Strategic Approaches to Digital Platform Security Assurance

Yuri Bobbert, ON2IT BV, The Netherlands & Antwerp Management School, University of Antwerp, Belgium
Maria Chtepen, BNP Paribas Group, Belgium
Tapan Kumar, Cognizant, The Netherlands
Yves Vanderbeken, DXC, Belgium
Dennis Verslegers, Orange Cyberdefense, Belgium

A volume in the Advances in Information Security, Privacy, and Ethics (AISPE) Book Series

Published in the United States of America by IGI Global, Information Science Reference (an imprint of IGI Global), 701 E. Chocolate Avenue, Hershey PA, USA 17033. Tel: 717-533-8845. Fax: 717-533-8661. E-mail: [email protected]. Web site: http://www.igi-global.com

Copyright © 2021 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data
Names: Bobbert, Yuri, author. | Chtepen, Maria, 1980- author. | Kumar, Tapan, 1983- author. | Vanderbeken, Yves, 1966- author. | Verslegers, Dennis, 1982- author.
Title: Strategic approaches to digital platform security assurance / Yuri Bobbert, Maria Chtepen, Tapan Kumar, Yves Vanderbeken, and Dennis Verslegers.
Description: Hershey PA : Information Science Reference, [2021] | Includes bibliographical references and index.
Summary: "With the field of digital transformation and the associated risk and security management rapidly changing due to emerging technologies and upcoming regulations, this book offers extensive Design Science Research approaches to, on one hand, extensively examine the problem and, on the other hand, offer pragmatic solutions (artefacts) that can serve both academia and practitioners" -- Provided by publisher.
Identifiers: LCCN 2020050609 (print) | LCCN 2020050610 (ebook) | ISBN 9781799873679 (h/c) | ISBN 9781799873686 (s/c) | ISBN 9781799873693 (eISBN)
Subjects: LCSH: Computer security. | Application software--Development. | Business enterprises--Data processing.
Classification: LCC QA76.9.A25 B595 2021 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2020050609
LC ebook record available at https://lccn.loc.gov/2020050610

This book is published in the IGI Global book series Advances in Information Security, Privacy, and Ethics (AISPE) (ISSN: 1948-9730; eISSN: 1948-9749).

British Cataloguing in Publication Data: A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.

For electronic access to this publication, please contact: [email protected].

Advances in Information Security, Privacy, and Ethics (AISPE) Book Series
Manish Gupta, State University of New York, USA
ISSN: 1948-9730, EISSN: 1948-9749

Mission: As digital technologies become more pervasive in everyday life and the Internet is utilized in ever increasing ways by both private and public entities, concern over digital threats becomes more prevalent. The Advances in Information Security, Privacy, & Ethics (AISPE) Book Series provides cutting-edge research on the protection and misuse of information and technology across various industries and settings.
Table of Contents

Preface ........ vii
Acknowledgment ........ xv
Introduction ........ xvi

Chapter 1. Problems in the Area of Business Platform Models: How Are Governments Adapting the Platform Model to Improve Citizen Services ........ 1
Yves Vanderbeken, DXC, Belgium

Chapter 2. Research Findings in the Domain of Business Platform Models: Defining the Practices to Design a Perfect Government Business Platform Model ........ 66
Yves Vanderbeken, DXC, Belgium

Chapter 3. Findings and Core Practices in the Domain of Business Platform Models: Overall Evaluation of the Practices ........ 187
Yves Vanderbeken, DXC, Belgium

Chapter 4. Problems in the Area of Agile Methodologies ........ 205
Tapan Kumar, Cognizant, The Netherlands

Chapter 5. Research Findings in the Domain of Agile Methodologies ........ 214
Tapan Kumar, Cognizant, The Netherlands

Chapter 6. Findings and Core Practices in the Domain of Agile Methodologies ........ 244
Tapan Kumar, Cognizant, The Netherlands

Chapter 7. Problems of CI/CD and DevOps on Security Compliance ........ 256
Yuri Bobbert, ON2IT BV, The Netherlands & Antwerp Management School, University of Antwerp, Belgium
Maria Chtepen, BNP Paribas Group, Belgium

Chapter 8. Research Findings in the Domain of CI/CD and DevOps on Security Compliance ........ 286
Yuri Bobbert, ON2IT BV, The Netherlands & Antwerp Management School, University of Antwerp, Belgium
Maria Chtepen, BNP Paribas Group, Belgium

Chapter 9. Findings and Core Practices in the Domain of CI/CD and DevOps on Security Compliance ........ 308
Yuri Bobbert, ON2IT BV, The Netherlands & Antwerp Management School, University of Antwerp, Belgium
Maria Chtepen, BNP Paribas Group, Belgium

Chapter 10. Challenges and Opportunities for Security Assurance in DevOps ........ 314
Dennis Verslegers, Orange Cyberdefense, Belgium

Chapter 11. Research Findings in the Domain of Security Assurance in DevOps ........ 322
Dennis Verslegers, Orange Cyberdefense, Belgium

Chapter 12. Findings and Core Practices in the Domain of Security Assurance in DevOps ........ 378
Dennis Verslegers, Orange Cyberdefense, Belgium

About the Contributors ........ 391
Index ........ 393

Preface

Nowadays, it is impossible to imagine a business without technology. Most industries are becoming "smarter" and more tech-driven (Desdemoustier, Crutzen, & Giffinger, 2019). We live in the era of the "platform society." We have become familiar with the new way of doing business that Uber, Airbnb, Amazon, Tencent, Alibaba, and many others have introduced to us and consider this the new normal. Digital platforms and eco-systems are not restricted by borders, locations, and industries (Nambisan, Zahra, & Luo, 2019). For example, Coursera has become the world's most prominent online educator, collaborating with over 200 leading universities and companies. Pioneers ranging from Amazon to Lyft and Zillow and Airbnb to Zalando and ZBJ are disrupting the retail, healthcare, real estate, banking, lodging, steel industries, and labor markets.
In his book Platform Scale, Choudary claimed that platforms would become increasingly powerful and concentrate on collecting more and more data to cross- or upsell services (Choudary, 2015). Platforms range from small individual tech initiatives to complete business models with intertwined supply chains and "Platform"-based business models. New ways of working, such as Agile and DevOps, are introduced, leading to opportunities and unknown risks. These risks do not restrict themselves to the technology domain; new challenges arise from teams working together in a distributed manner to deliver value at a higher pace by reducing the time to market. We see smart cities emerge, and society is taking a more holistic view of the regulation of such high-tech developments. Not only from a privacy perspective: who collects what, and for which purpose? Or from a human aspect: how can we give more autonomy to teams without losing "control" and posing compliance risks? New risks also emerge from a cybersecurity perspective: who protects our digital sovereignty and our "digital heritage"? Technology is no longer a domain that is shrouded in mystery; instead, it is an essential business discipline here to stay (Bobbert, 2018). Business schools worldwide include cybersecurity in their curriculum since new roles emerge, and HR professionals need to equip themselves with new insights and understanding of these changing roles (Bobbert & Butterhoff, 2020). It is also a professional discipline that has got the attention of analysts and supervisory boards (ITGI, 2005). However, at the same time, organized crime has arrived on the scene in a big way (Stackpole & Oksendahl, 2011). Through hacks and denial-of-service attacks, all sorts of malicious actors are infiltrating our 'digital' society. They can easily take advantage of systems with poor design, implementation, and configurations. An alternative path consists of a wide range of advanced "social engineering" techniques to trick their way into organizations.
This research book aims to contribute in several ways. It addresses the significant problems when transforming an organization by embracing an API-based platform model and allowing an ecosystem of partners to take a central role in the (business) transactions, certainly when this model is applied by governments to improve citizen services. It goes in-depth into making use of small(er) DevOps teams and leveraging proven technological architectures as a means to release incremental features to the market fast. This technology is built and maintained through software-based production streets, referred to as Continuous Delivery Pipelines (Forsgren, 2018). This book aims to follow the thread from our business's function to the basement of the individual organization (construction) working in an ecosystem of platforms (Hoogervorst, 2011). This function-versus-construction view is needed since CEOs/CIOs need to provide reasonable assurance over this entire chain down to the nitty-gritty details of their "information age factories" (Bobbert & Ozkanli, 2020).

The field of digital transformation and the associated risk is rapidly changing due to emerging technologies and upcoming regulations. Organizations want to ensure speed and quality of technology delivery to serve customers, citizens, and other stakeholders (Forsgren, 2018). So far, little academic research has been performed in this field, while the available research is rarely empirical (Bobbert, 2017).
This book offers comprehensive Design Science Research approaches to, on the one hand, extensively examine the problem and, on the other hand, offer pragmatic solutions (artifacts) that can serve both academia and practitioners. Every section discusses the status quo and current challenges. It formulates core success factors and approaches that academic researchers and businesses can use. The book follows the structure below:

Chapter 1: Problems in the Area of Business Platform Models – How Are Governments Adapting the Platform Model to Improve Citizen Services

For both governments and enterprises, common obstacles block digital transformation progress, including legacy applications and processes that involve face-to-face visits to a government counter (with often irregular opening hours). Business models shift more towards technology-driven industries (OECD, 2019). In this first chapter, we elaborate on the multiple business models out there which rely on technology, and how the technology contributes to the business goals of, in this case, governments. We specifically zoom in on governmental platform services and the essential practices they should apply to get maximum value for citizens. We focus on this since we see tech-born companies already making the step and disrupting other business models.

Governments still need to make this step; therefore, examining what practices they should apply to become relevant for citizens in applying the business platform model appears to be a suitable research lens.

Research showed that many governments take a different route to the establishment of a platform model. Most are late in adopting technology and therefore will never realize the potential if the platform is not designed correctly. Citizens will favor using a trusted and managed ecosystem for requesting and executing government services if the value is clear and governments commit to a transparent design of the platform where the safety and privacy of citizens' data is guaranteed. The author defines how a government can build up its technology stack to ensure citizen services are enabled on a platform model, using a trusted providers' ecosystem. Literature research is used to underpin the various levels and processes.
Examples are included to showcase the best in class today.

Based on interviews and research, a stakeholder analysis is included to examine where the value is for politicians, government agencies and entrepreneurs wanting to be part of the platform model. This analysis is crucial to understand, as technology is not the only solution to put a successful business platform model out there.

Chapter 2: Research Findings in the Domain of Business Platform Models – Defining the Practices to Design a Perfect Government Business Model

The author starts by defining some of the best practices for defining a Government Business Platform model for citizen services. Based on research, practices were defined that will guide governments to the establishment of a successful platform model. One can assume that implementing a government business platform model does not come without several challenges. The author defines these challenges and gives recommendations. Some of the challenges can be related to the usage and institutionalization of the Agile approach to define, design but also release functionality via the platform to the citizens. This will be addressed in a further part of this book, where Agile Methodologies will be discussed in detail.

Next to the practices, the associated governance mechanisms were also defined to make sure the platform model is well managed and delivers upon the defined vision and value. Governments, just like enterprises, are dynamic systems that need a standardized approach to be effective in organizing and executing work. Enter governance, to make sure the organization effectively and efficiently strives to achieve its stated goals. A large section of this chapter is devoted to defining a governance model to support designing, building, rolling out and sustaining a platform model for governments.
At this point, the practices and governance model are considered foundational and theoretical. The author then provides a set of practical and reusable validation methods like a platform maturity model and a platform balanced scorecard. To prove that the validation methods are useful, effective, repeatable, and deliver consistent data, the author did a deep-dive study at three case organizations in Flanders (Belgium) that are applying the business platform model as defined.

This chapter thus provides useful methods, guidance, and recommendations to all readers – based on thorough research – on designing and rolling out a successful business platform model. The readers can apply these to understand what the status is of the organizations, how far they have come, how they can/should apply the defined practices and governance mechanisms and ultimately what the lessons learned are from reality.

Chapter 3: Findings and Core Practices in the Domain of Business Platform Models – Overall Evaluation of the Practices

This chapter concludes with critical success factors that we have turned into practices every organization can immediately apply. The reader will learn how the three case organizations all went through the classical norming, storming, performing stages to get the design right. The author provides a summary of how it is possible to establish a platform model based on a trusted and managed ecosystem. Next, the author summarizes all these findings and converts them into a set of practical recommendations. As such, the reader can now confidently engage with their (government) organization to design, build and roll out a business platform model.

Chapter 4: Problems in the Area of Agile Methodologies

When establishing these platforms, this happens more and more in collaboration with multiple teams producing products. Agile has become the fastest growing IT development methodology, with most organizations doing agile implementations, as stated in Harvard Business Review. A challenge here is to lose efficiency and create waste due to distributed teams working with multiple Frameworks (Less/