Third-party audits and certifications provide assurance and promote trust regarding a cloud service provider’s approach to security and privacy. The number of existing national, international and sectorial standards, laws and regulations has drastically increased in recent years, leading to increased complexity. Moreover, for customers working with highly sensitive data, concerns about security, privacy and regulatory requirements still hinder the adoption of cloud services. Third-party certification and attestation play a key part in a cloud assurance program, but they don’t go far enough. Traditional point-in-time auditing doesn't completely allay fears, due, amongst other things, to the lapse of time between audits and lack of automation. As a consequence, the process of adhering to different standards, laws and regulations for CSPs is inefficient, with a lot of duplicated work that unduly increases costs and complexity.
The EU-SEC project has worked on addressing these issues by the creation of EU-SEC framework that covers two main innovations, (i) a multiparty recognition framework for third party audit-based certification and (ii) a new approach for cloud assurance especially in the context of high-risk applications based on continuous auditing-based certification. The framework's development and innovations focus on automation, systematic governance, mutual recognition of certifications, reusability of already certified components, continuous audit, and monitoring to ultimately increase confidence in cloud certification while reducing the overall duration and cost of cloud certification processes.
The EU-SEC framework and both innovations have been developed and validated using two real-world pilots. In addition, the EU-SEC Project supported the initial effort from CSA for creating a Code of Conduct for GDPR compliance. The Privacy Level Agreement (PLA) Code of Conduct (CoC) provides guidance and support to CSPs as they work towards demonstrating compliance with the requirements of GDPR. Compliance can be achieved via PLA CoC Self-Attestation and PLA CoC Third-Party Certification.
Adopting the EU-SEC framework, stakeholders in the ICT security certification ecosystem will be equipped with a validated governance structure, an EU-SEC reference architecture, and the corresponding set of tools to improve the efficiency and effectiveness of existing security certification schemes. The EU-SEC framework addresses the issues related to security governance, risk management and compliance in the cloud while also enhancing trustworthiness and transparency in the ICT supply chain through positive results and business cases developed by industrial partners.