MEDINA: Security framework to achieve a continuous audit-based certification in compliance with the EU-wide cloud security certification scheme
Bilbao, Spain, October 2023
MEDINA is an EU-funded initiative that enables Cloud Service Providers (CSP) to achieve a continuous audit-based certification in compliance with the EU Cloud Security Certification Scheme (EUCS). In a nutshell, the MEDINA framework consists of tools, techniques, and processes supporting the continuous auditing-based certification of cloud services, where security is measurable by design.
The main objective of MEDINA is to provide an automated framework that helps Cloud Service Providers (IaaS, PaaS and SaaS providers) achieve an EUCS certification, with the aim of enhancing stakeholders’ control over, and trust in, the cloud services they consume.
Achieving and maintaining EUCS certification can be a complex, expensive and time-consuming process, mainly due to the amount of manual work involved in the assessment process. The outputs of the MEDINA project, which ends in October 2023, include a set of automated metrics-based tools and techniques that support continuous compliance monitoring, seamless audit trail of evidence with traceability and tamper protection, and risk-based management of certification status. Use of the MEDINA framework results in more efficient and effective audits, with less manual effort needed to find and assess relevant evidence, while improving the trustworthiness of the certification process.
The MEDINA framework has been validated in two real-world cloud use cases developed in the project, namely “European Certification of Multi-cloud backends for IoT Solutions” led by Bosch, and “Continuous Audit of SaaS Solutions for the Public Sector” led by Fabasoft. On one hand, the Bosch use case leverages the MEDINA framework in a multi-cloud architecture (IaaS, PaaS and SaaS) using the MEDINA Integrated User Interface in a testbed comprising a set of resources deployed on two cloud hyperscalers. On the other hand, the Fabasoft use case leverages the MEDINA framework’s APIs (Application Programming Interfaces) to integrate the components into an in-house solution for the purpose of achieving continuous cloud certification.
Standardization in MEDINA has also played a key role in both supporting adoption of the overall framework (interoperability) and enabling the sustainability of the project’s key results. MEDINA has influenced the development of the forthcoming EUCS certification scheme, in particular the requirements related to automated cyber security compliance monitoring. Contributions around EUCS, metrics, and automation have also been made to relevant standardization bodies such as ENISA, ISO/IEC, US NIST, ETSI, and CEN CENELEC.
The MEDINA outcomes, published as open source, will serve as a baseline for future research (such as the follow-up Horizon Europe projects EMERALD and COBALT) and for the community-driven initiative EUROSCAL, launched by MEDINA as a means to leverage NIST’s OSCAL (Open Security Controls Assessment Language) in Europe.
The MEDINA consortium (TECNALIA, Bosch, CNR, Fabasoft, FhG, HPE, Nixu and XLAB), led by TECNALIA, has been supported by a group of experts that constitute the project’s External Advisory Board. The entire team has contributed to making MEDINA achieve the expected results, contributing to the European Cloud Security Certification policy, enhancing the trustworthiness of cloud services through compliance with security certification schemes, cooperating with relevant stakeholders, and helping Europe prepare for the cloud security challenges of tomorrow.
Leveraging automation, ensuring compliance, enhancing trust.