Secure and resilient ICT infrastructure, supply chains and workflows are being set as priorities in the digital transformation of many industries. In that context, certification is fundamental for giving standards real force and for restoring trust in the digital workflows of tomorrow. In this blog post we discuss the complementary approaches to ensuring security and certification compliance of ICT infrastructure, from IoT to Cloud, taken by two EU projects: MEDINA and FISHY.
The MEDINA project[i] tackles the issue of cloud security performance and audit evidence management in order to create a security framework for continuous, audit-based certification. It thus addresses the trustworthiness of cloud services in the EU, the continuous monitoring of those services and the certification issues that follow from it, aiming to provide Cloud Service Providers (CSPs) with a tool that lets them audit and certify cloud services in an automated and near-real-time manner, aligned with the European Cybersecurity Certification Scheme for Cloud Services (EUCS)[ii] from the European Union Agency for Cybersecurity (ENISA).
The MEDINA security framework is based on the following main pillars for the continuous and automated monitoring of EUCS certification:
- METRICS CATALOGUE: While the EUCS draft provides a set of security requirements, it does not yet define concrete guidelines or “compliance metrics” for assessing those requirements. To spare CSPs from having to devise their own custom metrics for implementing and assessing EUCS requirements, MEDINA has defined a catalogue of metrics associated with the technical and organizational measures (TOMs) in EUCS, covering topics such as system security and integrity, operational security, business continuity and incident management.
- RISK-BASED APPROACH FOR SECURITY CONTROLS: A risk-based, tool-supported methodology for the selection of EUCS complementary controls and associated TOMs based on the CSP’s risk appetite, addressing the concrete needs of a CSP.
- CERTIFICATION LANGUAGE: Security control frameworks, and EUCS is no exception, are in practice defined in natural language. The MEDINA framework transforms the natural-language specification into a machine-readable expression using NLP (Natural Language Processing) techniques.
- EVIDENCE COLLECTION AND CONTINUOUS AUDIT: Collecting actual technical evidence through automated monitoring is essential for achieving continuous audit-based certification. To this end, MEDINA has developed a framework for managing EUCS-related digital evidence which, together with the associated risks, is continuously monitored and evaluated.
The aim of the FISHY project[iii], on the other hand, is to provide a coordinated cyber-resilient platform for establishing trusted supply chains of ICT systems through novel evidence-based security assurance methodologies and metrics as well as innovative strategies for risk estimation and vulnerabilities forecasting.
The ICT systems in the supply chain span the whole computing continuum (IoT to Edge to Cloud) and must be adequately prepared as well as proactively enforce security properties[iv]. Among the many tools it uses to achieve this, the FISHY platform includes a Security Assurance Certification Module (SACM) with two major components: the evidence collection engine and the auditing mechanism.
The evidence collection engine is the tool that, based on the collected data and triggering events, formulates a rule or a set of rules and pushes them to the auditing mechanism module for evaluation. This tool is therefore essential to the auditing functionality, because it collects the essential information from the ICT assets and feeds it in as events. The auditing tool, on the other hand, monitors the security properties that have been set and produces a notion of cybersecurity posture, ensuring that these properties are correctly applied and interconnected with each other. It performs these tasks by flagging gaps in how the properties are applied and by notifying the organization (e.g. an enterprise) of its cybersecurity status. After completing multiple assessments and meeting the requirements, the organization may be ready to initiate the certification process. The Security & Privacy Assurance Platform (SACM) was extended during the lifetime of FISHY to address the challenges of supply chain security and resilience, and is based on commercial IP brought into the project.
Both the MEDINA and FISHY frameworks share a similar approach: collecting evidence from the ICT infrastructure and using it in the auditing process as the basis for certification compliance. While MEDINA focuses on cloud services and their compliance with one concrete certification scheme (EUCS), SACM in FISHY assesses the security status of ICT assets across the wider computing continuum of the supply chain without targeting a particular certification scheme. There is therefore room for future complementarity between the two projects, moving towards representative continuous audit-based certification for the whole computing continuum, built on automatic evidence collection. This is especially relevant given the increasing adoption of cloud and edge computing and the arrival of regulations on specific topics or domains, such as AI, which put significant strain on organisations in different sectors to comply with a multitude of different security schemes (see J. Antić et al. 2023).
Antić, J., Costa, J.P., Černivec, A., Cankar, M., Martinčič, T., Potočnik, A., Elguezabal, G.B., Leligou, N. and Boigues, I.T. (2023). Runtime security monitoring by an interplay between rule matching and deep learning-based anomaly detection on logs. In: 2023 19th International Conference on the Design of Reliable Communication Networks (DRCN), pp. 1-5. IEEE.