    Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

    Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies the definition, enforcement and control of both privacy and security mechanisms, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the privacy and security controls necessary to ensure transparency towards end-users, third parties involved in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification, at design time, of privacy and security level objectives in the system Service Level Agreement (SLA) and on their continuous monitoring and enforcement at runtime. The research leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreements No 644429 and No 780351, the MUSA project and the ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and the ENACT Consortium for their valuable help.

    The SafetyOps Dilemma: a Systematic Mapping Study on Rapidity in Safe AD Development - Supplementary Materials

    Supplementary Material regarding included and excluded data, and the rationale

    Students’ Professional Certification (SCert) in IS Higher Education

    An individual certification (IC) may help to improve the grades and the employability of IS undergraduate students. On the other hand, IS educators still face the dilemma of whether or not to adopt IC in their computing curricula. To deal with this challenge, in this research we described and tested the Students' Professional Certification (SCert) process. SCert introduces certification exams into the IS teaching and learning environment as an optional activity for students. SCert is an artifact derived from DevOps-based learning. We embedded two kinds of free certification exams: Scrum and DevOps. We chose Design Research to investigate the following research question: does student certification increase the student's grade? We collected historical data from 112 students from four different classes held between 2019 and 2020. By adopting SCert, the main results were: i) students who achieved one certification only had statistically better grades than non-certified students at a 5% ANOVA confidence level; ii) students who achieved two or three certification badges had better grades than those who achieved one certification only, although the difference was statistically significant only in comparison with non-certified students. This research aims to contribute to the investigation of how to embed certifications into the IS higher education context and to provide alternatives to IS higher education teaching methods that may benefit students' grades.

    Contribution to Stimulating the Use of Cloud Computing Solutions: Design of a Cloud Service Broker to Promote the Use of Trustworthy, Interoperable and Legally Compliant Distributed Digital Ecosystems. Application in Multi-cloud Environments.

    184 p. The aim of the research work presented in this thesis is to make it easier for developers and operators of applications deployed across multiple Clouds to discover and manage the different Cloud computing services, supporting their reuse and combination in order to build a network of interoperable services that comply with the law and whose service level agreements can be evaluated continuously. One of the contributions of this thesis is the design and development of a Cloud services broker called ACSmI (Advanced Cloud Services meta-Intermediator). ACSmI makes it possible to assess compliance with service level agreements, including legislation. ACSmI also provides an intermediate abstraction layer for Cloud services in which developers can easily access a catalogue of accredited services that are compatible with the established non-functional requirements. In addition, this research work proposes a characterisation of multi-Cloud native applications and the concept of "extended DevOps", conceived specifically for this type of application. The "extended DevOps" concept aims to solve some of the current problems in the design, development, deployment and adaptation of multi-Cloud applications by providing a novel, extended DevOps approach that adapts current DevOps practices to the multi-Cloud paradigm.

    An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

    x, 169 p. This Thesis studies research questions about how to design multiCloud applications that take into account security and privacy requirements in order to protect the system from potential risks, and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulty of assuring that security and privacy properties defined at design time still hold throughout the system life-cycle, from development to operation. In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud, enabling an informed decision process for the risk-cost balanced selection of the protections of the system components and of the protections to request from the Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications. The main contributions of this Thesis for multiCloud applications are four: i) the integrated DevOps methodology for security and privacy assurance, and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level Agreement Composition method. The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regard to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.

    Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps

    Validation of conformance to cybersecurity standards for industrial automation and control systems is an expensive and time-consuming process which can delay the time to market. It is therefore crucial to introduce conformance validation stages into the continuous integration/continuous delivery pipeline of products. However, designing such conformance validation in an automated fashion is a highly non-trivial task that requires expert knowledge and depends upon the available security tools, the ease of their integration into the DevOps pipeline, and their support for IT and OT interfaces and protocols. This paper addresses this problem, focusing on the automated validation of the ISA/IEC 62443-4-2 standard's component requirements. We present an extensive qualitative analysis of the standard's requirements and of the current tooling landscape for performing validation. Our analysis demonstrates the coverage established by the currently available tools and sheds light on the gaps that remain before full automation and coverage can be achieved. Furthermore, for every component requirement we show at which CI/CD pipeline stage it is recommended to be tested and which tools can do so.


    This thesis seeks to answer three questions concerning the Navy's adoption of DevOps and its practices. Those questions are: What is DevOps in a naval context? What stands in the way of its adoption? What are some ways that the Navy can overcome those obstacles? By drawing upon both an extensive review of the literature on the topic and interviews with subject-matter experts, this work provides a comprehensive understanding of the breadth and complexity of the change needed for the Navy to adopt a culture of DevOps along with its attendant practices. To the same end, this thesis proposes process architectures for continuous integration, continuous testing, and continuous certification, as well as the reorganization of the Navy's combat systems development hierarchy necessary for the transition to DevOps. Lieutenant, United States Navy. Approved for public release; distribution is unlimited.