Risk-Driven Compliant Access Controls for Clouds

TL;DR

This paper proposes a risk-driven approach to access control in cloud environments, integrating compliance metrics into policies to manage multi-jurisdictional data sharing and ensure regulatory adherence.

Contribution

It introduces a conceptual model of explicit regulatory requirements and defines compliance risk metrics integrated into access control policies for clouds.

Findings

Regulatory compliance can be modeled explicitly for cloud data sharing.

Metrics for non-compliance risks can be integrated into access policies.

Pre-decision policy analysis can mitigate compliance violations.

Abstract

There is widespread agreement that cloud computing have proven cost cutting and agility benefits. However, security and regulatory compliance issues are continuing to challenge the wide acceptance of such technology both from social and commercial stakeholders. An important facture behind this is the fact that clouds and in particular public clouds are usually deployed and used within broad geographical or even international domains. This implies that the exchange of private and other protected data within the cloud environment would be governed by multiple jurisdictions. These jurisdictions have a great degree of harmonisation; however, they present possible conflicts that are hard to negotiate at run time. So far, important efforts were played in order to deal with regulatory compliance management for large distributed systems. However, measurable solutions are required for the context of cloud. In this position paper, we are suggesting an approach that starts with a conceptual model of explicit regulatory requirements for exchanging private data on a multijurisdictional environment and build on it in order to define metrics for non-compliance or, in other terms, risks to compliance. These metrics will be integrated within usual data access-control policies and will be checked at policy analysis time before a decision to allow/deny the data access is made.