The recent advances in “Softwarization” technologies (e.g. virtualization, programming APIs, decoupling of software and hardware) are considered a game-changer for the whole economy and society. Various industries are moving their traditional applications and services to the cloud, as the benefits are undeniable. However, the transition also poses several challenges. Cloud applications are no longer developed for a single hardware platform or operating system but run on distributed and heterogeneous systems. The use of such dynamic infrastructure for software application deployment and data storage raises security and privacy concerns for cyber security operations. As a result, newly designed software solutions are required to be evolvable and adaptable, and should guarantee non-functional properties including security and privacy [1]. Moreover, the integration of cloud application development with DevOps is of current interest, as DevOps allows development, quality assurance and operations teams to work together to get things done faster in an automated way [2].
Figure 1: ARCADIA Conceptual Flow
ARCADIA Approach:
The ARCADIA project targets the alignment of software development paradigms with the opportunities offered by programmable infrastructure, in order to enable applications and services to adapt dynamically to the current execution environment. The main goal is a tight integration between the development and operations processes, enabling automatic deployment and life-cycle management through annotations integrated into the applications. The ARCADIA development paradigm aims at building reactive systems by including more context-awareness in applications and services; the approach is based on modularization, organization into microservices and delegation of the control and management logic to an external entity, namely the “Smart Controller”.
To support application security and privacy requirements, the proposed framework takes a policy-driven approach and integrates a source code annotation technique. Two types of policies are supported: Decision-Making and Access Control. The former are enforced by the Smart Controller either during application placement (e.g. deploying the application at a private data center in Germany) or at run-time (e.g. if the number of requests from an IP exceeds 10 per second, block this IP for 10 minutes). For the latter, the Smart Controller distributes the policies to the microservices that support security and privacy, automatically and on demand, as specified in the context model through ARCADIA-specific annotations in the source code. In addition, because they are embedded in the source code, such interpretable software annotations give the Smart Controller a deeper understanding of the application semantics (e.g. specified metrics, configuration parameters), so that it can adapt to different types of security and privacy requirements or support future operational decisions.
Figure 2: ARCADIA Security and Privacy supported Policies
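The run-time Decision-Making rule quoted above (more than 10 requests per second from one IP, block for 10 minutes) can be sketched as follows. This is an added example, not ARCADIA or Smart Controller code: the class, its method names, the sliding-window interpretation and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class RateLimitPolicy:
    """Hypothetical run-time Decision-Making policy (not ARCADIA's own API).

    Defaults follow the example in the text: more than 10 requests per
    second from one IP blocks that IP for 10 minutes.
    """

    def __init__(self, max_requests=10, window=1.0, block=600.0):
        self.max_requests = max_requests
        self.window = window                # seconds
        self.block = block                  # seconds
        self._recent = defaultdict(deque)   # ip -> timestamps inside the window
        self._blocked_until = {}            # ip -> time the block expires

    def decide(self, ip, now):
        """Return 'allow' or 'block' for one request from ip at time now (s)."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block"
            del self._blocked_until[ip]     # block has expired
        q = self._recent[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                     # left the sliding window
        q.append(now)
        if len(q) > self.max_requests:
            self._blocked_until[ip] = now + self.block
            q.clear()
            return "block"
        return "allow"


def replay(events, policy=None):
    """Apply the policy to (timestamp, ip) events in time order."""
    policy = policy or RateLimitPolicy()
    return [(ts, ip, policy.decide(ip, ts)) for ts, ip in sorted(events)]


# Constructed sample traffic using documentation-range addresses.
SAMPLE = ([(0.05 * i, "203.0.113.7") for i in range(12)]      # burst: 12 in 0.55 s
          + [(0.3, "198.51.100.2"), (0.9, "198.51.100.2")]     # ordinary client
          + [(300.0, "203.0.113.7"), (601.0, "203.0.113.7")])  # during, after block

if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE):
        print(f"{ts:7.2f}s  {ip:<15} {decision}")
```

Keeping the block state per IP and separate from the request window means an ordinary client sharing the service is unaffected while the offending address is blocked, and the block lifts on its own once the 10 minutes have passed.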
Evaluation Scenario:
“Remote Patient Monitoring” (RPM) is one of several applications selected for implementation by Technical University Berlin (TUB) to evaluate the capability and practical usability of the ARCADIA framework in supporting security and privacy requirements when developing and operating cloud applications. The development will follow the current FIWARE reference architecture for developing IoT applications [3]. Many applications, especially those in related FI-PPP use case projects, have already adopted this architecture because of its benefits, such as simple sensor data integration, device-independent APIs for quick app development and lock-in prevention, scalability and high availability. Some ‘Enablers’ will be selected for the realisation of the RPM scenario. However, such ‘Enablers’ have to be leveraged in ARCADIA Components following the ARCADIA metamodel [4]. According to this metamodel, specific information regarding the components’ configuration layer, governance layer, and exposed and required interfaces should be strictly defined.
[1]. “Toward a Strategic Agenda for Software Technologies in Europe,” Information Society Technologies Advisory Group (ISTAG), July 2012, Available Online: http://cordis.europa.eu/fp7/ict/docs/istag-soft-techwgreport2012.pdf
[2]. From Dev to Ops: An introduction, https://www.appdynamics.de/media/uploaded-files/White_Paper_-_An_Intro_to_DevOps.pdf
[3]. FIWARE IOT Stack, http://fiware-iot-stack.readthedocs.org/en/latest/index.html
[4]. ARCADIA. D2.3 – Description of the ARCADIA Framework. [Online] Available: http://www.arcadia-framework.eu/documentation/deliverables/