EMERALD: Evidence Management for Continuous Certification as a Service in the Cloud

TL;DR

EMERALD introduces a cloud-based certification-as-a-service platform to enable continuous, agile cybersecurity certification for diverse cloud environments, enhancing trust and compliance.

Contribution

It proposes a novel EMERALD CaaS framework for continuous certification of European cloud security standards, addressing current gaps and integrating AI complexities.

Findings

Supports continuous certification in heterogeneous environments

Enhances transparency and trust in cloud services

Facilitates compliance with European cybersecurity schemes

Abstract

The conspicuous lack of cloud-specific security certifications, in addition to the existing market fragmentation, hinder transparency and accountability in the provision and usage of European cloud services. Both issues ultimately reflect on the level of customers' trustworthiness and adoption of cloud services. The upcoming demand for continuous certification has not yet been definitively addressed and it remains unclear how the level 'high' of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) shall be technologically achieved. The introduction of AI in cloud services is raising the complexity of certification even further. This paper presents the EMERALD Certification-as-a-Service (CaaS) concept for continuous certification of harmonized cybersecurity schemes, like the EUCS. EMERALD CaaS aims to provide agile and lean re-certification to consumers that adhere to a defined level of security and trust in a uniform way across heterogeneous environments consisting of combinations of different resources (Cloud, Edge, IoT). Initial findings suggest that EMERALD will significantly contribute to continuous certification, boosting providers and users of cloud services to maintain regulatory compliance towards the latest and upcoming security schemes.