Continuous compliance: From traditional auditing to real-time certification

The blog post Cybersecurity: Real-time data for cloud service certification centers on Robert, the CTO of a major bank, and his quest for ongoing and automated auditing for cloud services. In the follow-up article MEDINA and EU cybersecurity – a new European approach to security?, Alex, compliance manager at a European cloud service provider, takes a major step toward this goal with the aid of the MEDINA platform and its “compliance-as-code” approach. In this post we’ll be exploring how one cloud provider is using MEDINA to finally fulfill Robert’s wish.

The traditional cloud certification process

Implementing the annual certifications that the cloud provider currently holds involves not only Compliance Manager Alex, who focuses on the organization as a whole, but also a number of internal control owners. In this role, Julia and Christopher, together with other senior managers, are responsible for ensuring that the security standards in their areas are complied with. To do so, they have to verify and demonstrate that their teams carry out specific control and inspection activities at regular intervals.

The audits themselves – be they internal or external – consume a great deal of the relevant staff’s working time, time that Alex, Julia, and Christopher need for their core tasks. During her research into the new EUCS (European Cybersecurity Certification Scheme for Cloud Services), Alex came across MEDINA – just the ticket Robert needed to gain access to secure, real-time certified cloud computing.

Working with MEDINA for continuous compliance

Looking forward, the MEDINA platform will support automated, continuous certification with a suite of efficient tools.

Once MEDINA is integrated, a so-called company compliance dashboard lets compliance managers like Alex import complete inspection catalogs in no time at all. The controls, already prepared for further processing, are then distributed to the internal control owners, and Alex can track their current status at a glance.

Christopher and Julia then assign the individual controls in one go, either to their teams or to themselves, for execution. Predefined metrics and examples serve as a point of reference, and existing metrics from other frameworks can be reused.

Just as before, an auditor inspects and approves the controls once they have been implemented. The routine control activities ensure that the cloud provider’s compliance status is maintained on an ongoing basis. The evidence collected by the cloud provider is stored centrally for the auditors to access on demand. The only time a fresh audit needs to be carried out is when the controls are modified, and thanks to the available evidence, that process is straightforward and much faster. Since the compliance status is being communicated continually, Robert is in a position to demonstrate and justify the cloud solution’s high level of security to regulators at any point in time.
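To make the “compliance-as-code” workflow described above concrete, here is a small added illustration (it is not MEDINA’s code or data model, and all control, metric and evidence names are hypothetical): controls reference reusable metrics, metrics are evaluated against centrally collected evidence with a freshness limit, a single metric is shared by controls from two frameworks, and the auditor’s approval is tied to a fingerprint of the control definition, so that only a modified control triggers a fresh audit.

```python
# Added illustration of "compliance-as-code": controls reference reusable
# metrics, metrics are evaluated against collected evidence, and a change to
# a control definition invalidates its earlier audit approval.
# Hypothetical names and constructed sample data; not MEDINA's code or data model.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json


@dataclass(frozen=True)
class Metric:
    id: str
    evidence_key: str   # which collected evidence record this metric reads
    operator: str       # one of "==", "<=", ">="
    target: object      # value the evidence must satisfy


@dataclass(frozen=True)
class Control:
    id: str
    framework: str
    owner: str
    metric_ids: tuple   # metrics can be shared across frameworks

    def fingerprint(self) -> str:
        """Hash of the control definition; the auditor approves a fingerprint."""
        payload = json.dumps(
            {"id": self.id, "framework": self.framework,
             "metrics": sorted(self.metric_ids)}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


OPS = {"==": lambda a, b: a == b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def evaluate_metric(metric, evidence, now, max_age):
    """Return (status, observed value); evidence older than max_age is STALE."""
    rec = evidence.get(metric.evidence_key)
    if rec is None:
        return "NO_EVIDENCE", None
    if now - rec["collected_at"] > max_age:
        return "STALE", rec["value"]
    passed = OPS[metric.operator](rec["value"], metric.target)
    return ("PASS" if passed else "FAIL"), rec["value"]


def compliance_report(controls, metrics, evidence, approved, now, max_age):
    """Per-control status plus whether a fresh audit is needed."""
    report = {}
    for c in controls:
        results = {m: evaluate_metric(metrics[m], evidence, now, max_age) for m in c.metric_ids}
        status = "COMPLIANT" if all(r[0] == "PASS" for r in results.values()) else "NON_COMPLIANT"
        report[c.id] = {
            "owner": c.owner,
            "status": status,
            "metrics": results,
            # re-audit only when the definition differs from what was approved
            "reaudit_required": approved.get(c.id) != c.fingerprint(),
        }
    return report


# --- constructed sample catalog and evidence (hypothetical) -----------------
METRICS = {m.id: m for m in [
    Metric("M-TLS", "tls_min_version", ">=", 1.2),
    Metric("M-BACKUP", "backup_age_hours", "<=", 24),
    Metric("M-MFA", "mfa_enforced_admins", "==", True),
]}
CONTROLS = [
    Control("EUCS-CRY-1", "EUCS", "Julia", ("M-TLS", "M-MFA")),
    Control("ISO-A12", "ISO27001", "Christopher", ("M-BACKUP",)),
    Control("ISO-A14", "ISO27001", "Christopher", ("M-TLS",)),  # reuses M-TLS
]
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
EVIDENCE = {
    "tls_min_version":     {"value": 1.2,  "collected_at": NOW - timedelta(hours=1)},
    "backup_age_hours":    {"value": 30,   "collected_at": NOW - timedelta(hours=2)},
    "mfa_enforced_admins": {"value": True, "collected_at": NOW - timedelta(hours=50)},
}
MAX_AGE = timedelta(hours=48)


def approve_all(controls):
    """Simulate the auditor approving each control as currently defined."""
    return {c.id: c.fingerprint() for c in controls}


def run_demo():
    approved = approve_all(CONTROLS)
    before = compliance_report(CONTROLS, METRICS, EVIDENCE, approved, NOW, MAX_AGE)
    # a control owner changes the ISO-A14 definition: the approval no longer matches
    changed = [Control("ISO-A14", "ISO27001", "Christopher", ("M-TLS", "M-MFA"))
               if c.id == "ISO-A14" else c for c in CONTROLS]
    after = compliance_report(changed, METRICS, EVIDENCE, approved, NOW, MAX_AGE)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for cid, row in before.items():
        print(cid, row["status"], "re-audit" if row["reaudit_required"] else "approved")
    print("ISO-A14 after change needs re-audit:", after["ISO-A14"]["reaudit_required"])
```

Two points worth noticing when running it: the MFA evidence is older than the 48-hour freshness window, so EUCS-CRY-1 is reported non-compliant even though the observed value is fine (stale evidence is treated as no evidence, which is what a regulator would expect of a “real-time” status), and only the control whose definition was changed is flagged for re-audit, while the approvals of the unchanged controls remain valid.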

Company compliance dashboard

Fabasoft has joined forces with seven other European partners in the Horizon 2020 MEDINA project to provide companies with the ability to achieve automated, continuous certification, largely in real time. As part of the Fabasoft use case, the Fabasoft (company) compliance dashboard will be deployed as a demo system. The user interface is being designed in collaboration with compliance managers and internal control owners with a view to addressing their needs.

By using standardized interfaces and a similar ontology of test metrics, this dashboard will also support automated verification for Gaia-X’s federated services.

You want to learn more about MEDINA, Gaia-X or Continuous Compliance? Contact me via E-Mail!