The blog post Cybersecurity: Certifying cloud services with real-time data centered on Robert, the CTO of a major bank, and his quest for ongoing and automated auditing for cloud services. In this article, I highlight how compliance managers can now make a major leap towards this goal by using the MEDINA platform and its “compliance-as-code” approach.
What is compliance as code?
Compliance as code refers to software tools and practices that ensure adherence to the three basic aspects of compliance – prevention, detection, remediation – without requiring manual intervention.
- Prevention of compliance deviations by means of automated testing and monitoring of changes within IT environments.
- Automated detection of compliance problems in the IT infrastructure with notification to the appropriate persons.
- Remediation of circumstances that cause deviations from the compliance guidelines.
In short, compliance as code is the codification of compliance controls with the aim of making adherence to these controls, their application, and the remediation of problems fully automated.
To ensure that these principles have an impact, the MEDINA consortium is working with institutions such as ENISA (the European Union Agency for Cybersecurity) to develop and interlink practicable trust mechanisms.
What is a compliance manager?
Compliance managers perform a pivotal role in the certification process and serve as the liaison point for auditors. They organize the implementation of cybersecurity certifications and make sure that the required level of certification is achieved. To do this, they establish internal controls based on the impending cybersecurity certification. Experts from the relevant departments draw up the appropriate measures and put them into practice. The compliance manager is then responsible for monitoring and reviewing these steps, as well as gathering and cataloging all necessary verification again for the periodic re-certifications.
They need to consult with the company’s management regularly, prepare reports, and review the work of the experts (internal control owners) in defined internal audits of existing certifications. The duties assigned to compliance managers have expanded steadily in recent years and have risen in terms of their complexity and sheer number.
Alex, MEDINA, and the European Cybersecurity Scheme
Alex works in a small team at a European cloud service provider, where she serves as compliance manager and is responsible for ensuring compliance with various requirements catalogues. The Cloud Computing Compliance Criteria Catalogue, or C5 for short, published by the German Federal Office for Information Security deserves special mention. The general parameters defined in the catalogue ensure transparency with regard to system description, jurisdiction and locations of data storage, data processing and data backup, disclosure and investigation rights, as well as certifications. Going forward, the European Cybersecurity Certification Scheme for Cloud Services (EUCS) will also be playing a significant role for Alex. As its name suggests, the EUCS addresses the issue of certifying the cybersecurity of cloud services.
Alex is pressed for time because, in addition to her work as a compliance manager, which involves following strictly prescribed procedures in (conventional) audit procedures, she also handles other tasks within the organization. As an example, a sizable banking customer would like to ensure real-time certification of the cloud services the company offers. Fortunately, while doing some research regarding the new EUCS, Alex discovered another approach that is being elaborated as part of the MEDINA project: A framework that automates ongoing certification and makes a number of efficient tools available in this context.
What is the MEDINA approach?
Fabasoft has joined forces with seven other European partners in the Horizon 2020 project MEDINA to provide companies with the ability to achieve automated, continuous certification, largely in real time. The current research activities are focused on the BSI C5 cybersecurity catalogs as well as further developing the EUCS.
How does MEDINA help compliance managers?
In the future, compliance managers and auditors will access the MEDINA framework through an application programming interface (API). As a result, automating certification processes and fulfilling requirements can be realized to a large extent.
In order to make this happen, the project participants are developing sample measures for selected EUCS controls, creating metrics and measurement targets, and defining assessment rules. These can then be adopted by a cloud service provider like Fabasoft and implemented and communicated using an API with the MEDINA platform. Because the cataloging of verifications and confidential content is managed locally, it remains completely under the control of the cloud service provider. Only accredited auditors with secured access can view the verification catalogs and required data.
Figure: MEDINA integration (design stage)
This framework is designed to help compliance managers like Alex manage the mounting complexity associated with audit processes and to meet customer needs like Robert’s in the future by providing continuous, real-time certifications that don’t require additional time.
Are you a compliance manager?
At MEDINA, we strive to solve practical real-world challenges. Contribute to the MEDINA project by sharing your everyday “pain points” with us. We are gathering and incorporating them into our work.
Feel free to send me your input by e-mail to: Bjoern.Fanta@fabasoft.com