This document discusses accountability for data governance in cloud computing. It defines key roles in cloud ecosystems including cloud subjects, customers, providers, carriers, brokers, auditors, and supervisory authorities. It also defines related data protection roles such as data subjects, controllers, processors, third parties, recipients, and supervisory authorities. The document explores challenges around regulatory complexity, lack of transparency and governance in cloud environments and how accountability can help address these issues by increasing trust and compliance.
The document discusses the Cloud Security Alliance (CSA) Cloud Trust Protocol (CTP) and the A4Cloud project. The CTP is designed to allow cloud service clients to request and receive security-related information from cloud providers to promote transparency and trust. The A4Cloud project focuses on accountability in the cloud and developing mechanisms and tools to help cloud providers demonstrate compliance and allow for effective governance. The CSA and A4Cloud are working to standardize security attributes, integrate the CTP into frameworks like the Open Certification Framework, and establish a CTP working group to further define and implement the protocol.
Implementation of the European Interoperability Framework in Spain - Miguel A. Amutio
This document summarizes Miguel Amutio's presentation on the implementation of the European Interoperability Framework in Spain. Amutio discusses how Spain has aligned its national interoperability framework with the EIF, embedding interoperability principles in its legal framework and ensuring coordination. He also notes Spain's involvement in ISA2 actions and reuse of interoperability solutions, building blocks, and other assets at the European level. Finally, Amutio emphasizes that interoperability requires a continuous, collaborative effort over time to maintain alignment between European and national strategies and account for emerging technologies.
This document provides information about an IP management webinar hosted by the European IPR Helpdesk on May 23, 2018. The webinar focused on IP management in Horizon 2020 projects, with a special focus on Marie Skłodowska Curie Actions. The document outlines key IP terms, rules and agreements relevant to Horizon 2020 projects including the Grant Agreement, Consortium Agreement, and Partnership Agreements. It also provides information on the European IPR Helpdesk services available to assist with IP questions and training related to Horizon 2020 and Marie Skłodowska Curie Actions projects.
Social Media and ICT in Neighbourhood Policing - Opportunities and Challanges - Trilateral Research
The document discusses the INSPEC2T project, which aims to develop a framework for community policing that promotes collaboration between police and communities. It received EU funding. The project involves 18 partners across 8 countries. It will test its solutions in 5 locations, including Preston in November 2017. Social media presents opportunities like improved engagement but also challenges like limited resources. The baseline assessment found stakeholders see benefits and risks to social media use for community policing.
"Towards Value-Centric Big Data" e-SIDES Workshop - "Safe and secure data mar... - e-SIDES.eu
The Safe-DEED project received Horizon 2020 funding to develop secure data marketplaces. The 36-month project involves 8 partners across Europe developing privacy-preserving technologies like secure multi-party computation. The project aims to address barriers to data sharing by enhancing trust and assessing data value to incentivize sharing. If successful, the project expects to see at least 30 companies using the software in new revenue streams within 3 years.
An overview of the ICARUS project and its trusted data brokerage framework, provided during the PRO-VE, Parallel Session C1: Collaborative Knowledge Management, on September 23rd, 2019, in Turin.
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS - Maitena Ilardia
The European Project MEDINA is analysing how to leverage OSCAL to achieve continuous certification, one step beyond continuous compliance, as required by the European cloud services certification scheme. Presented at the US NIST OSCAL Workshop in February 2021.
The European cyber security cPPP strategic research & innovation agenda - EUBrasilCloudFORUM
Presentation by Fabio Martinelli, CNR, National Research Council of Italy, representing the NECS project (European Network for Cybersecurity) at Cloudscape Brazil 2017
An examination of NHS England's journey to the cloud with a particular focus on security and governance issues related to the NHS & UK Government.
Please note that there are additional notes in the presentation including some additional explanation of the slides.
For many organizations, a move to Azure creates issues with managing costs and resource ownership. Why? Cloud-based technologies rely on a different cost model - one based on usage consumption, rather than purchasing hardware and software.
Watch our team of Azure experts and learn how to effectively plan and manage the costs associated with your Azure investment. In this webinar, you'll learn how to:
- Build an Azure cost model based on best practices
- Use chargebacks to assign and track IT usage to specific business units
- Avoid unexpected consumption expenses by seeing what - and who - is consuming data
Our team will also demo the Softchoice Azure Dashboard, a proprietary tool providing our clients with the visibility they need to align resource spend and control their Azure costs.
Becomming a cloud governance ninja linthicum interop fall 2013 - David Linthicum
The document discusses cloud governance and becoming a "cloud governance ninja." It covers the value of cloud governance, especially as companies move to complex multicloud implementations. It discusses best practices for cloud governance including defining policies, designing a governance model, and using cloud management platforms to automate governance through policy-driven management and monitoring across multiple cloud environments.
The document discusses security issues related to cloud computing data storage. It examines how companies can make informed decisions about storing data in the cloud and ensure sufficient privacy protection and regulatory compliance. The purpose is to look at basic security methods and how compliance is controlled. It recommends companies consider the security, availability, scalability, and stability of cloud providers before contracting with them. Privacy, security, and compliance are major concerns since companies lose direct oversight of their data and may not know where it is located or who the external providers are. Cloud computing storage may not be suitable for all businesses due to these challenges.
Scalable cloud governance, risk management and compliance - Peter HJ van Eijk
Cloud consumers are primarily worried about security. If you are a cloud provider or cloud broker, learn how to improve your trustworthiness to your customers efficiently and scalably by integrating governance, risk management and compliance.
"What does 'Full Life-Cycle' Data Management Mean ?" - Tom Moritz
This document discusses full life-cycle data management for federal agencies. It notes that agencies are responsible for creating and maintaining authentic and reliable records according to National Archives and Records Administration regulations. The document also provides examples of data, datasets, and stakeholders related to vaquita conservation to illustrate concepts around full life-cycle data management.
Cloud data governance, risk management and compliance ny metro joint cyber... - Ulf Mattsson
The rapid rise of cloud data storage and applications has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
In this session Protegrity CTO and data security thought leader Ulf Mattsson will focus on practical advice on what to look for in cloud service providers and a review of the technologies and architectures available to protect sensitive data in the cloud, both on- and off-site. Through real life use cases, Ulf will discuss solutions to some of the most common issues of data governance, usability, compliance and security in the cloud environment.
Single Sign-On security issue in Cloud Computing - Rahul Roshan
This document discusses cloud computing and single sign-on authentication. It provides an overview of cloud service models including software as a service, platform as a service, and infrastructure as a service. It then describes how single sign-on systems work with an identity provider and relying parties, and the benefits of single sign-on in reducing password overhead. However, it also discusses the security risk of assertion consumer service spoofing attacks on single sign-on implementations. Potential mitigations like whitelisting and signing authentication requests are presented.
The document summarizes a presentation given by Rolf Frydenberg on governing in the cloud. It discusses the Cloud Security Alliance's guidance on cloud security, including the Cloud Controls Matrix tool which maps 98 security controls to standards like ISO 27001. It also covers governance and risk management best practices for the cloud, such as collaborative risk management between customers and providers. Legal and compliance topics like electronic discovery, auditing, and information lifecycle management are also addressed.
AgilePath's Live Webinar: Exploring the Cloud Governance Lifecycle Dec 16 2010 - AgilePath Corporation
The document discusses AgilePath Corporation's approach to cloud governance. It introduces their Cloud Governance Lifecycle model which covers the entire process from planning to offboarding. It also discusses their Cloud Computing Reference Model (CC-RM) which provides a framework for modeling cloud patterns and architectures. The document outlines some of the major challenges around cloud governance and defines key terms.
Enterprise Cloud Governance: A Frictionless Approach - RightScale
As enterprise IT teams become a broker of cloud services, they need to embrace a new approach to cloud governance. Frictionless governance embeds and automates necessary controls to drive delays to zero by offering developers and business units cloud resources as quickly as teams can obtain them directly from cloud providers.
AWS re:Invent 2016: How News UK Centralized Cloud Governance Through Policy M... - Amazon Web Services
When you run a complex AWS environment with thousands of Amazon EC2 instances, more than half a petabyte of object storage, and support the largest daily newspapers in the UK, you need a world-class cloud management strategy. For companies like News Corp, implementing policies that automate infrastructure schedules, right-size workloads, and manage and modify reservations is critical. As you scale your cloud infrastructure, defining centralized governance rules while enabling decentralized management is key to running an optimized cloud.
This session is designed for advanced operations, infrastructure, and engineering teams to improve/deploy optimization strategies. It covers the five best cloud management practices, including automating Reserved Instance modifications, setting policies to ensure proper tagging, and scheduling lights-on/lights-off policies. Session sponsored by CloudHealth Technologies.
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ... - Amazon Web Services
AWS gives designers of enterprise storage systems a completely new set of options. Aimed at enterprise storage specialists and managers of cloud-integration teams, this session gives you the tools and perspective to confidently integrate your storage workloads with AWS. We show working use cases, a thorough TCO model, and detailed customer blueprints. Throughout we analyze how data-tiering options measure up to the design criteria that matter most: performance, efficiency, cost, security, and integration.
How Social and the Cloud Impact Your Governance Strategy - Christian Buckley
This document summarizes a presentation about how social media and cloud computing are impacting governance strategies. It notes that these new technologies are still maturing and present challenges to manageability, security, and compliance. The presentation outlines governance fundamentals for social media and cloud collaboration and helps ensure systems remain scalable, secure, compliant and manageable as platforms evolve rapidly. It discusses key drivers of social media and cloud adoption as well as risks and best practices for a holistic governance strategy that considers both on-premise and cloud-based systems.
This document discusses cloud security and provides an overview of McAfee's cloud security solutions. It summarizes McAfee's cloud security program, strengths, weaknesses, opportunities, threats, and competitors in the cloud security market. It also discusses Netflix's migration to the cloud for its infrastructure and content delivery and outlines Netflix's cloud security strategy.
Presentation on the Value and Impact of Social Science Data Archives and the CESSDA SaW Toolkit
A set of 38 slides used for the Focus Group Cost-Benefit Funding Advocacy Program (Task 4.6) session at the CESSDA Saw Workshop in The Hague 16/17 June 2016.
This was an interactive focus group repeated over two parallel sessions. It was aimed at European social science data archive staff with responsibility for bidding for funding or promotion and advocacy of the archive to key stakeholders.
The presentation covers some of the key ideas on how the CESSDA Saw funding advocacy toolkit will be structured, its components, and key facts and approaches it will include.
We expect the cost-benefit funding advocacy toolkit under development to support the negotiation with ministries and funding organisations across Europe.
The results of the toolkit user requirements survey with responses from 24 European social science archives were presented and discussed, together with suggested approaches and content for the toolkit. 22 people attended the two sessions overall, representing a mix of countries at different stages on the development path for social science archives (none, new/emerging, mature). There was strong interest and support for the emerging toolkit together with open discussion of how it can be applied in the specific political and administrative context of different European countries.
The slide set presented here is an extended version including a number of hidden background/ reference slides not used in the presentation. The focus group is one of a series guiding further development of the toolkit and its adoption being given to either: (a) social science data archive staff or (b) their key stakeholders (senior management in their universities, research councils and academies, funding ministries, national statistics offices, research users and depositors).
CESSDA is the Consortium of European Social Science Data Archives. The CESSDA SaW project “Strengthening and widening the European infrastructure for social science data archives” is funded by the European Commission as part of its Horizon2020 programme.
PrepData4Mobilty Data Gap Analysis - Approach and Discussion.pptx - FIWARE
Europe is on its way to generate and make use of more data than ever. The project PrepDSpace4Mobility aims at contributing to the development of the common European mobility data space by supporting the creation of a technical infrastructure that will facilitate easy, cross-border access to key data for both passengers and freight. Given the enormous potential of data and digital technologies, the project is expected to have a positive impact on European competitiveness, society, and the environment.
We invited experts in the field of mobility, transport and data space technology to join PrepDSpace4Mobility expert workshop #1 to learn more about the preliminary results of the project and give early feedback in order to sharpen the focus as needed and requested from the real market.
Project PrepDSpace4Mobility is funded by the European Union and coordinated by acatech (Germany). Activities are carried out by Amadeus SAS (France), EIT Urban Mobility, an initiative of the European Institute of Innovation and Technology, a body of the European Union, (Spain), FIWARE (Germany), FhG (Germany), IDSA (Germany), iSHARE (Netherlands), TNO (Netherlands), USI (Germany), VTT (Finland), EMTA (France), Group ADP (France), KU Leuven (Belgium), ERTICO (Belgium), BAST (Germany), UIH (Hungary), and MDS (Germany).
The E-CRIME project received EU funding to research cybercrime over three years with 10 partners across 8 countries. The project aims to measure the economic impact of cybercrime, develop deterrence measures, and increase awareness among policymakers and the public. Key outputs include a cybercrime taxonomy, training programs, economic models, and policy recommendations to help businesses prevent cybercrime.
The document discusses dilemmas around sustainability for the European Open Science Cloud (EOSC). It notes that EOSC drivers come from both open science ambitions and industrial politics. There are interweaved but separate economies for data and electronic services that power research. Ensuring open access to data and services while also supporting long-term preservation of these digital assets presents a "commons challenge." Beyond direct funding, partnerships and visibility will be important to achieve sustainability, while adopting some private sector techniques but maintaining academic values. The document outlines several dilemmas around funding models, roles of commercial versus public infrastructure, and level of intervention, and provides recommendations to help navigate these dilemmas.
Using cloud services: Compliance with the Security Requirements of the Spanis... - Miguel A. Amutio
Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio
02 agriculture challenges, existing standardisation efforts and data bio agri... - plan4all
Karel Charvat (Lesprojekt) presented the current challenges in agriculture. Karel mentioned the standardisation in agriculture as one of the main challenges that needs much more attention.
This document discusses standardization activities related to the ACTIVAGE project. It describes contributions to standards for body area networks, sensor integration, and data modeling. It discusses the development of an extension to the SAREF standard for eHealth and aging well domains. It also covers the IEEE P2510 standard for establishing quality of data sensor parameters, and the opportunities for digital innovation hubs around this standard. The document concludes that data quality is crucial for industries like health, and that certification processes for vendors will be important to integrate as work continues.
PrepData4Mobilty Data Gap Analysis - Approach and Discussion.pptxFIWARE
Europe is on its way to generate and make use of more data than ever. The project PrepDSpace4Mobility aims at contributing to the development of the common European mobility data space by supporting the creation of a technical infrastructure that will facilitate easy, cross-border access to key data for both passengers and freight. Given the enormous potential of data and digital technologies, the project is expected to have a positive impact on European competitiveness, society, and the environment.
We invited experts in the field of mobility, transport and data space technology to join PrepDSpace4Mobility expert workshop #1 to learn more about the preliminary results of the project and give early feedback in order to sharpen the focus as needed and requested from the real market.
Project PrepDSpace4Mobility is Funded by the European Union and coordinated by acatech (Germany), activities are carried out by Amadeus SAS (France), EIT Urban Mobility, an initiative of the European Institute of Innovation and Technology, a body of the European Union, (Spain), FIWARE (Germany), FhG (Germany), IDSA (Germany), iSHARE (Netherlands), TNO (Netherlands), USI (Germany), VTT (Finland), EMTA (France), Group ADP (France), KU Leuven (Belgium), ERTICO (Belgium), BAST (Germany), UIH (Hungary), and MDS (Germany).
The E-CRIME project received EU funding to research cybercrime over three years with 10 partners across 8 countries. The project aims to measure the economic impact of cybercrime, develop deterrence measures, and increase awareness among policymakers and the public. Key outputs include a cybercrime taxonomy, training programs, economic models, and policy recommendations to help businesses prevent cybercrime.
The document discusses dilemmas around sustainability for the European Open Science Cloud (EOSC). It notes that EOSC drivers come from both open science ambitions and industrial politics. There are interweaved but separate economies for data and electronic services that power research. Ensuring open access to data and services while also supporting long-term preservation of these digital assets presents a "commons challenge." Beyond direct funding, partnerships and visibility will be important to achieve sustainability, while adopting some private sector techniques but maintaining academic values. The document outlines several dilemmas around funding models, roles of commercial versus public infrastructure, and level of intervention, and provides recommendations to help navigate these dilemmas.
Using cloud services: Compliance with the Security Requirements of the Spanis...Miguel A. Amutio
Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio
02 agriculture challenges, existing standardisation efforts and data bio agri...plan4all
Karel Charvat (Lesprojekt) presented the current challenges in agriculture. Karel mentioned the standardisation in agriculture as one of the main challenges that needs much more attention.
This document discusses standardization activities related to the ACTIVAGE project. It describes contributions to standards for body area networks, sensor integration, and data modeling. It discusses the development of an extension to the SAREF standard for eHealth and aging well domains. It also covers the IEEE P2510 standard for establishing quality of data sensor parameters, and the opportunities for digital innovation hubs around this standard. The document concludes that data quality is crucial for industries like health, and that certification processes for vendors will be important to integrate as work continues.
The document discusses the Once-Only Principle Project (TOOP), an EU-funded project aimed at establishing a digital single market in Europe. The project seeks to (1) bridge data silos and reduce duplication by enabling information to be accessed once and reused many times across borders and sectors; (2) be user-centric and bring most-used citizen services online with cross-border access; and (3) decrease administrative burdens through increased data sharing between public agencies. The TOOP project has run pilots involving 20 EU member states and over 50 partners from public administrations, universities, and businesses to test the feasibility of the Once-Only Principle across Europe.
This document summarizes a project that received funding from the European Union's Horizon 2020 program. The project aims to develop an integrated framework for efficiently producing custom-designed products using flexible and autonomous manufacturing systems. It involves partners from Brazil and Europe conducting pilots in both regions. The objectives are to foster digital manufacturing sustainability, provide a decision support tool, and contribute to the competitiveness of industries in Brazil and Europe. Results so far include a flexible robotic system, an open industrial IoT platform, and predictive real-time simulation and optimization. Upcoming activities through September 2018 are specified.
This document provides guidance for applicants on submitting proposals for the FP7-ICT-2013-11 call for large-scale integrating projects (IPs). It outlines the purpose of IPs, which aim to generate new knowledge and technologies to improve European competitiveness or address societal needs through clearly defined scientific objectives. IPs involve at least three independent legal entities from different EU countries and have a comprehensive, integrated set of activities to achieve specific deliverables. The guide provides information on proposal structure, evaluation criteria, and the application process for this funding opportunity.
Value&impact research dataservices_idcc_2017Neil Beagrie
This document outlines the development and contents of a Cost-Benefit Advocacy Toolkit being created as part of the CESSDA-SaW project to help social science data services demonstrate their value. It describes conducting a user requirements survey and focus groups with stakeholders. The toolkit will include factsheets on ROI, benefits and costs, worksheets, a Development Canvas tool, case studies and links to external tools. It was designed to be easy to use and allow customization. The goal is to help data services advocate for support by showing their economic and social impacts.
This document outlines an academic session on cluster analysis taking place on September 28th and 29th, 2015 in Cork, Ireland. The session is sponsored by Cork County Council and the Faculty of Business and Humanities at Cork Institute of Technology (CIT). It will include presentations on using network and econometric analysis to study clusters, building international collaborations, and how clusters can drive economic growth. The first session on September 28th at CIT will focus on cluster analysis in academia.
Integrated security plan for medical device software: scalability and the lif...Anna Gomez
• Integrated security plan: key activities to
ensure scaling up operations, lifecycle coverage, successful
interaction with regulators.
• Six foundations addressing design, risk management,
operations, users, incident response, service enhancements,
based on a detailed, ongoing regulatory review.
• Security experience from designing the system and
interaction with regulators and sponsors on a novel pharmacy
patient and medication monitoring service.
This document summarizes the DataBio project, which received funding from the European Union's Horizon 2020 program. The project aims to boost bioeconomy industries by showing how big data technologies can increase performance and productivity in raw material production from agriculture, forestry, and fisheries. It will build a platform for handling distributed, heterogeneous data from these domains and provide analytics capabilities. The platform will be tested through pilots focused on precision agriculture, horticulture, arable farming, and subsidies/insurance. The project involves 48 partners, including several that provide relevant technologies and solutions.
This document summarizes the DataBio project, which received funding from the European Union's Horizon 2020 program. The project aims to boost bioeconomy industries by showing how big data technologies can increase performance and productivity in raw material production from agriculture, forestry, and fisheries. It will build a platform for handling distributed, heterogeneous data from these domains and provide analytics capabilities. The platform will be tested through pilots focused on precision agriculture, horticulture, arable farming, and subsidies/insurance. The project involves 48 partners, including several that provide relevant technologies and solutions.
This document summarizes the DataBio project, which received funding from the European Union's Horizon 2020 program. The project aims to boost bioeconomy industries by showing how big data technologies can increase performance and productivity in raw material production from agriculture, forestry, and fisheries. It will build a platform for handling distributed, heterogeneous data from these domains and provide analytics capabilities. The platform will be tested through pilots focused on precision agriculture, horticulture, arable farming, and subsidies/insurance. The project involves 48 partners, including several that provide relevant technologies and solutions.
This document discusses living labs and their role in regional smart specialization strategies. It defines living labs and provides examples of how they can function as vertical tools for specific sectors, as orchestrators between users and other stakeholders, and as models for territorial innovation. The document argues that living labs can help implement smart specialization strategies by involving users in research and development and strengthening regional strengths. Examples of projects involving cross-border, thematic, and whole-region living labs are provided.
This presentation was held at the 1st EOSC Stakeholder Forum 28-29/11/2017 in Brussels.
For more information on the 1st EOSC Stakeholder Forum visit: https://eoscpilot.eu/eosc-stakeholder-forum-shaping-future-eosc
Follow EOSCpilot on Twitter: https://twitter.com/eoscpilot
and LinkedIn: https://uk.linkedin.com/in/eoscpiloteu
Similar to Accountability for Data Governance in the Cloud (20)
This document proposes a Cloud Accountability Assurance Service to help monitor security and privacy in cloud services. The service would provide transparency and accountability across cloud supply chains by capturing how services can demonstrate accountability through different operational controls. It would assess deployed controls and their dependencies to systematically build dynamic assurance cases and support continuous monitoring-based certification.
SPACE provides a solution to help cloud service providers, customers, and auditors. It maps security and privacy policies to controls through an assurance case environment. Evidence is gathered from a software-defined storage solution to show how controls support policies. This provides continuous and evidence-driven assurance of cloud services and supply chains for all parties.
This 3-sentence document summary provides an overview of the key topics covered in the May/June 2016 issue of the IEEE Security & Privacy magazine. The magazine discusses smart TVs, code obfuscation techniques, and considerations around building trust for the future. It focuses on economic aspects of cybersecurity across these three main subject areas.
The document provides an overview of the organization and resources for the Software Engineering with Objects and Components (SEOC) course. It discusses the course webpage, mailing list, textbook, lecture notes, tutorials, coursework structure, and software recommended for the course (NetBeans or Eclipse). The document also contains slides on the course organization, tutorials, and coursework deadlines.
1. This project is partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD).
Accountability for Data Governance in the Cloud
Massimo Felici
Hewlett-Packard Laboratories
A4Cloud Summer School
Malaga, Spain, 3 June 2014
2. Overview
Problem of Data Governance
• Data Governance in the Cloud
Accountability Definitions
• Conceptual Definition of Accountability
• Definition of Accountability for Data Stewardship in the Cloud
Accountability Model
• Accountability Attributes, Practices and Mechanisms
Accountability Governance
• Accountability Framework
• Accountability Context
• Accountability Governance
Accountability, Risk and Trust
3. PROBLEM OF DATA GOVERNANCE
4. Regulatory Complexity
• Different national privacy or data protection laws in place
• The EU Data Protection Directive is currently going through a legislative and revision process
• Complex evolving regulatory regimes to comply with
In Europe, it is necessary to comply with the different national laws
Specific mechanisms (e.g. Binding Corporate Rules, contracts) may be in place in order to guarantee data transfers
Other arrangements are necessary to allow transborder data flows outside Europe, e.g. safe-harbour agreement with US
5. Regulatory Frameworks
Evolution of regulatory frameworks
ASIA
APEC Cross Border Privacy Rules
New country laws
EUROPE
Binding Corporate Rules
Revision of EU Privacy Directive
NORTH AMERICA
Enforcement powers in Canada
Proposed Consumer Privacy Bill in USA
LATIN AMERICA
New laws in Mexico, Colombia
Proposed laws in Peru, Costa Rica, Chile ...
ACCOUNTABILITY
6. Cloud Ecosystem Challenges
Emerging Issues: Cloud supply chains, Complexity, Scale, (Big) Data mining
• Isolation Failure
• Compliance Hazard
• Incomplete Data Deletion
• Lock in Hazard
• Loss of Governance
7. Problem of Data Governance
• Different regulatory regimes
• Complex governance environment
• Lack of trust in the cloud
• Lack of governance and transparency
• Transfer of data into the cloud
8. Drivers for Accountability
Globalisation and new technologies
• Cloud computing is the most significant shift in ICT deployments
• Global business environments
Uncertainty and trust (for customers, providers and regulators)
• Privacy and trust come from sound stewardship of information by service providers for which we need to hold them accountable
Regulatory complexity for the cloud
• New technologies like cloud are straining traditional privacy frameworks
• A clear and consistent framework of data protection rules is necessary
• Accountability addresses global interoperability
• Accountability allows avoidance of complex matrix of national laws and reduces unnecessary layers of complexity for cloud providers
9. DEFINING ACCOUNTABILITY
10. Accountability
How do you define (characterise) Accountability?
Identify 3 keywords (features) that characterise accountability
11. Defining Accountability
Conceptual Definition of Accountability
• Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly.
Applicable across different domains and capturing a shared multidisciplinary understanding within the project
Concerned about governance
Compliance with respect to internal and external criteria defined by stakeholders
Responsibly and proactively (explaining, justifying, remedying) delivery of actions
12. Defining Accountability
Definition of Accountability for Data Stewardship in the Cloud
• Accountability for an organisation consists of accepting responsibility for the stewardship of personal and/or confidential data with which it is entrusted in a cloud environment, for processing, storing, sharing, deleting and otherwise using the data according to contractual and legal requirements from the time it is collected until when the data are destroyed (including onward transfer to and from third parties).
• It involves committing to legal and ethical obligations, policies, procedures and mechanisms, explaining and demonstrating ethical implementation to internal and external stakeholders and remedying any failure to act properly.
Contextualising accountability for data governance in cloud ecosystems
personal and/or confidential data
Ethical aspects of accountability
Deploying different mechanisms
13. Accountability Model
Observability
Verifiability
Attributability
Transparency
Responsibility
Liability
Remediability
Defining governance
Ensuring governance
Demonstrating governance
Holding to account
Accountability Definitions
Different mechanisms supporting accountability
14. Accountability Attributes
Definitions
Conceptual attributes of accountability as used across different multidisciplinary domains; conceptual basis for our definitions, and related taxonomic analysis
Observability is a property of an object, process or system which describes how well the internal actions of the system can be described by observing the external outputs of the system.
Verifiability is a property of an object, process or system that its behavior can be verified against a requirement or set of requirements.
Attributability is a property of an observation that discloses or can be assigned to actions of a particular actor (or system element).
Transparency is the property of an accountable system that it is capable of ‘giving account’ of, or providing visibility of, how it conforms to its governing rules and commitments.
Responsibility is defined as the state of being assigned to take action to ensure conformity to a particular set of policies or rules.
Liability is the state of being liable (legally responsible).
Remediability is the state of being able to be remedied.
15. Accountability Attributes
• Analyse cloud behaviour
• Assess compliance
• Support openness
• Identify causes
• Provide Assurance
16. Accountability Practices
Accountability practices, what organisations must do to be accountable, support governance
• Defining Governance
Defines governance to responsibly comply with internal and external criteria, particularly relating to treatment of personal data and/or confidential data
• Ensuring Governance
Ensures implementation of appropriate actions
• Demonstrating Governance
Explains and justifies those actions, namely, demonstrates regulatory compliance, that stakeholders’ expectations have been met and that organizational policies have been followed
• Holding to Account
Remedies any failure to act properly, for example: notifies the affected data subjects or organizations, and/or provides redress to affected data subjects or organizations, even in global situations where multiple cloud service providers are involved
17. Accountability Mechanisms
Diverse accountability processes, non-technical mechanisms and technical tools that support accountability practices, that is, accountability practices use them
Examples of Accountability Mechanisms
• Software Tools
• Governance processes
• Risk assessment
• Assurance
• Standards
• Legal mechanisms
• Sanctions
18. Accountability Model
From accountability to being accountable
• Operationalise the accountability definitions
• Capture different abstraction levels of accountability
• Identify attributes contributing towards accountability
• Characterise accountable organisations
• Identify elements of accountability practices
• Enable accountability practices
19. FROM ACCOUNTABILITY TO BEING ACCOUNTABLE
20. Accountability Context
21. Accountability-based Approach in the Cloud
Rationale
• Increase trust (and trustworthiness)
• Trust can be achieved through: sound stewardship of information by service providers for which they need to be held accountable, and by integrated design for privacy
• Increase transparency, redress and assurance in a manageable way
• Motivate orgs to improve level of compliance
• Decrease complexity of complying with regulations in global business environments
• Flexibility in return for demonstration
22. Obligations
• Organisations accountable for obligations in relation to treatment of data
• Accountable organisations should ensure that obligations to protect data are observed by all who store and process the data, irrespective of where that processing occurs.
• Obligation:
o Is a requirement, agreement or promise for which there are certain consequences if it is breached.
o It can be one of three types: contractual, regulatory, and normative (i.e. derived from social norms)
23. Accountability Context
Regulatory Regimes
Accountability
Cloud Ecosystems
Obligations, responsibilities and liabilities of actors
Clarification of Requirements
Stakeholders
Requirements
Trustworthy Account
Help with meeting Obligations
Transparency
24. Accountability-based Approach in the Cloud
We take a ‘strong accountability’ approach
In particular, via:
• Being precise about what accountability means
• Joining technical measures to enhance the integrity and authenticity of logs with enhanced reasoning about how these logs show whether or not data protection obligations have been fulfilled (trusted logs + analysis)
• Including verification by independent, trusted entities and certification based on such verification
• Moving beyond accountability of procedures, to accountability of practice
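The "trusted logs + analysis" pairing named on the strong-accountability slide, as an added example that is not part of the original slides or of any A4Cloud tool: an HMAC hash-chained log is verified first, and only then is a retention obligation evaluated against it. The event fields, the 30-day deletion obligation, the key and every sample event are assumptions constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _mac(key, prev, body):
    # Canonical JSON so the same event always serialises to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"|" + payload, hashlib.sha256).hexdigest()


def append(log, key, body):
    """Append an event, binding it to the MAC of the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"body": body, "prev": prev, "mac": _mac(key, prev, body)})


def verify_chain(log, key, expected_head=None):
    """Return None if the log is intact, else the index where trust ends.

    expected_head is the last MAC as recorded independently (for example by
    an auditor); without it, removal of trailing entries goes undetected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        good = _mac(key, prev, entry["body"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], good):
            return i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def assess_retention(log, key, max_days, today, expected_head=None):
    """Per record: was it deleted within max_days of collection?

    No conclusion is drawn from a log that fails verification.
    """
    broken = verify_chain(log, key, expected_head)
    records = {}
    for entry in log:
        b = entry["body"]
        r = records.setdefault(b["record"], {"holder": None})
        if b["action"] == "collect":
            r.update(collected=b["day"], holder=b["actor"])
        elif b["action"] == "transfer":  # onward transfer changes the holder
            r["holder"] = b["to"]
        elif b["action"] == "delete":
            r["deleted"] = b["day"]
    report = {}
    for rid, r in records.items():
        if broken is not None or "collected" not in r:
            status = "unverifiable"
        else:
            deadline = r["collected"] + max_days
            end = r.get("deleted")
            if end is None:
                status = "violated" if today > deadline else "pending"
            else:
                status = "fulfilled" if end <= deadline else "violated"
        report[rid] = {"status": status, "holder": r["holder"]}
    return report


def build_sample_log(key):
    """Constructed sample events (not real data); 'day' is an integer day count."""
    events = [
        {"day": 0, "actor": "provider-A", "action": "collect", "record": "r1"},
        {"day": 0, "actor": "provider-A", "action": "collect", "record": "r4"},
        {"day": 1, "actor": "provider-A", "action": "collect", "record": "r2"},
        {"day": 2, "actor": "provider-A", "action": "transfer", "record": "r1",
         "to": "provider-B"},
        {"day": 10, "actor": "provider-B", "action": "delete", "record": "r1"},
        {"day": 20, "actor": "provider-A", "action": "collect", "record": "r3"},
        {"day": 35, "actor": "provider-A", "action": "delete", "record": "r4"},
    ]
    log = []
    for event in events:
        append(log, key, event)
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held by the logger and the auditor
    log = build_sample_log(key)
    head = log[-1]["mac"]
    print(assess_retention(log, key, max_days=30, today=40, expected_head=head))
    forged = copy.deepcopy(log)
    forged[6]["body"]["day"] = 25  # backdated deletion of r4
    print("trust ends at entry", verify_chain(forged, key))
```

An HMAC lets anyone holding the key forge entries, so the key must sit with the logging component and the independent verifier rather than the audited party; digital signatures would be the choice where the log has to stand as evidence against its own writer.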
25. Accountability Framework
Supporting cloud actors
Supporting accountability at different stages
Co-designing: Responsible and ethical corporate governance, Innovative regulatory frameworks, and Supporting technologies
Preventive – investigating and mitigating risk in order to form policies and determine appropriate mechanisms to put in place; putting in place appropriate policies, procedures and technical mechanisms
Detective – monitoring and identifying policy violation; putting in place detection and traceability measures
Corrective – managing incidents and providing notifications and redress
26. Accountability Governance
Claims
Supported by arguments
Providing Evidence
Questioning Evidence
Deciding to Trust
Emerging Trustworthiness
27. ACCOUNTABILITY IN CLOUD ECOSYSTEMS
28. Cloud Computing Roles
1. Cloud Subject: An entity whose data is processed by a cloud provider, either directly or indirectly. When necessary we may further distinguish:
a) Individual Cloud Subject, when the entity refers to a person.
b) Organisation Cloud Subject, when the entity refers to an organisation.
2. Cloud Customer: An entity that (1) maintains a business relationship with, and (2) uses services from a Cloud Provider. When necessary we may further distinguish:
a) Individual Cloud Customer, when the entity refers to a person.
b) Organisation Cloud Customer, when the entity refers to an organisation.
3. Cloud Provider: An entity responsible for making a [cloud] service available to Cloud Customers
4. Cloud Carrier: The intermediary entity that provides connectivity and transport of cloud services between Cloud Providers and Cloud Customers
5. Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Customers
6. Cloud Auditor: “An entity that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation, with regards to a set of requirements, which may include security, data protection, information system management, regulations and ethics.”
7. Cloud Supervisory Authority: An entity that oversees and enforces the application of a set of rules.
29. Data Protection Roles
1. Data subject: an identified or identifiable natural person (i.e. living individual). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
2. Data controller: an entity which alone or jointly with others determines the purposes and means of the processing of personal data.
3. Data processor: an entity that processes personal data on behalf of the controller.
4. Third party: an entity other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
5. Recipient: an entity to which data is disclosed, whether a third party or not (excluding authorities which receive data in the framework of an inquiry).
6. Supervisory authority: an independent authority that enforces the application of the data protection regulations in member states, providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data, hearing complaints lodged by citizens with regard to the protection of their data protection rights. The supervisory authority is either the Data Protection Authority or, less frequently, the National Regulatory Authority in the telecom sector in some member states.
30. Cloud Actor Roles
31. Cloud Actor Roles

| Extended NIST cloud roles | Data protection roles |
|---|---|
| Cloud subject | Data subject |
| Cloud customer | Data controller or Data processor |
| Cloud provider | Data processor or Data controller |
| Cloud carrier | Data processor or Data controller (unlikely) or Not applicable. |
| Cloud broker | Data processor or Data controller |
| Cloud auditor | (Not Applicable) |
| Cloud supervisory authority | Supervisory authority (DPA or NRA) |
| (Not Applicable) | Third party |
| (Not Applicable) | Recipient |
The Principle of Accountability
Article 29 WP 173, Opinion 3/2010 on the principle of accountability:
Data protection must move from ‘theory to practice’.
(i) the need for a controller to take appropriate and effective measures to implement data protection principles;
(ii) the need to demonstrate upon request that appropriate and effective measures have been taken. Thus, the controller shall provide evidence of (i) above.
Accountability consists of:
• Defining and accepting responsibility
• Ensuring implementation of appropriate actions
• Explaining and justifying actions
• Remediating failure
Data Controllers and Processors
Data controllers and data processors: what's the difference?
Test by the UK Information Commissioner’s Office (ICO)
Cloud Ecosystem Challenges
Emerging Issues: Cloud supply chains, Complexity, Scale, (Big) Data mining
• Isolation Failure
• Compliance Hazard
• Incomplete Data Deletion
• Lock in Hazard
• Loss of Governance
Accountability Relationships
Accountability through cloud service supply chains to the organisation that uses cloud services
The cloud provider is nearly always the data processor (DP):
• may need to assume co-controllership responsibilities
• may not know who the users are or what their services are being used for
The DP is accountable for cooperation with the data controller (DC) to:
• meet data subjects’ rights
• assist the DC in providing security measures
• act only on the DC’s behalf
Accountability Relationships
Cloud providers and cloud customers are accountable to cloud subjects and the Cloud Supervisory Authority
• Cloud customer is in general considered DC
• DC will be accountable for applicable data protection measures
Accountability Relationships
Accountability to society
• Cloud subject should be the rationale and real beneficiary of accountability chain
• All actors ultimately accountable to cloud subject
Key Features
1. Accountability should be viewed as a means to an end, not as an alternative to reframing basic privacy principles
• Organisations should be accountable for the personal and confidential information that they collect, store, process and disseminate
2. Accountability must deliver effective solutions whilst avoiding, where possible, overly prescriptive or burdensome requirements
3. Commitments of DC need to be well defined (part of responsibility)
• Commitments of DC should include all applicable legal obligations, any industry standards and declarations made by DC in privacy statements (definition of policies with respect to external criteria, 3 types of obligations)
• Clear allocation of privacy and security responsibilities across DC and DPs
4. Transparency
• Public nature of account where possible
• Commitments of DC need to be properly understood by DS (and other parties)
5. Verification of account
• Claims should be challengeable
• Strong enough verification process to show (the extent to which) commitments have been fulfilled
• Guarantees needed about integrity and authenticity of evidence
• Actor carrying out verification needs to be trusted by DS and to have appropriate authority and resources to carry out spot checking, etc.
ACCOUNTABILITY, RISK AND TRUST
Risk Assessment
[Figure labels: RISK; Likelihood or Probability of Occurrence; Impact or Severity; Threat Scenario; CSA top threats; ENISA risk analysis; Cloud Ecosystem; Operational Evidence; Expert Judgement]
Accountability, Risk and Trust
How does Accountability relate to Risk and Trust?
Accountability, Risk and Trust

| STATEMENT | YES | MAYBE | NO |
|---|---|---|---|
| Risk affects accountability | | | |
| Risk requires trust (dealing with uncertainty) | | | |
| Some threats are specific to cloud services | | | |
| Accountability mitigates risk | | | |
| Accountability mediates risk and trust (enhancing knowledge) | | | |
| Accountability supports interactions in the cloud | | | |
| Accountability supports trust decisions | | | |
| Accountability enhances cloud trustworthiness | | | |
| Trust facilitates interactions | | | |
| Trust relies on operational evidence of trustworthiness | | | |
Accountability, Risk and Trust
• Risk affects accountability
• Risk requires trust (dealing with uncertainty)
• Accountability mitigates risk
• Accountability mediates risk and trust (enhancing knowledge)
• Trust facilitates interactions
• Trust relies on operational evidence of trustworthiness
SUMMARY
Accountability Highlights
Addressing data governance in the cloud
• Accountability Definitions
• Accountability Model
• Accountability Framework
• Accountability Governance
Accountability in Cloud Ecosystems
Accountability, Risk and Trust
Thank You.