by Martin Gilje Jaatun, Christian Frøystad and Inger Anne Tøndel (SINTEF ICT)
The complex provider landscape in cloud computing makes incident handling difficult, as cloud service providers (CSPs) with end-user customers do not necessarily get sufficient information about incidents that occur at upstream CSPs. As part of the FP7 project ‘A4Cloud’, we have developed an incident management tool that can embed standard representation formats for incidents in notification messages, and a web-based dashboard for handling the incident workflow.
New tools, procedures and guidelines are needed to help cloud service providers be accountable to their customers. An accountable organisation must commit to responsible stewardship of other people's data, which implies that it must define what it does, perform what it defined, monitor how it acts, remedy any discrepancies between the definition of what should occur and what is actually occurring, and finally must explain and justify any and all actions that are performed [1]. Simply put, being accountable means ‘doing the right thing’. The objective of the Accountability for Cloud and other Future Internet Services project (A4Cloud) [L1] is to develop tools, guidelines and procedures to make being accountable a business advantage.
The Incident Management Tool (IMT) is a tool targeted at organisations and teams that handle computer security incidents – in practice any organisation that provides or consumes an internet service. The targeted audience of IMT is not the end user, but rather professional incident handlers and privacy officers. The contribution of IMT is a simplified incident format and a simplified incident exchange – making the solution usable for smaller companies as well. A dashboard (see Figure 1) has been developed to demonstrate and visualise how such a tool can be useful for incident management. Through the integration with the A4Cloud toolset, the incident handler is able to send notifications directly to the affected end users.
Figure 1: IMT dashboard description: In the upper right corner, the current incident handler (‘Ola Nordmann’) is indicated, with icons indicating active alerts and pending messages. Below that, there is the lead handler for the current incident. Below the lead handler, there are contact details for the liaison at the originating provider. The next box down indicates whether downstream subscribers have been notified of the incident. At the bottom, there are action buttons to derive an incident or update the incident with more information.
A problem experienced by incident handlers in the context of cloud computing is the lack of access to sufficient incident information throughout the cloud provider chain [2]. Furthermore, complicated cloud provider chains with multiple participants increase the need for more automated sharing of incident information – potentially allowing for automation of response actions, such as notification of availability-related SLA breaches to cloud providers and end users.
IMT operates in the direct context of multiple tools from the A4Cloud toolkit, namely DTMT, AAS and A-PPLE. IMT receives detected data transfer and audit incidents from DTMT and AAS, and utilises A-PPLE to notify end users about incidents that are relevant for them. When end users are to be notified, IMT sends a notification to A-PPLE, A-PPLE provides this information to the Transparency Log (TL), and Data Track fetches this information from TL in order to inform the end user about the incident. IMT could also be used outside the context of the A4Cloud tools as a way for organisations to communicate incident information and have this information propagate through the cloud service provision chain.
The IMT interacts with other instances of IMT and other tools by a simple, extensible incident format and a publish-subscribe based API. The integration with A4Cloud tools allows for easy notification of end users. The solution supports incidents propagating through the Cloud Service Provision Chain while preserving traceability. The IMT user interface targeting humans consists of a dashboard in which incident handlers and privacy officers can manage subscriptions, incidents and notifications. The notifications can be directed both to other instances of IMT and to A-PPLE instances capable of notifying end users, as appropriate.
In IMT, a human is involved in making the decision on whether or not to notify subscribers and end users. This is because few or no companies would agree to send their incidents directly to end users or customers as soon as they occur. Thus, the company can decide when to notify its subscribers and end users. A potential problem with this approach is that the company might decide not to notify about some incidents, but this should be prevented by maintaining an audit trail in which the decision not to notify is recorded as well.
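As an added illustration of the three mechanisms described above (incidents propagating through a provider chain with traceability, a human decision gate before notification, and an audit trail that also records the decision not to notify), the following is example code, not the A4Cloud project's IMT. The incident fields, the node API and the three-provider sample chain are assumptions chosen for illustration; the real IMT format and publish-subscribe API are not reproduced here.

```python
# Added example, not code from the A4Cloud project or its IMT.
# Models a three-provider chain (IaaS -> SaaS -> customer-facing CSP):
# each hop derives its own incident record linked to the upstream cause,
# a human handler decides whether to notify downstream subscribers, and
# every decision (including "do not notify") lands in a hash-chained
# audit trail. Field names and the node API are assumptions.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    provider: str                       # provider that issued this record
    summary: str
    severity: str                       # constructed scale: low | medium | high
    derived_from: Optional[str] = None  # upstream incident id (traceability)


class AuditTrail:
    """Append-only log where each entry carries the hash of the previous one,
    so editing or dropping an entry breaks verify()."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **event) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        record = {"seq": len(self.entries), "prev": prev, **event}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.entries:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class IMTNode:
    """One provider's incident-management endpoint in the chain (assumed API)."""

    def __init__(self, name: str, registry: dict[str, Incident]) -> None:
        self.name = name
        self.registry = registry            # shared id -> Incident lookup
        self.subscribers: list[IMTNode] = []
        self.inbox: list[Incident] = []
        self.audit = AuditTrail()
        self._counter = 0

    def subscribe(self, downstream: IMTNode) -> None:
        self.subscribers.append(downstream)

    def receive(self, incident: Incident) -> None:
        self.inbox.append(incident)
        self.audit.append(event="received", incident=incident.incident_id,
                          origin=incident.provider)

    def record(self, summary: str, severity: str,
               derived_from: Optional[Incident] = None) -> Incident:
        # A new record in this provider's own terms; derived_from keeps the
        # link to the upstream incident so the lineage can be reconstructed.
        self._counter += 1
        inc = Incident(f"{self.name}-{self._counter:03d}", self.name, summary,
                       severity, derived_from.incident_id if derived_from else None)
        self.registry[inc.incident_id] = inc
        self.audit.append(event="recorded", incident=inc.incident_id,
                          derived_from=inc.derived_from)
        return inc

    def decide(self, incident: Incident, handler: str, notify: bool, reason: str) -> int:
        # Human decision gate: the choice NOT to notify is audited too.
        self.audit.append(event="decision", incident=incident.incident_id,
                          handler=handler, notify=notify, reason=reason)
        if not notify:
            return 0
        for sub in self.subscribers:
            sub.receive(incident)
        return len(self.subscribers)


def lineage(incident_id: str, registry: dict[str, Incident]) -> list[str]:
    """Follow derived_from links back to the originating incident."""
    chain: list[str] = []
    cur: Optional[str] = incident_id
    while cur is not None:
        chain.append(cur)
        cur = registry[cur].derived_from
    return chain


def run_demo() -> tuple[dict[str, Incident], list[IMTNode]]:
    registry: dict[str, Incident] = {}
    iaas, saas, csp = (IMTNode(n, registry) for n in ("iaas", "saas", "csp"))
    iaas.subscribe(saas)
    saas.subscribe(csp)
    # Constructed sample: storage outage detected at the IaaS provider.
    root = iaas.record("Storage cluster EU-1 unavailable", "high")
    iaas.decide(root, handler="Ola Nordmann", notify=True, reason="SLA impact")
    # SaaS handler derives its own incident and notifies the customer-facing CSP.
    derived = saas.record("Document service degraded", "medium", derived_from=saas.inbox[0])
    saas.decide(derived, handler="Kari Nordmann", notify=True, reason="customer impact")
    # CSP handler holds off notifying end users; the decision is still audited.
    csp.decide(csp.inbox[0], handler="Per Hansen", notify=False, reason="awaiting ETA")
    return registry, [iaas, saas, csp]
```

The point of the hash chain is the last step: the CSP handler's decision not to notify is just as visible to an auditor as a notification would be, and altering that entry afterwards makes `verify()` fail.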
The A4Cloud project has reached its conclusion, but the project partners will continue to develop the various tools in new research opportunities. For IMT, the natural next step would be a large-scale pilot implementation in a real cloud provider chain, and we are currently exploring different options in this regard.
The Accountability for Cloud and other Future Internet Services project (A4Cloud) was led by Hewlett Packard Labs (Bristol, UK), with partners SINTEF, SAP, ATC, Cloud Security Alliance EMEA, Eurecom, Ecole des Mines de Nantes, University of Stavanger, Furtwangen University, Karlstad University, Queen Mary University of London, Tilburg University and University of Malaga. The project started in October 2012, and had its final review in May 2016.
Tools developed in the A4Cloud project:
- Incident Management Tool (IMT): described in this article
- Cloud Offerings Advisory Tool (COAT): an online tool where a prospective cloud customer can select possible cloud providers based on a set of criteria
- Data Protection Impact Assessment Tool (DPIAT): a checklist-based tool to assist a cloud customer in performing a data protection impact assessment in accordance with the EU General Data Protection Regulation
- Data Track tool (DT): a client-based tool for end-users to keep track of what kind of personal data they have disclosed to various cloud providers
- Accountability PrimeLife Policy Language Engine (A-PPLE): a server application running at each cloud provider to ensure that accountability and privacy policies are adhered to
- Audit Agent System (AAS): a distributed server tool running at each cloud provider that is capable of performing continuous audit monitoring of various processes
- Data Transfer Monitoring Tool (DTMT): a server tool running at each cloud provider, monitoring data transfers between physical storage locations for possible violations of customer policies regarding data location
Link:
[L1] http://a4cloud.eu
References:
[1] M. G. Jaatun, et al.: "Enhancing Accountability in the Cloud", to appear in International Journal of Information Management, DOI 10.1016/j.ijinfomgt.2016.03.004, 2016
[2] C. Frøystad, et al.: "Security Incident Information Exchange for Cloud Services", in Proc. of International Conference on IoT and Big Data, Rome, 2016
Please contact:
Martin Gilje Jaatun, SINTEF ICT, Norway
+47 900 26 921