European cloud services: a certificate to guarantee security, transparency and reliability to customers

CNR is a partner of the MEDINA project to create a secure certification system inspired by the European Cybersecurity Certification Scheme for Cloud Services (EUCS)

Despite the evident benefits of cloud computing, its adoption is still limited, partly because EU customers perceive a lack of security and transparency in this technology. Cloud service providers (CSPs) usually rely on security certifications as a means to improve transparency and trustworthiness. However, European CSPs still face multiple challenges in certifying their services (e.g., fragmentation in the certification market and lack of mutual recognition).

In this context, the new EU Cybersecurity Act (EU CSA) proposes improving customers’ trust in the European ICT market through a European Cybersecurity Certification Scheme for Cloud Services (EUCS). This certification scheme introduces new technological challenges because of its notion of “levels of assurance”, and these challenges need to be solved in order to bring all of the EU CSA’s expected benefits to EU cloud providers and customers.

MEDINA is a Research and Innovation Action supported by Europe’s H2020 program, with the objective of creating a security framework to achieve continuous audit-based certification for CSPs based on the EU Cybersecurity Certification Scheme for Cloud Services. For this purpose, MEDINA will tackle challenges in areas such as security validation/testing, machine-readable certification languages, cloud security performance, and audit evidence management to provide:

– Guidance on the implementation of the EUCS controls, including the measures to be applied and the evidence to be collected, thereby reducing the duration of the certification process.
– Support for automatic compliance checks of the controls in major cloud security certification schemes, reducing the effort, cost and risk of achieving and maintaining a certification.
– Reduced effort in the collection and evaluation of digital evidence.
– An audit trail of the evidence, to guarantee that no one has tampered with it during the certificate’s validity period.

The MEDINA consortium, led by TECNALIA, assembles a balanced set of academic and industrial partners that play key roles in the EU cloud security certification ecosystem: research centres (TECNALIA, Consiglio Nazionale delle Ricerche, Fraunhofer), cloud providers (Bosch, Fabasoft), technology providers (Hewlett Packard Enterprise, XLAB) and auditors (Nixu).

The MEDINA approach and toolset will be assessed in two real-world cloud use cases covering the three cloud service models (IaaS, PaaS and SaaS). On the one hand, Bosch will deploy a scenario for European certification of multi-cloud backends for IoT solutions; on the other hand, Fabasoft will validate a continuous audit of SaaS solutions for the public sector.

MEDINA will also raise awareness of the benefits of the contributed framework in the context of the EU Cybersecurity Act by supporting activities related to European training, awareness and relevant standardization activities (e.g., ENISA EUCS).

In summary, MEDINA contributes to the European Cloud Security Certification policy, enhances the trustworthiness of cloud services thanks to the compliance with security certification schemes, cooperates with relevant stakeholders, and helps Europe prepare for the cloud security challenges of tomorrow.

MEDINA has completed the first half of this 36-month project and is progressing rapidly towards its next milestones. Thus far, work has focused on the definition of the MEDINA general architecture, as well as on developing the integrated framework (both technology and processes) that will be validated by the use cases from Bosch and Fabasoft. Among the developed tools we can highlight MEDINA’s risk-based certification preparedness service and the catalogue of security requirements and metrics, which are essential enablers for continuous (automated) monitoring as defined in the EUCS and other certification schemes.

Within MEDINA, the IIT-CNR researchers (all part of the Trust, Security and Privacy Research Unit: Marinella Petrocchi, Artsiom Yautsiukhin, Michela Fazzolari, Fabio Martinelli) are responsible for:

– coordination of the Work Package on the MEDINA Certification Language, a universal machine-readable language that meets the requirements of the main cloud certification schemes;
– development of tools for quantifying the risks to which cloud providers are exposed if they do not meet the requirements;
– coordination of dissemination activities.
