Cloud services have become the backbone of digital infrastructure. Ensuring that they are implemented securely and in compliance with regulations is of paramount importance for companies, public authorities, and critical infrastructures alike. However, traditional certification procedures are coming under increasing pressure: They are only able to record security statuses selectively, are complex, and have limited scalability. Meanwhile, technological development is advancing rapidly – examples include AI-based services and hybrid cloud-edge architectures.
It is against this backdrop that the EU-funded project EMERALD (Evidence Management for Continuous Certification as a Service in the Cloud) is developing a novel concept for continuous cloud certification. Instead of static audits, a dynamic process is used that integrates technical, organizational, and AI-specific security evidence into a semantic model, and evaluates it automatically. At its core is a knowledge graph, which acts as a structuring and connecting entity that combines all of the evidence into a digital model.
Complexity and fragmentation in cloud certification
Various factors complicate the security certification of cloud services. One issue is that the market is fragmented by a number of competing standards. International standards such as ISO 27001 compete with national frameworks such as the German BSI C5 or the Spanish ENS. The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a promising approach for Europe, but it has not yet been finalized and does not offer any concrete implementation guidelines for high levels of trust.
Another issue is that the tools and frameworks used lack technical interoperability, which makes it harder to automate and integrate certification processes. Moreover, both cloud providers and users often face significant hurdles in demonstrating compliance with security requirements – whether due to limited resources, lack of transparency, or lack of integration into existing operational processes. The increasing integration of AI technologies into cloud services further complicates the situation, as there are currently no fully developed and accepted certification procedures for this.
Architecture and components of the EMERALD framework
EMERALD addresses these challenges by using a modular platform architecture based on a cross-domain knowledge graph. The objective is to implement security certifications not as one-time tests, but as a continuous, data-based process.
The central element is a repository of security metrics that combines requirements from various certification schemes in machine-readable form. This forms the basis for automatically evaluating and updating certificates. This system allows existing security catalogs to be combined flexibly. For example, a cloud service can simultaneously meet requirements from the Cloud Computing Compliance Criteria Catalog (BSI C5) and refer to criteria from an AI-specific criteria catalog such as the Artificial Intelligence Cloud Service Compliance Criteria Catalog (AIC4). An intelligent mapping assistant (MARI) facilitates the selection of appropriate metrics by analyzing semantic similarities between control specifications and suggesting suitable links.
The collection of security-related evidence takes place on four different levels. Tools like Clouditor analyze the technical infrastructure, retrieving the configurations, policies, and statuses of the cloud resources used. Information about the behavior and structure of software components is processed at the application level. Code property graphs or static analysis tools such as Codyze are used to identify potential security risks.
Organizational evidence – such as guidelines, procedural instructions, or process descriptions – is extracted using natural language processing methods. The goal is to systematically capture even unstructured documents and integrate them into the certification assessment. Lastly, the fourth level involves the handling of data and AI models. This level analyzes whether a model meets certain requirements for fairness, robustness, or vulnerability.
All collected evidence is semantically structured in a central graph. This forms the foundation for automated evaluation. A central service coordinates the evaluation of the metrics and uses the results as a basis for deciding the certification status.
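To make the evidence-to-metric-to-control chain described above concrete, here is an added, simplified model written for this article (not EMERALD's own code or data model): evidence from several collection levels supports metrics, each metric maps to controls from one or more catalogs, and a central evaluation derives a per-control status. Property names, control identifiers and the 24-hour freshness window are constructed placeholders, not real C5 or AIC4 values.

```python
from datetime import datetime, timedelta

# Hypothetical, simplified model of the EMERALD idea (added example, not project code):
# evidence from several collection levels supports metrics, each metric maps to
# controls of one or more catalogs, and a central evaluation derives the status.
MAX_AGE = timedelta(hours=24)  # assumption: evidence older than this no longer counts
OPS = {"==": lambda a, b: a == b, "<=": lambda a, b: a <= b}

# Metric repository. Control ids are constructed placeholders, not real C5/AIC4 ids.
METRICS = [
    {"id": "M1", "prop": "storage.encryption_at_rest", "op": "==", "expected": True,
     "controls": ["C5-PLACEHOLDER-CRYPTO"]},
    {"id": "M2", "prop": "policy.access_review_days", "op": "<=", "expected": 90,
     "controls": ["C5-PLACEHOLDER-IAM", "AIC4-PLACEHOLDER-GOVERNANCE"]},
    {"id": "M3", "prop": "model.fairness_gap", "op": "<=", "expected": 0.1,
     "controls": ["AIC4-PLACEHOLDER-FAIRNESS"]},
]

def freshest_evidence(evidence, now):
    """Newest fresh evidence per property; stale records cannot keep a status alive."""
    latest = {}
    for ev in evidence:
        if now - ev["collected"] > MAX_AGE:
            continue
        if ev["prop"] not in latest or ev["collected"] > latest[ev["prop"]]["collected"]:
            latest[ev["prop"]] = ev
    return latest

def evaluate(metrics, evidence, now):
    """Per-metric and per-control results; one failing metric fails its controls."""
    latest = freshest_evidence(evidence, now)
    metric_res, per_control = {}, {}
    for m in metrics:
        ev = latest.get(m["prop"])
        r = metric_res[m["id"]] = ("no_evidence" if ev is None else "compliant"
                                   if OPS[m["op"]](ev["value"], m["expected"]) else "non_compliant")
        for c in m["controls"]:
            per_control.setdefault(c, []).append(r)
    control_res = {c: "non_compliant" if "non_compliant" in rs
                   else "no_evidence" if "no_evidence" in rs else "compliant"
                   for c, rs in per_control.items()}
    return metric_res, control_res

# Constructed sample evidence from three of the four collection levels.
NOW = datetime(2025, 1, 10, 12, 0)
EVIDENCE = [
    {"level": "infrastructure", "prop": "storage.encryption_at_rest", "value": True, "collected": NOW - timedelta(hours=1)},
    {"level": "organizational", "prop": "policy.access_review_days", "value": 180, "collected": NOW - timedelta(hours=2)},
    {"level": "ai", "prop": "model.fairness_gap", "value": 0.05, "collected": NOW - timedelta(days=3)},  # stale
]
```

Running `evaluate(METRICS, EVIDENCE, NOW)` shows the continuous aspect: the stale AI evidence leaves the fairness control undecided rather than compliant, and a single organizational finding fails both catalogs' controls that share the metric.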
Implementation and pilot projects in the context of application
The EMERALD platform is implemented as a distributed system, with the individual components in the form of microservices with standardized interfaces (REST/gRPC). The source code is openly accessible and allows for continued development by external partners.
Four pilot projects were designed in order to validate the platform, simulating real application scenarios. Three of these pilots aim to certify private cloud services in the form of Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service. They draw on the foundations laid in the predecessor project MEDINA and aim to achieve conformity with the “high” EUCS level.
The fourth pilot focuses on hybrid cloud-edge infrastructures in the financial sector. In this highly regulated domain, continuous certification is particularly important – especially in light of the Digital Operational Resilience Act (DORA). In this context, EMERALD is utilized as a platform for real-time assessment, which verifies that both centralized and decentralized services comply with their security requirements. The focus is on transparency, traceability, and the secure integration of external providers into existing systems.
A step towards dynamic cybersecurity certification
EMERALD is helping to put cloud certification on a new methodological and technological footing. The combination of semantically structured evidence management, automated evaluation, and integrity-assured evidence opens up new possibilities for security testing in dynamic system landscapes.
There are still unanswered questions, such as the standardization of underlying metrics, the harmonization of procedures across national borders, and the complete integration of AI-specific requirements. Nevertheless, the pilot projects show that the approach is fundamentally viable and addresses real challenges.
Fraunhofer AISEC invites interested parties from industry, research, and administration to familiarize themselves with the concepts that have been developed, evaluate them, and work together to continue developing them. The future of cloud certification will be dynamic, data-driven, and interoperable – EMERALD is a step in that direction.
Author
Contact: christian.banse@aisec.fraunhofer.de