An integrated framework for the methodological assurance of security and privacy in the development and operation of multicloud applications

  1. RIOS VELASCO, ERKUDEN
unter der Leitung von:
  1. Xabier Larrucea Uriarte Doktorvater/Doktormutter
  2. María Victoria Higuero Aperribay Doktorvater/Doktormutter

Universität der Verteidigung: Universidad del País Vasco - Euskal Herriko Unibertsitatea

Fecha de defensa: 16 von Juli von 2020

Gericht:
  1. Juan José Unzilla Galán Präsident/in
  2. Guiomar Corral Torruella Sekretär/in
  3. Lourdes López Santidrián Vocal
Fachbereiche:
  1. Lenguajes y Sistemas Informáticos

Art: Dissertation

Teseo: 152712 DIALNET lock_openADDI editor

Zusammenfassung

This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation.In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications.The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level AgreementComposition method.The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.