EU-SEC’s Workshop on Continuous Auditing Based Certification was held in Barcelona on 9 April 2019. Participants included representatives of high-profile companies from the fields of finance, cloud service, and auditing.
The aim of the workshop was to show how Continuous Auditing Based Certification can address concerns about security, privacy and regulatory requirements, which are known to hinder cloud adoption. This included showing participants how to perform a Continuous Auditing Based Certification which allows them to retrieve information on applied controls in an automated and near real time way. In addition, the workshop demonstrated the technical architecture proposed to provide this service, its preliminary testing, the evaluation already undertaken and the different approaches deployed in the framework of EU-SEC project.
The workshop was split into several parts:
Introduction to EU-SEC
To start the event, Jürgen Großmann, EU-SEC Project Coordinator and Senior Scientist and Project Manager from Fraunhofer, introduced the EU-SEC project, its goals, as well as the challenges and activities involved in developing the continuous auditing-based tool.
Description of the pilot and continuous auditing theoretical model
Ramon Martin del Pozuelo, Project Manager at CaixaBank, presented the motivations behind the development of the model, in particular the concern that “point-in-time” approaches to security certification do not provide the high assurance and transparency required by cloud stakeholders with a high risk profile. In addition, cloud service customers do not have an up-to-date view of whether the requirements of the certification are still being fulfilled. EU-SEC’s continuous audit approach addresses these issues by providing a way of continuously assessing compliance status. The models, methodology and definition of the certification scheme were presented, followed by a description of the pilot architecture and approach. The section on the value proposition and benefits for scheme owners, auditors, cloud service providers and cloud customers was particularly well received.
Continuous Auditing Technical Architecture and Demo
The technical architecture, including the IaaS and SaaS approaches, was presented. Key parts of the presentation were:
- The role of Fraunhofer’s Clouditor continuous cloud assurance tool within EU-SEC.
- The use of SixSq’s Nuvla as the evidence store.
- The role of CSA’s StarWatch and STAR Registry in continuous certification.
This was rounded off by a hands-on demonstration of the tool.
The workshop closed with a Q&A session in which participants posed very pertinent questions about the scope, implementation and scalability of the continuous auditing certification tool. They also contributed their valuable experience regarding the use of sensitive data and security requirements within their organisations, as well as what they would expect from the pilot. Suggestions regarding potential improvements to the scheme were taken on board by the consortium: trust in the cloud service providers is still needed; continuous auditing-based certification does not completely remove the need for point-in-time reviews; and the technical assessment and certification of the architecture should be included in the process.
The main outcome of the workshop was clear validation of the requirement for a continuous auditing-based scheme. Based on participants’ comments, there is also a clear requirement to ensure that the training material and documentation comprehensively cover the ‘how to’ process.
To inform the project’s work, participants were invited to complete one of the following surveys. We would encourage all cloud stakeholders to take 2 minutes to contribute to the cloud security landscape by participating in the appropriate survey.
Cloud Service Providers https://www.surveymonkey.com/r/5K58TV8
Cloud Customers https://www.surveymonkey.com/r/58B8T5X
The results and feedback from the workshop will be included in EU-SEC’s report on pilot results and will be reflected in the content of the next workshop, planned to take place in Berlin in October 2019.
We look forward to keeping you up to date with the most recent developments of the EU-SEC Project and invite you to join us at our upcoming events. A series of training events and webinars is planned for 2019, so if you would like to stay informed, we invite you to register for updates at https://www.sec-cert.eu/eu-sec/newsletter