Cybersecurity Requirements for Supporting Enterprise Interoperability of Multi-Sided Platforms

We report on work in capturing cybersecurity requirements for cloud-based and IoT-enabled Multi-Sided Platforms (MSPs). Our approach is designed to capture security aspects related to the business rules and constraints of MSPs, thus shaping the platform's behaviour and the participants' interaction and leading towards safer enterprise interoperability. We design the MSPs Privacy Requirements Framework and the MSPs Security Architecture in order to cater for use case-centric and platform-centric cybersecurity requirements. To ensure compliance with the upcoming GDPR, we discuss the mapping between the elicited cybersecurity requirements and the GDPR rules. The GDPR is expected to have significant implications for businesses in the EU, and our approach is designed to achieve full compliance with it.


Motivation
Enterprise interoperability of Multi-Sided Platforms (MSPs) enables separately developed enterprise systems, which incorporate different business models and domains, to share their data effectively, exchange information through negotiation, interact and perform customized business processes, and maximize their efficiency through interworking. MSPs support interaction and interoperability between two or more sides; e.g., a two-sided platform manages the interaction between two distinct groups (e.g., consumers and software providers), while MSPs facilitate the recurring interaction between more than two distinct groups [1]. Some examples of multi-sided platforms are Uber, XBox, eBay and AirBnB, to name a few. This paper presents our approach to capturing cybersecurity requirements supporting the design and development of the NIMBLE platform's infrastructure and its services. The NIMBLE platform is designed as an MSP, enabling multi-sided B2B trade and enterprise collaboration. The platform development is funded through the EU H2020 research and innovation programme (for more: https://www.nimbleproject.org/). NIMBLE's MSP business model involves contractual relationships between buyers and suppliers, as well as logistics and other services affiliated with the platform. Designed for cloud environments, the NIMBLE models support a federation of platform instances, each providing a set of core services and offering additional, specifically tailored services enabling interoperation at regional, sectorial, or topical levels. The flexibility of such an MSP increases the complexity of enterprise interoperability and opens issues related to cybersecurity and the serious harm that can be caused to the participating companies, e.g. revealing sensitive information (personal data, design and operational information) and losing customers, facing a host of legal and financial penalties, or putting businesses at risk through jamming of communication, spoofing and data manipulation that affect the decision-making process.
Paper organization. Section 2 discusses related work on MSPs and platform evolution models, which are used to analyse the overall growth, effectiveness and performance of MSPs in supporting enterprise interoperability. Related work on cybersecurity frameworks and strategies for MSPs is also presented in this section. Section 3 discusses the cybersecurity methods used as a baseline to create the MSP Privacy Requirements Framework in NIMBLE. Section 4 describes our approach to cybersecurity requirements elicitation for MSPs, encompassing several aspects targeting enterprise interoperability. Firstly, we create our MSPs Security Architecture, from which we derive core platform-centric security controls and specify a set of related cybersecurity requirements. Secondly, we map these security controls to the requirements of the new General Data Protection Regulation (GDPR), which becomes enforceable in the EU in May 2018. Section 5 concludes the paper.

Related Work

Multi-Sided Platforms and Their Evolution Models
Enterprise MSPs contribute to frictionless access to markets through the reduction of both search costs and shared transaction costs among multiple participating sides [2]. Direct interaction over MSPs occurs with high frequency between participants affiliated with the same platform. Such frequent interaction expands network effects and fosters extensive platform adoption. In turn, this positively affects the value of the platform to all affiliated sides [1], while the complexity of the economic and technology factors that drive the strategic design of MSPs increases accordingly. MSPs prove to be systems that evolve gradually over time, and the phenomenon of platform evolution is examined in several platform evolution models:
- Hagiu [2] observes platform evolution as a gradual transition from a one-sided to a two-sided and then a multi-sided platform;
- Evans [3] recognizes the importance of a critical mass of users, which can be achieved by following a zig-zag strategy for attracting new platform participants;
- Tiwana [4] focuses on concrete evolutionary metrics to estimate the speed and effectiveness of a platform's evolution.
Tiwana's model is the only one that recognizes the importance of aligning platform architecture, governance and business strategy in order to progress the MSP. However, none of the above models provides coherent decisions on architecture, governance or business strategy for MSPs that would practically guide platform owners and developers. Thus, the authors in [5] design the Reach and Range Framework for MSPs as an analytical tool providing in-depth understanding of an MSP's key mechanisms (such as reach and range), which are used to address the main strategic challenges during platform evolution. In our work, we follow Tiwana's model for the design of our security requirements methodology, in order to elicit more complete cybersecurity requirements and better support their management and further evaluation.

Cybersecurity Frameworks and Strategies Affecting Multi-Sided Platforms
Capturing functional and non-functional cybersecurity requirements for MSPs puts a strong emphasis on the early integration of security and privacy into software development, which is ensured through the key concepts of Information Security as defined in the ISO/IEC 27000:2009 standard [6]. This standard aims to keep information from being violated or compromised in critical situations, i.e. device malfunctions, threats (software attacks, ransomware, viruses and the like), identity theft, hazards, natural disasters, etc. In our work, we select several privacy requirements frameworks which are important either because they have influenced regulations or because they have been designed to provide practical advice for developers:
• The Fair Information Practices (FIP) framework opens a list of privacy elements which are useful to discuss in the system design phase.
• [11] offers practical guidelines for creating notice and consent experiences, providing sufficient data security, maintaining data integrity, supplying controls for developing software products, etc. One of the core principles in this document concerns the user's consent to what personal data will be collected, with whom it will be shared, and how it will be used.
• Finally, the new GDPR (see: http://www.eugdpr.org/) is a complex regulation created to enhance personal privacy rights, increase the duty to protect personal data, provide mandatory personal data breach reporting, etc. [12]. The GDPR becomes enforceable in May 2018 and will have significant implications for businesses in the EU.

Cybersecurity Considerations for Multi-Sided Platforms
Our approach to security and privacy requirements elicitation, for the purpose of engineering and delivering secure platform solutions for a variety of MSP users (e.g. suppliers, logistic operators, service providers, cloud providers, retailers and platform providers), combines several views on MSPs:
• A platform-centric view, resulting in the design of the MSP security architecture and its alignment with the technical NIMBLE platform architecture;
• A use case-centric view, resulting in security and privacy control services for MSP users;
• A data-centric view that designs and implements data security and privacy services, governance models, and the necessary GDPR compliance models.
In our work, we follow the formulation of security as a property that prevents unauthorized access to and modification of information and data, as well as unauthorized use of resources [13], while privacy is seen as a common application of security technologies, with a significant intersection with data provenance, which adds security controls for preserving both data integrity and confidentiality [14] [15]. Privacy ensures the development of platform services that satisfy users' requirements related to privacy protection and the disclosure of both personal and corporate information.
For the development of privacy preserving mechanisms for MSPs, we combine the FIP framework, the Seven Laws of Identity, the Data Minimization principles and methods for GDPR implementation as described in [16]. Table 1 presents an excerpt from our work showing the convergence of the proposed privacy frameworks into privacy requirements for MSPs. Table 2 illustrates the proposed MSPs Privacy Requirements Framework, which addresses the three views: the user-centric, platform-centric and data-centric view, the last of which incorporates a set of GDPR requirements.

Cybersecurity Requirements Capturing for MSPs
In our work, the process of cybersecurity requirements elicitation for MSPs includes the following steps:
- Use case-centric security and privacy requirements elicitation, based on requirements collected from the platform's participants;
- Platform-centric security and privacy requirements elicitation, based on the problem context of the platform's system, its architecture and the design of its components and services;
- Mapping between use case-centric and platform-centric cybersecurity requirements, with the aim of eliminating inconsistencies and repetitions between requirements; and
- Security and privacy requirements evaluation, based on STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) threat analysis [19].
STRIDE analyses the assets of the platform and its data flows, and identifies possible threats and vulnerabilities that can affect the platform. The threats describe what an attacker can do to harm the platform, while vulnerabilities are weaknesses of the platform that an attacker could exploit. Figure 1 illustrates our approach to requirements capturing for MSPs. Firstly, we apply the ISO/IEC 27000 series of Information Security standards to capture security requirements related to the platform's participants and their use cases, and to the MSP's technical architecture and components. In this way, we identify and specify both use case-centric and platform-centric security requirements for MSPs. For the privacy requirements, we use the MSPs Privacy Requirements Framework (presented in Section 3.1). Secondly, we map the use case-centric and platform-centric security and privacy requirements to each other in order to eliminate inconsistencies and repetitions between requirements. Finally, we use STRIDE-based methods for the evaluation of the security requirements (for more details, see [18]).
The objective of our approach to cybersecurity elicitation is to identify the most important security controls and measures to be implemented and maintained during the MSP's security lifecycle. In addition, we design an MSPs Security Architecture (see Fig. 2) for the analysis of platform-centric cybersecurity requirements.
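The STRIDE-based evaluation step above can be made mechanical: enumerate candidate threats per element of a data-flow model (the usual STRIDE-per-element mapping), flag flows that cross a trust boundary, and report every threat that no elicited requirement addresses. The following is an added example written for this page, not code from the NIMBLE project; the element names, trust zones and the requirement identifiers SEC-01 to SEC-05 are constructed for illustration and do not reproduce the paper's Fig. 1 or Fig. 2.

```python
"""STRIDE-per-element enumeration over a small data-flow model, plus a
coverage check of elicited requirements against the enumerated threats.

Added example, not NIMBLE project code. The model (a Supplier, a FrontEnd,
an IdentityService, a CatalogueStore) and the requirements are assumed
for illustration only.
"""
from dataclasses import dataclass

# STRIDE-per-element mapping used in Microsoft SDL threat modelling:
# which threat categories are considered for which kind of element.
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external interactor: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six categories
    "store": "TRID",      # data store: Tampering, Repudiation, Info disclosure, DoS
    "flow": "TID",        # data flow: Tampering, Info disclosure, DoS
}

THREAT_NAME = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str          # one STRIDE letter
    crosses_boundary: bool  # True for a flow between different trust zones


def enumerate_threats(elements, flows):
    """Apply the per-element mapping to every element and flow."""
    zone = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, c, False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        for c in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(f.name, c, crosses))
    return threats


def uncovered(threats, requirements):
    """Threats for which no requirement names the same target and category.

    requirements: iterable of (req_id, target, stride_letter).
    Boundary-crossing flows are listed first so they get attention first.
    """
    covered = {(target, cat) for _, target, cat in requirements}
    gaps = [t for t in threats if (t.target, t.category) not in covered]
    return sorted(gaps, key=lambda t: (not t.crosses_boundary, t.target, t.category))


# Constructed model: an external supplier talks to the FrontEnd in a DMZ,
# which calls an identity service and a catalogue store inside the platform.
ELEMENTS = [
    Element("Supplier", "external", "internet"),
    Element("FrontEnd", "process", "dmz"),
    Element("IdentityService", "process", "platform"),
    Element("CatalogueStore", "store", "platform"),
]
FLOWS = [
    Flow("Supplier->FrontEnd", "Supplier", "FrontEnd"),
    Flow("FrontEnd->IdentityService", "FrontEnd", "IdentityService"),
    Flow("IdentityService->CatalogueStore", "IdentityService", "CatalogueStore"),
]
# Constructed requirements: (id, target, STRIDE category they mitigate).
REQUIREMENTS = [
    ("SEC-01", "FrontEnd", "S"),            # only authenticated users reach services
    ("SEC-02", "Supplier->FrontEnd", "I"),  # external flow is encrypted in transit
    ("SEC-03", "Supplier->FrontEnd", "T"),  # external flow is integrity-protected
    ("SEC-04", "CatalogueStore", "T"),      # integrity controls on stored data
    ("SEC-05", "CatalogueStore", "R"),      # access is recorded in audit logs
]


def report(elements=ELEMENTS, flows=FLOWS, requirements=REQUIREMENTS):
    """Return human-readable lines for every unaddressed threat."""
    lines = []
    for t in uncovered(enumerate_threats(elements, flows), requirements):
        tag = " [crosses trust boundary]" if t.crosses_boundary else ""
        lines.append(f"{t.target}: {THREAT_NAME[t.category]}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the constructed model the enumeration yields 27 candidate threats (2 for the external entity, 6 per process, 4 for the store and 3 per flow), of which five are addressed by the sample requirements; the remaining 22 are the input to the mapping and evaluation steps described above, with the six threats on boundary-crossing flows reported first.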

MSPs Security Architecture
The MSPs Security Architecture is derived from the NIMBLE Microservice Architecture [17]. Platform-centric security and privacy requirements for each of the identified security controls are elaborated in detail in [18]. The basic security controls are addressed by the following core components:
- The FrontEnd component is designed to provide easy-to-use interaction with the users, and to handle authentication, load balancing and the related security controls ensuring that only authenticated users can access the platform's services and data. Security monitoring methods must keep control of provenance data, which reveals information about the platform's connection parameters.

Security Controls for Data Integrity and Data Quality Management, and their Mapping with the GDPR
A failure to control the distribution of data, data integrity and data quality often leads to data breaches, loss of sensitive information and data manipulation, which need to be prevented using adequate security controls, e.g. only authenticated users can access data, and only in a controlled manner. Data manipulation on MSPs can skew the comparison of products and suppliers, and the filtering and ordering of information, in ways that force unfair trade and monopolies. Provenance information about access to the system needs to be kept in audit logs, while security controls for anomaly detection capture unusual behaviour. Provenance information matters in cybersecurity as a measure for preventing data manipulation that can cause harmful changes of product specifications (e.g. power outages, data sabotage, etc.). The secure exchange of business information through file sharing, email and the messaging system used for negotiation is another big concern for participants interacting over MSPs.
To demonstrate how the MSPs Security Architecture and its security controls map to the GDPR requirements, Table 3 lists the security controls supporting Data Integrity and Data Quality Management (more details are given in [18]). Table 3. Security controls supporting Data Integrity and Data Quality Management.

Security control name
Security control description and its compliance with the GDPR

Data Integrity and Data Quality Policy
Data Integrity and Data Quality Policy must be clearly defined and based on the MSPs Privacy Requirements Framework (in order to incorporate different approaches: use-case-centric view, data-centric view and the GDPR requirements).

Data input validation
Controls over predictable behaviour, manual override, timing, etc. must be integrated; this corresponds to the Data Quality Principle and the GDPR requirement to verify sensitive data for accuracy, completeness and being up-to-date.

Data and metadata protection
Protection against unauthorized access and manipulation; Automated restricted access; Cryptographic protection; GDPR requirement for deletion of personal data and/or personal data modification by the data subject; GDPR requirement for supporting subject's requests to access personal data;

Data protection at rest
Cryptographic protection, off-line storage; GDPR requirement for deletion and/or modification of personal data by the data subject;

Data protection in shared resources
Cryptographic protection; GDPR requirement for deletion of personal data and/or personal data modification by the data subject;

Notification of data integrity violations
Monitoring services must be provided; GDPR requirement for detecting, reporting and investigating personal data breaches; GDPR requirement for reviewing existing privacy notices and keeping them up-to-date

Informed consent by Design
The user must give informed consent to the data usage, which prevents the use of data in a way that does not match the user's wishes; GDPR requirement for implementing privacy procedures for seeking, recording, and managing the user's consent

Conclusion
The ultimate role of MSPs in digital automation is to increase speed to market, minimize costs and optimize manufacturing and logistic processes through enterprise interoperability. The overall growth, effectiveness and performance of MSPs can be analysed using platform evolution models. We consider Tiwana's platform evolution model, which aligns the architecture of MSPs with governance and business strategies to further progress the evolution of MSPs, as an approach that can be extended towards cybersecurity. Therefore, in this paper we present the MSPs Privacy Requirements Framework and its specific MSPs Security Architecture, featuring security controls that are specifically designed to ensure compliance with the GDPR. In that way, the role of the MSP can be seen as a "regulatory role", which shapes enterprise interaction and online behaviour, and which is expected to lead towards safer enterprise interoperability.