The role of standardization in MEDINA (part I – Introduction)
3 Feb, 2022
By Jesus Luna Garcia (Bosch)

The topic of standardization plays a very important role in H2020 research projects like MEDINA. On one hand, projects are expected to constantly survey the standardization landscape in order to facilitate early adopters the integration of contributed frameworks into their own ecosystems. On the other hand, projects can contribute their outcomes to relevant standards as a mean to support their sustainability (even after the project’s lifetime). In this context, it is important to adopt a broad notion of “standardization”, as referred not only to the activities of established Standards Developing  Organizations (SDOs like ISO/IEC and ETSI), but also to those taking place within Standards Setting Organizations (SSOs e.g., Cloud Security Alliance). In both cases, a fruitful/efficient collaboration can be only built if the project develops the right strategy for interacting with relevant SDOs and SSOs.

Which are the elements to develop such an strategic approach to standardization? When is the right point for projects to start working on the standardization topic? Despite there is no easy answer to both of these questions, in an upcoming series of blogposts we will discuss some lessons learned from the MEDINA perspective to maximize the benefits of standardization, in particular related to the topic of continuous certification. For the time being, needless to say that every standardization strategy should first provide an answer to the question: why standards are relevant for our project? This is not just a rhetorical question, but it should really provide awareness to the different Work Packages about their expectation (and potential contribution) to the standardization field. Let us take a quick look on how MEDINA’s technical work packages approach this question:

Technical Work Package What we get from SDO/SSO? (Example) What we contribute to SDO/SSO? (Example)
WP2 – Certification Metrics and Specification Languages Catalogues of industrial-recommended metrics like this one from CSA, which are then analyzed both from the EUCS perspective and MEDINA’s framework-side. The set of metrics elicited by the MEDINA team (derived from EUCS), is expected to be contributed to relevant standardization bodies like CEN CENELEC. This activity is expected to last even after the project’s lifetime.
WP3 – Tools to Gather Evidences for High-Assurance Cybersecurity Certification Terminology and conformance assessment processes based on ISO/IEC 17065:2012, which are then interpreted from a “continuous” perspective in the development of the MEDINA framework. The EUCS notion of “continuous” is not only disrupting the way Cloud Service Providers implement cybersecurity, but also the methodologies applied by Conformance Assessment Bodies to assess those implementations as scale. The relevant methodologies are an expected MEDINA contribution, which will be targeting specific standardization activities like the referred ISO/IEC 17065:2012.
WP4 – Continuous Life-Cycle Management of Cloud Security Certifications Alignment to the core EUCS requirements (December-2020 draft) related to the design of the maintenance lifecycle for certificates. The criteria to be defined by MEDINA in order to manage the EUCS certificate’s lifecycle, will be contributed to the implementation guidelines to be documented by ENISA after the release of EUCS.

The table above shows basic examples about how MEDINA creates synergies with the relevant standardization landscape as driven by corresponding activities in WP7. There is more than meets the eye behind MEDINA’s standardization, and this will be in the focus of this ongoing series of blogposts related to such an interesting topic. Stay tuned!