Automated cybersecurity monitoring: the path to continuous compliance

As part of a private call for EUCS (European Union Cybersecurity Certification Scheme on Cloud Services) experimentations organized by ENISA (European Union Agency for Cybersecurity), Bosch, Fabasoft and Nixu worked on an experimental environment to address this question: “How can the requirements of continuous (automated) monitoring for EUCS at the ‘high’ assurance level be fulfilled?”

What is EUCS level “high”?

The upcoming EUCS cybersecurity certification scheme is divided into three compliance levels:

  • Basic: “intended to minimize the known basic risks of incidents and cyberattacks”
  • Substantial: “intended to minimize the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources”
  • High: “intended to minimize the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources”

The “high” level mandates the continuous (automated) monitoring of selected security requirements:

EUCS definition of automatic monitoring
Requirements related to continuous monitoring typically mention “automated monitoring” or “automatically monitor” in their text. The intended meaning of “monitor automatically” is:
1. Gather data to analyse some aspects of the activity being monitored at discrete intervals at a sufficient frequency;
2. Compare the gathered data to a reference or otherwise determine conformity to specified requirements in the EUCS scheme.

Source: EUCS Draft Scheme, Dec. 2020

The Experiment

The proof of concept (PoC) performed by the MEDINA team aimed to test the EUCS “high” level requirements for continuous monitoring in terms of their suitability for real-world use. This entailed observing a few selected security requirements from the EUCS catalogue, and then assessing the extent to which automated monitoring meets those requirements over a defined period of time (something known as “operational effectiveness”).
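The two-step EUCS definition quoted above and the “operational effectiveness” assessment the PoC performs, as an added example that is not code from MEDINA, Bosch or Fabasoft: the metric (share of privileged accounts with MFA enforced), its reference value, the sampling interval and the telemetry are all constructed for illustration.

```python
# Added example, not code from the MEDINA project or the EUCS draft scheme.
# It models the two-step EUCS notion of automatic monitoring: (1) gather a metric
# at discrete intervals with a sufficient frequency, (2) compare each value to a
# reference and determine conformity, then summarise conformity over the
# assessment period ("operational effectiveness"). Metric, reference value and
# telemetry are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass(frozen=True)
class Sample:
    taken_at: datetime
    value: float  # hypothetical metric: share of privileged accounts with MFA enforced

REFERENCE = 1.0                 # hypothetical target: every privileged account has MFA
MAX_GAP = timedelta(hours=2)    # hypothetical "sufficient frequency": at least every 2 h

def frequency_sufficient(samples: List[Sample], max_gap: timedelta) -> bool:
    """Step 1 check: consecutive samples must never be farther apart than max_gap."""
    ordered = sorted(samples, key=lambda s: s.taken_at)
    return all(b.taken_at - a.taken_at <= max_gap for a, b in zip(ordered, ordered[1:]))

def conformant(sample: Sample, reference: float) -> bool:
    """Step 2: compare one gathered value to the reference."""
    return sample.value >= reference

def assess(samples: List[Sample], reference: float, max_gap: timedelta) -> Dict[str, object]:
    """Operational effectiveness over the period covered by the samples: the share
    of samples that conformed, plus whether sampling itself was frequent enough.
    If the frequency was insufficient, the ratio is not usable as audit evidence,
    however good it looks, so the result carries both facts separately."""
    hits = [s for s in samples if conformant(s, reference)]
    return {
        "frequency_ok": frequency_sufficient(samples, max_gap),
        "conformant_samples": len(hits),
        "total_samples": len(samples),
        "effectiveness": len(hits) / len(samples) if samples else 0.0,
        "nonconformities": [s.taken_at for s in samples if not conformant(s, reference)],
    }

# Constructed telemetry: hourly samples over one day with a single dip at 13:00.
START = datetime(2030, 1, 1)
SAMPLES = [Sample(START + timedelta(hours=h), 0.96 if h == 13 else 1.0) for h in range(24)]

if __name__ == "__main__":
    print(assess(SAMPLES, REFERENCE, MAX_GAP))
```

Feeding the same evaluator every third sample shows why the frequency check is reported separately: the conformity ratio stays perfect while the evidence becomes unusable.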


The MEDINA team has already gained valuable insight into this approach through the MEDINA project.


Bosch and Fabasoft have the ability to set telemetry points and collect measurement data related to these metrics. To this end, internal monitoring applications (for example, Fabasoft app.telemetry) are used to gather specific information tailored to the requirements and specifications using programmed queries and filters; this information serves as evidence in the audit process. Fabasoft analyzes up to five chosen EUCS “high”-level criteria using the metrics currently being developed in the MEDINA project. A small team of experts implements sample scripts for each criterion and can collect usable data anonymously. The findings point to conclusions about how the metrics can be applied and about the practical relevance of the EUCS requirements.


What does this mean for cloud service certification?

Automated (continuous) monitoring of cloud services, as mentioned by the EUCS, is a milestone required to make continuous certification possible. In the future, the status of an EUCS certificate might be monitored in near real time and updated to reflect the results of the automated assessment.


That said, this level of access does significantly alter the way certifications are maintained. In this context, keeping real people in the role of experts and decision-makers is key – because despite all the automation, the following questions must be critically examined:

  • What are the criteria for suspending certificates?
  • Who decides which nonconformities are serious and which are minor?
  • Is compliance suspended automatically after scoring negatively on a given metric?

The answers to these questions mark another MEDINA milestone on the path to continuous certification.


Do you want to learn more about MEDINA, Gaia-X or continuous compliance, or do you have exciting project ideas? Please feel free to contact me by e-mail!