Periodic Reporting for period 1 - EMERALD (Evidence Management for Continuous Certification as a Service in the Cloud)
Okres sprawozdawczy: 2023-11-01 do 2025-04-30
The EMERALD project aims to revolutionize the certification of cloud-based services in Europe by addressing key challenges such as market fragmentation, lack of cloud-specific certifications, and the increasing complexity introduced by AI technologies. At the heart of EMERALD lies the concept of Compliance-as-a-Service (CaaS) — an agile and scalable approach aimed at enabling continuous certification processes in alignment with harmonized European cybersecurity schemes, such as the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).
By focusing on evidence management and leveraging results from the H2020 MEDINA project, EMERALD will build on existing technological readiness (starting at TRL 5) and push forward to TRL 7. The project’s core innovation is the development of tools that enable lean re-certification, helping service providers, customers, and auditors to maintain compliance across dynamic and heterogeneous environments —including Cloud, Edge, and IoT infrastructures.
EMERALD directly addresses the critical gap in achieving the 'high' assurance level of EUCS by offering a technical pathway based on automation, traceability, and interoperability. This is especially relevant in light of the emerging need for continuous and AI-integrated certification processes, as AI becomes increasingly embedded in cloud services.
The project also fosters strategic alignment with European initiatives on digital sovereignty, supporting transparency and trust in digital services. By doing so, EMERALD promotes the adoption of secure cloud services across both large enterprises and SMEs, ensuring that security certification becomes a practical enabler rather than a barrier. Ultimately, EMERALD’s vision is to provide a robust, flexible, and forward-looking certification ecosystem, paving the way for more resilient, trustworthy, and user-centric digital infrastructures in Europe.
By focusing on evidence management and leveraging results from the H2020 MEDINA project, EMERALD will build on existing technological readiness (starting at TRL 5) and push forward to TRL 7. The project’s core innovation is the development of tools that enable lean re-certification, helping service providers, customers, and auditors to maintain compliance across dynamic and heterogeneous environments —including Cloud, Edge, and IoT infrastructures.
EMERALD directly addresses the critical gap in achieving the 'high' assurance level of EUCS by offering a technical pathway based on automation, traceability, and interoperability. This is especially relevant in light of the emerging need for continuous and AI-integrated certification processes, as AI becomes increasingly embedded in cloud services.
The project also fosters strategic alignment with European initiatives on digital sovereignty, supporting transparency and trust in digital services. By doing so, EMERALD promotes the adoption of secure cloud services across both large enterprises and SMEs, ensuring that security certification becomes a practical enabler rather than a barrier. Ultimately, EMERALD’s vision is to provide a robust, flexible, and forward-looking certification ecosystem, paving the way for more resilient, trustworthy, and user-centric digital infrastructures in Europe.
Summary of Key Achievements in EMERALD:
• WP1 Concept and Methodology: Defined the system architecture, requirements, and initial data model. DevOps infrastructure with integration and production environments was established using Infrastructure as Code. The first version of the EMERALD CaaS framework, including Keycloak for identity management, was implemented.
• WP2 Methodology for Knowledge Extraction: Designed the unified graph model and developed owl2proto for converting ontologies to Protobuf. Released the initial certification graph schema and enlarged the functionalities of eknows-e3 and Codyze. Enhanced AMOE and Clouditor-Discovery, and released a prototype of AI-SEC. Integration of evidence extraction tools into EMERALD began, along with UI requirement discussions.
• WP3 Evidence Assessment and Certification: Initial version of the tools (Orchestrator, Evaluation, Evidence-Store, Assessment, RCM, MARI, TWS) integrated into the Framework. Hybrid database approach using a relational database for the Certification Graph that allows graph database queries. EUCS, BSI-C5, and AIC4 security schemes are supported, and a Converter for OSCAL was developed. MARI introduced a transformer model and refined its API. TWS was deployed on an Alastria node with smart contracts .
• WP4 User Interaction and Experience: Gathered UI/UX requirements from previous projects and pilots. Developed audit processes, user scenarios, paper and clickable mock-ups, and implemented the EMERALD UI with integration mechanisms for the other components of the framework.
• WP5 Operational and Financial Pilots: Focused on defining and preparing pilots to validate EMERALD. Developed a validation approach and aligned business and technical requirements. Followed a “stage-gate” process covering pilot setup, data preparation, requirement alignment, test environments, and UX validation.
• WP1 Concept and Methodology: Defined the system architecture, requirements, and initial data model. DevOps infrastructure with integration and production environments was established using Infrastructure as Code. The first version of the EMERALD CaaS framework, including Keycloak for identity management, was implemented.
• WP2 Methodology for Knowledge Extraction: Designed the unified graph model and developed owl2proto for converting ontologies to Protobuf. Released the initial certification graph schema and enlarged the functionalities of eknows-e3 and Codyze. Enhanced AMOE and Clouditor-Discovery, and released a prototype of AI-SEC. Integration of evidence extraction tools into EMERALD began, along with UI requirement discussions.
• WP3 Evidence Assessment and Certification: Initial version of the tools (Orchestrator, Evaluation, Evidence-Store, Assessment, RCM, MARI, TWS) integrated into the Framework. Hybrid database approach using a relational database for the Certification Graph that allows graph database queries. EUCS, BSI-C5, and AIC4 security schemes are supported, and a Converter for OSCAL was developed. MARI introduced a transformer model and refined its API. TWS was deployed on an Alastria node with smart contracts .
• WP4 User Interaction and Experience: Gathered UI/UX requirements from previous projects and pilots. Developed audit processes, user scenarios, paper and clickable mock-ups, and implemented the EMERALD UI with integration mechanisms for the other components of the framework.
• WP5 Operational and Financial Pilots: Focused on defining and preparing pilots to validate EMERALD. Developed a validation approach and aligned business and technical requirements. Followed a “stage-gate” process covering pilot setup, data preparation, requirement alignment, test environments, and UX validation.
EMERALD Project Key Results:
EXTRACT: A framework for continuous knowledge extraction across cloud layers (infrastructure, code, business processes), enhancing MEDINA tools like AMOE. It verifies technical and organizational measures (TOMs) and supports multiple abstraction levels—from source code to policies.
CERTGRAPH: A graph-based certification model that consolidates and links heterogeneous evidence, enabling traceability and higher-level aggregation of information for efficient querying.
OPTIMA: An intelligent system that selects an optimized set of measurable metrics to demonstrate compliance, maximizing evidence reuse.
MULTICERT: A tool that evaluates selected metrics using the certification graph to support final certification decisions.
AIPOC: A proof of concept for applying EMERALD’s CaaS approach to AI certification schemes, enabling scalability to cloud-based AI systems.
EMERALD UI/UX: A user-centered interface concept based on studies identifying user needs during audits. It guides users from high-level requirements to specific technical or policy implementations.
INTEROP: An interoperability layer for assessments, evidence, and catalog data using standardized formats like OSCAL. It explores using EBSI for trustworthy evidence exchange.
PILOTS: Real-world industrial use cases that provide test data to refine evidence extraction tools and validate EMERALD’s practical application.
EXTRACT: A framework for continuous knowledge extraction across cloud layers (infrastructure, code, business processes), enhancing MEDINA tools like AMOE. It verifies technical and organizational measures (TOMs) and supports multiple abstraction levels—from source code to policies.
CERTGRAPH: A graph-based certification model that consolidates and links heterogeneous evidence, enabling traceability and higher-level aggregation of information for efficient querying.
OPTIMA: An intelligent system that selects an optimized set of measurable metrics to demonstrate compliance, maximizing evidence reuse.
MULTICERT: A tool that evaluates selected metrics using the certification graph to support final certification decisions.
AIPOC: A proof of concept for applying EMERALD’s CaaS approach to AI certification schemes, enabling scalability to cloud-based AI systems.
EMERALD UI/UX: A user-centered interface concept based on studies identifying user needs during audits. It guides users from high-level requirements to specific technical or policy implementations.
INTEROP: An interoperability layer for assessments, evidence, and catalog data using standardized formats like OSCAL. It explores using EBSI for trustworthy evidence exchange.
PILOTS: Real-world industrial use cases that provide test data to refine evidence extraction tools and validate EMERALD’s practical application.