The MEDINA Cloud Certification Language
27 Sep, 2022
By Marinella Petrocchi (CNR)

Cloud security certification schemes consist of a set of rules, technical requirements, standards and procedures to strengthen the cybersecurity of ICT services and products. The terms and conditions of such schemes are published in natural language. This is the case, for example, for the EUCS draft candidate Cloud Certification Scheme [1]. A rigorous translation procedure is therefore required to produce a machine-readable format from the textual Natural Language (NL) requirements. This translation should minimise human intervention as much as possible, since human intervention is error-prone and time-consuming.

The MEDINA consortium is developing a Cloud Certification Language for expressing cloud certification rules in a uniform way and without the ambiguity of natural language (the latter being inherently more complex). The MEDINA Cloud Certification Language will be machine-readable and will be the input of the MEDINA Assessment Tools.

To provide a lean and seamless link between what the official documents of the European Commission dictate in terms of certification and the definition of the MEDINA language, the consortium is working as follows:

  1. Semi-automatically translate Natural Language (NL) cloud certification terms and conditions, as they appear in the official EUCS documents, into policies expressed in a Controlled Natural Language (CNL).
  2. Visualize and possibly revise the generated CNL via a CNL Editor Tool, to verify the generated policy statements before proceeding with the mapping to the certification language.
  3. Map the CNL to a runtime-enforceable language that can be used by the MEDINA assessment tools to check the compliance status of the certification terms and conditions.

Controlled natural languages (CNLs) are subsets of natural languages, specifically conceived to make language processing simpler. A CNL is, in essence, a constructed language that is based on a natural language but is more restrictive in terms of lexicon, syntax and semantics, while retaining most of its natural properties. CNLs prevent quality problems in requirements documents, while maintaining the flexibility to write and communicate requirements in an intuitive and universally understood manner [2].

We are developing the components of the MEDINA architecture that constitute the building blocks to achieve the Cloud Certification Language.

  • The CNL translator translates EUCS NL requirements into their MEDINA CNL representation.
  • The CNL editor is the user interface that allows users to visualize and possibly revise the translation of the requirements into the MEDINA CNL.
  • The mapper is the MEDINA component that maps the not-yet-executable MEDINA CNL into the MEDINA Certification Language, whose statements are instead machine-readable.

[1] ENISA, “EUCS – Cloud Services Scheme,” https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme.

[2] T. Kuhn, “A Survey and Classification of Controlled Natural Languages,” Computational Linguistics, vol. 40, no. 1, pp. 121-170, 2014.