Certification approach and qualification description

Certification approach in DOME
DOME certification baseline
DOME certification qualification process
How to qualify a product
How to check for a product qualification
How to recover an expired qualification

Certification approach in DOME

EU Cloud Rulebook will comprise different types of schemes, regulations and standards. DOME compliance model will focus on certification schemes and standards which cover the most relevant schemes and frameworks to be included in the EU Cloud Rulebook. The approach to be followed in DOME is incremental starting by supporting the certification compliance assessment to widely adopted schemes (ISO based in the first version) and incrementally supporting the rest of the schemes to be defined in the Cloud Rule book. The objective of is to automate as much as possible the compliance assessment process so that no "human" intervention is needed. Nevertheless, and due to a number of limitations on the CABs and other stakeholders to support the automation of some parts of the process (i.e. lack of available APIs to check and assess the existence and correctness of the certificates in a form of automatically exposed Register of Adherence, lack of support to verifiable credentials approach from the certificates issuers, etc) DOME foresees to implement different levels of support to the automatic checking of the certificates.

The main objectives of the compliance support in DOME are:

Develop a formal process to verify the compliance against reference standards.
Develop a methodological framework supported by tools to verify the compliance against reference standards during the on-boarding process.
Develop tools to automatically monitor the validity of the certificates.
Develop tools to continuously monitor that security requirements are being fulfilled through the continuous assessment of the validity of the certificates.

To this end, DOME will guarantee that services in the platform are certified checking the validity of the related certificates. It is worthy to note, that DOME won't certify services, but will rely on valid certificates from official certificates issuers.

DOME certification baseline

DOME marketplace will foster the adherence to the upcoming Cloud Rule Book. The EU Cloud Rulebook is envisioned as a "light" regulation with no strict obligation (based on voluntary adoption) and issued as a "Recommendation" but the Member States will have the power to enforce it in their jurisdictions, if they wish, or even make compulsory a subset or a superset of it . For more details please refer to the Cloud Rule Book.

Consistent to this approach, the DOME certification compliance functionality will allow the services providers to check which certification they own and to allow the customers to search/filter the catalog upon the kind of qualification they aim to achieve. In the EU Cloud Rulebook it is expected to have different compliance levels, i.e. Level 1, Level 2, Level 3. Similarly, DOME will also support the labeling strategy initially into 3 categories based on the number of verified certifications (from the supported ones). The services will be tagged (by different colors) accordingly into these categories: Red - Level 1 (No verified certifications), Yellow Level 2 - (Some supported certifications verified), and Green - Level 3 (All the certifications have been verified by a Certification Body accepted in DOME).

For the first version of the platform the certifications supported are the green ones in the following table :

STANDARDS	Mandatory
General
ISO/IEC 22123-1:2021	No
ISO/IEC 20000-1:2018	No
ISO/IEC 20000-2:2019	No
ISO/IEC 19944-1:2020	No
ISO/IEC 17826:2022	No
ISO/IEC 17788:2014	No

Interoperability and portability standards
ISO/IEC 19941:2017	No

Information security standards
ISO 22301:2019	No
ISO/IEC 27000:2018	No
ISO/IEC 27001:2022	No
ISO/IEC 27002:2022	No
ISO/IEC 27701:2019	No
ISO/IEC 27017:2015	No
Payment Card Industry Data Security Standard (PCI DSS) v4.0	No

Data protection and privacy standards
ISO/IEC 29100:2011	No
ISO/IEC 29101:2018	No
ISO/IEC 19086-4:2019	No
ISO/IEC 27018:2019	No

Service level agreement standards
ISO/IEC 19086-1:201	No
ISO/IEC 19086-2:2018	No
ISO/IEC 19086-3:2017	No

Characteristic / Tag to be included for each service:

DOME Level 1 - No verified certifications provided/achieved

DOME Level 2 - Some supported certifications have been verified

DOME Level 3 - All the supported certifications have been verified by DOME

VERIFIED (Certification validation passed)
IN VALIDATION (Evidences provided to the DOME Trusted Certification Authority which is in the process of validating them)
SELF-DECLARED (self-declaration of certification compliance, there is no assurance from DOME about the validity)
EXPIRED or NOT VALID (expired or not valid certificate)
NOT REQUIRED (no evidences provided)

DOME certification qualification process

The DOME platform will provide means to qualify products in the Marketplace with respect to their fulfillment against relevant reference standards.

Initial clarifications:

DOME won't certify services.
DOME will verify that services that want to be endorsed to DOME are compliant to the selected relevant schemes, from the EU Cloud Rulebook. To do so, DOME will verify the validity of the certificates provided by the CSPs for each of the services.
DOME will assess the "continuous validity of the certificate" during the lifecycle of the cloud service in DOME, monitoring possible expirations.

The certification qualification process is composed of 4 steps:

Step 1- Certification initialisation: The DOME operator sets up the certification level for the services, selecting which certifications/frameworks need to be provided when a service is endorsed into the DOME/federated marketplace. Each marketplace federated in DOME can have specific additional configurations for compliance: EUCR , Others: AI related ones, financial specific, health specific, environmental specific, etc.

Step 2- Certification accreditation:

A CSP that wants to be part of DOME provides the certificates, uploading the corresponding evidence (signed or not signed pdf files of the certificate ). As depicted in Figure 1, depending on the type of the provided evidence different methods need to be applied to validate it. DOME will accept the different certification types issued by the different agencies and authenticity will be assessed both in all the cases. When the evidence provided is a signed or unsigned pdf the authenticity will be assessed by the DOME Trust Service Provider for Certification, and the corresponding VC will be created for the CSP to be included in their DOME compliance profile.

DOME compliance approach is prepared to support the acceptance of VCs of the certificates issued by certification agencies as depicted in Figure 1.

Fig 1. Certification accreditation cases in DOME.

Step 3- Certification assessment: DOME assesses the validity of the certificate and if valid generates the related Verified Credential for the CSP to be stored in the wallet. The validation is done through the assessment of the provided certification by Trust Services for Certificactions Provider (TSCP). The certification assessment activity will be done in a continuous basis process.

Step 4- Service qualification and onboarding: The service is qualified in the DOME marketplace based on the valid certificates and the information is updated in the catalog. Once the product receives the validation it will be visible in the marketplace pages including the Certification profile achieved through the validation.There are 3 compliance levels based on the types of evidence provided for the supported certifications. These are the different compliance levels a service can be qualified to:

DOME Level 1 - No certifications provided/achieved.
DOME Level 2 - Some supported certifications have been verified.
DOME Level 3 - All the supported certifications have been verified by DOME.

How to qualify a product

The DOME certification qualification process is one of the steps in the Product Specification process and needs to be completed in the "Compliance profile step". The product needs to be created to be able to edit the compliance profile section.

In order to be able to get the DOME compliance profile the product owner needs to select the certificates to be included in the profile of the product offering.

Once the certificates have been uploaded these need to be verified by the provision of signed Verified Credentials (VCs) of the certificates.

To get the VCs of the supported certificates, DOME offers a validation service that generates the VCs of the certificates by a DOME Trust Service Provider for Certification. To do so the CSP needs to access the DOME compliance component (currently an email needs to be sent to dome-certification@listas.tecnalia.com with the certificates ) to get the related VCs and upload it to the compliance profile (see How to get the VC to the supported certifications). Until the VCs are uploaded the status of the product with respect to these certifications will be SELF-DECLARED

Only VCs from authorized entities by DOME will be accepted. The product owners can access the Compliance Module to get the certifications verified and get the related VCs.

When the VC of the certificate is uploaded to the profile the result of the validation will be updated.

Also the result of the certification validation will be updated in the portal and the product will be correspondingly classified to one of the the DOME compliance levels (see Dome Certification baseline). The service owner will get a notification about the compliance level achieved by the service.

How to get the VC to the supported certifications:

After logging (with a valid DOME user) in the Compliance Module the product owner will include the evidence of the supported certifications (i.e. signed certifications in pdf format).

The pdf for each of the certifications to be qualified needs to be uploaded through the data entry form and submitted.

The validation of the certification is a process that might take time. The owner of the product will receive the resulted Verified Credentials to the successful certifications, to be stored in the wallet (through the Credential Issuance component that DOME operates).

When the VC from the certification verification is received, the product owner shall enter the product specification, and edit the compliance profile, uploading the provided VC.

How to check for a product qualification

The information of the compliance profile will be available in the market place, including the DOME Compliance Level for each service.

To acquire more detailed information about the compliance profile 'view details' shall be clicked, and the detailed information will be shown . Check DOME certification baseline for the colour code.

How to recover an expired qualification

When any of the verified certifications is about to expire (2 months in advance) the service owner will receive (through email) a notification and can upload the new certification on the marketplace.

The certification can be renewed at any time, uploading a new VC validated by the DOME Trust Service Provider. If the certification is not re-newed by uploading a new VC the compliance profile will be automatically updated in the DOME platform. The service owner will get a notification about the new compliance level achieved by the service and this information will be updated in the Compliance Profile.