User Group; User Centric Approach; Guidance for providers and standardization makers

DTR/USER-0048

General Information

Status: Published
Publication Date: 04-Mar-2019
Technical Committee:
Current Stage: 12 - Completion
Due Date: 05-Mar-2019
Completion Date: 05-Mar-2019
Ref Project:

Standard
ETSI TR 103 603 V1.1.1 (2019-03) - User Group; User Centric Approach; Guidance for providers and standardization makers
English language
35 pages

Standards Content (Sample)

ETSI TR 103 603 V1.1.1 (2019-03)






TECHNICAL REPORT
User Group;
User Centric Approach;
Guidance for providers and standardization makers




Reference: DTR/USER-0048
Keywords: IoT, user
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2019.
All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definition of terms, symbols and abbreviations
3.1 Terms
3.2 Symbols
3.3 Abbreviations
4 Provider Service Platform
4.1 Open Service Platform
4.2 Providers
4.2.1 Provider services management
4.2.1.1 From QoS to QoE
4.2.1.2 The UX pyramid
4.2.2 Security, data protection and privacy
4.2.2.1 Security
4.2.2.2 Data protection
4.2.2.3 Privacy
4.2.3 Provider offers (PaaS)
4.3 Service composition
5 Provider process for Smart Meter (functional model)
6 Profiles (Information Model)
6.1 User profile
6.2 Resource profile
6.2.0 Introduction
6.2.1 Equipment profile
6.2.2 Network profile
6.2.3 Applicative service profile
6.3 Data protection
7 Recommendations
7.1 End-to-end QoS
7.2 Provider and digital Services
7.3 Provider and data
7.3.1 Knowledge base
7.3.2 Security, Data protection and privacy
7.3.2.1 Security
7.3.2.2 Data protection
7.3.2.3 Privacy
Annex A: Additional Information for Security Recommendations
A.1 Acronyms and definitions for table of Cybersecurity Implementation levels
A.2 Offers and regulation for Data Protection
Annex B: Bibliography
Annex C: Authors & contributors
History
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Report (TR) has been produced by ETSI User Group (USER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The present document has been produced by the STF 543 experts.
The concept of the full Project is to define a 5 dimension model called ACIFO. The 5 dimension model is based on
5 sub-models defined as:
• Architectural Model Acifo: defines the global structure, including semantics and is optimized for the stated
objectives.
• Communication Model aCifo: defines the exchange protocols, including APIs and HMIs, over three planes:
- Management (Monitoring).
- Control.
- Usage.
• Information Model acIfo: defines the information of the whole ecosystem (equipment, network, applications,
services, HMIs, User, etc.) from the offer to the availability of resources for Users, Providers and any other
partners. It is a knowledge data base representing the whole ecosystem.
• Functional Model aciFo: defines the functionalities (the process) to compose any service based on "micro-
services".
• Organization Model acifO: defines the role of any actor and which actor is responsible for each action ("Who
is doing what?").
These five dimensions should be shared by the user and the supplier/provider. For the user, it should be possible to
define (or to choose) the level of autonomy and control for the personalized composition of services.
The four deliverables produced by STF 543 define the different dimensions:
• ETSI TR 103 438 [i.1] focuses on the Architecture and the Organization:
- It includes the use cases and the results of the survey.
• ETSI EG 203 602 [i.2] focuses on the information and the functionalities:
- It is dedicated to the user. It provides analysis and recommendations from the information and
functionalities.
• ETSI TR 103 603 (the present document) addresses all the dimensions to the supplier, in order to produce the
APIs according to the user expectations and whatever the number and types of additional suppliers.
• ETSI TR 103 604 [i.3] focuses on the communication and in particular on the HMIs.
For example, for Energy (production, distribution, consumption), the supplier will create an API for the user. The
information will be exchanged between the supplier and the user, but will not be used only by the supplier: the user will
have access to all the information and will be able to use this information to optimize their energy consumption. This
data base is a source to provide new services and new applications (for the user and for the supplier). One major
challenge and constraint is to ensure that all the private data may be checked and monitored by the user (the contract
needs to define these points clearly). The data are not used only by the supplier: the user should have access to the data
and may refuse that the data be used or known, meaning that an interaction "cursor" between the user and the supplier
defines the freedom (GDPR [i.11]).

1 Scope
The present document defines guidance to the providers and standard makers to ensure that each service component is
provided with the information needed by the user to make an informed choice. It addresses all the dimensions of
ACIFO to the supplier, in order to produce the APIs according to the user expectations and whatever the number and
types of additional suppliers.
The present document is designed in conjunction with the user guide, ETSI EG 203 602 [i.2]. Each recommendation
which has been identified as important for the user finds its parallel for the supplier offer, as defined in the present
document.
For each need and expectation, by user categories, the present document recommends relevant service information and
functions. This is to facilitate, on the one hand, easy access for the user and, on the other hand, the consistent creation of
manageable services that are easily incorporated into a service definition that can support a Service Level Agreement
(SLA).
The recommendations are intended to enable the user to compose their own services according to their needs, location
and activities. The concept of this new vision is detailed in ETSI TR 103 438 [i.1].
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 103 438: "User Group; User centric approach in Digital Ecosystem".
[i.2] ETSI EG 203 602: "User Group; User Centric Approach: Guidance for users; Best practices to
interact in the Digital Ecosystem".
[i.3] ETSI TR 103 604: "User Group; User centric approach Qualification of the interaction with the
digital ecosystem".
[i.4] ETSI EG 202 009-1: "User Group; Quality of telecom services; Part 1: Methodology for
identification of indicators relevant to the Users".
[i.5] ETSI TR 103 304: "CYBER; Personally Identifiable Information (PII) Protection in mobile and
cloud services".
[i.6] ETSI TR 103 309: "CYBER; Secure by Default - platform security technology".
[i.7] ETSI EN 301 549: "Accessibility requirements for ICT products and services".
[i.8] ISO/IEC 27001: "Information technology - Security techniques - Information security
management systems - Requirements".
[i.9] ISO/IEC 27002: "Information technology - Security techniques - Code of practice for information
security controls".
[i.10] ISO 15408: "Information technology - Security techniques - Evaluation criteria for IT security".
[i.11] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
NOTE: Available at https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[i.12] Arc Advisory Group: "Cybersecurity Maturity Model".
NOTE: Available at https://www.arcweb.com/industry-concepts/cybersecurity-maturity-model.
[i.13] Dan Blum: "How to Assess Security Maturity and Make Improvements", Security Architects
Partners.
NOTE: Available at http://security-architect.com/how-to-assess-security-maturity-and-roadmap-improvements/.
[i.14] Gregory White: "The Community Cyber Security Maturity Model", Research Gate.
NOTE: Available at https://www.researchgate.net/figure/Community-Cyber-Security-Maturity-Model-CCSMM-5-Levels_fig1_235142909.
[i.15] NCSC: "Guidance B3 Data security".
NOTE: Available at https://www.ncsc.gov.uk/guidance/b3-data-security.
[i.16] Information Commissioner's Office: "Data protection by design and default".
NOTE: Available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/.
[i.17] NCSC: "General Data Protection Regulation (GDPR)".
NOTE: Available at https://www.ncsc.gov.uk/GDPR.
[i.18] Federal Trade Commission: "US-EU Safe Harbour Framework".
NOTE: Available at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework.
[i.19] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
[i.20] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union (NIS Directive).
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
ACIFO: 5-dimension model, based on recommendations and common objectives for Users and Providers, giving the
capability for the User to compose the needed services
NOTE: The 5-dimension model creates one unique and integrated solution.
cloud: network of remote servers hosted on the Internet and used to store, manage, and process data in place of local
servers or personal computers
dew: programming model for enabling ubiquitous, pervasive, and convenient ready-to-go, plug-in facility empowered
personal network
NOTE: Dew computing is a new computing paradigm that appeared after the wide acceptance of cloud computing.
Dew computing has two key features: first, local computers (desktops, laptops, tablets, and smart phones)
provide rich micro-services independent of cloud services; second, these micro services inherently
collaborate with cloud services. Dew computing concerns the distribution of workloads between cloud
servers and local computers, and its focus is the software organization of local computers. The goal of
dew computing is to fully realize the potentials of local computers and cloud services.
edge: distributed computing paradigm in which computation is largely or completely performed on distributed device
nodes
equipment (terminal): user and provider equipment, including terminals, gateways, boxes, routers
fog: provides close computation, data storage and application services
NOTE: Fog computing, also known as fog networking or fogging, is a decentralized computing infrastructure in
which data, processing, storage and applications are distributed in the most logical, efficient place
between the data source and the cloud. Fog computing essentially extends cloud computing and services
to the edge of the network, bringing the advantages and power of the cloud closer to where data is created
and acted upon.
micro-service: basic and simple service (with SoA properties) that can be combined for the composition of services as
expected by the User
NOTE: The basic concept behind this term is that each service performs a unique feature (e.g. for security,
"authentication" is a micro-service, for discovery, "find" is a micro-service).
profile: information template (model) to provide or to access personalized services
user-centric: user who is the heart of the ecosystem
NOTE: This means that the user constrains the whole environment, unlike other contexts where it is the
application (application-centric), the network (network-centric) or the system (system-centric) which
constrains the context.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ACIFO Architecture, Communication, Information, Functionality, Organization
ACL Access Control List
AES Advanced Encryption Standard
AKA Also Known As
ANSSI Agence Nationale de la Sécurité des Systèmes d'Information/National Agency for Information
Security Systems (France)
API Application Programming Interface
BYOD Bring Your Own Devices
CES Customer Effort Score
CIA Confidentiality, Integrity and Availability (Model)
COOP Continuity Of Operations Plan
CPU Central Processing Unit
CX Customer eXperience
DDOS Distributed Denial-Of-Service
DMZ DeMilitarized Zone
DPA Data Protection Agency
DPO Data Protection Officers
DRP Disaster Recovery Plan
EN European Standard
EU European Union
GDPR General Data Protection Regulation
HMI Human Machine Interface
ICE Interactive Connectivity Establishment
ICS Industrial Control Systems
ICT Information and Communications Technology
ID Identity Document
IoT Internet of Things
ISO International Organization for Standardization
IT Information Technology
KPI Key Performance Indicator
M2M Machine to Machine
MVP Minimum Value Product
NCSC National Cyber Security Centre (UK)
NGN New Generation Network
NIS Network and Information Security
NIST National Institute of Standards and Technology (USA)
NPS Net Promoter Score
OTTS Over The Top Services
PaaS Platform "as-a-Service"
PC Personal Computer
PDA Personal Digital Assistant
POC Proof Of Concept
QoE Quality of Experience
QoS Quality of Service
RAID Redundant Array of Independent Disks
RSA Rivest-Shamir-Adleman (public-key cryptosystems)
SaaS Software as a Service
SECaaS Security-as-a-Service
SIEM Security Incident and Event Management
SLA Service Level Agreement
SLO Service Level Objective
Vapp Virtual application
VM Virtual Machine
VoIP Voice over Internet Protocol
WiFi Wireless Fidelity
UMTS Universal Mobile Telecommunications System
UX User eXperience
4 Provider Service Platform
4.1 Open Service Platform
The generic model, as defined in ETSI TR 103 438 [i.1], is to design autonomic services, easing service composition to
build a digital ecosystem where everything is offered as a service.

Figure 1: "User-Centric" Generic model
Nowadays cloud computing offers services over open platforms and changes the whole ecosystem of ICTs and
telecommunications. This reflects a strong desire to change the way digital services are offered, managed and paid for. These
systems follow an approach where "everything is service". They provide services accessible to a maximum of users who
only pay for what they consume.
Enterprises and organizations strive to adapt themselves to this new digital ecosystem, the objective of which is to
provide services which are provided and managed in a transparent way with a relevant level of requested QoS.
The consumers' needs in QoS terms vary with their profiles (developer, service provider, final user), with the
application domain (business, IoT and M2M) and with their strategies (green, effective cost, etc.). These open platforms
need to have properties of elasticity, high availability, reliability, etc. to ensure SLAs (Service Level Agreements).
Furthermore, Quality of Service management all along service consumption needs a setting and dynamic adjustment of
resources when running. This dynamic process is possible only if the system is able to have and use pertinent
information to predict the relevant consumption of needed resources for the applications taken over. Monitoring
techniques are therefore needed to obtain measurements able to highlight a potential event of degradation or failure.
These measurements should also allow an autonomy of adaptation for each service.
The objective of the present document is to draw attention to expected properties for the management of user services
(clause 4.2.1), security (clause 4.2.2) and to characterize the PaaS which collects the applicative offers (clause 4.2.3).
Clause 4.2.3 is about analysis and modelling "as a service". It describes the structuring choices in terms of "cloud"
components to be built with functional and non-functional parts. It presents a generic model to design autonomic services,
easing service composition to build a digital ecosystem where everything is offered as a service.
4.2 Providers
4.2.1 Provider services management
4.2.1.1 From QoS to QoE
Quality in the service area can be evaluated from different perspectives and therefore using different measurement
methods:
a) the first is related to the reliability of the equipment and can be measured accurately via technical means,
although these measurements might be expensive because of both the dispersion of the test results and the size
of the sample to be tested;
b) the second is related to the service provision and is closely linked to the kind of use of the service. Therefore,
appropriate indicators have to be defined according to use;
c) the last is intended to measure the subjective satisfaction of the customer and there is often no other means
than a survey to get it.
In the first two categories, technical means can be used to perform the measurements and in such cases, standards are
often useful to achieve a common approach; such standards are given as references where appropriate. They include a
precise definition of what is meant as a failure: total failure, poor performance, back-up situation, etc. Assessing these
different aspects is of paramount importance to the provider who endeavours to improve the offered QoS.
From a user viewpoint, the end-to-end QoS is the most relevant. Hence objective and subjective measurements may be
usefully combined for a better assessment; the whole user approach is called Quality of Experience (QoE). The
subjective part is named User eXperience (UX) or Customer eXperience (CX).
The methodology for identification of indicators relevant to the users in order to measure the quality of telecom services
is given in an ETSI guide produced by the User Group: ETSI EG 202 009-1 [i.4].
This ETSI guide describes the methodology for evaluating the quality of service throughout a customer's journey:
Pre-sales, Sales, Provisioning, Service Operation, Service Breakdowns & Interruptions, Claims, Billing/Payment and
Termination. The concepts of service and supply are specified as well as that of "Service Level Objective". Finally,
ETSI EG 202 009-1 [i.4] specifies the methods for analysin
...
