Periodic Reporting for period 2 - MEDINA (Security framework to achieve a continuous audit-based certificationn in compliance with the EU-wide cloud security certification scheme)
Período documentado: 2022-05-01 hasta 2023-10-31
Despite the evident benefits of cloud computing, its adoption is still limited partially because of EU customers’ perceived lack of security and transparency in this technology. Cloud service providers (CSPs) usually rely on security certifications as a mean to improve transparency and trustworthiness, however European CSPs still face multiple challenges for certifying their services (e.g. fragmentation in the certification market, and lack of mutual recognition).
In this context, the new EU Cybersecurity Act (EU CSA) proposes improving customer's trust in the European ICT market through a European Cybersecurity Certification Scheme for Cloud Services (EUCS). This certification scheme conveys new technological challenges due to its notion of “levels of assurance” which need to be solved in order to bring all of EU CSA’s expected benefits to EU cloud providers and customers.
The main scientific and technological objective of MEDINA is to provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs towards the successful achievement of a continuous certification aligned to the EU CSA. Such certification should fulfill the requirements of the EUCS in their basic, substantial and high assurance levels. The proposed framework will be comprised of tools, techniques, and processes supporting the continuous auditing and certification of cloud services where security and accountability are measurable by design. As the MEDINA framework is leveraged into a cloud supply chain, it will support continuously assessing the efficiency and efficacy of security measures to ultimately achieve and maintain a certification.
MEDINA contributes to the European Cloud Security Certification policy, enhances the trustworthiness of cloud services thanks to the compliance with security certification schemes, cooperates with relevant stakeholders, and helps Europe prepare for the cloud security challenges of tomorrow.
In this context, the new EU Cybersecurity Act (EU CSA) proposes improving customer's trust in the European ICT market through a European Cybersecurity Certification Scheme for Cloud Services (EUCS). This certification scheme conveys new technological challenges due to its notion of “levels of assurance” which need to be solved in order to bring all of EU CSA’s expected benefits to EU cloud providers and customers.
The main scientific and technological objective of MEDINA is to provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs towards the successful achievement of a continuous certification aligned to the EU CSA. Such certification should fulfill the requirements of the EUCS in their basic, substantial and high assurance levels. The proposed framework will be comprised of tools, techniques, and processes supporting the continuous auditing and certification of cloud services where security and accountability are measurable by design. As the MEDINA framework is leveraged into a cloud supply chain, it will support continuously assessing the efficiency and efficacy of security measures to ultimately achieve and maintain a certification.
MEDINA contributes to the European Cloud Security Certification policy, enhances the trustworthiness of cloud services thanks to the compliance with security certification schemes, cooperates with relevant stakeholders, and helps Europe prepare for the cloud security challenges of tomorrow.
-KR1 Repository of Metrics and Measures:The “Catalogue of Controls and Metrics” component provides a clear definition of the relevant technical and organizational measures for cloud service providers, together with the corresponding security metrics (both quantitative and qualitative) for security objectives/TOMs.
Exploitation for this result can be realized with the Freemium business model and follow-up projects like EMERALD.
-KR2 Risk-based selection of Controls to reach the Certification Assurance Levels:MEDINA realized a risk appetite-based methodology for the selection of controls and associated TOMs, which addresses the specific needs of a CSP taking into account the requested certification assurance level. This is implemented with the SATRA component to identify key assets, threats and existing weaknesses of the cloud system.
Exploitation opportunities for this result are executed in follow up projects like National Recovery and resilience plan for Italy and with Commercial engagements with a customer.
-KR3 Certification Language:MEDINA provides a Controlled Natural language which expresses the most relevant aspects of a security certification scheme in machine-readable format using a domain specific language (REGO). The components “Metrics recommender” and “CNL Editor” provide tools for compliance managers to interact with this result.
Exploitation opportunities for this result can be done in follow-up projects like EMERALD.
-KR4 Continuous evidence management tools:This result comprises tools and techniques to manage and collect trustworthy evidence validating the provided cloud security certification. The evidence is collected both at source code level and at cloud service level (Evidence collection components e.g. Codyze). Evidence collection is based on the metrics repository. Organizational measures are addressed by the use of semantic document analysis using NLP (AMOE component).
Blockchain technology provides trustworthiness (“Evidence Trustworthiness system” component) of the evidence collected throughout the entire life cycle and ensures that the evidence can be used at a specific EUCS assurance level.
The result will monitor the continuous compliance of the CSP with respect to the subset of EUCS High security controls (“Clouditor Orchestrator” component).
Exploitation opportunities for these results entail the creation of a spin-off company, leveraging from Freemium business model opportunities and follow-up projects like EMERALD and COBALT.
-KR5 Cloud Certificate evaluator:This result is responsible for evaluating the collected evidence and reaching the compliance decision for a particular certification target. The component “Continuous Certificate Evaluation, CCE” makes this decision and visualizes the result in a tree-like structure.
This result can be exploited by the open-source community. In the follow-up projects this functionality will be integrated into Clouditor.
-KR6 Risk-based Auditor tool:This result will manage the entire life cycle of cloud security certification in MEDINA e.g. the issuing and revocation of a certificate. The component "Certificate and Lifecycle manager, LCM" is responsible for lifecycle related functionalities.
KR6 follows a risk-based approach that provides flexibility to the certification. The component "Risk Assessment and Optimization Framework, RAOF" is responsible for the risk-based approach.
Exploitation opportunities of these results entail Freemium business model opportunities and additional RAOF project sales, and follow-up projects like EMERALD and COBALT.
Exploitation for this result can be realized with the Freemium business model and follow-up projects like EMERALD.
-KR2 Risk-based selection of Controls to reach the Certification Assurance Levels:MEDINA realized a risk appetite-based methodology for the selection of controls and associated TOMs, which addresses the specific needs of a CSP taking into account the requested certification assurance level. This is implemented with the SATRA component to identify key assets, threats and existing weaknesses of the cloud system.
Exploitation opportunities for this result are executed in follow up projects like National Recovery and resilience plan for Italy and with Commercial engagements with a customer.
-KR3 Certification Language:MEDINA provides a Controlled Natural language which expresses the most relevant aspects of a security certification scheme in machine-readable format using a domain specific language (REGO). The components “Metrics recommender” and “CNL Editor” provide tools for compliance managers to interact with this result.
Exploitation opportunities for this result can be done in follow-up projects like EMERALD.
-KR4 Continuous evidence management tools:This result comprises tools and techniques to manage and collect trustworthy evidence validating the provided cloud security certification. The evidence is collected both at source code level and at cloud service level (Evidence collection components e.g. Codyze). Evidence collection is based on the metrics repository. Organizational measures are addressed by the use of semantic document analysis using NLP (AMOE component).
Blockchain technology provides trustworthiness (“Evidence Trustworthiness system” component) of the evidence collected throughout the entire life cycle and ensures that the evidence can be used at a specific EUCS assurance level.
The result will monitor the continuous compliance of the CSP with respect to the subset of EUCS High security controls (“Clouditor Orchestrator” component).
Exploitation opportunities for these results entail the creation of a spin-off company, leveraging from Freemium business model opportunities and follow-up projects like EMERALD and COBALT.
-KR5 Cloud Certificate evaluator:This result is responsible for evaluating the collected evidence and reaching the compliance decision for a particular certification target. The component “Continuous Certificate Evaluation, CCE” makes this decision and visualizes the result in a tree-like structure.
This result can be exploited by the open-source community. In the follow-up projects this functionality will be integrated into Clouditor.
-KR6 Risk-based Auditor tool:This result will manage the entire life cycle of cloud security certification in MEDINA e.g. the issuing and revocation of a certificate. The component "Certificate and Lifecycle manager, LCM" is responsible for lifecycle related functionalities.
KR6 follows a risk-based approach that provides flexibility to the certification. The component "Risk Assessment and Optimization Framework, RAOF" is responsible for the risk-based approach.
Exploitation opportunities of these results entail Freemium business model opportunities and additional RAOF project sales, and follow-up projects like EMERALD and COBALT.
MEDINA provides an advance beyond the state of the art on the following topics:
-Cloud security certification schemes and conformity assessments: we provide tools to achieve and maintain a continuous certification in accordance with the EUCS.
-Continuous assessment, audit and certification: we provide a comprehensive repository of TOMs, a prototypical implementation of a framework to manage continuous certification in multiple Cloud service delivery models, and techniques for establishing the trustworthiness of technical evidence.
-Policies for certification language: we define a machine-oriented language that will serve as input for automatic compliance assessment and certification.
-Gathering evidences for continuous certification: we provide metrics and evidence collection techniques to identify common technical weaknesses in cloud applications. Machine-learning techniques and NLP will provide evidence collection techniques for organisational measures.
-Economic and risk aspects of certification: we provide a concrete framework for the quantitative risk-assessment of the certification.
MEDINA is one of the first practical implementations to achieve continuous cloud security certification based on the newly defined EUCS certification. The main impacts are:
- Increase the security and trustworthiness of European CSPs and trust and confidence in the Digital Single Market.
- Increase economic growth and social progress in the EU and contribute to setting a competitive EU digital economy.
- Create favorable conditions for SMEs to easily certify their cloud services and improve them to comply with demanding user requirements and high legal standards.
- Close the existing gap in CSP traditional audits between the exdcvidence collected and the auditor's trust in the evidence itself and its collection, and reduce the overall effort of technical staff in the audit process.
-Cloud security certification schemes and conformity assessments: we provide tools to achieve and maintain a continuous certification in accordance with the EUCS.
-Continuous assessment, audit and certification: we provide a comprehensive repository of TOMs, a prototypical implementation of a framework to manage continuous certification in multiple Cloud service delivery models, and techniques for establishing the trustworthiness of technical evidence.
-Policies for certification language: we define a machine-oriented language that will serve as input for automatic compliance assessment and certification.
-Gathering evidences for continuous certification: we provide metrics and evidence collection techniques to identify common technical weaknesses in cloud applications. Machine-learning techniques and NLP will provide evidence collection techniques for organisational measures.
-Economic and risk aspects of certification: we provide a concrete framework for the quantitative risk-assessment of the certification.
MEDINA is one of the first practical implementations to achieve continuous cloud security certification based on the newly defined EUCS certification. The main impacts are:
- Increase the security and trustworthiness of European CSPs and trust and confidence in the Digital Single Market.
- Increase economic growth and social progress in the EU and contribute to setting a competitive EU digital economy.
- Create favorable conditions for SMEs to easily certify their cloud services and improve them to comply with demanding user requirements and high legal standards.
- Close the existing gap in CSP traditional audits between the exdcvidence collected and the auditor's trust in the evidence itself and its collection, and reduce the overall effort of technical staff in the audit process.