Continuous security certification for cloud services

25 April 2022

“MEDINA implements continuous high security certification based on digital evidence for cloud service providers”

The new EU Cybersecurity Act aims to improve customer confidence in the European ICT market

The MEDINA research and innovation action, supported by the European H2020 programme, creates a security framework for continuous audit-based certification for CSPs, taking into account the EU Cybersecurity Certification Scheme for cloud services (EUCS). It addresses challenges in areas such as security validation and testing, machine-readable certification languages, cloud security performance, and audit evidence management to:

  • Steer the implementation of the EUCS controls, including the measures to be applied and the evidence to be collected, thus reducing the certification processing time.
  • Support automated verification of control compliance across leading cloud security certification schemes, reducing the effort, cost, and risk of achieving and maintaining certification.
  • Reduce effort in the collection and evaluation of digital evidence.
  • Maintain a record of evidence that can be audited to verify that it has not been tampered with during the validity of the certificate.

MEDINA's approach and toolkit will be evaluated in two real-world cloud use cases covering the three service models: IaaS, PaaS, and SaaS. On the one hand, Bosch will deploy a scenario for European certification of multicloud backends for IoT solutions and, on the other hand, Fabasoft will validate an ongoing audit of SaaS solutions for the public sector.

MEDINA will also raise awareness of the benefits of the security framework provided in the context of the EU Cybersecurity Act, supporting activities related to training, awareness raising and relevant standardization activities at a European level (e.g. ENISA EUCS).

Cloud service providers (CSPs) often rely on security certifications as a means of improving transparency and reliability. European CSPs continue to face multiple difficulties in certifying their services: fragmentation of the certification market and lack of mutual recognition.

European Cybersecurity Certification Scheme for Cloud Services

The new EU Cybersecurity Act aims to improve customer confidence in the European ICT market through a European Cybersecurity Certification Scheme for Cloud Services (EUCS). This certification scheme raises new technology challenges due to its notion of "warranty levels" that must be resolved in order for suppliers and customers to obtain all of the expected benefits.

The MEDINA consortium, led by TECNALIA, brings together a balanced set of academic and industrial partners who play key roles in the cloud security certification ecosystem: research centres (TECNALIA, Consiglio Nazionale delle Ricerche, Fraunhofer), cloud providers (Bosch, Fabasoft), technology providers (Hewlett Packard Enterprise, XLAB) and auditors (Nixu).

More about MEDINA

The MEDINA project contributes to the European Cloud Security Certification Policy, improves service reliability through compliance with security certification schemes, cooperates with stakeholders and helps Europe prepare for security challenges.

The MEDINA consortium has completed the first half of this 36-month project and is moving rapidly toward its next milestones. So far, the work has focused on defining MEDINA's general architecture, as well as developing the integrated framework (both technologies and processes) that will be validated by the Bosch and Fabasoft use cases.

The tools developed by MEDINA include the risk-based certification preparation service and the catalogue of requirements and security metrics, which are essential enablers for continuous and automated monitoring as defined in the EUCS and other certification schemes.

* This project has received funding from the Horizon 2020 EU research and innovation program, in accordance with agreement No. 952633.