Security framework to achieve a continuous audit-based certificationn in compliance with the EU-wide cloud security certification scheme

Tools and techniques for the management and evaluation of cloud security certifications-V3

This deliverable will entail tools and techniques for and managing technical evidences with the aim to evaluate them according to a certifications’ chosen conformity method. This will be accompanied by research into novel approaches to establish a digital audit trail of both the collected evaluated evidence as well as the certification target. Additionally, components need to be designed and implemented maintain the life-cycle of a continuous certificate in an automated way, i.e. using smart contracts. An early prototype will be delivered as the first iteration of the deliverable. The prototype will be updated and refined based on the implementation of the use cases (see Task 6.2). This deliverable is the result of Task 4.1, Task 4.2 and Task 4.3.

Methodology and tools for risk-based assessment and security control reconfiguration-V1

Lastly this deliverable comprises the methodology as well as the prototype implementation of the riskbased auditor component To follow the approach taken in other tasks there will be three iterations of the tool integration an initial prototype showcasing the methodology a second release which will be based on a refinement of the technical architecture and finally the third iteration which will reflect the implementation of the use cases This deliverable is the result of Task 44

MEDINA Requirements, Detailed architecture, DevOps infrastructure and CI/CD and verification strategy-v1

This deliverable has a threefold goal Firstly it will contain the requirements of the MEDINA framework in close collaboration with Task 61 Secondly the detailed design of MEDINA its components modules interfaces Thirdly it will also detail the realization of the DevOps infrastructure namely the set of tools and services to support all continuous integration and deployment phases in order to follow a DevOps approach as well as the CICD strategy to be followed for the continuous integration of the MEDINA Framework Two releases of the document are planned In the second one the feedbacks received from the use cases implementation will be managed to update the design This deliverable is the result of Tasks 51 and 52

Risk-based techniques and tools for Cloud Security Certification-v1

This set of deliverables will contain the risk-based cost-benefit analysis for the selection of security controls. This deliverable will describe the core model of the risk-based framework (M15) and its implementation as an integral part of the MEDINA solution (M24, M30). These deliverables are the result of Task 2.6.

Risk-based techniques and tools for Cloud Security Certification-v3

This set of deliverables will contain the risk-based cost-benefit analysis for the selection of security controls. This deliverable will describe the core model of the risk-based framework (M15) and its implementation as an integral part of the MEDINA solution (M24, M30). These deliverables are the result of Task 2.6.

Tools and techniques for collecting evidence of technical and organisational measures-v3

This deliverable will deliver tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. There will be three iterations of the tool integration, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Tools and techniques for the management of trustworthy evidence-v1

This deliverable will encompass techniques how to integrate different tools to gather and manage trustworthy evidences on various levels as well as how to ensure the trustworthiness of evidences across the life-cycle, i.e. using blockchain/DLT. There will be three iterations of the deliverable, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.1 and Task 3.5.

Specification of the Cloud Security Certification Language-v2

This set of deliverables will detail the domain-specific language for a cloud security certification. The first version will include the background information and the vocabulary, as well as the design of the “Certification Language” component, while the second and third versions will present the implementation of such language and component. The software will be complemented with a technical specifications report detailing the functional description, architecture, technical specification, user manual and installation instructions. These deliverables are the result of Tasks 2.3, 2.4, 2.5. The editors for the different versions will be specifically CNR, HPE and CNR.

Tools and techniques for the management and evaluation of cloud security certifications-V2

This deliverable will entail tools and techniques for and managing technical evidences with the aim to evaluate them according to a certifications’ chosen conformity method. This will be accompanied by research into novel approaches to establish a digital audit trail of both the collected evaluated evidence as well as the certification target. Additionally, components need to be designed and implemented maintain the life-cycle of a continuous certificate in an automated way, i.e. using smart contracts. An early prototype will be delivered as the first iteration of the deliverable. The prototype will be updated and refined based on the implementation of the use cases (see Task 6.2). This deliverable is the result of Task 4.1, Task 4.2 and Task 4.3.

MEDINA integrated solution-V2

This deliverable will integrate all the components developed by the other technical WPs in the MEDINA Framework. Different versions of the solution will be provided following an incremental approach. The first version will be an initial prototype with the core functionalities implemented (at M15); the second version (at M27) will augment these functionalities taking into consideration the feedback coming for the use cases and the final version (M33) will include corrections and feedback coming from the implementation of the use cases. The software will be accompanied by a Technical Specification Report. This set of deliverables is the result of Task 5.3 and 5.4.

MEDINA Requirements, Detailed architecture, DevOps infrastructure and CI/CD and verification strategy-V2

This deliverable has a threefold goal. Firstly, it will contain the requirements of the MEDINA framework in close collaboration with Task 6.1. Secondly, the detailed design of MEDINA: its components, modules, interfaces. Thirdly, it will also detail the realization of the DevOps infrastructure, namely the set of tools and services to support all continuous integration and deployment phases in order to follow a DevOps approach, as well as the CI/CD strategy to be followed for the continuous integration of the MEDINA Framework. Two releases of the document are planned. In the second one the feedbacks received from the use cases implementation will be managed to update the design. This deliverable is the result of Tasks 5.1 and 5.2.

Specification of the Cloud Security Certification Language-v3

This set of deliverables will detail the domain-specific language for a cloud security certification. The first version will include the background information and the vocabulary, as well as the design of the “Certification Language” component, while the second and third versions will present the implementation of such language and component. The software will be complemented with a technical specifications report detailing the functional description, architecture, technical specification, user manual and installation instructions. These deliverables are the result of Tasks 2.3, 2.4, 2.5. The editors for the different versions will be specifically CNR, HPE and CNR.

Tools and techniques for the management and evaluation of cloud security certifications-v1

This deliverable will entail tools and techniques for and managing technical evidences with the aim to evaluate them according to a certifications’ chosen conformity method. This will be accompanied by research into novel approaches to establish a digital audit trail of both the collected evaluated evidence as well as the certification target. Additionally, components need to be designed and implemented maintain the life-cycle of a continuous certificate in an automated way, i.e. using smart contracts. An early prototype will be delivered as the first iteration of the deliverable. The prototype will be updated and refined based on the implementation of the use cases (see Task 6.2). This deliverable is the result of Task 4.1, Task 4.2 and Task 4.3.

Tools and techniques for collecting evidence of technical and organisational measures-V2

This deliverable will deliver tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. There will be three iterations of the tool integration, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Specification of the Cloud Security Certification Language-v1

This set of deliverables will detail the domain-specific language for a cloud security certification. The first version will include the background information and the vocabulary, as well as the design of the “Certification Language” component, while the second and third versions will present the implementation of such language and component. The software will be complemented with a technical specifications report detailing the functional description, architecture, technical specification, user manual and installation instructions. These deliverables are the result of Tasks 2.3, 2.4, 2.5. The editors for the different versions will be specifically CNR, HPE and CNR.

MEDINA integrated solution-v3

This deliverable will integrate all the components developed by the other technical WPs in the MEDINA Framework. Different versions of the solution will be provided following an incremental approach. The first version will be an initial prototype with the core functionalities implemented (at M15); the second version (at M27) will augment these functionalities taking into consideration the feedback coming for the use cases and the final version (M33) will include corrections and feedback coming from the implementation of the use cases. The software will be accompanied by a Technical Specification Report. This set of deliverables is the result of Task 5.3 and 5.4.

Risk-based techniques and tools for Cloud Security Certification-v2

This set of deliverables will contain the risk-based cost-benefit analysis for the selection of security controls. This deliverable will describe the core model of the risk-based framework (M15) and its implementation as an integral part of the MEDINA solution (M24, M30). These deliverables are the result of Task 2.6.

MEDINA integrated solution-V1

This deliverable will integrate all the components developed by the other technical WPs in the MEDINA Framework. Different versions of the solution will be provided following an incremental approach. The first version will be an initial prototype with the core functionalities implemented (at M15); the second version (at M27) will augment these functionalities taking into consideration the feedback coming for the use cases and the final version (M33) will include corrections and feedback coming from the implementation of the use cases. The software will be accompanied by a Technical Specification Report. This set of deliverables is the result of Task 5.3 and 5.4.

Tools and techniques for collecting evidence of technical and organisational measures-V1

This deliverable will deliver tools and techniques for the evidence collection of technical measures, such as security assessment of virtual machines, containers and server less functions or based on the analysis of information and data flows as well as organisational measures through the use of machine-learning and NLP. There will be three iterations of the tool integration, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.2, Task 3.3 and Task 3.4.

Tools and techniques for the management of trustworthy evidence-v2

This deliverable will encompass techniques how to integrate different tools to gather and manage trustworthy evidences on various levels as well as how to ensure the trustworthiness of evidences across the life-cycle, i.e. using blockchain/DLT. There will be three iterations of the deliverable, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.1 and Task 3.5.

Tools and techniques for the management of trustworthy evidence-V3

This deliverable will encompass techniques how to integrate different tools to gather and manage trustworthy evidences on various levels as well as how to ensure the trustworthiness of evidences across the life-cycle, i.e. using blockchain/DLT. There will be three iterations of the deliverable, an initial prototype, reflecting an early stage of integration in the technical framework (D3.1.x), the second release will be based on a refinement of the technical architecture, finally the third iteration will reflect the implementation of the use cases. This deliverable is the result of Task 3.1 and Task 3.5.

Methodology and tools for risk-based assessment and security control reconfiguration-V2

Lastly, this deliverable comprises the methodology as well as the prototype implementation of the risk-based auditor component. To follow the approach taken in other tasks, there will be three iterations of the tool integration, an initial prototype, showcasing the methodology, a second release, which will be based on a refinement of the technical architecture and finally the third iteration, which will reflect the implementation of the use cases. This deliverable is the result of Task 4.4.

Continuously certifiable technical and organizational measures and catalogue of cloud security metrics-v1

This set of deliverables will present the definition of the technical and organizational measures relevant for CSPs along with a set of security metrics both quantitative and qualitative for such security objectives These measures will be expressed also in the form of a catalogue of comprehensible cloud security metrics These deliverables are the result of Task 22 and part of 21

Dissemination and Communication Report-v1

This deliverable will explain the dissemination and communication activities followed during the reporting periods as well as the results from these activities and will update projects dissemination and communication plan respectively This report will also contain the relevant activities executed to foster a close collaboration with projects related to MEDINA as well as future networking plans

Continuously certifiable technical and organizational measures and catalogue of cloud security metrics-v2

This set of deliverables will present the definition of the technical and organizational measures relevant for CSPs along with a set of security metrics both quantitative and qualitative for such security objectives These measures will be expressed also in the form of a catalogue of comprehensible cloud security metrics These deliverables are the result of Task 22 and part of 21

Dissemination and Communication Strategy

This deliverable has a threefold goal Firstly it will define the way in which the different communities scientific commercial general public will be targeted as well as the social media will be used Secondly it will detail the specific plan for networking activities with external entities including the specific working group this project will participate Finally it will describe the project dissemination strategy to be adopted throughout the project lifetime The release of the respective report is considered one of the key milestones of the project

Standardization Roadmap-v1

This deliverable will present all the relevant activities performed in the context of standardization and standards observation

Market, Innovation and Applicability Analysis

This document will report surveys and analysis about solutions trends and initiatives in the fields relevant to MEDINA The report will be updated to accommodate future trends and competence analysis in D74

Standardization Roadmap-v2

This deliverable will present all the relevant activities performed in the context of standardization and standards observation

Training materials

This deliverable will compile the different training materials generated in the course of the project

Dissemination and Communication Report-V2

This deliverable will explain the dissemination and communication activities followed during the reporting periods as well as the results from these activities and will update projects dissemination and communication plan respectively This report will also contain the relevant activities executed to foster a close collaboration with projects related to MEDINA as well as future networking plans

MEDINA brochure and public website

The initial version of the brochure and project website will include at least project objectives and contact details MEDINA website will be setup by the Project Leader TECNALIA and continuously enhanced by all partners to include public downloadable results and links to related news and initiatives