
Security framework to achieve a continuous audit-based certification in compliance with the EU-wide cloud security certification scheme

Periodic Reporting for period 1 - MEDINA (Security framework to achieve a continuous audit-based certification in compliance with the EU-wide cloud security certification scheme)

Reporting period: 2020-11-01 to 2022-04-30

Despite the evident benefits of cloud computing, its adoption is still limited, partly because of EU customers' perceived lack of security and transparency in this technology. Cloud service providers (CSPs) usually rely on security certifications as a means of improving transparency and trustworthiness; however, European CSPs still face multiple challenges when certifying their services (e.g. fragmentation of the certification market and a lack of mutual recognition).
In this context, the new EU Cybersecurity Act (EU CSA) proposes to improve customers' trust in the European ICT market through a European Cybersecurity Certification Scheme for Cloud Services (EUCS). This certification scheme introduces new technological challenges, owing to its notion of "levels of assurance", which must be solved in order to bring all of the EU CSA's expected benefits to EU cloud providers and customers.
The main scientific and technological objective of MEDINA is to provide a holistic framework that enhances cloud customers' control over, and trust in, the cloud services they consume, by supporting CSPs towards the successful achievement of a continuous certification aligned with the EU CSA. Such a certification should fulfil the requirements of the EUCS at its basic, substantial and high assurance levels. The proposed framework comprises tools, techniques and processes supporting the continuous auditing and certification of cloud services in which security and accountability are measurable by design. When the MEDINA framework is applied across a cloud supply chain, it supports continuous assessment of the efficiency and efficacy of security measures, in order to achieve and then maintain a certification.
MEDINA contributes to the European cloud security certification policy, enhances the trustworthiness of cloud services through compliance with security certification schemes, cooperates with relevant stakeholders, and helps Europe prepare for the cloud security challenges of tomorrow.
MEDINA started with the definition of the requirements, the architecture, the workflow and the data model. A mapping analysis of the controls of various schemes was carried out, and a set of metrics and TOMs (Technical and Organizational Measures) was defined covering the requirements that the EUCS identifies for its "high" assurance level.
A first prototype of every MEDINA Key Result has already been released and is available on the project's GitLab repository. The Catalogue of Controls and Metrics includes the EUCS controls and a selection of metrics that the other MEDINA tools can use. The NL2CNL Translator translates TOMs into a Controlled Natural Language (CNL) and, using NLP techniques, automatically predicts the right association between requirements and metrics. Rego has been selected as the Domain Specific Language (DSL) in which the policies to be assessed are defined. The DSL Mapper is responsible for mapping the obligations associated with a requirement into Rego rules and sending them to the Orchestrator. The MEDINA ontology of cloud resources and security features has been created, as has the risk assessment computational model, which defines the basis of the non-conformity assessment.
For the continuous gathering of evidence and assessment results, several existing tools have been extended (Clouditor, Wazuh, the Vulnerability Assessment tool and Codyze) and integrated into an Evidence Orchestrator. To protect evidence and assessment results from tampering, MEDINA implements a trustworthiness management system based on blockchain technology. For the assessment of organizational evidence, a first prototype of the organizational evidence collector tool, called AMOE, was developed following the same NLP approach.
The first version of the certificate lifecycle manager was also developed, including the definition of a state machine for the certificate lifecycle and a digital representation of certificates. An analysis of the feasibility of applying the Self-Sovereign Identity (SSI) philosophy to certificate management has been carried out, and a risk assessment component has been integrated for dynamically managing the lifecycle of an EUCS certificate.
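To make concrete what "mapping an obligation into a Rego rule" means, the following policy is an added example and not code from the MEDINA project or its GitLab repository. It shows the shape a DSL mapper could emit for one hypothetical metric, "public endpoints use TLS 1.2 or higher": a target value taken from the metric definition, a compliance decision over one evidence record, and human-readable reasons for non-compliance. The package name, the metric identifier and the layout of the `input` evidence record are assumptions; the constructed sample evidence in the comment is not real project data.

```rego
# Added example (not MEDINA project code): a Rego policy that a DSL mapper
# could emit for a hypothetical metric "TLS version of endpoints >= 1.2".
# Package name, metric id and the input layout below are assumptions.
package medina.metrics.tls_version

import rego.v1

# Target value and comparison operator come from the metric definition in
# the catalogue; a mapper would substitute them here.
target_version := 1.2

# Constructed sample evidence record (assumed shape, passed as `input`):
# {
#   "resource": {
#     "id": "web-frontend-1",
#     "transportEncryption": {"enabled": true, "tlsVersion": 1.1}
#   }
# }

# A metric must yield a decision even on incomplete evidence, so the default
# is non-compliant rather than "undefined".
default compliant := false

compliant if {
	input.resource.transportEncryption.enabled == true
	input.resource.transportEncryption.tlsVersion >= target_version
}

# Reasons make the assessment result actionable for the CSP's technical staff.
reasons contains "transport encryption is disabled" if {
	not input.resource.transportEncryption.enabled
}

reasons contains msg if {
	input.resource.transportEncryption.enabled == true
	input.resource.transportEncryption.tlsVersion < target_version
	msg := sprintf("TLS %v is below the target %v", [
		input.resource.transportEncryption.tlsVersion,
		target_version,
	])
}

# Assessment result in a shape an orchestrator or certificate evaluator
# could store alongside the evidence it was derived from.
assessment := {
	"metric_id": "TlsVersion",
	"resource_id": input.resource.id,
	"compliant": compliant,
	"reasons": reasons,
}
```

With the sample record saved as `evidence.json`, `opa eval -d policy.rego -i evidence.json 'data.medina.metrics.tls_version.assessment'` returns `compliant: false` with the reason "TLS 1.1 is below the target 1.2"; raising `tlsVersion` to 1.2 flips the decision to compliant with an empty reason set. Keeping the target value as a separate datum rather than hard-coding it into the rule body is what lets one rule template serve the basic, substantial and high levels with different thresholds.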
The use cases have been defined, and the final version of the elicited use case requirements has been entered into a Jira tracking system. The proposed user-centric validation methodology of MEDINA has been refined by aligning it with ISO/IEC 25010.
Several dissemination and standardization activities have been performed, and the communication strategy is being implemented. The initial version of MEDINA's standardization roadmap was developed to support the sustainability of the project's outcomes.
The project has already defined an initial version of its unique value proposition, both at project level and at component (key result) level. The engagement with the Horizon Results Booster (HRB) has led to a quantified Business Plan that contains an analysis of market potential, trends, players and business scenarios tied to the individual partners' exploitation strategies.
MEDINA will provide an advance beyond the state of the art on the following topics:
- Cloud security certification schemes and conformity assessments: we provide tools to achieve and maintain a continuous certification in accordance with the EUCS.
- Continuous assessment, audit and certification: we provide a comprehensive repository of TOMs, a prototypical implementation of a framework to manage continuous certification across multiple cloud service delivery models, and techniques for establishing the trustworthiness of technical evidence.
- Policy language for certification: we define a machine-oriented language that serves as input for automatic compliance assessment and certification.
- Gathering evidence for continuous certification: we provide metrics and evidence collection techniques to identify common technical weaknesses in cloud applications. Machine-learning and NLP techniques provide evidence collection for organisational measures.
- Economic and risk aspects of certification: we provide a concrete framework for the quantitative risk assessment of the certification.

The Key Results (KR) expected at the end of the project are:
KR1: Repository of metrics and measures
KR2: Risk-based selection of controls to reach the certification assurance levels
KR3: Certification Language
KR4: Continuous Evidence Management Tools
KR5: Cloud Certificate Evaluator
KR6: Risk-based auditor tool
KR7: Use cases
KR8: Standardization roadmap
KR9: Training and awareness activities

MEDINA is one of the first practical implementations of continuous cloud security certification based on the newly defined EUCS scheme. The main impacts are:
- Increase the security and trustworthiness of European CSPs and trust and confidence in the Digital Single Market.
- Increase economic growth and social progress in the EU and contribute to setting a competitive EU digital economy.
- Create favorable conditions for SMEs to easily certify their cloud services and improve them to comply with demanding user requirements and high legal standards.
- Close the gap that exists in traditional CSP audits between the evidence collected and the auditor's trust in that evidence and in how it was collected, and reduce the overall effort of technical staff in the audit process.
Basic workflow of MEDINA
MEDINA Framework