UNICORN has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 731846

Stakeholders Requirements Analysis
Deliverable D1.1

Editor: Demetris Trihinas
Reviewers: Manos Papoutsakis (FORTH), Fenareti Lampathaki (Suite5)
Date: 30 June 2017
Classification: Public


Contributing Author and Version History

| Contributing Author (Name) | Partner | # | Version History (Description) |
|---|---|---|---|
| Demetris Trihinas | UCY | 1 | Table of Contents (ToC), document purpose and partner contribution assignment |
| Athanasios Tryfonos | UCY | 2 | Background and Terminology section initial content merged, relation to other WPs added |
| Zacharias Georgiou | UCY | 3 | Content for methodology followed to derive requirements |
| George Pallis | UCY | 4 | Updated methodology and background section, survey first results |
| Marios D. Dikaiakos | UCY | 5 | Initial non-functional requirements section, updated methodology with industry findings |
| Spiros Alexakis | CAS | 6 | Minor improvements to terminology, refined industry findings in methodology, initial list of system requirements and key findings from interview process |
| Julia Vuong | CAS | 7 | Updated user roles, updated functional requirements after merging comments received, updated methodology and background |
| Fenareti Lampathaki | Suite5 | 8 | Updated non-functional requirements and merged comments referring to survey key findings, merged security content to background |
| Sotiris Koussouris | Suite5 | 9 | Updated functional requirements, added data privacy protection mention to survey methodology, merged security to background |
| Spiros Koussouris | Suite5 | 10 | Merged comments on user roles, conclusion and merged comments on non-functional requirements, conclusion |
| Panagiotis Gouvas | Ubitech | 11 | Updated introduction, merged comments on mapping of functional requirements to user roles |
| Giannis Ledakis | Ubitech | 12 | Merged comments on market analysis scheme, executive summary and introduction |
| Manos Papoutsakis | FORTH | 13 | Merged comments on stakeholders analysis, functional requirements and figure numbering |
| Bernhard Koelmel | Steinbeis | 14 | Final version |


Table of Contents

1 EXECUTIVE SUMMARY
2 INTRODUCTION
  2.1 Document Purpose and Scope
  2.2 Document Relationship with other Project Work Packages
  2.3 Document Structure
3 BACKGROUND AND TERMINOLOGY
  3.1 Programmable Infrastructure
  3.2 Multi-Cloud Offerings
  3.3 Micro-services
  3.4 Containerization
  3.5 DevOps – Continuous Integration and Delivery
  3.6 Annotation-Based Programming
  3.7 Security Enforcement and Data Privacy Preserving
4 METHODOLOGY FOLLOWED TO DERIVE UNICORN SYSTEM REQUIREMENTS
  4.1 Key Findings from industry studies
5 UNICORN STAKEHOLDER IDENTIFICATION
  5.1 Stakeholders and Target Audience
  5.2 User Roles
  5.3 Market positioning
6 REQUIREMENT ANALYSIS SCHEME
  6.1 Interviewee Profile
  6.2 Unicorn Survey and Interview Study Key Findings
7 UNICORN SYSTEM REQUIREMENTS
  7.1 Functional Requirements
  7.2 Non-Functional Requirements
8 CONCLUSIONS
9 REFERENCES
10 ANNEX
  10.1 Identified Unicorn Functional Requirements


  10.2 Disseminated Questionnaire


List of Figures

Figure 1: Unicorn Vision
Figure 2: Deliverable Relationship with other Tasks and Work Packages
Figure 3: Monolithic Legacy Enterprise Architecture vs Micro-service Architecture Approach
Figure 4: Hypervisor vs Container-based Virtualization
Figure 5: Docker Relation to Linux Container Notion
Figure 6: CoreOS Host and Relation to Docker Containers
Figure 7: Unikernel Relation to VMs and Containers
Figure 8: Continuous Integrations, Continuous Delivery and Continuous Deployment Steps
Figure 9: Indicative Example of Annotation Declaration in Java
Figure 10: High-Level Abstract Methodology to Derive Unicorn System Requirements and Relevant Key Technologies
Figure 11: Unicorn Market Positioning
Figure 12: Organisation Operating Business Domains as Identified by Interviewees
Figure 13: Number of Employees in IT department
Figure 14: Interviewee Role in Organisation
Figure 15: Usage of Annotation-based Programming Paradigm by Interviewees
Figure 16: Popular Programming Frameworks Used by Interviewees
Figure 17: Usage of Collaboration Tools Among Employees of Organisation
Figure 18: Popularity of CI/CD Frameworks Embraced by Surveyed Organisations
Figure 19: Challenges Preventing Full Adoption of CI/CD Pipeline
Figure 20: Cloud IDE Embracement by Interviewed Organisations
Figure 21: Popular reasons preventing Cloud IDE adoption from responders not using Cloud IDEs
Figure 22: Micro-service Architecture Adoption by Interviewed Organisations
Figure 23: Containerized Solution Adoption by Interviewed Organisations
Figure 24: Containerized Solution Adoption Challenges as Identified by Interviewed Organisations
Figure 25: Containerized Solutions that have been adopted by those using or considering containerization
Figure 26: Multi-Cloud Deployment Model Adoption by Interviewee Organisations
Figure 27: Popular Cloud Providers
Figure 28: Multi-Cloud Adoption Challenges
Figure 29: Monitoring Level Targets as Responded by Interviewed Organisations
Figure 30: Monitoring Tool Type Adoption by Interviewed Organisations
Figure 31: Monitoring Challenges Faced by the Interviewed Organisations
Figure 32: Elastic Scaling Adoption
Figure 33: Elastic Scaling Type
Figure 34: Elasticity tools used by organizations have adopted elastic scaling as part of their ALM
Figure 35: Elastic Scaling Adoption Challenges
Figure 36: Stage of Application Lifecycle at which Security is Considered by Interviewed Organisations
Figure 37: Security Mechanisms Adopted by Interviewed Organisations (#1)
Figure 38: Security Mechanisms Adopted by Interviewed Organisations (#2)
Figure 39: Security Mechanisms Adopted by Interviewed Organisations (#3)
Figure 40: Non-Technical Quality Aspects as Organised by ISO/IEC 25010:2011


List of Tables

Table 1: Industry Studies and Points of Interest Relevant to Unicorn
Table 2: Unicorn Actors
Table 3: Market Players Analysis – Brief Overview
Table 4: Market Players Analysis – DevOps Support and Highlight Features
Table 5: Market Players Analysis – Perspectives
Table 6: Organisations Participated in Interview Process
Table 7: Functional Requirements Relation to User Role


1 Executive Summary

The main objective of the Unicorn project is to deliver a unified platform that will help SMEs and Startups to develop, deploy and manage secure-by-design and elastic-by-design cloud applications and services that follow the micro-service architectural paradigm, on multi-cloud programmable execution environments. The platform will allow software developers to tackle data privacy constraints and restrictions through the application of various privacy policies and will ease the resource monitoring process. In this respect, Deliverable D1.1 - Stakeholders Requirements Analysis, hereafter simply referred to as D1.1, provides a clear set of guidelines that will guide the partners through the technical activities of the Unicorn project. The guidelines that will drive the project technical activities are expressed in the form of functional and non-functional requirements that will assist in shaping the final framework that fulfils the vision and objectives of the project. The work in this deliverable begins by presenting an agreed background and terminology of innovative technological concepts such as the programmable infrastructure, multi-cloud offerings, micro-services, containerization, DevOps, annotation based programming and various security enforcement mechanisms. This terminology will consistently be used throughout all future technical deliverables as these concepts form the basic technological pillars on which the implementation of the Unicorn project will be based.

Furthermore, the methodology that was used to derive the functional and non-functional requirements is presented. In the beginning of this agile methodology the partners analysed industry reports, surveys and practices in order to identify the Unicorn stakeholders and potential user roles onto which the functional system requirements will be mapped. Based on this analysis of the industry, an interview questionnaire was designed to identify the key technologies taken up by the SME and Startup eco-system in Europe, as well as the emerging technologies that are within their interests but cannot yet be successfully integrated into their software stack due to different challenges they are facing.

Lastly, the analysis of the interview responses has contributed to deciding and clarifying a set of functional and non-functional system requirements that can be assigned to the identified user roles that are involved in different stages of the application lifecycle.


2 Introduction

Cloud computing shifts IT spending to a pay-as-you-go model, where similar to utility billing, you only pay for what you use and only when you use it [1]. Cloud computing has revolutionized the IT industry to the point where any person, with even basic technical skills, can access and obtain, via the internet, on demand vast and scalable computing resources at low cost [2]. For Small and Medium Enterprises (SMEs) and today’s Startups, this well-established argument is sound. Cloud computing eliminates the capital expense of buying hardware and diminishes costs for configuring, running and maintaining on-site computing infrastructures of any size. Thus, it is now cheaper and easier to innovate, enabling businesses to dramatically lower their cost of operations, and by extension lower the cost of starting a business (independent businesses share their collective infrastructure costs via the cloud), thus spurring entrepreneurship [3]. Therefore, it is no wonder that SMEs and Startups are migrating core services and products of their business to the cloud. A recent study shows that, in this digital economy, more than 37% of SMEs have embraced the cloud to run parts of their business, while projections show that by 2020 this number will grow and reach 80% [4].

While opportunities for innovation are riper than ever, SMEs and Startups with a limited number of developers, which ideally should be focused on core product development, are found constantly in need of tackling security, compliance and code vulnerabilities by designing software security mechanisms to prevent data breaches and ensure customer privacy. A recent study found that 62% of data breaches impacting SMEs accounted for a loss of more than 50% of their customer base [4]. Hence, as data continues to migrate to the cloud, the cost of bad security will only continue to rise. The other inhibitor that remains a consistent barrier to cloud adoption is vendor lock-in, which is where an organization fears becoming beholden to an individual cloud vendor [5]. However, while vendor lock-in remains the second inhibitor preventing cloud adoption, concerns have been dropping recently due to interoperability initiatives to establish open APIs and libraries for cloud access and deployment [6], [7] along with topology specifications and standards [8], [9]. A recent study by RightScale (2017) [10] reveals that SMEs use, on average, up to 6 different clouds (including private clouds) to achieve their business objectives, with the hybrid cloud establishing itself as the most popular deployment model for SMEs. Nonetheless, while the cloud promises to automate application and infrastructure management, multi-cloud deployments raise the complexity of monitoring, managing and effectively projecting cost budgets of their services and core products distributed across multiple clouds, with unbearable engineering effort required to overcome these challenges in order to cope and not perish.

Furthermore, resource scaling (dubbed elasticity) introduces another challenge that must be tackled as well. Elasticity is one of the most-hyped features of cloud computing and has, since 2014, been driving cloud adoption [11]. However, the reality doesn't necessarily measure up to cloud providers' promises [12]. Website traffic from sudden user demand can explode rapidly, and the need for immediate scalability to address demands comes with many obstacles. Cloud providers offering auto-scaling (e.g., AWS) automatically provision virtual instances when high/low user-defined thresholds are violated [13]. However, auto-scaling is challenging, especially when determining whether an alert is issued due to a spike in demand of an application, or whether something is a malfunction of the system [14]. A distributed denial of service (DDoS) attack or similar issue could initially appear to be an increase in demand, and a mechanism that automatically scales in response may not be a good thing. Fast scaling could, in fact, end up being detrimental, resulting in unwanted charges [15].


Figure 1: Unicorn Vision

Nowadays, a number of cloud application management frameworks claim to address the above challenges by facilitating the design and deployment of cloud applications and services. Some of these frameworks are proprietary [16] [17], locking their users to specific providers, while others are generic [18] [19] [20], allowing management of applications on different infrastructures with adapters for popular cloud offering providers. A common denominator in all aforementioned frameworks is that none provides the ability to manage the lifecycle of a cloud service distributed across multiple availability zones and/or cloud sites. In turn, no framework currently tackles data protection privacy constraints and restrictions due to national and EU directives for data movement across application tiers, availability regions or multiple cloud sites. Also, elastic techniques are not well supported to deal with multi-dimensional elastic properties covering resources, costs and quality [21]. Most importantly, these tools tackle the challenges of managing cloud applications after application development. This often results in more iterations in the application development cycle if policy definition for elasticity, security and privacy deployment constraints for different cloud providers is not foreseen at the development phase, delaying time-to-market and negatively impacting SMEs and Startups comprised of small development teams.

As a result, new categories of tools and solutions are needed to support challenges holding back SME growth. Therefore, the concept of the Unicorn project is to deliver a platform that facilitates the deployment of trustworthy applications and services, creating a more entrepreneurial ICT ecosystem. Specifically, the Unicorn platform targets, but is not limited to, SME and Startup development teams that follow agile and continuous software delivery principles to improve software design on a continuous basis and, thus, increase productivity. Hence, Unicorn will simplify the design, deployment and management of secure and elastic – by design – multi-cloud services by providing software development teams with a cloud IDE plug-in and software design libraries to reduce development time of cloud applications. This will enable software developers to design and develop secure and reactive applications through their IDE, hence right where they write their code, which incorporates a set of software code annotations, validation and packaging tools for security, privacy protection, monitoring and elasticity policy definition at the platform, application, component and even code segment level without having to manually perform resource mappings and bindings. To circumvent the burdensome installation and integration process, the Unicorn platform will enable continuous orchestration and automatic optimization of portable and dynamic cloud services running on virtual instances or micro-execution containers for increased security, data protection privacy, and vast resource (de-)allocation. Once the software team has finished development and is ready to deploy its application, the deployment tool of the cloud IDE plugin will bundle application code, third-party libraries and Unicorn annotated policies and even allow users to search for required OS libraries and runtime software stacks, as the Unicorn development paradigm supports the notion of micro-execution container environments. Specifically, containerized environments are particularly relevant to micro-services and the developing concept of “immutable infrastructure” where cloud offerings served from virtual instances are treated as disposable artefacts and can be regularly re-provisioned solely from version-controlled code. What is more, the support from the Unicorn platform to software development teams does not stop at application deployment. To eliminate security threats, the Unicorn platform will provide continuous risk, cost and vulnerability assessment. In other words, by using Unicorn, software teams focus on core application feature development logic, not the scale, monitoring and security issues, which are handled in the background by the Unicorn platform ensuring interoperability across multiple and different clouds. This reduces software release time and provides a powerful tool for SMEs that follow agile and continuous software delivery principles to improve software design and continuous productivity improvement.

2.1 Document Purpose and Scope

The purpose of this document is to provide a comprehensive foundation describing the basic set of design and implementation guidelines that will start and guide the development of the IT components comprising the Unicorn platform. In respect to this, Deliverable D1.1 aims to identify the stakeholders of the Unicorn ecosystem and derive clear and basic descriptions of the system requirements after analysing and prioritizing the needs of the industry and the Unicorn Project’s Stakeholders. This is achieved by designing an online survey and performing personal interviews with carefully selected project Stakeholders within and beyond the consortium in order to probe the ICT needs of the EU SME and Startup eco-system. Thus, requirements are meant to drive the design and development process as they comprise the constraints that are to help the Unicorn ecosystem and platform to best match the project vision and satisfy the identified technological challenges and market gaps. Requirements show the functional and non-functional aspects for the Unicorn project and are an important input to the verification and validation process, since tests and evaluation KPIs should trace back to specific requirements. To this end, functional requirements represent the list of functional properties that need to be implemented and finally supported within the context of the Unicorn ecosystem and platform. This includes all behavioural aspects of the system components, as well as the tools and applications. On the other hand, non-functional requirements will concern performance, scalability, security and privacy aspects.

2.2 Document Relationship with other Project Work Packages

With the identification of the targeted stakeholders and the documentation of the basic functional and non-functional technical requirements, this deliverable (D1.1) will be used as an agreed upon instruction set guiding the development of the IT components that must be delivered by the Unicorn Project. Hence, D1.1 (Stakeholders Requirements Analysis) marks the completion of Task 1.1 “Requirements Analysis and Stakeholders’ Identification”. Figure 2 depicts the direct and indirect relationship of the deliverable to the other Tasks and Work Packages (WPs). The definition of system-wide requirements and the key technology findings identified by following the roadmap (described in Chapter 4) for probing the EU SME and Startup eco-system will drive the documentation of the Unicorn reference architecture (D1.2). In particular, the Unicorn reference architecture is a cornerstone for the project as functional and non-functional requirements are directly mapped to well-defined system entities, thus guiding the technical work of WP2-WP5. On the other hand, with the clear definition of the project and the prioritization of requirements to match the needs of the use-cases (D1.2), the work in WP6 “Demonstration” can begin as planned.


Figure 2: Deliverable Relationship with other Tasks and Work Packages

2.3 Document Structure

The remainder of this deliverable is structured as follows: Chapter 3 introduces a descriptive Background and Terminology synopsis referring to the key concepts related to the notion of Programmable Infrastructure. This synopsis will be used as a reference glossary throughout the Unicorn project deliverables and interactions with project Stakeholders. Chapter 4 presents a comprehensive description of the methodology followed to derive System Requirements for the Unicorn project by designing an online survey and performing personal interviews with carefully selected project Stakeholders in order to probe the ICT needs of the EU SME and Startup eco-system. In relation to this, Chapter 5 documents the identified project Stakeholders and target audience, while it also goes one step further by describing the list of the platform User Roles. Chapter 6 introduces the Requirements Analysis Scheme which documents the key findings derived from the disseminated online survey and the conducted personal interviews which helped the consortium compile the list of system requirements, introduced in Chapter 7. The list of functional and non-functional requirements along with the Unicorn eco-system user roles will be adhered to throughout future project deliverables and will serve as guidelines for the technical work to be performed to derive the Unicorn platform. Finally, Chapter 8 concludes this deliverable.


3 Background and Terminology

Before proceeding with the stakeholder identification and the requirement collection and analysis process, it is important to identify and elaborate on the key concepts driving the innovative technological axes of the Unicorn project. The terminology determined in this section will work as a reference guide across all future Unicorn technical deliverables.

3.1 Programmable Infrastructure

Programmable infrastructure is the IT concept of applying methods and tooling established in software development onto the management of IT infrastructure. This includes, but is not limited to, automation, on-demand resource (de-)provisioning, service integration and delivery, API versioning, data access, immutability and agile development [22].

What is more, the notion of “programmability” can be viewed and examined from two different perspectives [23]. In particular, from a developer perspective, “programmability” is the means to create the proper execution environment independently of the underlying physical resources. Thus, there is a need for both overarching resource abstractions at the design/development stage and convenient APIs at run-time, in order to implement an application in an environment-agnostic way and to dynamically tailor it to the actual (and usually changing) context. To this end, the Programmable Infrastructure provides developers with a common and single point of access to all resources, hiding physical issues like resource nature, faults, maintenance operations, and so on. On the other hand, from an infrastructure offering provider perspective, “programmability” mostly refers to the concerns of the provider with operation and maintenance of (usually) large pools of resources. In particular, infrastructure providers are in need of handy tools to deal with typical management tasks like insertion, replacement, removal, upgrade, restoration and configuration with minimal service disruption and downtimes. To this end, a high degree of automation is desirable, through programmatic recourse to self-* capabilities (self-tuning, self-configuration, self-diagnosis, self-healing).

Cloud computing adheres to the notion of Programmable Infrastructure by providing users with (virtual) resources on demand, according to their needs, and by metaphorically blurring the real physical infrastructure (bare metal) inside an opaque “cloud” [24]. The kind of resources exposed by clouds depends upon the specific service model; they are infrastructural elements like (virtual) hosts, storage space, network devices (Infrastructure-as-a-Service model, IaaS), computing platforms including the Operating System and a running environment (Platform-as-a-Service model, PaaS), or application software like databases, web servers, mail servers (Software-as-a-Service model). In Unicorn, we mainly target the IaaS model, since, orchestration-wise, it gives developers the broadest control on the cloud execution environment for their applications. However, the Unicorn project also targets providing the appropriate tooling sets to developer teams to ease cloud application development, security enforcement, and lifecycle management, and therefore, while not targeting PaaS offerings per se, it resembles a PaaS service, or better, a DevOps-as-a-Service.

In the following, we present an overview of the key concepts related both to the Unicorn project and the notion of Programmable Infrastructure. Although the following approaches may adhere to different architectures, frameworks and implementations (State-of-the-Art will be thoroughly documented in D1.2), they are interrelated and their synergy towards a fully programmable infrastructure is more and more evident in today’s platforms.


3.2 Multi-Cloud Offerings

To achieve their cloud goals, business leaders are increasingly choosing to work with multiple cloud offerings and/or cloud providers [25]. A dominant factor is that leading cloud providers are constantly innovating and introducing new technologies to better their services, so an enterprise with a multi-cloud solution can be proactive in the market, electing to consistently employ the best services and value, from any given service provider, under any given circumstances. A recent study by IDC [26] predicts that 86% of enterprises will require a multi-cloud strategy to support their business goals within the next two years, while other studies (e.g., RightScale’s State of the Cloud yearly trends [10], [27]) reveal that the hybrid cloud is dominating the interests of more than 70% of IT related organisations [28]. However, while the terms hybrid-clouds, multi-clouds or even federated-clouds are used in studies across the industry as interchangeable terms, only when specifically questioning interviewees (a task performed by Unicorn as documented in Chapters 4 and 6) is it revealed that organisations often refer to different cloud deployment models when using the aforementioned terms.

Therefore, in what follows we clarify different (multi-)cloud deployment models evolving around the notion of using more than one cloud offering and/or cloud service provider.

• MC1 – Cloud Bursting: This model allows for workloads to move between private and public cloud offerings as computing needs dynamically change [29]. Specifically, organisations benefit from the scalability of public clouds for demanding compute operations, otherwise limited by the infrastructural resources of the organisation, while also leveraging the security provided by their private cloud infrastructure by not exposing, at all times, protected and sensitive data. Furthermore, organisations can benefit by the reduced access time and latency of data exchange inside a private cloud.

• MC2 – One Cloud Provider Multiple Availability Zones: This model supports the use of only one cloud provider or cloud offerings type, albeit multiple availability zones, regions and/or cloud sites are used, to deploy organisation services on cloud offerings [30]. For instance, an organisation may select to offer its services closer to consumers by selecting appropriate availability zones (e.g., AWS offers EU offerings via Ireland and Frankfurt zones) or it may deploy loosely-coupled services across multiple cloud sites but all using the same cloud offerings type (e.g., Openstack, VMware). The latter is a case highly relevant to the health sector where health institution data (e.g., clinic patient health records), for security and privacy reasons, are protected, and used, behind private cloud deployments but can still be accessed after obtaining authorization from other inter-connected health institutions.

• MC3 – Multiple Cloud Providers Heterogeneous Offerings: This model supports the ability of organisations to route their workload to respected providers that better suit particular tasks of a service’s operations (e.g., data storage, processing) [25]. For instance, an organization may conclude that to achieve certain cost reduction benefits for its cloud computing bill, its cloud storage needs would be best shifted to Amazon Web Services (AWS) while its data processing needs for particular (offline) tasks (e.g., image processing) might be better serviced by utilizing Microsoft’s Azure machine learning data pipeline.

• MC4 – Multiple Cloud Providers Homogeneous Offerings: This model allows the use of homogeneous offerings (e.g., same or similar VM types for a deployed service) from multiple cloud providers (e.g., AWS, Google Compute Engine) to support continuous availability of an organization’s services [31]. With this model, organisations benefit by allowing operations to carry on, despite the event of cloud provider downtime, as cloud resource acquisition is distributed among the selected cloud service providers. In particular, this model also allows for load to be balanced across providers, while reduced access time and latency for intra-data exchange is achieved for the offerings inside the boundaries of each cloud provider.

3.3 Micro-services

The evolution of new software development paradigms is following the need for development of applications that adhere to the notions of modularity, distribution, scalability, elasticity and fault-tolerance [32]. A micro-service architectural approach is considered as the resulting set that arises from the decomposition of a single application into smaller pieces (services) that tend to run as independent processes and have the ability to inter-communicate, usually using lightweight and stateless communication mechanisms (e.g., RESTful APIs over HTTP) [33]. These (micro-) services are built around business capabilities and are independently deployable by fully automated deployment machinery. For (micro-) services, there is a bare minimum of centralized management and such services may be written in different programming languages and even use different data storage technologies [34].

Figure 3: Monolithic Legacy Enterprise Architecture vs Micro-service Architecture Approach

To understand the logic behind a micro-service architectural approach it is useful to compare it to a monolithic approach (Figure 3) where a single executable hosts the entire functional logic of an application, such as in the case of a web service handling HTTP requests while responsible for executing domain logic, database access, and HTML view population. Hence, all logic for handling web requests runs within a single process. However, this approach features a number of disadvantages, often referred to as monolith inhibitors [35]. In particular, feature roll-outs and software code changes are always tied together – even a single change made to a small code segment of the application requires the entire monolith to be rebuilt and re-deployed. Over time, and as the software stack expands, it becomes evident that a good modular structure is hard to keep, making it difficult to track software code changes that ought to only affect one module within that module. Most importantly, resource capacity provisioning for the software stack requires scaling the entire application rather than only the specific services in real need of additional resources.

In contrast to monoliths, micro-services are decomposed into services organised around discrete business capabilities. The boundaries between these units are usually comprised of functional APIs that expose the core capabilities of each service. Large systems are then composed of many (micro-)services, whereby communication between micro-services is a central ingredient. For instance, such is the case of amazon.com (https://www.amazon.com/), where the different aspects of their e-commerce platform (recommendations, shopping cart, invoicing and inventory management) are split into discrete, scalable and independent (micro-)services [36]. Instead of all being part of one enormous monolith, each business capability is a self-contained service with a well-defined interface. The advantage of this is that separate teams are each responsible for different aspects of the service, allowing the team and software core to develop, test, handle failures and scale independently. In turn, continuous delivery is possible as small units are easier to deploy and to manage across their entire lifecycle.

Finally, decentralized data management is highly evident where each service dealing with a specific function of the business process may manage its own database, either different instances of the same database technology or entirely different database systems, so as to optimize data storage, processing and acquisition to the heterogeneous needs and scale of each business function. As stated by A. Cockcroft, who oversaw Netflix’s transition from a monolithic DVD-rental company to a micro-service architecture comprised of many small teams working together to stream content to millions of users, a micro-service with correctly bounded context is self-contained for the purposes of software development [37]. Therefore, one can understand and update the micro-service’s code without knowing anything about the internals of its peers, because the micro-service and its peers interact strictly through APIs and therefore there is no need for sharing or exposing (with security threats lurking) data structures, database schemata, or other internal representations of objects. Thus, the commonly understood “contract” between micro-services is that their APIs are stable and forward compatible.

3.4 Containerization

Resource virtualization, in general, consists of an intermediate software level on top of physical resources (bare metal) and the operating system, providing abstractions for multiple virtual resources (e.g., compute, memory, storage, etc.), often bundled together and denoted as virtual machines (VMs) or virtual instances. VMs can also be seen as isolated execution contexts [38]. In particular, VMs require full guest operating systems in addition to binaries and various libraries that are necessary for the applications to run, which translates into large isolated files that store their entire file-system on the host machine [39], [40]. Each VM is run on top of a hypervisor, which is specialised software on the host operating system that is responsible for the operation of the VM and the management of the resources needed from the host machine. Today, hypervisor-based virtualization is the most popular method of resource virtualization and the main representatives of this technology are XEN [41], VMWare [42] and KVM [43]. Although security concerns have been addressed through isolation, security limitations still exist, mainly due to numerous vulnerabilities masked in dependencies of the deployed applications on third-party binaries and libraries [44].

On the other hand, containerization is a virtualization method for deploying and running distributed applications without the need to launch entire VMs. In particular, containerization (Figure 4) allows virtual instances to share a single host operating system and relevant binaries, dependencies and/or (virtual) drivers, in a secure but also portable and interoperable way [45]. Application containers hold components such as files, environmental variables, and libraries required to run the desired software. Because containers do not have the overhead of an entire guest operating system required by VMs to operate, their size is smaller than that of VMs, which makes them easier to migrate, faster to boot and less demanding of memory; as a result, it is possible to run many more containers than VMs on the same infrastructure [46]. In turn, application development with the use of containers is perfect for a micro-service approach as, under this model, complex applications are split into discrete and modular units where, e.g., a database backend might run in one container while the front-end runs in a separate one. Hence, containers reduce the complexity of managing and updating the application because a problem or change related to one part of the application does not require an overhaul of the application as a whole [47].

Figure 4: Hypervisor vs Container-based Virtualization

Since containers share the operating system kernel, the isolation provided is weaker than with hypervisor-based virtualization; nevertheless, from the user perspective, each container appears to execute a single stand-alone OS. Isolation in container-based virtualization can be achieved through kernel namespaces and Control Groups (cgroups) [48] [49]. Namespaces are a feature of the Linux kernel that allows different processes to have different views on the system, while cgroups, another feature of the Linux kernel, manage and limit resource access for groups of processes through limit enforcement. In order for a containerized image to run, specialized software must be present on top of the operating system: the Container Engine, which utilizes the Linux kernel mechanisms (LXC) described above [50]. The most popular Container Engine is Docker, which is built based on the LXC techniques [51].

Figure 5: Docker Relation to Linux Container Notion

Docker is the leading container platform with the ability to package and run containerized applications. It provides a complete toolset to manage the lifecycle of containers, from development phase to deployment. Docker streamlines the development lifecycle by allowing developers to work in standardized environments using local containers and allows for highly portable workloads. It is written in Go and takes advantage of several features of the Linux kernel, such as namespaces and cgroups, to deliver its functionality. However, as Docker's technology is based on LXC, containers do not run an independent version of the OS kernel. Instead, all containers on a given host run under the same kernel, with only application resources isolated per container. This allows for a certain degree of isolation (though not as isolated as a full VM) with a lower resource overhead, but leaves an attack surface for exposed vulnerabilities in the central OS daemon managing co-located containers [52]. To improve isolation by providing secure containerization, and still adhere to the Linux kernel principles, CoreOS was designed to alleviate and improve many of the flaws inherent in Docker's container model [53]. In particular, CoreOS (Figure 6) features a read-only Linux rootfs with only etc being writable. In turn, as containers are isolated, even co-located ones, communication between them is handled over the IP network while network configurations are exchanged over etcd.

Figure 6: CoreOS Host and Relation to Docker Containers

For the deployment and orchestration of containers, frameworks such as Docker Swarm [54], Google’s Kubernetes [55] and Fleet [56] instantiate and coordinate the interactions between containers across a cluster. Therefore, container orchestration tools can be broadly defined as providing an enterprise-level framework for integrating and managing containers at scale. Such tools aim to simplify container management and provide a framework not only for defining initial container deployment but also for managing multiple containers as one entity, for purposes of availability, scaling, and networking, while the underlying CoreOS provides strong isolation to the above Docker execution environment. Hence the container solution stack presents itself as ideal for micro-service architectures [32], as micro-services are indeed built in this manner: a number of thin containers, each with a minimal set of processes, interact over well-defined (software) network interfaces. Thus, for micro-services, a different container is prepared for each of the components comprising the cloud application, which is ideal for deploying a distributed, multi-component system using the micro-services architecture that is able to scale the different applications both horizontally and vertically.

In turn, unikernels are specialized virtual machine images compiled from the modular stack of application code, system libraries and configuration, which adhere to both the principles of containerized execution environments and programmable infrastructure [57]. Specifically, unikernels are specialized single-purpose images disentangling applications from the underlying operating system, as OS functionality is decomposed into modular and “pluggable” libraries (similar to CoreOS). Developers select, from a modular stack, the minimal set of libraries (e.g., network, block devices) which correspond to the OS constructs required for their application to run. These libraries are then compiled with the application’s code to build sealed and fixed-purpose containerized environments which run directly on the hypervisor without an intervening OS, as depicted in Figure 7. Therefore, along with the benefits of containerization, which include: (i) short boot times (few second range) [58], (ii) small image sizes (few MBs) [59] [60] and (iii) fierce security [61]; unikernels exhibit strong isolation guarantees due to hypervisor-based execution, live migration and robust SLAs [62]. These benefits are particularly relevant to micro-services and the developing concept of immutable infrastructure where VMs are treated as disposable artefacts and can be regularly re-provisioned solely from version-controlled code. Modifying such VMs directly is not permitted: all changes must be made to the source code itself.

Figure 7: Unikernel Relation to VMs and Containers

3.5 DevOps – Continuous Integration and Delivery

Recent surveys ([63], [64]) have shown that DevOps is rapidly growing, especially in the enterprise, and the demand for people with DevOps skills is increasing. According to Amazon [65], DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity. Under the DevOps paradigm, there is no longer a distinct separation between development and operations teams. These teams can be merged into a single team, in which operations and development engineers participate together in the entire service lifecycle, from design through the development process to production support. Enterprises and organizations gain huge benefits [66] from adopting DevOps practices. Such benefits include: (i) improved collaboration between the various teams (developers and operations) of an organization; (ii) high velocity and efficiency on new deployments; (iii) reliable application updates and infrastructure changes; (iv) improved security by using compliance policies and configuration management techniques; and (v) rapid delivery which increases the pace of new releases by adopting continuous integration and continuous delivery practices.

Figure 8: Continuous Integration, Continuous Delivery and Continuous Deployment Steps

Continuous Integration (CI) and Continuous Delivery (CD) are software development practices that automate the software release process, from build to deploy. More specifically, CI [67] is a software development practice where members of a team integrate their work frequently (usually daily) into a central software repository (e.g. git, svn). Each integration is verified by an automated build (including tests) to detect integration errors as quickly as possible, which allows teams to deliver cohesive software more rapidly. Continuous integration most often refers to the build or integration stage of the software release process and entails both an automation component (e.g. a CI or build service) and a cultural component (e.g. learning to integrate frequently). The key goals of continuous integration are to find and address software bugs quicker, improve software quality, and reduce the time required to validate and release new software updates. CD is the software development practice in which teams are constantly producing new software releases (including new features, configuration changes, bug fixes and experiments) in short cycles and ensure that the software can be reliably released at any time [68]. With continuous delivery, every code change is built, tested, and then pushed to a non-production testing or staging environment. The final decision to deploy to a live production environment is triggered by the developer, whereas in continuous deployment this last step is automatic.

To further assist DevOps engineers, especially in the development phase, to collaborate under better conditions and to better promote CI/CD practices, a new category of tools, the Cloud IDE, has been on the rise over the past few years [69]. Simply stated, a Cloud IDE is, usually, a browser-based IDE that allows real-time collaborative software development via portable working environments (workspaces) deployed on the cloud. They allow access from anywhere using Internet access (or can even provide access to a local setup), with minimal configuration needed. Cloud IDEs provide support to all major software repositories, thus promoting collaboration and CI practices. The working environments of most state-of-the-art Cloud IDEs are usually containerized, allowing users to customize the container images according to their needs (e.g. Eclipse CHE [70], SAP Hana [71]). Moreover, Cloud IDEs can connect to various cloud providers, making it easier for DevOps to deploy their applications remotely.

Finally, one of the most challenging tasks of a DevOps engineer, particularly in the cloud area, is the development of elastic applications, able to efficiently adapt their resources according to their needs. Elasticity is defined as the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible [1]. It is used to avoid inadequate provision of resources and degradation of system performance while achieving cost reduction [72], making this service fundamental for cloud performance. Nowadays, most cloud providers and third-party tools offer an automated way to scale resources by giving the developer the ability to define the optimal policies for application provisioning. Horizontal scaling is the scaling method of choice for many cloud systems since it provides a way of scaling the application to meet its demands without interruption. Horizontal scaling requires the application to support a way of cloning itself, in order to be deployed in another virtual container to support part of the demand. Although vertical scaling seems simpler since it only requires increasing the resources of the virtual container hosting the application, in fact it is not appropriate for supporting an application’s uninterrupted operation, since most operating systems do not support on-the-fly changes (without rebooting) to the available resources (e.g. CPU or memory) of a running instance. Thus, horizontal scaling is mostly preferred in cloud systems.

Auto-scaling techniques are divided into reactive and proactive (or predictive) [1]. Reactive techniques are those methods that react to the current system and/or application state, which is determined from the latest values of monitored variables. Proactive (or predictive) techniques attempt to scale resources in advance of demand by predicting the latter. Reactive techniques may prove inefficient for supporting uninterrupted operation of the application at all times, especially when there is a sudden demand burst. This is due to the fact that acquiring new resources and instantiating a new execution environment (virtual container) requires a non-negligible time interval. On the other hand, proactive techniques are more promising; however, in the worst case they may fail to predict demand and act as a reactive technique with, possibly, additional costs incurred for mispredictions. Thus, auto-scaling is a significant challenge, as a badly performing auto-scaling technique may lead to problems such as under-provisioning (the application does not have enough resources), over-provisioning (the application reserves more resources than the ones really needed) and oscillation (scaling actions are carried out too quickly for the application to see the impact of the scaling action) [31].
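The effect of the provisioning delay on the two families of techniques can be seen in a small simulation. This is an added example, not part of the deliverable; the per-instance capacity, the boot delay, the demand trace and the naive slope-based forecast are all assumptions chosen for illustration.

```java
public class AutoScalingDemo {
    // Assumed figures for the illustration, not taken from the deliverable.
    static final int CAPACITY = 100;  // requests per tick served by one instance
    static final int BOOT_DELAY = 3;  // ticks between requesting an instance and it serving traffic

    /** Decides how many instances should exist, given the demand observed up to tick t. */
    interface Policy { int desired(int[] demand, int t); }

    static int instancesFor(int load) {
        return Math.max(1, (load + CAPACITY - 1) / CAPACITY);
    }

    // Reactive: sizes the fleet from the latest monitored value only.
    static final Policy REACTIVE = (demand, t) -> instancesFor(demand[t]);

    // Proactive: extrapolates the last observed slope BOOT_DELAY ticks ahead.
    static final Policy PROACTIVE = (demand, t) -> {
        int slope = (t == 0) ? 0 : demand[t] - demand[t - 1];
        return instancesFor(Math.max(demand[t], demand[t] + slope * BOOT_DELAY));
    };

    static final class Result {
        final int underProvisionedTicks, unservedRequests, instanceTicks;
        Result(int under, int unserved, int cost) {
            underProvisionedTicks = under; unservedRequests = unserved; instanceTicks = cost;
        }
        @Override public String toString() {
            return "under-provisioned ticks=" + underProvisionedTicks
                 + ", unserved requests=" + unservedRequests
                 + ", instance-ticks paid=" + instanceTicks;
        }
    }

    static Result simulate(int[] demand, Policy policy) {
        int running = instancesFor(demand[0]);
        int pending = 0;                                     // requested but still booting
        int[] ready = new int[demand.length + BOOT_DELAY];   // instances that finish booting at tick i
        int under = 0, unserved = 0, cost = 0;
        for (int t = 0; t < demand.length; t++) {
            running += ready[t];
            pending -= ready[t];
            int want = policy.desired(demand, t);
            if (want > running + pending) {                  // scale out: usable only after BOOT_DELAY
                int extra = want - running - pending;
                ready[t + BOOT_DELAY] += extra;
                pending += extra;
            } else if (want < running) {                     // scale in: takes effect immediately
                running = want;
            }
            int capacity = running * CAPACITY;
            if (demand[t] > capacity) {                      // under-provisioning
                under++;
                unserved += demand[t] - capacity;
            }
            cost += running;                                 // over-provisioning shows up as cost
        }
        return new Result(under, unserved, cost);
    }

    public static void main(String[] args) {
        // Constructed demand trace: steady load, a burst, then a return to baseline.
        int[] demand = {100, 100, 150, 250, 400, 600, 600, 600, 300, 100, 100, 100};
        System.out.println("reactive : " + simulate(demand, REACTIVE));
        System.out.println("proactive: " + simulate(demand, PROACTIVE));
    }
}
```

Comparing the two result lines shows the trade-off in the text: the proactive policy leaves fewer requests unserved during the burst, and its overshoot after the burst appears as extra instance-ticks.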

3.6 Annotation-Based Programming

Modern programming languages (e.g., Java, C#, Python) offer an extremely useful mechanism named “annotations” that can be exploited for several purposes. Annotations are a form of metadata providing information and instructions that are not part of the application itself [73]. Annotations do not directly affect program semantics, but they do affect the way software code is treated by tools and libraries, which can in turn affect the semantics of the running software. Annotations can be read from source files, binary files (e.g., class files), or reflectively at run time. They provide compilers and build engines with useful information and hints (e.g., suppress warnings), and allow code injection at compilation or deployment time for runtime processing decisions (e.g., add loggers, provide handlers to count method accesses, etc.).

From the software engineer perspective, annotations can be practically seen as a special interface which may be accompanied by several constraints, such as the part of the code that can be annotated or the part of the code that will process the annotations. An indicative example in Java is presented in Figure 9, which defines an annotation denoted as Test, that will be used to annotate Java methods. The scope (Java methods) of the Test annotation is defined via another annotation @Target(ElementType.METHOD) while the annotation @Retention(RetentionPolicy.RUNTIME) indicates that the Test annotation (and other annotations of the same type) will be retained by the VM so as to be parsed reflectively at run-time [74].


Figure 9: Indicative Example of Annotation Declaration in Java

Annotations are widely used by numerous frameworks such as the Spring Framework [75] and each framework selects one handling technique in order to process annotations. In general, there are three strategies for annotations’ handling:

• Source code generation: This annotation processing option works by reading the initial source code and generating either new source code or modifying existing code, and non-source code (e.g., config files, documentation). The (code) generators typically rely on container or other programming conventions and work with any retention policy. Indicative frameworks that belong to this category are the Annotation Processing Tool (APT) [76] and XDoclet [77].

• Bytecode transformation: Annotation handlers of this form parse binary and/or executable files containing annotations and emit modified binaries and/or newly generated executables. They also generate non-binary artifacts (e.g., config files). Bytecode transformers can run either offline (compile time), at load-time, or dynamically at run-time. In Java, they work with class or runtime retention policy (as shown in Figure 9). Indicative bytecode transformer examples include AspectJ [78] and Spring [75].

• Runtime reflection: Annotation handlers of this form use reflection to programmatically inspect data objects at runtime. It typically relies on the container or other programming convention and requires runtime retention policy. The most prominent testing frameworks like JUnit [79] use runtime reflection for processing the annotations.
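The declaration described for Figure 9 and the runtime-reflection strategy can be combined in one short program. This is an added example, not the figure from the deliverable and not JUnit's own code; the class names, the enabled() element and the second annotation Audited are hypothetical and exist only to show why the retention policy matters to a reflective handler.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class AnnotationDemo {

    // Scope limited to methods; retained by the VM so it can be read reflectively at run-time.
    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    @interface Test {
        boolean enabled() default true;   // hypothetical element, for illustration only
    }

    // Hypothetical annotation with CLASS retention: stored in the class file,
    // but not loaded by the VM, so a runtime-reflection handler never sees it.
    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.CLASS)
    @interface Audited { }

    // Constructed sample class whose methods carry the annotations.
    public static class Sample {
        @Test public void passes() { }
        @Test public void fails() { throw new IllegalStateException("boom"); }
        @Test(enabled = false) public void skipped() { }
        @Audited public void notATest() { }
    }

    /** Runtime-reflection handler: finds @Test methods, invokes them and reports the outcome. */
    static List<String> run(Class<?> type) throws ReflectiveOperationException {
        Object instance = type.getDeclaredConstructor().newInstance();
        Method[] methods = type.getDeclaredMethods();
        // getDeclaredMethods() returns methods in no particular order; sort for a stable report.
        Arrays.sort(methods, Comparator.comparing(Method::getName));

        List<String> report = new ArrayList<>();
        for (Method m : methods) {
            Test marker = m.getAnnotation(Test.class);
            if (marker == null) {
                report.add(m.getName() + ": ignored, annotations visible at run-time = "
                        + m.getAnnotations().length);
            } else if (!marker.enabled()) {
                report.add(m.getName() + ": skipped");
            } else {
                try {
                    m.invoke(instance);
                    report.add(m.getName() + ": passed");
                } catch (InvocationTargetException e) {
                    // The exception thrown by the annotated method is wrapped by invoke().
                    report.add(m.getName() + ": failed with " + e.getCause());
                }
            }
        }
        return report;
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        run(Sample.class).forEach(System.out::println);
    }
}
```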

3.7 Security Enforcement and Data Privacy Preserving

Data security has consistently been a major issue in information technology. In the cloud computing environment, it becomes particularly serious because the data is located in different places and even all around the globe. The increasing number of connected devices and the huge amount of software that is being developed on a daily basis will continue to generate and introduce new attack vectors and exploit opportunities for malicious hackers. Data security and privacy protection are the two main factors of users' concerns about the cloud technology. For this reason, the issue of continuous cloud and application security enforcement must be tackled, while enabling data protection privacy mechanisms at the cloud/hypervisor layer due to the co-existence of multiple users and services within the same hosts.

Data security is commonly referred to as the confidentiality, availability, and integrity of data. Security enforcement mechanisms are in place to ensure data is not being used or accessed by unauthorized individuals or parties. In addition, those mechanisms ensure that the data is accurate, reliable and available when an authorized party needs it.

To this end, one security enforcement mechanism that is widely used is the Intrusion Detection System (IDS). An IDS is a software component that automates the method of monitoring events within a computer system or network and analysing them for signs of possible violations or threats of violating computer security policies, acceptable use policies, or standard security practices. Such systems can also attempt to stop possible incidents (IDPS - Intrusion Detection and Prevention System). Information gathering, logging, detection and prevention are among the capabilities offered by IDSs. As far as the detection capabilities are concerned, most IDSs use a combination of signature-based detection, anomaly-based detection, and stateful protocol analysis techniques to perform in-depth analysis of the available data.

An IDS at the hypervisor or container level is able to monitor all available network interfaces used by the execution environment of the system. The produced logs are stored locally and feed a database. In turn, an HTTP server can present those data through a web interface. IDSs require significant resources in terms of the computation capacity needed to process a packet and the amount of memory needed to store the security ruleset. A way to speed up this inspection process is to take advantage of GPUs. Their low design cost, their highly parallel computation and the fact that they are usually underutilized, especially in hosts used for intrusion detection purposes, make them suitable for use as an extra low-cost coprocessor for time-consuming problems, like pattern matching. There have been many works trying to use GPU capabilities in order to improve the current state of IDS and IPS systems [80]–[83].

Encryption is another security mechanism which is intended to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or computer networks. Encryption is the conversion of electronic data, often referred to as plaintext, into another form, the ciphertext, by applying an encryption algorithm and selecting an encryption key. Encryption algorithms are divided into two main categories:

i) Symmetric

ii) Asymmetric

Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or file. The most widely used symmetric-key cipher is AES [84], which was created to protect government classified information. Symmetric-key encryption is much faster than asymmetric encryption, but the sender must exchange the key used to encrypt the data with the recipient before he or she can decrypt it. This requirement to securely distribute and manage large numbers of keys means most cryptographic processes use a symmetric algorithm to efficiently encrypt data, but use an asymmetric algorithm to exchange the secret key.

On the other hand, asymmetric cryptography, also known as public-key cryptography, uses two different but mathematically linked keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA [85] is the most widely used asymmetric algorithm, partly because both the public and the private keys can encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt it. This attribute provides a method of assuring not only confidentiality, but also the integrity, authenticity and non-repudiation of electronic communications and data at rest through the use of digital signatures.
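The combination described in the two paragraphs above (a symmetric cipher for the data, an asymmetric one for the key exchange, and a digital signature for integrity and authenticity) looks as follows with the standard Java cryptography API. This is an added example, not code from the deliverable; the class names, the key sizes, the choice of AES-GCM, RSA-OAEP and SHA256withRSA, and the sample message are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;

public class HybridEncryptionDemo {
    static final String RSA_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES_MODE = "AES/GCM/NoPadding";

    /** What the sender transmits: RSA-wrapped AES key, GCM nonce, ciphertext, signature. */
    static final class Envelope {
        final byte[] wrappedKey, iv, ciphertext, signature;
        Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext, byte[] signature) {
            this.wrappedKey = wrappedKey; this.iv = iv;
            this.ciphertext = ciphertext; this.signature = signature;
        }
    }

    static Envelope seal(byte[] plaintext, PublicKey recipientPublic, PrivateKey senderPrivate)
            throws GeneralSecurityException {
        // Symmetric part: a fresh AES key encrypts the (possibly large) data efficiently.
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey aesKey = generator.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES_MODE);
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(plaintext);

        // Asymmetric part: only the short AES key is encrypted with the recipient's public key.
        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, recipientPublic);
        byte[] wrappedKey = rsa.doFinal(aesKey.getEncoded());

        // Signature with the sender's private key. wrappedKey and iv have fixed lengths,
        // so feeding the three fields in sequence is unambiguous.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(senderPrivate);
        signer.update(wrappedKey); signer.update(iv); signer.update(ciphertext);
        return new Envelope(wrappedKey, iv, ciphertext, signer.sign());
    }

    static byte[] open(Envelope e, PrivateKey recipientPrivate, PublicKey senderPublic)
            throws GeneralSecurityException {
        // Verify before touching any key material.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(senderPublic);
        verifier.update(e.wrappedKey); verifier.update(e.iv); verifier.update(e.ciphertext);
        if (!verifier.verify(e.signature)) {
            throw new SignatureException("envelope was modified or not signed by the expected sender");
        }
        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.DECRYPT_MODE, recipientPrivate);
        SecretKey aesKey = new SecretKeySpec(rsa.doFinal(e.wrappedKey), "AES");
        Cipher aes = Cipher.getInstance(AES_MODE);
        aes.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(128, e.iv));
        return aes.doFinal(e.ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA");
        rsaGenerator.initialize(2048);
        KeyPair recipient = rsaGenerator.generateKeyPair();  // key pair used for encryption
        KeyPair sender = rsaGenerator.generateKeyPair();     // separate key pair used for signing

        byte[] message = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        Envelope envelope = seal(message, recipient.getPublic(), sender.getPrivate());
        byte[] opened = open(envelope, recipient.getPrivate(), sender.getPublic());
        System.out.println("decrypted: " + new String(opened, StandardCharsets.UTF_8));

        envelope.ciphertext[0] ^= 1;                          // simulate modification in transit
        try {
            open(envelope, recipient.getPrivate(), sender.getPublic());
        } catch (SignatureException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```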

Another crucial security mechanism that is used to protect against potential security threats is performing Risk and Vulnerability Assessments. Vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:

i) Cataloging assets and capabilities (resources) in a system.

ii) Assigning quantifiable value (or at least rank order) and importance to those resources.

iii) Identifying the vulnerabilities or potential threats to each resource.

iv) Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

Although data privacy and data security are often used as synonyms, they share more of a symbiotic type of relationship. Data privacy is suitably defined as the appropriate use of data. Data privacy preserving mechanisms are in place to ensure that the data is used according to the agreed purposes. Making sure all data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, data security policy through continual monitoring and visibility into every access point can be supported.

Privacy preserving mechanisms offer a set of high-level rules, which allow all interested stakeholders to define the type and scope of data protection constraints to prevent data access from unauthorized entities and restrict data movement between application services, countries or geographic/legal regions (e.g., the EU), availability regions and/or multiple cloud sites to adhere to national and/or EU data restriction directives. Such mechanisms offer a safety net against the processing of data which, on many occasions, are unknowingly processed in remote datacenters across borders, with security breaches that break legal act compliance due to unsecured data movement lurking in the background.


4 Methodology Followed to Derive Unicorn System Requirements

Deriving system requirements is the cornerstone activity of any successful project. It plays a key role for the successful scoping, defining, estimating and managing of a project right from the start. Successful requirements collection is typically unique in every project and circumstances, but it also can lead to many advantages. For instance, it can accommodate better resource management, system analysis, design, improved quality in the product delivered, and minimize the risk for delays and overruns. The methodology selected and used for the Unicorn project is an agile methodology, which in principle is iterative while some of the basic principles it relies on promote understanding between the business, technical and scientific needs of a project by laying out clear expectations at the beginning and at each milestone (software release) achieved by the project [86]. The agile methodology builds on increased communication, throughout the project and it fairly delivers the requirements earlier than traditional, waterfall approaches for software development.

The requirements are iteratively improved at each new milestone and are kept up-to-date in the backlog to influence in parallel several of the activities in the project (e.g., development, testing, new technology uptaking). The aim is to bring together the technical and research partners of the Unicorn project, and make them aware from the start of the important business aspects identified by its respective stakeholders. The methodology promotes understanding of the partners’ different views, consolidates opinions and defines what Unicorn should do. This enables collection and elicitation of concrete high-level requirements, promoting communication, alignment, consensus and active business user and customer involvement to meet the goals and needs of the project.

In the following paragraphs a description of the agile and task-driven methodology followed by the Unicorn consortium is provided. This methodology aims to identify key stakeholders for the project, derive the Unicorn system requirements and steer the partners to the technologies dominating the interests of its stakeholders so as to guide the technical work that will follow after designing the Unicorn reference architecture (D1.2). Figure 10 depicts a high-level and abstract overview of the methodology process.

Figure 10: High-Level Abstract Methodology to Derive Unicorn System Requirements and Relevant Key Technologies

The first task of the methodology followed involved identifying and clearly defining the stakeholders and target audience of the Unicorn platform while also providing an updated market positioning of the Unicorn eco-system towards the continuously evolving cloud market. A comprehensive description of this task is found in Chapter 5. Important outcomes of this task for the requirements collection process are a concise description of the targeted stakeholders, a glossary of key technology terms that are understandable by Unicorn stakeholders and a comprehensive list of user roles for the Unicorn platform. The stakeholders are the ones the Unicorn product will be developed for, and it will be used by their employees and management staff; therefore, a common terminology/glossary of the key technologies comprising the Unicorn platform was defined and agreed upon by all partners and is provided in Chapter 3. This terminology will be used as a reference guide across all future deliverables and interaction with Unicorn stakeholders.

The next task involved trawling the ICT industry research and technology leaders’ websites for global market and technology reports (e.g., Gartner, IDC), best practices from ICT visionaries, and the bibliography for key technologies (e.g., cloud platforms, container solutions) and requirements (e.g., cloud credential management), relevant to the Unicorn identified stakeholders and target audience. This process is meant to act as a starting point for the market requirements collection, but not as a comprehensive list of detailed technologies and requirements particularly relevant to the Unicorn project. In addition, it was considered vital to validate this initial list of collected requirements in collaboration with the industrial partners and practitioners in order to increase the likelihood of the widespread industry adoption of the results produced by the Unicorn project. A summary of key findings and points of interest from the ICT industry reports relevant to the Unicorn project is given in Section 4.1 that follows.

To this end, an online questionnaire and interview process was developed to probe the EU ICT industry to provide, validate and prioritize fine-grained system functional and non-functional requirements relevant to the Unicorn platform (note: all questions comprising the questionnaire can be found in Annex I). This is important as in several cloud reports (e.g., Gartner’s Magic Quadrant, Rightscale’s State of the Cloud report) there are statements such as “elastic scaling and performance monitoring are driving cloud adoption”; however, at the same time, “elasticity and monitoring” are also considered major challenges across businesses of all types, without highlighting what the “elasticity and monitoring” key market features are and which challenges still need to be addressed. In turn, while security is often stated as something companies highly take into consideration, often offering high standards and guarantees to their customers, security and data privacy protection are also top on the list for cloud challenges. At this point, one is left wondering which enforcement mechanisms are applied for security and data privacy protection and which are still considered as challenges. On a different level, as introduced in Chapter 2, while the terms hybrid-clouds, multi-clouds or even federated-clouds are used in studies across the industry as interchangeable terms, only when specifically questioning stakeholders (a task performed by Unicorn) is it revealed that organisations often refer to different cloud deployment models when using the aforementioned terms.

Therefore, the interview process was designed to study statements and clarify generalizations such as the ones mentioned above. The interview process is also beneficial for identifying the key technologies adopted by the SME and Startup eco-system in Europe, as well as the emerging technologies that are within their interests but cannot be successfully integrated into their software stack yet due to different challenges they are facing. Specifically, the interview process targeted obtaining insights into more than just the key technology concepts dominating the interests of the Unicorn stakeholders. For instance, containerization is something that is seen to be of interest for stakeholders. However, are there common go-to solutions for the stakeholders or are there any mixtures of solutions utilized? These questions are of interest for the project and will help shape the Unicorn reference architecture and business model that will be documented in D1.2 and D6.1 respectively. In particular, the interview process was held after the online questionnaire was completed and was refined each time to best adapt to the interviewee profile based on the given answers, to obtain greater and deeper insights from the interviewees. The interviewees were carefully selected by the consortium to span across different industry domains relevant to Unicorn and included: (i) 4 Startups from the CINCUBATOR Startup Hub; (ii) 2 SME members from the CyberForum digital alliance; (iii) the 4 Unicorn pilots serving as platform demonstrators; and (iv) 10 interviewees from EU-based organisations of various size (large enterprises, SMEs, Startups) not affiliated directly or indirectly with the Unicorn project. A comprehensive description of the questionnaire, the interview process and the key findings derived from this process can be found in Chapter 6.

At this point, it is important to mention that all interviewees were explicitly notified that the information given by the interviewee in the duration of the interview process will be kept confidential, the interviewee’s personal details will not be revealed, and the processing of all answers will be conducted in an anonymous manner, in compliance with European Union's data privacy laws, solely for the purpose of deriving the technical requirements for the Unicorn project. For these reasons, individual interviewee answers will not be revealed in this Deliverable.

Having obtained all completed questionnaires and interviews, the next two tasks involved cross-examining, correlating, analysing and elaborating on the results in order to map the obtained key findings to a list of system functional and non-functional requirements (Chapter 7). In addition, this procedure helped us to better understand the goals and expectations of the users and stakeholders in a market like the one that Unicorn wishes to target. This process has greatly contributed to the project as it allows us to have a more concise picture of the key technologies to uptake (e.g., which cloud platforms and containerized solutions are used by our stakeholders) in the span of the project and derive the Unicorn reference architecture in D1.2. Based on the deep insights obtained from the interviews, we managed to define a set of user- and system-perspective technical requirements that pave the way for the design and development of the Unicorn platform. Furthermore, we also provide a description of every role that we will consider throughout the project and how each role is connected with the functional requirements of the project. Prioritizing the obtained requirements was required in order for the long list of requirements driven by the industry to reflect the particular needs emerging from the Unicorn demonstrator use-cases. We note that in order to reduce repetition, the requirement prioritization based on the demonstrators and the key technologies targeted by the project will be introduced in D1.2 where each demonstrator and technology will be described and justified in detail, referring to the use-cases relevant and the expected KPIs which will be achieved by utilizing the Unicorn platform.


4.1 Key Findings from industry studies

Table 1: Industry Studies and Points of Interest Relevant to Unicorn

Study or Report / Points of Interest and Key Findings

RightScale 2016 State of the Cloud Report [87]
1060 respondents
34% Developers
55% IT Operations
61% US, 19% EU

• Hybrid-cloud adoption is dominating ICT industry interests (71% - up from 58% in 2015)

• Challenges for adopting hybrid-cloud deployment model include lack of resources/expertise and managing multi-cloud offerings

• DevOps growth and specifically container solution adoption is on the rise. Particularly, Docker is mentioned which is highly adopted by enterprises (Docker market share more than doubled compared to 2015)

• Greatest interest in containerized solutions is seen in European tech companies

RightScale 2017 State of the Cloud Report [27]
1002 respondents
61% US, 20% EU

• Hybrid-cloud adoption numbers are even stronger in 2017 (78%)

• Cloud computing top challenges for adopters now include (other than security and multi-cloud deployments): managing costs, monitoring and governance, improving performance and compliance

• Challenges for adopting containerized solutions include: lack of experience, security, maturity, monitoring and resource orchestration

Gartner 2016: Magic Quadrant IaaS Cloud Solutions [88]
Gartner 2016: Magic Quadrant PaaS Cloud Solutions and Containerized Environments [89]

• Study reports notable cloud providing solutions including market leaders, visionaries, challengers and niche players.

• Distinction of recommended cloud service providers per business related operation

• Vendor strengths and challenges where, even for AWS (the only notable for its auto-scaling solution), elastic scaling features severe challenges and growth potential that can drive to-and-away businesses to specific cloud offering providers

• The IaaS cloud market has clear leaders, however, the PaaS and container markets are considered battlefields although Docker seems to be obtaining a clear advantage in the container solution field


Veracode 2016: Secure Development Survey [90]
351 respondents
230 US, 121 EU

• Sensitive data exposure is the prime concern for all companies

• Security and data privacy protection challenges for cloud applications developed by large enterprises, SMEs and Startups

• Most organizations want (but are not always able) to incorporate security earlier in the software lifecycle (requirement, development phase) rather than after the development or testing phase

• Report highlights that DevOps is providing more opportunities to integrate security and data privacy protection, mentioning security methods enforced by SMEs and Startups including dynamic testing, web firewalls and runtime application protection in production.

• Most significant challenge: runtime software vulnerability and system malware detection

VisionMobile 2017: State of the developer nation [91]
21,200+ Developers

• Amazon is the leading public cloud provider, regardless of the target audience and company size, followed by Azure cloud for private cloud deployments

• SMEs use public cloud providers more than large enterprises

• Highlights the popular programming languages and frameworks used in different business domains (machine learning, AR/VR, front-end development, backend development, etc.)

LightBend 2016: Cloud, Container & Micro-services [92]
2151 JVM developers around the globe

• Micro-services are adopted by 55% of respondent DevOps teams

• DevOps teams are embracing micro-services because of increased security, improved resource management and (elastic) scaling

• Micro-service “laggards” are large enterprises

• Tools needed to ease micro-service delivery include API management, service orchestration, monitoring, and continuous delivery

• Portability is considered by DevOps a huge barrier to overcome when building cloud apps

DZone 2017: "DevOps: Continuous Delivery and Automation"
497 respondents
30% US, 45% EU, 25% Other

GitLab: 2016 Global Developer Report [93]
362 Startup and Enterprise CTOs

• 1 out of 4 SMEs have a dedicated DevOps team, in contrast to the large enterprises with a 1 out of 2 ratio

• 67% of DevOps teams are using micro-services somehow, compared to 27% in the previous year

• 51% of DevOps teams use containerized solutions, compared to 25% in the previous year

• Factors considered to be preventing DevOps teams from adopting a continuous delivery pipeline: lack of experience, unified environment tools for management and monitoring

• Developers use git for source control on a daily basis (92%) while continuous integration is adopted, at some level, by 77% of questioned organisations and application monitoring is considered as very important by 67%


RebelLabs: 2016 Development and Productivity Report and Java Landscape [94]
2040 respondents

RebelLabs: 2017 Programming the Web Report [95]
2000 Respondents

StackOverflow: 2016 Developer Report [96]
56003 developers

StackOverflow: 2017 Developer Report [97]
64000 developers

• The Eclipse IDE is the most popular IDE among developers for over 5 years now and is used exclusively by 48% of questioned developers, with the percentage growing to 55% when used with other IDEs (IntelliJ IDEA, NetBeans, Spring Tool Suite)

• There is a shift among developers from desktop IDEs to cloud IDEs with the most notable cloud IDEs being Eclipse Che, SAP Hana and Cloud9

• Micro-service adoption is particularly high for small businesses while large enterprises are more hesitant

• 68% of micro-service adopters claim that micro-services make developer’s job easier

• Report denotes the most popular programming languages per business operation domain

• Annotation programming paradigm is dominating interests of java and python developers particularly due to the popularity of Spring and Django frameworks which provide data abstractions

• RebelLabs 2017 is the only report denoting the go-to frameworks for micro-service development in java (Spring, Play)


5 Unicorn Stakeholder Identification

5.1 Stakeholders and Target Audience

Small and medium enterprises (SME) play a very important role in European economy. Statistics show that at present, SMEs (including start-ups) amount to 99% of the organisations, provide 60% of the total production value and about 40% of the profit [98]. Moreover, SMEs offer 75% of the jobs. SME contributions to the innovation system include not only R&D based new products and services, but also improved designs and processes and the adoption of new technologies.

But at the same time, the process of supporting European SMEs lags behind due to market and economic factors, such as intense market competition, demand atrophy, resource costs, high taxes and low investment. Strategies to enhance the competitiveness of innovative ICT SMEs should take into account that:

• New information and communication technologies facilitate global reach and help reduce the disadvantage of scale economies which small firms face in all aspects of business.

• Flexible specialisation has proven to be a particularly successful model of industrial organisation: through close co-operation with other firms SMEs can take advantage of knowledge externalities and rapidly respond to market changes.

• Usage of cloud development environments lowers the need for administration skills and frees the company to concentrate on their core business. While today’s installations are often local, it is only a matter of time before development environments are migrated to Cloud platforms.

• Cloud provides a perfect relationship between user demand and price – it is elastic. Fees increase incrementally as users use more functionalities.

At the same time, current cloud environments have significant weaknesses and therefore increase the critical view on cloud transition. Main barriers for cloud development are outlined as follows:

• Complex and costly development process: Developing new SaaS solutions or redeveloping existing solutions for the cloud on existing PaaS is a complex and very costly project making it often prohibitive especially for SMEs.

• High dependency on cloud infrastructure provider: The fear of a so called vendor lock-in is one of the major barriers to cloud service adoption. Customers cannot easily move to a competitor’s service.

• Security Concerns: Deploying confidential information and critical IT resources in the cloud raises concerns about vulnerability to attack, especially because of the anonymous, multi-tenant nature of cloud computing.

• Data Privacy: Regulation of data privacy presents the additional threat of significant legal and financial consequences if data confidentiality is breached, or if cloud providers inadvertently move regulated data across national or European borders. A CSO Online survey [99] found that the top five security or privacy related concerns for cloud were all related to ubiquitous data access, regulatory compliance and managing access to the data and the applications.

Unicorn’s scope lies within the core of strengthening innovation capacity, and developing innovations that meet the needs of European ICT SMEs and start-ups. The project aspires to bring together all stakeholders involved in the value chain of developing Cloud software services, and actively involve external SMEs and startups through validation subcontracts. The project aims at delivering a set of innovative concepts, tools and services, for making the European ICT and software engineering SMEs more competitive, increasing their scientific and technological potential.

Unicorn's specific target audience comprises IT service providers, who, according to Digital SME Alliance, count over 750,000 SMEs in Europe. These SMEs are eager to increase their market share of the huge Cloud Computing market, worth over $131 billion, as North America takes home more than half of the global revenues. We are targeting the following three audience categories:

• Small and medium sized Independent Software Vendors (ISVs): who currently offer on-premise business applications but, in the future, want to offer these “as a service”.

• Startups: who intend to deploy their own, new services, with a need for developing and deploying secure and elastic applications.

• SMEs already offering SaaS solutions: Unicorn features will allow them to concentrate on core functionality and re-use particular knowledge, instead of spending efforts for scaling, monitoring and security issues.

Concluding, Unicorn will contribute to all three EU Digital Single Market (DSM) pillars, namely to the “Access” pillar by lowering the barrier for SMEs to develop advanced cloud services, to the “Environment” pillar by supporting the creation of a trusted cloud environment for European SMEs and finally to the “Economy & Society” pillar by offering a solution that will improve interoperability, will contribute to standards and will allow ICT SMEs to concentrate on their core competencies and grow.

5.2 User Roles

Table 2 introduces the identified user roles for the Unicorn eco-system. From this table, we observe that the Unicorn eco-system involves many roles with diverse responsibilities. Some of these responsibilities may overlap among users of the platform which, at first, may seem to lead to misleading interpretation of user role duties. However, as we will see in the next Chapter, in DevOps teams, the dividing lines between roles in the development team are quite blurred, with team members often taking up responsibilities spread across different user roles (e.g., a Cloud Application Developer may also be in charge of Testing or the Application Administrator may also be a Developer as well).

In the following Table, the Actor terminology and descriptions are designed to clarify and summarize each actor’s roles.

Table 2: Unicorn Actors

Actor: Cloud Application Owner
Description: The person providing the vision for the application as a project, gathering and prioritizing user requirements and overseeing the business aspects of deployed applications (e.g. business delivery, functioning and services of the application) in accordance with various criteria (e.g. cost minimization and policy definition like legal constraints)

Actor: DevOps Team
Description: Development, operation and testing of cloud applications, including the roles: Cloud Application Product Manager, Cloud Application Developer, Cloud Application Administrator and Cloud Application Tester.

Actor: Cloud Application Product Manager
Description: The person defining the cloud application architecture and implementation plan based on the Cloud Application Owner’s requirements. This person is also responsible for packaging the cloud application and enriching the deployment assembly with runtime enforcement policies for the placeholders defined via code annotations by the Cloud Application Developer.

Actor: Cloud Application Developer
Description: The person that develops a cloud application by using the Unicorn-compliant code annotation libraries in order to run on a Unicorn-compliant (multi-) cloud execution environment.

Actor: Cloud Application Administrator
Description: The person responsible for deploying and managing the lifecycle of developed and Unicorn-compliant cloud applications. This person ensures the application runs reliably and efficiently while respecting the defined business or other incentives in the form of policies and constraints.

Actor: Cloud Application Tester
Description: The person responsible for the quality assurance and testing of a Cloud Application. The Cloud Application Tester performs deployment assembly validation (at business and technical level).

Actor: Cloud Application End User
Description: The person using the deployed Unicorn-compliant cloud application.

Actor: Unicorn Administrator
Description: The person responsible for managing and maintaining the Unicorn ecosystem, which includes infrastructure, various software and architectural components e.g. Core Context Model, code annotation libraries and Enablers interpreting and enforcing given policies and constraints.

Actor: Unicorn Developer
Description: The person that creates Unicorn related (software) components for compliant Cloud Providers and/or DevOps Engineers such as e.g. Monitoring Probes, code annotation libraries, services utilizing the Unicorn API

Actor: Cloud Provider
Description: Organization or service provider that provides cloud offerings in the form of programmable infrastructure according to a service-level agreement. The Cloud Provider is also responsible to operate the Cloud Execution Environments that will host entirely or partially Unicorn-compliant Cloud Applications.


Finally, we note that, as can be observed in Chapter 7, some of the Actors presented in the previous table may not be assigned to any functional requirements (e.g., Cloud Application End User); however, their existence contributes to a more complete description of the overall system.

5.3 Market positioning

Over the past years, the worldwide cloud market has evolved and is expected to enter a period of stabilisation with projections of growth of 18% in 2017 to total $246.8 billion, up from $209.2 billion in 2016, according to Gartner [100]. The highest growth will come from cloud system infrastructure services (IaaS), which is projected to grow 36.8% in 2017 to reach $34.6 billion, even if the IaaS cloud market has clear leaders in AWS and Microsoft as suggested by the Gartner’s magic quadrant for Cloud Infrastructure as a Service worldwide in 2016 [101]. The Cloud Application Infrastructure Services (PaaS) are also expected to increase from $8,851 million in 2017 to $14,798 million by 2020 while Cloud Management and Security Services follow a similar growth rate, from $8,768 million to $14,004 million, respectively [102]. According to KPMG, Platform-as-a-Service (PaaS) adoption is predicted to be the fastest-growing sector of cloud platforms, growing from 32% in 2017 to 56% adoption in 2020 [103]. The application container segment also reached a robust $762 million in 2016 and is forecast to grow at a 40% compound rate over the next four years to $2.7 billion [104], suggesting an impressive adoption growth for a technology that was only recently brought to the market.

In parallel, DevOps is a leading software engineering trend, representing the shift from traditional phased, large-scale delivery models to an agile, continuous delivery mind-set, enabled by better integrating development and operations teams within IT and employing more automated processes. The DevOps and Micro-service eco-system market is broadly expected to grow globally at a robust CAGR of 16% between 2017 and 2022, reaching $10 billion by 2021 [105]. In practice, though, coding and deploying reliable, loosely coupled, production-grade applications based on micro-services remains challenging and even frustrating for software teams who need to account for service discovery, load balancing, fault tolerance, end-to-end monitoring, dynamic routing for feature experimentation, compliance and security.

Today, a number of industrial players have hit the market with cloud developer solutions regarding Containers, Unikernels and Micro-services (or DevOps in a broader sense) as depicted in the following figure.


Figure 11: Unicorn Market Positioning

In brief, from the containers technology perspective, the open source Docker is practically leading the market and is often characterized as an “almost” de facto container standard (also evident in our interview process results) that has gained most public traction due to its simplicity and flexibility in allowing developers to wrap their software in a container that provides a completely predictable runtime environment. Other examples for container technologies are: CoreOS’ rkt (Rocket) or Cloud Foundry’s Garden / Warden. A recent survey conducted by Cloud Foundry [106] though listed significant container challenges like container management, monitoring and persistence storage that may hinder further market penetration while container persistence is in fact acknowledged as a barrier in advancing to stateful containers that are appropriate for production environments.

From the unikernel perspective, although the concept is quite old (since 1980’s), a number of ecosystem projects supporting the development and use of unikernels have emerged in the cloud computing age allowing for the creation of minimal, bespoke unikernel operating systems in many different ways for many different applications on many different hardware platforms. Some systems (like Rumprun) are language-agnostic, and provide a platform for any application code based on the requests it makes of the operating system while others (like MirageOS and HaLVM) leverage high-level languages and a runtime to provide an API for operating system functionality. OSv and the Xen hypervisor have gained significant attention yet they also impose certain limitations to applications aspiring for a unikernel compilation (e.g. no multiple processes on a single machine, work as single user, need for provision for internal diagnostics when it comes to debugging). Overall, the unikernel market remains in a rather embryonic status with most solutions still undergoing their experimental phases while it is expected to be affected by the future evolution of containers (e.g. Docker's acquisition of Unikernel Systems).

With regard to micro-services, although the discussion about micro-services architectures started in 2014, the actual widespread implementation was initiated by Netflix which open sourced plenty of frameworks for implementing micro-services [107]. In fact, the rise of containers and the broader acceptance of web protocols, such as HTTP, JSON and REST, has resulted in bringing back service orientation to contemporary application development and is driving the micro-services momentum. In May 2017, two significant industry-driven initiatives on the micro-services and DevOps world were announced: Istio, an open technology by Google, IBM and Lyft to streamline the management and security of micro-services through an integrated service mesh, and OpenShift.io, a free, online development environment by Red Hat optimized for creating cloud-native, container-based applications and automating the entire application pipeline enabling companies to become more DevOps driven and agile. In this context, it needs to be noted that the role of orchestrators, as well as of continuous integration / continuous delivery solutions, is also instrumental for effective micro-services management and deployment. Kubernetes, an open-source platform for automating deployment, scaling, and operations of application containers across clusters of hosts, providing a container-centric infrastructure, is acknowledged as a leader in container orchestration and management, followed by other platforms such as Docker Datacenter, Apache Mesos, and Cloud Foundry, that also run and orchestrate micro-services.

In more detail, in the following tables, 9 developer platforms (namely Docker, IncludeOS, Istio, linkerd, MirageOS, OpenShift.io, OSv, Rumprun, Rkt) have been selected, taking into account their relevance to Unicorn and the degree to which their features represent their category, and have been further analysed. Note: the information provided in the tables is based on the official documentation provided in each platform’s website and GitHub at the time period when this deliverable was written (May 2017).


Table 3: Market Players Analysis – Brief Overview

Platform: Docker [108]
Category: Containers
Short Description: Docker is a container platform, packaging an application and its dependencies in a virtual container in order to enable flexibility and portability on where the application can run, to build agile software delivery pipelines (allowing for shipping new features faster and more securely) and to manage apps side-by-side in isolated containers to get better compute density.
Supported Languages: All
Supported Platforms: Ubuntu, Debian, Red Hat Enterprise Linux, CentOS, Fedora, Oracle Linux, SUSE Linux Enterprise Server, Microsoft Windows Server 2016, Microsoft Windows 10, macOS, Microsoft Azure, Amazon Web Services

Platform: IncludeOS [109]
Category: Unikernels
Short Description: IncludeOS is an includable, minimal unikernel operating system for C++ services running in the cloud, providing a bootloader, standard libraries and the build- and deployment system on which to run services.
Supported Languages: C++
Supported Platforms: Linux, Microsoft Windows and Apple OS X

Platform: Istio [110]
Category: DevOps – Microservices
Short Description: Istio is an open platform to connect, manage, and secure microservices, providing an easy way to create a network of deployed services with load balancing, service-to-service authentication, and monitoring, without requiring any changes in service code.
Supported Languages: All for app development
Supported Platforms: Platform-independent but service deployment only on Kubernetes (v1.5 or greater) at the moment - other environments will be supported in future versions.

Platform: Linkerd [111]
Category: DevOps – Microservices
Short Description: Linkerd is a transparent proxy that adds service discovery, routing, failure handling, and visibility to modern software applications.
Supported Languages: All
Supported Platforms: All

Platform: MirageOS
Category: Unikernels
Short Description: MirageOS is a library operating system that constructs unikernels for secure, high-performance network applications across a variety of cloud computing and mobile platforms.
Supported Languages: Base unikernel language: OCaml
Supported Platforms: x86_64 or armel Linux host to compile Xen kernel. FreeBSD, OpenBSD or Mac OS X for the user level version.

Platform: OpenShift.io [112]
Category: DevOps - Microservices
Short Description: OpenShift.io is a Kubernetes-based container management platform that provides developers with the tools they need to build cloud-native, container-based apps, including team collaboration services, agile planning, developer workspace management, an IDE for coding and testing, as well as monitoring and continuous integration and delivery services.
Supported Languages: All
Supported Platforms: Linux

Platform: OSv
Category: Unikernels
Short Description: OSv is a new open-source operating system for virtual-machines from Cloudius Systems. OSv was designed from the ground up to execute a single application on top of a hypervisor, resulting in superior performance and effortless management.
Supported Languages: JVM languages (Java, JRuby, Scala, Groovy, Clojure, JavaScript), Ruby
Supported Platforms: Built on 64-bit x86 Linux distribution

Platform: Rumprun [113]
Category: Unikernels
Short Description: Rumprun is a production-ready unikernel that uses the drivers offered by rump kernels, adds a libc and an application environment on top, and provides a toolchain with which to build existing POSIX-y applications as Rumprun unikernels.
Supported Languages: C, C++, Erlang, Go, Java, Javascript (node.js), Python, Ruby and Rust.
Supported Platforms: hw/x86+x64 and Xen/x86+x64

Platform: Rkt [114]
Category: Containers
Short Description: CoreOS’ rkt is CLI for running application containers on Linux, designed to be secure, composable, and standards-based.
Supported Languages: All for app development - Command line environment for container construction (no custom DSL)
Supported Platforms: Linux


Table 4: Market Players Analysis – DevOps Support and Highlight Features

Platform; Development Continuous, Integration and Testing; Continuous Deployment & Packaging; Orchestration, Management & Monitoring; Security; Scalability & Elasticity Control; Add-ons

Docker
Complete developer toolkit for creating containerized apps (build, test and run multi-container apps).
Docker Compose for development, testing, and staging environments, as well as CI workflows.
Deploy in Docker Cloud, AWS, Azure, Digital Ocean, Packet, SoftLayer.
Universal packaging, portability to any machine running Docker.
Docker Compose for orchestration – also running Kubernetes, Mesos, Amazon ECS, Google Container Engine.
Docker Machine for provisioning and managing your Dockerized hosts.
Secure by default: Mutual TLS, certificate rotation, image signing and container isolation
Docker Swarm: manual scaling and built-in swarm clustering.
Software defined networking connects containers together, intelligently routes and load balances traffic.
Docker Store distributing free and paid images from various publishers.
A number of Docker certified plugins.

IncludeOS
Not addressed.
KVM, VirtualBox and VMWare support with full virtualization, using x86 hardware virtualization - Run on any x86 hardware platform.
Not addressed.
Increased security by default in unikernels.
Not supported.
-

Istio
Conversion of disparate microservices into an integrated service mesh.
Dynamic request routing for A/B testing.
Deployment of microservices without worrying about service discovery.
Provision for canary deployments.
Fine-grained control of traffic behaviour with rich routing rules, fault tolerance, and fault injection.
Policy changes are made by configuring the mesh.
Extended version of the Envoy proxy to mediate all inbound and outbound traffic for all services in the service mesh. Automatic zone-aware load balancing and failover for HTTP/1.1, HTTP/2, gRPC, and TCP traffic.
Traffic encryption, service-to-service authentication and strong identity assertions between services in a cluster based on policies.
Vulnerability checks of a network and detection of unusual patterns (caused by malware and bots).
A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
-


Mixer for enforcing access control and usage policies across the service mesh and collecting telemetry data from the Envoy proxy and other services.
Fleet-wide Visibility: Automatic metrics, logs and traces for all traffic within a cluster, including cluster ingress and egress.
Key and certificate distribution in Istio Auth is based on Kubernetes secrets.
No support for authorization at the moment.

linkerd
Not applicable.
linkerd runs as a separate standalone proxy: Applications typically use linkerd by running instances in known locations, and proxying calls through these instances—i.e., rather than connecting to destinations directly, services connect to their corresponding linkerd instances, and treat these instances as if they were the destination services.
A consistent, uniform layer of instrumentation and control across services: linkerd applies routing rules, communicates with existing service discovery mechanisms, balances request traffic using real-time performance, reducing tail latencies across the application, and provides dynamic, scoped, logical routing rules, enabling blue-green deployments, staging, canarying, failover.
Not applicable.
Handles tens of thousands of requests per second per instance with minimal latency overhead. Scales horizontally with ease.
-

MirageOS
Solo5 is the "base layer" to run and debug MirageOS unikernels.
All source code dependencies of the input application are explicitly tracked, including all the libraries required to implement kernel functionality.
Runs under Xen and KVM hypervisors, and lightweight hypervisors like BSD's bhyve.
Deploy in Amazon EC2 and Google Compute Engine.
Potential to specify a version or range of versions for a package dependency.
Support for logging only.
Increased security by default in unikernels.
Seamless scaling of data structures through Irmin, a library for designing Git-like distributed databases, with built-in branching, snapshotting, reverting and auditing capabilities.
Rresult is an OCaml module for handling computation results and errors in an explicit and declarative manner without resorting to exceptions

OpenShift.io
An online development environment for planning and developing hybrid cloud services with prioritizable backlogs and kanban boards as well as coding, editing, and debugging tools built on Eclipse Che.
Integrated and automated CI/CD pipelines.
Automatically create containerized development environments with the workspace management capabilities of Eclipse Che, and using OpenShift Online, a managed, multi-tenant offering of Red Hat OpenShift.
Integration of the Jenkins Pipeline plugins to allow developers to assemble their build pipeline. Pipeline definitions are written using a Groovy DSL.
OpenShift.io Analytics applies machine learning algorithms based on the usage pattern of components. The data is gathered from various public data sources such as GitHub, Maven and NPM along with our own internal OpenShift data.
Detection of vulnerable packages (indirectly through analytics).
Container Health Index that inspects and grades all of Red Hat’s own container products, as well as those from its ISV partners, to ensure they are secure and stable.
Not addressed
Red Hat OpenShift Application Runtimes, pre-built containerized runtime foundations for microservices that include support for Node.js, Eclipse Vert.x, WildFly Swarm and others.


Automatically create Linux container based environments without the need to install anything locally or deal with docker commands and Kubernetes configuration (or YAML) files.

OSv
Rapidly building and running an application on OSv through Capstan.
Runs under hypervisors: KVM and Xen (fully), VirtualBox and VMWare (experimental).
Deploy in Amazon EC2 (fully functional), Google Compute Engine (experimental).
Packaging and running an application on OSv through Capstan.
OSv REST API to simplify management.
In-browser dashboard providing live updates and including OS basics such as memory usage and CPU load, Tracepoints for all system and application functionality, JMX endpoints (using the Jolokia JMX-over-REST connector), Application-specific metrics, which can be added by the application developer
Increased security by default in unikernels.
Cloud-init mechanism providing per-instance configuration parameters to an OSv VM at boot time.
-

Rumprun
Rumprun does not build a toolchain, but creates wrappers around a toolchain the developer supplies.
Runs under hypervisors (KVM and Xen), and on bare metal.
Rumprun can be used with or without a POSIX'y interface.
Very limited monitoring through remote syslog.
Increased security by default in unikernels.
N.A.
-


Rump kernels essentially provide a driver kit providing easy-to-integrate drivers, with the set of drivers varying per driver kit and using the NetBSD anykernel architecture to provide unmodified NetBSD kernel drivers.

Rkt
A command line utility, acbuild, to build and modify container images, intended to provide an image build workflow independent of specific formats (currently it supports ACI, OCI).
Apply different configurations (like isolation parameters) at both pod-level and at the more granular per-application level.
Support for two kinds of pod (core execution unit of rkt) runtime environments: an immutable pod runtime environment, and a new, experimental mutable pod runtime environment.
Cluster orchestration and management through container orchestration engine Fleet (an open-source cluster scheduler designed to treat a group of machines as though they shared an init system), to be replaced by Kubernetes in January 2018.
rkt is developed with a principle of "secure-by-default", and includes a number of important security features like support for SELinux, TPM measurement, and running app containers in hardware-isolated VMs.
Not addressed.
-


Table 5: Market Players Analysis – Perspectives

Platform | Performance | Integration with 3rd party services | Community Adoption | Maturity | Pricing model | Comments

Docker | High [115], [116] (with Czipri noting that in certain experiments, Docker spent a lot less CPU time being nearly equivalent with bare-metal) | Extensible through open APIs, plugins and drivers | High – 40% market share growth from March 2016 until March 2017 [Source: Datadog] | Medium | Docker Community Edition: Free; Docker Enterprise Edition: from $750 per node per year | Significant learning curve. Differences on how it runs on different host machines. Complete and explanatory documentation.

IncludeOS | High (Extremely small disk- and memory footprint, Very fast boot time: <0.3 seconds according to benchmarks [117]) | N.A. | Low (41 contributors and 187 forks in GitHub repository as of May 29th, 2017) [Source: GitHub] | Low - v0.8 released in June 2016 | Open source under Apache 2.0 licence | Adequate documentation

Istio | Not officially assessed yet – Beta version planned to track performance testing, benchmark/comparison, performance regression [118] | Extending Envoy proxy from Lyft; Kubernetes; Calico - ongoing | Medium - Support of key industry players & strong community interest (22 contributors and 147 forks on GitHub repository as of June 14th, 2017) [Source: GitHub] | Low – v0.10 released in May 2017 | Open source under Apache 2.0 licence | Explanatory introduction and documentation

linkerd | Medium [119] | Docker-compose, DC/OS, Mesos, Kubernetes | Low (43 contributors and 198 forks on GitHub repository as of June 14th, 2017) [Source: GitHub] | Medium – v1.1.0 released in June 2017 | Open source under Apache 2.0 licence | Complete and explanatory documentation.

MirageOS | High [120], [121] | Modular OS libraries, which can be switched when needed. | Low (34 contributors and 122 forks on mirage/mirage GitHub repository as of May 29th, 2017) [Source: GitHub] | Medium – v3.0 released in February 2017 | Open source under ISC License (with some exceptions released under LGPLv2) | Adequate documentation.


OpenShift.io | Not officially assessed yet | fabric8, Jenkins, Eclipse Che, OpenJDK, PCP, WildFly Swarm, Eclipse Vert.x, Spring Boot, OpenShift, Kubernetes | Low (12 contributors and 23 forks on GitHub repository as of June 14th, 2017) [Source: GitHub] | Low – announced and launched in May 2017, developer preview available upon request | Open source (exact license not announced yet) | Minimal documentation at the moment.

OSv | High (A typical Capstan image is only 12-20MB larger than the application, and adds ~3 seconds to the build time, according to the official website and third-party evaluations conducted) | Jolokia JMX-via-JSON-REST connector, NewRelic | Low (87 contributors and 458 forks on GitHub as of May 29th, 2017) [Source: GitHub] | Low – currently on beta version | Open source, distributed under the 3-clause BSD license | -

Rumprun | High [122] | Work in progress. TravisCI integration for new releases. | Low (16 contributors and 75 forks on rumpkernel/rumprun GitHub repository as of May 29th, 2017) [Source: GitHub] | Low – still on experimental phase | Open source, distributed under a 2-clause BSD license | -


Rkt | Medium (especially when it comes to container startup time in comparison to Docker [123]) | init systems (like systemd, upstart). Kubernetes (via “rktnetes”), Nomad, Mesos, Mulled, Quay.io, SELinux, cAdvisor. Support for swappable execution engines. Natively run Docker images. | Medium (185 contributors and 699 forks on rkt/rkt GitHub repository as of May 29th, 2017) [Source: GitHub] | Medium | Open source under Apache 2.0 license | -


In a largely uncharted and rapidly evolving cloud landscape consisting of DevOps, Containers and Unikernels, Unicorn is positioned as a novel DevOps as a Service with a unique value proposition in simplifying the design, deployment and management of secure and elastic by design, multi-cloud services. In contrast to the existing platforms (that were analysed in the previous paragraphs and typically offer rather targeted solutions), Unicorn will address different DevOps phases, ranging from Development, Continuous Integration & Testing, and Continuous Deployment & Packaging, to Orchestration, Management & Monitoring in a solid and consistent manner. From the technology watch and market analysis initially conducted (and that will be ongoing throughout the project implementation), Istio and OpenShift.io are the platforms that are directly related to Unicorn; yet, taking into account that they were only very recently announced, they signify that Unicorn is attuned to the actual stakeholders’ needs in the rapidly growing cloud DevOps market.

In particular, with respect to micro-services, Unicorn will facilitate the DevOps teams within ICT SMEs (that represent the core target audience of Unicorn) in adopting the micro-service architectural paradigm by providing a unified web IDE for development, deployment and management of cloud applications. Going beyond the offerings of the existing platforms, Unicorn puts particular emphasis on security, scalability and elasticity control enabled through policy and constraint definition, as well as through continuous risk and vulnerability assessment, and complements its solution with advanced orchestration and monitoring capabilities. As far as the container and unikernel technologies for cloud application packaging and deployment are concerned, Unicorn will seek, in order to facilitate adoption, to support popular containerized execution environments (e.g., Docker, CoreOS) and to orchestrate containers/unikernels that will be able to host complex and resource intensive cloud applications in a minimal, yet persistent, manner for the DevOps team, based on the continuous efforts of the project to probe the EU ICT industry for the technologies truly dominating their interests and needs.


6 Requirement Analysis Scheme

This Chapter documents the key findings of the analysis performed on the results of the disseminated online survey and the personal interviews.

6.1 Interviewee Profile

Altogether 20 organisations operating in multiple and different fields participated in the interview process and are listed in Table 6. These organisations are primarily based in the European Union with the larger organisations (e.g., SAP, HP) also spanning their business operations across the globe. Figure 13 depicts the number of employees working in the IT department of each organisation. From this figure, we observe that most of the organisations interviewed identify themselves as Startups/SMEs and have less than 25 employees (65%) in their IT department, while 15% have a number of employees between 26 and 50. In turn, 15% of the interviewed organisations identify themselves as large organisations and feature more than 101 employees in their IT department. In order not to limit the target audience of Unicorn, the organisations interviewed were carefully selected so as to operate in multiple and different business domains and geographic regions, as shown in Table 6 and Figure 12.

Table 6: Organisations Participated in Interview Process

Organisation | Organisation Type | Interviewee Role | Country
CAS A.G. | Pilot | Management | Germany
Cocoon | Not Related to Unicorn | CTO | Cyprus
CRUK Institute | Not Related to Unicorn | Chief Architect | United Kingdom
CYTA | Not Related to Unicorn | System/Net Admin | Cyprus
FxPro | Not Related to Unicorn | CTO | United Kingdom (operates globally)
EduportalGR | Not Related to Unicorn | Chief Architect | Greece
Hopu | CINCUBATOR | CTO | Spain
HP-Cloud | Not Related to Unicorn | Programmer | US (operates globally)
Ideas2Life | Not Related to Unicorn | CTO | Cyprus
LockUp | CINCUBATOR | CTO | Spain
Nubedian A.G. | CyberForum | DevOps Engineer | Germany
PointRF | Not Related to Unicorn | Chief Architect | Israel (operates globally)
Proasistech | CINCUBATOR | Management | Spain
Redikod | Pilot | Programmer | Sweden/Scandinavia
SAP Innovation | Not Related to Unicorn | Programmer | Germany (operates globally)
Suite5 | Pilot | CTO | United Kingdom
Swiftflats | CINCUBATOR | Programmer | Spain
Tursofthealth | Not Related to Unicorn | Chief Architect | Turkey/Greece
Ubitech | Pilot | Programmer | Greece
Yellowmap A.G. | CyberForum | DevOps Engineer | Germany/Austria/Switzerland


Figure 12: Organisation Operating Business Domains as Identified by Interviewees

6.2 Unicorn Survey and Interview Study Key Findings

The following subsections document the key findings of the Unicorn survey and interview study.

Figure 13: Number of Employees in IT department

6.2.1 Unclear Distinction Between Software Programmer and DevOps Engineer in Startups

From the interview process, it was revealed that there is an unclear distinction between the role(s) of a Software Programmer and DevOps engineer, especially for organisations identifying themselves as Startups with less than 25 employees. In particular, programmers are (usually) tightly involved in the software delivery cycle, taking up management tasks such as designing security enforcement and monitoring policies, and (virtual) infrastructure provisioning and configuration. When asked, programmers identified security enforcement and elastic resource scaling as the main challenges they face due to lack of experience and time to learn related technologies and methodologies. These findings confirm the developer productivity reports from DZone (2017) and RebelLabs (2016).


Figure 14: Interviewee Role in Organisation

6.2.2 Programming Frameworks are Increasing Annotation-Based Programming Paradigm Adoption

The majority (80%) of the interview respondents mention that they have adopted annotation-based programming of some sort. When asked during the interview process, interviewees note that other than generating source code documentation, code annotations are widely used for source code project configuration, data and API modelling, logging, monitoring and testing. In particular, annotations are mostly used by the programmers of organisations that have adopted popular programming frameworks, such as Spring for Java (55%), Node.js for Javascript (25%) and Django for Python (25%). The popularity of the Spring framework confirms the RebelLabs (2017) development report, which emphasises micro-service framework adoption for Java.

Figure 15: Usage of Annotation-based Programming Paradigm by Interviewees


Figure 16: Popular Programming Frameworks Used by Interviewees

6.2.3 Collaboration Tools are now Industry Standard Practices while Continuous Integration and Delivery Tool Adoption is Facing Serious Challenges

Almost all interview respondents (95%) mention that the employees of their organisation use at least one collaboration tool. In particular, all positive respondents mention that a collaboration tool for source code version control is always used (mainly git), while more than 70% of software development teams also use at least one collaborative tool for communication (e.g., Slack, Skype) and task management (e.g., Pivotal tracking, Trello, Team).

Figure 17: Usage of Collaboration Tools Among Employees of Organisation

Based on the results of our survey, 60% of the respondents state that they are currently using continuous integration tools in their application development cycle. This number is slightly lower than the percentages in studies such as GitLab’s developer report (2016). Moreover, Apache Jenkins (55%) was noted as the most popular CI tool of choice, although almost one out of three respondents are currently not using any CI/CD tool. Interestingly, when personally questioned, these respondents usually state that lack of time (50%) and lack of skills (45%) are preventing them from fully adopting a CI/CD pipeline. On the other hand, respondents with experience in utilizing CI/CD tools mention that the most challenging aspects of fully embracing a CI/CD software delivery pipeline are the lack of a unified tool (55%) and extreme difficulties found in environment setup and, in particular, integrating in the cycle automated technologies (40%) such as resource scaling, runtime security enforcement and testing.

Figure 18: Popularity of CI/CD Frameworks Embraced by Surveyed Organisations

Figure 19: Challenges Preventing Full Adoption of CI/CD Pipeline

6.2.4 Cloud IDEs are Becoming Popular but for Large(r) Development Teams

Our survey highlights that the transition from traditional desktop IDEs to Cloud IDEs has already started. Particularly, 45% of our survey respondents state that they are currently using a Cloud IDE for cloud application development. We note that this number is rather high when compared to StackOverflow (2016, 2017) developer reports placing general adoption around 15%. However, we note that our survey targets cloud application development where Cloud IDEs prevail. Also, from the results of our survey it is revealed that the most popular Cloud IDEs are Eclipse Che (40%), SAP Hana (20%) and Cloud9 (15%). Moreover, when discussing with the interviewed IT professionals, it is revealed that organisations comprised of larger development teams (>11 IT employees) are more keen on adopting Cloud IDEs as they combine development with CI/CD tool integration for automation, collaboration, software delivery and communication, which are absolute necessities.

Figure 20: Cloud IDE Embracement by Interviewed Organisations

On the other hand, the majority of those not adopting a Cloud IDE for development state that they are happy using their desktop IDE (82%) and that they do not foresee transitioning to a Cloud IDE in the immediate future. Another notable percentage (30%) also reports that performance related issues prevent Cloud IDE adoption. The first claim was a particular discussion point with interviewees from organisations identified as Startups and comprised of small development teams. To better understand this, we asked about the software development process, where it was revealed that a single developer in such teams is usually in charge of the coding of an entire project, or developers are in charge of specific tasks (e.g., front-end, back-end) and integration of tasks happens at the end of a development cycle, thus limiting, at the moment, the need for a cloud IDE.

Figure 21: Popular reasons preventing Cloud IDE adoption from responders not using Cloud IDEs


6.2.5 Micro-service Architectural Approach is Becoming a Cloud Trend Especially in the IoT and SaaS domains

Micro-services are currently used in production by 40% of our respondents, while another 30% is currently experimenting for eventual production deployment. These numbers confirm DZone’s (2017) and Lightbend’s (2016) DevOps reports. Interestingly, organisations adopting micro-services in production have origins from the IoT and SaaS domains while the organisations experimenting originate from the business analytics and (location) recommendation services sector. Moreover, from the above organisations, the micro-service architectural pattern is used for data-serving (100%), business logic (83%) and the front-end (66%). On the other hand, only 10% of the interviewees mentioned that micro-services are not of interest with the responses coming from the telecom and educational business domain.

Figure 22: Micro-service Architecture Adoption by Interviewed Organisations

6.2.6 Containerized Solutions are Following Micro-service Adoption Trends

With the increase in the interest for micro-services architectural patterns, interviewed organisations also seem to be utilizing containerized solutions for application deployment with 20% of the respondents stating that currently they are running containerized applications in production, while another 35% is seriously planning and experimenting to ultimately use this technology in production. Similarly to micro-services, these numbers confirm DZone’s (2017) and Lightbend’s (2016) DevOps reports. Also, when questioned, only 36% of the respondents state that their entire application deployment is containerized. The rest (64%) reveal that containers are utilized only for the dynamic, scalable and stateless service part comprising their application deployment, thus adopting a mixture of (virtualized) solutions for their cloud execution environments.


Figure 23: Containerized Solution Adoption by Interviewed Organisations

Interestingly, it is acknowledged that the container domain introduces a number of challenges for developers. In particular, interviewees with experience in deploying containerized applications mention that the top challenges in the container domain include: performance and application monitoring (55%), service orchestration (50%), database access (45%), lack of experience (45%) and auto-scaling (40%). These challenges confirm studies from RightScale (2017) and DZone (2017), and are highly relevant to the Unicorn project. What is more, challenges related to reducing container security threats such as stripping containers of attack interfaces (35%), secure resource acquisition (30%), fast boot times (25%) and reducing image sizes (20%) are also relevant to the advancement of unikernels and consequently to the Unicorn project. Finally, it must be noted that almost all organisations (92%) have adopted, at some point, Docker as the containerized technology for their applications, with other preferred containerized solutions such as Kubernetes (33%) and Swarm (25%) also tightly coupled to Docker for cluster management when containers are deployed in production. Therefore, Docker is a technology that must be targeted by Unicorn for containerized cloud execution environments as its stakeholders, either large or small in size, identify Docker as their technology of choice.

Figure 24: Containerized Solution Adoption Challenges as Identified by Interviewed Organisations


Figure 25: Containerized Solutions that have been adopted by those using or considering containerization

6.2.7 Multi-Cloud Deployment Model Adoption and Challenges

Our survey is in line with Gartner’s Magic Quadrant (2016) reports which reveal that the top cloud provider is Amazon Web Services (AWS), followed by Microsoft Azure and OpenStack, which are the most prominent cloud solutions for private cloud infrastructural deployments. However, more interesting is that 25% of our survey respondents are currently following a multi-cloud deployment approach while another 25% is also experimenting and planning to do so. These numbers are significantly lower than reports from RightScale (2017) which put the percentage of organisations adopting hybrid-cloud over 70%. However, one must not forget that in the Startup eco-system, companies start small adopting one cloud provider and then experiment as they scale, and 20% of our respondents also state they are playing around with multi-cloud deployments. On the other hand, those who are not planning to adopt a multi-cloud approach state that this is due to significant security reasons for moving data across cloud regions or are happy with just using one cloud provider.

Figure 26: Multi-Cloud Deployment Model Adoption by Interviewee Organisations

Furthermore, by personally talking with interviewees to obtain user stories, we identified that different multi-cloud challenges arise based on the particular deployment strategy followed by each organisation. Thus, instead of simply compiling a list of challenges, we further investigated when and where each challenge is applicable. In particular, MC2 (one cloud provider multiple availability zones) is a popular multi-cloud deployment model². For organisations adopting a multi-cloud deployment model resembling MC2 (one cloud provider multiple availability zones), security reasons for moving data across cloud sites/regions and trust/compliance issues are of extreme concern. Organisations adopting the MC2 deployment model originate mainly from Germany and UK, and operate in the e-health or social assistance business domains, where such organisations are obligated to comply with strict data movement national laws preventing sensitive client data from being hosted outside national borders and for this reason inter-connected private cloud deployments are preferred.

Figure 27: Popular Cloud Providers

On the other hand, challenges related to portability, vendor lock-in and a lack of unified management tools are of extreme concern for organisations that adopt the popular MC3 and MC4 multi-cloud deployment models. In particular, these models mainly use multiple cloud providers to run their services, targeting load balancing and latency reduction when serving content to clients, and thus, these models are highly relevant to location/recommendation based services, SaaS cloud solutions and IoT applications.

² Multi-cloud deployment models are described in detail in Section 3.2


Figure 28: Multi-Cloud Adoption Challenges

6.2.8 Cloud Monitoring Adoption and Challenges

Monitoring is employed by all interviewed organisations with monitoring targeting various levels of the application lifecycle and execution environment. In particular, respondents usually stated that service availability (80%), API access (60%) and the underlying infrastructure (55%) are monitored by deploying either in-house or general-purpose monitoring tools. Interestingly, as the monitoring level becomes more specialized and moves closer to the client side (e.g., application behaviour, client interaction, transactions, etc.), organisations start to face challenges as monitoring tools must be extended, customized and tailored to the organisation monitoring needs.

Figure 29: Monitoring Level Targets as Responded by Interviewed Organisations

In general, multiple and different monitoring solutions are used. Interestingly, all respondents stated that they must resort to using more than one monitoring tool for their needs, with 70% dissatisfied by this fact. In particular, 65-70% of the respondents mention that they use mostly in-house developed monitoring tools and/or general purpose open-source tools. On the other hand, 40% claim to be using tools offered by the cloud provider, while 35% of the respondents mention that third-party monitoring-as-a-service tools (e.g., NewRelic, Datadog) are used for their monitoring needs.

Figure 30: Monitoring Tool Type Adoption by Interviewed Organisations

With regard to challenges, respondents state that the most prominent need arises from the lack of parameter tuning by monitoring tools to optimise performance, quality and cost (70%). In turn, as multiple monitoring tools must be used by organisations, integrating them in the execution environment or finding a monitoring tool that can be used at different and multiple levels is another prominent challenge/need stated by the interviewees (70%). Interestingly, 50% of the interviewees stated that accessing/processing historic monitoring data is another important challenge. Also, monitoring tool portability across cloud platforms (40%), as well as providing multi-cloud monitoring support (40%), are relevant to the project. On the other hand, accessing real-time monitoring data (25%) and plotting data (5%) seem to be covered by the offered tools and are not considered as current challenges in the monitoring domain.

Figure 31: Monitoring Challenges Faced by the Interviewed Organisations


6.2.9 Elastic Scaling Adoption and Challenges

The results of our survey show that most of our respondents (65%) do not currently use elastic scaling, which contradicts popular cloud surveys and reports from RightScale (2017) and Gartner (2016). However, the majority of the respondents of our survey are SMEs/Startups with services recently introduced to the public. Thus, although they are currently not using elastic scaling, almost all of these (95%) highlight that elasticity is needed, but certain challenges must be overcome first, with the most prominent being lack of experience of how elasticity works, followed by how to configure the auto-scaling process and how to budget constrain auto-scaling.

Figure 32: Elastic Scaling Adoption

In turn, those who are currently using elasticity for their application scaling originate from the IoT, SaaS cloud solutions and recommendation/location service offering business domains. Horizontal scaling is the most preferable way to scale resources for most of the respondents (71%), and is adopted mainly for load balancing. These organisations mostly adopt the tools provided by their cloud provider (71%), with the second preferred option being in-house developed tools (57%). This is an opposite picture from monitoring, where in-house and general-purpose monitoring tools are more preferred options than the tools offered by the cloud provider. The justification for this is that developing an auto-scaling tool is extremely challenging, and therefore organisations resort to using what is offered by the cloud provider even if this restricts deployment to a single provider.

Figure 33: Elastic Scaling Type


Interestingly, the most prominent challenge in elastic scaling for organisations is parameter tuning to optimize the performance, cost and quality of their services (65%), which is related to the second most challenging task, the lack of experience. Respondents that are currently using the tools provided by their Cloud provider, and even the ones that haven’t yet adopted elastic scaling, state that configuring the elasticity service for their application needs is a non-trivial task due to the insufficient knowledge they possess; therefore, the need for a simple but accurate elasticity control comes to the foreground.

Figure 34: Elasticity tools used by organizations that have adopted elastic scaling as part of their ALM

Another major challenge preventing companies from adopting elastic scaling is budget constraints (50%). When using elastic services offered by cloud providers, especially when they are not configured properly, the amount spent is significantly larger than the amount earned. Other challenges, mentioned by one third of the respondents, are elastic scaling across multiple cloud regions and providers and lack of a unified autoscaling environment. These challenges address the need for a unified autoscaling tool, able to orchestrate instances across multiple cloud sites, providers and regions.

Figure 35: Elastic Scaling Adoption Challenges


6.2.10 When is Security Considered in the Lifecycle of an Application

From the interview process, respondents’ answers to the question “when is security considered in the application lifecycle” reveal that there is no norm as to when security is taken into consideration. Particularly, 35% of the respondents state that security is considered at the requirement phase, 30% state at the programming phase, 25% at the design phase, while 10% mention that security is only considered after deploying the application and detecting where security is needed. At this point, any security issues are dealt with and a re-deployment is issued. These numbers confirm the study conducted by Veracode (2016), showing that there is no norm for when to integrate security. This is a highly relevant requirement to the project, as it cannot simply be assumed that security will always be considered at the requirement or design phase, and therefore integrating security or customizing security, even at development or runtime, when permitted, must be taken into consideration.

Figure 36: Stage of Application Lifecycle at which Security is Considered by Interviewed Organisations

6.2.11 Cloud Security Enforcement and Privacy Preservation Challenges

Respondents of our interview process state that the major challenges faced include: vulnerability detection (16/20), data movement compliance (15/20), information flow tracking (14/20) and privacy protection (13/20). These results are in line with the findings of Veracode (2016), showing that sensitive data exposure and runtime software vulnerability are the prime concern of most SMEs and Startups; therefore, they remain open challenges. These challenges are highly relevant to the requirements of the project, pointing out the need for a mechanism for data privacy enforcement and continuous vulnerability assessment. On the other hand, challenges such as web firewalling (15/20), SQL injection prevention (13/20), static code analysis (10/20), cross-site forgery/scripting (9/20) and authorization permission management (9/20) seem to be addressable by most of the interviewed stakeholders and are less relevant to the project.


Figure 37: Security Mechanisms Adopted by Interviewed Organisations (#1)

Figure 38: Security Mechanisms Adopted by Interviewed Organisations (#2)


Figure 39: Security Mechanisms Adopted by Interviewed Organisations (#3)


7 Unicorn System Requirements

In this Chapter we will elaborate on the system functional and non-functional requirements for the Unicorn platform and eco-system that are derived from the results of the requirement collection methodology described in Chapters 4 and 5.

7.1 Functional Requirements

Functional requirements represent the list of system properties that need to be implemented and finally supported within the context of the Unicorn ecosystem and platform. This includes all behavioural aspects of the system components after taking into consideration the identified roles of the Unicorn ecosystem, as documented in Section 5.2. These requirements are logically grouped per role. We have followed a consistent and structured way of representing the requirements which will allow us to further define the detailed reference architecture for the Unicorn platform in the forthcoming deliverable denoted as D1.2. In Section 10.1 of the Annex we provide a table listing all the identified Unicorn functional requirements, while the following listings elaborate on the description of each requirement. Table 7 provides an overview of the mapping of functional requirements to user roles. Finally, we note that to derive the functional requirements referring to security enforcement capabilities offered to Unicorn users, a threat analysis model (asset, threat, vulnerability, and countermeasure) is required. In order to reduce repetition, threat analysis for the particular security and privacy enforcement mechanisms offered by Unicorn will be introduced in the respective deliverable, denoted as D4.1.

ID: FR.1

Title: Develop cloud application based on code annotation design libraries and define runtime policies and constraints

User Roles: Cloud Application Developer

Description: The Unicorn platform must provide cloud application developers with design libraries to annotate the source code of their cloud application under development, for monitoring, resource management, security and data privacy policy and constraint enforcement point definition. Annotated policies, depending on the scope supported by the Unicorn platform, can be defined at various application granularity levels (e.g., entire application, particular service, code segment). Unicorn users must be able to use the annotated entities without any further modification in the business logic of the application under development. This practically means that policy and constraint enforcement is totally transparent to the developer and will take place in the cloud execution container. Hence, metadata annotations (e.g., monitoring) relate to respective Unicorn policy-enforcement enablers (e.g., handler collecting the annotated monitoring data) that will generate/transform source code at design time and/or be “synchronized” at runtime with the Core Context Model (FR.13) upon instantiation of the cloud execution environment.

ID: FR.2

Title: Securely register and manage cloud provider credentials

User Roles: Cloud Application Product Manager, Cloud Application Admin, Unicorn Developer

Description: The Unicorn platform must provide the means to support cloud provider credential management by offering secure management and storage of access credentials (e.g., user/password pairings, API access tokens) for Unicorn users. This practically means that users are not required to provide their credentials each time an application deployment is initiated or when a request/query for managing the application lifecycle is conducted (including re-deployment of an updated version of an application).

ID: FR.3

Title: Search interface for extracting underlying programmable cloud offerings and capability metadata descriptions

User Roles: Cloud Application Product Manager

Description: Unicorn must expose through its unified dashboard a search interface providing its users with the ability to browse for cloud offerings and cloud provider services capabilities, obtain intuitive metadata descriptions and filter the results to limit the returned result set(s). The search interface will be provided as a graphical alternative for users instead of using directly the Unicorn Unified API (FR.15).

ID: FR.4

Title: Creation of Unicorn-compliant cloud application deployment assembly

User Roles: Cloud Application Product Manager

Description: The Unicorn platform must provide its users with a standardized, transparent and infrastructure-agnostic process to create and feed the Unicorn platform with a deployment assembly for the application to be deployed. Unicorn adopts the notion of a directed service graph, where nodes represent the (micro-)services composing the cloud application and edges represent the relationship(s) and inter-dependencies between services. Nodes are described by a number of attributes denoting resource management parameters (e.g., requested memory, disk size, network interfaces), monitoring metrics to collect, cost constraints and elastic scaling policies. In turn, relationships and inter-dependencies denote the deployment order and restrictions limiting the security and data movement between services. As a number of the attributes and parameters describing nodes and edges are also available as code annotation policies (e.g., monitoring) at the application development phase (FR.1), these will be automatically translated and added to the service graph description by respective Unicorn enablers interpreting code annotations based on the Unicorn core context model without any additional user effort (FR.13, FR.14). However, the final deployment assembly bundling code artifacts, the standardized deployment description and deployment requests will be automatically created (no additional effort) only when the user packaging the application determines that the developed and described application is ready for deployment by the Unicorn platform.


ID: FR.5

Title: Cloud application deployment bootstrapping to a (multi-)cloud execution environment

User Roles: Cloud Application Admin, Cloud Provider, Unicorn Developer

Description: The Unicorn platform must provide its users with the means to deploy their compliant applications from the Unicorn graphical interface after users have developed their application using the provided design libraries (FR.1) and have created a deployment assembly (FR.4). Users should also be notified of the status of the deployment (success, failed) and, in the case of a failed deployment, the response should include a descriptive reasoning as to what problem occurred. The application deployment is the most critical process and includes a number of steps, defined below, that must be performed in order for the Unicorn-compliant application to be operational:

• Parse deployment assembly (FR.4)
• Verify validity of defined runtime policy and constraints and assure all annotations can be interpreted and handled by the respective Unicorn enablers (e.g., monitoring, security enforcement) (FR.6)
• Derive (near-)optimal application placement plan (FR.11)
• Based on placement plan, instantiate resources and services to establish an operational (multi-cloud) execution environment (FR.16)
• Instantiate required Unicorn runtime enablers to enforce runtime policies and constraints and verify operation status (FR.14)

As this process is critical and a deployment may be established only if all steps are successful, the entire bootstrapping process must be transactional.

ID: FR.6

Title: Deployment assembly integrity validation

User Roles: Cloud Application Tester, Unicorn Developer

Description: Before the reservation of underlying programmable infrastructure, the Unicorn platform should verify and validate the deployment assembly. This will be performed by Unicorn to detect potential problems such as unreachable edges in the service graph description due to antagonizing policies/constraints which could result in inaccessible nodes or optimization criteria, and circular dependencies which lead to a situation in which no valid evaluation order exists, because none of the policies in the cycle may be orderly evaluated (FR.4). This process, while not exhaustive, is an important aspect for Unicorn users and Unicorn component developers (FR.18), performed at the pre-deployment phase to detect if there is a problem preventing a successful deployment in order to reduce resource allocation costs of unsuccessful large and complex deployments.
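
The pre-deployment checks FR.6 describes can be sketched as follows. This is an added example, not Unicorn code: the assembly schema (`entry`, `calls`, `region`, `allowed_regions`) and all service names are assumptions made for illustration, with a data-movement constraint standing in for the "antagonizing policies" that make an edge unusable.

```python
from collections import deque

# Constructed sample assembly in a hypothetical schema (not Unicorn's format).
# "calls" are graph edges; "allowed_regions" limits where data may flow (None = any).
SAMPLE_ASSEMBLY = {
    "entry": ["gateway"],
    "services": {
        "gateway": {"region": "eu-de", "calls": ["patients", "billing"], "allowed_regions": None},
        "patients": {"region": "eu-de", "calls": ["analytics", "audit"], "allowed_regions": ["eu-de"]},
        "analytics": {"region": "us-east", "calls": [], "allowed_regions": None},
        "audit": {"region": "eu-de", "calls": [], "allowed_regions": ["eu-de"]},
        "billing": {"region": "eu-de", "calls": ["ledger"], "allowed_regions": None},
        "ledger": {"region": "eu-de", "calls": ["billing"], "allowed_regions": None},
    },
}


def blocked_edges(assembly):
    """Edges whose target region violates the source's data-movement constraint."""
    services = assembly["services"]
    blocked = []
    for src, svc in services.items():
        allowed = svc["allowed_regions"]
        for dst in svc["calls"]:
            if dst in services and allowed is not None and services[dst]["region"] not in allowed:
                blocked.append((src, dst))
    return sorted(blocked)


def unreachable_services(assembly):
    """Services no entry point can reach once blocked edges are removed."""
    services = assembly["services"]
    forbidden = set(blocked_edges(assembly))
    seen = {e for e in assembly["entry"] if e in services}
    queue = deque(sorted(seen))
    while queue:
        src = queue.popleft()
        for dst in services[src]["calls"]:
            if dst in services and (src, dst) not in forbidden and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(set(services) - seen)


def deployment_order(assembly):
    """Kahn's algorithm: a service is deployed after everything it calls.
    Returns (order, stuck); stuck services sit on a dependency cycle or
    depend on one, so no valid evaluation order exists for them."""
    services = assembly["services"]
    pending = {n: {t for t in s["calls"] if t in services} for n, s in services.items()}
    callers = {n: set() for n in services}
    for src, deps in pending.items():
        for dst in deps:
            callers[dst].add(src)
    ready = deque(sorted(n for n, deps in pending.items() if not deps))
    order = []
    while ready:
        node = ready.popleft()
        order.append(node)
        for caller in sorted(callers[node]):
            pending[caller].discard(node)
            if not pending[caller]:
                ready.append(caller)
    return order, sorted(set(services) - set(order))


def dependency_cycle(assembly):
    """Return one concrete cycle among the stuck services, or [] if none."""
    _, stuck = deployment_order(assembly)
    if not stuck:
        return []
    services, stuck_set = assembly["services"], set(stuck)
    path, node = [], stuck[0]
    while node not in path:
        path.append(node)
        # Every stuck service still calls at least one stuck service.
        node = min(t for t in services[node]["calls"] if t in stuck_set)
    return path[path.index(node):]


def validate(assembly):
    """Run every pre-deployment check and report all findings in one pass."""
    services = assembly["services"]
    order, stuck = deployment_order(assembly)
    report = {
        "undefined_targets": sorted((s, t) for s, v in services.items() for t in v["calls"] if t not in services),
        "blocked_edges": blocked_edges(assembly),
        "unreachable": unreachable_services(assembly),
        "cycle": dependency_cycle(assembly),
    }
    report["deployable"] = not any(report.values())
    report["order"] = order if not stuck else []
    return report


if __name__ == "__main__":
    print(validate(SAMPLE_ASSEMBLY))
```

Running the checks before any resource is reserved means the sample above is rejected for three independent reasons (a blocked edge, a service left unreachable by it, and a `billing`/`ledger` cycle) without incurring allocation cost.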


ID: FR.7

Title: Access application behavior and performance monitoring data

User Roles: Cloud Application Admin

Description: The Unicorn platform must provide its users with access to real-time and historical monitoring data via the Unicorn graphical user interface. The monitoring data per se (e.g., response time, service availability), the granularity level (e.g., entire application, service part) and the intrusiveness (e.g., periodicity) at which monitoring data is collected and logged throughout the entire lifespan of an application should be determined by the user via the provided deployment assembly compiled based on the user’s preferences and his/her annotated code (FR.1). Monitoring annotations must allow users to handle and define counters, timers, traffic interceptors and custom metric types to gather resource utilization, application feature behaviour and performance from single application (micro-)instances, as well as aggregated overviews of metrics across application service tiers and availability regions, in order to successfully assess the performance, scalability and security of their application seamlessly across multiple cloud offerings through one unified interface offered by Unicorn.

ID: FR.8

Title: Real-Time notification and alerting of security incidents and QoS guarantees

User Roles: Cloud Application Admin

Description: The Unicorn platform must have the ability to notify and alert its users, through the Unicorn graphical user interface, of events classified either by: (i) the platform’s security enforcement enablers, such as suspicious incidents (e.g., a vulnerability detected); or (ii) the monitoring enabler analytics process, such as events based on certain user-defined criteria (e.g., metric threshold violation). In turn, the Unicorn platform must detect QoS policy violations on provisioned services in operational cloud environments and also notify users about these violations in order for them to take them into consideration and, possibly, act upon them.

ID: FR.9

Title: Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms

User Roles: Cloud Application Admin, Cloud Provider

Description: Upon the initial placement of an application over a programmable infrastructure, possibly spanning across multiple cloud provider offerings, the Unicorn platform must provide the means to manage the operational environment in an autonomic manner. This includes real-time adaptation where the execution environment of an application may be reconfigured based on conditions and high-level policy constraints given by the user via the deployment assembly and extracted from the enabler interpreting elasticity code annotations. Therefore, adaptation can be triggered towards the fulfilment of the user optimization objectives and may regard scaling aspects (e.g., vertical/horizontal scaling), adaptation of the quality of provided services, and/or monitoring intrusiveness (e.g., adapt periodicity). In order to support such intelligent functionality, a set of distributed intelligent mechanisms must be designed and developed that will be based on various optimization strategies targeted by the interested users in order to optimize resource allocation across multi-cloud deployments for performance, cost, and data locality.

ID: FR.10

Title: Manage the runtime lifecycle of a deployed cloud application

User Roles: Cloud Application Admin, Unicorn Developer

Description: The Unicorn platform must provide its users with the ability to manage both the state and the runtime aspects of the application as driven by the Unicorn context model through the Unicorn graphical user interface. State refers to the responsibility of the Unicorn platform to handle requests for deployment, undeployment, start, pause, stop and migration of an application to a cloud offering, and to make sure that applications are always in a consistent state. To achieve this, the Unicorn platform must maintain an application lifecycle state transition graph, which describes the valid state transitions from one state to another and must incorporate asynchronous application state transitions for actions that require large time frames for completion (e.g., deployment, migration). On the other hand, runtime aspects refer to the Unicorn context model, where, after the application instantiation and during the smooth execution of an application, changes may be requested such as reconsidering a policy constraint (e.g., restricting data movement from one geographic region). In the case where such changes can be satisfied by the current deployment (thus redeployment is not required), then they must be reflected directly to the configuration of the Unicorn enablers handling the runtime context of the aforementioned application.

ID: FR.11

Title: Application placement over programmable cloud execution environments

User Roles: Cloud Application Developer, Cloud Application Product Manager, Cloud Application Admin, Unicorn Developer

Description: The Unicorn platform must support the placement of deployed applications over an available programmable infrastructure which may expand over multiple cloud provider offerings. Application placement may be defined either: (i) manually, by users in their deployment assembly (e.g., the user specifically defines the resource requirements and offerings to instantiate); or (ii) constraint-driven, where placement is realized at deployment time based on the high-level policy objectives given by the user (e.g., follow fairness placement taking into account cost budget, application geo-location, etc.). At this point, high-level user objectives must be translated to low-level primitives that can be realized through appropriate handling of the operational status of an application’s components by the orchestration mechanisms of the Unicorn platform to achieve (near-)optimal application placement. Upon the initial placement, real-time adaptation and reconfiguration of the execution environment should be supported. Therefore, adaptation can be triggered towards the fulfilment of the optimization objectives and may regard scaling aspects (e.g., vertical/horizontal scaling), adaptation of the quality of provided services, and/or monitoring intrusiveness (e.g., adapt periodicity).

ID: FR.12

Title: Register and manage cloud application owners

User Roles: Unicorn Admin

Description: The Unicorn Admin is responsible for approving and managing (e.g., modify, suspend, revoke access) the user registrations in the Unicorn platform (denoted as cloud application admins). Therefore, users must be registered to the Unicorn platform in order to obtain access to the artifacts maintained and distributed under Unicorn (e.g., design libraries) and the supported cloud platforms for application deployment.

ID: FR.13

Title: Manage core context model

User Roles: Unicorn Admin

Description: The Unicorn platform must design and maintain a multi-facet core context model that will be used by cloud application developers at design-time when annotating their code and at runtime during the user’s application context evaluation. The Context Model should be, by definition, extensible since it should allow explicit instantiations and, as a result, the business logic of various components should heavily rely on the Core Context Model. The creation, deletion and modification of the centralized Core Context Model, along with versioning (and version deprecation), will be undertaken by the Unicorn Admin.

ID: FR.14

Title: Register and Manage enablers interpreting Unicorn code annotations

User Roles: Unicorn Admin

Description: For the Unicorn platform, an enabler entails and conceptualizes the software components hosted by the Unicorn orchestration service and/or in the (multi-)cloud execution environment of deployed cloud applications, and is able to interpret the Unicorn core context model (FR.13). Indicative components include orchestration performing runtime context-evaluation upon deployment and the code annotation enablers which perform policy enforcement such as monitoring, auto-scaling, security enforcement and data privacy protection. These components should be updated when the context model is either extended or modified, since additional functional capabilities must always reflect the new version of the core context model. As a result, it is important that the enablers of the Unicorn platform are managed and maintained throughout their lifecycle, with the entity responsible for this task being the Unicorn Admin.

ID: FR.15

Title: Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments

User Roles: Cloud Application Product Manager, Unicorn Developer

Description: The Unicorn platform must expose an API that will provide a standardized, consistent and yet simplified view of the underlying cloud infrastructure of the provider environments supported by Unicorn, by means of standard information, offerings metadata and data models. This will allow authorized entities, including Unicorn sub-components (e.g., intelligent auto-scaling, application placement), to query the Unicorn-compliant cloud providers in a transparent and infrastructure-agnostic manner for provider-supported offerings and their metadata (e.g., supported container flavors, costs etc.) along with the capabilities supported (e.g., container memory resizing). One of the main concerns in this task is the level of granularity for the abstraction. On one hand, not all the details and characteristics of the resources are necessary for Unicorn. On the other hand, excessive abstraction prevents applications from over-provisioning unnecessary resources because of hidden resource granularity decomposition details.

ID: FR.16

Title: Resource and service (de-)reservation over multi-cloud execution environments

User Roles: Unicorn Developer

Description: The Unicorn platform must provide a standardized and consistent interface providing the means to (de-)reserve the appropriate resources and service offerings required for the (un-)deployment of the considered application, even across multi-cloud execution environments. This must include the setup and (de-)allocation of programmable infrastructural resources including, but not limited to, computational, storage and networking for the deployment of distributed applications in a scalable, dependable, secure and effective way over virtual environments spanning across cloud sites, availability zones and/or regions. In order to support multi-cloud deployments, the challenges of interacting and synchronizing resource advertisement and allocation from multiple and heterogeneous cloud offering platforms must be supported. This task will be undertaken by the Unicorn orchestrator and is tightly coupled with the Unicorn bootstrapping process described in FR.5.

ID: FR.17

Title: Development of code annotation libraries

User Roles: Unicorn Developer

Description: The development, maintenance and modification of design libraries provided to Unicorn cloud application developers for annotating their code with monitoring, resource management, security and data privacy enforcement policies and constraints is a task that will be undertaken by Unicorn developers. This requirement relates to developing respective metadata code annotations (e.g., for defining monitoring) and providing the means of handling code annotation interpretation and “synchronization” of the application business logic with the Core Context Model (FR.13).

ID: FR.18

Title: Development of enablers interpreting Unicorn code annotations

User Roles: Unicorn Developer

Description: For the Unicorn platform, the Core Context Model entails design-time usage through code annotations by cloud application developers and runtime usage. In particular, runtime usage refers to the various components whose business logic relies on the model. Indicative components include orchestration performing runtime context-evaluation upon deployment and the code annotation enablers which perform policy enforcement such as monitoring, auto-scaling, security enforcement and data privacy protection.

ID: FR.19

Title: Register and manage programmable infrastructure and service offerings

User Roles: Cloud Provider

Description: The available infrastructural resource and service offerings of a cloud provider have to be registered to the Unicorn platform, which will advertise and make them available through a unified resource management API (FR.15). To achieve this, the Unicorn platform must provide a “standardized” interface in which cloud offerings are registered and made available to the platform in order to ease cloud provider on-boarding as well as updating and managing offerings and their metadata from the provider-side. The notion of “programmability” must be served to show the granularity at which resources will be advertised so as to allow the creation of proper cloud execution environments: provide preferences for the infrastructure the code runs on (e.g., virtual hardware like servers, storage and networking) and its configuration including additional provider services (e.g., customized storage solutions).

ID: FR.20

Title: Monitor cloud offering allocation and consumption

User Roles: Cloud Provider

Description: Advertised infrastructural resource and service offerings deployed through Unicorn must be monitored at runtime in order to offer cloud providers intuitive and high-level insights into the current utilization of cloud offerings allocated and consumed by Unicorn users.

ID: FR.21

Title: QoS advertising and management

User Roles: Cloud Provider

Description: Cloud execution environments offer different QoS capabilities and guarantees for their provided offerings, whether these refer to raw access to programmable resources such as compute memory, storage and network resources or to bundled application execution containers, while guarantees are also available for quota management, (prioritized) resource reservation, traffic shaping and more. As QoS guarantees play an important role in multi-cloud environment application placement (FR.11) and runtime adaptation decision-making (FR.9), which favor cloud providers based on advertised QoS parameters, providers should be provided with the means to alter and manage the QoS guarantees for the cloud offering advertised through the Unicorn platform.

ID: FR.22

Title: Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones

User Roles: Cloud Application Developer, Cloud Application Admin, Unicorn Developer

Description: The Unicorn platform must provide the means to allow its users to define at various application granularity levels (e.g., entire application, service tier, data object) privacy preserving policies which restrict access to exposed user data (e.g., entire database, database table, password, SSN, etc.) by describing associations between types of access rules depending on the data objects and circumstances under which this access should be allowed. The context-aware security model (FR.13) will be used as the background method for annotating data access objects (DAO), thus allowing for the dynamic enforcement of policy rules when there are new data access attempts in order to encrypt data, protect against sensitive data exposure and restrict movement of data to cloud sites, availability zones or particular geo-location zones (e.g., outside the EU) based on the defined user constraints. Therefore, during application runtime, the privacy preserving enabler must be able to interpret annotated code based on the mapping of the application business logic to the Core Context Model, provide the essential decoupling between the access decisions and the points of use, and finally grant, deny and manage any incoming data access requests.
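
An added illustration of the decoupling FR.22 asks for, not Unicorn's API: a Python decorator stands in for the code annotation, and the `Rule`, `Request`, `PolicyDecisionPoint` and `data_access` names, the region labels and the sample row are all hypothetical. Encryption of stored data is out of scope here; the example covers the grant/deny decision and the data-movement restriction.

```python
import functools
from dataclasses import dataclass

EU_REGIONS = frozenset({"eu-de", "eu-ie", "eu-fr"})  # constructed zone list


class AccessDenied(PermissionError):
    """Raised at the point of use when the decision point denies a request."""


@dataclass(frozen=True)
class Rule:
    """Associates a data object and access type with the circumstances
    (caller role, region the data would move to) under which it is allowed."""
    data_object: str      # "patients.ssn" (field), "patients.*" (table) or "*"
    access: str           # "read" or "write"
    roles: frozenset
    regions: frozenset


@dataclass(frozen=True)
class Request:
    role: str
    region: str           # region the requester runs in, i.e. where data ends up


class PolicyDecisionPoint:
    """Holds the rules and makes every decision; DAO code never sees them."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []   # one (object, access, role, region, granted) per decision

    def decide(self, data_object, access, request):
        """Default deny. The most specific scope that has any rule for this
        access type decides alone, so a field rule can tighten a table rule."""
        table = data_object.split(".", 1)[0]
        granted = False
        for scope in (data_object, table + ".*", "*"):
            scoped = [r for r in self.rules if r.data_object == scope and r.access == access]
            if scoped:
                granted = any(request.role in r.roles and request.region in r.regions
                              for r in scoped)
                break
        self.audit.append((data_object, access, request.role, request.region, granted))
        return granted


def data_access(pdp, data_object, access):
    """Annotation for DAO methods: enforcement wraps the method, so the
    method body carries no policy logic."""
    def wrap(method):
        @functools.wraps(method)
        def guarded(self, request, *args, **kwargs):
            if not pdp.decide(data_object, access, request):
                raise AccessDenied(f"{access} {data_object}: {request.role}@{request.region}")
            return method(self, request, *args, **kwargs)
        return guarded
    return wrap


PDP = PolicyDecisionPoint([
    Rule("patients.*", "read", frozenset({"clinician", "analyst"}), EU_REGIONS),
    Rule("patients.ssn", "read", frozenset({"clinician"}), frozenset({"eu-de"})),
])


class PatientDAO:
    """Constructed DAO with one constructed row."""
    _rows = {7: {"name": "constructed-name", "ssn": "constructed-ssn"}}

    @data_access(PDP, "patients.name", "read")
    def name(self, request, patient_id):
        return self._rows[patient_id]["name"]

    @data_access(PDP, "patients.ssn", "read")
    def ssn(self, request, patient_id):
        return self._rows[patient_id]["ssn"]


def attempt(dao_method, role, region, patient_id=7):
    """Return the value on grant and None on deny."""
    try:
        return dao_method(Request(role, region), patient_id)
    except AccessDenied:
        return None


if __name__ == "__main__":
    dao = PatientDAO()
    for method, role, region in [(dao.name, "analyst", "eu-ie"), (dao.ssn, "analyst", "eu-ie"),
                                 (dao.ssn, "clinician", "eu-de"), (dao.name, "clinician", "us-east")]:
        print(method.__name__, role, region, "->", attempt(method, role, region))
```

The field-level rule on `patients.ssn` overrides the broader table rule, and every decision, granted or denied, lands in `PDP.audit` for later review.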

ID FR.23

Title Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behavior

User Roles Cloud Application Admin, Cloud Provider

Description The Unicorn platform must provide its users with mechanisms capable of ensuring, at any time, that the traffic exchanged with the cloud will not harm the (multi-cloud) application execution environment while preserving the privacy of the data exposed and managed by the application (FR.22). To achieve this, an IDS (Intrusion Detection System) will be implemented at the cloud execution environment level, where adaptive network and information flow monitoring will be established at runtime to detect any in-bound or out-bound exfiltration of information based on well-known communication channels and information flow patterns observed through the usage of anomaly detection and pattern recognition algorithms. As deployments of (micro-)execution containers may be restrictive in the means of resources, the IDS will adapt the process for information flow tracking to restrict its runtime intrusiveness based on low-cost approximate and adaptive monitoring techniques, while offline processing will be boosted performance-wise by encompassing GPU-accelerated techniques.

ID FR.24

Title Automated application source code and underlying cloud resource offering vulnerability assessment, measurement and policy compliance evaluation

User Roles Cloud Application Admin, Cloud Provider

Description The Unicorn platform will provide its users with the mechanisms to ensure that their (multi-)cloud application execution environment behaves, at runtime, as intended, and that the security-enforcement and privacy preserving policies and data access rules are not violated. To achieve this, Unicorn will provide the means for the runtime assessment of the application execution environment against known vulnerabilities by performing security and benchmark tests to detect potential security threats and privacy breaches. The level of intrusiveness of the testing performed by the Unicorn platform will be configurable by users. After testing, the Unicorn platform will report any suspicious activity and the measured risk exposure level to the application administrator (FR.8) in order to immediately take action and prevent sensitive data leakage and privacy breaches.


Table 7: Functional Requirements Relation to User Role

User Role / Functional Requirements

Cloud Application Developer
FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.11 Application placement over programmable cloud execution environments
FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones
FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behavior

Cloud Application Product Manager
FR.2 Securely register and manage cloud provider credentials
FR.3 Search interface for extracting underlying programmable cloud execution environment cloud offering and capability metadata descriptions
FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.11 Application placement over programmable cloud execution environments

Cloud Application Tester
FR.6 Deployment assembly integrity validation

Cloud Application Admin
FR.2 Securely register and manage cloud provider credentials
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.7 Access application behavior and performance monitoring data
FR.8 Real-Time notification and alerting of security incidents and QoS guarantees
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.10 Manage the runtime lifecycle of a deployed cloud application
FR.11 Application placement over programmable cloud execution environments
FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones
FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behavior


FR.24 Automated application source code and underlying cloud resource offering vulnerability assessment, measurement and policy compliance evaluation

Unicorn Admin
FR.12 Register and manage cloud application owners
FR.13 Manage core context model
FR.14 Register and Manage enablers interpreting Unicorn code annotations

Unicorn Developer
FR.2 Securely register and manage cloud provider credentials
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.6 Deployment assembly integrity validation
FR.10 Manage the runtime lifecycle of a deployed cloud application
FR.11 Application placement over programmable cloud execution environments
FR.15 Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments
FR.16 Resource and service (de-)reservation over multi-cloud execution environments
FR.17 Development of code annotation libraries
FR.18 Development of enablers interpreting Unicorn code annotations
FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones

Cloud Provider
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.19 Register and manage programmable infrastructure and service offerings
FR.20 Monitor cloud offering allocation and consumption
FR.21 QoS advertising and management
FR.24 Automated application source code and underlying cloud resource offering vulnerability assessment, measurement and policy compliance evaluation


7.2 Non-Functional Requirements

Non-functional requirements relate to the desired quality aspects that should be satisfied by the architectural components of the Unicorn eco-system that, in turn, must satisfy the functional requirements previously introduced. To this end, the ISO/IEC 25010:2011 software quality assurance model, widely accepted by the software and research community, was selected to create a shared conceptualization of the non-technical attributes [124]. The fundamental objective of the ISO/IEC 25010:2011 standard³ is to address some of the well-known human biases that can adversely affect the delivery and perception of a software development project, while it also determines which quality characteristics will be taken into account when evaluating the properties of a software product. The ISO/IEC 25010:2011 quality model classifies software quality in a structured set of characteristics and sub-characteristics, as follows:

• Functional suitability: It refers to a set of attributes that bear on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Indicative sub-characteristics include: software functional completeness and functional correctness.

• Reliability: It refers to a set of attributes that bear on the capability of software to maintain its level of performance under stated conditions for a stated period of time. Indicative sub-characteristics include: software maturity, fault tolerance, recoverability and reliability compliance.

• Usability: It refers to a set of attributes that bear on the effort needed for use, and on the individual assessment of such use, by a stated or implied set of users. Indicative sub-characteristics include: understandability, learnability, operability, attractiveness and usability compliance.

• Efficiency: It refers to a set of attributes that bear on the relationship between the level of performance of the software and the amount of resources used, under stated conditions. Indicative sub-characteristics include: time behaviour, resource utilization, latency, service availability and efficiency compliance.

• Maintainability: It refers to a set of attributes that bear on the effort needed to make specified modifications. Indicative sub-characteristics include: analyzability, changeability, stability, testability and maintainability compliance.

• Portability: It refers to a set of attributes that bear on the ability of software to be transferred from one environment to another. Indicative sub-characteristics include: adaptability, installability, co-existence with other software, replaceability and portability compliance.

• Security: It refers to a set of attributes that define the degree to which a product or system protects information and data so that persons or other products or systems have the degree of data access appropriate to their types and levels of authorization.

• Compatibility: It refers to a set of attributes that define the degree to which a product, system or component can exchange information with other products, systems or components, and/or perform its required functions, while sharing the same hardware or software environment.

Each quality sub-characteristic (e.g. adaptability) is further divided into attributes. An attribute is an entity which can be verified or measured in the software product. Attributes are not defined in the standard, as they vary between different software products. An overview of the aforementioned characteristics is provided in the following figure.

³ Note that ISO/IEC 25010 has replaced ISO/IEC 9126


Figure 40: Non-Technical Quality Aspects as Organised by ISO/IEC 25010:2011

After the selection of the quality model, the next step is to examine which attributes are related to the Unicorn eco-system and how they map to functional requirements. In the enumerated listings that follow, we make a concrete mapping between the core quality model attributes and the functional requirements that they correlate to. In parallel, for each non-functional requirement, a brief description of the Unicorn eco-system relevant characteristics is also provided.

NR.1 Functional Suitability

Description This characteristic represents the degree to which a product or system provides functions that meet stated and implied needs when used under specified conditions. This characteristic is composed of the following sub-characteristics:

• Functional completeness. Degree to which the set of functions covers all the specified tasks and user objectives.

• Functional correctness. Degree to which a product or system provides the correct results with the needed degree of precision.

• Functional appropriateness. Degree to which the functions facilitate the accomplishment of specified tasks and objectives.

Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.13 Manage core context model
FR.14 Register and Manage enablers interpreting Unicorn code annotations


FR.15 Unified API for abstraction and searching of resources and capabilities of underlying programmable cloud execution environments
FR.17 Development of code annotation libraries
FR.18 Development of enablers interpreting Unicorn code annotations
FR.21 QoS advertising and management

NR.2 Performance Efficiency

Description This characteristic represents the performance relative to the amount of resources used under stated conditions. This characteristic is composed of the following sub-characteristics:

• Time behaviour. Degree to which the response and processing times and throughput rates of a product or system, when performing its functions, meet requirements.

• Resource utilization. Degree to which the amounts and types of resources used by a product or system, when performing its functions, meet requirements.

• Capacity. Degree to which the maximum limits of a product or system parameter meet requirements.

Performance under the context of UNICORN refers to the ability of the system to support collaborative development, allowing multiple users to access the system at the same time. Also, for UNICORN to be efficient, the users need to know at any time what the resource utilization of the system is. It should also provide fast encryption/decryption times between services that communicate and it should provide the ability to effectively use hardware resources of any type (e.g., GPUs) for complex and resource demanding tasks such as performing intense analysis on information flow data in order to detect potential malicious behaviours.

Functional Requirements

FR.7 Access application behavior and performance monitoring data
FR.8 Real-Time notification and alerting of security incidents and QoS guarantees
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.11 Application placement over programmable cloud execution environments
FR.16 Resource and service (de-)reservation over multi-cloud execution environments
FR.19 Register and manage programmable infrastructure and service offerings
FR.20 Monitor cloud offering allocation and consumption


FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behavior

NR.3 Compatibility

Description Degree to which a product, system or component can exchange information with other products, systems or components, and/or perform its required functions, while sharing the same hardware or software environment. This characteristic is composed of the following sub-characteristics:

• Co-existence. Degree to which a product can perform its required functions efficiently while sharing a common environment and resources with other products, without detrimental impact on any other product.

• Interoperability. Degree to which two or more systems, products or components can exchange information and use the information that has been exchanged.

The UNICORN run-time components should be, architectural-wise and implementation-wise, close to the industry. For this reason UNICORN will provide support to a number of commonly used standards, standard syntax, APIs, widely available tools, technologies, methodologies and best practices. The system should support abstractions which will hide from developers and their applications details regarding the system and application infrastructure. UNICORN will also support uniform service descriptions such as SLA offerings with clear policies and guidelines.

Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.2 Securely register and manage cloud provider credentials
FR.3 Search interface for extracting underlying programmable cloud offerings and capability metadata descriptions
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.7 Access application behavior and performance monitoring data
FR.8 Real-Time notification and alerting of security incidents and QoS guarantees
FR.11 Application placement over programmable cloud execution environments
FR.15 Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments


FR.18 Development of enablers interpreting Unicorn code annotations
FR.19 Register and manage programmable infrastructure and service offerings
FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones
FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behaviour

NR.4 Usability

Description Degree to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use. This characteristic is composed of the following sub-characteristics:

• Appropriateness recognizability. Degree to which users can recognize whether a product or system is appropriate for their needs.

• Learnability. Degree to which a product or system can be used by specified users to achieve specified goals of learning to use the product or system with effectiveness, efficiency, freedom from risk and satisfaction in a specified context of use.

• Operability. Degree to which a product or system has attributes that make it easy to operate and control.

• User error protection. Degree to which a system protects users against making errors.

• User interface aesthetics. Degree to which a user interface enables pleasing and satisfying interaction for the user.

• Accessibility. Degree to which a product or system can be used by people with the widest range of characteristics and capabilities to achieve a specified goal in a specified context of use.

Taking into consideration all the above characteristics of usability, the UNICORN platform will support automatic and seamless deployment, making it very easy to use and learn. The development platform and tools will be hosted on the cloud and will be accessible through a web browser. UNICORN will have all the content and user interface organized logically and it will provide a presentation interface (e.g., menu and navigation, reporting, user controls etc.).

Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.2 Securely register and manage cloud provider credentials


FR.3 Search interface for extracting underlying programmable cloud offerings and capability metadata descriptions
FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.7 Access application behaviour and performance monitoring data
FR.8 Real-Time notification and alerting of security incidents and QoS guarantees
FR.10 Manage the runtime lifecycle of a deployed cloud application
FR.12 Register and manage cloud application owners
FR.15 Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments
FR.16 Resource and service (de-)reservation over multi-cloud execution environments
FR.19 Register and manage programmable infrastructure and service offerings
FR.20 Monitor resource and service consumption
FR.21 QoS advertising and management

NR.5 Reliability

Description Degree to which a system, product or component performs specified functions under specified conditions for a specified period of time. This characteristic is composed of the following sub-characteristics:

• Maturity. Degree to which a system, product or component meets needs for reliability under normal operation.

• Availability. Degree to which a system, product or component is operational and accessible when required for use.

• Fault tolerance. Degree to which a system, product or component operates as intended despite the presence of hardware or software faults.

• Recoverability. Degree to which, in the event of an interruption or a failure, a product or system can recover the data directly affected and re-establish the desired state of the system.


Within the context of UNICORN, specific mechanisms will be architecturally defined and implemented that guarantee that any application can be securely deployed.

Functional Requirements

FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.6 Deployment assembly integrity validation
FR.8 Real-Time notification and alerting of security incidents and QoS guarantees
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.11 Application placement over programmable cloud execution environments
FR.13 Manage core context model
FR.14 Register and Manage enablers interpreting Unicorn code annotations
FR.15 Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments
FR.21 QoS advertising and management

NR.6 Security

Description The degree to which a product or system protects information and data so that persons or other products or systems have the degree of data access appropriate to their types and levels of authorization. This characteristic is composed of the following sub-characteristics:

• Confidentiality. Degree to which a product or system ensures that data are accessible only to those authorized to have access.

• Integrity. Degree to which a system, product or component prevents unauthorized access to, or modification of, computer programs or data.

• Non-repudiation. Degree to which actions or events can be proven to have taken place, so that the events or actions cannot be repudiated later.

• Accountability. Degree to which the actions of an entity can be traced uniquely to the entity.

• Authenticity. Degree to which the identity of a subject or resource can be proved to be the one claimed.


One of the major focal points of UNICORN is to be able to provide to SMEs security features for their cloud applications. For that reason UNICORN will incorporate a user authentication and authorization system along with the ability to securely store and manage various user credentials and cloud access tokens. UNICORN will provide a secure end-to-end encrypted communication channel between the various components of a cloud deployment and the ability for DevOps teams to secure application data according to various policies and regulations.

Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.2 Securely register and manage cloud provider credentials
FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.6 Deployment assembly integrity validation
FR.8 Real-Time notification and alerting of security incidents and QoS guarantees
FR.12 Register and manage cloud application owners
FR.13 Manage core context model
FR.21 QoS advertising and management
FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones
FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behaviour
FR.24 Automated application source code and underlying cloud resource offering vulnerability assessment, measurement and policy compliance evaluation

NR.7 Maintainability

Description This characteristic represents the degree of effectiveness and efficiency with which a product or system can be modified to improve it, correct it or adapt it to changes in environment, and in requirements. This characteristic is composed of the following sub-characteristics:

• Modularity. Degree to which a system or computer program is composed of discrete components such that a change to one component has minimal impact on other components.


• Reusability. Degree to which an asset can be used in more than one system, or in building other assets.

• Analysability. Degree of effectiveness and efficiency with which it is possible to assess the impact on a product or system of an intended change to one or more of its parts, or to diagnose a product for deficiencies or causes of failures, or to identify parts to be modified.

• Modifiability. Degree to which a product or system can be effectively and efficiently modified without introducing defects or degrading existing product quality.

• Testability. Degree of effectiveness and efficiency with which test criteria can be established for a system, product or component and tests can be performed to determine whether those criteria have been met.

In order for UNICORN to be easily maintained, all the annotation libraries, the Core Context Model, and the Cloud Application Enablers that will perform runtime policy enforcement should incorporate the above mentioned features.

Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.2 Securely register and manage cloud provider credentials
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.10 Manage the runtime lifecycle of a deployed cloud application
FR.12 Register and manage cloud application owners
FR.13 Manage core context model
FR.14 Register and Manage enablers interpreting Unicorn code annotations
FR.17 Development of code annotation libraries
FR.18 Development of enablers interpreting Unicorn code annotations
FR.19 Register and manage programmable infrastructure and service offerings
FR.20 Monitor cloud offering allocation and consumption

NR.8 Portability


Description Degree of effectiveness and efficiency with which a system, product or component can be transferred from one hardware, software or other operational or usage environment to another. This characteristic is composed of the following sub-characteristics:

• Adaptability. Degree to which a product or system can effectively and efficiently be adapted for different or evolving hardware, software or other operational or usage environments.

• Installability. Degree of effectiveness and efficiency with which a product or system can be successfully installed and/or uninstalled in a specified environment.

• Replaceability. Degree to which a product can replace another specified software product for the same purpose in the same environment.

One of the most important requirements under the context of UNICORN is the requirement of Portability. This requirement relates to the UNICORN Compliant Cloud Applications that should be interoperable and functional in multiple operational environments (multi-cloud environments). To this end, UNICORN relies on the adoption of various commonly used standards (e.g., OASIS TOSCA⁴) which are infrastructure and environment agnostic.

Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.11 Application placement over programmable cloud execution environments
FR.13 Manage core context model
FR.14 Register and Manage enablers interpreting Unicorn code annotations
FR.15 Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments
FR.16 Resource and service (de-)reservation over multi-cloud execution environments
FR.17 Development of code annotation libraries
FR.18 Development of enablers interpreting Unicorn code annotations
FR.19 Register and manage programmable infrastructure and service offerings
FR.21 QoS advertising and management

⁴ https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=tosca


FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones
FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behavior


8 Conclusions

This final section of the current deliverable (D1.1) will be used as a synopsis of the content presented in the document, which was the outcome of a carefully designed methodology and research upon industrial and academic data collected during the initial project implementation activities. In the requirements analysis phase, which this deliverable (D1.1) is part of, a logical process has been followed, using the agile methodology in order to identify the Unicorn stakeholders and target audience, derive a complete set of Unicorn Actors and define the Unicorn system requirements. The steps of this process involved active contribution by all partners and the results of this analysis provide the pillars on which the technical and research work that will follow (D1.2 Unicorn reference architecture) will be based.

The first step of this process was to identify the main Unicorn stakeholders and the target audience. Chapter 5 of this deliverable (D1.1) gives the full picture of those whom the final result of the Unicorn project targets. Moreover, by analysing the current state of the industry, the market gaps that the Unicorn project will contribute to have been identified. Another contribution of D1.1 was the definition of common terminology/glossary presented in Chapter 3 that will be used as a reference guide across all future deliverables and interaction with Unicorn stakeholders. The final outcome of the first step of the methodology was the identification of the user roles for the Unicorn eco-system. Some of the user role responsibilities may overlap among users of the platform, which may cause misinterpretations; however, as the analysis of the interview results suggests in the next step, in DevOps teams the line between roles in the engineering team is often quite blurred (e.g., a Cloud Application Developer may also be in charge of Testing or the Application Administrator may also be a Developer).

The next step of the logical process was the development of the interview questionnaire for potential Unicorn target users and the analysis of the responses, which produced results that were in accordance with all major industry surveys of the field. The analysis of the responses contributed to deciding and clarifying a set of functional and non-functional system requirements that can be assigned to the identified user roles (Chapter 7). In addition, the interview results have highlighted the main obstacles and difficulties that IT workers in SMEs are currently facing in the cloud environment, such as lack of unified tools for monitoring and elasticity, the deployment of applications over multi-cloud environments and cloud cluster management. Another interesting finding from the interview process was the prioritization and ranking of the various security threats and privacy issues that SMEs are facing. This ranking of the security and privacy threats contributed to deciding the core security functionality that Unicorn will offer to its users.

In addition, the interview process also provided valuable information regarding the technologies involved to realize various aspects of the Unicorn project. Micro-service architectural approaches are typically increasing in popularity among IT workers in the SMEs (some are experimenting, some are partly using a micro-service architecture, some have fully embraced the micro-service approach). With the increase in the interest for micro-services architectural patterns, interviewed organisations also seem to be utilizing containerized solutions (e.g., Docker, Swarm, and Kubernetes) for application deployment and orchestration.

In the forthcoming steps, based on the outcomes of D1.1, the documentation of the overall architecture describing the main components and artefacts of Unicorn, the interconnection scheme and the specific interfaces for exchange of information among them will be designed and described in detail in D1.2. In addition to the reference architecture, the supported Unicorn Use Cases describing the implementation scenarios of the mechanisms that will be developed within the project in the demonstrators will be analysed in order to be used as a starting point for the research/technical and demonstration/business-oriented work packages.


9 References[1] N.R.Herbst,S.Kounev,andR.Reussner,“ElasticityinCloudComputing:WhatItIs,andWhatItIsNot.,”

inICAC,2013,pp.23–27.

[2] N.Loulloudes,C.Sofokleous,D.Trihinas,M.D.Dikaiakos,andG.Pallis,“EnablingInteroperableCloudApplicationManagementthroughanOpenSourceEcosystem,”{IEEE}InternetComput.,vol.19,no.3,pp.54–59,2015.

[3] L.Willcocks,W.Venters,andE.A.Whitley,“CloudinContext:ManagingNewWavesofPower,”inMoving

to the Cloud Corporation:How to face the challenges and harness the potential of cloud computing,London:PalgraveMacmillanUK,2014,pp.1–19.

[4] IntuitInc.,“IntuitStudyShowsHowtheCloudWillTransformSmallBusinessby2020.”2015.

[5] MichaelJ.SKok,“BreakingDowntheBarrierstoCloudAdoption.”2014.

[6] ApacheJClouds,“https://jclouds.apache.org/.”.

[7] ApacheLibClouds,“https://libcloud.apache.org/.”.

[8] OASIS TOSCA Committee, “OASIS Topology and Orchestration Specification for Cloud Applications(TOSCA).”.

[9] OASISCAMPCommittee,“OASISCloudApplicationManagementforPlatforms(CAMP).”.

[10] RackspaceInc.,“StateoftheCloud2016.”2016.

[11] RightscaleInc.,“CloudComputingTrends2015.”2015.

[12] JulieKnudson,“Study:IaaSandCloudChallengesintheEnterprise.”2014.

[13] D.Trihinas,G.Pallis,andM.D.Dikaiakos,“JCatascopia:MonitoringElasticallyAdaptiveApplicationsintheCloud,”inCluster,CloudandGridComputing(CCGrid),201414thIEEE/ACMInternationalSymposium

on,2014,pp.226–235.

[14] D.Trihinas,G.PallisandM.D.Dikaiakos,“MonitoringElasticallyAdaptiveMulti-CloudServices,” IEEETrans.CloudComput.,vol.4,2016.

[15] G.Copiletal.,“Service-OrientedComputing:12thInternationalConference,ICSOC2014,Paris,France,November3-6,2014.Proceedings,”Berlin,Heidelberg:Springer,2014,pp.275–290.

[16] AmazonCloudFormation,“https://aws.amazon.com/cloudformation/.”.

[17] Oracle Virtual Assembly Builder, “http://www.oracle.com/us/products/middleware/exalogic/virtual-assembly-builder/overview/index.html.”.

[18] EclipseIDECommunity,“CloudApplicationManagementFramework(CAMF).”.

[19] JuJufromCanonical,“http://www.ubuntu.com/cloud/juju.”.

[20] ServiceMesh Agility Platform, “http://www.csc.com/cloud/offerings/53410/104965-csc_agility_platform_cloud_management.”.

[21] S.Dustdar,Y.Guo,B.Satzger,andH.-L.Truong,“Principlesofelasticprocesses,”IEEEInternetComput.,no.5,pp.66–71,2011.

Page 90: unicorn d1.1 v14unicorn-project.eu/wp-content/uploads/2018/04/360874990... · 2018. 4. 30. · Figure 28: Multi-Cloud Adoption Challenges 57 ... , DevOps, annotation based programming

D1.1StakeholdersRequirementsAnalysis

90

[22] ProgrammableInfrastructure,“programmableinfrastructure.com.”2017.

[23] P.Gouvas,C.Vassilakis,E.Fotopoulou,andA.Zafeiropoulos,“ANovelReconfigurable-by-DesignHighlyDistributed Applications Development Paradigm over Programmable Infrastructure,” in 2016 28thInternationalTeletrafficCongress(ITC28),2016,vol.2,pp.7–12.

[24] Z.A.Mann,“AllocationofVirtualMachinesinCloudDataCenters&Mdash;ASurveyofProblemModelsandOptimizationAlgorithms,”ACMComput.Surv.,vol.48,no.1,p.11:1--11:34,Aug.2015.

[25] KurtMarkoetal.,“Thebenefitsofamulti-cloudapproach.”.

[26] TonyConnor,IDC,“Thebenefitsofamulti-cloudstrategy.”2016.

[27] RightScale,“StateoftheCloudReport2017,”2017.

[28] Rightscale,“StateoftheCloud2017Trends.”2017.

[29] D.TovarnakandT.Pitner,“Towardsmulti-tenantandinteroperablemonitoringofvirtualmachinesincloud,”inSymbolicandNumericAlgorithmsforScientificComputing(SYNASC),201214thInternational

Symposiumon,2012,pp.436–442.

[30] N.Bassiliades,M.Symeonidis,G.Meditskos,E.Kontopoulos,P.Gouvas,and I.Vlahavas,“ASemanticRecommendationAlgorithmforthePaaSportPlatform-as-a-serviceMarketplace,”ExpertSyst.Appl.,vol.67,no.C,pp.203–227,Jan.2017.

[31] G.Copiletal.,“ADVISE–aframeworkforevaluatingcloudserviceelasticitybehavior,”inService-OrientedComputing,Springer,2014,pp.275–290.

[32] J.Thones,“Microservices,”IEEESoftw.,vol.32,no.1,p.116,Jan.2015.

[33] Lori MacVittie, Micorservices and Microsegmentation,“https://devcentral.f5.com/articles/microservices-versus-microsegmentation.”2015.

[34] Martin Fowler, “Microservices a definition of this new architectural term.” [Online]. Available:https://martinfowler.com/articles/microservices.html.

[35] EricS.Raymond,“TheArtofUNIXProgramming.”2013.

[36] ScottM.Fulton,“WhatLedAmazontoitsOwnMicroservicesArchitecture.”2015.

[37] TonyMauro,“AdoptingMicroservicesatNetflix:LessonsforArchitecturalDesign.”2016.

[38] M.G.Xavier,M.VNeves,F.D.Rossi,T.C.Ferreto,T.Lange,andC.A.F.DeRose,“PerformanceEvaluationof Container-Based Virtualization for High Performance Computing Environments,” in 2013 21stEuromicro InternationalConferenceonParallel,Distributed,andNetwork-BasedProcessing,2013,pp.233–240.

[39] R. Jain and S. Paul, “Network virtualization and software defined networking for cloud computing: asurvey,”IEEECommun.Mag.,vol.51,no.11,pp.24–31,Nov.2013.

[40] J.Sahoo,S.Mohapatra,andR.Lath,“Virtualization:ASurveyonConcepts,TaxonomyandAssociatedSecurityIssues,”in2010SecondInternationalConferenceonComputerandNetworkTechnology,2010,pp.222–226.

[41] XenProject,“http://www.xenproject.org/.”.

Page 91: unicorn d1.1 v14unicorn-project.eu/wp-content/uploads/2018/04/360874990... · 2018. 4. 30. · Figure 28: Multi-Cloud Adoption Challenges 57 ... , DevOps, annotation based programming

D1.1StakeholdersRequirementsAnalysis

91

[42] VMWareVSphereHypervisor,“http://www.vmware.com/products/vsphere-hypervisor.html.”.

[43] KVMHypervisor,“https://www.linux-kvm.org/page/Main_Page.”.

[44] E.Bauman,G.Ayoade,andZ.Lin,“ASurveyonHypervisor-BasedMonitoring:Approaches,Applications,andEvolutions,”ACMComput.Surv.,vol.48,no.1,p.10:1--10:33,Aug.2015.

[45] R.Dua,A.R.Raja, andD.Kakadia, “Virtualization vsContainerization to SupportPaaS,” in2014 IEEEInternationalConferenceonCloudEngineering,2014,pp.610–614.

[46] Nolleetal.,“Continuousintegrationanddeploymentwithcontainers.”2015.

[47] ChrisTozzietal.,“Thebenefitsofcontainerdevelopment.”2015.

[48] E.W.BiedermanandL.Networx,“Multipleinstancesofthegloballinuxnamespaces,”inProceedingsoftheLinuxSymposium,2006,vol.1,pp.101–112.

[49] P.Menageetal.,“C-Groups.”2006.

[50] LXC/LXDLinuxContainers,“https://linuxcontainers.org/.”.

[51] J.Turnbull,TheDockerBook:Containerizationisthenewvirtualization.JamesTurnbull,2014.

[52] DockervsCoreOSRkt,“https://www.upguard.com/articles/docker-vs-coreos.”.

[53] CoreOs,“http://coreos.com/.”

[54] DockerInc.,“DockerCompose.”.

[55] Kubernetes,“http://kubernetes.io/.”.

[56] Fleet,“https://github.com/coreos/fleet.”.

[57] XenProject,“TheUnikernelApproach.”2014.

[58] A.Kivity,D.Laor,G.Costa,andP.Enberg,“OSv—OptimizingtheOperatingSystemforVirtualMachines,”Proc.2014USENIXAnnu.Tech.Conf.,pp.61–72,2014.

[59] MirageOS,“https://mirage.io/.”.

[60] OSv,“http://osv.io/.”.

[61] LarsKurth,“AreCloudOperatingSystemstheNextBigThing?”.

[62] LarsKurth,“HowEarlyAdoptersAreUsingUnikernels-WithandWithoutContainers.”.

[63] DZone,“TheDZoneGuidetoDevOps-ContinuousDeliveryandAutomation,”2016.

[64] R.WEXLER,“theStateofCloudreport,”Weather,vol.27,no.5,pp.211–211,2017.

[65] AWS,“WhatisDevOps?,”https://aws.amazon.com/devops/what-is-devops/.

[66] A.Brown,N.Forsgren,J.Humble,G.Kim,andN.Kersten,“StateofDevopsReport2016,”vol.5,2016.

[67] M.Fowler,“ContinuousIntegration,”2006.

[68] L.Chen,“Continuousdelivery:Hugebenefits,butchallengestoo,”IEEESoftw.,vol.32,no.2,pp.50–54,

Page 92: unicorn d1.1 v14unicorn-project.eu/wp-content/uploads/2018/04/360874990... · 2018. 4. 30. · Figure 28: Multi-Cloud Adoption Challenges 57 ... , DevOps, annotation based programming

D1.1StakeholdersRequirementsAnalysis

92

2015.

[69] StackoverflowCommunity,“DevelopmerReport2016.”.

[70] EclipseCheCloudIDE,“https://eclipse.org/che.”.

[71] SAPHanaCloudIDE,“https://hcp.sap.com/index.html.”.

[72] G.GalanteandL.C.E.DeBona,“Asurveyoncloudcomputingelasticity,”inProceedings-2012IEEE/ACM

5thInternationalConferenceonUtilityandCloudComputing,UCC2012,2012,pp.263–270.

[73] M. Nosal,M. Sulir, and J. Juhar, “Source code annotations as formal languages,” in 2015 FederatedConferenceonComputerScienceandInformationSystems(FedCSIS),2015,pp.953–964.

[74] Y.Golecha,DZone,“HowDoAnnotationsWorkinJava?”.

[75] SpringIOTools,“https://spring.io/tools.”.

[76] AnnotationProcessingTool(APT),“http://docs.oracle.com/javase/7/docs/technotes/guides/apt/.”.

[77] XDocletAnnotations,“http://xdoclet.sourceforge.net/xdoclet/index.html.”.

[78] EclipseAspectJ,“https://eclipse.org/aspectj/.”.

[79] JUnitTesting,“http://junit.org/junit4/.”.

[80] N. Jacob and C. Brodley, “Offloading IDS Computation to the GPU,” in2006 22nd Annual Computer

SecurityApplicationsConference(ACSAC’06),2006,pp.371–380.

[81] L. Marziale, G. G. Richard III, and V. Roussev, “Massive Threading: Using GPUs to Increase thePerformanceofDigitalForensicsTools,”Digit.Investig.,vol.4,pp.73–81,Sep.2007.

[82] G.Vasiliadis,S.Antonatos,M.Polychronakis,E.P.Markatos,andS.Ioannidis,“Gnort:HighPerformanceNetwork Intrusion Detection Using Graphics Processors,” in Proceedings of the 11th InternationalSymposiumonRecentAdvancesinIntrusionDetection,2008,pp.116–134.

[83] G. Vasiliadis, M. Polychronakis, and S. Ioannidis, “MIDeA: A Multi-parallel Intrusion DetectionArchitecture,”inProceedingsofthe18thACMConferenceonComputerandCommunicationsSecurity,2011,pp.297–308.

[84] N.Fips,“AnnouncingtheADVANCEDENCRYPTIONSTANDARD(AES),”Byte,vol.2009,no.12,pp.8–12,2001.

[85] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-keycryptosystems,”Commun.ACM,vol.21,no.2,pp.120–126,1978.

[86] KentBecketal.,“TheAgileManifesto.”2001.

[87] RightScale 2016 State of the Cloud Report, “http://www.rightscale.com/lp/2016-state-of-the-cloud-report.”.

[88] Magic Quadrant for Cloud Infrastructure as a Service, Worldwide,“https://www.gartner.com/doc/reprints?id=1-2G2O5FC&ct=150519.”.

[89] Magic Quadrant for Enterprise Application Platform as a Service, Worldwide,

Page 93: unicorn d1.1 v14unicorn-project.eu/wp-content/uploads/2018/04/360874990... · 2018. 4. 30. · Figure 28: Multi-Cloud Adoption Challenges 57 ... , DevOps, annotation based programming

D1.1StakeholdersRequirementsAnalysis

93

“https://www.gartner.com/doc/reprints?id=1-2C8JHBP&ct=150325&st=sb.”.

[90] Veracode Secure Development Survey 2016, “https://info.veracode.com/report-veracode-developer-survey.html.”.

[91] VisionMobile 2017: State of the developer nation, “https://www.visionmobile.com/reports/state-developer-nation-q1-2017.”.

[92] LightBend2016:Cloud,Container&Micro-services,“https://www.slideshare.net/Lightbend/enterprise-development-trends-2016-cloud-container-and-microservices-insights-from-2100-jvm-developers.”.

[93] GitLab:2016GlobalDeveloperReport,“https://about.gitlab.com/2016/11/02/global-developer-survey-2016/.”.

[94] RebelLabs: 2016 Development and Productivity Report and Java Landscape,“http://pages.zeroturnaround.com/RebelLabs-Developer-Productivity-Report-2016.html.”.

[95] RebelLabs:2017ProgrammingtheWebReport,“https://zeroturnaround.com/webframeworksindex/.”.

[96] StackOverflow:2016DeveloperReport,“https://insights.stackoverflow.com/survey/2016.”.

[97] StackOverflow:2017DeveloperReport,“https://insights.stackoverflow.com/survey/2017.”.

[98] Eu Commission, Annual report on European SMEs performance 2016,“http://ec.europa.eu/growth/smes/business-friendly-environment/performance-review-2016_en.”.

[99] SaaS, PaaS, and IaaS: A security checklist for cloud models - CSO Security Report,“http://www.csoonline.com/article/2126885/cloud-security/saas-paas-and-iaas-a-security-checklist-for-cloud-models.html.”.

[100] Gartner,“GartnerSaysWorldwidePublicCloudServicesMarkettoGrow17Percentin2016,”GartnerPressRelease,2017.[Online].Available:http://www.gartner.com/newsroom/id/3616417.

[101] L. Leong, G. Petri, B. Gill, and M. Dorosh, “Magic Quadrant for Cloud Infrastructure as a Service,Worldwide,” Gartner Inc., 2016. [Online]. Available: https://www.gartner.com/doc/reprints?id=1-2G2O5FC&ct=150519.

[102] Gartner,“GartnerSaysWorldwidePublicCloudServicesMarkettoGrow18Percentin2017,”GartnerPressRelease,2017.[Online].Available:http://www.gartner.com/newsroom/id/3616417.

[103] KPMG,“Journeytothecloud:ThecreativeCIOAgenda,”2017.

[104] G. Leopold, “Container Market Pegged at $2.7B by 2020,” EnterpiseTech, 2017. [Online]. Available:https://www.enterprisetech.com/2017/01/10/container-market-pegged-2-7b-2020/.

[105] “DevOps & Microservice Ecosystem Market Forecast 2017-2022,”Market Analysis, 2017. [Online].Available:https://www.marketanalysis.com/?p=63.

[106] CloudFoundry,“HopeVersusReality:ContainersIn2016.GlobalPerceptionStudy,”2016.

[107] Netflix,“NetflixOSS.”[Online].Available:https://netflix.github.io/.

[108] Docker,“https://www.docker.com/.”

[109] IncludeOs,“http://www.includeos.org/.”

Page 94: unicorn d1.1 v14unicorn-project.eu/wp-content/uploads/2018/04/360874990... · 2018. 4. 30. · Figure 28: Multi-Cloud Adoption Challenges 57 ... , DevOps, annotation based programming

D1.1StakeholdersRequirementsAnalysis

94

[110] Istio,“https://istio.io/.”

[111] Linkerd,“https://linkerd.io/.”

[112] OpenShift,“https://openshift.io/.”

[113] R.Unikernel,“https://github.com/rumpkernel/rumprun.”

[114] Rkt,“https://coreos.com/rkt.”

[115] E.Pekka,“APerformanceEvaluationofHypervisor,Unikernel,andContainerNetworkI/OVirtualization,”2016.

[116] C.Tamas, “AperformancecomparisonofKVM,Dockerand the IncludeOSUnikernel,”MasterThesis,2016.

[117] A.Bratterud,A.A.Walla,H.Haugerud,P.E.Engelstad,andK.Begnum,“IncludeOS:Aminimal,resourceefficient unikernel for cloud services,” in Proceedings - IEEE 7th International Conference on CloudComputingTechnologyandScience,CloudCom2015,2016,pp.250–257.

[118] I.Github,“https://github.com/istio/istio/issues/369.”

[119] Autoletics, “Performance Benchmarking and Hotspot Analysis of Linkerd – Part 1,” 2017. [Online].Available: https://www.autoletics.com/posts/performance-benchmarking-and-hotspot-analysis-of-linkerd-part-1.

[120] E.E.IanBriggs,MattDay,YuankaiGuo,PeterMarheine,“APerformanceEvaluationofUnikernels,”2015.

[121] A.Madhavapeddyetal., “Unikernels: LibraryOperating Systems for theCloud,”Proc. eighteenth Int.Conf.Archit.SupportProgram.Lang.Oper.Syst.-ASPLOS’13,vol.48,no.4,p.461,2013.

[122] “Performance Test For Unikernels (Rumpkernel And OSv).” [Online]. Available:http://tech.donghao.org/2015/12/23/performance-test-for-unikernels-rumpkernel-and-osv/.

[123] “Docker v/s Rkt Benchmarking: Performance Benchmarks.” [Online]. Available:https://shivammaharshi.wordpress.com/2016/08/16/docker-vs-rkt-benchmarking-performance-benchmarks/.

[124] ISO/IEC25010:2011,“https://www.iso.org/standard/35733.html.”.


10 Annex

10.1 Identified Unicorn Functional Requirements

FR.1 Develop cloud application based on code annotation design libraries and define runtime policies and constraints
FR.2 Securely register and manage cloud provider credentials
FR.3 Search interface for extracting underlying programmable cloud offerings and capability metadata descriptions
FR.4 Creation of Unicorn-compliant cloud application deployment assembly
FR.5 Cloud application deployment bootstrapping to a (multi-)cloud execution environment
FR.6 Deployment assembly integrity validation
FR.7 Access application behavior and performance monitoring data
FR.8 Real-time notification and alerting of security incidents and QoS guarantees
FR.9 Autonomic management of deployed cloud applications and real-time adaptation based on intelligent decision-making mechanisms
FR.10 Manage the runtime lifecycle of a deployed cloud application
FR.11 Application placement over programmable cloud execution environments
FR.12 Register and manage cloud application owners
FR.13 Manage the core context model
FR.14 Register and manage enablers interpreting Unicorn code annotations
FR.15 Unified API providing abstraction of resources and capabilities of underlying programmable cloud execution environments
FR.16 Resource and service (de-)reservation over multi-cloud execution environments
FR.17 Development of code annotation libraries
FR.18 Development of enablers interpreting Unicorn code annotations
FR.19 Register and manage programmable infrastructure and service offerings
FR.20 Monitor cloud offering allocation and consumption
FR.21 QoS advertising and management
FR.22 Register and manage privacy preserving encrypted persistency mechanisms for restricting data access and movement across cloud sites and availability zones
FR.23 Register and manage persistent security enforcement mechanisms for runtime monitoring, detecting and labeling of abnormal and intrusive cloud network traffic behavior
FR.24 Automated application source code and underlying cloud resource offering vulnerability assessment, measurement and policy compliance evaluation

10.2 Disseminated Questionnaire

What follows is the Unicorn questionnaire in printable format. The online version of the questionnaire is accessible via the following link: https://goo.gl/forms/a8rH60DmD3qSWXXN2
