MEDINA supports Cloud Service Providers and Auditors in the certification process at various stages, including collection, assessment, storage, and management of evidences. Apart from this, we aim at automating the derivation of a certification decision based on the collected evidence. This automation is a delicate issue which we discuss in this blog post. In the following, we first review the MEDINA certification architecture and then discuss different options for automating the certification decisions.
MEDINA Certification Architecture
The architecture of the MEDINA framework is built so evidences are first assessed independently, for instance an evidence describing a block storage may be assessed regarding its relevant metrics like enabled encryption and backups. Then, the resulting assessment results are grouped per service and applied to the relevant certification framework, e.g. the EUCS, to see whether – or to what degree – the service complies with a given framework. Thereafter, a risk level is calculated by the Risk Assessment and Optimisation Framework, and finally, the Life Cycle Manager (LCM) derives a decision about the certificate state.
Connected to the LCM, a Self-Sovereign Identity (SSI) system issues the public, signed certificate. Yet, there are different possibilities to automate the decisions taken on the certificate state in the LCM. Note that we assume that an initial certificate has been issued in a manual audit before we take (semi-)automated decisions in the LCM.
Option #1: Complete Automation
One option is to aim at completely automating the certificate updates, e.g. suspending, withdrawing, and continuing the certificate. This requires the LCM to take decisions, e.g., based on the risk value reported by the Risk Assessment and Optimisation Framework (RAOF). The RAOF calculates such a value for the overall system based on the reported assessment results.
On the one hand, we can try to incorporate such information automatically by defining a threshold that determines the effect on the certificate. For example, we could define that a certificate should be suspended (temporarily) when the service’s risk value is higher than, say, 80.
On the other hand, there are risks in automating certification decisions in this way. First, it may be the case that there are bugs in the system that trigger a high risk value, resulting in a certification decision that can severely harm the CSP’s reputation. Second, the threshold or the components may be tampered with by attackers. Third, there is a general risk of neglecting important information about the cloud service due to focusing on one metric like the overall risk value.
Option #2: No Automation
The simplest option is to not automate certificate decisions at all. In this case, the MEDINA framework can still provide a large benefit to CSPs and auditors as it allows to present audit-ready evidences for the manual audits.
Yet, there are two reasons that speak for at least some amount of automation: First, new certification frameworks, like the EUCS, demand automatic monitoring of cloud services’ security – this also entails that assessment results are generated in high-frequency and analyzing these results manually can quickly become overwhelming. Second, using thresholds as described above, as well as other information to draft a certification decision is useful information for a CSP (and potentially for an external auditor) that can hint at underlying problems in the system quickly, and therefore improve overall security.
Option #3: Semi-Automation in Selected Cases
A third option would be to only automate certification decisions in selected cases in which there is high confidence in the correctness of the decision. The EUCS describes various conditions for certificate state changes. Consider the two following examples:
- "The maintenance evaluation activities have been performed and reviewed, have determined that the cloud service does not fulfil the requirements anymore, and action from the CSP is possible to maintain the certificate at the same assurance level and scope, though not immediately, or improper use of the certificate is not solved by suitable retractions and appropriate corrective actions by the CSP."
In the above case, the resulting decision is to (temporarily) suspend the certificate. However, it is difficult to determine what exactly constitutes the criterion that the service does not fulfil the requirements anymore, e.g. which requirements, or how many, and to which degree.
- "The periodic assessment has not been performed in due time."
The second case is much simpler – it requires to suspend the certificate if the periodic assessment has not been performed in the required interval, e.g. it has not been performed in six months. When a continuous monitoring is in place, it can easily be determined if a periodic assessment – at least to the degree of the continuous, automated monitoring – has been conducted or not and the certificate can be suspended (or continued) auotmatically as well.
Option #4: Preliminary Automation with Manual Verification
Finally, the certificate states can be automated completely, however, barring a manual verification. In this scenario, the LCM does automate certification decisions completely, but reports them to the certification authority which has to validate them manually before the official certificate is changed. Here, the advantage is that the CSP gets information about a possible certificate state change as early as possible and can investigate potential problems, while not risking the reputational damage mentioned above in Option #1.
Evidently, there are potential problems with this approach as well: since evidences are collected continuously, there could be a lot of state changes which may overwhelm the CSP and the certification authority. Also, it is still a delicate issue to balance the information about overall service risk, individual resource non-compliances, compliance information over time, etc., to derive a meaningful certification decision. In future work, these questions will be explored in MEDINA.
In summary, there are different options for automating certification decisions which all come with advantages and disadvantages. In MEDINA, we determined that a preliminary automation with manual verification combines the advantages of automation for CSPs with the safety of the manual verification by auditors.