MUlti-cloud Secure Applications...framework includes security-by-design mechanisms to enable application self-protection at runtime and methods and tools for the integrated security

This project has received funding from the European Union’s Horizon 2020 research and innovation

programme under grant agreement No 644429

MUlti-cloud Secure Applications

Deliverable title Deliverable ID:

Business scenarios analysis

D7.2

Preparation date:

23/12/2015

Editor/Lead beneficiary (name/partner):

Antonio M. Ortiz / Montimage

Internally reviewed by (name/partner):

Antony Shimmin / AIMES

Andrei Lobov / TUT

Abstract:

This document introduces the MUSA key results from a business perspective that will be used as a

reference guide to orient the MUSA results to a business-attractive approach. The Osterwalder

Business canvas is used as a reference model to illustrate the diverse aspects of the potential MUSA

business scenarios. Together with the business scenarios analysis, an overview of the IPR registry

that the consortium has created to keep track of the property rights on the MUSA exploitable

outcomes is presented.

Dissemination level

PU Public X

CO Confidential, only for members of the consortium and the Commission Services

D7.2: Business scenarios analysis 3

MUSA consortium

Fundación Tecnalia Research &

Innovation

(TECNALIA, Spain)

www.tecnalia.com/en

Project manager: Erkuden Rios

[email protected]

+34 664 100 348

Centro Regionale Information e

Communication Technology

(CER ICT, Italy)

Contact: Massimiliano Rak

[email protected]

CA Technologies Development

Spain SAU (CA, Spain)

Contact: Victor Muntes

[email protected]

Montimage

(MI, France)

Contact: Edgardo Montes de Oca

edgardo.montesdeoca@montimage

.com

AIMES Grid Services

(AIMES, UK)

Contact: Prof Dennis Kehoe

[email protected]

Lufthansa Systems

(LHS, Germany)

Contact: Dirk Muthig

[email protected]

TTY-säätiö

(TUT, Finland)

Contact: José Luis Martínez Lastra

[email protected]

http://www.tecnalia.com/en

mailto:[email protected]









Table of contents

MUSA consortium .................................................................................................................................. 3 Table of contents ..................................................................................................................................... 4 List of figures .......................................................................................................................................... 5 List of tables ............................................................................................................................................ 6 Executive summary ................................................................................................................................. 7 1 Introduction ..................................................................................................................................... 8

1.1 Objective of this document .................................................................................................... 8 1.2 Structure of this document ..................................................................................................... 8 1.3 Relationships with other deliverables .................................................................................... 8 1.4 Contributors ........................................................................................................................... 9 1.5 Acronyms and abbreviations .................................................................................................. 9 1.6 Revision history ..................................................................................................................... 9

2 MUSA business context: the multi-cloud security market ............................................................ 11 3 Methodology for the MUSA business models definition .............................................................. 13

3.1 MUSA value chain ............................................................................................................... 14 3.2 MUSA key infrastructure ..................................................................................................... 16 3.3 MUSA financial viability ..................................................................................................... 17

4 MUSA business models ................................................................................................................ 18 4.1 MUSA IDE (KR1) + MUSA libraries (KR2) ...................................................................... 18

4.1.1 Value chain ...................................................................................................................... 18 4.1.2 Key infrastructure ............................................................................................................ 19

4.2 Decision Support Tool (KR3) .............................................................................................. 21 4.2.1 Value chain ...................................................................................................................... 21 4.2.2 Key infrastructure ............................................................................................................ 22

4.3 MUSA Deployer (KR4) ....................................................................................................... 23 4.3.1 Value chain ...................................................................................................................... 23 4.3.2 Key infrastructure ............................................................................................................ 24

4.4 MUSA SaaS (KR8, including KR5-6-7) + MUSA libraries (KR2) ..................................... 25 4.4.1 Value chain ...................................................................................................................... 26 4.4.2 Key infrastructure ............................................................................................................ 27

4.5 MUSA Guide (KR9) and MUSA prototypes (KR10) .......................................................... 30 5 IPR management ........................................................................................................................... 31

5.1 IPR directory ........................................................................................................................ 32 6 Conclusion/Further work ............................................................................................................... 34 References ............................................................................................................................................. 35 Appendix A. MUSA motivation and background ................................................................................. 36 Appendix B. IPR directory information ................................................................................................ 37


List of figures

Figure 1. Osterwalder Business canvas [3] ........................................................................................... 13


List of tables

Table 1. MUSA Key Exploitable Results and their added value proposition for the customers .......... 14 Table 2. MUSA goals and associated key activities .............................................................................. 16 Table 3. MUSA IDE (KR1) and MUSA libraries (KR2) value chain ................................................... 18 Table 4. MUSA IDE (KR1) and MUSA libraries (KR2) key infrastructure ......................................... 19 Table 5. MUSA decision support tool (KR3) value chain .................................................................... 21 Table 6. MUSA decision support tool (KR3) key infrastructure .......................................................... 22 Table 7. MUSA deployer (KR4) value chain ........................................................................................ 23 Table 8. MUSA deployer (KR4) key infrastructure .............................................................................. 24 Table 9. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security assurance

SaaS (KR8) value chain ........................................................................................................................ 26 Table 10. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security assurance

SaaS (KR8) key infrastructures ............................................................................................................. 27 Table 11. IPR principles for the MUSA key results .............................................................................. 31 Table 12. IPR for the MUSA IDE (KR1) .............................................................................................. 37 Table 13. IPR for the MUSA DST(KR3) .............................................................................................. 38 Table 14. IPR for the MUSA deployer (KR4) ...................................................................................... 38 Table 15. IPR for the MUSA monitoring service (KR5) ...................................................................... 39 Table 16. IPR for the MUSA enforcement service (KR6) .................................................................... 39

Table 17. IPR for the MUSA notification service (KR7) ...................................................................... 40 Table 18. IPR for the MUSA security assurance SaaS (KR8) .............................................................. 40 Table 19. IPR for the MUSA guide (KR9)............................................................................................ 41


Executive summary

This document presents a detailed analysis of the business scenarios for both the MUSA framework

and its individual components.

First, the business context for the developments of the project is presented, where we summarise the

needs identified in the multi-cloud security market and the identified potential target customers for the

MUSA framework components. This business contextualization is followed by the introduction to the

methodology for defining the MUSA business models, in which the Osterwalder Business canvas will

be used to detail all the key elements related to the MUSA business strategy.

A detailed analysis of the business aspects for the key results of the project, focused on the value chain

and key infrastructure for each key result is then presented. The value chain gives insight of the added

value proposition, potential customers and channels to approach them, while the key infrastructure

refers to the key activities, resources and partners’ networks to support the commercialisation of the

MUSA results.

Finally, the document includes the description of the Intellectual Property Rights (IPR) registry that

will be used in MUSA project to register the rights on the background and track the rights on the

exploitable foreground of the project. The description includes details related to information property

rights for each MUSA asset, along with a brief explanation for each of its fields. The current IPR state

is detailed in the Appendix B.

The present document aims at serving as a reference guide to orient the MUSA developments and

related actions to promote the project results and foster its future commercialisation.


1 Introduction

1.1 Objective of this document

This document is deliverable D7.2 Business scenarios analysis of MUSA project [1] (see Appendix

A).

The document presents the business scenarios analysis for the MUSA framework (see description in

MUSA deliverable D1.1 Initial MUSA framework specification [2]) and its individual components. It

is aimed at offering an overview of the diverse exploitable outputs of the MUSA project from the

business point of view, analysing the opportunities and detailing the initial ideas of their

commercialisation.

In addition, a comprehensive survey of the project key results is presented taking as a basis the

Osterwalder Business canvas [3], which will be completed in D7.3 Initial Exploitation plan in month

24, once the implementation of the key results is advanced and more detailed information for the

commercialisation plans can be provided.

The Osterwalder Business canvas has been selected since it is a well-known and structured approach

to document the business models. The canvas details most of the elements to be considered for the

exploitation and commercialisation, and represents a reference model to conceptualize business

aspects. However, at this stage of the MUSA project, some of the fields of the canvas, mainly related

to the financial analysis, cannot be specified; they will be outlined in the initial exploitation plan in

M24 and concreted in the final exploitation plan in M36.

1.2 Structure of this document

This document starts by contextualizing the MUSA business activities in the multi-cloud security

market, including a brief description of the potential stakeholders. Then, the methodology for defining

the MUSA business models is presented, outlining the Osterwalder Business approach and detailing

the MUSA value chain and the key infrastructures to be used in the project. The document continues

with a detailed view of the business scenarios divided by project key results, describing the specific

value chain and key infrastructure for each key result. Finally, an overview of the MUSA IPR registry

is presented, along with the current information contained in the IPR registry.

The Appendix A presents the overview of the MUSA project while the Appendix B provides the

contents of the IPR registry.

1.3 Relationships with other deliverables

The information presented in this document relates to the following deliverables of MUSA:

D6.2 Dissemination strategy: It describes the MUSA dissemination strategy and identifies the

main target groups for the dissemination of MUSA results. The customers of MUSA are

necessarily part of those groups.

D6.4 Communication plan: It describes the MUSA communication strategy to ensure that the

MUSA outcomes are widely known in the software engineering, security and cloud computing

relevant communities.

D6.5 Networking plan: It describes the MUSA networking strategy towards the close

collaboration of MUSA participants with relevant communities both internal and external to the

project.

D7.1 Initial market study, trends and segmentation: It presents a detailed initial analysis of the

target market of the MUSA solution.


1.4 Contributors

While Montimage partner in MUSA has coordinated the work in the task and has taken the role of the

main editor of the deliverable, all MUSA project partners have contributed to this deliverable, i.e.:

Montimage

Tecnalia

AIMES

CeRICT

CA Technologies

Lufthansa Systems

Tampere University

1.5 Acronyms and abbreviations

CAPEX Capital Expenditures PaaS Platform as a Service

DevOps Development and Operations QoS Quality of Service

IaaS Infrastructure as a Service QoSec Quality of Secure

ISV Independent Software Vendor SaaS Software as a Service

OPEX Operating Expenses TLR Technology Readiness Level

1.6 Revision history

Version Date issued Author Organisation Description

0.1 15/10/2015 Antonio M.

Ortiz Montimage Initial ToC.

0.2 23/10/2015

Antonio M.

Ortiz, Erkuden

Ríos, Peter

Matthews

Montimage,

Tecnalia, CA

Technologies

Revised ToC.

0.3 12/11/2015 Antonio M.

Ortiz Montimage

Intermediate proposed. Initial content

for all sections.

0.4 19/11/2015 Alejandra Ruiz,

Erkuden Ríos Tecnalia

Include content on sections: 3, 4 and 5

and provide comments to the rest of the

sections.

0.5 23/11/2015 Luis González,

Stefan Spahr TUT, LHS Information regarding KR10.

0.6 24/11/2015

Antony

Shimmin,

Erkuden Ríos,

Antonio M.

Ortiz

AIMES,

Tecnalia,

Montimage

Added information for several KRs.

0.7 01/12/2015 Peter Mathews CA

Technologies Key infrastructure for several KRs.


Version Date issued Author Organisation Description

0.8 01/12/2015

Wissam

Mallouli,

Antonio M.

Ortiz

Montimage Sections 1 and 6; key infrastructure for

several KRs.

0.9 05/12/2015

Valentina

Casola,

Massimiliano

Rak

CeRICT Added information for several KRs.

1.0 10/12/2015 Antonio M.

Ortiz Montimage

Final proposed. Integration and

preparation for internal review.

1.1 11/12/2015 Erkuden Ríos Tecnalia Tables information update.

1.2 11/12/2015 Antonio M.

Ortiz Montimage

Overall review of the document, format

checking and minor corrections.

2.0 18/12/2015 Antonio M.

Ortiz Montimage

Final revised. Reviewers’ comments

addressed.

3.0 23/12/2015 Erkuden Rios Tecnalia Final released.


2 MUSA business context: the multi-cloud security market

Nowadays, the young and effervescent market of cloud services is expanding, influenced by the

migration of traditional services to the cloud. With the increasing availability of cloud services [4],

applications making use of multiple cloud services are expected to grow, and so does the amount of

sensitive information managed by these applications. In order to preserve security and privacy, multi-

cloud applications require security enforcing and privacy enhancing mechanisms. In this sense, the

MUSA project aims at designing and developing a security framework to support the security-

intelligent lifecycle management of distributed applications over heterogeneous cloud resources. This

framework includes security-by-design mechanisms to enable application self-protection at runtime

and methods and tools for the integrated security assurance in both the engineering and operation of

multi-cloud applications.

As stated in MUSA deliverable D7.1 Initial market study, trends, segmentation and requirements [5],

and due to the novelty of the multi-cloud technologies, the market for multi-cloud solutions (i.e.,

services, applications, etc.) is still not clearly defined. However, the increasing use of cloud resources

indicates that this technology (and by extension, multi-cloud solutions [6]) will experiment a

significant rise in the coming years.

Cloud computing uptake is expanding for many reasons: availability, performance, costs (deployment

and maintenance), etc. Consequently, the cloud computing market is growing rapidly and has been

enjoying this growth for some time. The current market is seen to be dominated by a few large players

such as Amazon, Google and Microsoft, which are the most frequently mentioned companies.

Nevertheless, many organizations, particularly in Europe, are wary of being locked into one vendor.

This fear of vendor-lock and the need to have a more personalised service will maintain the smaller

vendors for some time. Moving from the provision of cloud infrastructure by PaaS and IaaS to SaaS

and the provision of public services, it is easy to see from the stakeholder analysis presented in D7.1

that some of the growth in cloud computing is related to the growth in hybrid cloud implementations,

bringing developers and users into contact with multi-cloud computing.

It is clear from the market directions detailed in D7.1 that cloud computing is here to stay and is

already evolving as any good technology does. Security of SaaS applications and other architectures

such as PaaS or IaaS is rooted in access and identity control with little difference with other computing

architectures. The increasing componentization of applications and abstraction of IT infrastructures

introduces security issues of individual components that will expose vulnerabilities that are specific to

multi-cloud environments. The market has a need for a different security model for such multi-cloud

applications and multi-app devices (such as mobile phones and tablets), and here is where the MUSA

framework (and its individual components) comes into play.

In order to commercialise the diverse developments of the MUSA project, we cannot specify a unique

business model for all of them. On the contrary, the MUSA business scenarios are made up of the

different business models of the diverse Key Exploitable Results, which are outlined in Section 4.

The main target customers of the MUSA project results can be grouped in (i) multi-cloud application

developers, that design, develop and test the multi-cloud application, and (ii) multi-cloud application

operators, which are in charge of managing the operation of the multi-cloud application, including

application (re-)deployments, runtime management and control (monitoring).

Since the MUSA framework relies over a DevOps approach [7] that promotes the close collaboration

and communication between software developers and other information technology professionals,

MUSA introduces the DevOps Team as the main stakeholder of the MUSA framework, responsible

of the multi-cloud application development, deployment and execution (see D1.1 [2] for more

information). More concretely, the following roles can be taken by the DevOps Team:

Application developer: developers of the multi-cloud applications or services that exploit

multiple heterogeneous cloud resources in diverse cloud service providers. The development


shall be understood here as the set of all activities that span from application requirements

specification to implementation, including architecting, detail design, coding, testing, etc.

Therefore, the Application Architect (responsible of the design) and the Security Architect

(specialisation of Application Architect in charge of assuring the security in the multi-cloud

applications design) roles are also Application developers.

System operator: responsible of the deployment of multi-cloud applications.

Service administrator: in charge of the runtime management of the multi-cloud applications

which includes the monitoring of such applications.

Service business manager: has overall responsibility for the business aspects of offering

cloud services to cloud service customers. They create and track the business plan, define the

service offering strategy and manage the business relationship with cloud service customers.

Therefore, such DevOps Team will be the main target customer for MUSA Key Results. Depending

on the purpose of the Key Result and which activity in the multi-cloud application life-cycle the Key

Result is supporting, the role taken by the DevOps team will be mostly one of the above. In the

following we will differentiate between these roles in order to better tailor the Key Results

exploitation activities.

As it will be seen later in Section 4, the Cloud Service Providers (CSP) that offer the cloud services

used by the multi-cloud applications secured by MUSA are also a target customer for the MUSA

Security Assurance Platform (SaaS), Key Result KR8, as they will be potential users of the monitoring

and notification services offered by this platform.


3 Methodology for the MUSA business models definition

For the definition of the MUSA business models, we will use the Osterwalder Business Canvas [3],

which is a commonly used template for developing and documenting business models and was

initially proposed by Alexander Osterwalder based on his earlier work on Business Model Ontology. It

has become widely used in both R&D projects and business consulting to identify and depict the key

elements affecting a business model or plan.

Figure 1. Osterwalder Business canvas [3]

The key elements of the Osterwalder Business Canvas, depicted in Figure 1, can be summarised as

follows:

● Customer segments: people or organizations for which the product creates value. They can

be simple users and paying customers.

● Value proposition: there is a value proposition for each segment and they can be bundles,

products and services that solve customer problems and satisfy customer needs.

● Channels: touch-points to interact with customers and delivering value.

● Customer relationships: type of relationships that are established with the customers.

● Key resources: infrastructure to create, deliver and capture value. They show what assets are

indispensable in the business model.

● Key activities: which actions are really needed to perform well.

● Key partnership: who can help to leverage the business model.

● Cost structure: represents the whole cost of the business model.

● Revenue streams: how and through which pricing mechanisms the business models are

capturing value. They result from value propositions successfully offered to customers.


In the MUSA project, for an initial analysis of the business models, these nine blocks of the canvas are

grouped in three major business aspects:

● MUSA value chain: including the value proposition of the MUSA solution, their customers

and channels for getting into the market.

● MUSA key infrastructure: grouping key activities, key resources and partner network.

● MUSA financial viability: comprising costs structure and revenue streams.

The two first business aspects can be already defined in the context of the MUSA framework, while

for the financial viability, it is too early in the project to have a clear picture of it. For that, in this

deliverable, we will focus on the MUSA value chain and key infrastructure, as well as on the

definition of the business scenarios for each key exploitable result in the project, leaving the financial

analysis for D7.3 Initial exploitation plan, which will be issued in M24.

3.1 MUSA value chain

As already said, the MUSA value chain describes not only the value proposition of the MUSA

solution, but also the potential customers for which MUSA results can represent high added value, and

the set of channels and activities for getting into the market.

In terms of the value of the MUSA solution, the main outcome of the project is the MUSA framework,

containing the collection of MUSA methods and tools supporting the security-intelligent integrated

lifecycle management of multi-cloud applications. It aims at increasing the quality of user experience

and trust in clouds.

The MUSA framework is composed of 9 individual Key Exploitable Results, which provide an added

value for the customers that is depicted in Table 1.

Table 1. MUSA Key Exploitable Results and their added value proposition for the customers

Key result Added value proposition for the customers

KR1: MUSA Integrated

Development Environment

(IDE)

The IDE will raise the innovation capacities of application developers,

as they will accelerate the creation of applications that exploit multiple

cloud resources in a robust manner, independently of the potential

security lacks that the cloud providers may have. They will be able to

specify both at application components and at integrated SLA of the

application, the security properties offered by the application

leveraging the security, costs and performance properties of the clouds

underneath.

KR2: MUSA security

libraries (monitoring,

enforcement and

notification mechanisms)

The application developers will be able to add smart capabilities to the

multi-cloud applications by embedding the MUSA libraries into the

components in a non-intrusive manner so the applications are prepared

for self-protection at runtime. Application operators will exploit the

libraries capacities for monitoring, enforcement and notification to

ease and automate the integrated assurance of security during the

operation. Both features are novel approaches with no competitors in

the market.

KR3: MUSA decision

support tool

It will guide the application developers during the selection of the

adequate cloud resources where the application components will be

deployed, helping balancing security (QoSec), business (costs) and

functional requirements (QoS). The tool will also serve application

operators in re-deployment processes for selecting new combinations


Key result Added value proposition for the customers

of clouds. The application providers that act as both roles will be the

ones that most benefit from the tool as it links both activities through a

DevOps approach, so reducing re-deployment times and faults.

KR4: MUSA distributed

deployment tool

The application operators will be able to automate and normalise the

simultaneous (re-)deployments of the multi-cloud application

components to distributed cloud providers, which is currently a

manual and tedious process. Thanks to the DevOps approach, this

(re)deployment will be faster and aligned with application security

requirements.

KR5: MUSA monitoring

service

Application operators will be empowered with a tool to better control

at real-time, the security and functional properties of multi-cloud

applications and the cloud resources underneath. Currently, these are

two separate options, and particularly security monitoring is not

holistic in the sense that the existing tools do not support integrated

and consistent levels of monitoring (application and cloud).

KR6: MUSA enforcement

support service

Through the use of this service, the application operators will be able

to enforce the multi-cloud application security policies, even if they

do not have control over the data processing and storage SLAs of the

cloud resources used.

KR7: MUSA notification

service

Real-time control and management of the security properties of the

multi-cloud applications will let application operators be informed and

promptly react to security incidents and minimize their impact.

KR8: MUSA security

assurance platform (SaaS)

Application operators will benefit from the pay-per-use model of the

MUSA security assurance services (that include the monitoring,

enforcement and notification services, either independently or in

combination), which will let them save in CAPEX and OPEX.

KR9: Guide for an

integrated multi-cloud

secure applications

lifecycle management

Application developers will learn support practices and tools for

multi-cloud application creation balancing their security and

functional parameters.

Application operators will learn on methods and tools supporting the

integrated and consistent management of multi-cloud applications at

runtime.

Application providers that include development and operations teams

will be the ones taking the most out of the guide, as they will exploit

the gained knowledge on DevOps approach to reduce reworks and

time-to-market.

Regarding the customers, in MUSA deliverable D6.2 Dissemination strategy [8] we identified the

main relevant target groups for the dissemination and communication of MUSA results. Target

communities have been identified in the industrial and academic sectors, including public and private

organisations, as well as standardization bodies and policy makers. In particular, the dissemination is

split into dissemination to the scientific communities (cloud community focused on cloud security,

multi-cloud based application developers, Software engineering), where the focus is on transferring

knowledge and tools into the scientific domain, so that they can be used in complementary research

fields; and dissemination to the commercial community (independent software vendors (ISVs),

investors, technology providers, application providers, users, consultants, open source communities,

etc.), where the focus is on informing potential clients of the MUSA capabilities.


Regarding the channels and the activities to engage potential customers, according to the strategy and

actions plan defined in D6.2, all MUSA partners are involved in dissemination activities that include

scientific, industrial and professional dissemination. In particular, they are focused on participation to

thematic workshops and conferences, writing conference and journal articles, and preparation of

updated dissemination materials to distribute. Furthermore, all partners are engaged in the

dissemination activities through their dedicated channels.

3.2 MUSA key infrastructure

The key resources needed to successfully achieve the project objectives and develop the Key Results

are primarily the members of the project consortium that collaboratively work to complete the

technical, scientific and business goals of the project. To this aim, in the networking strategy,

presented in D6.5 Networking plan [9], we have proposed the definition of an internal and external

networking in order to explore singular partner background, with the goal of identifying better ways to

encourage new collaborations among partners and individuals, identify stakeholders’ interest in project

results and to create new opportunities for spreading the project results. We have endorsed the MUSA

researchers as a main part of the network, listing people that are involved in the project and

highlighting their research interests and skills, as well as their scientific background and publications.

Another major key resource is the cloud infrastructure that will be used to deploy the MUSA security

assurance platform SaaS (KR8) on top of it. This infrastructure is offered by AIMES partner during

the project and discussions are taking place to agree with the rest of partners on a fair payment model

for the infrastructure after the project.

Additionally, a series of activities are being carried out to foster the MUSA business model. These

activities are detailed in Table 2 and most of them will be done during and after the project.

Table 2. MUSA goals and associated key activities

Goal Required Key activities

Improve security-aware

behaviour of multi-cloud

applications (reduce

security incidents)

Development of the MUSA framework, including:

Design-time methods and tools for multi-cloud applications security

breaches prevention and security-aware contract specification.

Run-time methods and tools for multi-cloud application security

incident monitoring, notification and enforcement mechanisms.

Ensure that MUSA

results are widely

known in the software

engineering, security

and cloud computing

relevant fora

Create awareness and interest on MUSA results through the

dissemination and communication plans (D6.2 [8] and D6.4 [10]).

Identify a small group of potential adopters of MUSA results and

arrange meetings and seminars with them to raise the interest and get

initial feedback on what will be important in a wider exploitation

strategy.

Potential and current

users of the MUSA

framework can obtain

expert help on how to

effectively use it

Develop commercial seminars/courses (aimed at practitioners and at

decision-makers in management), and use project case-studies as part

of these courses.

Offer advanced consultancy services in effective use of the MUSA

results.

Develop the MUSA guide to security management in multi-cloud

applications, including explanations on the use of the platform and its

benefits for the users with a commercial approach.

MUSA results become Create awareness in and contribute to relevant initiatives and


Goal Required Key activities

standardised (either in

“official” standards or as

“de facto” industrial

practice)

standardisation bodies such as OASIS (TOSCA, CAMP), European

Cloud Partnership, etc.

Keep surveillance on cloud standardization trends, as cloud

computing standards arena is big and in continuous change. Special

focus on Cloud SLAs expert groups initiatives and CENELEC CWA

on Cloud Assurance.

Establish a strong

MUSA industrial users

+ researchers

community

In exploitation activities, encourage other experts in the field to join

the MUSA Community. Start by identifying relevant target user

groups and looking for incentives for them to use MUSA. The same

shall be done for research groups to join MUSA and continue with its

results, for instance, fostering the integration of open source

contributions.

3.3 MUSA financial viability

In the MUSA costs structure, the most remarkable costs are those inherent to the MUSA framework

improvement and exploitation: the fixed costs of the salaries of the researchers and experts and the

variable costs of the IaaS that will be needed for offering the MUSA security assurance platform as-a-

service. In any case, the pay-per-use price of the infrastructure provided by AIMES after the MUSA

project is expected to be reasonable for MUSA partners as AIMES are interested party in getting the

MUSA security assurance services as cheaper as possible, so they are used by a great number of multi-

cloud application operators (consumers of their cloud).

In any case, the financial viability of the MUSA framework components depends not only on the cost

structure but also on the revenue streams devised for each the components. These revenue streams

depend on the exploitation model selected for each of the components (free, license, pay-per-use, etc.)

At the edition of this deliverable, the MUSA framework is still in design and early development

stages, and therefore, it is too early to determine the actual costs structure and revenue streams that the

MUSA framework and its components will have. For this reason, this section will be detailed in the

future exploitation deliverables, D7.3 Initial Exploitation plan (M24), and especially in D7.4 Final

Exploitation plan (M36).


4 MUSA business models

In the context of MUSA, the business scenarios represent the envisaged possibilities to reach the

targeted market and to achieve the business objectives. As commented above, there are multiple

business scenarios for the MUSA developments depending on the components to be commercialised

and on the particular circumstances of the customers. This section presents an analysis of the business

scenario for each key result, while in future exploitation deliverables (D7.3 and D7.4), the strategy for

the entire MUSA framework as a whole DevOps tool, and the financial analysis will be detailed.

The exploitation strategy for the KR1, 2, 3 and 4 relies on a two-folded approach: a first basic version

that will be open source licensed, and a second commercial version, including advanced features that

could be licensed in proprietary formats. The KR5, 6 and 7 will be integrated in KR8 and will be

commercialised under a pay-per-use license, although it will also be possible to be commercialised

independently. The KR9 will be offered for free as complementary instructions to use the MUSA

framework and/or its individual components.

The following sections detail, per key exploitable result, the value chain (including the added value

proposition, the main customers and the channels to reach them), as well as the key infrastructure

available from each contributing partner (detailing the activities, resources and partner network).

4.1 MUSA IDE (KR1) + MUSA libraries (KR2)

The MUSA Integrated Development Environment (KR1) is composed of the MUSA Modeller for

multi-cloud application model specification (in a CloudML modelling language [11]) and the SLA

Editor that allows creating the Security SLA for multi-cloud application.

At this preliminary phase of the MUSA design, the MUSA Modeller implementation is still under

discussion so the final outcome is still an on-going work. One technological proposal is to develop the

MUSA Modeller as an Eclipse plugin to enable the security embedding into multi-cloud applications.

However, there is a second solution to be developed as an extension of the existing Modelio IDE [12].

The MUSA partners are still discussing the best approach.

The tool will be open source and its primary exploiter will be Tecnalia. As part of its technology

transfer model, Tecnalia will offer this toolset to innovative multi-cloud application providers, mainly

SMEs.

The MUSA Modeller will be in most cases integrated with the MUSA security libraries (KR2) in order

to have a basis to define the required actions to perform security assurance.

The main contributors to the MUSA IDE in terms of development and exploitation are Tecnalia,

CeRICT and Montimage, complementing each other's expertise: Tecnalia is expert in Eclipse based

tools development and multi-cloud applications, CeRICT stands out in cloud security and cloud SLAs,

and Montimage brings its knowledge on performance and security metrics needed in the components.

4.1.1 Value chain

Table 3. MUSA IDE (KR1) and MUSA libraries (KR2) value chain

Key result Added value proposition for

the customers

Customers Channels

KR1: MUSA

Integrated

Development

Environment (IDE)

- Modeller

The MUSA Modeller will allow

the specification of the multi-

cloud application architectural

model in a UML language (e.g., CloudML), including data

protection and security

Multi-cloud

application

developers

(application

architect, security

architect).

The MUSA

Modeller could be

released in Eclipse.

Consultancy and

technology transfer

services,


Key result Added value proposition for

the customers

Customers Channels

requirements.

This IDE will increase the

innovation capacities of

application developers, as they

will accelerate the creation of

applications that exploit multiple

cloud resources in a robust

manner, independently of the

potential security issues the

cloud providers may have.

particularly to

software SMEs.

Training events.

KR1: MUSA

Integrated

Development

Environment (IDE)

- SLA Editor

Allows the creation both at

application component level

and at integrated SLA, of the

application the security

properties offered by the

application leveraging the

security, costs and

performance properties of the

clouds underneath.

Multi-cloud

application

developers

(application

architect, security

architect).

This IDE-SLA

Editor will be

proposed as an

interactive Website

to specify security

and non-security

requirements in

terms of SLAs. Its

integration in the

Global MUSA IDE

is still under

discussion.

KR2: MUSA

security libraries

(monitoring,

enforcement and

notification

mechanisms)

The application developers will

improve the multi-cloud

application by embedding the

MUSA libraries into the

components in a non-intrusive

manner so the application is

prepared for self-protection at

runtime. Application operators

will exploit the libraries

capacities for monitoring,

enforcement and notification to

ease and automate the

integrated assurance of

security during the operation.

Both features are novel

approaches with no competitors

in the market.

Multi-cloud

application

developers

(application

architect, security

architect). Ideally

those that fulfil the

double role of

application

developers and

service

administrators)

Through the

MUSA community.

Consultancy and

technology transfer

services,

particularly to

software SMEs.

4.1.2 Key infrastructure

Table 4. MUSA IDE (KR1) and MUSA libraries (KR2) key infrastructure

Partner Activities Resources Partner network

TECNALIA During the project: A MUSA Tecnalia Ventures will

support Tecnalia in the



Establish a strong MUSA

industrial users + researcher

community

Promotion of the results in the

hands on workshops organised

by DPSP Cluster [13] and

MUSA project where we invite

industrial partners considered

as potential users.

Collaboration with CloudML

and Modelio communities for

security extensions.

After the project:

Maintain MUSA industrial

users + researcher community.

Develop commercial seminars

or courses.

Continue collaboration with

CloudML and Modelio

communities for further

security properties.

community place

on the Web.

Demonstration

prototype.

market orientation of

the project outcomes

while evolving the

prototypes from TRL 4

to TRL 6.

Tecnalia is already

member of Eclipse and

plays a role in

Polarsys, an industrial

working group within

the Eclipse Foundation.

CeRICT During the project:

Establish strong relation with

cloud security research

community.

Collaboration with H2020

projects focused on topics

related to cloud security and

SLAs management in cloud.

Disseminate Security SLA

model and usage.

Make academic seminars.

After the project:

Maintain the MUSA multi-

cloud Security SLA Editor.


partners and contacted projects

to empower security SLA tools.

A dedicated

Web page will

be available in

the Website of

CeRICT

including links

to white papers.

Demonstration

of prototype

tools based on

Security SLA

Editor.

Participation in

industrial events

to promote the

MUSA software

solution and

results.

CeRICT is a

consortium of

Universities and

participates to other

research projects

related to cloud and

security (e.g., SPECS

[14]), bringing the

network of contacts of

the involved

universities (Second

University of Naples,

University of Naples

Federico II and

University of Sannio).

Montimage During the project:

Establish strong relations with

industrial stakeholders,

researchers and application

developers interested on multi-

cloud security and monitoring.

Collaboration with the H2020

CLARUS project in securing

cloud environments.

After the project:

Maintain the MUSA

A dedicated

Web page will

be available in

the Website of

Montimage

including links

to white papers.

Demonstration

of prototype

tools based on

MMT and Other

Montimage is part of

Systematic innovation

cluster, a Paris region

systems and ICT

cluster in which the

MUSA developments

will be disseminated.

Montimage is in

contact with a list of

potential big

stakeholders in France



community of users and

developers.

Analyse and include new

security requirements updating

the security libraries to detect

and mitigate new

vulnerabilities.

Define a marketing strategy to

convince potential customers

and stakeholders to benefit

from the MUSA outcomes.

security

libraries.

Participation in

events to

promote the

MUSA software

solution and

results.

including Thales,

Orange, etc., and

outside France like

Ericsson and

CyberDefcon.

4.2 Decision Support Tool (KR3)

The MUSA Decision Support Tool (DST) will be provided as a web application and its primary

exploiter will be CA Technologies. They are interested in getting a mature and upgraded version of

their current Decision Support System (DSS) in MODAClouds [15] for intelligent decision based on

well-balanced security, functional and costs aspects of cloud resources. The main novelty of the

MUSA DSS resides in the fact that it is the first DSS focused on security aspects that recommends

cloud services in multi-cloud environments considering risk analysis, costs and quality in the same

tool.

4.2.1 Value chain

Table 5. MUSA decision support tool (KR3) value chain

Key result Added value proposition for the

customers

Customers Channels

KR3: DST - CSP

Data Gathering

Data Gathering tools will help

users/customers to complement existing

data on services with their own

evaluations. These evaluations can be

quantitative or qualitative in the form of

reviews.

Application

developers who

are testing new

services.

Users and

customers who

have data to

share on new or

existing

services.

MUSA

Community.

Customer

Presentations,

conference

presentations

and

demonstra-

tions.

KR3: DST - CSP

Data Repository

Data repository will hold data from the

data gathering and provide a central

repository for reviews and measures of

services.

Application

developers who

are testing new

services.

Customers

wanting to

review services.

MUSA

Community.

Customer

Presentations,

conference

presentations

and

demonstra-

tions.



customers

Customers Channels

KR3: DST - Risk

analysis

Measuring and recording the risk profile

of services is new to the service

procurement process. Prior to

MODAClouds and MUSA, risk was a post

facto activity. This part of the DST will

enable risk to be assessed prior to

development and consumption of

services.

Risk

professionals

developing risk

profiles of

services for

measurement or

review.

MUSA

Community.

Customer

Presentations,

conference

presentations

and

demonstra-

tions.

KR3: DST - CS

Discovery

Allows searching for Cloud Services

(CS) according to particular

characteristics.

Application

developers,

speculative

service

customers.

MUSA

Community.

Customer

Presentations,

conference

presentations

and

demonstra-

tions.

KR3: DST -

Match-making

Comparison of CS characteristics with

the multi-cloud app requirements.

Application

developers,

speculative

service

customers.

MUSA

Community.

Customer

Presentations,

conference

presentations

and

demonstra-

tions.

KR3: DST -

Decision support

Provide recommendations and

indications on best combination of cloud

services according to mc app requirements

(functional, security and business). The

combinations are ranked according to the

risk profile established for the multi-cloud

application assets.

Application

developers,

speculative

service

customers.

MUSA

Community.

Customer

Presentations,

conference

presentations

and

demonstra-

tions.


Table 6. MUSA decision support tool (KR3) key infrastructure


CA

Technologie

s

CA will develop

demonstrations and

presentations to

conferences, customers and

users of cloud services.

A MUSA

community place

on the web.

CA internal

MUSA community

CA internal

development and

product management

community



CA will develop an internal

CA presentation to inform

CA staff of the potential of

the MUSA technology.

demonstrations

and promotions.

Tecnalia Tecnalia will enrich the

KR4 demonstrations and

presentations with the

previous step of deployment

decision supported by KR3.

Similarly, demonstrations

and presentations of KR1

(architecture modelling)

will include the use of KR3

for the selection of CS to

use.

Participation in

events to promote

the MUSA

software solution

and results.

Tecnalia research center

collaborates in a number

of EU and international

research projects and

brings its international

network of partners,

alliances and clients.

CeRICT CeRICT will develop

demonstration, presentation

and seminar for academic

activities and scientific

conferences.

CeRICT will enrich the

SLA Editor tools in order to

support Decision tools.

A dedicated Web

page will be

available in the

Website of

CeRICT including

links to white

papers.

Participation in

events to promote

the MUSA

software solution

and results.

CeRICT is a consortium

of Universities and


research projects related

to cloud and security

(e.g., SPECS), bringing

the network of contacts

of the involved




Federico II and

University of Sannio)

4.3 MUSA Deployer (KR4)

The MUSA Distributed Deployment Tool will be primarily developed and exploited by Tecnalia with

the help of CeRICT, CA Technologies and AIMES. This tool will also be one of the key assets of the

multi-cloud application support toolset that Tecnalia is developing.

4.3.1 Value chain

Table 7. MUSA deployer (KR4) value chain


customers

Customers Channels

KR4: MUSA

distributed

deployment tool

The application operators will be able to

automate and normalise the

simultaneous (re-)deployments of the

multi-cloud application components to

distributed cloud providers, which is

currently a manual and tedious process.

This is especially relevant for multi-cloud

and multi-micro environments with

Multi-cloud

application

developers

(application

architect),

online service

providers

(system

The MUSA

Deployer

could be

released in

eclipse.

Consultancy

and

technology



customers

Customers Channels

changing context. Thanks to the DevOps

approach, this deployment will be faster

and aligned with application security

requirements.

operators)

transfer

services,

particularly to

software

SMEs.

Training

events.


Table 8. MUSA deployer (KR4) key infrastructure


TECNALIA During the project:



community.

Promotion of the results in

the hands on workshops

organised by DPSP Cluster

and MUSA project where

we invite industrial partners

considered as potential

users.

After the project:


users + researcher

community.

Develop commercial

seminars or courses.

A MUSA

community place

on the Web.

Multi-cloud

application for

demonstration

purposes.

Availability to

deploy an

application in at

least 3 or more

clouds.

Prototype under an

open source

license.

Tecnalia Ventures will


market orientation of the

project outcomes while

evolving the prototypes

from TRL 4 to TRL 6.

Tecnalia is already

member of eclipse and

plays a role in Polarsys,

an industrial working

group within Eclipse

Foundation.

AIMES During the Project

Provide interfaces for

deployment of multi-cloud

applications into other

CSPs.

Make available cloud

resources for the consortium

to launch their applications

into via the deployment

tool.

After Project

Make available deployment

tool to existing customer

base

Publicise Cloud Resources

to MUSA DSS to allow

deployment in the event

AIMES CSP services are

recommended

AIMES will make

available scalable

cloud resources to the

deployment tool. This

allows for cost

effective billing and

efficient cloud

computing, only

making use of

resources when

required

AIMES growth into a

multi-site cloud service

provider will co-incide

with the deployment of

multi cloud applications.

AIMES Management

Service is the

commercial element of

the business and will

market the deployment

tool as a method towards

adopting multi cloud

deployment.



CA

Technologie

s

During the project:

Maintain link between DST

and deployment tool.

Maintain the deployment

tool.

After the project:

Continue to promote the

technology to the CA

development and product

management communities

CA will develop

internal and external

sales presentations to

promote the

deployment tool as a

potential product

feature.

Further information

will be the subject of

Tech Talks to the CA

council for Technical

Excellence

CA has an extensive

customer and employee

base which will be the

target for exploitation

efforts.

CA will also engage

with the MUSA

community, the

MODAClouds Alliance

and other project groups.


Establish strong relation

with cloud security research

community.




SLAs management in cloud.

Reuse the SPECS Platform

components for the

assurance platform.

Make academic seminars.

Reuse tools that automate

Security SLA management.

After the project:

Maintain the Models and

related tools.


Partners and interested

projects to empower

Security SLA tools.

A dedicated Web

page will be

available in the

Website of

CeRICT including

links to white

papers.

Demonstration of

prototype tools

based on Security

SLA Editor.

Participation in

industrial events to

promote the

MUSA software

solution and

results.

Maintenance of

Security SLA

automation tools

developed in past

projects.

CeRICT is a consortium

of Universities and


research projects related

to cloud and security

(e.g., SPECS), bringing

the network of contacts

of the involved




Federico II and


4.4 MUSA SaaS (KR8, including KR5-6-7) + MUSA libraries (KR2)

Although KR5 (monitoring service), KR6 (enforcement support service) and KR7 (notification

service) may be commercialised independently, they are planned to be exploited as MUSA assurance

services integrated in the MUSA Security Assurance Platform (KR8). This platform will be exploited

as a SaaS built on top of existing open source solutions for cloud middleware that support resource

scalability and multi-tenancy. The main exploiter will be Montimage in collaboration with Tecnalia,

CA Technologies, AIMES and CeRICT. The security libraries that are part of KR2 will also be

included in KR8 since they define the monitoring, enforcement and notification mechanisms.

The MUSA security assurance platform will make use of an IaaS owned and managed by AIMES that

is able to store the user sensitive information with strong security reliability. Application operators

will benefit from the pay-per-use model of the MUSA security assurance services that will be

designed in order for the operators to be able to consume them independently.

MUSA security assurance services provision in the cloud is planned to be done in freemium model

(MUSA lite and MUSA pro). The lite version will be free and will enable basic support for


monitoring, reaction and notification capabilities. The commercial version (MUSA pro) will be pay-

per-use and will include proprietary technical features allowing a more complete, integrated and

accurate support to security assurance of multi-cloud applications at runtime. Among others, the

AIMES customer base will be targeted as end users upon completion of the project.

4.4.1 Value chain

Table 9. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security

assurance SaaS (KR8) value chain


customers

Customers Channels

KR5 MUSA

Monitoring Service

Application operators will be able to

monitor their environment at the

application, networking and cloud

infrastructure levels. The MUSA

Monitoring service will provide a holistic

interface for operators to monitor all facets

of their cloud as well as monitoring agents

that need to be deployed in different

virtual machines or containers to collect

relevant security related data.

System

Operators,

Cloud service

providers,

Business

Managers

CSPs,

Training,

Participation

and

organisation

of Cloud

related

events.

KR6 MUSA

Enforcement

Support Service

Enforcing security policies within multi-

cloud environments is needed by

customers when it comes to controlling

their applications. The enforcement

service will provide a set of easy to

deploy security mechanisms that ensure

the reliability and privacy of data and

communications.

Application

Developers,

Security

Architect

MUSA

Security

Consultancy.

MUSA CSPs,

SME

Awareness

and Training

Events.

KR7 MUSA

Notification

Service

Application Customers and business

managers will have visibility of security

incidents in network and application

Service Level Agreements (SLAs) being

contravened.

Application Developers who are managing

the environment on behalf of the client

will have foresight of security status

regarding the monitored multi-cloud

applications.

Application

Developers,

Business

Managers,

System

Administrators,

System

Operators

MUSA

Security

consultancy,

training

events and

value added

service

provided by

MUSA CSPs

KR8: MUSA

security assurance

SaaS

Application operators will benefit from the

pay-per-use model of the MUSA security

assurance services (either independently

or in combination) that will let them save

in CAPEX (capital expenditures) and

OPEX (operational expenditures) by

proposing a solution to monitor and

analyse multi-clouds applications and

activate automatic reactions and

notifications in case of security flaw

Multi-cloud

online service

providers (i.e.,

cloud-based

services and

application

administrators

and security

architect).

MUSA SaaS

Consultancy

and

technology

transfer

services,

particularly to

software

SMEs.

Training



customers

Customers Channels

detection in order to maintain the

confidentiality and privacy of sensitive

data and communications.

events.


Table 10. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security

assurance SaaS (KR8) key infrastructures


Montimage During the project:

Establish and maintain the

community of industrial

stakeholders and researchers.

Integrate the MUSA

developments in MMT to

foster the tool

commercialisation and

extend the customer base to

multi-cloud stakeholders.

Define open-source and

commercial versions of

MMT integrating the MUSA

results.

Build a common marketing

strategy to commercialise the

Security Assurance Platform.

After the project:

Maintain and extend the

community of stakeholders,

application developers and

researchers.

Update the monitoring,

enforcement and notification

modules with new

vulnerabilities.

Commercialise MMT as an

integrated solution including

the monitoring, enforcement

and notification capabilities

developed in MUSA.

Demonstration of

the MUSA

Security Assurance

Platform

prototypes in

industrial events.

Publications in

conferences and

journals to target

research

communities and

potential

stakeholders.

Montimage is part of

the Systematic, a Paris

region systems and

ICT cluster in which

the MUSA

developments will be

disseminated.

TECNALIA During the project:



community

Promotion of the results in

the hands on workshops

organised by DPSP Cluster

and MUSA project where we

A MUSA community

place on the Web.

Demonstration

prototype where

showing enforcement

functionality.

Tecnalia Ventures will


market orientation of

the project outcomes

while evolving the

prototypes from TRL 4

to TRL 6.



invite industrial partners

considered as potential users.

Definition of business model

around the open source

functionality.

After the project:


users+ researcher

community.

Develop commercial

seminars or courses.

Extending the results with

proprietary functionality for

professional services.

Tecnalia and MI will

collaborate in further

development of the results

and integration with billing

and metering services

towards such final product

AIMES During the Project

Research viability of

monitoring of multi-cloud

environments at network and

application layer

Engage with use cases to

understand their requirement

for monitoring and see how

that impacts upon CSP

operations and commercial

activities

Engage with Montimage to

understand their

technologies, and how they

interact with infrastructure

operated by CSPS

Work with the consortium to

understand the ramifications

of notification services and

how this impacts upon cloud

service providers. Help the

consortium understand

through experience, what

data CSPs are happy to share

to a notification service

Refine the notification

enforcement service with the

use cases

Promote transparency within

the CSP community to

provide the MUSA

AIMES IaaS platform

utilises a variety of

cloud technologies.

Including OpenStack,

Windows Azure

Pack/Stack and

VMWare. During the

project AIMES will

facilitate access for

consortium partners to

AIMES cloud

platforms.

AIMES will work

towards adopting the

variety of reporting

mechanisms, and

provide monitoring

interfaces publically

accessible to the

MUSA Monitoring

Service.

AIMES will work with

the Data Centre

Alliance to promote

the MUSA Security

Assurance Platform

amongst the CSPs

within the alliance.

AIMES work closely

with the NWCAHSN

(North West Coast

Academic Health

Science Network)

which amongst other

workstreams, promotes

digital health

applications. AIMES

envisage the digital

health community

being a suitable use

case for the security

assurance platform.

AIMES and the

NWCAHSN will

promote the security

assurance platform

amongst the

community.

The UK based

ASSURED Project



Monitoring Service

After the Project

Publicise Use of MUSA

Security Assurance Platform

as a value added service by

AIMES

Introduce platform to existing

customers

Work with Montimage to

develop product further in

relation to new cloud and

data centre technologies

Trial the Notification

Enforcement service with

Multi-Cloud adopters

Define business model

around providing the MUSA

Monitoring Service as a

product to existing customers

will make use of the

notification service.

ASSURED addresses

the problem of

protecting data in

industry, and

notification where

SLAs have been

contravened is of great

importance. There will

be shared exploitation

activities, which will

take place across

ASSURED and

MUSA. ASSURED is

due to start in Q1 of

2016.

CA

Technologie

s

Promote the SaaS and libraries

opportunities to CA internal staff.

Support other project members in

their efforts

Internal presentations

and tech talks to the

worldwide employee

community

CA world wide

internal community

including the Cross

company Council for

Technical Excellence


Establish strong relation with

cloud security research

community




SLAs management in cloud

Reuse the SPECS Platform

components for the assurance

platform

Make academic seminars

Reuse tools that automate

Security SLA management

After the project:

Maintain the Models and

related tools


Partners and interested

projects to empower Security

SLA tools

A dedicated Web

page will be

available in the

Website of

CeRICT including

links to white

papers.

Demonstration of

prototype tools

based on Security

SLA Editor.

Participation in

industrial events to

promote the

MUSA software

solution and

results.

Maintenance of

Security SLA

automation tools

developed in past

projects.

CeRICT is a

consortium of

Universities and


research projects

related to cloud and

security (e.g., SPECS),

bringing the network

of contacts of the

involved universities

(Second University of

Naples, University of

Naples Federico II and



4.5 MUSA Guide (KR9) and MUSA prototypes (KR10)

KR9 (reference use guide) and KR10 (MUSA prototypes) will not be commercialised per se, but they

will contribute to the correct design, specification and development of the MUSA framework in the

case of KR10 and to the comprehension and documentation of the MUSA framework and its

components operation in the case of KR9.

KR9 is the guide for an integrated multi-cloud secure applications lifecycle management. It contains

the instructions to manage and use the MUSA developments and will be a useful tool for the MUSA

customers (i.e., multi-cloud application developers and operators). The DevOps community is a

market AIMES are looking to address when it comes to promoting multi-cloud technologies. Our

experience working with the DevOps community is they require on demand cloud, but often they are

not aware of the security considerations when it comes to instant deployment of cloud resources. KR9

provides a medium for communicating the benefits of the MUSA framework in a coherent fashion,

and this will be made available to those looking to use AIMES as one of their CSPs for multi-cloud

deployments.

KR10 constitutes the innovative multi-cloud application service prototypes that exploit heterogeneous

clouds. This key result that will mainly be guided by the TUT and LHS use cases will serve to guide

and prove the correct operation of the MUSA developments in controlled real environments. AIMES

will seek to exploit the success of the use cases adopting multi-cloud by including it within their

product portfolio. The diversity of the use cases, the challenges they face and the scale are similar to

that of AIMES’ customers. However, multi-cloud applications have not been seen as a mature enough

offering. The success of the use cases will provide evidence of how they can address issues around

security at run time, as well as other business and technical requirements.

TUT has the special interest of implementing secure services built on top of Tampere city open data

infrastructure like the intelligent transportation systems. By demonstrating the secure management of

personal data with the usage of MUSA framework will be an incentive for implementing future

services, products and projects that mix open data services and personal data.

The LHS use case is used to prove the correct operation of MUSA and for demonstration purposes

during the project phase (e.g., workshops, review meetings etc.). This use case is based on the

commercial version of the LHS Airline Scheduling application, which is closed source software.


5 IPR management

In MUSA, as defined in the Consortium Agreement, the results are owned by the party that generates

them or on whose behalf such results have been generated. In the case of joint ownership (as is the

case for some results, see Section 4), a separate written agreement shall be concluded among the

concerned parties. This agreement should not adversely affect the access rights or other rights of the

other parties provided under the Grant Agreement or the Consortium Agreement.

Although a common strategy for releasing results into open source is adopted, the particular licence is

under discussion especially for the technical point of view. The use, modification or extension of

previous works could result into a licence incompatibility. For this purpose each of the works used as

background will be discussed and appropriate decision will be taken.

Table 11 shows the initial definition of the IPR principles for each MUSA key result including the list

of partners with primary and secondary exploitation interests.

Table 11. IPR principles for the MUSA key results

Key result IPR principles

KR1: MUSA Integrated

Development Environment

(IDE)

Open source and privative commercial products

Joint ownership

Primary expl. responsible(s): Tecnalia, CeRICT

Secondary expl. responsible(s): Montimage

KR2: MUSA security

libraries (monitoring,

enforcement and

notification mechanisms)

Open source and privative commercial products

Joint ownership

Primary expl. responsible(s): Montimage

Secondary expl. responsible(s): Tecnalia, CeRICT

KR3: MUSA decision

support tool Open source and privative commercial products

Joint ownership

Primary expl. responsible(s): CA Technologies


KR4: MUSA distributed

deployment tool Open source and privative commercial products

Joint ownership

Primary expl. responsible(s): Tecnalia

Secondary expl. responsible(s): CeRICT, CA Technologies,

AIMES

KR5: MUSA monitoring

service Open source and privative commercial products

Joint ownership


Secondary expl. responsible(s): Tecnalia, CeRICT, CA

Technologies, AIMES

KR6: MUSA enforcement

support service Open source and privative commercial products

Joint ownership

Primary expl. responsible(s): Tecnalia, Montimage

Secondary expl. responsible(s): CeRICT, AIMES

KR7: MUSA notification

service Open source and privative commercial products

Joint ownership


Key result IPR principles


Secondary expl. responsible(s): Tecnalia, AIMES

KR8: MUSA security

assurance platform (SaaS) SaaS product with freemium model (lite and pro)

Joint ownership

Primary expl. responsible(s): Montimage, Tecnalia

Secondary expl. responsible(s): CeRICT, CA Technologies,

AIMES

KR9: Guide for an

integrated multi-cloud

secure applications

lifecycle management

Consultancy services

Joint ownership

Primary expl. responsible(s): CA Technologies


KR10: Innovative multi-

cloud application service

prototypes that exploit

heterogeneous clouds

Mixed of open and closed source

Joint ownership based on foreground

Primary expl. responsible(s): LHS, Montimage, TUT

Secondary expl. responsible(s): Tecnalia, CeRICT, CA

Technologies, AIMES

5.1 IPR directory

The MUSA consortium maintains an IPR directory in which all the partners introduce information

related to the property rights to facilitate early agreement and management of IPR issues. The IPR

directory contains the following information:

- Asset name: refers to the name identifying the result that requires IPR information.

- IPR type: defines the type of IPR and can be:

- Background: if it was generated before the MUSA project.

- Foreground: it will be generated during the MUSA project.

- Asset type: identifies the category of the asset. There are two possibilities:

- Software: executable material, libraries, etc., that are aimed to be executed or

somehow participate in the execution of applications and/or services.

- Knowledge: diverse non-executable information related to the project developments

(e.g., manuals, instructions, etc.).

- Category: the main area(s) in which the asset is used, for example website, script, tool,

model, library, SaaS, etc.

- Owner/s: proprietary company/ies of the asset. It can be any of the MUSA Consortium

partners, a combination of them, or “Other” for external open source developments.

- Controlled License Terms: determines whether the asset is controlled under specific license

terms. If a component contains software under Controlled Licence Terms (CLT) the Owner(s)

must provide this info (mandatory), at the latest when a component is put forward for release

(i.e., included in any deliverable), but preferably as soon as software implementation is

planned. If "Yes" on CLT software, info must be provided in the Licences fields.


- Implementation rights: Access Rights that the IP holder grants to other consortium members

to use the IP for the MUSA project's implementation, and under what conditions. They can be

Royalty-free, Commercial or Not granted.

- Use rights: Access Rights that the IP holder grants to other consortium members to use the IP

after the MUSA project for exploitation and further research, and under what conditions. They

can be Royalty-free, Commercial or Not granted.

- Background used: previous developments and/or documents used.

- Licenses (int): licenses that govern the IP of the asset for parties internal to MUSA

consortium. They can be: closed source, open source or TBD (To be defined).

- Licenses (ext): licenses that govern the IP of the asset for parties external to MUSA

consortium.

- Dissemination plans: main actions to disseminate the asset in the MUSA project.

- Exploitation plans: specific actions to foster the exploitation of the asset in the MUSA

project.

The IPR directory is a dynamic structure that will evolve during the project, and will be used as a

reference during and after the project to store and maintain the IPR of the diverse MUSA

developments.

The implementation and use rights stated in the IPR directory as well as the dissemination and

exploitation plans need to be aligned with the corresponding clauses in the Consortium Agreement

signed by all MUSA partners for the execution of the project. The WP7 in the project will ensure that

such alignment is kept for all the updates in the IPR directory contents.

The Appendix B presents the current information contained in the MUSA IPR directory, divided per

asset.


6 Conclusion/Further work

With the aim of guiding the primary exploitation activities and the project developments, this

document presents a detailed analysis of the business scenarios for the project results. Following a

reduced version of the Osterwalder Business canvas, the value chain for the MUSA framework and for

each key result of the project is presented, along with the key activities to promote the

commercialization of the MUSA results.

This document is oriented to offer a prior knowledge on the business scene where the project results

will be exploited, illustrating the resources and value that the MUSA developments will have for the

potential stakeholders.

Having in mind the needs of the potential stakeholders and the market situation will definitely help to

guide the MUSA developments to create an attractive solution from the business point of view.

Furthermore, the consideration of the user needs will enable the easy adoption of the MUSA

developments in the growing multi-cloud applications market.

Together with the business scenarios analysis, the MUSA consortium maintains an IPR registry that is

summarized in this document. It contains key data related to the information property rights of the

MUSA developments that helps to keep track of which partners in the consortium own the rights to

exploit each result.

As the project advances, the information presented in this document may vary, and as more

information is available, the Osterwalder Business canvas for each key result and for the MUSA

framework itself will be completed and included in D7.3 Initial exploitation plan, that will be issued in

month 24.


References

[1] MUSA H2020 Project, Multi-cloud Secure Applications. 2015-2017. Available at:

www.musa-project.eu

[2] The MUSA Project. D1.1 Initial MUSA framework specification (2015).

[3] Osterwalder, A., & Pigneur, Y. Business model generation: a handbook for visionaries, game

changers, and challengers. John Wiley & Sons, 2010.

[4] Brooks, C. & Carter, S. IT as a Service Determining Application Workload Best Execution

Venues. 451 Research, 2014. Available at:

https://451research.com/images/Marketing/Webinar_Slides/451_Advisors_IaaS_Webinar.pdf

[5] The MUSA Project. D7.1 Initial market study, trends, segmentation and requirements (2015).

[6] Weins, K. Cloud Computing Trends: 2015 State of the Cloud Survey. Right Scale, 2015.

http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-

cloud-survey

[7] Gartner IT Glossary – DevOps. Available at http://www.gartner.com/it-glossary/devops.

[8] The MUSA Project. D6.2 Dissemination strategy (2015).

[9] The MUSA Project. D6.5 Networking plan (2015).

[10] The MUSA Project. D6.4 Communication plan (2015).

[11] CloudML Project, Model-based provisioning and deployment of cloud-based systems.

Available at: http://cloudml.org/

[12] Modelio: The open source modelling environment. Available at:

https://www.modelio.org/

[13] Data Protection Security and Privacy in the Cloud cluster of EU-funded research

projects. Available at: https://eucloudclusters.wordpress.com/data-protection-security-and-

privacy-in-the-cloud/

[14] SPECS Project, Secure Provision of Cloud Services based on SLA management.

Available at: http://www.specs-project.eu/

[15] MODAClouds Project, MOdel-Driven Approach for design and execution of

applications on multiple Clouds. Available at: http://www.modaclouds.eu/

http://www.musa-project.eu/

https://451research.com/images/Marketing/Webinar_Slides/451_Advisors_IaaS_Webinar.pdf

http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-cloud-survey

http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-cloud-survey

http://www.gartner.com/it-glossary/devops

http://cloudml.org/

https://www.modelio.org/

https://eucloudclusters.wordpress.com/data-protection-security-and-privacy-in-the-cloud/

https://eucloudclusters.wordpress.com/data-protection-security-and-privacy-in-the-cloud/

http://www.specs-project.eu/

http://www.modaclouds.eu/


Appendix A. MUSA motivation and background

The main goal of MUSA is to support the security-intelligent lifecycle management of distributed

applications over heterogeneous cloud resources, through a security framework that includes: a)

security-by-design mechanisms to allow application self-protection at runtime, and b) methods and

tools for the integrated security assurance in both the engineering and operation of multi-cloud

applications.

MUSA overall concept is depicted in the figure below.

Figure A.1: MUSA overall concept

MUSA framework combines 1) a preventive security approach, promoting Security by Design

practices in the development and embedding security mechanisms in the application, and 2) a reactive

security approach, monitoring application runtime to mitigate security incidents, so multi-cloud

application providers can be informed and react to them without losing end-user trust in the multi-

cloud application. An integrated coordination of all phases in the application lifecycle management is

needed in order to ensure the preventive oriented security to be embedded and aligned with reactive

security measures.


Appendix B. IPR directory information

This appendix presents the current information on the IPR directory that is kept by the MUSA

consortium partners. As a live document, it may be updated during the project, and these changes will

be reflected in future exploitation deliverables (D7.3 Initial Exploitation plan in M24 and D7.4 Final

Exploitation plan at the end of the project in M36).

The IPR registry, as defined in Section 5, contains a table for each asset that is developed in the

project. Tables 12 to 19 represent the IPR information for each of the identified assets.

Table 12. IPR for the MUSA IDE (KR1)

Asset name MUSA IDE

IPR type Foreground

Asset type Software

Category Modeller

Owner(s) Tecnalia, CeRICT

Controlled License

Terms (CLT) No

Implementation rights Royalty-free

Use rights Royalty-free

Background used CloudML, ModaClouds IDE, SPECS xml framework for SLAs.

Licences (int) Open source

Licences (ext) Open source

Dissemination plans Preparation of demos, videos, and training material

Exploitation plans

Knowledge to deep the expertise of Tecnalia in the field of mc applications,

particularly on the privacy and security aspects. The knowledge will be used for a

number of objectives:

- Strengthen the position of Tecnalia as a leader technology centre at EU level

in the areas of cloud-based applications, interoperability and distributed

environments.

- Consultancy and technology transfer services to local market, particularly

software SMEs.

- A PhD degree for Tecnalia staff.

Professional consultancy services for mc app requirements elicitation and specification

(with focus on security, privacy and data protection). Note that in most cases, the KR1

will be exploited in combination with KR4.

Tecnalia, CeRICT and Montimage partners will collaborate in its development and

will study the exploitation strategy according to the workload and contribution of each

partner in the result.


Table 13. IPR for the MUSA DST(KR3)

Asset name MUSA DST

IPR type Background and Foreground

Asset type Software

Category Website

Owner(s) CA Technologies

Controlled License

Terms (CLT) Yes



Background used Decision Support System from MODAClouds (a DST without security aspects)



Dissemination plans Preparation of demos, videos, and training material.

Exploitation plans

As the DST progresses it will be promoted as a potential update to existing CA

products. After a successful review the DST designs and prototypes would be included

in a product backlog for implementation with the development teams. This fits in the

security and API management domains within CA’s product set, but there is an

internal process to follow to include the DST as part of the product set.

Knowledge Transfer within CA Technologies is another channel for exploitation

Table 14. IPR for the MUSA deployer (KR4)

Asset name MUSA deployer

IPR type Foreground

Asset type Software

Category Configuration management tool

Owner(s) Tecnalia

Controlled License

Terms (CLT) No



Background used CSPs specific deployers, open source deployers (TBD)




Dissemination plans Preparation of demos, videos, and training material.

Exploitation plans

Professional consultancy services for automated deployment of cloud-based

applications, and particularly multi-cloud environments.

The potential of KR4 comes together with the use of KR3 (a and b) for selecting CSPs.

Basic open source KR3 will most likely be used when exploiting KR4. The use of non-

open source features of KR3 will be studied together with CA Technologies.

Table 15. IPR for the MUSA monitoring service (KR5)

Asset name MUSA monitoring

IPR type Background and Foreground

Asset type Software

Category Set of tools and agents

Owner(s) Montimage

Controlled License

Terms (CLT) Yes (for commercial version)


Use rights Royalty-free, commercial (depends on feature)

Background used MMT monitoring module


Licences (ext) Open source, commercial (pay-per-use)

Dissemination plans Preparation of demos, videos, and training material, research articles and papers

Exploitation plans Integration of MUSA developments in MMT, new multi-cloud capabilities will extend

the market and the potential customers, as well as the possibility to analyse SLAs.

Table 16. IPR for the MUSA enforcement service (KR6)

Asset name MUSA enforcement

IPR type Foreground

Asset type Software

Category Libraries

Owner(s) Tecnalia, Montimage

Controlled License





Background used Open source libraries




Exploitation plans

Tecnalia and Montimage will collaborate in further development of the results and

integration with billing and metering services towards such final product. Even if

Montimage will lead the exploitation, in those cases of joint ownership, both partners

will sign a written agreement that will rule the IPR and exploitation rights.

It is expected that the MUSA Security Assurance SaaS is deployed in a third party

cloud service provider, and AIMES partner will be the natural option for such hosting.

Therefore, the three partners will study the business models of the MUSA Security

Assurance SaaS and individual services (monitoring, enforcement and notification.

Table 17. IPR for the MUSA notification service (KR7)

Asset name MUSA notification

IPR type Foreground

Asset type Software

Category Web-based reports

Owner(s) Montimage

Controlled License




Background used MMT notification service




Exploitation plans After integrated in MMT, the notification service will be adapted to different kinds of

customers.

Table 18. IPR for the MUSA security assurance SaaS (KR8)

Asset name MUSA security assurance SaaS

IPR type Foreground

Asset type Software

Category Software as a Service


Owner(s) Montimage, Tecnalia

Controlled License




Background used MMT by MI



Dissemination plans Presentation in industrial venues, marketing campaign, demos, videos and training

material; research articles and papers

Exploitation plans

Montimage and Tecnalia will collaborate in further development and maintenance of

the MUSA Security Assurance SaaS including support for new security mechanisms.

This support will enable the MUSA Security Assurance SaaS to be updated and

commercialised in the multi-cloud applications market, which is expected to grow in

the coming years.

Apart from the support to the MUSA Security Assurance SaaS, Montimage will

incorporate multi-cloud security assurance capabilities to its flagship tool MMT,

which will be commercialised independently since it includes other capabilities not

only focused on security for multi-cloud environments, but also oriented to provide

overall support for monitoring diverse aspects of computing systems such as

networking, performance, QoS/QoE/QoBiz, etc.

Table 19. IPR for the MUSA guide (KR9)

Asset name MUSA guide

IPR type Foreground

Asset type Knowledge

Category Document/wiki

Owner(s) CA Technologies, Tecnalia, CeRICT, MI

Controlled License

Terms (CLT) No



Background used Knowledge from previous EU-funded research projects like MODAClouds, ARTIST,

SPECS, etc.; MMT (from MI) documentation

Licences (int) Open access

Licences (ext) Open access

Dissemination plans Publish (in open access) the guide document on the MUSA website and social


networks, and make it the basis for MUSA publications and presentations.

Create a wiki on top of the contents of the initial version of the guide and continuously

keep the wiki alive until the final version is ready.

Exploitation plans Use the guide to support the professional consultancy services around MUSA

framework tools.

Documents

MUlti-cloud Secure Applications...framework includes security-by-design mechanisms to enable application self-protection at runtime and methods and tools for the integrated security