Policy-Driven Governance in Cloud Service Ecosystems By: Dimitrios Kourtesis A thesis submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy The University of Sheffield Faculty of Engineering Department of Computer Science 28 September 2016 South East European Research Centre Abstract Cloud application development platforms facilitate new models of software co-development and forge environments best characterised as cloud service ecosystems. The value of those ecosystems increases exponentially with the addition of more users and third-party services. Growth however breeds complexity and puts reliability at risk, requiring all stakeholders to exercise control over changes in the ecosystem that may affect them. This is a challenge of governance. From the viewpoint of the ecosystem coordinator, governance is about preventing negative ripple effects from new software added to the platform. From the viewpoint of third-party developers and end-users, governance is about ensuring that the cloud services they consume or deliver comply with requirements on a continuous basis. To facilitate different forms of governance in a cloud service ecosystem we need governance support systems that achieve separation of concerns between the roles of policy provider, governed resource provider and policy evaluator. This calls for better modularisation of the governance support system architecture, decoupling governance policies from policy evaluation engines and governed resources. It also calls for an improved approach to policy engineering with increased automation and efficient exchange of governance policies and related data between ecosystem partners. The thesis supported by this research is that governance support systems that satisfy such requirements are both feasible and useful to develop through a framework that integrates Semantic Web technologies and Linked Data principles. The PROBE framework presented in this dissertation comprises four components: (1) a governance ontology serving as shared ecosystem vocabulary for policies and resources; (2) a method for the definition of governance policies; (3) a method for sharing descriptions of governed resources between ecosystem partners; (4) a method for evaluating governance policies against descriptions of governed ecosystem resources. The feasibility and usefulness of PROBE are demonstrated with the help of an industrial case study on cloud service ecosystem governance. Acknowledgements My PhD supervisors Iraklis Paraskakis and Anthony J.H. Simons have my gratitude. I am grateful to Iraklis for introducing me to academic research and for giving me the opportunity to work as a research associate at SEERC for six great years. I am grateful to Tony for his wise advice, his intellectually stimulating teaching and his help with keeping me focused on completing this research. I wish to thank both of them for their genuine support at times when full-time work along part-time research study became challenging. I am thankful to my colleagues at SEERC, to the academics of the Computer Science department at the University’s International Faculty in Thessaloniki and to our research partners from companies and academic institutions with whom I had the privilege to work during my PhD research1. I also want to thank Andigoni Malousi, my beloved cousin who has been an inspiration for the academic studies I pursued in Computer Science - thank you for helping me to cross the PhD finish line. The limitless support and loving patience of my wife Aimilia from the beginning of this research to this day is the single thing that kept me going. This work is really her achievement. Aimilia and the two beautiful children we have been blessed with, Yannis and Thanos, have been my motivation. I am thankful to our son Yannis who is now six years old and planning a future career in science, for being an explosive source of inspiration. I am thankful for his active (daily) encouragement for me to study and complete my writing. At present he finds it extremely cool that dad is pursuing a doctorate degree. I hope he will think the same when he gets to read this dissertation! I am also thankful to our beautiful five-month old son Thanos who has been observing with keen interest and a warm smile but without saying much for the present time —or should I say, not much with clear semantics. Yannis and Thanos will now have more playtime with dad, I promise. My parents, if it wasn’t for you... Mother, I am eternally grateful for your unconditional love and support. Father, I keep your words to my heart and eternally miss you. 1 This research work was supported by a University of Sheffield Scholarship, with full PhD tuition fees sponsored by the South-East European Research Centre (SEERC). It also benefited from my participation in two research projects sponsored by European Commission research grants: CAST, funded by Eureka Eurostars (E! 4373) and Broker@Cloud, funded by the Seventh Framework Programme (FP7-ICT 318392). Table of Contents 1 INTRODUCTION ....................................................................................................... 2 1.1 MOTIVATION ............................................................................................................... 2 1.2 RESEARCH AIMS AND OBJECTIVES .................................................................................... 6 1.3 RESEARCH RESULTS ....................................................................................................... 7 1.4 DISSERTATION OUTLINE ................................................................................................. 8 2 CLOUD SERVICE ECOSYSTEMS AND GOVERNANCE SUPPORT SYSTEMS .................... 12 2.1 INTRODUCTION .......................................................................................................... 12 2.2 CLOUD SERVICES ......................................................................................................... 12 2.2.1 The paradigm of cloud computing ..................................................................... 12 2.2.2 Cloud computing service models ....................................................................... 13 2.2.3 Cloud application platforms............................................................................... 15 2.3 SOFTWARE ECOSYSTEMS IN THE CLOUD .......................................................................... 17 2.3.1 Software co-development .................................................................................. 17 2.3.2 Software ecosystems ......................................................................................... 19 2.3.3 Cloud service ecosystems ................................................................................... 20 2.4 THE CHALLENGE OF GOVERNANCE ................................................................................. 23 2.4.1 Definitions of governance .................................................................................. 23 2.4.2 Governance in cloud service ecosystems ........................................................... 24 2.4.3 Research on governance of software ecosystems ............................................. 27 2.5 GOVERNANCE SUPPORT SYSTEMS – STATE OF THE ART ...................................................... 30 2.5.1 Examples of governance control mechanisms from app stores ........................ 30 2.5.2 Best practices from SOA governance ................................................................. 32 2.5.3 Definition and enforcement of governance policies .......................................... 34 2.6 SUMMARY ................................................................................................................. 36 3 GOVERNANCE IN CLOUD SERVICE ECOSYSTEMS: KEY REQUIREMENTS ..................... 40 3.1 INTRODUCTION .......................................................................................................... 40 3.2 EXAMPLES OF GOVERNANCE IN A CLOUD SERVICE ECOSYSTEM ............................................ 41 3.2.1 Scenario 1: Quality review in a private PaaS environment ................................ 41 3.2.2 Scenario 2: Regulatory compliance audits of cloud applications ...................... 43 3.2.3 Scenario 3: Lifecycle management and quality control in a cloud service ecosystem ....................................................................................................................... 44 3.2.4 Scenario 4: External auditing of cloud service providers ................................... 46 3.2.5 Scenario 5: Policy-based governance by a cloud service broker ........................ 47 3.3 ROLES AND CONCERNS OF STAKEHOLDERS IN THE GOVERNANCE PROCESS ............................. 50 3.3.1 Roles in the governance process ........................................................................ 50 3.3.2 Distribution of governance roles ........................................................................ 50 3.3.3 Types of concerns ............................................................................................... 51 3.3.4 Policy provider concerns .................................................................................... 51 i 3.3.5 Data provider concerns ...................................................................................... 53 3.3.6 Policy evaluator concerns .................................................................................. 55 3.4 IMPLICATIONS ON THE DESIGN OF GOVERNANCE SUPPORT SYSTEMS