Despite the evident benefits of cloud computing, its adoption is still limited partially because of EU customers’ perceived lack of security and transparency in this technology. Cloud service providers (CSPs) usually rely on security certifications as a mean to improve transparency and trustworthiness, however European CSPs still face multiple challenges for certifying their services (e.g. fragmentation in the certification market, and lack of mutual recognition).
In this context, the new EU Cybersecurity Act (EU CSA) proposes improving customer's trust in the European ICT market through a European Cybersecurity Certification Scheme for Cloud Services (EUCS). This certification scheme conveys new technological challenges due to its notion of “levels of assurance” which need to be solved in order to bring all of EU CSA’s expected benefits to EU cloud providers and customers.
The main scientific and technological objective of MEDINA is to provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs towards the successful achievement of a continuous certification aligned to the EU CSA. Such certification should fulfill the requirements of the EUCS in their basic, substantial and high assurance levels. The proposed framework will be comprised of tools, techniques, and processes supporting the continuous auditing and certification of cloud services where security and accountability are measurable by design. As the MEDINA framework is leveraged into a cloud supply chain, it will support continuously assessing the efficiency and efficacy of security measures to ultimately achieve and maintain a certification.
MEDINA contributes to the European Cloud Security Certification policy, enhances the trustworthiness of cloud services thanks to the compliance with security certification schemes, cooperates with relevant stakeholders, and helps Europe prepare for the cloud security challenges of tomorrow.