Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS (Maitena Ilardia)
The European Project MEDINA is analysing how to leverage OSCAL to achieve continuous certification, one step beyond continuous compliance, as required by the European cloud services certification scheme. Presented at the US NIST OSCAL Workshop in February 2021.
First Impressions on Experimenting with Automated Monitoring Requirements of ... (MEDINA)
This whitepaper reports on lessons learned from the experimentation performed by the MEDINA team on the topic of continuous (automated) monitoring, as required by the High Assurance baseline of the draft version of the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Besides the reported process and obtained results, we also provide a set of recommendations to relevant stakeholders (in particular Cloud Service Providers and Auditors) with the goal of supporting the uptake of EUCS for High Assurance.
This document discusses penetration testing of the SerIoT system funded by Horizon 2020. It describes an approach to penetration testing that includes 1) unified modeling of security requirements and vulnerabilities, 2) implementing specific test cases that simulate attacks, and 3) generating code-based security tests. The overview explains that the testing involves defining a secure model and vulnerability model, analyzing vulnerabilities, implementing test cases as scripts, executing the test cases on SerIoT components, and reporting results. An example shows how an SQL injection vulnerability test case verifies a security requirement.
Tech 2 Tech: increasing security posture and threat intelligence sharing (Jisc)
The document discusses increasing the security posture of Janet-connected organizations. It proposes updating the Janet Security Policy to block high-risk inbound traffic by default, require annual security reviews, and allow proactive vulnerability scanning. A maturity model is suggested to help with reviews. It also proposes a Jisc Cyber Threat Intelligence Sharing Group using the open-source MISP platform to enable threat information sharing between participating organizations.
Cognitive Packet Network with Software Defined Networks using the Random Neur... (SerIoT project)
Presentation of Cognitive Packet Network with Software Defined Networks using the Random Neural Network developed during the SerIoT project. More: https://www.seriot-project.eu
The document discusses challenges with third party access to business information and proposes a new framework called the Common Assurance Maturity Model (CAMM) to address these challenges. CAMM aims to provide a standardized way to objectively measure a third party's information risk management maturity using predefined controls. It would leverage existing standards and audit spending, allow third parties to showcase their maturity levels for transparency, and help businesses incorporate risk management into procurement decisions. The framework is intended to be modular to suit different business needs and remove duplicate auditing of third parties.
The Knowledge Transfer Networks (KTNs) were set up in the UK to facilitate knowledge sharing and collaboration between business, government, and academia. The Digital Systems KTN focuses on key digital technologies and brings together experts to address challenges like cybersecurity, cloud computing, and smart transportation. Collaboration is important for tackling issues in a digital society by sharing expertise, innovations, and understanding of problems. The KTN promotes collaboration through events, funding, special interest groups, and knowledge sharing to help overcome challenges like data security and privacy. There is potential to expand this model internationally to form a coordinated global response to cybersecurity threats.
This document discusses the ARIES project, which aims to create a reliable European identity ecosystem. The project received funding from the European Union's Horizon 2020 program to address identity management, strengthen the link between physical and virtual identities, and address all aspects of identity-related crimes. The consortium includes large companies, SMEs, research institutions, law enforcement agencies, and online service providers. The project will develop use cases around identity virtualization and secure e-commerce and validate results through a vision for a secure identity ecosystem.
The document summarizes the 5G-PPP Success project. It received €7.6M in funding over 2 years from November 2015 to October 2017. The project aims to develop trust and security models for the 5G infrastructure using semantic modeling approaches. These models will then be used to create "trust enablers" or tools to help stakeholders such as researchers, network designers and operators, and application developers manage security risks in 5G networks. The IT Innovation Centre will contribute 62 person-months and €553k to the project to develop these semantic models and tools.
This document discusses standardization activities related to the ACTIVAGE project. It describes contributions to standards for body area networks, sensor integration, and data modeling. It discusses the development of an extension to the SAREF standard for eHealth and aging well domains. It also covers the IEEE P2510 standard for establishing quality of data sensor parameters, and the opportunities for digital innovation hubs around this standard. The document concludes that data quality is crucial for industries like health, and that certification processes for vendors will be important to integrate as work continues.
13th International Conference on Network Security & Applications (CNSA 2020) (IJNSA Journal)
The 13th International Conference on Network Security & Applications (CNSA 2020) focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on understanding modern security threats and countermeasures and establishing new collaborations in these areas.
SerIoT Traffic Generator and Detector of malicious traffic patterns (HITSerIoTProject)
This document discusses the creation of an annotated dataset of malicious network traffic patterns within the Secure and Safe Internet of Things (SerIoT) project. It describes how a bot network with multiple virtual machines was used to generate both benign and malicious (TCP SYN attack) network traffic. The raw packet captures were analyzed and segmented into 5-second windows annotated with the number of half-open TCP connections, producing a labeled dataset for training artificial intelligence models to detect malicious traffic patterns. Random neural networks were found to detect denial of service attacks more accurately than other models such as LSTM when trained on this dataset. The attack detector is being deployed in use cases of the SerIoT system to inform its routing engine of malicious activity.
13th International Conference on Network Security & Applications (CNSA 2020) (pijans)
The 13th International Conference on Network Security & Applications (CNSA 2020) focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on understanding modern security threats and countermeasures and establishing new collaborations in these areas.
Call for papers - 13th International Conference on Network Security & Appli... (IJNSA Journal)
The 13th International Conference on Network Security & Applications (CNSA 2020) focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on understanding modern security threats and countermeasures and establishing new collaborations in these areas.
Authors are solicited to contribute to the conference by submitting articles that illustrate research results, projects, surveying works and industrial experiences that describe significant advances in the areas of security and its applications.
This document provides an overview of federated identity management for the ARCHIVER project. It discusses key concepts like identity providers, service providers and protocols. It recommends that ARCHIVER select a service provider proxy, research institutes ensure they have SAML identity providers, and services support SAML or OIDC. Next steps include deciding on a service provider proxy, ensuring identity providers and services support federated protocols, and complying with policies to encourage attribute sharing. Testing tools and further help are also referenced.
Communication and collaboration solutions from Safeguard IT Ltd (Russell Pearson)
Safeguard IT Ltd are experts in delivering software solutions to clients across EMEA:
• Corporate Communications
• Business Continuity Software
• Emergency Communications
• Mass Notification Software
• Staff Notification
• Incident Management
• Cloud Telecoms
• Technical Support
• Automated Notification
Learn more about how our solutions help our customers!
This presentation contains the information regarding the outcomes from the scalability and replicability analysis conducted in InteGrid. Additionally, the replication roadmap identified in InteGrid is presented through its replication paths based on the lessons learned and the best practices (recommendations) identified.
Call for Papers - 8th International Conference of Security, Privacy and Trust... (IJNSA Journal)
8th International Conference of Security, Privacy and Trust Management (SPTM 2020) looks for significant contributions to Trust management for networks. Original papers are invited on Security, Privacy and Trust Management of wireless and wired networks. The goal of this Conference is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
This document provides an introduction to GÉANT and its Cloud Peering service. GÉANT operates a pan-European research and education network that interconnects National Research and Education Networks (NRENs) across Europe. It also manages a portfolio of services to support collaboration. The Cloud Peering service allows cloud providers to connect directly to GÉANT's network or through local NRENs to reach research communities. Options for connection include going through an NREN, direct peering at a GÉANT point of presence, or at an internet exchange. Costs vary depending on the connection method and capacity.
RCauth.eu is an online PKI service that provides access to secured services through client certificates and delegation capabilities without exposing the complexity of PKI to users. It has three components: a web frontend based on the US CILogon software, a backend CA based on myproxy-server with an HSM, and a filtering WAYF connected to eduGAIN. The service is supported by various European organizations and issues credentials that comply with IGTF assurance levels to qualified users who meet the REFEDS and Sirtfi requirements.
The document discusses the Cloud Security Alliance (CSA) Cloud Trust Protocol (CTP) and the A4Cloud project. The CTP is designed to allow cloud service clients to request and receive security-related information from cloud providers to promote transparency and trust. The A4Cloud project focuses on accountability in the cloud and developing mechanisms and tools to help cloud providers demonstrate compliance and allow for effective governance. The CSA and A4Cloud are working to standardize security attributes, integrate the CTP into frameworks like the Open Certification Framework, and establish a CTP working group to further define and implement the protocol.
The E-CRIME project received EU funding to research cybercrime over three years with 10 partners across 8 countries. The project aims to measure the economic impact of cybercrime, develop deterrence measures, and increase awareness among policymakers and the public. Key outputs include a cybercrime taxonomy, training programs, economic models, and policy recommendations to help businesses prevent cybercrime.
This project called MEDINA aims to develop a security framework to help cloud service providers continuously achieve and maintain compliance with the EU Cloud Security Certification Scheme. The framework will include tools, techniques and processes to support continuous auditing and certification where security and accountability can be measured over time. This will help cloud customers gain more control and trust in the cloud services they use. The framework is meant to provide guidance to help cloud providers more easily implement security controls and collect evidence of compliance, reducing the costs and efforts of certification.
This project called MEDINA aims to develop a security framework to help cloud service providers continuously achieve and maintain compliance with the EU Cloud Security Certification Scheme. The framework will include tools, techniques and processes to support continuous auditing and certification where security and accountability can be measured over time. This will help cloud customers gain more control and trust in the cloud services they use. The framework is intended to provide guidance to cloud service providers on implementing security controls and collecting evidence of compliance, making the certification process more efficient.
The MEDINA project aims to provide continuous, real-time certification for secure cloud computing services in compliance with EU standards. It develops tools to automate evidence collection, assessment, and management to streamline the certification process. This allows cloud services to continuously monitor controls, metrics, and security risks to maintain certification more efficiently.
Towards Continuous Security Compliance in the Cloud Continuum - MEDINA Project... (MEDINA)
This document discusses the EU-funded MEDINA Project, which aims to address challenges around continuous monitoring and certification of security compliance for dynamic cloud environments. The project is developing an open-source framework with components like a repository of metrics and measures, tools for continuous evidence management and evaluation, and a risk-based auditor tool. Upon completion, the framework will help cloud service providers and auditors more easily ensure frequent infrastructure changes remain compliant with security policies. The goal is to leverage automation to enhance trust for hybrid cloud approaches.
Automation-based Certification for Cloud Services in Euro (MEDINA)
This document discusses automation-based certification for cloud services in Europe. It provides an overview of the MEDINA project, which aims to enable continuous audit-based certification for cloud services through automation. The MEDINA framework collects technical evidence, assesses compliance automatically, and manages certificates in order to streamline the certification process defined in the EUCS standard. After MEDINA concludes, the lessons learned may be applied to the new COBALT project focusing on certification of AI-enabled systems and quantum computing.
Paving the road towards continuous audit-based certification for cloud service... (MEDINA)
This document summarizes a presentation about the MEDINA project, which aims to facilitate the adoption of the EU Cybersecurity Certification Scheme (EUCS) for cloud services. The MEDINA project is developing a security framework and tools to support continuous, automated certification based on evidence management. This will help address challenges with the current point-in-time certification approach and high costs of certification. The MEDINA framework collects evidence, assesses compliance, and manages certification, with the goal of easing the process of continuous certification as required by EUCS. While progress has been made, challenges remain around regulating automated certification and sustaining the project's tools after its completion.
The MEDINA project aims to help stakeholders achieve continuous compliance with the European Union's cloud security certification scheme (EUCS) through automation. It provides a set of tools and techniques that can be accessed through a unified user interface or API to fully manage the certification status of cloud services. Early adopters can implement generic workflows comprising scenarios and roles to streamline the EUCS certification process through guidance and evidence management automation.
MEDINA: Standardization to enable continuous cloud cybersecurity certification (MEDINA)
This project called MEDINA received funding from the EU Horizon 2020 programme to develop standardization to enable continuous cloud cybersecurity certification. MEDINA aims to provide a security framework and tools to achieve continuous audit-based certification aligned with the EU Cybersecurity Certification Scheme for Cloud Services. The project runs from November 2020 to October 2023 with a budget of over 4 million euros. One of MEDINA's objectives is to engage standard development organizations to adopt requirements for continuous compliance assessments and automation in line with the EU certification scheme. Achievements so far include supporting the development of the EU certification scheme and contributing to related standards.
The document discusses a security framework called MEDINA that aims to provide a holistic framework supporting cloud service providers' (CSPs) continuous certification in compliance with the EU cloud security certification scheme. The framework will include a repository of security metrics and measures, tools for selecting controls based on risk levels, a certification language, evidence management tools, a certificate evaluator, and a risk-based auditor tool. This will help CSPs more easily achieve and maintain certification, reducing costs and efforts. Two example use cases are provided for Bosch regarding IoT solutions and Fabasoft regarding SaaS solutions for the public sector.
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS (MEDINA)
The document discusses the EU Cybersecurity Scheme for Cloud Services (EUCS) and its requirements for continuous monitoring and certification. It introduces the MEDINA project, funded by the EU, which aims to develop a framework for achieving continuous audit-based certification aligned with the EUCS through continuous monitoring. The project will leverage the Open Security Controls Assessment Language (OSCAL) for machine-readable representation of security controls and certificates. It seeks collaboration with NIST on further development and adoption of OSCAL to support its goals.
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C... (MEDINA)
This document summarizes the results of an experiment conducted to test the requirements for continuous monitoring and certification from the European Cybersecurity Certification Scheme for Cloud Services (EUCS). The experiment found that:
1) Existing tools can automate assessment of some EUCS requirements, but coverage is currently limited.
2) A machine-readable format like NIST's OSCAL shows promise for specifying and reporting on automated assessments.
3) While some level of automation is possible now, auditors will still need to review evidence to ensure trustworthy compliance. Standardization of audit processes could help leverage the full potential of automation in the future.
The document describes a metric recommender system developed as part of the MEDINA project. The system uses natural language processing techniques to automatically associate metrics with security requirements. It plays a key role in the MEDINA framework by translating requirements expressed in natural language to measurable metrics. Initial validation results demonstrate the system's ability to efficiently recommend relevant metrics for requirements based on textual similarity.
This document summarizes an expert stakeholder group meeting for the MEDINA project. The meeting agenda included an introduction to MEDINA, demonstrations of two tools (SATRA and AMOE), and a discussion of next steps. MEDINA aims to facilitate adoption of the EU Cybersecurity Certification Scheme for continuous cloud certification. Progress after 18 months includes initial prototypes and testing of tools for self-assessment, evidence management, and certificate lifecycle management. Upcoming plans include full validation of MEDINA with industry partners and progressing standardization and exploitation activities.
ECIL: EU Cybersecurity Package and EU Certification Framework (Deutsche Telekom AG)
In September 2017 the EU Cybersecurity Package was proposed by the European Commission. The European cybersecurity industry leaders (ECIL) had delivered valuable advice and input to the EU’s cybersecurity strategy. In its latest recommendation to the EU Commission, ECIL demands a more harmonized cyber policy across the Union. To secure Europe’s digital sovereignty and efficient Single Market oriented digital capabilities, Europe needs a holistic platform approach. Technology elements like 5G, Cloud and IoT together should be part of such a platform.
This document summarizes research conducted by the University of Essex on securing Internet of Things (IoT) networks. It discusses research projects on (1) developing a service-based fog architecture incorporating concepts like Information-Centric Networking to provide flexible IoT services and network resilience, (2) using blockchain and machine learning techniques to improve security of software-defined networking (SDN) on the edge of IoT networks, and (3) building an experimental testbed to test and validate the proposed IoT security solutions.
This document describes the ARCADIA project, which developed a novel reconfigurable application development paradigm over programmable infrastructure. The ARCADIA framework allows applications to be built from micro-services that can communicate and be reused. It received over 3.5 million Euros in funding from the European Union and involves multiple partners. Three use cases are being developed around energy efficiency, high-performance communications for IoT, and security/privacy support on the FIWARE platform.
This document summarizes the ARCADIA project, which aims to design and validate a new paradigm for developing highly distributed applications that can dynamically reconfigure based on changes to programmable infrastructure. The project received over 3.5 million Euros in funding from the European Union's Horizon 2020 program and will last 36 months. It involves developing new approaches for application deployment and management over distributed systems while maintaining network reliability, security, and efficiency.
Trust is built on guarantees, previous successful experiences, transparency and accountability. Yet, to date, the technologies and frameworks necessary to raise confidence in cloud and Big Data applications are still lacking. It is crucial to create this confidence to encourage different business sectors to take up this technology and ultimately improve business efficiency and competitiveness. The ATMOSPHERE project focuses on this issue.
ATMOSPHERE will provide a solution to assess the trustworthiness of cloud applications dealing with data and support the development of more trustworthy cloud applications.
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific... (MEDINA)
This document provides an overview of the MEDINA framework for continuous life cycle management of cloud security certifications. It describes the key components, including the Continuous Certification Evaluation component that aggregates assessment results, the Risk Assessment and Optimization Framework that evaluates risk, and the Automated Certificate Life Cycle Manager that determines certificate status and publishes certificates using a self-sovereign identity system. The framework aims to enable automated, continuous assessment and management of certifications to address the dynamic nature of cloud environments.
The document provides an overview of the MEDINA Controlled Natural Language (CNL) which was designed to facilitate the automated assessment of compliance with cybersecurity certification schemes for cloud services. It discusses how CNLs can bridge the gap between natural language security requirements and machine-readable representations. The MEDINA CNL builds upon an existing CNL called CNL4DSA and allows expressing cloud security certification requirements from schemes like EUCS in a formal way using fragments consisting of resource types, metrics, operators, and target values. This enables automated compliance checks for certifications.
The document introduces EUROSCAL, an initiative to promote the use of NIST's Open Security Controls Assessment Language (OSCAL) for automating cloud security certification processes in Europe. OSCAL aims to standardize how security controls and frameworks are represented, making it easier to assess compliance and monitor controls continuously. The EU-funded MEDINA project is exploring how OSCAL could help address challenges in achieving continuous monitoring and certification as envisioned by the European Union's cloud security certification scheme. EUROSCAL seeks to influence stakeholders to adopt OSCAL standards to fully realize automation benefits for certification.
Dr. Jesus Luna Garcia discusses assessing the trustworthiness of AI systems. He notes that while AIoT systems are growing, consumer trust in them has declined in recent years. There are challenges to defining and measuring AI trustworthiness as well as developing risk management frameworks for AI. Current work includes collaborating with standards bodies to help pave the road to establishing trustworthy AI and certification methods.
The document provides an architecture proposal for the MEDINA framework, which aims to provide continuous certification of cloud services aligned with the EUCS. It describes the main components of the MEDINA framework, which include a catalogue of controls and metrics, natural language processing techniques, risk assessment, continuous evaluation, an orchestrator, evidence collection, certificate management, and a user interface. The document also provides an overview of the MEDINA architecture, roles, workflows, and integration approach.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features offer convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
The UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, as a test automation solution, with Open AI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Medina general presentation
1. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952633
MEDINA: Security framework to achieve a continuous audit-based certification in compliance with the EU-wide cloud security certification scheme
Leire Orue-Echevarria, PhD, PMP (TECNALIA)
2. MEDINA At a Glance
1st November 2020 – 30th October 2023
EU Budget 4,480,308.75€
24/03/2021
MEDINA General Presentation
3. Context
Low adoption of cloud services in Europe
Why? According to Eurostat (2018):
- Risk of a security breach
- Legal jurisdiction
- Data storage localization
- Insufficient skills
- Lack of interoperability
4. Context
Can certification be a solution? There are many certification schemes…
Figure: Compliance with Member States’ initiatives by the Top 50 CSPs (XaaS) – Source: SMART 2016/0029. Data from 2018
Figure: Accredited certifications by the Top 50 CSPs (XaaS) – Source: SMART 2016/0029. Data from 2018
5. Context
And with different coverage in the controls, as well as different assessment methods
Figure: % in each scheme (source: SMART 2016/0029)
6. Context
Several regulations and initiatives have been launched by the European Commission to promote the adoption of cloud computing and avoid fragmentation in certification approaches
- 2012: European Cloud Strategy
- Sept. 2017: Data economy package (09.2017); FFD & Cybersecurity package (09.2017)
- Dec. 2017: Creation of two WGs (SWIPO and CSPCERT)
- June 2018 (22.06.2018): Political agreement on FFD between Council and Parliament
- Oct. 2018: Trialogues on the Cybersecurity Act
- March 2019 (12.03.2019): Cybersecurity Act is adopted
- June 2019: Cybersecurity Act is published; CSPCERT delivers the recommendations to ENISA and EC
- Nov. 2019: European Commission sends letter to ENISA to start working on the scheme for cloud services
- March 2020: ENISA AHWG for cloud services is launched
- Beginning 2021: EU CSCS will be published and enter into force
- ECCG and SCCG dialogues
- Feb. 2019: EU Data strategy is published
7. MEDINA Project Objective
Provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs (IaaS, PaaS and SaaS providers) towards the successful achievement of a continuous certification aligned to the EU Cybersecurity Act (EU CSA). […] The proposed framework will be comprised of tools, techniques, and processes supporting the continuous auditing and certification of cloud services where security and accountability are measurable by design. As the MEDINA framework is leveraged into a cloud supply chain, it will support continuously assessing the efficiency and efficacy of security measures to ultimately achieve and maintain a certification.
10. Benefits
- Guidance on the implementation of the controls, the measures to be applied and the evidence to be collected, reducing the time needed
- Support for automatic compliance with the controls of existing certification schemes, reducing the effort, cost and risk of achieving and maintaining a certification
- Ease the effort in the collection and evaluation of evidence
- Ensure the audit trail of the evidence, and that no one has tampered with it