The project “European Security Certification Framework” (EU-SEC) will aim to create a European framework for certification schemes and evaluation concepts to secure cloud infrastructures. Within this framework, existing national and international certifications can co-exist. EU-SEC will improve the business value as well as the effectiveness and efficiency of existing cloud security certification schemes.
The EU-SEC project aims to contribute to the trustworthiness, security and compliance of cloud infrastructures. To achieve this goal, the following requirements must be met:
- Existing national and sector-specific certification schemes must be considered and balanced.
- At the same time, the cost of certification for Cloud Service Providers (CSPs) must be reduced.
- Certification and evaluation activities that can be handled automatically by machines (e.g. collecting data) should not have to be done manually by humans.
- Accurate and reliable information should be made available to authorized persons using automated means.
Key aspects of the development of the framework are:
- mutual recognition of certifications,
- reusability of already certified components,
- continuous auditing and monitoring,
- reducing the overall duration and cost of cloud certification processes.
The EU-SEC framework will provide a validated reference architecture with appropriate tools. Furthermore, it will develop a governance structure to integrate new requirements into the framework. The framework will enable stakeholders in the ICT security ecosystem to improve the efficiency and effectiveness of their current IT security risk management, assurance and compliance.
The EU-SEC project supports the European Union's strategy of implementing the Digital Single Market Strategy, the European Cloud Initiative, the upcoming NIS Directive and the General Data Protection Regulation (GDPR).
Key elements of EU-SEC
EU-SEC deals with problems of various security certification schemes in order to improve their effectiveness and efficiency. These include the lack of automation in the auditing process and the lack of harmonized rules for bridging the gap between various certification schemes.
The project uses advanced tools and products (TRL 6 - TRL 9) to support and further develop automation.
The governance structure of the EU-SEC framework allows the agile implementation of new requirements and ensures provider transparency through continuous monitoring.
The resulting framework will be validated in two representative pilot projects:
- multiparty recognition schemes for national, sectoral and international security certifications,
- continuous-auditing-based certification for the banking sector.
EU-SEC will gradually develop business plans to capture the economic value of developments.