Next Generation Certification (NGCert)
The outsourcing of business processes and data to Cloud Service Providers leads to heightened customer demand in terms of quality, data protection and data security supplied by the Cloud Service Provider. Certificates are a proven means - not only within the IT sector - to provide the customer with fast, simple, transparent and comparable information about protective measures, maintained standards and internal quality processes (e.g. EuroCloud Star Audit or "Trusted Cloud" certificate from TÜV). A certificate is the result of extensive testing, which takes place in an intensive collaboration between Cloud Service Provider and Certification Company. The certificate, which is awarded for a passed test, is usually valid for a period of one to three years. High dynamics and fast technological progress within the cloud service industry and the underlying technologies lead to the assumption that such certificates suggest a high level of safety despite the requirements, e.g. post-configuration changes of IT systems, having not been met.
The aim of NGCert is that an accurate conclusion to the validity of an existing certificate be drawn. This will be achieved by use of dynamic processes, which check continuous, (partially) automated and critical certificate requirements (based on standards such as CSA CCM, ISO 27001/27017, ISAE 3000 / ISAE3402) and monitor the current result of the review. Such a dynamic certification is a process, which provides continuous feedback as to whether the Cloud Service Provider meets the certificate’s quality requirements. The dynamic certification thus enables the transmission of it’s confidence-building processes within the dynamic and rapidly changing world of cloud services.
The project goals are processed consecutively and gradually implemented by use of three successive iterations, each subdivided into 8 work packages. This procedure allows for a continuous comparison to be made between practice and science and ensures the fulfillment of recognized project criteria (relevance, effectiveness, efficiency, impact and sustainability).
- Advancement of requirements for a dynamic certification
- Analysis of existing industry information (current audit procedures, certification requirements, preventive measures to minimize risk (CSA Cloud Control Matrix), ect.) and scientific results (achievements of the technology program "Trusted Cloud")
- Development of new methods and procedures to enable a dynamic certification
- Development of a prototype for a dynamic certification
- Continuous comparison and evaluation of practice and science
NGCert is part of the initiative "Sicheres Cloud Computing" by the Federal Ministry of Education and Research (BMBF). This initiative builds on the technology program "Trusted Cloud". The research project "Value4Cloud", which was supported in this program, focused on how the Cloud Customer could make a suitable choice of Cloud Service Provider to meet their needs. Using set criteria (Cloud Service Check), cloud services could be analyzed and compared in order to make an objective selection for the right cloud services. This catalog helps cloud customers to consider the relevant criteria when selecting cloud services. However the Cloud Customer still has no possibility to review the extent to which the Cloud Service Provider fulfills the selected customer requirements, in terms of data quality, data protection and service quality. For this reason, NGCert has set the project goal to develop principles and methods for dynamic certification. As a result, the necessary transparency can be offered to the Cloud Customer. In the future the Cloud Customer will be able to check at any given time, whether the Cloud Service Provider is meeting the predetermined requirements.
All findings of the project NGCert are summarized in the book “Management sicherer Cloud-Services: Entwicklung und Evaluation dynamischer Zertifikate“ (German only). A concept for dynamic certification to promote trust, legal compliance, quality and benefits of cloud services in the German market is being developed. A prototype shows the exemplary use of the developed tools in practice.
Technische Universität München, Chair for Information Systems (Prof. Dr. Krcmar)
Universität zu Köln, Information Systems and Information Systems Quality (Juniorprofessor Dr. Sunyaev)
Universität Kassel, provet (Prof. Dr. Roßnagel)
Universität Passau, Computer Science and Mathematics (Prof. de Meer)
Fraunhofer AISEC (Prof. Dr. Eckert)
Bundesministerium für Bildung und Forschung (BMBF)