CERTIFICATION APPROACH IN DOME (T4.3)

~~Objectives:~~EU Cloud Rulebook will comprise different types of schemes, regulations and standards. T4.3 will focus on certification schemes and standards which cover the most relevant schemes and frameworks to be included in the EU Cloud Rulebook. The approach to be followed in DOME is incremental starting by supporting the certification compliance assessment to widely adopted schemes (ISO based in the first version) and incrementally supporting the rest of the schemes to be defined in the Cloud Rule book. The objective of T4.3 is to automate as much as possible the compliance assessment process so that no ???human??? intervention is needed. Nevertheless, and due to a number of limitations on the CABs and other stakeholders to support the automation of some parts of the process (i.e. lack of available APIs to check and assess the existence and correctness of the certificates in a form of automatically exposed Register of Adherence, lack of support to verifiable credentials approach from the certificates issuers, etc) DOME foresees to implement different levels of support to the automatic checking of the certificates.

~~???~~The main objectives of the compliance support in DOME are:

Develop a formal process to verify the compliance against reference standards

~~???~~ Develop a methodological framework supported by tools to verify the compliance against reference standards during the on-boarding process

~~???~~ Develop tools to automatically monitor the validity of the certificates ~~(i.e., by checking ENISA???s public registry)~~

~~???~~ Develop tools to continuously monitor that security requirements ~~EUCS high~~ are being ~~fulfilled.~~fulfilled through the continuous assessment of the validity of the certificates

~~DOME~~

~~Project level assumptions:~~

~~???~~To ~~DOME~~this ~~won???t~~end, ~~certify services~~

~~???~~ DOME will guarantee that services in the platform are certified ~~(based on their verifiable credentials)~~

~~???~~ ~~DOME needs to support~~ ~~the EUCS level high that Continuously assesses~~checking the ~~certificates validity.~~

~~DOME certification approach, first insights:~~

~~???~~ ~~DOME will verify that services that want to be endorsed to DOME are compliant to the selected schemes: EUCS, Others: ISO 27001/17~~

~~???~~ ~~DOME will to assess the ???continuous compliance~~validity of the ~~EUCS???~~related ~~during the lifecycle of the service in DOME.~~

~~???~~ ~~DOME could also offer (some) services to help service providers to be EUCS compliant (adapted from MEDINA framework or others)~~

Other considerations:

~~Enlarging the scope of Certification verification in DOME: ???CSP???s posture 360???:~~ ~~Security, testing, financial, contractual framework. Added value services over these KPIs such as ranking of CSPs/CSs.~~

~~Provider security posture. See~~ ~~as an example.:~~ ~~Bitsight Security Ratings | Bitsight~~

~~Product testing.~~ ~~Qualification report~~

Contractual framework. Setting some contractual baseline like minimum contractual SLA, presence of a specific reporting, or something else, can be an additional control that we can propose in the validation process.

Provider service posture. What about creating a ???ranking??? function where customers of a specific service can provide some feedback that we can map as a ???ranking??? of the single provider ? And maybe later use it to set a minimum level to be qualified on the portal.

Provider financial posture. Dunno if there is some way to do some check on the posture of a specific provider, but this may be another qualification factor we could introduce in the ranking evaluation.

Certification compliance sub-processes in DOME:

~~Step 0:~~ ~~Certification initialization/configuration~~ ~~- Baseline (Theory: EUCS+Rulebook). Default.~~ ~~ISO27001 + ISO27017~~

~~Section~~	~~Description (TECNALIA)~~
~~Process id~~	~~CP00~~
~~Objective~~	~~Certification initialization/configuration~~
~~Description~~	The DOME admin/Market place admin set ups the certification level for the services, selecting which certifications/frameworks need to be provided when a service is endorsed into the DOME/federated market place. Some certification levels will be pre-configured i.e., Baseline/DOME and the mandatory certifications will be already included. Other levels to be initialized could be customize for each of the marketplaces to be federated. i.e., Advanced level. ~~- Baseline: ISO27001 + ISO27017~~ ~~- DOME: EUCS~~ ~~-Vertical: Automotive, Energy,Banking~~ ~~- Advanced: Testing, financial, Fiware etc.~~ ~~Based on this configuration the certification options to be provided may differ and thus it will impact the "3) verification of the compliance with DOME???s basic standards and criteria"~~ ~~(Theory: EUCS+Rulebook). Default. ISO27001 + ISO27017. Others: Testing frameworks, service posture, financial~~
~~Roles~~	~~DOME admin~~ ~~Market place admin~~
~~Pre-Conditions~~	~~The different certification levels need to be established in the DOME platform.~~
~~Comments~~	~~This process is part of the initialization of the Market place /configuration of whichcertification data is to be requested.~~certificates. It is ~~part~~worthy ofto ~~the characterization of the services (the certification part)~~note, that ~~needs~~DOME towon't becertify ~~defined~~services, inbut ~~DOME~~will rely on valid certificates from official certificates issuers. ~~How~~ ~~to manage the change of certification configuration?~~

~~Step 1:~~ ~~Certification accreditation~~ ~~- A CS that wants to be part of DOME provides the certificates (sail Statement of applicability)~~

~~Step 2-~~ ~~Certification assessment for endorsement~~~~- DOME assesses the certificate and provides an answer to the CSP.~~

~~Step 3-~~ ~~Continuous certification assessment (EUCS)~~ ~~. DOME continuously assess the certification~~

~~Step 4-~~ ~~Filtering / Looking /Ranking for services with a certain certification level~~ ~~.This is not directly related to the compliance process but~~ ~~it has an impact on the characterization of the services.~~