After three years of intensive work and outstanding collaboration with seven project partners, our amazing XLAB Research team has once again crossed the finish line. Leveraging our extensive expertise in cloud security, we are proud to have been a part of the MEDINA project, where we contributed to the development of the framework for achieving a continuous audit-based certification for cloud service providers.
MEDINA: Security framework for continuous cloud certification
In recent years, the European Commission has been moving towards a shared multi-cloud infrastructure that is already benefiting many research and innovation ecosystems in Europe. However, recent security challenges worldwide, also related to digitalisation across industries, call for a common European strategy that must include certification.
The main objective of MEDINA was to provide an automated framework that supports Cloud Service Providers (IaaS, PaaS and SaaS providers) in achieving a continuous audit-based certification in compliance with the EU Cloud Security Certification Scheme (EUCS), with the aim of enhancing stakeholders’ control over, and trust in, the cloud services they consume.
Achieving and maintaining EUCS certification can be a complex, expensive and time-consuming process, mainly due to the amount of manual work involved in the assessment process. The outputs of the MEDINA project thus include a set of automated metrics-based tools and techniques that support continuous compliance monitoring, seamless audit trail of evidence with traceability and tamper protection, and risk-based management of certification status. Use of the MEDINA framework results in more efficient and effective audits, with less manual effort needed to find and assess relevant evidence, while improving the trustworthiness of the certification process.
From evidence to certification
XLAB’s role in the project was to contribute to metric-based evidence gathering and assessment. The evaluation of security compliance in MEDINA starts with gathering evidence about the status of cloud services using different tools and techniques. Our team contributed by developing the Wazuh and VAT Evidence Collector component, which gathers evidence from two tools, Wazuh and VAT (Vulnerability Assessment Tools), and sends it to the security assessment components. These assess the evidence against the target values configured for the specific requirement and provide their output (assessment results stating the fulfilment of a specific metric for a specific monitored resource) to the Continuous Certification Evaluation (CCE) component, another component developed by XLAB.
The role of the CCE component is to combine the received assessment results into information about the fulfilment of higher-level certification objects: requirements, controls, control groups, and the selected certification scheme (EUCS) in its entirety. This information does not directly determine the cloud service’s eligibility for a certificate, but serves as input for other components, the Risk Assessment and Optimisation Framework and the Certificate Lifecycle Management, as well as for easy visualisation of the certificate state for users (Cloud Service Providers, CSPs, and auditors) using the evaluation tree and other additional information in the Web UI.
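As an added illustration of the aggregation step described above (example code, not from the MEDINA project or XLAB), the following Python sketch combines per-resource assessment results into fulfilment states for requirements, controls, control groups and the scheme as a whole; the tree, the identifiers and the three-valued state model are assumptions.

```python
from dataclasses import dataclass
# Hypothetical evaluation-tree model in the spirit of MEDINA's CCE;
# names and structure are assumptions, not the project's own code.
@dataclass(frozen=True)
class AssessmentResult:
    metric_id: str    # metric checked by an assessment component
    resource_id: str  # monitored cloud resource the metric was evaluated on
    compliant: bool   # measured value met the configured target value

# Scheme -> control groups -> controls -> requirements -> metric ids.
TREE = {"EUCS": {
    "CG-Identity": {"C-IAM": {"REQ-MFA": ["M-mfa-enabled"],
                              "REQ-KeyRotation": ["M-key-age"]}},
    "CG-Logging": {"C-AuditLog": {"REQ-LogRetention": ["M-log-retention-days"]}},
}}

def requirement_state(metric_ids, results):
    """Fulfilled only if every metric has evidence and every monitored
    resource is compliant; missing evidence is reported as its own state
    so a gap in collection is never mistaken for compliance."""
    relevant = [r for r in results if r.metric_id in metric_ids]
    if {r.metric_id for r in relevant} != set(metric_ids):
        return "NO_EVIDENCE"
    return "FULFILLED" if all(r.compliant for r in relevant) else "NOT_FULFILLED"

def combine(states):
    """Propagate upward: one failing child fails the parent; otherwise
    any missing evidence blocks a positive verdict."""
    if "NOT_FULFILLED" in states:
        return "NOT_FULFILLED"
    return "NO_EVIDENCE" if "NO_EVIDENCE" in states else "FULFILLED"

def evaluate(node, results):
    """Return a nested dict mirroring the tree with a 'state' per node;
    leaves (metric-id lists) are evaluated as requirements."""
    if isinstance(node, list):
        return requirement_state(node, results)
    out = {name: evaluate(child, results) for name, child in node.items()}
    out["state"] = combine([v if isinstance(v, str) else v["state"] for v in out.values()])
    return out

SAMPLE_RESULTS = [  # constructed sample results, not real evidence
    AssessmentResult("M-mfa-enabled", "vm-1", True),
    AssessmentResult("M-mfa-enabled", "vm-2", False),  # one resource lacks MFA
    AssessmentResult("M-key-age", "vm-1", True),
    AssessmentResult("M-log-retention-days", "storage-1", True),
]

if __name__ == "__main__":
    print(evaluate(TREE, SAMPLE_RESULTS)["EUCS"]["state"])  # NOT_FULFILLED
```

A single non-compliant resource under REQ-MFA propagates up to the scheme, while the logging branch stays fulfilled, which is what the evaluation tree in the Web UI is meant to make visible.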
What have we learned
“By participating in the project, we were able to expand upon the existing knowledge and expertise about cloud security certification, which is very useful for other areas XLAB is focused on, namely automation and cloud application modernisation,” explains Hrvoje Ratkajec, PhD, XLAB project manager. Our team was also able to build upon the results of previous projects and improve the CCE tool so that it became one of the key components in the continuous compliance workflow. Lastly, the team established excellent business and personal ties with the other project partners TECNALIA, Bosch, CNR, Fabasoft, FhG, HPE and Nixu for new research and/or business opportunities.