Powered by OpenAIRE graph

Sticky Policy Based Open Source Security APIs for the Cloud

Funder: UK Research and Innovation
Project code: EP/J020354/1
Funded under: EPSRC
Funder Contribution: 126,939 GBP

Description

The Internet and telephone are successful because they use open protocols and open interfaces, allowing users to communicate, innovate and share at will. We propose to facilitate this process in cloud computing, by developing a set of open security services, protocols and interfaces (APIs) that will allow cloud resource owners to specify their policies for fine-grained access control to their cloud resources, and have these enforced everywhere at all times, regardless of the subsequent location or data processing that has ensued. The ability to securely share data with anyone, anywhere, at any time, will facilitate spontaneous collaborations and ensure confidence in collaborative working.

This will be achieved by using "sticky policies", delegation of authority, federated access and attribute-based access controls. Sticky policies are policies which are cryptographically linked or "stuck" to the data and meta-data they control, so that access to the data is only granted if the policy is honoured. In order to cater for Internet-scale cloud usage, federated access and attribute-based access controls are needed. Federated access allows users to identify themselves to a cloud service using their existing credentials, without having to first obtain new ones from the cloud service itself. Attribute-based access controls allow access to be specified based on a user's identity attributes rather than simply an identifier, which is typically used today.

In order to achieve Internet scale in identifying users and data resources, an ontology is needed that will classify both the data and the users who wish to access it. The authorities who issue identity attributes will also need to be classified. The characteristics of any particular set of data will be held in meta-data that describes or identifies the data, and conforms to the ontology. The meta-data itself will be stuck to the data in a similar way to the sticky policy.

When data is merged or fused with other data, or is split, filtered or reduced, its meta-data will need to change accordingly, in order to describe the new data. Similarly, the sticky policy that controls access to the new data will need to be derived from the original sticky policy(ies). This project will develop a new algebra and algorithms for deriving the new sticky policy from the old, using the ontology and meta-data as a guide. (Note that this project will not be performing the actual data merging or splitting, but simply assumes that trustworthy services are available to do this.)

The protocols and APIs specified in this project will be standardised through an organisation already well versed in cloud APIs, such as the Open Grid Forum or OASIS. In order to ensure the widest take-up of the services and APIs specified in this project, pilot implementations will be developed in Python and distributed as part of the OpenStack suite of software. OpenStack is a community project involving over 135 organisations, ranging from multi-nationals such as HP, Cisco and Intel, to specialist SMEs such as Cloudscaling. This project proposes to harness the energies of the OpenStack community by acting in a leading role to facilitate others in contributing to the development effort.
