Cloud Computing is not only about moving Cloud resources capabilities to gain competitivity and sovereignty, but also about security and resilience. Cloud security can be adopted and enhanced from many perspectives and angles. In this blog post we analyse how the complementary approaches of MEDINA and PIACERE H2020 projects can enhance the security, trustworthiness and resilience of Cloud based systems, from the infrastructure to the processes and policies, setting up the basis for the next generation of Trusted Execution Environments.
Open PIACERE Secure DevOps framework enhances the automation of creation, configuration, and management of complex infrastructural set ups in the Computing Continuum considering security in all the steps of the Infrastructure as Code development and operation tool chain. It provides an IDE (Integrated Development Environment) to create and manage secured heterogeneous infrastructural elements from a single IDE boosting the IaC (Infrastructure as Code) paradigm and providing tools to leverage the security capabilities of the created environment to the next level. In concrete, the PIACERE DevSecOps framework addresses security and trustworthiness in the following steps of the IaC development and operation phases:
- Infrastructure modelling: PIACERE offers a domain specific modelling language to design and model the infrastructural layer in an abstract level. From the very beginning in the DevOps loop, security aspects are taken into account to verify the correctness and correctness of the model through the DOML (DevSecOps Modelling Language) checker tool.
- Infrastructure code generation: The PIACERE IaC Code Security Inspector is an analyser of the IaC and the application code (when available), using Static Analysis Security Testing (SAST) tools and checking the IaC code against the known cybersecurity issues (misconfigurations, use of non-secure libraries, and non-secure configuration patterns). It also performs consistency checks and other quality verifications according to identified best practices.
- Infrastructure operation: In the operation phase, PIACERE security monitoring offers the capacity to inspect real time logs and detect security-related events and incidents in the deployed application’s environment. It is deployable automatically and notifies users about security alerts.
Figure 1. PIACERE DevSecOps approach
MEDINA framework provides a set of tools to support the implementation of the “continuous monitoring” concept stablished in the certifications of the EU Cybersecurity Act (EU CSA) and the European Cybersecurity Certification Scheme for Cloud Services (EUCS) high assurance level. To this end, MEDINA components address the need to bring more agility to the cybersecurity certification process of cloud-based services providing new approaches and tools for continuous monitoring and assessment:
The main objective of the MEDINA framework is to support a continuous audit-based security certification of cloud services in compliance with the EU Cloud Certification Scheme. Several tools collaborate to implement this approach from the Catalogue of Controls and Metrics, the Certification Language tools, to the evidence (technical and organizational) gathering and management tools, or the Continuous Cloud Certification Evaluation to collect assessment results and continuously determine compliance with the different controls. Other supporting components like the Evidence Management, to assure the trustworthiness of evidence, or the Lifecycle manager to support the lifecycle of the certificate, compose an holistic approach to support the certification process and its different stakeholders, leveraging automation, ensuring compliance and enhancing trust.
Figure 2. MEDINA Continuous Monitoring approach for EUCS high requirements
Both PIACERE and MEDINA projects contribute to improve the trustworthiness and security of Cloud based systems contributing to leverage Trusted Execution Environments in Europe.
PIACERE and MEDINA, two sides of the same coin.