1. This project has received funding from the European
Union’s Horizon 2020 research and innovation
programme under grant agreement No 952633
MEDINA: Expert Stakeholder Group Meeting
Cristina Martinez Martinez (Tecnalia, Spain)
Jesus Luna Garcia (Robert Bosch GmbH, Germany)
4. ESG Members
5/4/2022
MEDINA ESG Meeting
Name                          Affiliation               Country
Andreas Weiss                 GAIA-X                    Germany
Clemens Doubrava /            BSI                       Germany
Patrick Grete
Eric Vetillard                ENISA                     Greece
Jim de Haas                   ABN Amro                  Netherlands
Machiel Bolhuis               Oracle / CEN CENELEC      Netherlands
Meghan Hester                 GRC Expert                US
Michaela Iorga                U.S. NIST                 US
Roberto Cascella              ECSO                      Italy
Ronit Reger                   Microsoft Azure           US
Thomas Niessen                GAIA-X                    Germany
Volkmar Lotz                  SAP Research              France
5. MEDINA in a Nutshell
Recap / Progress After 18 Months
6. MEDINA Project Objective
Provide a holistic framework that enhances cloud customers’ control and
trust in consumed cloud services, by supporting CSPs (IaaS, PaaS and SaaS
providers) towards the successful achievement of a continuous
certification aligned to the EU Cybersecurity Certification Scheme for
Cloud Services (EUCS).
7. EU Cybersecurity Act
The EU Cybersecurity Act (EUCSA, April 2019) proposes the creation of EU-wide cybersecurity certification schemes in order to:
- provide an EU-wide cybersecurity baseline (requirements, audit methods)
- enable customers to make risk-based decisions about cybersecurity
- enable continuous cybersecurity compliance
Two EUCSA-derived certification schemes are under preparation:
- EUCC – Cybersecurity Certification Scheme for Common Criteria
- EUCS – Cybersecurity Certification Scheme for Cloud Services
8. EUCS at a glance – Continuous Monitoring
Source: https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme
10. MEDINA At a Glance
Duration: 1st November 2020 – 30th October 2023
EU Budget: 4,480,308.75 €
11. Paving the Road for EUCS-Continuous

Existing certifications: Assurance based on point-in-time assessments.
Approach in MEDINA: Continuous audit-based certification. Tamper-proof evidence stored in DLT.

Existing certifications: Mostly manual/time-consuming assessment processes.
Approach in MEDINA: NLP to ease assessment of organizational measures. OSCAL automation for CSP-agnostic assessments.

Existing certifications: Lack of transparency in cloud security posture.
Approach in MEDINA: Role-based visualizations provide different levels of granularity and assurance for EUCS certificates.

Existing certifications: High customization effort in commercial CSPM (Cloud Security Posture Management) tools.
Approach in MEDINA: Automated generation of compliance assessment rules derived from the EUCS catalogue.
13. MEDINA After 18 Months

WP2
  Keywords: Security controls framework, metrics, risk management, NLP
  Highlights at M18: Initial prototypes, draft catalogue of metrics, NLP leverage, OSCAL experimentation

WP3
  Keywords: Evidence management, organizational measures
  Highlights at M18: Initial prototypes available, NLP for assessing organizational measures, DLT deployment

WP4
  Keywords: Certificate lifecycle management, operational effectiveness, dynamic risk assessment
  Highlights at M18: Initial prototypes available, SSI leverage for CAB

WP5
  Keywords: Integrated architecture, toolset, development/testing
  Highlights at M18: Initial integrated tools / UI available, overall architecture and workflows in draft

WP6
  Keywords: Validation use cases, real-world experimentation, multicloud
  Highlights at M18: Initial deployments at Fabasoft/Bosch, NLP testing on real organizational measures, validation methodology

WP7
  Keywords: Exploitation, communication/dissemination, standardization
  Highlights at M18: Engagement with exploitation "booster" (HRB), participation in relevant events, standardization roadmap
14. Generic MEDINA Workflows

WF1 - Preparation of Target of Certification (ToC)
  Comment: Set up, configure and deploy the cloud service to certify (ToC) on top of the chosen hyperscaler(s). This process includes configuring the underlying PaaS/IaaS.
  Other/Dependency: Prerequisite. CSP responsibility. Dependencies: None.

WF2 - Preparation of MEDINA components
  Comment: Set up, configure and deploy the MEDINA components. Only related to those components under the responsibility of the CSP.
  Other/Dependency: Prerequisite. CSP responsibility. Dependencies: WF1.

WF3 - EUCS deployment on ToC
  Comment: Set up, configure and deploy the corresponding EUCS framework (for the chosen assurance level basic/substantial/high) on the ToC.
  Other/Dependency: Prerequisite. CSP responsibility. Dependencies: WF1, WF2.

WF4 - EUCS Preparedness – ToC Self-Assessment
  Comment: Self-assess preparedness for EUCS certification based on the chosen assurance level. This is a risk-based approach.
  Other/Dependency: Optional workflow. CSP responsibility. Dependencies: WF1, WF2, WF3.

WF5 - EUCS – compliance assessment
  Comment: Performs a point-in-time (discrete) EUCS compliance assessment for the ToC. When such a discrete assessment is executed periodically, we achieve the MEDINA notion of "continuous".
  Other/Dependency: Mandatory workflow. CAB responsibility. Dependencies: WF1, WF2, WF3.

WF6 - EUCS – maintenance of ToC certificate
  Comment: Start the certificate maintenance life-cycle for the ToC. Based on the current EUCS, the maintenance process comprises the following stages: (issuance), renewal, continuation, update, re-issuance (new certificate), withdrawal, suspension.
  Other/Dependency: Mandatory workflow. CAB, CSP responsibility. Dependencies: WF1, WF2, WF3, WF5.

WF7 - EUCS – report on ToC certificate
  Comment: Reports on EUCS certificate status for a ToC. The report can be obtained by the CAB and the CSP, in which case the level of detail provided might vary.
  Other/Dependency: Optional workflow. CAB, NCCA, CSP responsibility. Dependencies: WF1, WF2, WF3, WF5, WF6.
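The following Python model is an added illustration of three ideas on the preceding slides: assessment rules (metrics) derived from a catalogue requirement, the WF5 notion that "continuous" is a discrete assessment repeated periodically, and tamper-proof evidence storage. It is not MEDINA project code and does not use the project's toolset, OSCAL catalogues or DLT; the metric ids, the placeholder control identifiers CTRL-EX-01/CTRL-EX-02, the resource types and the two evidence snapshots are all constructed for the example, and a plain SHA-256 hash chain stands in for the ledger.

```python
"""Added illustration (not MEDINA project code) of catalogue-derived metrics,
repeated point-in-time assessment ('continuous') and tamper-evident evidence.
Metric ids, the placeholder control ids CTRL-EX-01/02, resource types and the
evidence snapshots below are constructed for this example."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Comparison operators a metric may apply to its target value.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda v, t: v == t,
    ">=": lambda v, t: v >= t,
    "<=": lambda v, t: v <= t,
}


@dataclass(frozen=True)
class Metric:
    """A machine-checkable rule: which property of which resource type must
    satisfy which target. control_id is a placeholder, not an EUCS reference."""
    metric_id: str
    control_id: str
    resource_type: str
    prop: str
    operator: str
    target: Any


@dataclass
class EvidenceStore:
    """Append-only hash chain standing in for DLT-backed evidence storage.
    Each entry commits to the previous hash, so editing or removing a record
    invalidates every later link."""
    entries: List[dict] = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, evidence: dict) -> str:
        body = json.dumps(evidence, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, evidence: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._digest(prev, evidence)
        self.entries.append({"prev": prev, "evidence": evidence, "hash": h})
        return h

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["evidence"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def assess(metrics: List[Metric], evidence: List[dict]) -> Dict[str, dict]:
    """One discrete (point-in-time) assessment of every metric against the
    evidence collected for the ToC. A metric with no matching evidence is
    reported as non-compliant rather than silently skipped."""
    results = {}
    for m in metrics:
        matching = [e for e in evidence
                    if e["resource_type"] == m.resource_type and m.prop in e]
        ok = bool(matching) and all(OPERATORS[m.operator](e[m.prop], m.target)
                                    for e in matching)
        results[m.metric_id] = {"control": m.control_id, "compliant": ok,
                                "evidence_count": len(matching)}
    return results


def continuous_status(metrics: List[Metric],
                      snapshots: List[Tuple[str, List[dict]]],
                      store: EvidenceStore) -> List[dict]:
    """The discrete assessment repeated on each periodic evidence snapshot;
    every record is appended to the store before it is evaluated."""
    history = []
    for ts, evidence in snapshots:
        for ev in evidence:
            store.append({"ts": ts, **ev})
        r = assess(metrics, evidence)
        history.append({"ts": ts,
                        "overall": all(x["compliant"] for x in r.values()),
                        "failed": sorted(k for k, x in r.items() if not x["compliant"])})
    return history


# Constructed sample metrics and two collection runs (placeholder ids).
METRICS = [
    Metric("tls-min-version", "CTRL-EX-01", "https_endpoint", "tls_min_version", ">=", 1.2),
    Metric("storage-encrypted", "CTRL-EX-02", "storage_account", "encryption_at_rest", "==", True),
]
SNAPSHOTS = [
    ("2022-05-01T00:00Z", [
        {"resource_type": "https_endpoint", "id": "web-1", "tls_min_version": 1.2},
        {"resource_type": "storage_account", "id": "blob-1", "encryption_at_rest": True}]),
    ("2022-05-02T00:00Z", [  # TLS floor lowered between runs: drift gets caught
        {"resource_type": "https_endpoint", "id": "web-1", "tls_min_version": 1.0},
        {"resource_type": "storage_account", "id": "blob-1", "encryption_at_rest": True}]),
]


def run_demo() -> Tuple[List[dict], bool, bool]:
    """Runs both snapshots, then rewrites the stored non-compliant record to
    look compliant and shows that chain verification detects the edit."""
    store = EvidenceStore()
    history = continuous_status(METRICS, SNAPSHOTS, store)
    intact = store.verify()
    store.entries[2]["evidence"]["tls_min_version"] = 1.2  # tamper in place
    return history, intact, store.verify()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points carry over to a real deployment: a metric with no evidence must fail rather than pass (otherwise a broken collector looks like compliance), and the hash chain only gives tamper evidence, not tamper resistance or availability; a ledger adds replication and independent verification by the CAB, which a single local chain does not.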
18. Summary and Next Steps
MEDINA aims to facilitate the adoption of EUCS, specifically for automated monitoring, while paving the road for continuous certification.
What comes next?
- Full MEDINA validation with Fabasoft and Bosch
- Scalability to different CSPs and certification schemes is underway
- Plan for exploitation and sustainability of results
- Execution of the standardization roadmap
20. Summary and Next Steps
We appreciate your expert feedback!
- General aspects of MEDINA
- Tools & validation
- Dissemination & standardization activities
Of course, please feel free to reach us for in-depth technical discussions!
22. MEDINA – Further Reading
Further details are available in our public reporting (deliverables) at https://medina-project.eu/public-delivera
Communication materials are available at https://medina-project.eu/communication-materials