This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under grant agreement No 644429
MUlti-cloud Secure Applications
Deliverable title Deliverable ID:
Business scenarios analysis
D7.2
Preparation date:
23/12/2015
Editor/Lead beneficiary (name/partner):
Antonio M. Ortiz / Montimage
Internally reviewed by (name/partner):
Antony Shimmin / AIMES
Andrei Lobov / TUT
Abstract:
This document introduces the MUSA key results from a business perspective that will be used as a
reference guide to orient the MUSA results to a business-attractive approach. The Osterwalder
Business canvas is used as a reference model to illustrate the diverse aspects of the potential MUSA
business scenarios. Together with the business scenarios analysis, an overview of the IPR registry
that the consortium has created to keep track of the property rights on the MUSA exploitable
outcomes is presented.
Dissemination level
PU Public X
CO Confidential, only for members of the consortium and the Commission Services
D7.2: Business scenarios analysis 3
MUSA consortium
Fundación Tecnalia Research &
Innovation
(TECNALIA, Spain)
www.tecnalia.com/en
Project manager: Erkuden Rios
+34 664 100 348
Centro Regionale Information e
Communication Technology
(CER ICT, Italy)
Contact: Massimiliano Rak
CA Technologies Development
Spain SAU (CA, Spain)
Contact: Victor Muntes
Montimage
(MI, France)
Contact: Edgardo Montes de Oca
edgardo.montesdeoca@montimage
.com
AIMES Grid Services
(AIMES, UK)
Contact: Prof Dennis Kehoe
Lufthansa Systems
(LHS, Germany)
Contact: Dirk Muthig
TTY-säätiö
(TUT, Finland)
Contact: José Luis Martínez Lastra
D7.2: Business scenarios analysis 4
Table of contents
MUSA consortium .................................................................................................................................. 3 Table of contents ..................................................................................................................................... 4 List of figures .......................................................................................................................................... 5 List of tables ............................................................................................................................................ 6 Executive summary ................................................................................................................................. 7 1 Introduction ..................................................................................................................................... 8
1.1 Objective of this document .................................................................................................... 8 1.2 Structure of this document ..................................................................................................... 8 1.3 Relationships with other deliverables .................................................................................... 8 1.4 Contributors ........................................................................................................................... 9 1.5 Acronyms and abbreviations .................................................................................................. 9 1.6 Revision history ..................................................................................................................... 9
2 MUSA business context: the multi-cloud security market ............................................................ 11 3 Methodology for the MUSA business models definition .............................................................. 13
3.1 MUSA value chain ............................................................................................................... 14 3.2 MUSA key infrastructure ..................................................................................................... 16 3.3 MUSA financial viability ..................................................................................................... 17
4 MUSA business models ................................................................................................................ 18 4.1 MUSA IDE (KR1) + MUSA libraries (KR2) ...................................................................... 18
4.1.1 Value chain ...................................................................................................................... 18 4.1.2 Key infrastructure ............................................................................................................ 19
4.2 Decision Support Tool (KR3) .............................................................................................. 21 4.2.1 Value chain ...................................................................................................................... 21 4.2.2 Key infrastructure ............................................................................................................ 22
4.3 MUSA Deployer (KR4) ....................................................................................................... 23 4.3.1 Value chain ...................................................................................................................... 23 4.3.2 Key infrastructure ............................................................................................................ 24
4.4 MUSA SaaS (KR8, including KR5-6-7) + MUSA libraries (KR2) ..................................... 25 4.4.1 Value chain ...................................................................................................................... 26 4.4.2 Key infrastructure ............................................................................................................ 27
4.5 MUSA Guide (KR9) and MUSA prototypes (KR10) .......................................................... 30 5 IPR management ........................................................................................................................... 31
5.1 IPR directory ........................................................................................................................ 32 6 Conclusion/Further work ............................................................................................................... 34 References ............................................................................................................................................. 35 Appendix A. MUSA motivation and background ................................................................................. 36 Appendix B. IPR directory information ................................................................................................ 37
D7.2: Business scenarios analysis 5
List of figures
Figure 1. Osterwalder Business canvas [3] ........................................................................................... 13
D7.2: Business scenarios analysis 6
List of tables
Table 1. MUSA Key Exploitable Results and their added value proposition for the customers .......... 14 Table 2. MUSA goals and associated key activities .............................................................................. 16 Table 3. MUSA IDE (KR1) and MUSA libraries (KR2) value chain ................................................... 18 Table 4. MUSA IDE (KR1) and MUSA libraries (KR2) key infrastructure ......................................... 19 Table 5. MUSA decision support tool (KR3) value chain .................................................................... 21 Table 6. MUSA decision support tool (KR3) key infrastructure .......................................................... 22 Table 7. MUSA deployer (KR4) value chain ........................................................................................ 23 Table 8. MUSA deployer (KR4) key infrastructure .............................................................................. 24 Table 9. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security assurance
SaaS (KR8) value chain ........................................................................................................................ 26 Table 10. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security assurance
SaaS (KR8) key infrastructures ............................................................................................................. 27 Table 11. IPR principles for the MUSA key results .............................................................................. 31 Table 12. IPR for the MUSA IDE (KR1) .............................................................................................. 37 Table 13. IPR for the MUSA DST(KR3) .............................................................................................. 38 Table 14. IPR for the MUSA deployer (KR4) ...................................................................................... 38 Table 15. IPR for the MUSA monitoring service (KR5) ...................................................................... 39 Table 16. IPR for the MUSA enforcement service (KR6) .................................................................... 39
Table 17. IPR for the MUSA notification service (KR7) ...................................................................... 40 Table 18. IPR for the MUSA security assurance SaaS (KR8) .............................................................. 40 Table 19. IPR for the MUSA guide (KR9)............................................................................................ 41
D7.2: Business scenarios analysis 7
Executive summary
This document presents a detailed analysis of the business scenarios for both the MUSA framework
and its individual components.
First, the business context for the developments of the project is presented, where we summarise the
needs identified in the multi-cloud security market and the identified potential target customers for the
MUSA framework components. This business contextualization is followed by the introduction to the
methodology for defining the MUSA business models, in which the Osterwalder Business canvas will
be used to detail all the key elements related to the MUSA business strategy.
A detailed analysis of the business aspects for the key results of the project, focused on the value chain
and key infrastructure for each key result is then presented. The value chain gives insight of the added
value proposition, potential customers and channels to approach them, while the key infrastructure
refers to the key activities, resources and partners’ networks to support the commercialisation of the
MUSA results.
Finally, the document includes the description of the Intellectual Property Rights (IPR) registry that
will be used in MUSA project to register the rights on the background and track the rights on the
exploitable foreground of the project. The description includes details related to information property
rights for each MUSA asset, along with a brief explanation for each of its fields. The current IPR state
is detailed in the Appendix B.
The present document aims at serving as a reference guide to orient the MUSA developments and
related actions to promote the project results and foster its future commercialisation.
D7.2: Business scenarios analysis 8
1 Introduction
1.1 Objective of this document
This document is deliverable D7.2 Business scenarios analysis of MUSA project [1] (see Appendix
A).
The document presents the business scenarios analysis for the MUSA framework (see description in
MUSA deliverable D1.1 Initial MUSA framework specification [2]) and its individual components. It
is aimed at offering an overview of the diverse exploitable outputs of the MUSA project from the
business point of view, analysing the opportunities and detailing the initial ideas of their
commercialisation.
In addition, a comprehensive survey of the project key results is presented taking as a basis the
Osterwalder Business canvas [3], which will be completed in D7.3 Initial Exploitation plan in month
24, once the implementation of the key results is advanced and more detailed information for the
commercialisation plans can be provided.
The Osterwalder Business canvas has been selected since it is a well-known and structured approach
to document the business models. The canvas details most of the elements to be considered for the
exploitation and commercialisation, and represents a reference model to conceptualize business
aspects. However, at this stage of the MUSA project, some of the fields of the canvas, mainly related
to the financial analysis, cannot be specified; they will be outlined in the initial exploitation plan in
M24 and concreted in the final exploitation plan in M36.
1.2 Structure of this document
This document starts by contextualizing the MUSA business activities in the multi-cloud security
market, including a brief description of the potential stakeholders. Then, the methodology for defining
the MUSA business models is presented, outlining the Osterwalder Business approach and detailing
the MUSA value chain and the key infrastructures to be used in the project. The document continues
with a detailed view of the business scenarios divided by project key results, describing the specific
value chain and key infrastructure for each key result. Finally, an overview of the MUSA IPR registry
is presented, along with the current information contained in the IPR registry.
The Appendix A presents the overview of the MUSA project while the Appendix B provides the
contents of the IPR registry.
1.3 Relationships with other deliverables
The information presented in this document relates to the following deliverables of MUSA:
D6.2 Dissemination strategy: It describes the MUSA dissemination strategy and identifies the
main target groups for the dissemination of MUSA results. The customers of MUSA are
necessarily part of those groups.
D6.4 Communication plan: It describes the MUSA communication strategy to ensure that the
MUSA outcomes are widely known in the software engineering, security and cloud computing
relevant communities.
D6.5 Networking plan: It describes the MUSA networking strategy towards the close
collaboration of MUSA participants with relevant communities both internal and external to the
project.
D7.1 Initial market study, trends and segmentation: It presents a detailed initial analysis of the
target market of the MUSA solution.
D7.2: Business scenarios analysis 9
1.4 Contributors
While Montimage partner in MUSA has coordinated the work in the task and has taken the role of the
main editor of the deliverable, all MUSA project partners have contributed to this deliverable, i.e.:
Montimage
Tecnalia
AIMES
CeRICT
CA Technologies
Lufthansa Systems
Tampere University
1.5 Acronyms and abbreviations
CAPEX Capital Expenditures PaaS Platform as a Service
DevOps Development and Operations QoS Quality of Service
IaaS Infrastructure as a Service QoSec Quality of Secure
ISV Independent Software Vendor SaaS Software as a Service
OPEX Operating Expenses TLR Technology Readiness Level
1.6 Revision history
Version Date issued Author Organisation Description
0.1 15/10/2015 Antonio M.
Ortiz Montimage Initial ToC.
0.2 23/10/2015
Antonio M.
Ortiz, Erkuden
Ríos, Peter
Matthews
Montimage,
Tecnalia, CA
Technologies
Revised ToC.
0.3 12/11/2015 Antonio M.
Ortiz Montimage
Intermediate proposed. Initial content
for all sections.
0.4 19/11/2015 Alejandra Ruiz,
Erkuden Ríos Tecnalia
Include content on sections: 3, 4 and 5
and provide comments to the rest of the
sections.
0.5 23/11/2015 Luis González,
Stefan Spahr TUT, LHS Information regarding KR10.
0.6 24/11/2015
Antony
Shimmin,
Erkuden Ríos,
Antonio M.
Ortiz
AIMES,
Tecnalia,
Montimage
Added information for several KRs.
0.7 01/12/2015 Peter Mathews CA
Technologies Key infrastructure for several KRs.
D7.2: Business scenarios analysis 10
Version Date issued Author Organisation Description
0.8 01/12/2015
Wissam
Mallouli,
Antonio M.
Ortiz
Montimage Sections 1 and 6; key infrastructure for
several KRs.
0.9 05/12/2015
Valentina
Casola,
Massimiliano
Rak
CeRICT Added information for several KRs.
1.0 10/12/2015 Antonio M.
Ortiz Montimage
Final proposed. Integration and
preparation for internal review.
1.1 11/12/2015 Erkuden Ríos Tecnalia Tables information update.
1.2 11/12/2015 Antonio M.
Ortiz Montimage
Overall review of the document, format
checking and minor corrections.
2.0 18/12/2015 Antonio M.
Ortiz Montimage
Final revised. Reviewers’ comments
addressed.
3.0 23/12/2015 Erkuden Rios Tecnalia Final released.
D7.2: Business scenarios analysis 11
2 MUSA business context: the multi-cloud security market
Nowadays, the young and effervescent market of cloud services is expanding, influenced by the
migration of traditional services to the cloud. With the increasing availability of cloud services [4],
applications making use of multiple cloud services are expected to grow, and so does the amount of
sensitive information managed by these applications. In order to preserve security and privacy, multi-
cloud applications require security enforcing and privacy enhancing mechanisms. In this sense, the
MUSA project aims at designing and developing a security framework to support the security-
intelligent lifecycle management of distributed applications over heterogeneous cloud resources. This
framework includes security-by-design mechanisms to enable application self-protection at runtime
and methods and tools for the integrated security assurance in both the engineering and operation of
multi-cloud applications.
As stated in MUSA deliverable D7.1 Initial market study, trends, segmentation and requirements [5],
and due to the novelty of the multi-cloud technologies, the market for multi-cloud solutions (i.e.,
services, applications, etc.) is still not clearly defined. However, the increasing use of cloud resources
indicates that this technology (and by extension, multi-cloud solutions [6]) will experiment a
significant rise in the coming years.
Cloud computing uptake is expanding for many reasons: availability, performance, costs (deployment
and maintenance), etc. Consequently, the cloud computing market is growing rapidly and has been
enjoying this growth for some time. The current market is seen to be dominated by a few large players
such as Amazon, Google and Microsoft, which are the most frequently mentioned companies.
Nevertheless, many organizations, particularly in Europe, are wary of being locked into one vendor.
This fear of vendor-lock and the need to have a more personalised service will maintain the smaller
vendors for some time. Moving from the provision of cloud infrastructure by PaaS and IaaS to SaaS
and the provision of public services, it is easy to see from the stakeholder analysis presented in D7.1
that some of the growth in cloud computing is related to the growth in hybrid cloud implementations,
bringing developers and users into contact with multi-cloud computing.
It is clear from the market directions detailed in D7.1 that cloud computing is here to stay and is
already evolving as any good technology does. Security of SaaS applications and other architectures
such as PaaS or IaaS is rooted in access and identity control with little difference with other computing
architectures. The increasing componentization of applications and abstraction of IT infrastructures
introduces security issues of individual components that will expose vulnerabilities that are specific to
multi-cloud environments. The market has a need for a different security model for such multi-cloud
applications and multi-app devices (such as mobile phones and tablets), and here is where the MUSA
framework (and its individual components) comes into play.
In order to commercialise the diverse developments of the MUSA project, we cannot specify a unique
business model for all of them. On the contrary, the MUSA business scenarios are made up of the
different business models of the diverse Key Exploitable Results, which are outlined in Section 4.
The main target customers of the MUSA project results can be grouped in (i) multi-cloud application
developers, that design, develop and test the multi-cloud application, and (ii) multi-cloud application
operators, which are in charge of managing the operation of the multi-cloud application, including
application (re-)deployments, runtime management and control (monitoring).
Since the MUSA framework relies over a DevOps approach [7] that promotes the close collaboration
and communication between software developers and other information technology professionals,
MUSA introduces the DevOps Team as the main stakeholder of the MUSA framework, responsible
of the multi-cloud application development, deployment and execution (see D1.1 [2] for more
information). More concretely, the following roles can be taken by the DevOps Team:
Application developer: developers of the multi-cloud applications or services that exploit
multiple heterogeneous cloud resources in diverse cloud service providers. The development
D7.2: Business scenarios analysis 12
shall be understood here as the set of all activities that span from application requirements
specification to implementation, including architecting, detail design, coding, testing, etc.
Therefore, the Application Architect (responsible of the design) and the Security Architect
(specialisation of Application Architect in charge of assuring the security in the multi-cloud
applications design) roles are also Application developers.
System operator: responsible of the deployment of multi-cloud applications.
Service administrator: in charge of the runtime management of the multi-cloud applications
which includes the monitoring of such applications.
Service business manager: has overall responsibility for the business aspects of offering
cloud services to cloud service customers. They create and track the business plan, define the
service offering strategy and manage the business relationship with cloud service customers.
Therefore, such DevOps Team will be the main target customer for MUSA Key Results. Depending
on the purpose of the Key Result and which activity in the multi-cloud application life-cycle the Key
Result is supporting, the role taken by the DevOps team will be mostly one of the above. In the
following we will differentiate between these roles in order to better tailor the Key Results
exploitation activities.
As it will be seen later in Section 4, the Cloud Service Providers (CSP) that offer the cloud services
used by the multi-cloud applications secured by MUSA are also a target customer for the MUSA
Security Assurance Platform (SaaS), Key Result KR8, as they will be potential users of the monitoring
and notification services offered by this platform.
D7.2: Business scenarios analysis 13
3 Methodology for the MUSA business models definition
For the definition of the MUSA business models, we will use the Osterwalder Business Canvas [3],
which is a commonly used template for developing and documenting business models and was
initially proposed by Alexander Osterwalder based on his earlier work on Business Model Ontology. It
has become widely used in both R&D projects and business consulting to identify and depict the key
elements affecting a business model or plan.
Figure 1. Osterwalder Business canvas [3]
The key elements of the Osterwalder Business Canvas, depicted in Figure 1, can be summarised as
follows:
● Customer segments: people or organizations for which the product creates value. They can
be simple users and paying customers.
● Value proposition: there is a value proposition for each segment and they can be bundles,
products and services that solve customer problems and satisfy customer needs.
● Channels: touch-points to interact with customers and delivering value.
● Customer relationships: type of relationships that are established with the customers.
● Key resources: infrastructure to create, deliver and capture value. They show what assets are
indispensable in the business model.
● Key activities: which actions are really needed to perform well.
● Key partnership: who can help to leverage the business model.
● Cost structure: represents the whole cost of the business model.
● Revenue streams: how and through which pricing mechanisms the business models are
capturing value. They result from value propositions successfully offered to customers.
D7.2: Business scenarios analysis 14
In the MUSA project, for an initial analysis of the business models, these nine blocks of the canvas are
grouped in three major business aspects:
● MUSA value chain: including the value proposition of the MUSA solution, their customers
and channels for getting into the market.
● MUSA key infrastructure: grouping key activities, key resources and partner network.
● MUSA financial viability: comprising costs structure and revenue streams.
The two first business aspects can be already defined in the context of the MUSA framework, while
for the financial viability, it is too early in the project to have a clear picture of it. For that, in this
deliverable, we will focus on the MUSA value chain and key infrastructure, as well as on the
definition of the business scenarios for each key exploitable result in the project, leaving the financial
analysis for D7.3 Initial exploitation plan, which will be issued in M24.
3.1 MUSA value chain
As already said, the MUSA value chain describes not only the value proposition of the MUSA
solution, but also the potential customers for which MUSA results can represent high added value, and
the set of channels and activities for getting into the market.
In terms of the value of the MUSA solution, the main outcome of the project is the MUSA framework,
containing the collection of MUSA methods and tools supporting the security-intelligent integrated
lifecycle management of multi-cloud applications. It aims at increasing the quality of user experience
and trust in clouds.
The MUSA framework is composed of 9 individual Key Exploitable Results, which provide an added
value for the customers that is depicted in Table 1.
Table 1. MUSA Key Exploitable Results and their added value proposition for the customers
Key result Added value proposition for the customers
KR1: MUSA Integrated
Development Environment
(IDE)
The IDE will raise the innovation capacities of application developers,
as they will accelerate the creation of applications that exploit multiple
cloud resources in a robust manner, independently of the potential
security lacks that the cloud providers may have. They will be able to
specify both at application components and at integrated SLA of the
application, the security properties offered by the application
leveraging the security, costs and performance properties of the clouds
underneath.
KR2: MUSA security
libraries (monitoring,
enforcement and
notification mechanisms)
The application developers will be able to add smart capabilities to the
multi-cloud applications by embedding the MUSA libraries into the
components in a non-intrusive manner so the applications are prepared
for self-protection at runtime. Application operators will exploit the
libraries capacities for monitoring, enforcement and notification to
ease and automate the integrated assurance of security during the
operation. Both features are novel approaches with no competitors in
the market.
KR3: MUSA decision
support tool
It will guide the application developers during the selection of the
adequate cloud resources where the application components will be
deployed, helping balancing security (QoSec), business (costs) and
functional requirements (QoS). The tool will also serve application
operators in re-deployment processes for selecting new combinations
D7.2: Business scenarios analysis 15
Key result Added value proposition for the customers
of clouds. The application providers that act as both roles will be the
ones that most benefit from the tool as it links both activities through a
DevOps approach, so reducing re-deployment times and faults.
KR4: MUSA distributed
deployment tool
The application operators will be able to automate and normalise the
simultaneous (re-)deployments of the multi-cloud application
components to distributed cloud providers, which is currently a
manual and tedious process. Thanks to the DevOps approach, this
(re)deployment will be faster and aligned with application security
requirements.
KR5: MUSA monitoring
service
Application operators will be empowered with a tool to better control
at real-time, the security and functional properties of multi-cloud
applications and the cloud resources underneath. Currently, these are
two separate options, and particularly security monitoring is not
holistic in the sense that the existing tools do not support integrated
and consistent levels of monitoring (application and cloud).
KR6: MUSA enforcement
support service
Through the use of this service, the application operators will be able
to enforce the multi-cloud application security policies, even if they
do not have control over the data processing and storage SLAs of the
cloud resources used.
KR7: MUSA notification
service
Real-time control and management of the security properties of the
multi-cloud applications will let application operators be informed and
promptly react to security incidents and minimize their impact.
KR8: MUSA security
assurance platform (SaaS)
Application operators will benefit from the pay-per-use model of the
MUSA security assurance services (that include the monitoring,
enforcement and notification services, either independently or in
combination), which will let them save in CAPEX and OPEX.
KR9: Guide for an
integrated multi-cloud
secure applications
lifecycle management
Application developers will learn support practices and tools for
multi-cloud application creation balancing their security and
functional parameters.
Application operators will learn on methods and tools supporting the
integrated and consistent management of multi-cloud applications at
runtime.
Application providers that include development and operations teams
will be the ones taking the most out of the guide, as they will exploit
the gained knowledge on DevOps approach to reduce reworks and
time-to-market.
Regarding the customers, in MUSA deliverable D6.2 Dissemination strategy [8] we identified the
main relevant target groups for the dissemination and communication of MUSA results. Target
communities have been identified in the industrial and academic sectors, including public and private
organisations, as well as standardization bodies and policy makers. In particular, the dissemination is
split into dissemination to the scientific communities (cloud community focused on cloud security,
multi-cloud based application developers, Software engineering), where the focus is on transferring
knowledge and tools into the scientific domain, so that they can be used in complementary research
fields; and dissemination to the commercial community (independent software vendors (ISVs),
investors, technology providers, application providers, users, consultants, open source communities,
etc.), where the focus is on informing potential clients of the MUSA capabilities.
D7.2: Business scenarios analysis 16
Regarding the channels and the activities to engage potential customers, according to the strategy and
actions plan defined in D6.2, all MUSA partners are involved in dissemination activities that include
scientific, industrial and professional dissemination. In particular, they are focused on participation to
thematic workshops and conferences, writing conference and journal articles, and preparation of
updated dissemination materials to distribute. Furthermore, all partners are engaged in the
dissemination activities through their dedicated channels.
3.2 MUSA key infrastructure
The key resources needed to successfully achieve the project objectives and develop the Key Results
are primarily the members of the project consortium that collaboratively work to complete the
technical, scientific and business goals of the project. To this aim, in the networking strategy,
presented in D6.5 Networking plan [9], we have proposed the definition of an internal and external
networking in order to explore singular partner background, with the goal of identifying better ways to
encourage new collaborations among partners and individuals, identify stakeholders’ interest in project
results and to create new opportunities for spreading the project results. We have endorsed the MUSA
researchers as a main part of the network, listing people that are involved in the project and
highlighting their research interests and skills, as well as their scientific background and publications.
Another major key resource is the cloud infrastructure that will be used to deploy the MUSA security
assurance platform SaaS (KR8) on top of it. This infrastructure is offered by AIMES partner during
the project and discussions are taking place to agree with the rest of partners on a fair payment model
for the infrastructure after the project.
Additionally, a series of activities are being carried out to foster the MUSA business model. These
activities are detailed in Table 2 and most of them will be done during and after the project.
Table 2. MUSA goals and associated key activities
Goal Required Key activities
Improve security-aware
behaviour of multi-cloud
applications (reduce
security incidents)
Development of the MUSA framework, including:
Design-time methods and tools for multi-cloud applications security
breaches prevention and security-aware contract specification.
Run-time methods and tools for multi-cloud application security
incident monitoring, notification and enforcement mechanisms.
Ensure that MUSA
results are widely
known in the software
engineering, security
and cloud computing
relevant fora
Create awareness and interest on MUSA results through the
dissemination and communication plans (D6.2 [8] and D6.4 [10]).
Identify a small group of potential adopters of MUSA results and
arrange meetings and seminars with them to raise the interest and get
initial feedback on what will be important in a wider exploitation
strategy.
Potential and current
users of the MUSA
framework can obtain
expert help on how to
effectively use it
Develop commercial seminars/courses (aimed at practitioners and at
decision-makers in management), and use project case-studies as part
of these courses.
Offer advanced consultancy services in effective use of the MUSA
results.
Develop the MUSA guide to security management in multi-cloud
applications, including explanations on the use of the platform and its
benefits for the users with a commercial approach.
MUSA results become Create awareness in and contribute to relevant initiatives and
D7.2: Business scenarios analysis 17
Goal Required Key activities
standardised (either in
“official” standards or as
“de facto” industrial
practice)
standardisation bodies such as OASIS (TOSCA, CAMP), European
Cloud Partnership, etc.
Keep surveillance on cloud standardization trends, as cloud
computing standards arena is big and in continuous change. Special
focus on Cloud SLAs expert groups initiatives and CENELEC CWA
on Cloud Assurance.
Establish a strong
MUSA industrial users
+ researchers
community
In exploitation activities, encourage other experts in the field to join
the MUSA Community. Start by identifying relevant target user
groups and looking for incentives for them to use MUSA. The same
shall be done for research groups to join MUSA and continue with its
results, for instance, fostering the integration of open source
contributions.
3.3 MUSA financial viability
In the MUSA costs structure, the most remarkable costs are those inherent to the MUSA framework
improvement and exploitation: the fixed costs of the salaries of the researchers and experts and the
variable costs of the IaaS that will be needed for offering the MUSA security assurance platform as-a-
service. In any case, the pay-per-use price of the infrastructure provided by AIMES after the MUSA
project is expected to be reasonable for MUSA partners as AIMES are interested party in getting the
MUSA security assurance services as cheaper as possible, so they are used by a great number of multi-
cloud application operators (consumers of their cloud).
In any case, the financial viability of the MUSA framework components depends not only on the cost
structure but also on the revenue streams devised for each the components. These revenue streams
depend on the exploitation model selected for each of the components (free, license, pay-per-use, etc.)
At the edition of this deliverable, the MUSA framework is still in design and early development
stages, and therefore, it is too early to determine the actual costs structure and revenue streams that the
MUSA framework and its components will have. For this reason, this section will be detailed in the
future exploitation deliverables, D7.3 Initial Exploitation plan (M24), and especially in D7.4 Final
Exploitation plan (M36).
D7.2: Business scenarios analysis 18
4 MUSA business models
In the context of MUSA, the business scenarios represent the envisaged possibilities to reach the
targeted market and to achieve the business objectives. As commented above, there are multiple
business scenarios for the MUSA developments depending on the components to be commercialised
and on the particular circumstances of the customers. This section presents an analysis of the business
scenario for each key result, while in future exploitation deliverables (D7.3 and D7.4), the strategy for
the entire MUSA framework as a whole DevOps tool, and the financial analysis will be detailed.
The exploitation strategy for the KR1, 2, 3 and 4 relies on a two-folded approach: a first basic version
that will be open source licensed, and a second commercial version, including advanced features that
could be licensed in proprietary formats. The KR5, 6 and 7 will be integrated in KR8 and will be
commercialised under a pay-per-use license, although it will also be possible to be commercialised
independently. The KR9 will be offered for free as complementary instructions to use the MUSA
framework and/or its individual components.
The following sections detail, per key exploitable result, the value chain (including the added value
proposition, the main customers and the channels to reach them), as well as the key infrastructure
available from each contributing partner (detailing the activities, resources and partner network).
4.1 MUSA IDE (KR1) + MUSA libraries (KR2)
The MUSA Integrated Development Environment (KR1) is composed of the MUSA Modeller for
multi-cloud application model specification (in a CloudML modelling language [11]) and the SLA
Editor that allows creating the Security SLA for multi-cloud application.
At this preliminary phase of the MUSA design, the MUSA Modeller implementation is still under
discussion so the final outcome is still an on-going work. One technological proposal is to develop the
MUSA Modeller as an Eclipse plugin to enable the security embedding into multi-cloud applications.
However, there is a second solution to be developed as an extension of the existing Modelio IDE [12].
The MUSA partners are still discussing the best approach.
The tool will be open source and its primary exploiter will be Tecnalia. As part of its technology
transfer model, Tecnalia will offer this toolset to innovative multi-cloud application providers, mainly
SMEs.
The MUSA Modeller will be in most cases integrated with the MUSA security libraries (KR2) in order
to have a basis to define the required actions to perform security assurance.
The main contributors to the MUSA IDE in terms of development and exploitation are Tecnalia,
CeRICT and Montimage, complementing each other's expertise: Tecnalia is expert in Eclipse based
tools development and multi-cloud applications, CeRICT stands out in cloud security and cloud SLAs,
and Montimage brings its knowledge on performance and security metrics needed in the components.
4.1.1 Value chain
Table 3. MUSA IDE (KR1) and MUSA libraries (KR2) value chain
Key result Added value proposition for
the customers
Customers Channels
KR1: MUSA
Integrated
Development
Environment (IDE)
- Modeller
The MUSA Modeller will allow
the specification of the multi-
cloud application architectural
model in a UML language (e.g., CloudML), including data
protection and security
Multi-cloud
application
developers
(application
architect, security
architect).
The MUSA
Modeller could be
released in Eclipse.
Consultancy and
technology transfer
services,
D7.2: Business scenarios analysis 19
Key result Added value proposition for
the customers
Customers Channels
requirements.
This IDE will increase the
innovation capacities of
application developers, as they
will accelerate the creation of
applications that exploit multiple
cloud resources in a robust
manner, independently of the
potential security issues the
cloud providers may have.
particularly to
software SMEs.
Training events.
KR1: MUSA
Integrated
Development
Environment (IDE)
- SLA Editor
Allows the creation both at
application component level
and at integrated SLA, of the
application the security
properties offered by the
application leveraging the
security, costs and
performance properties of the
clouds underneath.
Multi-cloud
application
developers
(application
architect, security
architect).
This IDE-SLA
Editor will be
proposed as an
interactive Website
to specify security
and non-security
requirements in
terms of SLAs. Its
integration in the
Global MUSA IDE
is still under
discussion.
KR2: MUSA
security libraries
(monitoring,
enforcement and
notification
mechanisms)
The application developers will
improve the multi-cloud
application by embedding the
MUSA libraries into the
components in a non-intrusive
manner so the application is
prepared for self-protection at
runtime. Application operators
will exploit the libraries
capacities for monitoring,
enforcement and notification to
ease and automate the
integrated assurance of
security during the operation.
Both features are novel
approaches with no competitors
in the market.
Multi-cloud
application
developers
(application
architect, security
architect). Ideally
those that fulfil the
double role of
application
developers and
service
administrators)
Through the
MUSA community.
Consultancy and
technology transfer
services,
particularly to
software SMEs.
4.1.2 Key infrastructure
Table 4. MUSA IDE (KR1) and MUSA libraries (KR2) key infrastructure
Partner Activities Resources Partner network
TECNALIA During the project: A MUSA Tecnalia Ventures will
support Tecnalia in the
D7.2: Business scenarios analysis 20
Partner Activities Resources Partner network
Establish a strong MUSA
industrial users + researcher
community
Promotion of the results in the
hands on workshops organised
by DPSP Cluster [13] and
MUSA project where we invite
industrial partners considered
as potential users.
Collaboration with CloudML
and Modelio communities for
security extensions.
After the project:
Maintain MUSA industrial
users + researcher community.
Develop commercial seminars
or courses.
Continue collaboration with
CloudML and Modelio
communities for further
security properties.
community place
on the Web.
Demonstration
prototype.
market orientation of
the project outcomes
while evolving the
prototypes from TRL 4
to TRL 6.
Tecnalia is already
member of Eclipse and
plays a role in
Polarsys, an industrial
working group within
the Eclipse Foundation.
CeRICT During the project:
Establish strong relation with
cloud security research
community.
Collaboration with H2020
projects focused on topics
related to cloud security and
SLAs management in cloud.
Disseminate Security SLA
model and usage.
Make academic seminars.
After the project:
Maintain the MUSA multi-
cloud Security SLA Editor.
Continue collaboration with
partners and contacted projects
to empower security SLA tools.
A dedicated
Web page will
be available in
the Website of
CeRICT
including links
to white papers.
Demonstration
of prototype
tools based on
Security SLA
Editor.
Participation in
industrial events
to promote the
MUSA software
solution and
results.
CeRICT is a
consortium of
Universities and
participates to other
research projects
related to cloud and
security (e.g., SPECS
[14]), bringing the
network of contacts of
the involved
universities (Second
University of Naples,
University of Naples
Federico II and
University of Sannio).
Montimage During the project:
Establish strong relations with
industrial stakeholders,
researchers and application
developers interested on multi-
cloud security and monitoring.
Collaboration with the H2020
CLARUS project in securing
cloud environments.
After the project:
Maintain the MUSA
A dedicated
Web page will
be available in
the Website of
Montimage
including links
to white papers.
Demonstration
of prototype
tools based on
MMT and Other
Montimage is part of
Systematic innovation
cluster, a Paris region
systems and ICT
cluster in which the
MUSA developments
will be disseminated.
Montimage is in
contact with a list of
potential big
stakeholders in France
D7.2: Business scenarios analysis 21
Partner Activities Resources Partner network
community of users and
developers.
Analyse and include new
security requirements updating
the security libraries to detect
and mitigate new
vulnerabilities.
Define a marketing strategy to
convince potential customers
and stakeholders to benefit
from the MUSA outcomes.
security
libraries.
Participation in
events to
promote the
MUSA software
solution and
results.
including Thales,
Orange, etc., and
outside France like
Ericsson and
CyberDefcon.
4.2 Decision Support Tool (KR3)
The MUSA Decision Support Tool (DST) will be provided as a web application and its primary
exploiter will be CA Technologies. They are interested in getting a mature and upgraded version of
their current Decision Support System (DSS) in MODAClouds [15] for intelligent decision based on
well-balanced security, functional and costs aspects of cloud resources. The main novelty of the
MUSA DSS resides in the fact that it is the first DSS focused on security aspects that recommends
cloud services in multi-cloud environments considering risk analysis, costs and quality in the same
tool.
4.2.1 Value chain
Table 5. MUSA decision support tool (KR3) value chain
Key result Added value proposition for the
customers
Customers Channels
KR3: DST - CSP
Data Gathering
Data Gathering tools will help
users/customers to complement existing
data on services with their own
evaluations. These evaluations can be
quantitative or qualitative in the form of
reviews.
Application
developers who
are testing new
services.
Users and
customers who
have data to
share on new or
existing
services.
MUSA
Community.
Customer
Presentations,
conference
presentations
and
demonstra-
tions.
KR3: DST - CSP
Data Repository
Data repository will hold data from the
data gathering and provide a central
repository for reviews and measures of
services.
Application
developers who
are testing new
services.
Customers
wanting to
review services.
MUSA
Community.
Customer
Presentations,
conference
presentations
and
demonstra-
tions.
D7.2: Business scenarios analysis 22
Key result Added value proposition for the
customers
Customers Channels
KR3: DST - Risk
analysis
Measuring and recording the risk profile
of services is new to the service
procurement process. Prior to
MODAClouds and MUSA, risk was a post
facto activity. This part of the DST will
enable risk to be assessed prior to
development and consumption of
services.
Risk
professionals
developing risk
profiles of
services for
measurement or
review.
MUSA
Community.
Customer
Presentations,
conference
presentations
and
demonstra-
tions.
KR3: DST - CS
Discovery
Allows searching for Cloud Services
(CS) according to particular
characteristics.
Application
developers,
speculative
service
customers.
MUSA
Community.
Customer
Presentations,
conference
presentations
and
demonstra-
tions.
KR3: DST -
Match-making
Comparison of CS characteristics with
the multi-cloud app requirements.
Application
developers,
speculative
service
customers.
MUSA
Community.
Customer
Presentations,
conference
presentations
and
demonstra-
tions.
KR3: DST -
Decision support
Provide recommendations and
indications on best combination of cloud
services according to mc app requirements
(functional, security and business). The
combinations are ranked according to the
risk profile established for the multi-cloud
application assets.
Application
developers,
speculative
service
customers.
MUSA
Community.
Customer
Presentations,
conference
presentations
and
demonstra-
tions.
4.2.2 Key infrastructure
Table 6. MUSA decision support tool (KR3) key infrastructure
Partner Activities Resources Partner network
CA
Technologie
s
CA will develop
demonstrations and
presentations to
conferences, customers and
users of cloud services.
A MUSA
community place
on the web.
CA internal
MUSA community
CA internal
development and
product management
community
D7.2: Business scenarios analysis 23
Partner Activities Resources Partner network
CA will develop an internal
CA presentation to inform
CA staff of the potential of
the MUSA technology.
demonstrations
and promotions.
Tecnalia Tecnalia will enrich the
KR4 demonstrations and
presentations with the
previous step of deployment
decision supported by KR3.
Similarly, demonstrations
and presentations of KR1
(architecture modelling)
will include the use of KR3
for the selection of CS to
use.
Participation in
events to promote
the MUSA
software solution
and results.
Tecnalia research center
collaborates in a number
of EU and international
research projects and
brings its international
network of partners,
alliances and clients.
CeRICT CeRICT will develop
demonstration, presentation
and seminar for academic
activities and scientific
conferences.
CeRICT will enrich the
SLA Editor tools in order to
support Decision tools.
A dedicated Web
page will be
available in the
Website of
CeRICT including
links to white
papers.
Participation in
events to promote
the MUSA
software solution
and results.
CeRICT is a consortium
of Universities and
participates to other
research projects related
to cloud and security
(e.g., SPECS), bringing
the network of contacts
of the involved
universities (Second
University of Naples,
University of Naples
Federico II and
University of Sannio)
4.3 MUSA Deployer (KR4)
The MUSA Distributed Deployment Tool will be primarily developed and exploited by Tecnalia with
the help of CeRICT, CA Technologies and AIMES. This tool will also be one of the key assets of the
multi-cloud application support toolset that Tecnalia is developing.
4.3.1 Value chain
Table 7. MUSA deployer (KR4) value chain
Key result Added value proposition for the
customers
Customers Channels
KR4: MUSA
distributed
deployment tool
The application operators will be able to
automate and normalise the
simultaneous (re-)deployments of the
multi-cloud application components to
distributed cloud providers, which is
currently a manual and tedious process.
This is especially relevant for multi-cloud
and multi-micro environments with
Multi-cloud
application
developers
(application
architect),
online service
providers
(system
The MUSA
Deployer
could be
released in
eclipse.
Consultancy
and
technology
D7.2: Business scenarios analysis 24
Key result Added value proposition for the
customers
Customers Channels
changing context. Thanks to the DevOps
approach, this deployment will be faster
and aligned with application security
requirements.
operators)
transfer
services,
particularly to
software
SMEs.
Training
events.
4.3.2 Key infrastructure
Table 8. MUSA deployer (KR4) key infrastructure
Partner Activities Resources Partner network
TECNALIA During the project:
Establish a strong MUSA
industrial users + researcher
community.
Promotion of the results in
the hands on workshops
organised by DPSP Cluster
and MUSA project where
we invite industrial partners
considered as potential
users.
After the project:
Maintain MUSA industrial
users + researcher
community.
Develop commercial
seminars or courses.
A MUSA
community place
on the Web.
Multi-cloud
application for
demonstration
purposes.
Availability to
deploy an
application in at
least 3 or more
clouds.
Prototype under an
open source
license.
Tecnalia Ventures will
support Tecnalia in the
market orientation of the
project outcomes while
evolving the prototypes
from TRL 4 to TRL 6.
Tecnalia is already
member of eclipse and
plays a role in Polarsys,
an industrial working
group within Eclipse
Foundation.
AIMES During the Project
Provide interfaces for
deployment of multi-cloud
applications into other
CSPs.
Make available cloud
resources for the consortium
to launch their applications
into via the deployment
tool.
After Project
Make available deployment
tool to existing customer
base
Publicise Cloud Resources
to MUSA DSS to allow
deployment in the event
AIMES CSP services are
recommended
AIMES will make
available scalable
cloud resources to the
deployment tool. This
allows for cost
effective billing and
efficient cloud
computing, only
making use of
resources when
required
AIMES growth into a
multi-site cloud service
provider will co-incide
with the deployment of
multi cloud applications.
AIMES Management
Service is the
commercial element of
the business and will
market the deployment
tool as a method towards
adopting multi cloud
deployment.
D7.2: Business scenarios analysis 25
Partner Activities Resources Partner network
CA
Technologie
s
During the project:
Maintain link between DST
and deployment tool.
Maintain the deployment
tool.
After the project:
Continue to promote the
technology to the CA
development and product
management communities
CA will develop
internal and external
sales presentations to
promote the
deployment tool as a
potential product
feature.
Further information
will be the subject of
Tech Talks to the CA
council for Technical
Excellence
CA has an extensive
customer and employee
base which will be the
target for exploitation
efforts.
CA will also engage
with the MUSA
community, the
MODAClouds Alliance
and other project groups.
CeRICT During the project:
Establish strong relation
with cloud security research
community.
Collaboration with H2020
projects focused on topics
related to cloud security and
SLAs management in cloud.
Reuse the SPECS Platform
components for the
assurance platform.
Make academic seminars.
Reuse tools that automate
Security SLA management.
After the project:
Maintain the Models and
related tools.
Continue collaboration with
Partners and interested
projects to empower
Security SLA tools.
A dedicated Web
page will be
available in the
Website of
CeRICT including
links to white
papers.
Demonstration of
prototype tools
based on Security
SLA Editor.
Participation in
industrial events to
promote the
MUSA software
solution and
results.
Maintenance of
Security SLA
automation tools
developed in past
projects.
CeRICT is a consortium
of Universities and
participates to other
research projects related
to cloud and security
(e.g., SPECS), bringing
the network of contacts
of the involved
universities (Second
University of Naples,
University of Naples
Federico II and
University of Sannio)
4.4 MUSA SaaS (KR8, including KR5-6-7) + MUSA libraries (KR2)
Although KR5 (monitoring service), KR6 (enforcement support service) and KR7 (notification
service) may be commercialised independently, they are planned to be exploited as MUSA assurance
services integrated in the MUSA Security Assurance Platform (KR8). This platform will be exploited
as a SaaS built on top of existing open source solutions for cloud middleware that support resource
scalability and multi-tenancy. The main exploiter will be Montimage in collaboration with Tecnalia,
CA Technologies, AIMES and CeRICT. The security libraries that are part of KR2 will also be
included in KR8 since they define the monitoring, enforcement and notification mechanisms.
The MUSA security assurance platform will make use of an IaaS owned and managed by AIMES that
is able to store the user sensitive information with strong security reliability. Application operators
will benefit from the pay-per-use model of the MUSA security assurance services that will be
designed in order for the operators to be able to consume them independently.
MUSA security assurance services provision in the cloud is planned to be done in freemium model
(MUSA lite and MUSA pro). The lite version will be free and will enable basic support for
D7.2: Business scenarios analysis 26
monitoring, reaction and notification capabilities. The commercial version (MUSA pro) will be pay-
per-use and will include proprietary technical features allowing a more complete, integrated and
accurate support to security assurance of multi-cloud applications at runtime. Among others, the
AIMES customer base will be targeted as end users upon completion of the project.
4.4.1 Value chain
Table 9. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security
assurance SaaS (KR8) value chain
Key result Added value proposition for the
customers
Customers Channels
KR5 MUSA
Monitoring Service
Application operators will be able to
monitor their environment at the
application, networking and cloud
infrastructure levels. The MUSA
Monitoring service will provide a holistic
interface for operators to monitor all facets
of their cloud as well as monitoring agents
that need to be deployed in different
virtual machines or containers to collect
relevant security related data.
System
Operators,
Cloud service
providers,
Business
Managers
CSPs,
Training,
Participation
and
organisation
of Cloud
related
events.
KR6 MUSA
Enforcement
Support Service
Enforcing security policies within multi-
cloud environments is needed by
customers when it comes to controlling
their applications. The enforcement
service will provide a set of easy to
deploy security mechanisms that ensure
the reliability and privacy of data and
communications.
Application
Developers,
Security
Architect
MUSA
Security
Consultancy.
MUSA CSPs,
SME
Awareness
and Training
Events.
KR7 MUSA
Notification
Service
Application Customers and business
managers will have visibility of security
incidents in network and application
Service Level Agreements (SLAs) being
contravened.
Application Developers who are managing
the environment on behalf of the client
will have foresight of security status
regarding the monitored multi-cloud
applications.
Application
Developers,
Business
Managers,
System
Administrators,
System
Operators
MUSA
Security
consultancy,
training
events and
value added
service
provided by
MUSA CSPs
KR8: MUSA
security assurance
SaaS
Application operators will benefit from the
pay-per-use model of the MUSA security
assurance services (either independently
or in combination) that will let them save
in CAPEX (capital expenditures) and
OPEX (operational expenditures) by
proposing a solution to monitor and
analyse multi-clouds applications and
activate automatic reactions and
notifications in case of security flaw
Multi-cloud
online service
providers (i.e.,
cloud-based
services and
application
administrators
and security
architect).
MUSA SaaS
Consultancy
and
technology
transfer
services,
particularly to
software
SMEs.
Training
D7.2: Business scenarios analysis 27
Key result Added value proposition for the
customers
Customers Channels
detection in order to maintain the
confidentiality and privacy of sensitive
data and communications.
events.
4.4.2 Key infrastructure
Table 10. MUSA monitoring (KR5), enforcement (KR6), notification (KR7) and security
assurance SaaS (KR8) key infrastructures
Partner Activities Resources Partner network
Montimage During the project:
Establish and maintain the
community of industrial
stakeholders and researchers.
Integrate the MUSA
developments in MMT to
foster the tool
commercialisation and
extend the customer base to
multi-cloud stakeholders.
Define open-source and
commercial versions of
MMT integrating the MUSA
results.
Build a common marketing
strategy to commercialise the
Security Assurance Platform.
After the project:
Maintain and extend the
community of stakeholders,
application developers and
researchers.
Update the monitoring,
enforcement and notification
modules with new
vulnerabilities.
Commercialise MMT as an
integrated solution including
the monitoring, enforcement
and notification capabilities
developed in MUSA.
Demonstration of
the MUSA
Security Assurance
Platform
prototypes in
industrial events.
Publications in
conferences and
journals to target
research
communities and
potential
stakeholders.
Montimage is part of
the Systematic, a Paris
region systems and
ICT cluster in which
the MUSA
developments will be
disseminated.
TECNALIA During the project:
Establish a strong MUSA
industrial users + researcher
community
Promotion of the results in
the hands on workshops
organised by DPSP Cluster
and MUSA project where we
A MUSA community
place on the Web.
Demonstration
prototype where
showing enforcement
functionality.
Tecnalia Ventures will
support Tecnalia in the
market orientation of
the project outcomes
while evolving the
prototypes from TRL 4
to TRL 6.
D7.2: Business scenarios analysis 28
Partner Activities Resources Partner network
invite industrial partners
considered as potential users.
Definition of business model
around the open source
functionality.
After the project:
Maintain MUSA industrial
users+ researcher
community.
Develop commercial
seminars or courses.
Extending the results with
proprietary functionality for
professional services.
Tecnalia and MI will
collaborate in further
development of the results
and integration with billing
and metering services
towards such final product
AIMES During the Project
Research viability of
monitoring of multi-cloud
environments at network and
application layer
Engage with use cases to
understand their requirement
for monitoring and see how
that impacts upon CSP
operations and commercial
activities
Engage with Montimage to
understand their
technologies, and how they
interact with infrastructure
operated by CSPS
Work with the consortium to
understand the ramifications
of notification services and
how this impacts upon cloud
service providers. Help the
consortium understand
through experience, what
data CSPs are happy to share
to a notification service
Refine the notification
enforcement service with the
use cases
Promote transparency within
the CSP community to
provide the MUSA
AIMES IaaS platform
utilises a variety of
cloud technologies.
Including OpenStack,
Windows Azure
Pack/Stack and
VMWare. During the
project AIMES will
facilitate access for
consortium partners to
AIMES cloud
platforms.
AIMES will work
towards adopting the
variety of reporting
mechanisms, and
provide monitoring
interfaces publically
accessible to the
MUSA Monitoring
Service.
AIMES will work with
the Data Centre
Alliance to promote
the MUSA Security
Assurance Platform
amongst the CSPs
within the alliance.
AIMES work closely
with the NWCAHSN
(North West Coast
Academic Health
Science Network)
which amongst other
workstreams, promotes
digital health
applications. AIMES
envisage the digital
health community
being a suitable use
case for the security
assurance platform.
AIMES and the
NWCAHSN will
promote the security
assurance platform
amongst the
community.
The UK based
ASSURED Project
D7.2: Business scenarios analysis 29
Partner Activities Resources Partner network
Monitoring Service
After the Project
Publicise Use of MUSA
Security Assurance Platform
as a value added service by
AIMES
Introduce platform to existing
customers
Work with Montimage to
develop product further in
relation to new cloud and
data centre technologies
Trial the Notification
Enforcement service with
Multi-Cloud adopters
Define business model
around providing the MUSA
Monitoring Service as a
product to existing customers
will make use of the
notification service.
ASSURED addresses
the problem of
protecting data in
industry, and
notification where
SLAs have been
contravened is of great
importance. There will
be shared exploitation
activities, which will
take place across
ASSURED and
MUSA. ASSURED is
due to start in Q1 of
2016.
CA
Technologie
s
Promote the SaaS and libraries
opportunities to CA internal staff.
Support other project members in
their efforts
Internal presentations
and tech talks to the
worldwide employee
community
CA world wide
internal community
including the Cross
company Council for
Technical Excellence
CeRICT During the project:
Establish strong relation with
cloud security research
community
Collaboration with H2020
projects focused on topics
related to cloud security and
SLAs management in cloud
Reuse the SPECS Platform
components for the assurance
platform
Make academic seminars
Reuse tools that automate
Security SLA management
After the project:
Maintain the Models and
related tools
Continue collaboration with
Partners and interested
projects to empower Security
SLA tools
A dedicated Web
page will be
available in the
Website of
CeRICT including
links to white
papers.
Demonstration of
prototype tools
based on Security
SLA Editor.
Participation in
industrial events to
promote the
MUSA software
solution and
results.
Maintenance of
Security SLA
automation tools
developed in past
projects.
CeRICT is a
consortium of
Universities and
participates to other
research projects
related to cloud and
security (e.g., SPECS),
bringing the network
of contacts of the
involved universities
(Second University of
Naples, University of
Naples Federico II and
University of Sannio)
D7.2: Business scenarios analysis 30
4.5 MUSA Guide (KR9) and MUSA prototypes (KR10)
KR9 (reference use guide) and KR10 (MUSA prototypes) will not be commercialised per se, but they
will contribute to the correct design, specification and development of the MUSA framework in the
case of KR10 and to the comprehension and documentation of the MUSA framework and its
components operation in the case of KR9.
KR9 is the guide for an integrated multi-cloud secure applications lifecycle management. It contains
the instructions to manage and use the MUSA developments and will be a useful tool for the MUSA
customers (i.e., multi-cloud application developers and operators). The DevOps community is a
market AIMES are looking to address when it comes to promoting multi-cloud technologies. Our
experience working with the DevOps community is they require on demand cloud, but often they are
not aware of the security considerations when it comes to instant deployment of cloud resources. KR9
provides a medium for communicating the benefits of the MUSA framework in a coherent fashion,
and this will be made available to those looking to use AIMES as one of their CSPs for multi-cloud
deployments.
KR10 constitutes the innovative multi-cloud application service prototypes that exploit heterogeneous
clouds. This key result that will mainly be guided by the TUT and LHS use cases will serve to guide
and prove the correct operation of the MUSA developments in controlled real environments. AIMES
will seek to exploit the success of the use cases adopting multi-cloud by including it within their
product portfolio. The diversity of the use cases, the challenges they face and the scale are similar to
that of AIMES’ customers. However, multi-cloud applications have not been seen as a mature enough
offering. The success of the use cases will provide evidence of how they can address issues around
security at run time, as well as other business and technical requirements.
TUT has the special interest of implementing secure services built on top of Tampere city open data
infrastructure like the intelligent transportation systems. By demonstrating the secure management of
personal data with the usage of MUSA framework will be an incentive for implementing future
services, products and projects that mix open data services and personal data.
The LHS use case is used to prove the correct operation of MUSA and for demonstration purposes
during the project phase (e.g., workshops, review meetings etc.). This use case is based on the
commercial version of the LHS Airline Scheduling application, which is closed source software.
D7.2: Business scenarios analysis 31
5 IPR management
In MUSA, as defined in the Consortium Agreement, the results are owned by the party that generates
them or on whose behalf such results have been generated. In the case of joint ownership (as is the
case for some results, see Section 4), a separate written agreement shall be concluded among the
concerned parties. This agreement should not adversely affect the access rights or other rights of the
other parties provided under the Grant Agreement or the Consortium Agreement.
Although a common strategy for releasing results into open source is adopted, the particular licence is
under discussion especially for the technical point of view. The use, modification or extension of
previous works could result into a licence incompatibility. For this purpose each of the works used as
background will be discussed and appropriate decision will be taken.
Table 11 shows the initial definition of the IPR principles for each MUSA key result including the list
of partners with primary and secondary exploitation interests.
Table 11. IPR principles for the MUSA key results
Key result IPR principles
KR1: MUSA Integrated
Development Environment
(IDE)
Open source and privative commercial products
Joint ownership
Primary expl. responsible(s): Tecnalia, CeRICT
Secondary expl. responsible(s): Montimage
KR2: MUSA security
libraries (monitoring,
enforcement and
notification mechanisms)
Open source and privative commercial products
Joint ownership
Primary expl. responsible(s): Montimage
Secondary expl. responsible(s): Tecnalia, CeRICT
KR3: MUSA decision
support tool Open source and privative commercial products
Joint ownership
Primary expl. responsible(s): CA Technologies
Secondary expl. responsible(s): Tecnalia, CeRICT
KR4: MUSA distributed
deployment tool Open source and privative commercial products
Joint ownership
Primary expl. responsible(s): Tecnalia
Secondary expl. responsible(s): CeRICT, CA Technologies,
AIMES
KR5: MUSA monitoring
service Open source and privative commercial products
Joint ownership
Primary expl. responsible(s): Montimage
Secondary expl. responsible(s): Tecnalia, CeRICT, CA
Technologies, AIMES
KR6: MUSA enforcement
support service Open source and privative commercial products
Joint ownership
Primary expl. responsible(s): Tecnalia, Montimage
Secondary expl. responsible(s): CeRICT, AIMES
KR7: MUSA notification
service Open source and privative commercial products
Joint ownership
D7.2: Business scenarios analysis 32
Key result IPR principles
Primary expl. responsible(s): Montimage
Secondary expl. responsible(s): Tecnalia, AIMES
KR8: MUSA security
assurance platform (SaaS) SaaS product with freemium model (lite and pro)
Joint ownership
Primary expl. responsible(s): Montimage, Tecnalia
Secondary expl. responsible(s): CeRICT, CA Technologies,
AIMES
KR9: Guide for an
integrated multi-cloud
secure applications
lifecycle management
Consultancy services
Joint ownership
Primary expl. responsible(s): CA Technologies
Secondary expl. responsible(s): Tecnalia, CeRICT
KR10: Innovative multi-
cloud application service
prototypes that exploit
heterogeneous clouds
Mixed of open and closed source
Joint ownership based on foreground
Primary expl. responsible(s): LHS, Montimage, TUT
Secondary expl. responsible(s): Tecnalia, CeRICT, CA
Technologies, AIMES
5.1 IPR directory
The MUSA consortium maintains an IPR directory in which all the partners introduce information
related to the property rights to facilitate early agreement and management of IPR issues. The IPR
directory contains the following information:
- Asset name: refers to the name identifying the result that requires IPR information.
- IPR type: defines the type of IPR and can be:
- Background: if it was generated before the MUSA project.
- Foreground: it will be generated during the MUSA project.
- Asset type: identifies the category of the asset. There are two possibilities:
- Software: executable material, libraries, etc., that are aimed to be executed or
somehow participate in the execution of applications and/or services.
- Knowledge: diverse non-executable information related to the project developments
(e.g., manuals, instructions, etc.).
- Category: the main area(s) in which the asset is used, for example website, script, tool,
model, library, SaaS, etc.
- Owner/s: proprietary company/ies of the asset. It can be any of the MUSA Consortium
partners, a combination of them, or “Other” for external open source developments.
- Controlled License Terms: determines whether the asset is controlled under specific license
terms. If a component contains software under Controlled Licence Terms (CLT) the Owner(s)
must provide this info (mandatory), at the latest when a component is put forward for release
(i.e., included in any deliverable), but preferably as soon as software implementation is
planned. If "Yes" on CLT software, info must be provided in the Licences fields.
D7.2: Business scenarios analysis 33
- Implementation rights: Access Rights that the IP holder grants to other consortium members
to use the IP for the MUSA project's implementation, and under what conditions. They can be
Royalty-free, Commercial or Not granted.
- Use rights: Access Rights that the IP holder grants to other consortium members to use the IP
after the MUSA project for exploitation and further research, and under what conditions. They
can be Royalty-free, Commercial or Not granted.
- Background used: previous developments and/or documents used.
- Licenses (int): licenses that govern the IP of the asset for parties internal to MUSA
consortium. They can be: closed source, open source or TBD (To be defined).
- Licenses (ext): licenses that govern the IP of the asset for parties external to MUSA
consortium.
- Dissemination plans: main actions to disseminate the asset in the MUSA project.
- Exploitation plans: specific actions to foster the exploitation of the asset in the MUSA
project.
The IPR directory is a dynamic structure that will evolve during the project, and will be used as a
reference during and after the project to store and maintain the IPR of the diverse MUSA
developments.
The implementation and use rights stated in the IPR directory as well as the dissemination and
exploitation plans need to be aligned with the corresponding clauses in the Consortium Agreement
signed by all MUSA partners for the execution of the project. The WP7 in the project will ensure that
such alignment is kept for all the updates in the IPR directory contents.
The Appendix B presents the current information contained in the MUSA IPR directory, divided per
asset.
D7.2: Business scenarios analysis 34
6 Conclusion/Further work
With the aim of guiding the primary exploitation activities and the project developments, this
document presents a detailed analysis of the business scenarios for the project results. Following a
reduced version of the Osterwalder Business canvas, the value chain for the MUSA framework and for
each key result of the project is presented, along with the key activities to promote the
commercialization of the MUSA results.
This document is oriented to offer a prior knowledge on the business scene where the project results
will be exploited, illustrating the resources and value that the MUSA developments will have for the
potential stakeholders.
Having in mind the needs of the potential stakeholders and the market situation will definitely help to
guide the MUSA developments to create an attractive solution from the business point of view.
Furthermore, the consideration of the user needs will enable the easy adoption of the MUSA
developments in the growing multi-cloud applications market.
Together with the business scenarios analysis, the MUSA consortium maintains an IPR registry that is
summarized in this document. It contains key data related to the information property rights of the
MUSA developments that helps to keep track of which partners in the consortium own the rights to
exploit each result.
As the project advances, the information presented in this document may vary, and as more
information is available, the Osterwalder Business canvas for each key result and for the MUSA
framework itself will be completed and included in D7.3 Initial exploitation plan, that will be issued in
month 24.
D7.2: Business scenarios analysis 35
References
[1] MUSA H2020 Project, Multi-cloud Secure Applications. 2015-2017. Available at:
www.musa-project.eu
[2] The MUSA Project. D1.1 Initial MUSA framework specification (2015).
[3] Osterwalder, A., & Pigneur, Y. Business model generation: a handbook for visionaries, game
changers, and challengers. John Wiley & Sons, 2010.
[4] Brooks, C. & Carter, S. IT as a Service Determining Application Workload Best Execution
Venues. 451 Research, 2014. Available at:
https://451research.com/images/Marketing/Webinar_Slides/451_Advisors_IaaS_Webinar.pdf
[5] The MUSA Project. D7.1 Initial market study, trends, segmentation and requirements (2015).
[6] Weins, K. Cloud Computing Trends: 2015 State of the Cloud Survey. Right Scale, 2015.
http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-
cloud-survey
[7] Gartner IT Glossary – DevOps. Available at http://www.gartner.com/it-glossary/devops.
[8] The MUSA Project. D6.2 Dissemination strategy (2015).
[9] The MUSA Project. D6.5 Networking plan (2015).
[10] The MUSA Project. D6.4 Communication plan (2015).
[11] CloudML Project, Model-based provisioning and deployment of cloud-based systems.
Available at: http://cloudml.org/
[12] Modelio: The open source modelling environment. Available at:
https://www.modelio.org/
[13] Data Protection Security and Privacy in the Cloud cluster of EU-funded research
projects. Available at: https://eucloudclusters.wordpress.com/data-protection-security-and-
privacy-in-the-cloud/
[14] SPECS Project, Secure Provision of Cloud Services based on SLA management.
Available at: http://www.specs-project.eu/
[15] MODAClouds Project, MOdel-Driven Approach for design and execution of
applications on multiple Clouds. Available at: http://www.modaclouds.eu/
D7.2: Business scenarios analysis 36
Appendix A. MUSA motivation and background
The main goal of MUSA is to support the security-intelligent lifecycle management of distributed
applications over heterogeneous cloud resources, through a security framework that includes: a)
security-by-design mechanisms to allow application self-protection at runtime, and b) methods and
tools for the integrated security assurance in both the engineering and operation of multi-cloud
applications.
MUSA overall concept is depicted in the figure below.
Figure A.1: MUSA overall concept
MUSA framework combines 1) a preventive security approach, promoting Security by Design
practices in the development and embedding security mechanisms in the application, and 2) a reactive
security approach, monitoring application runtime to mitigate security incidents, so multi-cloud
application providers can be informed and react to them without losing end-user trust in the multi-
cloud application. An integrated coordination of all phases in the application lifecycle management is
needed in order to ensure the preventive oriented security to be embedded and aligned with reactive
security measures.
D7.2: Business scenarios analysis 37
Appendix B. IPR directory information
This appendix presents the current information on the IPR directory that is kept by the MUSA
consortium partners. As a live document, it may be updated during the project, and these changes will
be reflected in future exploitation deliverables (D7.3 Initial Exploitation plan in M24 and D7.4 Final
Exploitation plan at the end of the project in M36).
The IPR registry, as defined in Section 5, contains a table for each asset that is developed in the
project. Tables 12 to 19 represent the IPR information for each of the identified assets.
Table 12. IPR for the MUSA IDE (KR1)
Asset name MUSA IDE
IPR type Foreground
Asset type Software
Category Modeller
Owner(s) Tecnalia, CeRICT
Controlled License
Terms (CLT) No
Implementation rights Royalty-free
Use rights Royalty-free
Background used CloudML, ModaClouds IDE, SPECS xml framework for SLAs.
Licences (int) Open source
Licences (ext) Open source
Dissemination plans Preparation of demos, videos, and training material
Exploitation plans
Knowledge to deep the expertise of Tecnalia in the field of mc applications,
particularly on the privacy and security aspects. The knowledge will be used for a
number of objectives:
- Strengthen the position of Tecnalia as a leader technology centre at EU level
in the areas of cloud-based applications, interoperability and distributed
environments.
- Consultancy and technology transfer services to local market, particularly
software SMEs.
- A PhD degree for Tecnalia staff.
Professional consultancy services for mc app requirements elicitation and specification
(with focus on security, privacy and data protection). Note that in most cases, the KR1
will be exploited in combination with KR4.
Tecnalia, CeRICT and Montimage partners will collaborate in its development and
will study the exploitation strategy according to the workload and contribution of each
partner in the result.
D7.2: Business scenarios analysis 38
Table 13. IPR for the MUSA DST(KR3)
Asset name MUSA DST
IPR type Background and Foreground
Asset type Software
Category Website
Owner(s) CA Technologies
Controlled License
Terms (CLT) Yes
Implementation rights Royalty-free
Use rights Royalty-free
Background used Decision Support System from MODAClouds (a DST without security aspects)
Licences (int) Open source
Licences (ext) Open source
Dissemination plans Preparation of demos, videos, and training material.
Exploitation plans
As the DST progresses it will be promoted as a potential update to existing CA
products. After a successful review the DST designs and prototypes would be included
in a product backlog for implementation with the development teams. This fits in the
security and API management domains within CA’s product set, but there is an
internal process to follow to include the DST as part of the product set.
Knowledge Transfer within CA Technologies is another channel for exploitation
Table 14. IPR for the MUSA deployer (KR4)
Asset name MUSA deployer
IPR type Foreground
Asset type Software
Category Configuration management tool
Owner(s) Tecnalia
Controlled License
Terms (CLT) No
Implementation rights Royalty-free
Use rights Royalty-free
Background used CSPs specific deployers, open source deployers (TBD)
Licences (int) Open source
Licences (ext) Open source
D7.2: Business scenarios analysis 39
Dissemination plans Preparation of demos, videos, and training material.
Exploitation plans
Professional consultancy services for automated deployment of cloud-based
applications, and particularly multi-cloud environments.
The potential of KR4 comes together with the use of KR3 (a and b) for selecting CSPs.
Basic open source KR3 will most likely be used when exploiting KR4. The use of non-
open source features of KR3 will be studied together with CA Technologies.
Table 15. IPR for the MUSA monitoring service (KR5)
Asset name MUSA monitoring
IPR type Background and Foreground
Asset type Software
Category Set of tools and agents
Owner(s) Montimage
Controlled License
Terms (CLT) Yes (for commercial version)
Implementation rights Royalty-free
Use rights Royalty-free, commercial (depends on feature)
Background used MMT monitoring module
Licences (int) Open source
Licences (ext) Open source, commercial (pay-per-use)
Dissemination plans Preparation of demos, videos, and training material, research articles and papers
Exploitation plans Integration of MUSA developments in MMT, new multi-cloud capabilities will extend
the market and the potential customers, as well as the possibility to analyse SLAs.
Table 16. IPR for the MUSA enforcement service (KR6)
Asset name MUSA enforcement
IPR type Foreground
Asset type Software
Category Libraries
Owner(s) Tecnalia, Montimage
Controlled License
Terms (CLT) Yes (for commercial version)
Implementation rights Royalty-free
Use rights Royalty-free, commercial (depends on feature)
D7.2: Business scenarios analysis 40
Background used Open source libraries
Licences (int) Open source
Licences (ext) Open source, commercial (pay-per-use)
Dissemination plans Preparation of demos, videos, and training material, research articles and papers
Exploitation plans
Tecnalia and Montimage will collaborate in further development of the results and
integration with billing and metering services towards such final product. Even if
Montimage will lead the exploitation, in those cases of joint ownership, both partners
will sign a written agreement that will rule the IPR and exploitation rights.
It is expected that the MUSA Security Assurance SaaS is deployed in a third party
cloud service provider, and AIMES partner will be the natural option for such hosting.
Therefore, the three partners will study the business models of the MUSA Security
Assurance SaaS and individual services (monitoring, enforcement and notification.
Table 17. IPR for the MUSA notification service (KR7)
Asset name MUSA notification
IPR type Foreground
Asset type Software
Category Web-based reports
Owner(s) Montimage
Controlled License
Terms (CLT) Yes (for commercial version)
Implementation rights Royalty-free
Use rights Royalty-free
Background used MMT notification service
Licences (int) Open source
Licences (ext) Open source, commercial (pay-per-use)
Dissemination plans Preparation of demos, videos, and training material, research articles and papers
Exploitation plans After integrated in MMT, the notification service will be adapted to different kinds of
customers.
Table 18. IPR for the MUSA security assurance SaaS (KR8)
Asset name MUSA security assurance SaaS
IPR type Foreground
Asset type Software
Category Software as a Service
D7.2: Business scenarios analysis 41
Owner(s) Montimage, Tecnalia
Controlled License
Terms (CLT) Yes (for commercial version)
Implementation rights Royalty-free
Use rights Royalty-free, commercial (depends on feature)
Background used MMT by MI
Licences (int) Open source
Licences (ext) Open source, commercial (pay-per-use)
Dissemination plans Presentation in industrial venues, marketing campaign, demos, videos and training
material; research articles and papers
Exploitation plans
Montimage and Tecnalia will collaborate in further development and maintenance of
the MUSA Security Assurance SaaS including support for new security mechanisms.
This support will enable the MUSA Security Assurance SaaS to be updated and
commercialised in the multi-cloud applications market, which is expected to grow in
the coming years.
Apart from the support to the MUSA Security Assurance SaaS, Montimage will
incorporate multi-cloud security assurance capabilities to its flagship tool MMT,
which will be commercialised independently since it includes other capabilities not
only focused on security for multi-cloud environments, but also oriented to provide
overall support for monitoring diverse aspects of computing systems such as
networking, performance, QoS/QoE/QoBiz, etc.
Table 19. IPR for the MUSA guide (KR9)
Asset name MUSA guide
IPR type Foreground
Asset type Knowledge
Category Document/wiki
Owner(s) CA Technologies, Tecnalia, CeRICT, MI
Controlled License
Terms (CLT) No
Implementation rights Royalty-free
Use rights Royalty-free
Background used Knowledge from previous EU-funded research projects like MODAClouds, ARTIST,
SPECS, etc.; MMT (from MI) documentation
Licences (int) Open access
Licences (ext) Open access
Dissemination plans Publish (in open access) the guide document on the MUSA website and social
D7.2: Business scenarios analysis 42
networks, and make it the basis for MUSA publications and presentations.
Create a wiki on top of the contents of the initial version of the guide and continuously
keep the wiki alive until the final version is ready.
Exploitation plans Use the guide to support the professional consultancy services around MUSA
framework tools.