
Periodic Reporting for period 1 - EU-SEC (The European Security Certification Framework)

Summary

The EU-SEC project has the ambition to make the current cloud security and privacy certification landscape more effective and efficient. This will be mainly reached by the creation of a multiparty recognition framework for third party audit-based certification and a new approach for better cloud assurance based on continuous auditing-based certification.
The validation is accomplished using two real-world pilots of mutual recognition of certification schemes for national/sectorial/international security, and continuous certification for the banking sector.
By adopting the EU-SEC framework, stakeholders in the ICT security certification ecosystem will be equipped with a validated governance structure, an EU-SEC reference architecture, and a corresponding set of tools to improve the efficiency and effectiveness of existing security certification schemes. EU-SEC will address the issues of security governance, risk management and compliance in the cloud, while also enhancing trustworthiness and transparency in the ICT supply chain through positive results and business cases developed by industrial partners who are leaders in this sector.

A configurable reference architecture will be developed that makes it possible to evaluate existing, mature technologies and tools with regard to their effectiveness and efficiency. To that end, methods will be provided for evaluating how well existing security certification tools perform in the context of evolving cloud services.
Providing a framework to integrate tools that support effective and efficient security certification of cloud services is a two-step process. First, the framework has to make it possible to determine whether an existing tool, e.g. one supporting the management of controls and evidence, satisfies the quality standard necessary for use as a certification system component.

Work performed

A common methodology was defined for the collection and evaluation of the requirements, composed of two phases: requirements gathering in Phase 1 and requirements consolidation in Phase 2. The method first identified the key components of a certification scheme and then built criteria for comparing security certifications.
The requirements were collected from several input documents, and for every identified requirement we evaluated how it corresponds to the security and privacy controls. The comparison and mapping were done using the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and followed the CSA Standard Mapping Methodology. The CCM is a cloud-relevant information assurance control framework that gives a detailed understanding of security concepts and principles and is widely adopted by both cloud service providers (CSPs) and cloud service consumers.
In the first phase, we selected the requirements from the identified input documents and provided the initial mapping to the security controls. The second phase was used to consolidate the requirements and to indicate potential contributions to the EU-SEC requirements and controls repository. The methodology thus relied on two existing components: the CSA CCM served as the security controls scheme, and the comparison between the requirements and the CCM controls followed the CSA mapping methodology.
The outcome provided 804 relevant requirements and their relationships with the CCM security controls.
The CCM controls already satisfied 71% of requirements (no gap). This showed well-regulated areas where the CCM itself covered requirements from different thematic domains.
An important tool within the EU-SEC framework is the Privacy Level Agreement Code of Conduct (PLA CoC). It covers a missing component in the EU compliance landscape, namely the lack of an EU certification scheme for privacy and data protection that is tailored to the cloud computing market and satisfies the requirements of the GDPR. The PLA CoC provides guidance to cloud service providers and customers (and other stakeholders) for ensuring compliance and transparency with respect to data protection and privacy under the EU regulatory landscape.
Equally important, the proposed PLA CoC governance structure and its integrated management processes will support the maintenance and continued alignment of the tool in two ways. First, internally to the EU-SEC framework, it will provide consistency and updates with respect to any changes to the EU-SEC privacy control/requirements repository. Secondly, it will establish trust and compliance transparency with the various external stakeholders in the cloud computing industry through coherent communication management and adherence mechanisms.
The development of the governance structure within EU-SEC addresses the extensibility of the certification scheme to privacy and security regulations. The governance structure aims to deploy continuous audit methods within an operational system, driven specifically by security, privacy, regulatory and quality-of-service requirements.
The multiparty recognition framework will be validated and evaluated in three pilots: at the Slovenian Ministry of Public Administration and the Slovakian Ministry of Finance for an ISO 27-series audit, and at Fabasoft for an ISAE-type audit. Preparations for the audits are ongoing.

Final results

One of the main outputs of the EU-SEC project is a European recognition framework. To achieve this goal, EU-SEC will work on requirements normalisation, standardisation of the concept of "acceptable evidence" and, finally, principles and mechanisms for mutual recognition between certifications.
The EU-SEC project proposes continuous certification as an enhancement of the current manual certification procedures, incorporating automated and continuous workflows for collecting and evaluating evidence. The existing tools support continuous security audits of cloud services and rely on monitoring- and test-based techniques that produce evidence.
The design and implementation of the architecture ensures trustworthy, reliable and performant management of evidence. This includes the storage of evidence as well as all the interfaces, data formats and protocols required for seamless and generic transport of data from the evidence producer to the storage element, and from the storage element to data consumers and CSP end users.
The continuous auditing certification scheme provides the guidance needed to implement the enabling processes for continuous auditing. It is based on a method that breaks a control set down into measurable attributes, and on a model describing the relationships between control, objective, attribute and measurement.
The EU-SEC framework addresses, from both a governance and a technical perspective, the challenges of continuous monitoring and auditing as a foundation for cloud security certification. It covers the requirements of sectors that demand a high level of security assurance.
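To make the control/objective/attribute/measurement model and the producer-to-store-to-consumer evidence flow concrete, here is an added Python illustration; it is not EU-SEC project code, and the control, attribute names, thresholds and evidence records are all constructed for the example. It also shows the failure mode a continuous scheme has to handle: evidence that is missing or too old is reported as "unknown" rather than treated as a pass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Control:
    control_id: str   # constructed identifier, not a real CCM control id
    objective: str
    attributes: dict  # attribute name -> (measurement rule, max evidence age)

@dataclass
class Evidence:       # one record from a monitoring- or test-based producer
    attribute: str
    value: object
    collected_at: datetime
    source: str       # "monitoring" or "test"

class EvidenceStore:  # storage element between producers and consumers
    def __init__(self):
        self.records = []
    def ingest(self, ev):
        self.records.append(ev)
    def latest(self, attribute):
        hits = [e for e in self.records if e.attribute == attribute]
        return max(hits, key=lambda e: e.collected_at) if hits else None

def evaluate(control, store, now):
    # Consumer side: derive the control status from per-attribute measurements
    verdicts = {}
    for name, (check, max_age) in control.attributes.items():
        ev = store.latest(name)
        if ev is None or now - ev.collected_at > max_age:
            verdicts[name] = "stale"   # missing or outdated evidence never passes
        else:
            verdicts[name] = "pass" if check(ev.value) else "fail"
    if "fail" in verdicts.values():
        return "non-compliant", verdicts
    return ("unknown" if "stale" in verdicts.values() else "compliant"), verdicts
KEY_CTRL = Control("CTRL-TOY-1", "Keys rotated and only strong TLS offered", {  # constructed
    "key_age_days": (lambda v: v <= 90, timedelta(days=1)),
    "tls_min_version": (lambda v: v >= 1.2, timedelta(days=7))})

def demo():
    now = datetime.now(timezone.utc)
    store = EvidenceStore()
    store.ingest(Evidence("key_age_days", 45, now - timedelta(hours=2), "monitoring"))
    store.ingest(Evidence("tls_min_version", 1.2, now - timedelta(days=1), "test"))
    fresh = evaluate(KEY_CTRL, store, now)[0]                       # compliant
    store.ingest(Evidence("key_age_days", 120, now - timedelta(minutes=5), "monitoring"))
    late = evaluate(KEY_CTRL, store, now)[0]                        # non-compliant
    stale = evaluate(KEY_CTRL, store, now + timedelta(days=10))[0]  # unknown
    return fresh, late, stale
```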

Website & more info

More info: https://www.sec-cert.eu/.