KR1: Repository of Metrics and Measures
This result entails a clear definition of the technical and organizational measures relevant for cloud service providers, along with the corresponding security metrics (both quantitative and qualitative) for security objectives/TOMs such as those related to system security and integrity, operational security, business continuity and incident management.
KR2: Risk-Based Selection of Controls to reach the certification assurance levels
MEDINA proposes a tool-supported methodology for the selection of controls and associated TOMs, which addresses the concrete needs of a CSP by taking into consideration both its risk appetite and the requested certification's assurance level. The tool shall be based on a risk-assessment methodology in order to help the CSP, as well as an editor, to identify the key assets, threats and existing weaknesses of the cloud system. Identifying those elements should support stakeholders in reflecting their chosen TOMs in accordance with their risk strategy, along with the risk treatment options.
KR3: Certification Language
MEDINA will provide a language specification which expresses the most relevant aspects of a security certification scheme in a machine-readable format using a domain-specific language (DSL). The transformation from textual representations of major standards will be done semi-automatically using Natural Language Processing (NLP).
KR4: Continuous Evidence Management Tools
This result entails the provision of tools and techniques to manage and collect trustworthy evidence validating the provided cloud security certification, both at code and at service level, based on the repository of metrics (see KR1) and depending on the selected Conformity Assessment Methods (CAMs). These tools analyse the security of the cloud applications' source code using novel techniques from the field of static code analysis, such as code property graphs, and analyse the configuration and log files of new computing paradigms such as serverless functions. Furthermore, organisational measures will be addressed by the use of semantic document analysis using NLP. Technologies such as Blockchain or DLT will be explored to provide trustworthiness of the gathered evidence across the whole life-cycle and to guarantee that a piece of evidence can be used in a specific CAM/EU CSA assurance level.
KR5: Cloud Certificate Evaluator
This result is responsible for defining the proper techniques and developing tools to evaluate the collected evidence (see KR4) against the properties needed to reach a particular certification target specified in a machine-readable way (see KR3), by evaluating the efficiency/efficacy of the chosen controls (cf. KR2).
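The chain from KR1 to KR5 (a metric repository, a machine-readable certification target, collected evidence, and an evaluator that decides whether the target is met) can be illustrated with a small toy evaluator. The following is an added example, not MEDINA's own repository, DSL or tooling: the metric names (`TLSVersion`, `AtRestEncryptionEnabled`, `LogRetentionDays`), the JSON layout of the target, the control identifiers and the evidence records are all constructed assumptions. It shows two points an evaluator has to get right: only the most recent evidence per resource counts, and a resource with no evidence at all is treated as non-compliant rather than silently passing.

```python
"""Toy evidence evaluator: metric repository + machine-readable target + evidence.

Added illustration only. The metrics, the JSON target format and the evaluation
rules are assumptions and do not reproduce MEDINA's own repository, DSL or tools.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

# Assumed metric repository (KR1-style): each metric says how a measurement is compared.
METRICS = {
    "TLSVersion": {"description": "Minimum TLS protocol version accepted", "operator": ">="},
    "AtRestEncryptionEnabled": {"description": "Storage is encrypted at rest", "operator": "=="},
    "LogRetentionDays": {"description": "Days that audit logs are retained", "operator": ">="},
}

# Assumed machine-readable certification target (a KR3-style DSL rendered as JSON):
# each control names one metric and the target value that must hold on every resource.
TARGET_JSON = """
{
  "scheme": "example-scheme",
  "assurance_level": "substantial",
  "controls": [
    {"id": "CKM-01", "metric": "TLSVersion", "target": 1.2},
    {"id": "CKM-02", "metric": "AtRestEncryptionEnabled", "target": true},
    {"id": "OPS-05", "metric": "LogRetentionDays", "target": 90}
  ]
}
"""

_OPERATORS = {
    ">=": lambda measured, target: measured >= target,
    "<=": lambda measured, target: measured <= target,
    "==": lambda measured, target: measured == target,
}


@dataclass(frozen=True)
class Evidence:
    """One measurement collected from one resource (KR4-style evidence record)."""
    resource_id: str
    metric_id: str
    value: Any
    collected_at: datetime


def latest_evidence(evidence: list[Evidence]) -> dict[tuple[str, str], Evidence]:
    """Keep only the newest measurement per (resource, metric); older records are superseded."""
    latest: dict[tuple[str, str], Evidence] = {}
    for ev in evidence:
        key = (ev.resource_id, ev.metric_id)
        if key not in latest or ev.collected_at > latest[key].collected_at:
            latest[key] = ev
    return latest


def evaluate(target_json: str, evidence: list[Evidence], resources: list[str]) -> dict[str, dict[str, bool]]:
    """Return {control_id: {resource_id: compliant}}.

    A resource without evidence for a metric is reported as non-compliant:
    absence of evidence must never be read as compliance.
    """
    target = json.loads(target_json)
    latest = latest_evidence(evidence)
    results: dict[str, dict[str, bool]] = {}
    for control in target["controls"]:
        compare = _OPERATORS[METRICS[control["metric"]]["operator"]]
        per_resource = {}
        for res in resources:
            ev = latest.get((res, control["metric"]))
            per_resource[res] = ev is not None and bool(compare(ev.value, control["target"]))
        results[control["id"]] = per_resource
    return results


def certificate_valid(results: dict[str, dict[str, bool]]) -> bool:
    """The target is met only if every control holds on every in-scope resource."""
    return all(ok for per_resource in results.values() for ok in per_resource.values())


def _ts(day: int) -> datetime:
    return datetime(2024, 1, day, tzinfo=timezone.utc)


# Constructed sample evidence: vm-1 is fully compliant, vm-2's log retention was
# lowered by a later configuration change, vm-3 has produced no evidence at all.
SAMPLE_EVIDENCE = [
    Evidence("vm-1", "TLSVersion", 1.2, _ts(1)),
    Evidence("vm-1", "AtRestEncryptionEnabled", True, _ts(1)),
    Evidence("vm-1", "LogRetentionDays", 120, _ts(1)),
    Evidence("vm-2", "TLSVersion", 1.3, _ts(1)),
    Evidence("vm-2", "AtRestEncryptionEnabled", True, _ts(1)),
    Evidence("vm-2", "LogRetentionDays", 90, _ts(1)),
    Evidence("vm-2", "LogRetentionDays", 30, _ts(2)),  # newer record wins
]
RESOURCES = ["vm-1", "vm-2", "vm-3"]

if __name__ == "__main__":
    report = evaluate(TARGET_JSON, SAMPLE_EVIDENCE, RESOURCES)
    for control_id, per_resource in report.items():
        print(control_id, per_resource)
    print("certificate target met:", certificate_valid(report))
```

Run as a script it reports `OPS-05` failing on `vm-2` (the newer 30-day retention record supersedes the older 90-day one) and every control failing on `vm-3`, so the overall target is not met; restricting the scope to `vm-1` alone yields a valid result. A real evaluator would additionally record why each verdict was reached and which evidence record it relied on, which is what makes the result auditable.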
KR6: Risk-based Auditor Tool
The auditor tool will manage the whole life-cycle of cloud security certification in MEDINA, e.g. issuing and revocation, as well as publishing the certification result to a public registry (if provided by the certification body). It will monitor the continuous compliance of the CSP with respect to the security controls and conformity assessment methods. Similar to the selection of controls, it follows a risk-based approach, which gives the certification process flexibility: an ever-changing threat landscape often requires a timely reaction from the security team, provoking changes in the security configuration. These changes may be efficient from the risk-treatment point of view, but they will affect the previously obtained certificate, in the worst case invalidating it. Timely adjustment of the CSP's risk profile and re-evaluation of the efficiency of its security configuration is therefore crucial to align the compliance and security teams. The developed tools will explore the automation and management of cloud certifications based on smart contracts.
KR7: Use cases
Use cases will offer MEDINA partners the possibility to assess the usefulness and suitability of the MEDINA approach/toolset in real cases of CSPs. MEDINA use cases will cover IaaS, PaaS and SaaS.
KR8: Standardization roadmap
This entails activities performed in the context of standardization and standards observation.
KR9: Training and awareness activities
To disseminate the project results to a larger audience, dedicated training and awareness material will be produced. This includes, for example, materials for Massive Open Online Courses (MOOCs), social media, and participation in workshops, conferences and other events. The scientific results of the project will be published in scientific journals and conferences.