Continuously certifiable Technical and Organizational Measures and Catalogue of Cloud Security Metrics
21 Feb, 2023
By Iñaki Etxaniz (TECNALIA)

The second version of the public deliverable D2.2 Continuously certifiable technical and organizational measures and Catalogue of cloud security metrics, coordinated by TECNALIA, was successfully submitted to the European Commission last January. This deliverable presents the second version of the Catalogue of Controls and Metrics, defined as KR1 in the MEDINA project.

It contains updated versions of the security controls, adapted to the evolution of the EUCS scheme since the version presented in D2.1; new and updated TOMs (Technical and Organizational Measures, which is what MEDINA calls EUCS requirements); and new and updated metrics. It also includes the final version of the Catalogue of Controls and Metrics software component.

The document starts with a comparative analysis of five security schemes: EUCS, the ISO/IEC 27000 family (27002, 27017), BSI C5, SecNumCloud, and Cisco CCF. The comparison covers dimensions such as categories, structure, assurance levels and conformity assessment method, as well as a mapping between the controls of the schemes. The aim of this mapping is to allow a smoother transition from one scheme to another and to facilitate the reuse of evidence whenever possible.

Mapping of EUCS 2022 security controls with C5:2020, SecNumCloud, ISO/IEC 27002, ISO/IEC 27017 and Cisco CCF (fragment)

The second goal of the document is to present an updated version of what we call “the 34”, that is, the 34 high-level assurance requirements of the EUCS that require “continuous (automated) monitoring”. After that, we provide the Reference TOMs for them. A Reference TOM is a form of implementation guidance that is vendor and technology agnostic. Reference TOMs are addressed to small and medium CSPs aiming at the assurance level “high”, and are used as input by the MEDINA certification language for the creation of its corpus of data.

The third goal is the definition of the MEDINA Metrics. More than 150 metrics have been elicited at this stage, coming from the literature and other European projects, but also from the MEDINA partners themselves. All metrics are described following the same structure, which includes the data type, data range, measurement interval, and formula. Although most metrics are directly linked to a “high” assurance level requirement, some have a more general purpose or fulfil a lower assurance level requirement. The chapter finishes with the coverage of the 34 high-level EUCS requirements by the MEDINA Evidence Management Tools, namely Clouditor, Codyze, VAT, Wazuh, AMOE and GEC.

List of Metrics implemented in MEDINA (fragment)

Finally, the document includes the functional and technical design of the second version of the Catalogue of Controls and Metrics, which lies at the basis of the project, as the other MEDINA tools rely on it. It details how the Catalogue fits into the MEDINA framework, its architecture, its data model, and its installation instructions. A user manual is also included.

The Catalogue

To measure compliance with a standard, you first need to decide which of the existing security standards you want to be certified against. MEDINA focuses on the EUCS (European Cybersecurity Certification Scheme for Cloud Services). The EUCS is managed and published by the European Union Agency for Cybersecurity, ENISA. The EUCS is still a draft, which is being updated periodically [1].

The MEDINA Catalogue stores the structure and contents of the certification scheme. This component acts as a database holding all the required information about the controls and requirements of the EUCS, as well as the metrics defined in MEDINA to automatically monitor compliance with them.

Apart from this, the Catalogue includes reference implementations for “the 34” requirements (the TOMs, in MEDINA terms). Additionally, the Catalogue provides equivalences between controls in different schemes, a functionality we call “similar controls”.

The Catalogue also contains a first implementation of a Questionnaire that allows a CSP to perform a self-assessment of its degree of fulfilment of the EUCS standard. It covers the requirements of EUCS 2022 for all certification levels (Basic, Substantial and High), defining one or more questions for each requirement.

The Catalogue provides a user interface that makes this data available for review by human users, as well as an API through which other MEDINA components access the data.

The Catalogue user interface: List of Security Controls.

[1] MEDINA has adopted the EUCS draft version of August 2022 as the final working version in the project.