MUlti-cloud Secure Applications

Periodic Reporting for period 2 - MUSA (MUlti-cloud Secure Applications)

Reporting period: 2016-07-01 to 2017-12-31

The wide diffusion of cloud services, offering functionalities related to different application domains and addressing different computing and storage needs, opens up the possibility of building complex cloud-based applications that rely upon heterogeneous services, possibly offered by different cloud service providers (CSPs), to deliver value-added services to end-users.
The greatest challenges for achieving security-aware multi-cloud applications can be summarised as:
i) the identification of the cloud services for the deployment of the application components that allow the application's functional and non-functional requirements to be met;
ii) the specification of guarantees on the fulfilment of security policies and regulation compliance; and
iii) support for consistent application behaviour (e.g. access to data) regardless of the components' locations and of the interconnection topology.
Therefore, there is a need for DevOps frameworks that support the agile development and operation of multi-cloud applications and help in these processes, the ultimate goal being early reaction to incidents and adaptation of the application when required.
MUSA is the first open-source security DevOps framework that supports an integrated workflow to tackle security in all the phases of the creation and operation of multi-cloud applications.
The primary targets of DevOps frameworks like the one proposed by MUSA are (multi-)Cloud consumers, who will benefit from process automation and standardisation of practices including:
- Systematic Risk Analysis to better identify the threats over the components.
- Support to the Selection of cloud services that minimise identified risks.
- Automatic generation of feasible Security SLAs on top of the components’ SLAs and the CSPs’ SLAs.
- Automatic deployment in distributed CSPs.
- Monitoring and enforcement of the security behaviour of the application components.

CSPs can also benefit from the MUSA framework for benchmarking their core security competence in Cloud and for monitoring their cloud services in relation to the guarantees offered by the applications that run on top of them.
After three years the MUSA project has successfully achieved all its technical objectives and the expected impact of its outreach activities. The main results of the project can be summarised as:
• MUSA has advanced the state of the art in multi-cloud security by means of the MUSA Framework, which is the first open source Security DevOps solution for applications which combine the use of multiple heterogeneous cloud providers. All tools are available in
• The MUSA framework offers a kanban-style Dashboard that seamlessly integrates all the tools in the framework and offers a multi-disciplinary approach to the DevOps process for multi-cloud applications, considering application security throughout the workflow.
• MUSA has delivered an extended CAMEL language and a web-based MUSA Modeller for modelling multi-cloud applications with richer deployment and security requirements.
• MUSA has advanced the state of the art in security Service Level Agreement (SLA) modelling, SLA composition and automation of SLA generation by developing a complete SLA-based Security-by-Design Engineering Process and supporting tools.
• MUSA offers a very innovative Risk Management and Decision Support Tool for risk-based identification of required security controls and selection of cloud services that best match those controls.
• MUSA has advanced cloud-based application assurance by offering a continuous monitoring solution able to correlate distributed multi-source events captured at the system, application and network levels to detect security issues and facilitate the root cause analysis of potential SLA violations.
The MUSA Framework was successfully validated in two case studies: a flight scheduling prototype application by Lufthansa Systems and a smart cities application by Tampere University of Technology.
Since April 2015, the MUSA project has coordinated the Data Protection, Security and Privacy in Cloud cluster of EU-funded research projects working on these aspects of Cloud computing. As part of this work, the MUSA coordinator was the main editor of three major deliverables of the Cluster, the Map of synergies between the clustered projects, the Whitepaper on Challenges for trustworthy (multi-)Cloud-based services in the Digital Single Market and the Whitepaper on Cloud technology options towards Free Flow of Data.
The DPSP Cluster has organised two joint workshops (February 2016, Naples and September 2017, Amsterdam) where MUSA, as one of the co-organising projects, was presented in technical discussions on research challenges of cloud security and privacy, as well as demonstrated to Cloud stakeholders., was presented and participated in a panel on future.
The Cluster has actively participated in Net Futures 2016 and 2017 with presentations at concertation meetings and a booth in the exhibition area in 2016 that was visited by Digital Economy & Society Commissioner Günther Oettinger.
The consortium has also analysed the market opportunities for the MUSA framework components and devised the intended business models for them. Major exploitation activities were carried out in the project, including: a MUSA-organised workshop with Data Centre Alliance (DCA), Cloud Security Alliance (CSA) and Cloud Industry Forum (CIF) (March 2016, London); a MUSA-organised booth, presentations and a workshop at Cloud Security Expo 2017 (March 2017, London); and participation at Cloud and DevOps World 2017, at CloudWATCH2 Cloud Summit 2017 (September 2017, Amsterdam) and at Cloud days’ 2017 (September 2017, Nancy, France).
MUSA has greatly innovated in security-by-design methods for multi-cloud applications, particularly in the formal specification of security controls and metrics in cloud service Service Level Agreements (SLAs), as well as in the continuous monitoring of security properties stated in the SLA through monitoring agents deployed together with multi-cloud application components. The inclusion of systematic Risk management in multi-cloud for cloud service selection using security attributes is a novelty introduced by MUSA.
MUSA has considerably advanced the cloud security landscape by offering (multi-)cloud based application developers and operators a complete solution to security in their applications.
• MUSA has helped to improve the competitive innovation capacities of the European cloud sector by providing multi-cloud application developers and operators (particularly SMEs) with the MUSA Framework, a set of fully integrated open source tools for addressing security in multi-cloud application design, deployment and operation.
• With the use of MUSA, data security incidents in multi-cloud applications are reduced through the assurance of a secure behaviour of individual cloud-based components and the overall application, even if the data are processed and/or stored by untrustworthy or opaque cloud providers.
• The MUSA Framework enhances cloud consumers’ trust in clouds by providing them with tools for expressing their security needs and keeping them informed of the security faults of the multiple cloud services in use.
• MUSA has boosted the adoption of clouds even in advanced applications that use sensitive data, through the demonstration that cloud security risks can be minimised by using MUSA tools.
