Cybersecurity: Certifying cloud services with real-time data

As the CTO of a major bank, Robert is responsible for ensuring that customer data is handled properly and securely. To keep costs in check and ensure on-demand scalability, he is looking to replace the existing in-house solution with a cloud-based approach.

Robert and the conventional test methods

Regulatory authorities place high demands on data security within the banking sector, and compliance with these demands has to be verified through certification. In the bank’s own data centers, Robert can prove that the security level required by the regulatory authorities is being achieved. Professional cloud vendors typically hold multiple certifications that attest that their products meet the security standards. However, these certifications only prove that the cloud products complied with the relevant criteria at the time they were certified. This traditional method of certification is therefore not adequate for claiming that the level of security offered by a cloud solution is sufficiently high from the standpoint of the regulatory authorities. In addition, continuously updated information has to be made available to show that the required level of compliance has been achieved.

Robert’s challenge in detail

Cloud computing has become the de facto standard for the provision of IT services – not just within the banking sector, but in virtually all industries – resulting in benefits that include flexibility, cost efficiency, and reduced maintenance. Nevertheless, adopting cloud computing also entails a loss of control with regard to data security and data protection, which can be a barrier for potential cloud customers. Cloud service providers have responded to this issue by increasing the level of transparency in their security and data protection features and by conducting externally monitored audits for various certifications. These audits are typically conducted annually or semi-annually, which means that any interim changes to the cloud infrastructure aren’t reflected in the audit reports until the next official review.

Real-time certification is the solution for Robert

In principle, the solution is simple, but its implementation is complex. Instead of traditional, process-driven, and selective certification, what is needed is continuous, automated monitoring by means of data-driven, real-time certification.

That type of audit, based on a tightly timed evaluation of checks and controls, is in particular demand among cloud customers with sensitive data such as financial institutions or companies in the industrial sector. Implementing continuous certification dramatically improves the level of trust, transparency, and certainty. At present, however, there is no commonly established method for monitoring the compliance of cloud services in real time.

In 2020, the revision of the C5 catalogue of requirements (Cloud Computing Compliance Criteria Catalogue, which specifies the minimum requirements for secure cloud computing) of the German Federal Office for Information Security (BSI) highlighted the possibility of monitoring the requirements continuously. The technical feasibility of this kind of monitoring was, however, not addressed in detail.

The ideal scenario for CTOs like Robert is for the cloud service providers to be able to offer this kind of data-driven certification themselves. That would ensure compliance with security requirements at all times, which would in turn result in a significant increase in transparency. The status of compliance in this scenario is based on data that can be verified in near real time.

The idea behind it is a standardized evaluation of controls designed to make the security features of the information system comparable and to validate them. One conceivable approach is to view security controls as a set of service level objectives (SLOs) or service quality objectives (SQOs), similar to the definition of service level agreements (SLAs). In other words, the key component of an automated, continuous audit is the definition of concretely quantifiable attributes and targets that delineate a given security check. These allow organizations to assess whether the associated objectives are being met and thus verify that a specific security check is in place.
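The following sketch is an added example of this approach, not code from Fabasoft or the MEDINA project: each control becomes a measurable objective with a target and a maximum evidence age, and the newest measurement decides its status. The control names, metrics, thresholds, and sample measurements are assumptions constructed for illustration and are not C5 identifiers.

```python
import operator
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OPS = {">=": operator.ge, "<=": operator.le}
@dataclass(frozen=True)
class Objective:
    control: str         # hypothetical control name, not a C5 identifier
    metric: str          # quantifiable attribute the control is measured by
    op: str              # comparison applied as: value <op> target
    target: float
    max_age: timedelta   # evidence older than this no longer counts
@dataclass(frozen=True)
class Measurement:
    metric: str
    value: float
    taken_at: datetime

def evaluate(objectives, measurements, now):
    """Map each control to 'met', 'violated' or 'no_fresh_evidence'."""
    latest, statuses = {}, {}
    for m in sorted(measurements, key=lambda m: m.taken_at):
        if m.taken_at <= now:          # ignore future-dated evidence
            latest[m.metric] = m       # later readings overwrite earlier ones
    for o in objectives:
        m = latest.get(o.metric)
        if m is None or now - m.taken_at > o.max_age:
            statuses[o.control] = "no_fresh_evidence"   # stale is not compliant
        else:
            statuses[o.control] = "met" if OPS[o.op](m.value, o.target) else "violated"
    return statuses

def certificate_valid(statuses):
    return all(s == "met" for s in statuses.values())

# Constructed sample data: objectives, thresholds and readings are illustrative.
NOW = datetime(2020, 11, 1, 12, 0, tzinfo=timezone.utc)
OBJECTIVES = [
    Objective("encryption-at-rest", "encrypted_volume_ratio", ">=", 1.0, timedelta(minutes=15)),
    Objective("transport-encryption", "min_tls_version", ">=", 1.2, timedelta(minutes=15)),
    Objective("patch-latency", "days_oldest_critical_patch", "<=", 7, timedelta(hours=24)),
]
MEASUREMENTS = [
    Measurement("encrypted_volume_ratio", 1.0, NOW - timedelta(minutes=10)),
    Measurement("encrypted_volume_ratio", 0.98, NOW - timedelta(minutes=2)),  # interim change
    Measurement("min_tls_version", 1.2, NOW - timedelta(hours=3)),            # evidence too old
    Measurement("days_oldest_critical_patch", 3, NOW - timedelta(hours=1)),
]
```

With the sample data, the interim configuration change and the outdated TLS evidence both invalidate the certificate immediately, which is the gap an annual or semi-annual audit leaves open.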

This is the challenge that Fabasoft, together with an international team of partners, will address within the European project MEDINA starting in November 2020.