In December 2020, the European Union Network and Information Security Agency (ENISA) launched a public consultation on a new candidate cybersecurity certification scheme. ENISA’s primary goal with this is to “enhance trust in cloud services across Europe”. The European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) is a first step to make this happen.
The short break over the winter holidays offered a perfect opportunity to read through the document and understand what it is all about.
At this point the EUCS on Cloud Services is still a draft that is open to comments and improvement.
Some chapters are still incomplete. However, we can already outline some main principles behind the scheme and the main topics that it aims to address.
To a large extent, the security requirements of the scheme are based on the C5 scheme (Germany) and the SecNumCloud scheme (France). Terminology and auditing principles are mainly based on the existing relevant standards such as ISO/IEC 17788, ISO/IEC 27000, ISO/IEC 17065 and ISO/IEC 17000.
EUCS takes a step beyond C5 and SecNumCloud: it offers three assurance levels defined in the EU Cybersecurity Act (EUCSA): basic, substantial and high. We will describe these three levels in a moment.
Topics covered by the scheme
The scheme draft is largely generic and discusses many aspects only on a high level. However, it nonetheless addresses a comprehensive list of topics.
We can broadly group them into three focus areas:
- Certification Scheme, including details of the assurance levels, evaluation methods and criteria, certificate management and certificate validity.
- Cloud Service Providers, including information for certification, managing new vulnerabilities, compliance monitoring and the effects of non-compliance.
- Conformance Assessment Bodies (CABs), which are in charge of the certification scheme on a local level. This includes, for example, mutual recognition of certificates, requirements towards CABs, disclosure policy, and peer assessment of CABs.
The EUCS-proposed Assurance levels
One of the more interesting aspects of the certification scheme is the ambition to define three distinct assurance levels: basic, substantial and high.
The assurance levels are meant to convey an increasing level of security of the certified cloud service. To help achieve this, the scheme must clearly define and distinguish the assurance levels. Unfortunately, that is a hard nut to crack since cloud services are complex systems and assessing their security is challenging to say the least.
Let us dive into the distinctions between the three assurance levels.
1. The Basic assurance level
The Basic assurance level provides very limited assurance. It is meant to show that the cloud provider built and operates the cloud service according to known best practices.
Services at this assurance level may meet security requirements that minimize known basic risks of cybersecurity incidents.
The adversary model for this assurance level is “a single person with limited skills repeating a known attack with limited resources, not including the ability to perform social engineering attacks”, otherwise known as script kiddies.
The draft aims to increase the security requirements for this assurance level once the certification scheme gets widely adopted. Until then, the basic certification level will be cold comfort to the users of such cloud services. Before anything else, compromise by one of these actors presents a major risk to an organisation’s reputation.
2. The Substantial assurance level
The Substantial assurance level aims higher.
According to the draft, “[…] the typical attacker profile for assurance level Substantial should be a small team of persons with hacking abilities and access to a wide range of known hacking techniques, including social engineering, but with limited resources, in particular to launch wide attacks or to discover previously unknown vulnerabilities”.
The assessment of security requirements at this level is more thorough.
Beyond the basic requirements, the assessment includes an on-site audit (interviews and inspecting samples). It also includes verification that the implementation follows the specified processes and design, including validation of the functional tests performed on that implementation.
According to the scheme, assurance level Substantial is intended for cloud services suitable for business-critical data and systems.
In our view, the attacker profile for this assessment level should also explicitly include motivated individuals and especially rogue insiders.
Insider adversaries will often have information that can lead to very serious consequences. Knowing the vulnerabilities, processes and internal mechanisms may enable them to circumvent the defences at a low cost.
3. The High assurance level
The High assurance level aims to minimise or prevent cybersecurity risks and state-of-the-art cybersecurity attacks by actors with significant skills and resources.
Such an adversary could comprise a team of highly skilled persons with access to significant resources. This can be used to design and perform attacks, get insider access, discover or buy access to previously unknown vulnerabilities. Serious organised crime is one example of such highly capable and financially driven groups of attackers.
Requirements at this assurance level aim to ensure that controls are automatically monitored for continuous operation in accordance with their design, and that they are regularly reviewed and penetration tested to validate their ability to prevent or detect security breaches.
According to the scheme, assurance level High is meant for cloud services suitable for mission-critical data and systems and designed to meet specific security requirements that exceed the assurance level Substantial.
In its current form, the certification scheme does not aim for any higher assurance level that would address threats from intelligence services and other state actors.
As the recent SolarWinds attack showed, state actors can bring huge resources and skill to bear against a target. They have capabilities beyond those of any other actor. In practice it is very difficult to defend against these actors without stringent human and technical controls in place.
Security of cloud data and services is a core focus at CanaryBit.
We welcome ENISA’s initiative to devise a cybersecurity certification scheme for cloud services. The candidate scheme is a first step towards a very ambitious goal to create a comprehensive cybersecurity certification of digital products and services for the European Market.