EMERALD: Evidence Management for Continuous Certification as a Service in the Cloud
Christian Banse, Björn Fanta, Juncal Alonso, Cristina Martinez
TL;DR
This paper tackles the lack of cloud-specific, EU-focused security certifications and market fragmentation by proposing EMERALD, a Certification-as-a-Service (CaaS) framework for continuous cybersecurity certification. EMERALD centers on evidence management and a Certification Graph to automate data collection, modeling, and assessment across infrastructure, application, organizational, and data layers, with OSCAL-aligned controls and a Mapping Assistant (MARI) for cross-scheme compatibility. Key contributions include a machine-readable repository of controls and metrics, semantic evidence modeling, an orchestrated certification process, and a blockchain-enabled trust layer to ensure evidence integrity, enabling lean, continuous re-certification aligned with EUCS and future schemes. Validation is pursued through four pilots across private and hybrid multi-cloud environments to demonstrate feasibility, interoperability, and regulatory compliance, aiming to reduce certification time and bolster European cloud sovereignty in the secure cloud continuum.
Abstract
The conspicuous lack of cloud-specific security certifications, together with the existing market fragmentation, hinders transparency and accountability in the provision and usage of European cloud services. Both issues ultimately affect the level of trust customers place in cloud services and, with it, their adoption. The upcoming demand for continuous certification has not yet been definitively addressed, and it remains unclear how the assurance level 'high' of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) is to be achieved technologically. The introduction of AI in cloud services raises the complexity of certification even further. This paper presents the EMERALD Certification-as-a-Service (CaaS) concept for continuous certification against harmonized cybersecurity schemes such as the EUCS. EMERALD CaaS aims to provide agile and lean re-certification to consumers that adhere to a defined level of security and trust, applied uniformly across heterogeneous environments composed of different resource types (Cloud, Edge, IoT). Initial findings suggest that EMERALD will contribute significantly to continuous certification, helping providers and users of cloud services maintain regulatory compliance with the latest and upcoming security schemes.
