The MEDINA approach can be summarized as follows:
Define a catalogue of metrics: each metric is associated with a technical or organizational measure taken from the MEDINA catalogue.
Select controls: taking the CSP's risk appetite into consideration and following a risk-based approach, the CSP shall select the security controls that are most convenient for it to certify. After that, the assets of the cloud service and the relevant IT threats shall be identified, and additional security controls proposed.
Specify the certification language: currently, certification schemes are expressed in natural language. MEDINA proposes to transform this certification language into a machine-readable expression by using NLP, covering aspects such as the scope of the certification, the assurance level and the conformity assessment method, so that it can be traced, in an accountable manner, against what is actually implemented (using DLT/blockchain techniques).
Collect and evaluate evidence: once the scope of the certification scheme is established, evidence needs to be collected at the cloud-service level as well as at the code level, both at design time and at operation time, that is, during the whole lifecycle of the cloud service.
Continuously audit: the collected evidence needs to be continuously evaluated, and the risks continuously monitored and updated, in order to have a secure operational service that is certifiable through the selected conformity assessment method. Furthermore, the lifecycle of the cloud security certificate shall be continuously managed and trailed through smart contracts using DLT.
MEDINA framework approach overview
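The five steps above form one pipeline: a metric catalogue bound to controls, a scope selected by the CSP, evidence gathered from the running service, metric evaluation, and an accountable trail of the results. The following added example (not MEDINA project code) walks that pipeline in miniature. The metric and control identifiers, the operators and target values, and the evidence records are all constructed for illustration, and a local SHA-256 hash chain stands in for the DLT-backed trail that the project proposes.

```python
"""Added example: a miniature continuous-assessment cycle in the spirit of the
MEDINA approach. Not MEDINA project code; every identifier and record below
is constructed for illustration."""
import hashlib
import json
import operator
from dataclasses import dataclass

# Comparison operators a metric may use against its target value.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


@dataclass(frozen=True)
class Metric:
    metric_id: str   # hypothetical metric identifier
    control_id: str  # hypothetical control the metric gives evidence for
    op: str          # key into OPS
    target: object   # value the measured evidence is compared against


# Step 1: catalogue of metrics, each tied to a control (constructed ids).
CATALOGUE = [
    Metric("M-TLS-MinVersion", "CKM-01", ">=", 1.2),
    Metric("M-Storage-Encrypted", "CKM-02", "==", True),
    Metric("M-Log-RetentionDays", "OPS-10", ">=", 90),
]

# Step 2: controls the CSP selected for certification. OPS-10 is out of scope.
SELECTED_CONTROLS = {"CKM-01", "CKM-02"}

# Step 4: evidence collected from the running service (constructed sample).
EVIDENCE = [
    {"resource": "lb-web-1", "metric": "M-TLS-MinVersion", "value": 1.2, "ts": "2023-04-01T10:00:00Z"},
    {"resource": "lb-web-2", "metric": "M-TLS-MinVersion", "value": 1.0, "ts": "2023-04-01T10:00:01Z"},
    {"resource": "bucket-logs", "metric": "M-Storage-Encrypted", "value": True, "ts": "2023-04-01T10:00:02Z"},
    {"resource": "bucket-backup", "metric": "M-Storage-Encrypted", "value": False, "ts": "2023-04-01T10:00:03Z"},
    {"resource": "siem", "metric": "M-Log-RetentionDays", "value": 30, "ts": "2023-04-01T10:00:04Z"},
]


def evaluate(catalogue, selected, evidence):
    """Assess each evidence record against its metric; skip metrics whose
    control is outside the selected certification scope."""
    in_scope = {m.metric_id: m for m in catalogue if m.control_id in selected}
    results = []
    for ev in evidence:
        m = in_scope.get(ev["metric"])
        if m is None:
            continue
        results.append({
            "resource": ev["resource"], "metric": m.metric_id, "control": m.control_id,
            "compliant": bool(OPS[m.op](ev["value"], m.target)), "ts": ev["ts"],
        })
    return results


def control_status(results):
    """A control is compliant only if every assessed resource is compliant."""
    status = {}
    for r in results:
        status[r["control"]] = status.get(r["control"], True) and r["compliant"]
    return status


class AuditTrail:
    """Append-only, hash-chained log: a local stand-in for the DLT trail.
    Each entry commits to the previous entry's hash, so altering any stored
    result breaks verification of everything after it."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        payload = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        self.entries.append({"prev": prev, "payload": payload, "hash": digest})
        return digest

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            if hashlib.sha256((prev + e["payload"]).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_cycle(trail=None):
    """One audit cycle (step 5): evaluate evidence, derive control status,
    and record every result plus the summary in the tamper-evident trail."""
    if trail is None:
        trail = AuditTrail()
    results = evaluate(CATALOGUE, SELECTED_CONTROLS, EVIDENCE)
    status = control_status(results)
    for r in results:
        trail.append(r)
    trail.append({"control_status": status})
    return status, trail


if __name__ == "__main__":
    status, trail = run_cycle()
    print(status, "trail valid:", trail.verify())
```

Running the cycle repeatedly against fresh evidence, appending to the same `AuditTrail`, is the continuous part: every cycle's per-resource results and control summary are chained onto the earlier ones, so an auditor can replay and verify the whole history rather than trusting a point-in-time snapshot.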