Last November 22nd-23rd, took place in Brussels (Belgium) the winter edition of the EUCS summit organized by ENISA. For this meeting, the MEDINA team (Bosch, Tecnalia, and Fraunhofer AISEC) was invited by the organizers to live demo the integrated prototype (check out our video here) and discuss the following technical topics:
- The MEDINA ontology and its applicability to EUCS' guidance on asset management,
- MEDINA's feedback on EUCS' CS-Basic questionnaire, and
- Leveraging MEDINA for EUCS' vulnerability handling process.
Related to (1) above, partner Fraunhofer AISEC presented the ontology proposed by MEDINA and how the notion of associating Resources to Security Features could benefit the expected levels of transparency (e.g., Shared Responsibility) from EUCS. Our belief is that CABs and Cloud Service Customers would greatly benefit from knowing the security features available on the cloud services they audit or provision respectively.
About the feedback provided to the CD-Basic questionnaires (point 2 above), our partner TECNALIA presented to the AHWG the way MEDINA deals with the self-assessment in the developed framework. Major emphasis was put in aspects related to automation (opposite to the current leverage of spreadsheet-based checklists), and understandability of the questions to be answered by CSPs (in particular small ones, where security expertise might be limited). We hope that the MEDINA experience, including the empirical validation of the framework, will support the EUCS AHWG's efforts on simplifying the CS-Basic questionnaire.
Last in the discussion was the topic of leveraging MEDINA (or at least some specific components of the framework) for the purposes of vulnerability handling as proposed by EUCS. In particular we refer to the notifications which are expected to be given by the CSP in case of detecting vulnerabilities which impact its compliance or certification. This discussion took place after demonstrating to the group the MEDINA protype, so a context could be established and references to the MEDINA workflows could be given. Despite the topic of vulnerability handling is our of scope for MEDINA, it opens interesting possibilities for sustainability and exploitation of the framework after the project's lifetime.