Skip to main content
European Commission logo
English English
CORDIS - EU research results
CORDIS
CORDIS Web 30th anniversary CORDIS Web 30th anniversary

Security framework to achieve a continuous audit-based certificationn in compliance with the EU-wide cloud security certification scheme

CORDIS provides links to public deliverables and publications of HORIZON projects.

Links to deliverables and publications from FP7 projects, as well as links to some specific result types such as dataset and software, are dynamically retrieved from OpenAIRE .

Deliverables

Tools and techniques for the management and evaluation of cloud security certifications-V3

This deliverable will entail tools and techniques for and managing technical evidences with the aim to evaluate them according to a certifications’ chosen conformity method. This will be accompanied by research into novel approaches to establish a digital audit trail of both the collected evaluated evidence as well as the certification target. Additionally, components need to be designed and implemented maintain the life-cycle of a continuous certificate in an automated way, i.e. using smart contracts. An early prototype will be delivered as the first iteration of the deliverable. The prototype will be updated and refined based on the implementation of the use cases (see Task 6.2). This deliverable is the result of Task 4.1, Task 4.2 and Task 4.3.

Methodology and tools for risk-based assessment and security control reconfiguration-V1

Lastly this deliverable comprises the methodology as well as the prototype implementation of the riskbased auditor component To follow the approach taken in other tasks there will be three iterations of the tool integration an initial prototype showcasing the methodology a second release which will be based on a refinement of the technical architecture and finally the third iteration which will reflect the implementation of the use cases This deliverable is the result of Task 44

MEDINA Requirements, Detailed architecture, DevOps infrastructure and CI/CD and verification strategy-v1

This deliverable has a threefold goal Firstly it will contain the requirements of the MEDINA framework in close collaboration with Task 61 Secondly the detailed design of MEDINA its components modules interfaces Thirdly it will also detail the realization of the DevOps infrastructure namely the set of tools and services to support all continuous integration and deployment phases in order to follow a DevOps approach as well as the CICD strategy to be followed for the continuous integration of the MEDINA Framework Two releases of the document are planned In the second one the feedbacks received from the use cases implementation will be managed to update the design This deliverable is the result of Tasks 51 and 52

Risk-based techniques and tools for Cloud Security Certification-v1

This set of deliverables will contain the risk-based cost-benefit analysis for the selection of security controls. This deliverable will describe the core model of the risk-based framework (M15) and its implementation as an integral part of the MEDINA solution (M24, M30). These deliverables are the result of Task 2.6.

Risk-based techniques and tools for Cloud Security Certification-v3

This set of deliverables will contain the risk-based cost-benefit analysis for the selection of security controls. This deliverable will describe the core model of the risk-based framework (M15) and its implementation as an integral part of the MEDINA solution (M24, M30). These deliverables are the result of Task 2.6.

Tools and techniques for collecting evidence of technical and organisational measures-v3

This deliverable will deliver tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. There will be three iterations of the tool integration, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Tools and techniques for the management of trustworthy evidence-v1

This deliverable will encompass techniques how to integrate different tools to gather and manage trustworthy evidences on various levels as well as how to ensure the trustworthiness of evidences across the life-cycle, i.e. using blockchain/DLT. There will be three iterations of the deliverable, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.1 and Task 3.5.

Specification of the Cloud Security Certification Language-v2

This set of deliverables will detail the domain-specific language for a cloud security certification. The first version will include the background information and the vocabulary, as well as the design of the “Certification Language” component, while the second and third versions will present the implementation of such language and component. The software will be complemented with a technical specifications report detailing the functional description, architecture, technical specification, user manual and installation instructions. These deliverables are the result of Tasks 2.3, 2.4, 2.5. The editors for the different versions will be specifically CNR, HPE and CNR.

Tools and techniques for the management and evaluation of cloud security certifications-V2

This deliverable will entail tools and techniques for and managing technical evidences with the aim to evaluate them according to a certifications’ chosen conformity method. This will be accompanied by research into novel approaches to establish a digital audit trail of both the collected evaluated evidence as well as the certification target. Additionally, components need to be designed and implemented maintain the life-cycle of a continuous certificate in an automated way, i.e. using smart contracts. An early prototype will be delivered as the first iteration of the deliverable. The prototype will be updated and refined based on the implementation of the use cases (see Task 6.2). This deliverable is the result of Task 4.1, Task 4.2 and Task 4.3.

MEDINA integrated solution-V2

This deliverable will integrate all the components developed by the other technical WPs in the MEDINA Framework. Different versions of the solution will be provided following an incremental approach. The first version will be an initial prototype with the core functionalities implemented (at M15); the second version (at M27) will augment these functionalities taking into consideration the feedback coming for the use cases and the final version (M33) will include corrections and feedback coming from the implementation of the use cases. The software will be accompanied by a Technical Specification Report. This set of deliverables is the result of Task 5.3 and 5.4.

MEDINA Requirements, Detailed architecture, DevOps infrastructure and CI/CD and verification strategy-V2

This deliverable has a threefold goal. Firstly, it will contain the requirements of the MEDINA framework in close collaboration with Task 6.1. Secondly, the detailed design of MEDINA: its components, modules, interfaces. Thirdly, it will also detail the realization of the DevOps infrastructure, namely the set of tools and services to support all continuous integration and deployment phases in order to follow a DevOps approach, as well as the CI/CD strategy to be followed for the continuous integration of the MEDINA Framework. Two releases of the document are planned. In the second one the feedbacks received from the use cases implementation will be managed to update the design. This deliverable is the result of Tasks 5.1 and 5.2.

Specification of the Cloud Security Certification Language-v3

This set of deliverables will detail the domain-specific language for a cloud security certification. The first version will include the background information and the vocabulary, as well as the design of the “Certification Language” component, while the second and third versions will present the implementation of such language and component. The software will be complemented with a technical specifications report detailing the functional description, architecture, technical specification, user manual and installation instructions. These deliverables are the result of Tasks 2.3, 2.4, 2.5. The editors for the different versions will be specifically CNR, HPE and CNR.

Tools and techniques for the management and evaluation of cloud security certifications-v1

This deliverable will entail tools and techniques for and managing technical evidences with the aim to evaluate them according to a certifications’ chosen conformity method. This will be accompanied by research into novel approaches to establish a digital audit trail of both the collected evaluated evidence as well as the certification target. Additionally, components need to be designed and implemented maintain the life-cycle of a continuous certificate in an automated way, i.e. using smart contracts. An early prototype will be delivered as the first iteration of the deliverable. The prototype will be updated and refined based on the implementation of the use cases (see Task 6.2). This deliverable is the result of Task 4.1, Task 4.2 and Task 4.3.

Tools and techniques for collecting evidence of technical and organisational measures-V2

This deliverable will deliver tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. There will be three iterations of the tool integration, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Specification of the Cloud Security Certification Language-v1

This set of deliverables will detail the domain-specific language for a cloud security certification. The first version will include the background information and the vocabulary, as well as the design of the “Certification Language” component, while the second and third versions will present the implementation of such language and component. The software will be complemented with a technical specifications report detailing the functional description, architecture, technical specification, user manual and installation instructions. These deliverables are the result of Tasks 2.3, 2.4, 2.5. The editors for the different versions will be specifically CNR, HPE and CNR.

MEDINA integrated solution-v3

This deliverable will integrate all the components developed by the other technical WPs in the MEDINA Framework. Different versions of the solution will be provided following an incremental approach. The first version will be an initial prototype with the core functionalities implemented (at M15); the second version (at M27) will augment these functionalities taking into consideration the feedback coming for the use cases and the final version (M33) will include corrections and feedback coming from the implementation of the use cases. The software will be accompanied by a Technical Specification Report. This set of deliverables is the result of Task 5.3 and 5.4.

Risk-based techniques and tools for Cloud Security Certification-v2

This set of deliverables will contain the risk-based cost-benefit analysis for the selection of security controls. This deliverable will describe the core model of the risk-based framework (M15) and its implementation as an integral part of the MEDINA solution (M24, M30). These deliverables are the result of Task 2.6.

MEDINA integrated solution-V1

This deliverable will integrate all the components developed by the other technical WPs in the MEDINA Framework. Different versions of the solution will be provided following an incremental approach. The first version will be an initial prototype with the core functionalities implemented (at M15); the second version (at M27) will augment these functionalities taking into consideration the feedback coming for the use cases and the final version (M33) will include corrections and feedback coming from the implementation of the use cases. The software will be accompanied by a Technical Specification Report. This set of deliverables is the result of Task 5.3 and 5.4.

Tools and techniques for collecting evidence of technical and organisational measures-V1

This deliverable will deliver tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. There will be three iterations of the tool integration, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Tools and techniques for the management of trustworthy evidence-v2

This deliverable will encompass techniques how to integrate different tools to gather and manage trustworthy evidences on various levels as well as how to ensure the trustworthiness of evidences across the life-cycle, i.e. using blockchain/DLT. There will be three iterations of the deliverable, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.1 and Task 3.5.

Tools and techniques for the management of trustworthy evidence-V3

This deliverable will encompass techniques how to integrate different tools to gather and manage trustworthy evidences on various levels as well as how to ensure the trustworthiness of evidences across the life-cycle, i.e. using blockchain/DLT. There will be three iterations of the deliverable, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.1 and Task 3.5.

Methodology and tools for risk-based assessment and security control reconfiguration-V2

Lastly, this deliverable comprises the methodology as well as the prototype implementation of the risk-based auditor component. To follow the approach taken in other tasks, there will be three iterations of the tool integration, an initial prototype, showcasing the methodology, a second release, which will be based on a refinement of the technical architecture and finally the third iteration, which will reflect the implementation of the use cases. This deliverable is the result of Task 4.4.

Continuously certifiable technical and organizational measures and catalogue of cloud security metrics-v1

This set of deliverables will present the definition of the technical and organizational measures relevant for CSPs along with a set of security metrics both quantitative and qualitative for such security objectives These measures will be expressed also in the form of a catalogue of comprehensible cloud security metrics These deliverables are the result of Task 22 and part of 21

Dissemination and Communication Report-v1

This deliverable will explain the dissemination and communication activities followed during the reporting periods as well as the results from these activities and will update projects dissemination and communication plan respectively This report will also contain the relevant activities executed to foster a close collaboration with projects related to MEDINA as well as future networking plans

Continuously certifiable technical and organizational measures and catalogue of cloud security metrics-v2

This set of deliverables will present the definition of the technical and organizational measures relevant for CSPs along with a set of security metrics both quantitative and qualitative for such security objectives These measures will be expressed also in the form of a catalogue of comprehensible cloud security metrics These deliverables are the result of Task 22 and part of 21

Dissemination and Communication Strategy

This deliverable has a threefold goal Firstly it will define the way in which the different communities scientific commercial general public will be targeted as well as the social media will be used Secondly it will detail the specific plan for networking activities with external entities including the specific working group this project will participate Finally it will describe the project dissemination strategy to be adopted throughout the project lifetime The release of the respective report is considered one of the key milestones of the project

Standardization Roadmap-v1

This deliverable will present all the relevant activities performed in the context of standardization and standards observation

Market, Innovation and Applicability Analysis

This document will report surveys and analysis about solutions trends and initiatives in the fields relevant to MEDINA The report will be updated to accommodate future trends and competence analysis in D74

Standardization Roadmap-v2

This deliverable will present all the relevant activities performed in the context of standardization and standards observation

Training materials

This deliverable will compile the different training materials generated in the course of the project

Dissemination and Communication Report-V2

This deliverable will explain the dissemination and communication activities followed during the reporting periods as well as the results from these activities and will update projects dissemination and communication plan respectively This report will also contain the relevant activities executed to foster a close collaboration with projects related to MEDINA as well as future networking plans

MEDINA brochure and public website

The initial version of the brochure and project website will include at least project objectives and contact details MEDINA website will be setup by the Project Leader TECNALIA and continuously enhanced by all partners to include public downloadable results and links to related news and initiatives

Publications

EUROSCAL – Paving the Road Towards Interoperable and Automated Compliance Monitoring in Europe

Author(s): Jesus Luna, Bosch
Published in: 2023
Publisher: white paper

MEDINA: First Impressions on Experimenting with Automated Monitoring Requirements of the Upcoming EU Cybersecurity Certification Scheme for Cloud Services .

Author(s): Jesus Luna Garcia, Bosch, Thomas Ruebsamen, Bosch Patrick Weiss, Bosch Valentin Acker, Bosch Tatu Suhonen, Nixu Jarkko Majava, Nixu
Published in: 2021
Publisher: white paper

Metric Recommender System and the use of Natural Language Processing

Author(s): Fazzolari, Michela
Published in: Issue 51, 2023
Publisher: white paper
DOI: 10.5281/zenodo.10200736

Continuous Life-Cycle Management of Cloud Security Certifications

Author(s): FhG, XLAB, CNR, NIXU, TECNALIA
Published in: 2023
Publisher: white paper

The MEDINA Controlled Natural Language

Author(s): Marinella Petrocchi and Michela Fazzolari
Published in: 2023
Publisher: white paper

An architecture proposal for the MEDINA framework

Author(s): TECNALIA, Bosch, CNR, FhG, HPE, NIXU
Published in: 2023
Publisher: white paper

Data Sovereignty in the Cloud-Wishful Thinking or Reality?

Author(s): Christian Banse
Published in: Proc. of 2021 Cloud Computing Security Workshop, 2021
Publisher: IEEE
DOI: 10.1145/3474123.3486792

Runtime security monitoring by an interplay between rule matching and deep learning-based anomaly detection on logs

Author(s): Jan Antić, Joao Pita Costa, Aleš Černivec et al.
Published in: International Workshop on Design of Reliable Communication Networks (DRCN), 2023
Publisher: IEEE
DOI: 10.1109/drcn57075.2023.10108105

Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis

Author(s): Christian Banse Immanuel Kunz Angelika Schneider Konrad Weiss
Published in: Proc. of IEEE International Conference on Cloud Computing 2021, 2021
Publisher: IEEE
DOI: 10.1109/cloud53861.2021.00014

A Semantic Evidence-based Approach to Continuous Cloud Service Certification

Author(s): Christian Banse Immanuel Kunz Nico Haas Angelika Schneider
Published in: SAC '23: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing March 2023 Pages 24–33, 2023
Publisher: ACM
DOI: 10.1145/3555776.3577600

Patient Community -- A Test Bed for Privacy Threat Analysis

Author(s): Immanuel Kunz; Angelika Schneider; Christian Banse; Konrad Weiss; Andreas Binder
Published in: CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security November 2022 Pages 3383–3385, 2022
Publisher: ACM
DOI: 10.1145/3548606.3564253

Representing LLVM-IR in a Code Property Graph

Author(s): Alexander Küchler, Christian Banse
Published in: International Conference on Information Security ISC 2022: Information Security pp 360–380, 2022
Publisher: Springer
DOI: 10.1007/978-3-031-22390-7_21

Privacy Property Graph: Towards Automated Privacy Threat Modelling via Static Graph-based Analysis

Author(s): Immanuel Kunz (Fraunhofer AISEC), Konrad Weiss (Fraunhofer AISEC), Angelika Schneider (Fraunhofer AISEC), Christian Banse (Fraunhofer AISEC)
Published in: Popets 2023, 2023
Publisher: published under a Creative Commons Attribution 4.0 license
DOI: 10.56553/popets-2023-0046

Security in DevSecOps: Applying Tools and Machine Learning to Verification and Monitoring Steps

Author(s): Matija Cankar et al. (XLAB)
Published in: ICPE ’23 Companion, Companion of the 2023 ACM/SPEC International Conference on Performance Engineering, 2023
Publisher: ACM
DOI: 10.1145/3578245.3584943

Medina: Improving Cloud Services trustworthiness through continuous audit-based certification

Author(s): Leire Orue-Echevarría, Juncal Alonso (TECNALIA) Jesus Luna (Bosch) Christian Banse (FhG
Published in: CEUR- WS.org, ISSN 1613- 0073 Vol 2878, 2021
Publisher: CEUR-WS online

Application-Oriented Selection of Privacy Enhancing Technologies

Author(s): Immanuel Kunz, Andreas Binder
Published in: Annual Privacy Forum APF 2022: Privacy Technologies and Policy pp 75–87, 2022
Publisher: Springer
DOI: 10.1007/978-3-031-07315-1_5

AMOE: a Tool to Automatically Extract and Assess Organizational Evidence for Continuous Cloud Audit

Author(s): Deimling, Franz; Fazzolari, Michela
Published in: DBSec 2023: Data and Applications Security and Privacy XXXVII, 37th Annual IFIP WG 11.3 Conference, 2023
Publisher: Springer
DOI: 10.48550/arxiv.2307.16541

A Continuous Risk Assessment Methodology for Cloud Infrastructures

Author(s): Immanuel Kunz, Angelika Schneider, Christian Banse
Published in: 22th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGRID), 2022
Publisher: IEEE
DOI: 10.1109/ccgrid54584.2022.00127

Understanding the challenges and novel architectural models of multi-cloud native applications – a systematic literature review

Author(s): Juncal Alonso; Leire Orue-Echevarria; Valentina Casola; Ana Isabel Torre; Maider Huarte; Eneko Osaba; Jesus L. Lobo
Published in: Journal of Cloud Computing: Advances, Systems and Applications, Issue 62, 2023, ISSN 2192-113X
Publisher: Springer Science + Business Media
DOI: 10.1186/s13677-022-00367-6

Searching for OpenAIRE data...

There was an error trying to search data from OpenAIRE

No results available