
The European Security Certification Framework

Periodic Reporting for period 2 - EU-SEC (The European Security Certification Framework)

Reporting period: 2018-07-01 to 2019-12-31

Third-party audits and certifications provide assurance and promote trust regarding a cloud service provider's approach to security and privacy. The number of national, international and sector-specific standards, laws and regulations has grown sharply in recent years, and with it the complexity of demonstrating compliance. For customers working with highly sensitive data, concerns about security, privacy and regulatory requirements still hinder the adoption of cloud services. Third-party certification and attestation play a key part in a cloud assurance program, but they do not go far enough: traditional point-in-time auditing cannot fully allay these concerns, because, among other things, controls are only verified at the moment of the audit, nothing is observed in the interval between audits, and the evidence gathering is largely manual. As a consequence, the process of adhering to different standards, laws and regulations is inefficient for CSPs, with much duplicated work that unduly increases cost and complexity.
The EU-SEC project has addressed these issues by creating the EU-SEC framework, which covers two main innovations: (i) a multi-party recognition framework for third-party, audit-based certification and (ii) a new approach to cloud assurance, intended especially for high-risk applications, based on continuous auditing-based certification. The framework's development focuses on automation, systematic governance, mutual recognition of certifications, reuse of already certified components, continuous auditing and monitoring, in order to increase confidence in cloud certification while reducing the overall duration and cost of the certification process.
The EU-SEC framework and both innovations have been developed and validated using two real-world pilots. In addition, the EU-SEC Project supported the initial effort from CSA for creating a Code of Conduct for GDPR compliance. The Privacy Level Agreement (PLA) Code of Conduct (CoC) provides guidance and support to CSPs as they work towards demonstrating compliance with the requirements of GDPR. Compliance can be achieved via PLA CoC Self-Attestation and PLA CoC Third-Party Certification.
Adopting the EU-SEC framework, stakeholders in the ICT security certification ecosystem will be equipped with a validated governance structure, an EU-SEC reference architecture, and the corresponding set of tools to improve the efficiency and effectiveness of existing security certification schemes. The EU-SEC framework addresses the issues related to security governance, risk management and compliance in the cloud while also enhancing trustworthiness and transparency in the ICT supply chain through positive results and business cases developed by industrial partners.
Based on an extensive requirements analysis, the EU-SEC partners have defined and set up the EU-SEC framework. It comprises a governance model with roles and responsibilities to support the maintenance and operation of the framework; a reference architecture together with the methods and tools that support its implementation; and training and awareness material to support market uptake of the EU-SEC results.
The two main innovations realized within the EU-SEC framework are the EU-SEC Multi-Party Recognition Framework (MPRF) and the EU-SEC Continuous Auditing-based Certification (CACS). The MPRF enables mutual recognition between different cloud security certification schemes, so that controls already certified under one scheme need not be re-audited under another; CACS provides continuous assurance by addressing the lack of regularity and proactivity of traditional "point-in-time" certifications. In support of these two innovations, further tools, facilities and methods have been developed, extended and tested in the course of the project as part of the EU-SEC reference architecture. These tools, namely the EU-SEC requirements repository, the EU-SEC Audit API, the Nuvla Extension for Evidence and the STARwatch registry Extension, are an essential part of the EU-SEC framework and are further exploited by individual partners. The EU-SEC framework, its architecture and its tools have been validated in two pilots and reached TRL 7+, as envisioned in the DoA.
After conducting the two pilots, the EU-SEC project entered an extensive dissemination and exploitation phase, discussing the project's main innovations with a broader audience. For both innovations, the project elaborated a training and awareness plan and produced training material, resulting in the so-called EU-SEC Training and Awareness Packages, which contain explanatory videos, how-to documents, white papers and training slides and are available on the project website. Following the business canvas method, the relevant stakeholder groups were identified for both innovations in order to derive stakeholder-specific exploitation strategies. The results of the Business Canvas workshops were discussed and refined in public workshops with a broader audience and with the EU-SEC Advisory Board, and then integrated into the individual exploitation strategies of the partners. Finally, both innovations were presented to ENISA representatives and fed into the process of shaping the European Cyber Security Act through initiatives such as CSP CERT.
The EU-SEC framework represents a major advance over the state of the art in the effectiveness and efficiency of cloud security certification. The MPRF pilot in particular has shown that the framework offers considerable benefits for all stakeholders in the cloud computing security and privacy compliance arena by facilitating mutual recognition of security certificates from highly relevant European certification schemes. The MPRF has been shown to streamline the compliance process and to significantly reduce the time and resources involved in preparing for an audit. EU-SEC thus helps European ICT products and services become more compliant with the relevant European security and privacy regulations and standards. In addition, the EU-SEC framework addresses, from both a governance and a technical perspective, the challenges of continuous monitoring and auditing as a foundation for enhanced cloud security certification. The Continuous Auditing-based Certification pilot has shown that the EU-SEC framework covers the requirements of sectors demanding a high level of security assurance, such as the banking industry. To our knowledge, the EU-SEC framework defines the only procedure to date that combines tool-supported auditing with the requirements of continuous certification. Being based on European standards and technologies, the EU-SEC framework opens up the opportunity for European cloud products to offer a higher level of assurance than non-European cloud products and services. Finally, the EU-SEC Code of Conduct serves to define the GDPR requirements applicable to the cloud industry, to provide high-level guidance on what is expected to satisfy them, and to define how those requirements should be verified and monitored over time.
The Code will serve both CSPs seeking support in achieving GDPR compliance and cloud customers, who can use the Code as a tool to assess and compare the GDPR posture of their providers. The EU-SEC Code is currently under evaluation by the regulators.