.
  3. Ardagna, C. A., Bussard, L., De Capitani Di Vimercati, S., Neven, G., Paraboschi, S., Pedrini, E., Preiss, S., Raggett, D., Samarati, P., Trabelsi, S., and Verdicchio, M. (2009). Primelife policy language. http://www.w3.org/2009/policyws/papers/Trabelisi.pdf.
  4. Becker, M. Y., Malkis, A., and Bussard, L. (2010). S4P: A generic language for specifying privacy preferences and policies. Microsoft Research.
  5. Bernsmed, K., Felici, M., Oliveira, A. S. D., Sendor, J., Moe, N. B., Rübsamen, T., Tountopoulos, V., and Hasnain, B. (2013). Use case descriptions. Deliverable, Cloud Accountability (A4Cloud) Project.
  6. Bradner, S. (1997). IETF RFC 2119: Key words for use in RFCs to Indicate Requirement Levels. Technical report.
  7. Breaux, T. D. and Anton, A. I. (2005). Deriving semantic models from privacy policies. In Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 7805), pages 67-76.
  8. Cranen, S., Groote, J. F., Keiren, J. J. A., Stappers, F. P. M., de Vink, E. P., Wesselink, W., and Willemse, T. A. C. (2013). An overview of the mCRL2 toolset and its recent advances. TACAS'13, pages 199-213, Berlin, Heidelberg. Springer-Verlag.
  9. DeYoung, H., Garg, D., Jia, L., Kaynar, D., and Datta, A. (2010). Experiences in the logical specification of the
  10. Directive, E. U. (1995). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data . http://ec.europa.eu/justice/policies/privacy/docs/95- 46-ce/dir1995-46 part1 en.pdf.
  11. Feigenbaum, J., Jaggard, A. D., Wright, R. N., and Xiao, H. (2012). Systematizing ”accountability” in computer science. Technical Report YALEU/DCS/TR1452, University of Yale.
  12. Garaga, A., de Oliveira, A. S., Sendor, J., Azraoui, M., Elkhiyaoui, K., Molva, R., O nen, M., Cherrueau, R.- A., Douence, R., Grall, H., Royer, J.-C., Sellami, M., Südholt, M., and Bernsmed, K. (2013). Policy Representation Framework. Technical Report D:C-4.1, Accountability for Cloud and Future Internet Services - A4Cloud Project.
  13. Haeberlen, A., Aditya, P., Rodrigues, R., and Druschel, P. (2010). Accountable virtual machines. In OSDI, pages 119-134.
  14. Jagadeesan, R., Jeffrey, A., Pitcher, C., and Riely, J. (2009). Towards a theory of accountability and audit. In Proceedings of the 14th European conference on Research in computer security, ESORICS'09, pages 152-167, Berlin, Heidelberg. Springer-Verlag.
  15. Kerrigan, S. and Law, K. H. (2003). Logic-based regulation compliance-assistance. In International Conference on Artificial Intelligence and Law, pages 126-135.
  16. Knuth, D. E. (1964). backus normal form vs. backus naur form. Commun. ACM, 7(12):735-736.
  17. Lamanna, D. D., Skene, J., and Emmerich, W. (2003). SLAng: A Language for Defining Service Level Agreements. In Proceedings of the The Ninth IEEE Workshop on Future Trends of Distributed Computing Systems, pages 100-, Washington, DC, USA. IEEE Computer Society.
  18. Legislative Assembly of Ontario (1988). Freedom of information and protection of privacy act (r.s.o. 1990, c. f.31).
  19. Marchiori, M. (2002). The platform for privacy preferences 1.0 (P3P1.0) specification. W3C recommendation, W3C. http://www.w3.org/TR/2002/REC-P3P20020416/.
  20. Métayer, D. L. (2009). A formal privacy management framework. Formal Aspects in Security and Trust, pages 1-15.
  21. OASIS Standard (2013). eXtensible Access Control Markup Language (XACML) Version 3.0. 22 January 2013. http://docs.oasis-open.org/xacml/3.0/xacml3.0-core-spec-os-en.html.
  22. Pearson, S., Tountopoulos, V., Catteddu, D., Südholt, M., Molva, R., Reich, C., Fischer-Hübner, S., Millard, C., Lotz, V., Jaatun, M. G., Leenes, R., Rong, C., and Lopez, J. (2012). Accountability for cloud and other future internet services. In CloudCom, pages 629- 632. IEEE.
  23. Pearson, S. and Wainwright, N. (2013). An interdisciplinary approach to accountability for future internet service provision. International Journal of Trust Management in Computing and Communications, 1(1):52-72.
  24. Schneider, F. B. (2000). Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30-50.
  25. Sundareswaran, S., Squicciarini, A., and Lin, D. (2012). Ensuring distributed accountability for data sharing in the cloud. Dependable and Secure Computing, IEEE Transactions on, 9(4):556-568.
  26. US Congress (1999). Gramm-leach-bliley act, financial privacy rule. 15 usc 6801- 6809. http://www.law.cornell.edu/uscode/ usc sup 01 15 10 94 20 I.html.
  27. US Congress (2002). Health insurance portability and accountability act of 1996, privacy rule. 45 cfr 164. http://www.access.gpo. gov/- nara/cfr/waisidx 07/45cfr164 07.html.
  28. Wei, W., Du, J., Yu, T., and Gu, X. (2009). Securemr: A service integrity assurance framework for mapreduce. In Proceedings of the 2009 Annual Computer Security Applications Conference, pages 73-82, Washington, DC, USA. IEEE Computer Society.
  29. Weitzner, D. J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., and Sussman, G. J. (2008). Information accountability. Commun. ACM, 51(6):82-87.
  30. Zhifeng Xiao, Nandhakumar Kathiresshan, Y. X. (2012). A survey of accountability in computer networks and distributed systems. Security and Communication Networks, 5(10):1083-1085.
  31. Zou, J., Wang, Y., and Lin, K.-J. (2010). A formal service contract model for accountable SaaS and cloud services. In International Conference on Services Computing, pages 73-80. IEEE.

Paper Citation

in Harvard Style

Benghabrit W., Grall H., Royer J., Sellami M., Azraoui M., Elkhiyaoui K., Önen M., Santana De Oliveira A. and Bernsmed K. (2014). A Cloud Accountability Policy Representation Framework . In Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-019-2, pages 489-498. DOI: 10.5220/0004949104890498

in Bibtex Style

author={Walid Benghabrit and Hervé Grall and Jean-Claude Royer and Mohamed Sellami and Monir Azraoui and Kaoutar Elkhiyaoui and Melek Önen and Anderson Santana De Oliveira and Karin Bernsmed},
title={A Cloud Accountability Policy Representation Framework},
booktitle={Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},

in EndNote Style

JO - Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - A Cloud Accountability Policy Representation Framework
SN - 978-989-758-019-2
AU - Benghabrit W.
AU - Grall H.
AU - Royer J.
AU - Sellami M.
AU - Azraoui M.
AU - Elkhiyaoui K.
AU - Önen M.
AU - Santana De Oliveira A.
AU - Bernsmed K.
PY - 2014
SP - 489
EP - 498
DO - 10.5220/0004949104890498