MUlti-cloud Secure Applications

Antonio M. Ortiz, MUSA Project Exploitation Manager

The project leading to this work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429.


What is multi-cloud?

- Use of different cloud services

- Working in an integrated fashion

- Transparently for the end-user


The MUSA project

- EU Horizon 2020 ICT-2015
  - Call: Advanced Cloud Infrastructures and Services
- MUSA aims at contributing to building up the innovation capacity and technology excellence of the European software and service industry, particularly Cloud services
- Start date: Jan 1st 2015
- Duration: 36 months.
- Coordinator: Erkuden Rios, Tecnalia (Spain)


MUSA consortium


The MUSA project - Objectives

- Ensure security in multi-cloud environments
- Provide a framework supporting:
  - The security-intelligent lifecycle management of distributed applications over heterogeneous cloud resources
- Security-by-design mechanisms
- Application self-protection
- Integrated security assurance


Security in multi-cloud applications

- Multi-cloud application:
  - Distributed application over heterogeneous cloud resources. Its components are deployed in or use different cloud service providers and work in an integrated way and transparently for the end-user
- How to secure multi-cloud applications?
- Challenges:
  - Deal with the security of the individual components and,
  - Overall application security
    - Including the communications and the data flow between the components


Challenges

- Enable the security-aware design of distributed applications over heterogeneous cloud resources
- Automatic discovery of the cloud services that match with the application security requirements as well as functional and business needs
- Decision support to select the combinations of cloud services that best match the required balance between security and functional properties
- Automated distributed deployment of the components
- Security assurance through continuous monitoring of components and CSP behaviour
- Integrated methods in both engineering and operation of multi-cloud applications


[Figure: architecture diagram. Labels: DevOps team, Agile DevOps; MUSA SecDevOps Dashboard; MUSA Modeller; application architecture modelling; MUSA Risk Analysis & Decision Support Tool; CSP categorization; identify risks & required security controls; select CSPs; MUSA SLA Generator; QoS & QoSec; component SLAs, composite app SLA; MUSA Distributed Deployer; MUSA Security Assurance Platform (SaaS); monitoring, enforcement and notification services; mechanisms to ensure security at runtime; application components A, B, C, D; Private Cloud, Public Cloud 1, Public Cloud 2, Public Cloud 3.]


The MUSA SecDevOps Framework

- MUSA Framework: a holistic framework to support the security-intelligent lifecycle management of multi-cloud applications

[Figure: security-intelligent lifecycle (SecDevOps & agile). Labels: security-by-design engineering; secure deployment; runtime security assurance; phases DEVELOPMENT, DEPLOYMENT, EXECUTION; MUSA Modeller; MUSA Risk Assessment; MUSA SLA Generator; MUSA Decision Support Tool; MUSA Distributed Deployer; MUSA Security Assurance Platform (SaaS) with monitoring, enforcement and notification.]


MUSA Dashboard

- Kanban-styled integration interface (web-based frontend)
  - Each column representing the state of the components
- Multi-cloud application configuration
- Enables individual setup of the application components
- MUSA tools alignment for agile collaboration
- DevOps team can manage
  - Design, deployment and operation lifecycle


MUSA Modeller


- Enables the creation and update of the Cloud Provider Independent Model (CPIM) of a multi-cloud application
  - Supports CAMEL format
- Requirements specification
- Independent of the cloud services used
- Allows including security agents from the MUSA security catalogue
  - Will be automatically deployed


MUSA Modeller

- Used to model the application (CAMEL-based)
- Specifies requirements and parameters for the application components


MUSA Risk Analysis

- Allows the DevOps team to conduct a continuous risk analysis over a multi-cloud application
- Automatically identifies the potential risks of each application component
  - Indicating the risk severity
- Specific security controls can be selected for each type of potential threat


MUSA Risk Analysis


MUSA Decision Support Tool (DST)

- Facilitates the task of choosing the best cloud provider for each multi-cloud application component
- Provides the DevOps team a list of cloud service combinations
  - Matching the multi-cloud application requirements
  - Analysing the identified potential risks
  - Considering technical and non-technical parameters (e.g., location)
  - To ensure the proposed CSPs are optimal for a given multi-cloud application
- Allows the selection of one of the combinations as a deployment option candidate


MUSA Decision Support Tool (DST)


MUSA Deployer

- Facilitates the creation of an implementation plan
- Enables the automatic execution of the multi-cloud application components deployment
- Also copes with the security of the multi-cloud application
  - Acquires resources on selected CSPs that cover the specified security requirements
  - Automatically deploys the security enforcement agents selected by the DevOps team


MUSA Deployer


MUSA SLA Generator

- Allows the specification and creation of service level agreements (SLAs)
  - For each component of the multi-cloud application, and
  - For the whole multi-cloud application (composite SLA)
- Enables determining countermeasures to be taken into account at the design stage
  - To thwart the main existing threats and assess the effective security
- The MUSA SLA Generator is based on
  - The multi-cloud application model
  - The required security controls
  - The selection of the combination of cloud services


MUSA SLA Generator


Multi-cloud application runtime

- The DevOps team deploys the multi-cloud application components, as specified in the implementation plan
- Once the components are deployed, the DevOps team can monitor the application using the MUSA Security Assurance Platform (SecAP)


The MUSA SecAP

Three main services:

• Monitoring capable of collecting security properties using standard APIs, cloud interoperability frameworks, or measures by MUSA monitoring agents

• Notification to the application provider about detected security relevant incidents

• Enforcement to ensure that the multi-cloud application respects the security requirements in its SLA, by MUSA enforcement agents.

Multi-cloud application contract verification supported by composition of measures of low-level metrics.


The MUSA Security Assurance Platform (MUSA SecAP) - SaaS


Runtime Security Assurance - Monitoring

[Figure: runtime monitoring diagram. Labels: multi-cloud application with Comp A, Comp B, Comp C on CSP 1, CSP 2, CSP 3; monitoring agents (network, system, application); MUSA Security Assurance Platform (SecAP) - SaaS; monitoring, enforcement and notification services; ensure security at runtime; component SLAs, composite app SLA; SLA violation; feedback on monitored security behaviour of CSPs; MUSA Risk Analysis & Decision Support Tool; CSP categorization; select CSPs; select cloud service combination.]


Runtime Security Assurance

[Figure: runtime enforcement diagram. Labels: multi-cloud application with Comp A, Comp B, Comp C on CSP 1, CSP 2, CSP 3; security enforcement agents (activation, deployment with application component, deployment aaS); MUSA Security Assurance Platform (SecAP) - SaaS; monitoring, enforcement and notification services; ensure security at runtime; SLA violation; feedback on monitored security behaviour of CSPs; MUSA Risk Analysis & Decision Support Tool; CSP categorization; select CSPs; select cloud service combination.]


Tools in the MUSA Framework

MUSA tools are all open source. First prototypes available to test! www.musa-project.eu

[Figure: tools in the MUSA Framework. Labels: DevOps Team (Application Developers, Business Managers, Service Administrators, System Operators); MUSA SecDevOps Dashboard; MUSA Modeller; MUSA Risk Analysis & Decision Support Tool; MUSA SLA Generator; MUSA Deployer; MUSA Security Assurance Platform (SaaS).]


MUSA success stories

Smart Mobility

• Energy efficient and sustainable multi-modal transit of Tampere citizens when commuting from home to work and vice versa

• Based on services exposed in Intelligent Transport Systems and Services (ITS) platform (http://wiki.itsfactory.fi)

• Confidentiality and privacy of citizens’ personal data and location

Airline Flight Scheduling

• NetLine/Sched prototype by Lufthansa Systems

• Data localisation, data retention and deletion, data integrity, confidentiality, access control, etc.

The MUSA Framework and its individual tools can be used in a wide range of multi-cloud applications. During the project, two application use cases are being developed.


Thank you!

MUlti-cloud Secure Applications

Antonio M. Ortiz, MUSA Exploitation Manager, Montimage EURL R&D [email protected]

www.musa-project.eu

@MUSA_project

MUSA project (Group)

MUSA Project