This validation scenario will solve the following issues:
- Identify the technical and organizational measures to certify in a complex cloud supply chain for the three EU CSA’s levels of assurance (basic, substantial, and high). Elicited TOMs will be derived from international standards and real-world IoT verticals like Smart Home, Smart Mobility and Industry 4.0.
- Perform the empirical validation of the continuous certification scheme (i.e. high assurance in the EU CSA), including the gathering of relevant evidence, in a real-world cloud ecosystem.
- Identify the gaps, which need to be solved in order to adapt existing audit practices to fulfil the requirements of the EU CSA (for assurance levels basic and high).
- Develop a set of reference architectures for the deployment of MEDINA’s components e.g., SaaS based, Onpremises based, Hybrid-deployment based.
- Realize the real-world security requirements for onboarding MEDINA into a corporate environment.
Application where MEDINA will be used:
This use case will deploy a set of IaaS and PaaS services, commonly used for IoT backends, in at least three public CSPs. We refer to managed Kubernetes clusters, transactional SQL databases, raw virtual storage, virtual networks, virtual machines (e.g., as jump hosts), and serverless PaaS (e.g., functions).
The proposed system model looks like the one shown in the figure below.
Expected benefits/ improvements using MEDINA tools
- Provision of empirical feedback to international working groups/standardization activities on continuous certification (e.g., ENISA, DigitalEurope, ANSSI, US NIST, and BSI).
- Support the digital transformation of European SMEs by contributing with a blueprint to deploy the MEDINA framework (tools, techniques), in its different certification assurance levels/TOMs for cloud services (“audit once, certify many”).
- Benchmarking the contributed MEDINA framework with respect to state of practice/commercial solutions (e.g., Azure Policies, AWS Config Rules).