Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime.The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help

Review of the environmental and organisational implications of cloud computing: final report.

Cloud computing – where elastic computing resources are delivered over the Internet by external service providers – is generating significant interest within HE and FE. In the cloud computing business model, organisations or individuals contract with a cloud computing service provider on a pay-per-use basis to access data centres, application software or web services from any location. This provides an elasticity of provision which the customer can scale up or down to meet demand. This form of utility computing potentially opens up a new paradigm in the provision of IT to support administrative and educational functions within HE and FE. Further, the economies of scale and increasingly energy efficient data centre technologies which underpin cloud services means that cloud solutions may also have a positive impact on carbon footprints. In response to the growing interest in cloud computing within UK HE and FE, JISC commissioned the University of Strathclyde to undertake a Review of the Environmental and Organisational Implications of Cloud Computing in Higher and Further Education [19]

Design and initial validation of the Raster method for telecom service availability risk assessment

Crisis organisations depend on telecommunication services; unavailability of these services reduces the effectiveness of crisis response. Crisis organisations should therefore be aware of availability risks, and need a suitable risk assessment method. Such a method needs to be aware of the exceptional circumstances in which crisis organisations operate, and of the commercial structure of modern telecom services. We found that existing risk assessment methods are unsuitable for this problem domain. Hence, crisis organisations do not perform any risk assessment, trust their supplier, or rely on service level agreements, which are not meaningful during crisis situations. We have therefore developed a new risk assessment method, which we call RASTER. We have tested RASTER using a case study at the crisis organisation of a government agency, and improved the method based on the analysis of case results. Our initial validation suggests that the method can yield practical results

Secure Cloud-Edge Deployments, with Trust

Assessing the security level of IoT applications to be deployed to heterogeneous Cloud-Edge infrastructures operated by different providers is a non-trivial task. In this article, we present a methodology that permits to express security requirements for IoT applications, as well as infrastructure security capabilities, in a simple and declarative manner, and to automatically obtain an explainable assessment of the security level of the possible application deployments. The methodology also considers the impact of trust relations among different stakeholders using or managing Cloud-Edge infrastructures. A lifelike example is used to showcase the prototyped implementation of the methodology

Towards a Security, Privacy, Dependability, Interoperability Framework for the Internet of Things

A popular application of ambient intelligence systems constitutes of assisting living services on smart buildings. As intelligence is imported in embedded equipment, the system becomes able to provide smart services (e.g. control lights, airconditioning, provide energy management services etc.). IoT is the main enabler of such environments. However, the interconnection of these cyber-physical systems and the processing of personal data raise serious security and privacy issues. In this paper we present a framework that can guarantee Security, Privacy, Dependability and Interoperability (SPDI) in IoT. Taking advantage of the underlying IoT deployment, the proposed framework not only implements the requested smart functionality but also provide modelling and administration that can guarantee those SPDI properties. Moreover, we provide an application example of the framework in a smart building scenario

Evaluating a Reference Architecture for Privacy Level Agreement\u27s Management

With the enforcement of the General Data Protection Regulation and the compliance to specific privacyand security-related principles, the adoption of Privacy by Design and Security by Design principles can be considered as a legal obligation for all organisations keeping EU citizens’ personal data. A formal way to support Data Controllers towards their compliance to the new regulation could be a Privacy Level Agreement (PLA), a mutual agreement of the privacy settings between a Data Controller and a Data Subject, that supports privacy management, by analysing privacy threats, vulnerabilities and Information Systems’ trust relationships. However, the concept of PLA has only been proposed on a theoretical level. In this paper, we propose a novel reference architecture to enable PLA management in practice, and we report on the application and evaluation of PLA management within the context of real-life case studies from two different domains, the public administration and the healthcare, where sensitive data is kept. The results are rather positive, indicating that the adoption of such an agreement promotes the transparency of an organisation while enhances data subjects’ trust

A Case Study for Business Integration as a Service

This paper presents Business Integration as a Service (BIaaS) to allow two services to work together in the Cloud to achieve a streamline process. We illustrate this integration using two services; Return on Investment (ROI) Measurement as a Service (RMaaS) and Risk Analysis as a Service (RAaaS) in the case study at the University of Southampton. The case study demonstrates the cost-savings and the risk analysis achieved, so two services can work as a single service. Advanced techniques are used to demonstrate statistical services and 3D Visualisation services under the remit of RMaaS and Monte Carlo Simulation as a Service behind the design of RAaaS. Computational results are presented with their implications discussed. Different types of risks associated with Cloud adoption can be calculated easily, rapidly and accurately with the use of BIaaS. This case study confirms the benefits of BIaaS adoption, including cost reduction and improvements in efficiency and risk analysis. Implementation of BIaaS in other organisations is also discussed. Important data arising from the integration of RMaaS and RAaaS are useful for management and stakeholders of University of Southampton