Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime.The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help

Supporting Users in Cloud Plan Selection

Cloud computing is a key technology for outsourcing data and applications to external providers. The current cloud market offers a multitude of solutions (plans) differing from one another in terms of their characteristics. In this context, the selection of the right plan for outsourcing is of paramount importance for users wishing to move their data/applications to the cloud. The scientific community has then developed different models and tools for capturing users\u2019 requirements and evaluating candidate plans to determine the extent to which each of them satisfies such requirements. In this chapter, we illustrate some of the existing solutions proposed for cloud plan selection and for supporting users in the specification of their (crisp and/or fuzzy) needs

Data Security and Privacy in the Cloud

Relying on the cloud for storing data and performing computations has become a popular solution in today\u2019s society, which demands large data collections and/or analysis over them to be readily available, for example, to make knowledge-based decisions. While bringing undeniable benefits to both data owners and end users accessing the outsourced data, moving to the cloud raises a number of issues, ranging from choosing the most suitable cloud provider for outsourcing to effectively protecting data and computation results. In this paper, we discuss the main issues related to data protection arising when data and/or computations over them are moved to the cloud. We also illustrate possible solutions and approaches for addressing such issues

Security risk assessment in cloud computing domains

Cyber security is one of the primary concerns persistent across any computing platform. While addressing the apprehensions about security risks, an infinite amount of resources cannot be invested in mitigation measures since organizations operate under budgetary constraints. Therefore the task of performing security risk assessment is imperative to designing optimal mitigation measures, as it provides insight about the strengths and weaknesses of different assets affiliated to a computing platform. The objective of the research presented in this dissertation is to improve upon existing risk assessment frameworks and guidelines associated to different key assets of Cloud computing domains - infrastructure, applications, and users. The dissertation presents various informal approaches of performing security risk assessment which will help to identify the security risks confronted by the aforementioned assets, and utilize the results to carry out the required cost-benefit tradeoff analyses. This will be beneficial to organizations by aiding them in better comprehending the security risks their assets are exposed to and thereafter secure them by designing cost-optimal mitigation measures --Abstract, page iv

An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

x, 169 p.This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation.In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications.The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level AgreementComposition method.The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems

Automatically Enforcing Security SLAs in the Cloud

Dealing with the provisioning of cloud services granted by Security SLAs is a very challenging research topic. At the state of the art, the main related issues involve: (i) representing security features so that they are understandable by both customers and providers and measurable (by means of verifiable security-related Service Level Objectives (SLOs)), (ii) automating the provisioning of security mechanisms able to grant desired security features (by means of a security-driven resource allocation process), and (iii) continuously monitoring the services in order to verify the fulfillment of specified Security SLOs (by means of cloud security monitoring solutions). We propose to face the Security SLA life cycle management with a framework able to enrich cloud applications with security features. In this paper we (i) present a novel Security SLA model and (ii) illustrate a security-driven planning process that can be adopted to determine the (optimum) deployment of security-related software components. Such process takes into account both specific implementation constraints of the security components to be deployed and customers security requirements, and enables the automatic provisioning and configuration of all needed resources. In order to demonstrate the applicability of the approach, we present and discuss a practical application of the model on a real case study