WP 2 Certification Models and Processes
WP2 will focus on the definition of a conceptual framework and on specifications of basic, hybrid and incremental certification models for cloud-based processes, applications, and services. WP2 will identify the security properties of interest for certification, define the types of evidence used for certificate issuing (e.g., testing, monitoring, formal reasoning), and specify the mechanisms for generating the evidence that supports a security property. The certification models produced in WP2 will also provide ways of combining certificates of different types in an integrated framework, including a solution for monitoring at run time the validity of certified properties in dynamic cloud scenarios. WP2 will further develop the basis for combining trust derived from the above certification mechanisms with trusted computing proofs from the lower layers of the cloud software stack, establish the foundations for hybrid, multi-layer, and incremental certification models for CUMULUS, and define a conceptual framework for implementing them in cloud infrastructures. The certification models produced in this WP will also cover certificate management issues, such as the actions for issuing a certificate, verifying its validity, revoking it and/or extending it. Some of these actions are expected to apply to all certification models, for example the creation and distribution of certificates. Other actions will depend on the type of certification model, for example changing the evidential base of a certificate after additional monitoring data has been acquired, or revoking a hybrid certificate based on test and monitoring evidence once monitoring evidence is captured that contradicts some of the test results.
Certifying cloud-based applications and services will allow service consumers and providers to ascertain that the properties stated in a certificate guarantee continuous compliance with their own requirements. This will increase consumers' and providers' confidence that their required level of assurance will be maintained before they commit to designing, deploying, or accessing services on the cloud.
Description of work and role of partners
Task 2.1 – Development of security properties specification scheme and security dependency models [Leader: CSA] (M1 – M12): This task will be concerned with the definition of the security properties of interest as part of cloud service level agreements, and with security models expressing the effects of different cloud mechanisms on security properties. For the former, our focus will be to define security properties as part of existing SLA specification languages (e.g. the SLA* language). For the latter, we will identify suitable architectural patterns defining the specific interactions between all layers of the cloud architecture and all involved parties, such as cloud providers, certifiers, and users. The work will also take into account specifications arising from industry coalitions, such as the Cloud Controls Matrix.
Task 2.2 – Test-based certification models [Leader: UMIL] (M1 – M24): This task will define certification models for test-based certification of cloud IaaS, PaaS, and SaaS services. The task will provide cloud-specific descriptions of test-based procedures, enabling detailed specification of testing practices and outcomes. It will also define the artefacts representing the information and results of the testing activities used in certificate generation. Test-based certificates will be based on a model of the system under test; empirical testing will be used only where such a system model is not available. The work in this task will take into account specifications arising from industry coalitions, such as the GRC Stack.
Task 2.3 – Monitoring-based certification models [Leader: CITY] (M1 – M24): This task will define monitoring-based models for certification of cloud IaaS, PaaS, and SaaS services. Task 2.3 will address three main goals: (i) to enrich the test-based certification of Task 2.2 by providing a means to check, after issue, that the operational conditions under which a certificate was issued still hold, and, where the evidence supports it, to produce an extended certificate based on both testing and monitoring evidence; (ii) to certify properties that require both online and offline monitoring functionality, such as reliability and availability certification based on performance monitoring; and (iii) to define certification models that require monitoring of cloud services at more than one layer of the cloud stack. The work in this task will take into account specifications arising from industry coalitions, such as the Cloud Controls Matrix, Cloud Audit, and the Cloud Trust Protocol.
Task 2.4 – Trusted computing-based certification models [Leader: ATOS] (M1 – M24): This task will provide an approach for trusted computing-based certification. In particular, it will specify models based on trusted computing to generate proofs supporting properties on the lower layers of the software stack and the function set of the Trusted Platform Module (TPM). Moreover, Task 2.4 will analyze the possibility of trusted computing-based certification of cloud-based applications with formal models of the lower layers of the cloud infrastructure. This task will also provide the foundations for combining trust based on the work in Tasks 2.2 and 2.3 (higher levels) with trusted computing proofs on the lower layers of the software stack.
Task 2.5 – Incremental certification models [Leader: UMIL] (M15 – M32): This task will investigate and define models supporting the incremental certification of cloud services. Incremental certification models will be used to manage changes at any layer in the cloud stack that could affect certified security properties without the need to (re-)certify artefacts from scratch. Incremental certification will be provided by monitoring the services and their interactions, and by verifying the validity of previously verified properties following changes in the stack.
Task 2.6 – Hybrid certification models [Leader: CITY] (M15 – M32): This task will explore the problem of combining different bases of evidence in producing cloud service certificates, including test and monitoring data, formal proofs and other existing certificates. Existing certificates will be particularly important in the case of service compositions or of dependencies across services and layers in the whole cloud stack. Composition may happen along three main axes: composition of services, horizontal composition of different certificate types, and vertical composition of certificates at different cloud layers. Certificate composition will be based on investigating schemes for analysing the composability of different certificate types. For instance, a trusted monitor service needs to provide two certificates (one monitoring-based, the other trusted computing-based) which need to be combined into a single certificate for the service. In addition, the composition problem will cover vertical composition, integrating certificates at different layers of the cloud stack. As an example, suppose that a cloud supplier wants to certify that a given service is always operated within the EU. Here WP2 will integrate a trusted computing-based certificate stating that the virtual machine is deployed on hardware located in the EU with another certificate, based on monitoring and/or testing, proving that the service is executed on that virtual machine.
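The two certificate-management situations described in this work package, the vertical composition of an EU-location certificate from Task 2.6 and the revocation of a test-based certificate once monitoring evidence contradicts it from the WP overview, are illustrated below in a small Python model. This is an added example written for this page, not a CUMULUS artefact or one of the project's certification models: the certificate fields, the "deployed-on:<vm>" binding property, the subject names "svc-42" and "vm-7", the response-time property and all observation data are assumptions constructed for the illustration. What the example does show is the soundness conditions a composition step has to check (both inputs still valid, the upper certificate really binds its subject to the lower one's subject, validity windows overlap and the result is valid only in their intersection) and how a single contradicting observation inside the validity window revokes a certificate while observations about other subjects or outside the window are ignored.

```python
"""Toy model of certificate composition and revocation (added illustration,
not the CUMULUS project's own models). A certificate states that a subject
(service, VM, host) satisfies a property on the strength of some evidence
types. Vertical composition chains a higher-layer certificate onto a
lower-layer one through a binding property ("deployed-on:<vm>"). A monitoring
observation that contradicts a certified property revokes it."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Callable, Iterable, Optional

# Evidence types distinguished in WP2 (a hybrid certificate carries several).
TEST, MONITORING, TRUSTED_COMPUTING = "test", "monitoring", "trusted-computing"


@dataclass(frozen=True)
class Certificate:
    subject: str                  # artefact certified, e.g. "svc-42" or "vm-7"
    prop: str                     # certified property, e.g. "located-in:EU"
    evidence: tuple               # evidence types the certificate rests on
    valid_from: datetime
    valid_until: datetime
    status: str = "valid"         # "valid" or "revoked"
    reason: Optional[str] = None  # why it was revoked, if it was


class CompositionError(ValueError):
    """Raised when two certificates cannot be combined soundly."""


def compose_vertical(upper: Certificate, lower: Certificate) -> Certificate:
    """Combine `upper` (its subject runs on lower.subject) with `lower` (a
    property of the lower-layer artefact) into one certificate that states
    the lower-layer property for the upper-layer subject.
    Checks: both inputs valid; `upper` binds to `lower`'s subject; validity
    windows overlap (the result holds only in their intersection)."""
    for c in (upper, lower):
        if c.status != "valid":
            raise CompositionError(f"{c.subject}/{c.prop} is {c.status}")
    expected_binding = f"deployed-on:{lower.subject}"
    if upper.prop != expected_binding:
        raise CompositionError(
            f"{upper.subject} certifies {upper.prop!r}, not {expected_binding!r}")
    start = max(upper.valid_from, lower.valid_from)
    end = min(upper.valid_until, lower.valid_until)
    if start >= end:
        raise CompositionError("validity windows do not overlap")
    return Certificate(
        subject=upper.subject, prop=lower.prop,
        evidence=tuple(sorted(set(upper.evidence) | set(lower.evidence))),
        valid_from=start, valid_until=end)


@dataclass(frozen=True)
class Observation:
    """One monitoring data point (constructed sample data)."""
    subject: str
    at: datetime
    metric: str
    value: float


def check_against_monitoring(cert: Certificate, observations: Iterable[Observation],
                             holds: Callable[[Observation], bool]) -> Certificate:
    """Re-validate `cert` against monitoring evidence. `holds` says whether one
    observation is consistent with the certified property. The earliest
    observation about the certificate's subject, inside its validity window,
    that does not hold revokes the certificate (monitoring evidence contradicting
    test evidence). Other subjects and times outside the window are ignored."""
    for obs in sorted(observations, key=lambda o: o.at):
        if obs.subject != cert.subject or not (cert.valid_from <= obs.at <= cert.valid_until):
            continue
        if not holds(obs):
            return replace(cert, status="revoked",
                           reason=f"{obs.metric}={obs.value} at {obs.at.isoformat()}")
    return cert


# ---- worked example with constructed data (all names/values assumed) --------
T0 = datetime(2024, 1, 1)
# Lower layer: trusted-computing certificate that "vm-7" runs on EU-located hardware.
VM_IN_EU = Certificate("vm-7", "located-in:EU", (TRUSTED_COMPUTING,), T0, T0 + timedelta(days=90))
# Upper layer: monitoring-based certificate that "svc-42" is deployed on "vm-7".
SVC_ON_VM = Certificate("svc-42", "deployed-on:vm-7", (MONITORING,),
                        T0 + timedelta(days=10), T0 + timedelta(days=180))
# Test-based certificate of a response-time bound for the same service.
SVC_FAST = Certificate("svc-42", "response-ms<=200", (TEST,), T0, T0 + timedelta(days=30))

OBSERVATIONS = [  # constructed monitoring data
    Observation("svc-42", T0 + timedelta(days=5), "response-ms", 120.0),   # consistent
    Observation("vm-7", T0 + timedelta(days=6), "response-ms", 900.0),     # other subject
    Observation("svc-42", T0 + timedelta(days=40), "response-ms", 950.0),  # after expiry
    Observation("svc-42", T0 + timedelta(days=12), "response-ms", 480.0),  # contradiction
]


def service_in_eu() -> Certificate:
    """Vertical composition: svc-42 is located in the EU, valid on days 10..90."""
    return compose_vertical(SVC_ON_VM, VM_IN_EU)


def revalidated_fast() -> Certificate:
    """The test-based bound is revoked by the 480 ms observation on day 12."""
    return check_against_monitoring(
        SVC_FAST, OBSERVATIONS, holds=lambda o: o.metric != "response-ms" or o.value <= 200)


if __name__ == "__main__":
    print(service_in_eu())
    print(revalidated_fast())
```

The composed certificate rests on both evidence types and is valid only from day 10 (when the monitoring certificate starts) to day 90 (when the trusted-computing certificate expires); trying to chain the response-time certificate onto the VM certificate fails, because it does not bind the service to that VM. A revoked certificate is likewise refused as an input to composition, which is what prevents a stale premise from surviving into a hybrid certificate.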