In the last years, European Commission has been moving towards a shared multicloud infrastructure that is already benefiting many research and innovation ecosystems in Europe. Though, the recent security challenges worldwide, also related to digitalisation across industries, demand for a common European strategy that must engage certification. In this blog, we describe MEDINA’s contribution towards the continuous evaluation of security assessments of cloud services. This includes an approach for continuously aggregating assessment results which represents a certification as a tree-like structure that is evaluated based on its leaves—the assessment results.
The evaluation of security compliance in MEDINA starts with the gathering of evidence by different tools and techniques. Security assessment components assess this evidence based on the target values as configured for the specific requirement and provide their output (assessment results with the state of fulfilment of a specific metric for a specific monitored resource) to the Continuous Certification Evaluation (CCE) component. If the assessment result value represents the lowest-level information about the certification state, the role of the CCE component is to combine the received assessment results into information about the fulfilment of higher-level certification objects: requirements, controls, control groups, and the selected certificate scheme in its entirety. This information does not directly determine the cloud service’s eligibility for a certificate, but serves as input for other components, the Risk Assessment and Optimisation Framework and the Certificate Lifecycle Management, as well as for easy visualisation of the certificate state for the users (Content Security Policy – CSPs – and auditors).
The methodology used in the CCE component is thus based on building the evaluation tree with assessment results in its leaves, aggregated according to the standard’s hierarchy. The aggregation can be done with weighted arithmetic means. Additionally, since the goal is to also present intermediate fulfilment values in all levels of the aggregation tree (not only at its root for the entire certification fulfilment), thresholds can be set to determine the fulfilment in individual tree nodes (controls, control groups, etc.). These thresholds and the aggregation weights of the nodes can be set by the user or the auditor (e.g., based on the importance of evaluated resources or controls). On the other hand, the evaluation tree can be easily simplified to an AND tree by setting the thresholds in all nodes to 1, meaning that all the assessment results must indicate fulfilment for the evaluation to be positive, irrespective of the assigned weights (as long as they are positive). This is current setup used.
Beside the calculation of the current state of the evaluation tree nodes, the CCE also provides information about the evaluation history supported by metrics of operational effectiveness, through the button “Current tree state”. These are metrics that measure, in various ways, how well a particular requirement or control was established (fulfilled) in a certain period of time. If a control is unfulfilled for a small amount of time, this is typically not a big issue for the entire certificate state. On the other hand, if the problem has not been mitigated for a long time, the certificate may be revoked.
While the main development of the CCE is generally finished, the current work in the project is focused mainly on additional improvements regarding integration into the MEDINA framework and the UX.