Three years, ten European partners, and a number of significant innovations, coupled with an exceptionally positive project assessment by the European Commission as well as independent experts. Those are the cornerstones of the “European Security Certification Framework” (EU-SEC) project as part of Horizon 2020, an EU funding programme for research and innovation, in which Fabasoft also played a major role. The objective of the EU-SEC project was to create a European framework for cloud security and to boost confidence in cloud services. This process aimed at improving and standardising existing certification and auditing schemes and designing the cloud certification process to be more effective and efficient.
Fabasoft makes a valuable contribution to the European cloud certification framework
Within the context of the EU-SEC project, a consortium of ten renowned European research and commercial enterprises, as well as public administration institutions coordinated by Fraunhofer FOKUS, developed a European framework for the certification of cloud services.
As a leading software product company and cloud service provider, data protection, information security, and compliance with legal regulations are top priorities for Fabasoft. Consequently, collaborating on the EU-SEC project and achieving significant improvements in European security standards was a matter of particular importance to Fabasoft.
The starting point for EU-SEC was the fact that cloud computing requires a high level of trust. In recent years, a number of certification and auditing schemes have thus emerged that, because of their complexity, pose major challenges – both technically and financially – for cloud providers, cloud users, and auditors. Moreover, the demands placed on data protection and IT security are constantly growing, especially as a result of changes in the IT infrastructure, new security risks, and legal regulations. In this respect, the current auditing standards are reaching their limits. Due to their operations in different countries and the differing customer requirements, cloud service providers (CSPs) in particular are under pressure to obtain all the standard security attestations and hence to submit to disparate certification procedures.
The main EU-SEC innovations
As part of the EU-SEC project, the project partners conducted concrete case studies under real-life auditing conditions. Fabasoft processed all tests and project work in Fabasoft Business Process Cloud. The findings from these pilot applications yielded two main innovations: The Multiparty Recognition Framework (MPRF) created ways to merge and link the requirements from the various certification standards. From that, the consortium developed the Continuous Audit Based Certification (CABC), a basis for semi-automated real-time auditing of cloud services. A further result was the formulation of a Privacy Code of Conduct (PCoC), which stipulates requirements for compliance with the EU General Data Protection Regulation (EU-GDPR) for cloud services.
Multiparty Recognition Framework (MPRF)
Variances in terms of the emphasis, depth of testing, and auditing procedures impede the comparability of existing certifications and attestations. Existing certification systems were analysed in the context of the EU-SEC project, which determined that many of the audit criteria and objectives overlapped. The consortium succeeded in establishing a common denominator, the MPRF, to support reciprocal recognition of existing certification and attestation approaches and to provide for an efficient certification process.
Continuous Audit Based Certification (CABC)
The second main innovation was derived as a proof of concept from a case study in the business sector, conducted by the project partners Fraunhofer, CaixaBank, Nixu Cybersecurity, and Fabasoft. The aim of CABC is to facilitate a real-time certification process for cloud services in the future that ensures that the required standards are maintained throughout the validity of the certificate, not just at the time of the audit. To enable ongoing inspections at moderate cost, this needs to be automated in part. Continuously available proof of complete data and information security results in a marked improvement in terms of reliability, security, and transparency.
Conclusions and outlook
The success of the EU-SEC project is the result of validated findings derived from specific case studies. The European Union Agency for Cybersecurity (ENISA) has already received a mandate from the EU Commission to develop pan-European network and information security standards based on the reciprocal recognition of security certifications (MPRF) and continuous audit procedures for real-time certification (CABC).
Fabasoft’s first participation in a Horizon 2020 project for the EU has demonstrated that the company is a trusted partner and a pioneer in the field of cloud security. “Through active participation in the EU-SEC project, Fabasoft succeeded in making a valuable contribution to the European Digital Single Market strategy and the EU Cybersecurity Act. Furthermore, Fabasoft and its partners have been able to gain important insights in the area of continuous audit and will invest in further research”, says Andreas Dangl, Business Unit Executive Cloud Services at Fabasoft.
 Fraunhofer FOKUS, Fraunhofer AISEC, CaixaBank, Cloud Security Alliance (CSA), Fabasoft, Ministry of Finance Slovakia, Ministry of Public Administration Slovenia, Nixu Cybersecurity, PwC Deutschland, and SixSq.