KR1: EXTRACT
Evidence extraction from cloud service: A framework to continuously extract knowledge on various layers of the cloud service (infrastructure, code, business processes) and prepare suitable evidence based on them. This result covers the improvements on existing evidence extraction tools and concepts of MEDINA, such as AMOE (Assessment and Management of Organisational Evidence). The framework works on utilizing information and verifies the implementation of technical and organisational measures. The tools enable different levels of abstraction – from low level such as source code to higher levels, such as policies and procedures.
KR2: CERTGRAPH
Certification graph: A graph-based structure, the certification graph, to consolidate all necessary information of the service and make it easily query-able. The graph-based approach allows storing and linking heterogeneous information extracted from different evidence sources. Furthermore, linking allows to create additional nodes in the graph that aggregate individual aspects and fragments of information to a higher-level of combined evidence, while maintaining traceability back to information sources.
KR3: OPTIMA
Optimized metric selection: An intelligent system to select an optimized set of metrics that can be measured to demonstrate compliance to the selected certification scheme. One of such optimizations could be the maximum amount of re-used evidence.
KR4: MULTICERT
Cloud certifications: A tool to assess chosen metrics based on information stored in the certification graph and to evaluate the final certificate decision.
KR5: AIPOC
Proof of Concept for AI-based certifications: By transferring the innovation results to upcoming AI certification schemes, EMERALD establishes a Proof of Concept (PoC) on how to scale the Certification as a Service (CaaS) approach to cloud-based AI systems.
KR6: EMERALD UI/UX
User experience for complexity reduction: A user interaction concept and conducted studies to show what information each user needs in an audit process. The concept shall lead to a user interface (UI), which is tailored to the users’ needs during all stages of an audit and guides them through the process of identifying problems top down – from high level requirements down to specific implementation in documents (e.g., policies) or technical specifications.
KR7: INTEROP
Interoperable assessment, evidence and catalogue data: EMERALD will provide an interoperability layer among the trustworthy systems, assessment results and catalogue data. Security schemes are prone to change and thus updates would be required. EMERALD aims to mitigate this by incorporating the scheme data in a standardized format such as OSCAL (Open Security Controls Assessment Language). To enable fast development and integration of external resources, a common data format can help. Furthermore, EMERALD aims at providing interoperability at the trustworthy evidence layer by evaluating usage of the European Blockchain Services Infrastructure (EBSI) for its trustworthiness system.
KR8: PILOTS
Industrial pilots: Involvement of realistic use cases by potential applicants of EMERALD. This is key to derive and validate the proposed contents of the project objectives. PILOTS is responsible for providing these real-world application examples and test data. The data will be forwarded to the evidence extraction stakeholders, so the components can be fine-tuned to improve quality of the results.
KR9: DECAS
Dissemination, exploitation, communication and standardization: Dissemination and communication of the project results via multiple channels, relevant conferences (e.g., ETSI security conference) and the scientific community. Exploitation of the project achievements by the technical and pilot partners. Standardization activities to discuss, verify and deepen the project findings with standardization bodies. Concepts for continuous use and deployment after the project has finished need to be prepared and documented.