Review of the ENISA cybersecurity cloud-certification scheme

6 January 2021

Just days before the end of 2020, the European Union Network and Information Security Agency (ENISA) launched a public consultation on a new draft candidate cybersecurity certification scheme. ENISA’s primary stated goal with this is to “enhance trust in cloud services across Europe”.

The short break over the winter holidays offered a perfect opportunity to read through the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) and understand what it is all about.

EUCS

At this point the EUCS is still a draft that is open to comments and improvement.

While some chapters are still incomplete, we can already outline some main principles behind the scheme and the main topics that it aims to address.

To a large extent, the security requirements of the scheme are based on the C5 scheme (Germany) and the SecNumCloud scheme (France). Terminology as well as auditing principles and approaches are based to a large extent on the existing relevant standards such as ISO/IEC 17788, ISO/IEC 27000, ISO/IEC 17065 and ISO/IEC 17000.

EUCS takes a step beyond C5 and SecNumCloud in proposing three assurance levels defined in the EU Cybersecurity Act (EUCSA): basic, substantial and high. We will describe these three levels in a moment.

Topics covered by the scheme

The scheme draft is largely generic and discusses many aspects on a high level only. However, it nonetheless addresses a comprehensive list of topics.

We can broadly group them into three focus areas:

  • the Certification Scheme itself with details of the assurance levels, evaluation methods and criteria, certificate management and certificate validity
  • the Cloud Service Providers, providing necessary information for certification, managing new vulnerabilities, compliance monitoring and effects of non-compliance
  • the Conformance Assessment Bodies (CABs) in charge of the certification scheme on a local level (e.g. mutual recognition of certificates, requirements towards CABs, disclosure policy, peer assessment of CABs)

The EUCS-proposed Assurance levels

One of the more interesting aspects of the certification scheme and one that sets it apart is the ambition to define three distinct assurance levels: basic, substantial and high.

The assurance levels are meant to convey an increasing level of security of the certified cloud service. Since more is definitely better when it comes to security, these categories need to be clearly distinct and well defined. Unfortunately, that is a hard nut to crack since cloud services are complex systems and assessing their security is challenging to say the least.

Let us dive into the distinctions between the three assurance levels.

1. The Basic assurance level

The Basic assurance level provides limited assurance that the cloud service is built and operated with procedures and mechanisms that follow known best practices.

Services at this assurance level may meet security requirements that minimize known basic risks of cybersecurity incidents.

The adversary model for this level of assurance is “a single person with limited skills repeating a known attack with limited resources, not including the ability to perform social engineering attacks”, otherwise known as script kiddies.

The draft explicitly mentions the goal to increase the security requirements for this assurance level once the certification scheme gets widely adopted. Until then, the basic certification level will be cold comfort to the users of such cloud services – before anything else, compromise by one of these actors presents a major risk to an organization’s reputation.

2. The Substantial assurance level

The Substantial assurance level aims higher.

According to the draft, “[…] the typical attacker profile for assurance level Substantial should be a small team of persons with hacking abilities and access to a wide range of known hacking techniques, including social engineering, but with limited resources, in particular to launch wide attacks or to discover previously unknown vulnerabilities”.

The assessment of security requirements at this level is more thorough.

Beyond the basic requirements, assessment includes on-site audit (interviews and inspecting samples) and a verification that the implementation follows the specified processes and design, including the validation of the functional tests performed on that implementation.

According to the scheme, assurance level Substantial is intended for cloud services suitable for business-critical data and systems.

In our view, the attacker profile for this assessment level should also explicitly include motivated individuals and especially rogue insiders.
Insider adversaries will often have information that can lead to very serious consequences – knowing the vulnerabilities, processes and internal mechanisms may enable them to circumvent the defences at a low cost.

3. The High assurance level

The High assurance level aims to minimise or prevent cybersecurity risks and state-of-the-art cybersecurity attacks by actors with significant skills and resources.

Such an adversary could comprise a team of highly skilled persons with access to significant resources to design and perform attacks, get insider access, discover or buy access to previously unknown vulnerabilities. Serious organised crime is one example of such highly capable and financially driven groups of attackers.

Requirements at this assurance level aim to ensure that controls are automatically monitored for continuous operation in accordance with their design, and that they are regularly reviewed and penetration tested to validate their ability to prevent or detect security breaches.

According to the scheme, assurance level High is intended for cloud services suitable for mission-critical data and systems and designed to meet specific security requirements that exceed the assurance level Substantial.

In its current form, the certification scheme does not aim for any higher assurance level that would address threats from intelligence services and other state actors.

As the recent SolarWinds attack showed, state actors can bring tremendous resources and skill to bear against a target. They have capabilities beyond those of any other actor. In practice it is very difficult to defend against these actors without incredibly stringent human and technical controls in place.

Concluding remarks

Security of cloud data and services is a core focus at CanaryBit.

We welcome ENISA’s initiative to devise a cybersecurity certification scheme for cloud services. The candidate scheme is but a first step towards a very ambitious goal to create a comprehensive cybersecurity certification of digital products and services for the European Market.

by Nicolae Paladi

Nicolae holds a PhD in computer security from Lund University. His research focus is primarily cloud computing security - including trusted computing, confidential computing and security of software-defined networks.