5 research outputs found

    Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

    Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help.

    End-Users Leading, Capturing, and Mitigating Risk in a DSDM Project

    The study aimed to assess the suitability of Dynamic System Development Methodology (DSDM) for managing strategic risk and incorporating the end user's perspective in developing a Business Risk Strategy. Additionally, it sought to outline the elements and processes of the DSDM risk strategy, devise an end-user-centred DSDM risk strategy, and evaluate the effectiveness of the model in capturing the end user's voice. It was discovered that the DSDM serves as an agile software development tool aimed at enhancing the efficiency and productivity of software development projects. Traditionally, project teams have relied on conventional methods for assessing and mitigating risks in software development. However, the agile approach has emerged as a solution to common challenges encountered in these projects. While it can enhance project workflow and productivity, agile processes may not always effectively address customers' needs and involve them in the development process. To address this gap, it is essential to align customers' requirements with the technical capabilities and skills of the project team, particularly as team structures evolve. To facilitate this alignment, researchers have developed various techniques, tools, and processes to aid subject matter experts, end-users, and developers in making informed decisions. This approach simplifies the complex process of integrating customers' perspectives into software development, ultimately enhancing the overall success of the project. In this study, compliance theory and stakeholder theory are foundational in extracting the associated elements for the development of further strategy. Both theories offer valuable insights for examining the research questions, thereby enhancing the research motivation and contribution. By leveraging compliance theory, the study can analyse how regulatory requirements and standards influence risk management strategies.
Stakeholder theory, on the other hand, provides a framework for understanding the diverse interests and perspectives of stakeholders involved in the project, which is crucial for effective risk management. Integrating these theories into the research methodology can enrich the analysis and contribute to more comprehensive and insightful findings. The study adopts a qualitative approach, integrating a case study with qualitative interviews conducted in two organizations within the United Kingdom. It combines secondary data from the organizations, such as risk management records and lessons learned, with primary data collected through in-depth interviews and focused group discussions. Through a detailed analysis of the empirical evidence, the study identifies the central phenomenon of responsiveness as fundamental for mitigating risks and uncertainties in a DSDM project environment. Furthermore, the research uncovers a gap between the potential impact of end-user involvement in risk management and their current capabilities, including skills, knowledge, tools, and approaches. This realization leads to the development of the End User Framework (ERF), which stands as the primary contribution of the study. The ERF is formulated by synthesising key elements from interviews and case studies to bolster risk management in DSDM projects. Drawing on principles from stakeholder theory and compliance theory, which advocate for end-user involvement in the process, the ERF emphasizes continuous collaboration between project development managers and product owners. Additionally, it leverages the Organizational Project Management (OPM) structure to establish a hierarchical framework for risk management. Overall, the study underscores the significance of both primary and secondary data sources in informing the development of the ERF and advancing understanding of risk management in DSDM projects.
A total of 26 in-depth interview questions were posed to focus group interviewees from various project contexts. The focus group comprised 14 individuals from different levels of project management. Data collection was distributed as follows: 50% through interviews, 20% through archival data, and 30% through focus groups. Structured interviews, including a pilot interview with five participants, were conducted with 20 key figures within the software development community (refer to Table 5 for details regarding their roles, years in the organization, and employment status, whether full-time, contractor, or line manager). Before conducting the interviews, NVivo was employed for data analysis. The raw data was transformed into transcriptions, each representing an interview session alongside corresponding rationales for the new model. The resulting End User Framework (ERF) comprises three key steps. The thesis makes a multifaceted contribution. Firstly, it offers a solution to mitigate the inherent uncertainty in DSDM projects by emphasizing responsiveness to end-users' voices. Secondly, it introduces the End User Framework (ERF) to capture the end user's perspective throughout the project lifecycle. This framework integrates Soft Systems Methodology (SSM) and Customer, Actor, Transformation, Worldview, Owner, and Environment (CATWOE) approaches in the Environment step, Process step focusing on three levels of organizational view, technical view, and risk analysis, and Product step consisting of iterative cycles of 2-4 weeks. By following these steps, ERF ensures end-user involvement across risk analysis, compliance, and planning and control stages. The significance of ERF lies in its ability to replace existing measures of capabilities (such as skills, knowledge, tools, and approaches) with the end-user voice. However, further testing of ERF's impact in live projects is necessary to validate its effectiveness.

    An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

    x, 169 p. This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation. In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications. The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level Agreement Composition method. The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.