
EMERALD: EU pilot project launched with CaixaBank and Fabasoft DORA

Development of a digital certification process for cloud services in the context of the DORA regulatory framework.

Fabasoft

Created on 28. August 2024


Due to the increasing requirements for data protection and security, cloud providers, users and auditors are facing major challenges in the development, integration and testing of new cloud services and applications. The increased use of AI-supported systems, for instance, requires a more flexible certification process for cybersecurity, such as one based on continuous monitoring and evaluation.

The EU research project "EMERALD" within the "Horizon Europe" program aims to improve the security and efficiency of cloud-based services through a digitally supported certification process. The main task is to pave the way for "Certification as a Service" (CaaS) in order to enable continuous certification of cloud services according to various catalogs of requirements. 

What role Fabasoft is playing in the EU research project is explained by Björn Fanta, Head of Research at Fabasoft, and Robin Schmeisser, Managing Director of Fabasoft Contracts, in the following interview.

Björn Fanta, Head of Research Fabasoft

What is the objective of the EMERALD research project?

BJÖRN FANTA: EMERALD essentially pursues four core objectives:

  1. Providing advanced evidence gathering tools for cloud vendor certification based on a next generation knowledge graph approach.
  2. Simplifying the approach to multi-schema cloud certifications through supported metric mapping¹.
  3. The introduction of a new user experience for supported audits of all user groups involved.
  4. The promotion of interoperability² with other frameworks, security assessment tools and repositories.

 

How are the findings from the research project being implemented?

BJÖRN FANTA: The implementation and verification of the practical applicability of the research results will take place in a total of four pilot projects. The aim is to develop software components to ensure efficient working methods with maximum transparency and traceability, and in particular to evaluate and assess the risk of audit-relevant content. A particular focus is on user interaction to ensure the consistent execution of audits and to promote the reusability of created content. The focus is on methods for developing cybersecurity requirements and interoperable metrics to support the largely standardized certification of cloud services.

 

The risk assessment of cloud services is particularly relevant in the European financial sector, see DORA, among others. Are these new regulatory requirements also taken into account in the research project?

BJÖRN FANTA: One of the pilot projects focuses on the financial sector and the challenges faced by banks and other financial companies under the new DORA regulation. CaixaBank is playing a key role in this. As a member of the consortium³, it plans to use the project to make progress in the integration of SaaS (Software as a Service) and IaaS (Infrastructure as a Service) in conjunction with its existing on-premises services. EMERALD's approaches are crucial in order to comply with the strict security standards and regulations of the EU and central banks. The aim is to continuously monitor and validate the security and compliance of services in real time across data center and cloud edge domains.

 

What role is Fabasoft playing in this?

BJÖRN FANTA: As one of Europe's leading software product and cloud service companies, Fabasoft is supporting the project as a technology and use case partner. We contribute expertise in secure process management and optimization and use our experience in implementing research results in innovative products and services.

Robin Schmeisser, Managing Director Fabasoft Contracts

What technology is the research team planning to use to implement EMERALD in the DORA pilot project? 

ROBIN SCHMEISSER: As for the pilot project, the research team is using the software "Fabasoft DORA", which specializes in the EU regulation. CaixaBank defines requirements for the digital process to be developed, which the financial institution follows when evaluating and assessing a potential outsourcing to a cloud service provider and during ongoing monitoring. Fabasoft will subsequently realize these requirements with the software.

 

Why is a digital process needed? What challenges arise with conventional methods? 

ROBIN SCHMEISSER: In practice, we often receive due diligence questionnaires as email attachments in Excel format, which generally results in a high level of manual processing for both parties. Apart from the use of resources, this approach also involves considerable security risks. Some of the requirement catalogs ask for highly sensitive information that we do not answer, as this knowledge would provide significant attack vectors. This presents a barrier to exchange. Both companies need information and proof of sufficient security from the other, but neither wants to disclose their own details.

 

How does Fabasoft DORA help to overcome this hurdle?

ROBIN SCHMEISSER: Fabasoft DORA offers a standardized solution for the DORA-compliant management of ICT service providers all the way through to the automated calculation of the register of information. The collection of information and collaboration with external parties play a central role in the relevant processes. Fabasoft DORA's approach here is for financial companies to obtain all the necessary information from their ICT service providers in a controlled and secure manner in a protected, digital environment. Templates for due diligence questionnaires and risk assessments reduce manual effort and the risk of errors. Once stored digitally, the data is available for analysis at any time in an audit-proof way. Digital workflows are used to automatically integrate the information for evaluation by the respective stakeholders. The outsourcing managers or main process owners can track progress at any time. The software also supports ongoing monitoring by means of automatically initiated recurring checks. Electronic workflow signatures verifiably document the control activities carried out.

 

For more information about Fabasoft DORA, visit www.fabasoft.com/dora

 

 

 

¹ Data mapping refers to the linking and assignment of fields from different data sources.

² Ability to interact with different systems, techniques or organizations. (Interoperability | European Data Protection Supervisor (europa.eu))

³ Tecnalia, Fraunhofer, Fabasoft, Consiglio Nazionale delle Ricerche, Software Competence Center Hagenberg, Know Center, CaixaBank, IONOS, CloudFerro, OpenNebula and Nixu.
