Towards secure and trustworthy European Cloud Marketplace: MEDINA and DOME symbiosis
12 Oct, 2023
By Juncal Alonso (TECNALIA)

DOME is the European initiative to create a Federated European Marketplace Ecosystem for Cloud and Edge services. DOME project was launched in January 2023 and the first protype is about to be released with baseline capabilities for the Marketplace such as: Create a new offer, endorse a service (or a federated marketplace) in DOME and the like.

To generate trust in the services offered on the marketplace by the cloud providers, said services must be compliant with the EU regulations, codes of conduct, standards and certification schemes, before being on-boarded and while residing on the marketplace.

As part of the roll-out activities, DOME is addressing the certification of the services inside the Marketplace in accordance to the European regulatory framework, and the upcoming EU Cloud Rulebook, which provides a single European framework with relevant binding and non-binding rules for cloud service customers and providers in Europe. At certification level, DOME proposes:

  1. A formal process to verify the compliance against reference standards,.a methodological framework supported by existing and new tools to evaluate the compliance of the cloud services when being on-boarded in DOME,
  2. The necessary tools to automatically continuously monitor that the certificates attained are valid (e.g., by checking the ENISA’s public registry).
  3. Tools to continuously monitor that the security requirements from the EUCS (European Cloud Security Certification), especially those of assurance level high are always being fulfilled and to support the conformity assessment of the reference standards.

To this respect, the outcomes of MEDINA project can leverage the implementation of the certification approach in DOME, through the MEDINA framework for EUCS certification. MEDINA framework proposes a tool supported methodology for the implementation of the Continuous Monitoring approach defined in the EUCS level high, including:

  • Continuous audit-based certification.
  • Tamper-proof evidence stored in Distributed Ledger Technologies (DLT).
  • Natural Language Processing (NLP) techniques to ease assessment of organizational measures.
  • Role-based visualizations to provide different levels of granularity and assurance for EUCS certificates.
  • Automated generation of compliance assessment rules based derived from the EUCS catalogue.

Figure 1. MEDINA Continuous Monitoring approach for EUCS high requirements

All the cloud services that will be included in the DOME federated marketplace ecosystem will have to warranty some security requirements before being included. MEDINA tools are being considered from the beginning of the project to be incorporated as a mechanism to demonstrate that any cloud service included fulfils the EUCS requirements:

  1. As added value services for the CSPs which want to achieve the EUCS or other certification to be able to be endorsed in DOME, or to gain competitive advantage and transparency to their customers.
  2. As the methodological and technical baseline to define the certification and security compliance approach in DOME.

MEDINA and DOME collaboration already started in 2023 and will continue happening applying the outcomes and lessons learnt from MEDINA towards the implementation of the DOME marketplace with secure and certified European Cloud and Edge services.