MEDINA Catalogue of Cloud Security controls and metrics: Towards Continuous Cloud Security compliance.

ABSTRACT

In order to address current challenges on security certification of European ICT products, processes and services, the European Comission, through ENISA (European Union Agency for Cybersecurity), has developed the European Cybersecurity Certification Scheme for Cloud Services (EUCS). This paper presents the overview of the H2020 MEDINA project approach and tools to support the adoption of EUCS and offers a detailed description of one of the core components of the framework, the MEDINA Catalogue of Controls and Metrics. The main objective of the MEDINA Catalogue is to provide automated functionalities for CSPs' compliance managers and auditors to ease the certification process towards EUCS, through the provision of all information and guidance related to the scheme, namely categories, controls, security requirements, assurance levels, etc. The tool has been enhanced with all the research and implementation works performed in MEDINA, such as definition of compliance metrics, suggestion of related implementation guidelines, alignment of similar controls in other schemes, and a set of self-assessment questionnaires, which are presented and discussed in this paper.

The European Agency for Cybersecurity, ENISA has developed a new cybersecurity scheme (EUCS-European Cybersecurity Certification Scheme for Cloud Services) that will become legislation in the upcoming years, with the objective of homogenize the current market fragmentation across Europe in the cybersecurity certification domain. organisations providing cloud computing services in Europe will need to become compliant with this upcoming and new certification. The software tool presented in this article, the MEDINA Catalogue of Controls and Metrics, provides automated functionalities to ease the certification process towards EUCS, through the provision of all information and guidance related to the scheme, namely categories, controls, security requirements, assurance levels, etc.