(carried out at the TU Munich)
The outsourcing of business processes and data to cloud service providers raises customer demands on the quality, data protection and data security provided by the cloud service provider. Certificates are a proven means - not only in the IT industry - of giving customers quick, simple, transparent and comparable information about protective measures, standards complied with and internal quality processes (e.g. the EuroCloud Star Audit or the "Trusted Cloud" certificate from TÜV). A certificate is the result of extensive tests carried out in close collaboration between the cloud service provider and the certification company. The certificate, which is awarded once the test has been passed, is usually valid for one to three years. Given the high dynamism and rapid technological progress within the cloud service industry and its underlying technologies, such a certificate can suggest a high level of security even when its requirements are no longer met, e.g. after subsequent changes to the configuration of the IT systems.
NGCert is part of the "Secure Cloud Computing" initiative of the German Federal Ministry of Education and Research (BMBF). This initiative builds on the "Trusted Cloud" technology program. The "Value4Cloud" research project funded in this program focused on the question of how cloud customers can choose cloud service providers suited to their needs. Based on defined criteria (Cloud Service Check), cloud services could be analyzed and compared so that an objective selection of the right cloud services can be made. This catalog helps cloud customers to consider the relevant criteria when selecting cloud services. However, the cloud customer does not yet have any way to verify to what extent the cloud service provider actually meets the selected customer requirements in terms of data quality, data protection and service quality. For this reason, NGCert's project goal is to develop principles and methods for dynamic certification. This can provide the cloud customer with the necessary transparency: in the future, the cloud customer will be able to check at any time whether the cloud service provider meets the specified requirements.
The aim of NGCert is to provide an accurate statement about the validity of an existing certificate. This is achieved by dynamic processes that continuously and (partially) automatically check critical certificate requirements (based on standards such as the CSA CCM, ISO 27001/27017 and ISAE 3000/ISAE 3402) and monitor the current result of each check. Dynamic certification is thus a process that gives continuous feedback on whether the cloud service provider still meets the quality requirements of the certificate, and it carries the trust-building function of certificates over into the dynamic and rapidly changing world of cloud services.
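As an added illustration (not code from the NGCert project or its prototype), the following Python sketch contrasts the classic, period-based notion of validity with a dynamic verdict derived from continuous requirement checks; the requirement IDs, the standard references and the dates are constructed placeholders, and a requirement with no fresh check result is deliberately reported as "stale" rather than "met".

```python
from dataclasses import dataclass, field
from datetime import date
# Requirement IDs, standard references and dates are constructed placeholders,
# not real CSA CCM / ISO 27017 control identifiers.
@dataclass(frozen=True)
class Requirement:
    req_id: str        # requirement in the certification catalogue
    standard: str      # standard it is derived from
    critical: bool     # failing a critical requirement invalidates the certificate
    max_age_days: int  # how fresh the latest automated check result must be

@dataclass
class DynamicCertificate:
    issued: date
    expires: date
    requirements: list
    results: list = field(default_factory=list)  # (req_id, checked_on, passed) tuples

    def static_valid(self, today: date) -> bool:
        # Classic certificate: "valid" merely because the validity period has not ended
        return self.issued <= today <= self.expires

    def requirement_status(self, req: Requirement, today: date) -> str:
        # 'met', 'failed' or 'stale', judged by the most recent check of this requirement
        checks = [(day, ok) for rid, day, ok in self.results if rid == req.req_id and day <= today]
        latest = max(checks, default=None)
        if latest is None or (today - latest[0]).days > req.max_age_days:
            return "stale"  # missing evidence must never be reported as "met"
        return "met" if latest[1] else "failed"

    def dynamic_status(self, today: date) -> dict:
        # Continuous verdict: valid only while the period holds AND every critical requirement is met
        statuses = {r.req_id: self.requirement_status(r, today) for r in self.requirements}
        critical_ok = all(statuses[r.req_id] == "met" for r in self.requirements if r.critical)
        return {"valid": self.static_valid(today) and critical_ok, "requirements": statuses}

def sample_certificate() -> DynamicCertificate:
    # Constructed scenario: the encryption check fails after a configuration change on 2024-03-05
    reqs = [Requirement("ENC-01", "ISO 27017 (placeholder)", True, 7),
            Requirement("LOG-03", "CSA CCM (placeholder)", False, 30)]
    cert = DynamicCertificate(date(2024, 1, 1), date(2026, 12, 31), reqs)
    cert.results += [("ENC-01", date(2024, 3, 1), True), ("LOG-03", date(2024, 3, 1), True),
                     ("ENC-01", date(2024, 3, 5), False)]
    return cert

def scenario_verdict(iso_day: str) -> dict:
    # Static vs. dynamic verdict for the sample certificate on a given ISO date
    cert, today = sample_certificate(), date.fromisoformat(iso_day)
    return {"static_valid": cert.static_valid(today), **cert.dynamic_status(today)}
```

On 2024-03-06 the certificate is still inside its three-year period, so the static view reports it as valid, while the dynamic verdict flags the failed critical requirement; weeks later without new checks, both requirements become stale and the certificate is again not reported as valid.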
The project objectives are addressed one after the other and implemented step by step in three successive iterations, each divided into eight work packages. This procedure enables a continuous comparison between practice and science and ensures that recognized project criteria (relevance, effectiveness, efficiency, impact and sustainability) are fulfilled.
- Further development of requirements for dynamic certification
- Analysis of existing industry information (current audit procedures, certification requirements, preventive measures for risk minimization (CSA Cloud Controls Matrix), etc.) and scientific results (successes of the "Trusted Cloud" technology program)
- Development of new methods and procedures to enable dynamic certification
- Development of a prototype for dynamic certification
- Continuous comparison and evaluation of practice and science
All results of the NGCert project are summarized in the book "Management sicherer Cloud Services: Entwicklung und Evaluation dynamischer Zertifikate". It develops a concept for dynamic certificates that promotes trust, legal certainty, quality and the benefits of cloud services on the German market, and a prototype demonstrates the exemplary use of the developed tools in practice.