Cloud Computing market forecasts and technology trends confirm that Cloud is an Information Technology (IT) disrupting phenomena. However, security, privacy and data protection continue to be major barriers to Cloud adoption. The users’ concerns on security and privacy of Cloud systems strive from the lack of trust, visibility and auditability of the security and privacy controls the Cloud providers offer in their services. There are strong initiatives and recent standards at European and International level aiming to solve the issues of end-user trust in Cloud as well as transparency in Cloud offerings. They are paving the path towards trustworthy and certified Cloud services. Moreover, compliance with the new GDPR is an urgent necessity for Cloud consumers and providers acting as personal data processors or controllers because of the need to perform privacy risks assessments of their systems. In recent years, the number of companies world-wide adopting multiCloud architectures in their business strategies has grown significantly. However, cost optimisation and increased competitiveness of companies exploiting multiCloud will only be possible when they are able to leverage multiple cloud offerings, while mastering both the complexity of multiple cloud provider management as well as security strategies for ensuring the protection against the higher exposure to attacks that multiCloud brings. To this end, it is necessary to consider not only functionality and business aspects of the multiCloud services, but security and privacy aspects as well. In this context, the importance of tackling holistic security and privacy assurance of Cloud and Cloud-based IT systems is clear. Furthermore, there is a need to follow a systematic approach to cyber risk management in multiCloud that addresses both security and privacy threats. This is even more challenging in multiCloud systems because of the need of assessing not only system components’ own risks but also those of the Cloud providers of outsourced components. Fundamental research questions arise about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation. In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications. The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level Agreement Composition method. The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.
Date of Award | 2020 |
---|
Original language | English |
---|
Awarding Institution | - Universidad del País Vasco (UPV/EHU)
|
---|
Supervisor | Larrucea Uriarte (Supervisor) & Maria Victoria Higuero Aperribay (Supervisor) |
---|
An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications
Rios Velasco, E. (Author). 2020
Doctoral thesis: Doctoral Thesis