Seeing through the clouds: Managing data flow and compliance in cloud computing

Abstract

As cloud computing becomes an increasingly dominant means of providing computing resources worldwide, legal and regulatory issues associated with the cloud also become more pronounced. In particular, there is a heightened focus on ensuring the privacy and integrity of end-users’ personal data. At present, the cloud is opaque, a black-box. The technical means for enforcing and demonstrating compliance with data management practices lag behind legal and regulatory aspirations. After reviewing existing methods for containing, accessing and encrypting data, we introduce Information Flow Control (IFC) as a technology enabling auditable, fine-grained management as data moves throughout systems. We describe how IFC offers potential in improving the visibility and control over data flows within and between cloud services and cloud-hosted applications. This is demonstrated through real-world legal/regulatory examples, which show how IFC can help satisfy data management obligations, and improve the accountability of responsible parties.

I. Responsibility in the cloud

Cloud computing is an industry with rapid and continued growth, reflecting the efficiencies and cost reductions that can be obtained through economies of scale, improved global accessibility, and simplified, ‘outsourced’ management and configuration.

Legal issues concerning data in the cloud derive primarily from four areas: contract; data protection; law enforcement; and regulatory and common law protections for particularly sensitive domains such as health, finance, fiduciary relations, and intellectual property assets. From a technical perspective, these legal requirements all impose information management obligations on the transmission and sharing of data within cloud-hosted applications and services. They may restrict how, when, where, and by whom, data may flow and be accessed. These issues must be managed not only between applications, but through the entire, potentially global, cloud supply chain.

Currently, cloud providers employ access controls, to prevent unauthorised access to data and services; and containment mechanisms, to prevent data leaking between tenants (those consuming cloud services) using shared infrastructure. But these tend to be security rather than compliance focused, often applying at specific application, system or user boundaries. Further, cloud services tend to be opaque and black-box in

Contact author: jatinder.singh@cl.cam.ac.uk

Cite this paper

@inproceedings{Singh2015SeeingTT, title={Seeing through the clouds: Managing data flow and compliance in cloud computing}, author={Jatinder Singh and Julia E. Powles and Thomas F. J.-M. Pasquier and Jean Bacon}, year={2015} }