D3.3 Evidence assessment and Certification – Implementation - v1

Author: Haas, Nico
Publisher: Zenodo
DOI: 10.5281/zenodo.17193168
Source: https://zenodo.org/records/17193168/files/EMERALD_D3.3_Evidence-Assessment-and-Certification-Implementation-v1_v1.0.pdf
Deliverable D3.3
Evidence assessment and Certification – Implementation-v1
Editor(s): Nico Haas
Responsible Partner: Fraunhofer AISEC
Status-Version: Final – 1.0
Date: 31.10.2024
Type: OTHER (SW)
Distribution level: PU

D3.3 – Evidence assessment and Certification-Implementation-v1 Version 1.0 – Final. Date: 31.10.2024
© EMERALD Consortium Contract No. GA 101120688 Page 2 of 76
www.emerald-he.eu
Project Number: 101120688
Project Title: EMERALD
Title of Deliverable: D3.3 Evidence assessment and Certification – Implementation-v1
Due Date of Delivery to the EC: 31.10.2024
Workpackage responsible for the Deliverable: WP3 - Evidence assessment and Certification
Editor(s): Fraunhofer AISEC
Contributor(s): Nico Haas, Angelika Schneider (FHG); Cristina Regueiro, Iñaki Etxaniz (TECNALIA); Marinella Petrocchi (CNR)
Reviewer(s): Jordi Guijarro (ONS); Cristina Martínez Martínez (TECNALIA); Juncal Alonso Ibarra (TECNALIA)
Approved by: All Partners
Recommended/mandatory readers: WP1, WP2, WP4, WP5, WP6
Abstract: Interim versions of the implementation of the WP3 components.
Keyword List: Implementation, Evidence Assessment, Assessment Evaluation, Certification, Control Metric Mapping, Trustworthiness, Orchestration
Licensing information: This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.
Document Description

| Version | Date | Modification Reason | Modified by |
|---|---|---|---|
| 0.1 | 05.09.2024 | Added Table of Contents | Nico Haas (FHG) |
| 0.2 | 14.10.2024 | Added content | Nico Haas, Angelika Schneider (FHG); Cristina Regueiro, Iñaki Etxaniz (TECNALIA); Marinella Petrocchi (CNR) |
| 0.3 | 20.10.2024 | QA Review | Jordi Guijarro (ONS) |
| 0.4 | 24.10.2024 | Address internal QA review comments | Nico Haas (FHG) |
| 0.5 | 29.10.2024 | Final review | Cristina Martínez / Juncal Alonso (TECNALIA) |
| 0.6 | 30.10.2024 | Integration of the final review | Nico Haas (FHG) |
| 1.0 | 31.10.2024 | Submitted to the EC | Cristina Martínez / Juncal Alonso (TECNALIA) |
Table of contents
Terms and abbreviations
Executive Summary
1 Introduction
1.1 About this deliverable
1.2 Document structure
2 Evidence assessment and integration components in the EMERALD architecture
3 Clouditor-Orchestrator
3.1 Implementation
3.1.1 Functional description
3.1.2 Technical description
3.2 Delivery and usage
3.2.1 Package information
3.2.2 Installation
3.2.3 Instructions for use
3.2.4 Licensing information
3.2.5 Download
4 Clouditor-Assessment
4.1 Implementation
4.1.1 Functional description
4.1.2 Technical description
4.2 Delivery and usage
4.2.1 Package information
4.2.2 Installation
4.2.3 Instructions for use
4.2.4 Licensing information
4.2.5 Download
5 Clouditor-Evidence Store
5.1 Implementation
5.1.1 Functional description
5.1.2 Technical description
5.2 Delivery and usage
5.2.1 Package information
5.2.2 Installation
5.2.3 Instructions for use
5.2.4 Licensing information
5.2.5 Download
6 Mapping Assistant for Regulations with Intelligence (MARI)
6.1 Implementation
6.1.1 Functional description
6.1.2 Technical description
6.2 Delivery and usage
6.2.1 Package information
6.2.2 Installation
6.2.3 Instructions for use
6.2.4 Licensing information
6.2.5 Download
7 Clouditor-Evaluation
7.1 Implementation
7.1.1 Functional description
7.1.2 Technical description
7.2 Delivery and usage
7.2.1 Package information
7.2.2 Installation
7.2.3 Instructions for use
7.2.4 Licensing information
7.2.5 Download
8 Repository of Controls and Metrics (RCM)
8.1 Implementation
8.1.1 Functional description
8.1.2 Technical description
8.2 Delivery and usage
8.2.1 Package information
8.2.2 Installation
8.2.3 Instructions for use
8.2.4 Licensing information
8.2.5 Download
9 Trustworthiness System
9.1 Implementation
9.1.1 Functional description
9.1.2 Technical description
9.2 Delivery and usage
9.2.1 Package information
9.2.2 Installation

9.2.3 Instructions for use
9.2.4 Licensing information
9.2.5 Download
10 Conclusions
11 References
APPENDIX A: Examination of Graph DB Engines
List of tables
TABLE 1. ORCHESTRATOR FUNCTIONAL REQUIREMENTS.
TABLE 2. PACKAGE STRUCTURE OF CLOUDITOR WITH ORCHESTRATOR-RELEVANT PARTS
TABLE 3. PACKAGE STRUCTURE OF THE ORCHESTRATOR USED IN EMERALD
TABLE 4. ASSESSMENT FUNCTIONAL REQUIREMENTS
TABLE 5. ASSESSMENT PACKAGE STRUCTURE
TABLE 6. ASSESSMENT PACKAGE STRUCTURE IN THE EMERALD FRAMEWORK
TABLE 7. EVIDENCE STORE FUNCTIONAL REQUIREMENTS
TABLE 8. EVIDENCE STORE RELEVANT PACKAGE STRUCTURE
TABLE 9. EVIDENCE STORE PACKAGE STRUCTURE IN EMERALD FRAMEWORK
TABLE 10. MARI FUNCTIONAL REQUIREMENTS.
TABLE 11. MARI PACKAGE INFORMATION
TABLE 12. EVALUATION FUNCTIONAL REQUIREMENTS
TABLE 13. EVALUATION RELEVANT PACKAGE STRUCTURE
TABLE 14. EVALUATION PACKAGE STRUCTURE IN THE EMERALD FRAMEWORK
TABLE 15. RCM FUNCTIONAL REQUIREMENTS
TABLE 16. TWS FUNCTIONAL REQUIREMENTS
List of figures
FIGURE 1. OVERVIEW OF THE EMERALD COMPONENTS WITH SPECIAL FOCUS ON EVIDENCE ASSESSMENT AND CERTIFICATION COMPONENTS
FIGURE 2. ROLE OF THE ORCHESTRATOR IN THE EMERALD FRAMEWORK
FIGURE 3. THE PROTOTYPE ARCHITECTURE OF THE ORCHESTRATOR
FIGURE 4. VIEW OF AN AUDIT SCOPE FROM D4.3 [11]
FIGURE 5. ROLE OF THE ASSESSMENT IN THE EMERALD FRAMEWORK
FIGURE 6. THE PROTOTYPE ARCHITECTURE OF THE ASSESSMENT
FIGURE 7. EXAMPLE OF A REGO POLICY [13]
FIGURE 8. EXAMPLE OF A REGO CONFIGURATION [13]
FIGURE 9. EXAMPLE OF AN EVIDENCE [13]
FIGURE 10. ROLE OF THE EVIDENCE STORE IN THE EMERALD FRAMEWORK
FIGURE 11. THE PROTOTYPE ARCHITECTURE OF THE EVIDENCE STORE
FIGURE 12. DIGITAL MOCK-UP FOR A RESOURCE GRAPH (D4.3 [11])
FIGURE 13. FITTING MARI WITH OTHER COMPONENTS IN EMERALD ARCHITECTURE
FIGURE 14. OVERVIEW OF THE MARI ARCHITECTURE AND INTERACTIONS
FIGURE 15. DETAILED ARCHITECTURE OF MARI COMPONENT
FIGURE 16. OUTPUT FILE PREVIEW OF THE ASSOCIATIONS BETWEEN CONTROLS AND METRICS
FIGURE 17. MARI - OVERVIEW OF CONTROLS AND MAPPED METRICS (D4.3 [11])
FIGURE 18. MARI - MAPPING CONTROLS FROM EUCS TO BSI C5 (D4.3 [11])
FIGURE 19. ROLE OF THE EVALUATION IN THE EMERALD FRAMEWORK
FIGURE 20. THE PROTOTYPE ARCHITECTURE OF THE EVALUATION COMPONENT
FIGURE 21. FITTING OF THE RCM WITH OTHER COMPONENTS IN THE EMERALD ARCHITECTURE
FIGURE 22. ARCHITECTURE OF THE REPOSITORY OF CONTROLS AND METRICS (RCM)
FIGURE 23. REPOSITORY COMPONENTS (GREEN BOXES) AND AUXILIARY ELEMENTS
FIGURE 24. HOME PAGE OF THE EMERALD FRAMEWORK (D4.3 [11])
FIGURE 25. LIST OF SCHEMAS PAGE (D4.3 [11])
FIGURE 26. UPLOAD NEW SCHEME PAGE (D4.3 [11])
FIGURE 27. BROWSE SCHEME (EUCS CATEGORIES) (D4.3 [11])
FIGURE 28. BROWSE SUB-CATEGORIES OF THE EUCS SCHEME (D4.3 [11])
FIGURE 29. CONTROLS OF AN EUCS SCHEME CATEGORY (D4.3 [11])
FIGURE 30. FITTING OF THE TWS WITH OTHER COMPONENTS IN EMERALD ARCHITECTURE
FIGURE 31. TWS ARCHITECTURE
FIGURE 32. TWS DATA MODEL
FIGURE 33. TWS BLOCKCHAIN VIEWER ARCHITECTURE
FIGURE 34. TWS BLOCKCHAIN VIEWER DASHBOARD FOR ADMINISTRATORS
FIGURE 35. TWS BLOCKCHAIN VIEWER DASHBOARD FOR ASSESSMENT COMPONENTS
FIGURE 36. TWS SET-UP (D4.3 [11])
FIGURE 37. CORRECT INTEGRITY VERIFICATION
FIGURE 38. INCORRECT INTEGRITY VERIFICATION
FIGURE 39. INTEGRITY VERIFICATION DETAILS (D4.3 [11])
Terms and Abbreviations
AI: Artificial Intelligence
AI-SEC: AI Security Evidence Collector
API: Application Programming Interface
CaaS: Certification-as-a-Service
CI/CD: Continuous Integration / Continuous Development
CLI: Command Line Interface
CRUD: Create, Read, Update and Delete
CSV: Comma-Separated Values
DB: Database
DoA: Description of Action
EAP: Early Adopters Programme
EBSI: European Blockchain Service Infrastructure
EC: European Blockchain Services Infrastructure
EUCS: European Cybersecurity Certification Scheme for Cloud Services
EVM: Ethereum Virtual Machine
gRPC: Google Remote Procedure Call
GUI: Graphical User Interface
JPA: Java Persistence API
JWT: Java Web Token
KPI: Key Performance Indicator
KR: Key Result
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IP: Internet Protocol
MARI: Mapping Assistant for Regulations with Intelligence
NDCG: Normalised Discounted Cumulative Gain
MVC: Model, View, Controller
NLP: Natural Language Processing
OPA: Open Policy Agent
OSCAL: Open Security Controls Assessment Language
OSS: Open-Source Software
Protobuf: Protocol Buffers
RBAC: Role-Based Access Control
RCM: Repository of Controls and Metrics
Rego: Policy query language for OPA
REST: Representational State Transfer
SDLC: Software Development Life Cycle
SQL: Structured Query Language
SSI: Self-Sovereign Identity System
TWS: Trustworthiness System
UI: User Interface
URL: Uniform Resource Locator
WSGI: Web Server Gateway Interface
Executive Summary

This deliverable, the first version of Evidence Assessment and Certification – Implementation, provides an initial report on the implementation details of the WP3 components within the EMERALD framework. The goal of WP3 is to serve as the central integration point for evidence collection and knowledge extraction tools, contributing to the development of a Certification-as-a-Service (CaaS) framework for continuous certification of harmonized cybersecurity schemes by assessing the provided evidence to make appropriate certificate decisions. In particular, WP3 and its deliverables address the key results CERTGRAPH (KR2) by implementing the evidence store as a graph database, OPTIMA (KR3) by providing the optimal set of metrics for a given control of a security scheme, MULTICERT (KR4) by providing certification decision for multiple schemes, and INTEROP (KR7) by providing an interoperability layer for trustworthy systems, assessment results, and catalogue data. These key results are measured using the key performance indicators (KPIs) defined in the Description of Action (DoA) [1], which are outlined below.

WP3 enables continuous certification decisions based on a constantly changing certification target. This deliverable informs about the development and implementation of WP3 components, including the Clouditor-Orchestrator, Clouditor-Assessment, Clouditor-Evidence Store, Clouditor-Evaluation, Mapping Assistant for Regulations with Intelligence (MARI), Repository of Controls and Metrics (RCM), and Trustworthiness System (TWS).

We first demonstrate the place of the WP3 components in the EMERALD framework. To do this, we show an overview of all components, in which both the languages used, and the connection protocols are visualized. Finally, the main part of this document delves into each component's implementation, delivery, usage, and associated documentation.

Providing certificate decisions by meeting the ambitious objectives set in EMERALD requires various tools to work cohesively together: assessing evidence coming from the WP2 evidence collection tools (KPI 4.1); storing evidence in a graph-based database to enable sophisticated assessment of evidence distributed across various layers of a cloud service (KPI 2.1); the RCM component to store catalogues and metrics in an interoperable way (KPIs 7.1 and 7.2), the MARI component to provide metrics that are suitable for a given (set of) security schemes (KPIs 3.1 and 3.2), and the TWS component to improve the auditor's trust in the evidence (KPIs 7.1 and 7.2). To implement these components in a manner that ensures cohesive operation, they must be carefully designed and integrated. The main contributions of this deliverable to the project are therefore to focus on the implementation details of each WP3 component, ensuring that they are effectively realized within the whole framework.

The structure of the WP3 deliverables closely resembles the software development life cycle (SDLC) approach. After the first WP3 deliverable (D3.1 “Evidence Assessment and Certification – Concepts-v1” M09 [2]), this deliverable describes the initial implementation (D3.3 “Evidence Assessment and Certification – Implementation-v1” M12) and outlines the next steps, which include further integration (D3.5 [3]). This cycle is then repeated with the final versions of concepts (D3.2 [4]), implementation (D3.4 [5]), and integration (D3.6 [6]), ensuring continuous improvement and refinement of the components (also considering changes occurring in other work packages).
Figure 3. The prototype architecture of the Orchestrator

3.1.2.1.1 Components description
The architecture of the Orchestrator includes several key elements and functionalities:
• Clouditor's REST Gateway and Authorization: The Orchestrator uses Clouditor's REST Gateway to allow REST calls from components not able to communicate via gRPC. This ensures compatibility and flexibility in communication protocols. Additionally, the Orchestrator leverages Clouditor's Authorization implementation to provide state-of-the-art authentication mechanisms, such as OAuth2, which is used in EMERALD.
• Functionalities:
a. Assessment Results: Responsible for handling assessment results, e.g. coming from the Assessment component. It provides CRUD (Create, Read, Update, Delete) operations for assessment results.
b. Audit Scope: Manages CRUD operations for audit scopes (previously known as target of evaluation), which define a (part of a) cloud service and the (parts of) the respective certification schemes to check against.
c. Catalogues: Handles general CRUD operations for catalogues as well as more specific ones, such as retrieving a specific control of a catalogue. In the context of EMERALD, this functionality is mainly used to get catalogues from the Repository of Controls and Metrics (RCM).
d. Certificates: Manages CRUD operations for certificates against which a certification target is checked, including state history. It also offers an operation to list all current certifications without state history.
e. Certification Target: Manages CRUD operations for certification targets (previously known as cloud services).

f. Metrics: Manages CRUD operations for metrics (and metric configurations), such as loading metrics locally or via network. In the context of EMERALD, metrics are received from the RCM.
g. Compliance: Based on evaluation results provided by the Clouditor-Evaluation, this module provides the final certificate decision.
h. Orchestrator: The main class that can instantiate an Orchestrator instance capable of running the operations described above.

3.1.2.2 Technical specifications
The Clouditor-Orchestrator is implemented using Go, providing efficient concurrency support and ease of deployment in microservice architectures. The main communication protocols used are REST and gRPC, ensuring high-performance interaction with other components.
• Programming Language: Go
• Communication Protocols: REST API and gRPC (including Protobuf)
• Postgres database for storing Assessment Results and Evaluation Results
• Security: OAuth and Role-Based Access

3.2 Delivery and usage
This section describes the information needed for the installation and use of the Orchestrator. Besides, it also details the licensing information and related packages and repositories.

3.2.1 Package information
Table 2 shows the Orchestrator-relevant package structure in the Clouditor repository and Table 3 shows the package structure in the EMERALD framework, where the Orchestrator parts of the Clouditor tool are used as dependencies.

Table 2. Package structure of Clouditor with Orchestrator-relevant parts

| Folder | Description |
|---|---|
| api/orchestrator/ | This folder contains code needed for the communication with this component. It mainly consists of auto-generated Protobuf and gRPC files. |
| cli/commands/service/orchestrator | This folder contains the Clouditor CLI based source code files |
| cmd/orchestrator/ | This folder contains the main file. |
| openapi/orchestrator/ | This folder contains the auto-generated OpenAPI files of the Orchestrator. |
| rest/ | This folder contains the REST gateway implementation. |
| service/orchestrator/ | This folder contains the source code of the Orchestrator microservice. |

Table 3. Package structure of the Orchestrator used in EMERALD

| Folder | Description |
|---|---|
| modules/ | This folder contains the source code for the EMERALD-specific parts of the Orchestrator, e.g. the Compliance module for making certificate decisions. |
| cmd/orchestrator | This folder contains the main file. |
| ./ (Root directory) | Beside the folders mentioned above, the root directory also contains a workflow file needed for continuous integration and deployment (.gitlab-ci.yml), a README file, a Go file for launching the EMERALD Orchestrator and Go module files for handling dependencies (go.mod and go.sum). |

3.2.2 Installation
In EMERALD, we use GitLab’s CI/CD pipeline for continuous integration and deployment. For this purpose, there is a workflow file at each component's root level (.gitlab-ci.yml).
For running the Orchestrator locally, there is a Dockerfile (“Dockerfile”) located at the component's root level. For building and running the Orchestrator, use the following commands:

    docker build -t clouditor-orchestrator .
    docker run -d -p 8080:8080 clouditor-orchestrator

3.2.3 Instructions for use
Within the EMERALD project, the EMERALD UI is used to access and manage the workflow in the framework. In the case of the Orchestrator, the UI interacts with it by using the component's API endpoints, e.g. to list certification targets.
Currently, the EMERALD UI is work in progress, but some clickable mock-ups have been designed in D4.3 [11], e.g. the audit scope overview in Figure 4.

Figure 4. View of an audit scope from D4.3 [11]

3.2.4 Licensing information
The Clouditor-Orchestrator is offered under Apache 2.0 license. The license files and more detailed information can be found in the GitLab repository.

3.2.5 Download
The Clouditor source code can be found in the Clouditor GitHub repository (footnote 4). The development of the Orchestrator can be found in the public EMERALD GitLab repository (footnote 5).

Footnote 4: https://github.com/clouditor/clouditor
Footnote 5: https://git.code.tecnalia.com/emerald/public/components/orchestrator

4 Clouditor-Assessment
The Clouditor-Assessment (in the following Assessment) component is responsible for evaluating evidence based on predefined metrics within the EMERALD framework. In the following, we provide information about the implementation as well as the delivery and usage of this component.

4.1 Implementation
The Assessment component is based on the respective microservice of Clouditor and was already used in MEDINA [9]. It will be further developed in EMERALD to handle multiple pieces of evidence that reflect resources on different layers.

4.1.1 Functional description
The Assessment is responsible for assessing evidence based on predefined metrics within the EMERALD framework. It processes the collected evidence to determine compliance with specific security requirements. The assessment results generated by this component are inspired by but decoupled from the actual controls of security catalogues. These results are then used by the Clouditor-Evaluation component (described in Section 7) to determine compliance with the relevant controls.
The Assessment evaluates evidence collected from various sources, ensuring that the evidence meets the predefined metrics necessary for compliance. This component operates within the broader context of the EMERALD framework, where it plays a critical role in the certification process.
The motivation behind the Assessment is to automate the evaluation of compliance, reducing manual effort and increasing the accuracy of assessments. By providing a systematic approach to evidence assessment, it ensures consistent and reliable results.
The main innovations of the Assessment component include:
• Automated Assessment: Utilizes predefined metrics to automatically evaluate evidence, streamlining the certification process.
• Scalability: Capable of handling multiple pieces of evidence that reflect resources on different layers, providing a comprehensive assessment.
• Interoperability: Integrates seamlessly with other components of the EMERALD framework, ensuring efficient data exchange and processing.
Table 4 outlines the functional requirements satisfied by the current version of the Assessment, as documented in D3.1 [2], and updates the status of their implementation in the current prototype in M12.
Table 4. Assessment functional requirements

| Req. ID | Description | Priority | Milestone | Progress |
|---|---|---|---|---|
| ASSESS.01 | Assessment based on evidence: The assessment should assess evidence based on the knowledge graph. | Must | MS6 (M30) | 15% |
| ASSESS.02 | Assessment rules for 80% of the defined metrics: Assessment rules must exist for 80% of the metrics defined in KP4.1. | Must | MS6 (M30) | 15% |
| ASSESS.03 | Display cause of assessment result: We want to know why an assessment result fails or passes. | Must | MS6 (M30) | 0% |
4.1.1.1 Fitting into overall EMERALD Architecture
The connection of the Assessment to other components in the EMERALD framework can be seen in Figure 5. Initially, the Assessment receives the metrics which include the rules for assessing evidence. These metrics originate from the RCM but are transferred via the central Orchestration component.
Evidence collected from the various collectors is sent to and stored in the Evidence Store. The Evidence Store then forwards this evidence to the Assessment component. Here the evidence (single ones or combined around different layers) is assessed using the metrics the Assessment received in the beginning.
Then both the evidence as well as the assessment results are sent to the TWS to ensure integrity and, therefore, enhance the trustworthiness of the whole process. The assessment results are also sent to the Orchestrator which first stores them in a database. The Orchestrator can then use the respective assessment results to evaluate these (using the Evaluation component) and, in the end, to make the final certificate decision.
Figure 5. Role of the Assessment in the EMERALD framework
4.1.2 Technical description
The technical description of the Assessment provides an in-depth look at its architecture, components, and technical specifications. This section outlines the structure of the Assessment component, as well as the specific technologies and methods used in its implementation. The following subsections detail the prototype architecture, components, and technical specifications.
4.1.2.1 Prototype architecture
The architecture of the Assessment component is shown in Figure 6. It comprises the core component (assessment.go in the code structure) which is mainly responsible for providing and handling API requests as well as for instantiating an assessment component. For assessing incoming evidence, the Assessment leverages the Clouditor-internal library Policies which applies predefined rules to get an assessment result.
Figure 6. The prototype architecture of the Assessment
4.1.2.1.1 Components description
The Assessment is mainly composed of the following components:
• Clouditor's REST Gateway and Authorization: The Assessment uses Clouditor's REST Gateway to allow REST calls for components not able to communicate via gRPC. This ensures compatibility and flexibility in communication protocols. Additionally, the Orchestrator leverages Clouditor's Authorization implementation to provide state-of-the-art authentication mechanisms, such as OAuth2, which is used in EMERALD.
• The Core (assessment.go):
  o Function NewService for instantiating a new assessment.
  o Metric-corresponding methods (e.g. MetricConfiguration) that implement the MetricsSource interface to define where metric information is coming from. In the case of EMERALD, information about metrics is obtained from the Orchestrator (but originated from the RCM).
  o API-corresponding functions that implement the assessment service interface (for all relevant API endpoints see below), e.g. AssessEvidences that opens a stream to receive multiple instances in one connection. When assessment results are created, they are forwarded to the Orchestrator component and, together with evidence, to the TWS to ensure that the data is not tampered with in the future.
• Policies:
  o Used by the Core (in AssessEvidence and AssessEvidences) to assess incoming evidence with pre-defined metrics (i.e. rules). The assessment initially loads the metrics from the Orchestrator.
  o Currently, we use the OPA policy engine to assess the evidence via the metrics that are written in the OPA policy language Rego. Since we are planning to move to a graph-based evidence structure (see Evidence Store in Section 5), we will also consider alternative approaches that may fit better the requirement to assess multiple evidence located in different layers (layers are, e.g., code, configuration and documents). Note that the evidence structure is defined by the ontology [12]. The Rego rules must be aligned with the ontology to work correctly. A concise example is given below.
In the following, all API endpoints are listed accompanied by a short explanation (all API endpoints are defined in the Clouditor repository⁶):
• AssessEvidence: Assesses the pieces of evidence included in the AssessEvidenceRequest. This endpoint is exposed via gRPC as well as REST.
• AssessEvidences: Assesses a stream of evidence by opening a continued connection with the component that calls this endpoint. Because the connecting component does not have to open a new connection for each single evidence, multiple evidence can be assessed much faster. In particular, in the case of EMERALD, this can result in a major boost because complex distributed systems can lead to thousands of pieces of evidence that have to be assessed (e.g. when checking configurations of cloud systems). This endpoint is only served via gRPC and not via REST.
Example of the usage of Rego
Generally, using Rego comprises an input (here: evidence), a rule (policy) that is applied on the input, and a configuration to set custom values for the rule⁷. In the following, we show a simple example of MEDINA, for further reference see D3.5 of MEDINA [13].
Figure 7 depicts a simple Rego policy which checks the encryption algorithm used in an at-rest encryption (e.g. a block storage in a cloud). Figure 8 shows the configuration stating that the encryption algorithm should be at least 256 bits. Figure 9 shows an exemplary snippet of an evidence (configuration of a block storage).
Figure 7. Example of a Rego policy [13]
Figure 8. Example of a Rego configuration [13]
Figure 9. Example of an evidence [13]
⁶ https://github.com/clouditor/clouditor/blob/main/api/assessment/assessment.proto
⁷ https://www.openpolicyagent.org/docs/latest/
In this example, the block storage has enabled encryption at rest and set the algorithm to have 256 bytes. Because the Rego policy and the configuration have defined that the evidence has to have at least 256 bytes, the assessment succeeds and outputs that this evidence is compliant (compliant is set to true).
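The input / rule / configuration split described above, as an added Python sketch that is not the Rego policy from Figures 7 to 9 and not Clouditor code. The field names (`atRestEncryption.enabled`, `atRestEncryption.keyLength`), the metric ID and the operator set are assumptions made for illustration; the evidence samples are constructed. Missing or malformed evidence fails closed, and every result carries the cause that ASSESS.03 asks for.

```python
import operator

# Operators a metric configuration may name (assumed set, not Clouditor's list).
OPERATORS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


def lookup(evidence, dotted_path):
    """Walk a dotted path through nested evidence; return (found, value)."""
    node = evidence
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def assess(evidence, rule, config):
    """Apply one rule to one piece of evidence with the configured target value.

    Returns a dict with 'applicable', 'compliant' and a readable 'cause'.
    Anything missing or malformed in the evidence is treated as non-compliant.
    """
    result = {"resource_id": evidence.get("id"), "metric_id": rule["metric_id"],
              "applicable": True, "compliant": False, "cause": ""}
    if config["operator"] not in OPERATORS:
        raise ValueError(f"unsupported operator: {config['operator']!r}")
    if evidence.get("type") not in rule["applies_to"]:
        result.update(applicable=False,
                      cause="rule does not apply to this resource type")
        return result
    found, enabled = lookup(evidence, rule["enabled_path"])
    if not found or enabled is not True:
        result["cause"] = f"{rule['enabled_path']} is missing or not true"
        return result
    found, value = lookup(evidence, rule["value_path"])
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not found or isinstance(value, bool) or not isinstance(value, int):
        result["cause"] = f"{rule['value_path']} is missing or not an integer"
        return result
    compare = OPERATORS[config["operator"]]
    result["compliant"] = compare(value, config["target_value"])
    result["cause"] = (f"{rule['value_path']}={value} {config['operator']} "
                       f"{config['target_value']} is {result['compliant']}")
    return result


# Rule (policy): which evidence fields are checked. All names are hypothetical.
RULE = {"metric_id": "ExampleAtRestEncryptionStrength",
        "applies_to": {"BlockStorage"},
        "enabled_path": "atRestEncryption.enabled",
        "value_path": "atRestEncryption.keyLength"}
# Configuration: the custom operator and target value for the rule.
CONFIG = {"operator": ">=", "target_value": 256}

# Constructed evidence samples.
EVIDENCE_OK = {"id": "constructed-volume-1", "type": "BlockStorage",
               "atRestEncryption": {"enabled": True, "keyLength": 256}}
EVIDENCE_WEAK = {"id": "constructed-volume-2", "type": "BlockStorage",
                 "atRestEncryption": {"enabled": True, "keyLength": 128}}
EVIDENCE_INCOMPLETE = {"id": "constructed-volume-3", "type": "BlockStorage",
                       "atRestEncryption": {"enabled": True}}
EVIDENCE_OTHER = {"id": "constructed-vm-1", "type": "VirtualMachine"}

if __name__ == "__main__":
    for ev in (EVIDENCE_OK, EVIDENCE_WEAK, EVIDENCE_INCOMPLETE, EVIDENCE_OTHER):
        print(assess(ev, RULE, CONFIG))
```
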
4.1.2.2 Technical specifications
The Clouditor-Assessment is implemented using Go, providing efficient concurrency support and ease of deployment in microservice architectures. The main communication protocols used are REST and gRPC, ensuring high-performance interaction with other components.
• Programming Language: Go
• Communication Protocols: REST API and gRPC (including Protobuf)
• Security: OAuth and Role-Based Access
4.2 Delivery and usage
This section describes the information needed for the installation and use of the Assessment. Besides, it also details the licensing information and related packages and repositories.
4.2.1 Package information
Table 5 shows the Assessment-relevant package structure in the Clouditor repository and Table 6 shows the package structure in the EMERALD framework, where the Assessment parts of Clouditor are used as dependencies.
Table 5. Assessment package structure

| Folder | Description |
|---|---|
| api/assessment/ | This folder contains code needed for the communication with this component. It mainly consists of auto-generated Protobuf and gRPC files. |
| api/ontology | This folder contains the ontology objects (evidence format) defined in certification graph in WP2. |
| cli/commands/service/assessment | This folder contains the Clouditor CLI based source code files. |
| cmd/assessment/ | This folder contains the main file. |
| openapi/assessment/ | This folder contains the auto-generated OpenAPI files of the Assessment. |
| policies/ | This folder contains the Go implementation for using the OPA engine and, therefore, Rego rules. It will also contain the Rego policy files per metric. |
| rest/ | This folder contains the REST gateway implementation. |
| service/assessment/ | This folder contains the source code of the Assessment microservice. |

Table 6. Assessment package structure in the EMERALD framework

| Folder | Description |
|---|---|
| cmd/emerald-assessment | This folder contains the main file. |
| ./ (Root directory) | Beside the folders mentioned above, the root directory also contains a workflow file needed for continuous integration and deployment (.gitlab-ci.yml), a README file, a Go file for launching the EMERALD Assessment and Go module files for handling dependencies (go.mod and go.sum). |
4.2.2 Installation
In EMERALD, we use GitLab's CI/CD pipeline for continuous integration and deployment. For this purpose, there is a workflow file at each component's root level (.gitlab-ci.yml).
For running the Assessment locally, there is a Dockerfile ("Dockerfile") located at the component's root level. For building and running the component, use the following commands:
    docker build -t clouditor-assessment .
    docker run -d -p 8080:8080 clouditor-assessment
4.2.3 Instructions for use
The Assessment is only used by internal components and is not exposed via the EMERALD UI. Information regarding the Assessment (e.g. metrics and assessment results) is transferred via the Orchestrator.
To use the Assessment, run the Docker image and set the variable to the URL where the assessment results are sent to (in EMERALD, this is the URL of the Orchestrator). When the Assessment is running, it can receive metrics and metric configurations (in EMERALD this is done by the Orchestrator in the beginning). Now, the assessment is ready and evidence can be sent to it which will be assessed and the results sent to the URL which was set in the beginning.
4.2.4 Licensing information
The Assessment is offered under Apache 2.0 license. The license files and more detailed information can be found in the GitLab repository.
4.2.5 Download
The source code of the Assessment in the Clouditor toolbox can be found in the Clouditor GitHub repository⁸. The implementation of the Assessment component in EMERALD can be found in the public EMERALD GitLab repository⁹.
⁸ https://github.com/clouditor/clouditor
⁹ https://git.code.tecnalia.com/emerald/public/components/assessment
6 Mapping Assistant for Regulations with Intelligence (MARI)
MARI is an intelligent system capable of selecting the optimal set of metrics to associate with one or more certification schemes. The metrics can be measured to evaluate the cloud system's compliance with the certification scheme. Another main feature of MARI is the ability to associate controls from different certification schemes.
The MARI component is based on the Metric Recommender¹³ tool developed in MEDINA [19].
6.1 Implementation
The objective of MARI is to experiment with Deep Learning and NLP tools for automatic associations between:
• a security control and one or more security metrics;
• security controls coming from different certification schemes.
6.1.1 Functional description
Data input for MARI are the controls and metrics stored in the Repository of Controls and Metrics (described in Section 8). After selecting a set of controls and metrics, MARI starts the elaboration of the association either between controls or between a control and one or more metrics. The results are visualised in the EMERALD UI.
Table 10 shows a collection of functional requirements (from deliverable D1.3 [20]) related to the component, together with a description of how and to what extent these requirements are implemented at time of writing.
Table 10. MARI functional requirements.

| Req. ID | Description | Priority | Milestone | Progress |
|---|---|---|---|---|
| MARI.01 | AI-based: MARI is a tool based on state-of-the-art artificial intelligence, e.g., uses a transformer-based architecture | Must | MS6 (M30) | 100% |
| MARI.02 | Automatic association: MARI takes as input cloud security controls written in natural language, metrics that validate those controls, again written in natural language, and automatically returns as output the association control/metric(s) and the association control/control. | Must | MS6 (M30) | 50% |
| MARI.03 | Performance Evaluation: The performance of MARI should improve on the performance of the Metric Recommender of EMERALD's predecessor project, MEDINA. We can assume that we measure the performance of MARI with the same metrics used for the Metric Recommender, namely precision@k and NDCG (Normalised Discounted Cumulative Gain). | Must | MS6 (M30) | 70% |
| MARI.04 | Usage and Visualization: MARI should be invoked through EMERALD's built-in interface, and MARI results can be visualized through the same interface. | Must | MS6 (M30) | 15% |
| MARI.05 | Strategies: MARI can act according to specific strategies, such as considering only technical controls, or organizational controls, or controls of a certain category, or controls whose implementation costs less in terms of human resources, etc. The strategies will be defined during the project. | Must | MS6 (M30) | 15% |

¹³ https://git.code.tecnalia.com/medina/public/nl2cnl-translator
Regarding innovation, in contrast to its predecessor, the MEDINA Metric Recommender [19], MARI will support a wide range of controls from multiple certification schemes. A key enhancement is MARI's ability to automatically map controls across different certification schemes, a task that previously required manual effort in the MEDINA project. Users will also have the option to define specific strategies for associating metrics with controls and for mapping controls to each other. Additionally, AI-based tools utilising transformer-based architectures are employed, enhancing both the performance and accuracy of metric-to-control associations compared to the original Metric Recommender.
To evaluate the performance, the metric we consider at the time of writing is the NDCG¹⁴. Experimenting with the approach based on sentence transformers, with 70 requirements and 162 metrics considered, we obtained NDCG@10 = 0.640, improving the performance of the MEDINA Metric Recommender by 0.146 points.
6.1.1.1 Fitting into overall EMERALD Architecture
Figure 13 shows the integration of MARI within the overall EMERALD architecture. MARI is expected to interact with the Repository of Controls and Metrics, which is its main source of data since it contains the controls and the metrics descriptions and the metadata. Moreover, MARI interacts also with the EMERALD UI, through which it is possible to visualize the associations. It is important to note that the interactions with other components have not yet been defined in detail. We therefore expect that there may be changes, and the next version of this deliverable (D3.4 [5]), due in month 24, will detail MARI's interactions with other components.
Figure 13. Fitting MARI with other components in EMERALD architecture
6.1.2 Technical description
The MARI component is written in Python 3.10.12 and organized as a Python notebook, an interactive computational environment that helps to manipulate and analyse data using Python. It contains all the content from a web application session, including computation inputs and outputs, mathematical functions, images, and explanatory text, making work more transparent, understandable, and reproducible.
¹⁴ https://towardsdatascience.com/evaluation-metrics-for-recommendation-systems-an-overview-71290690ecba
Figure 14 shows the expected architecture of MARI, as well as the interactions with the RCM and EMERALD UI components. We remind the reader that this is a draft of the architecture and interactions, and changes may apply during the project lifetime due to better arrangements.
Figure 14. Overview of the MARI architecture and interactions
The MARI modules are organized into two components according to the functionalities they offer:
• API Server: It serves as the API interface for various EMERALD components, facilitating communication and interaction. In addition to this role, it also plays a crucial part in coordinating all operations and managing the connections with other components, ensuring seamless integration and functionality across the system.
• MARI: Given one control and a set of metrics, it provides the association between the control and related metrics. Given two certification schemes (1 and 2), it provides the association between one control from scheme 1 and one control from scheme 2, if any.
6.1.2.1 Prototype architecture
The architecture of MARI includes subcomponents that map controls to metrics (and controls to controls). As the evaluation process analyses this information, it generates tailored recommendations. The output is represented by the controls and associated metrics (and the controls and associated controls). For each control, all of the most relevant metrics (controls) are displayed, in descending order. Arrows in the diagram indicate the flow of information, showing how data moves to the analytical component and ultimately to the output. Figure 15 shows one use case: the controls-metrics association.
Figure 15. Detailed architecture of MARI component
Controls and metrics are stored in two separate CSV files. Both files are processed using the model multi-qa-mpnet-base-dot-v1, which generates embeddings for all the items. The cosine_similarity function from the scikit-learn library creates associations for each control. The resulting associations are ranked by relevance and saved in a CSV file. The first column contains the ID of the control, while the subsequent columns list the associated metrics, ordered by their relevance. In the near future, we will also experiment with the control-control associations.
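The ranking pipeline described above, together with the NDCG@k measure used to evaluate it in Section 6.1.1, as an added example that is not the code from code.ipynb. To run offline it swaps the sentence-transformer embeddings for plain bag-of-words term counts; the cosine ranking, the CSV row layout (control ID followed by metrics in descending relevance) and the NDCG computation follow the text. All control and metric texts, IDs and the ground truth are constructed.

```python
import csv
import io
import math
import re
from collections import Counter


def embed(text):
    """Stand-in embedding: term counts (the page uses a sentence transformer)."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a, b):
    """Cosine similarity of two sparse term-count vectors."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def rank_metrics(control_text, metrics, top_k):
    """Metric IDs ordered by descending similarity; ties are broken by ID."""
    control_vec = embed(control_text)
    scored = [(cosine(control_vec, embed(text)), mid)
              for mid, text in metrics.items()]
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [mid for _, mid in scored[:top_k]]


def recommendations_csv(controls, metrics, top_k):
    """One row per control: control ID, then its metrics ordered by relevance."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for cid, text in controls.items():
        writer.writerow([cid] + rank_metrics(text, metrics, top_k))
    return buf.getvalue()


def ndcg_at_k(ranked_ids, relevant_ids, k):
    """NDCG@k with binary relevance: DCG of the ranking over the ideal DCG."""
    dcg = sum(1.0 / math.log2(pos + 2)
              for pos, mid in enumerate(ranked_ids[:k]) if mid in relevant_ids)
    ideal = sum(1.0 / math.log2(pos + 2)
                for pos in range(min(k, len(relevant_ids))))
    return dcg / ideal if ideal else 0.0


def mean_ndcg(controls, metrics, ground_truth, k):
    """Average NDCG@k over all controls that have a ground-truth entry."""
    scores = [ndcg_at_k(rank_metrics(text, metrics, k), ground_truth[cid], k)
              for cid, text in controls.items() if cid in ground_truth]
    return sum(scores) / len(scores) if scores else 0.0


# Constructed sample data (not taken from the EMERALD dataset).
METRICS = {
    "M1": "encryption at rest enabled for block storage",
    "M2": "transport encryption uses tls version 1.2 or higher",
    "M3": "multi factor authentication enabled for administrator accounts",
    "M4": "logging enabled for storage access",
}
CONTROLS = {
    "C1": "data stored in block storage is protected by encryption at rest",
    "C2": "administrator accounts require multi factor authentication",
}
# Constructed expert judgement of which metrics belong to which control.
GROUND_TRUTH = {"C1": {"M1", "M2"}, "C2": {"M3"}}

if __name__ == "__main__":
    print(recommendations_csv(CONTROLS, METRICS, top_k=3), end="")
    print(f"mean NDCG@3 = {mean_ndcg(CONTROLS, METRICS, GROUND_TRUTH, 3):.3f}")
```

For C1 the lexical stand-in ranks M4 above the relevant M2 because they share the word "storage", which is why NDCG drops below 1; it is the kind of miss a semantic embedding model is meant to reduce.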
6.1.2.2 Technical specifications
The MARI component responsible for creating the associations is developed using Python version 3.10.12. Below is a selection of the main libraries utilised in the project. A complete list of all dependencies can be accessed through the GitLab repository.
• pandas
• sentence-transformers → multi-qa-mpnet-base-dot-v1
• sklearn
• numpy
• matplotlib
The multi-qa-mpnet-base-dot-v1 model is a sentence transformer designed for semantic search tasks, mapping sentences and paragraphs to a 768-dimensional dense vector space. It was trained on 215 million question-answer pairs from diverse sources such as WikiAnswers, Stack Exchange, MS MARCO, and more. The model intends to encode both queries and passages for efficient retrieval of relevant documents in a dense vector space. For longer texts, truncation occurs, which may affect accuracy, but this is not our case since the text of the metrics and controls does not reach long dimensions¹⁵.
At the time of writing, MARI's developers are experimenting with the following sentence transformer models:
• all-mpnet-base-v2¹⁶
• multi-qa-mpnet-base-dot-v1¹⁷
• all-distilroberta-v1¹⁸
• all-MiniLM-L12-v2¹⁹
• multi-qa-distilbert-cos-v1²⁰
¹⁵ Hugging Face, multi-qa-distilbert-cos-v1, https://huggingface.co/sentence-transformers/multi-qa-distilbert-cos-v1, 2024. Online; accessed 12 Sep 2024.
¹⁶ Hugging Face, all-mpnet-base-v2, https://huggingface.co/sentence-transformers/all-mpnet-base-v2, 2024. Online; accessed 12 Sep 2024.
¹⁷ Hugging Face, multi-qa-mpnet-base-dot-v1, https://huggingface.co/sentence-transformers/multi-qa-mpnet-base-dot-v1, 2024. Online; accessed 12 Sep 2024.
¹⁸ Hugging Face, all-distilroberta-v1, https://huggingface.co/sentence-transformers/all-distilroberta-v1, 2024. Online; accessed 12 Sep 2024.
¹⁹ Hugging Face, all-MiniLM-L12-v2, https://huggingface.co/sentence-transformers/all-MiniLM-L12-v2, 2024. Online; accessed 12 Sep 2024.
²⁰ Hugging Face, multi-qa-distilbert-cos-v1, https://huggingface.co/sentence-transformers/multi-qa-distilbert-cos-v1, 2024. Online; accessed 12 Sep 2024.
6.2 Delivery and usage
This section describes the information needed for the installation and use of MARI. Besides, it also details the licensing information and related packages and repositories.
6.2.1 Package information
The code in the repository follows the structure outlined in Table 11. There is no Docker configuration or API access in the current version. The code that generates the associations can be run through the Jupyter Notebook file code.ipynb, which takes two CSV files containing metrics and controls as input and returns a file in the same format with the associations between them, using a model based on sentence transformers.
The integration functionalities with the other components, as well as the API and the use of Docker, will be developed in the course of the project.
Table 11. MARI package information

| Folder/file | Description |
|---|---|
| code.ipynb | Jupyter notebook with the code for associating controls and metrics |
| dataset/metrics.csv | CSV file with the metrics data (input) |
| dataset/controls.csv | CSV file with the control data (input) |
| dataset/recommendations.csv | CSV file with association data (output) |
| libraries.txt | List of Python libraries and their versions |
| README.md | Project description and setup instructions |
6.2.2 Installation
The project requires Python 3.10.12, which can be downloaded from the official Python website. The installation can be verified from the terminal by running the following command:
    python --version
The output should confirm that Python 3.10.12 has been correctly installed.
It is often beneficial to create a virtual environment for the project. A virtual environment keeps the project's dependencies isolated from the system's main Python installation. The command is:
    python -m venv myenv
To activate the environment:
For Windows, the command is:
    myenv\Scripts\activate
For macOS or Linux:
    source myenv/bin/activate
The project relies on several Python libraries, all of which are listed in the libraries.txt file. By navigating to the project directory and using the following command, all necessary libraries can be installed with:
    pip install -r libraries.txt
Once the setup is complete, the Jupyter Notebook file "code.ipynb" can be opened. This notebook contains the code required for the associations and can be accessed through Jupyter Notebook or JupyterLab by running the following command:
    jupyter notebook code.ipynb
All these steps are also explained in the readme file of the EMERALD public GitLab repository²¹.
6.2.3 Instructions for use
To use the code in the file code.ipynb, the two CSV files containing the metrics and the controls must be placed in the dataset folder (these files are included in the current version of the code). After this, executing all the cells in the notebook generates the associations. The results are saved in a specific file named recommendations.csv, formatted as shown in Figure 16. This file will contain a list of controls associated with the metrics (Requirement ID and Recommended Metrics), ordered by relevance.
Figure 16. Output file preview of the associations between controls and metrics
Within the EMERALD project, the EMERALD UI is used to access and manage the workflow in the framework. In the case of MARI, the UI interacts with it by using the component's API endpoints. Currently, the EMERALD UI is work in progress, but some clickable mock-ups have been designed in D4.3 [11], e.g. to present the results of the mapping of metrics to controls, as shown in Figure 17, or to present the mapping of controls between two security schemes, as shown in Figure 18.
²¹ https://git.code.tecnalia.com/emerald/public/components/mari
Figure 17. MARI - Overview of controls and mapped metrics (D4.3 [11])
Figure 18. MARI - Mapping controls from EUCS to BSI C5 (D4.3 [11])
6.2.4 Licensing information
The MARI component is open source, under the Apache License 2.0.
6.2.5 Download
The source code can be found in the public EMERALD repository²².
²² https://git.code.tecnalia.com/emerald/public/components/mari
7 Clouditor-Evaluation
The Clouditor-Evaluation component (in the following Evaluation) is responsible for evaluating (multiple) assessment result(s) to show the compliance of specific controls of a security catalogue.
7.1 Implementation
This component is based on the respective microservice of Clouditor. It is inspired by the work that was done in MEDINA [10].
7.1.1 Functional description
For given controls of a security catalogue and assessment results the Evaluation decides if the certification target is compliant with respect to a respective control. The Orchestrator starts the Evaluation component (see API endpoint StartEvaluation in Section 7.1.2.1.1) with information of the Certification Target ID and the Catalogue ID as well as an interval. This information is used to retrieve the respective assessment results and the controls from the Orchestrator and aggregate them into an evaluation result. The evaluation is carried out periodically; the time span depends on the interval that has been set (if not set, the default value of 5 minutes will be used).
Table 12 outlines the functional requirements satisfied by the current version of the Evaluation, as documented in D3.1 [2], and updates the status of their implementation in the current prototype in M12.
Table 12. Evaluation Functional Requirements

| Req. ID | Description | Priority | Milestone | Progress |
|---|---|---|---|---|
| EVAL.01 | Display cause of failing evaluation result: We want to know why the evaluation result fails or passes. Therefore, it should contain a list of assessment results that cause the evaluation status to be non-compliant. | Must | MS6 (M30) | 100% |
| EVAL.02 | Evaluation based on assessment results: The evaluation should assess the result based on all the required assessment results stored in the database. | Must | MS6 (M30) | 100% |
7.1.1.1 Fitting into overall EMERALD Architecture
The only connection of the Evaluation to another component in the EMERALD framework is to the Orchestrator, see Figure 19. Its only purpose is the evaluation of multiple assessment results for a given control. The decoupling from the Orchestrator allows to scale up fast and easy if there is a need for higher performance, e.g. because there are so many assessment results and many controls, we need evaluation for.
problems. Additionally, this approach gets everything ready for the phases of exploitation and sustainability.
The RCM comprises five main sub-components, as illustrated in Figure 22. They are briefly outlined as follows:
• Frontend: This sub-component serves as the RCM's graphical user interface, enabling users to filter the view and choose the specific information they wish to review from the existing schemes (e.g., controls of a certain scheme, metrics related to specific controls, etc). This sub-component will be developed as part of the EMERALD UI and will interact with the backend through the API. The component will also provide a second "internal" frontend, for development and management purposes, that makes it possible to use the RCM alone.
• Backend: This is the central sub-component of the RCM, responsible for implementing the APIs to manage the scheme data based on the user-defined filters via the UI or API calls. In a general microservices architecture, it can consist of multiple specialized applications, each containing a few related entities and business rules.
• Converter Backend, which is dedicated to scheme conversions to/from OSCAL, and other possible import/export functionalities.
• Registry, which is an internal sub-component provided by the framework that facilitates the creation of a microservices architecture component that interconnects the other sub-components and enables their communication.
• Furthermore, data persistence is facilitated by a SQL database (MySQL) connected to the backend.
Figure 22. Architecture of the Repository of Controls and Metrics (RCM)
8.1.2.1.1 Components description
The components of the RCM are detailed in the following paragraphs.
Frontend
It is the graphical user interface of the RCM. Its main purpose is to serve as the interface for the user to interact with the RCM. It will be constructed based on two main foci: (i) the information contained in the RCM, that has to be made available to the user; and (ii) the user needs to work, through the EMERALD workflow, with that information. The result is a set of screens that will serve primarily to present the information contained in the RCM to the user, and a set of commands (menu items or buttons) to produce actions to Create/View/Edit the elements on the screen.

Rega ding he View ac ions, he on end should allow he use s il e ing and o de ing he se o
in o ma ion hey wan o iew. Fo example, con ols om a ce ain amewo k, o me ics
ela ed o a con ol.
Rega ding he C ea e/Edi ac ions, he use is qui e limi ed wi h he RCM, because i s main
objec i e is o s o e exis ing no ms o s anda ds ha , logically, should no be modi ied by he
use . Howe e , some ac ions a e pe mi ed like he c ea ion o pa icula se s o con ols o
c ea e a pe sonalised use -owned schema.
Backend
It is the core sub-component of the Repository. It performs the actual discovery of the data entities like controls, metrics, etc. from the security schemes stored in the database. The backend is a passive sub-component that waits for calls to the API endpoints. Whenever the backend receives a call, it performs the following consecutive steps:
1. Receives the API calls from the Frontend.
2. Transforms the calls into SQL queries.
3. The queries are executed against the MySQL database.
4. The results (if any) are packed into the JSON data schemas.
5. The information is returned to the caller, with a code indicating the success/error of the call.
The possible filters established by the user through the UI/API are translated directly to queries to produce the desired results. The backend makes use of a MySQL database containing the data of the stored schemas and the defined metrics.
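The five backend steps and the filter translation described above, as an added example that is not the RCM's own code (the RCM backend is Java). The table and column names, the constructed sample rows and the use of sqlite3 in place of MySQL are assumptions made so that the example runs offline.

```python
import json
import sqlite3

# Hypothetical table and column names; the RCM's real database schema is not
# shown in this document. sqlite3 stands in for MySQL so the example runs
# offline (pymysql uses %s placeholders where sqlite3 uses ?).
COLUMNS = ("code", "name", "framework", "category", "assurance_level")
FILTERABLE = {"framework", "category", "assurance_level"}
SORTABLE = {"code", "name", "category"}


def build_control_query(filters, order_by="code", descending=False):
    """Translate UI/API filters into one SQL string plus bound parameters."""
    clauses, params = [], []
    for key in sorted(filters):
        if key not in FILTERABLE:
            raise ValueError(f"unsupported filter: {key!r}")
        clauses.append(f"{key} = ?")      # identifier comes from the allow-list
        params.append(str(filters[key]))  # value is only ever bound, never spliced
    if order_by not in SORTABLE:
        # ORDER BY targets cannot be bound as parameters, so they are checked
        # against a fixed set before being placed in the statement.
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT {', '.join(COLUMNS)} FROM controls"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += f" ORDER BY {order_by} {'DESC' if descending else 'ASC'}"
    return sql, params


def handle_request(conn, filters, order_by="code", descending=False):
    """Steps 1-5 of the backend: call -> SQL -> execute -> JSON -> status code."""
    try:
        sql, params = build_control_query(filters, order_by, descending)
    except ValueError as exc:
        return 400, json.dumps({"error": str(exc)})
    rows = conn.execute(sql, params).fetchall()
    return 200, json.dumps([dict(zip(COLUMNS, row)) for row in rows])


def constructed_db():
    """In-memory database with constructed sample rows (not real catalogue data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE controls (code TEXT, name TEXT, framework TEXT, "
        "category TEXT, assurance_level TEXT)"
    )
    conn.executemany(
        "INSERT INTO controls VALUES (?, ?, ?, ?, ?)",
        [
            ("CTRL-02", "Key rotation", "SCHEME-A", "Cryptography", "high"),
            ("CTRL-01", "Access review", "SCHEME-A", "Identity", "basic"),
            ("CTRL-09", "Log retention", "SCHEME-B", "Operations", "basic"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = constructed_db()
    # A normal filter, a filter value containing quote characters, and a sort
    # column that is not on the allow-list.
    print(handle_request(db, {"framework": "SCHEME-A"}))
    print(handle_request(db, {"framework": "SCHEME-A' OR '1'='1"}))
    print(handle_request(db, {}, order_by="assurance_level, name"))
```

The filter value with quote characters is matched literally and returns no rows, while the unlisted sort column is rejected with a 400 before any SQL is executed.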
Converter Backend
This is a new sub-component that deals with conversion facilities, not available in the MEDINA Catalogue, that have been introduced in EMERALD. The Converter Backend mission is to “translate” any scheme stored in the RCM to a standard language. The OSCAL language has been selected as the main conversion language, but conversion from/to CSV files will also be implemented.
The Converter is a stand-alone backend, which will be deployed as a separate container, and is coded in Python language. The operation is typical of a backend: when it receives an export order from the frontend, it will access the database, extract the scheme, apply the conversion logic and provide as output the same information but adapted to the schema of the OSCAL interchange language. When dealing with an import order, the logic will translate the OSCAL/CSV entry into the internal schema of the database and provide as output a new security scheme available in the RCM.
Registry
The Registry in this version is Consul, provided by HashiCorp²⁸. It has to be set up before the rest of the subcomponents, as it stores internal information about the Frontend and Backend and performs checks to control that the whole framework is up and running. It guarantees the security of the RCM component.
²⁸ https://www.consul.io/
8.1.2.2 Technical specifications
On the server side, the Backend and the Registry will use Maven, Spring MVC REST for the API, Spring Data JPA, Netflix OSS²⁹ and Python - Flask REST API³⁰.
The internal Frontend will make use of Angular, Webpack, Yeoman, JavaScript, and Bootstrap technologies on the client side.
The API endpoints of the RCM are briefly described in the following:
• Schema: Retrieves the information about a certification schema (categories, controls, sub-controls, metrics, etc.) as needed. It includes filters to extract only the required data, as well as search functionalities. Exposed as a REST API.
• Mapping: Sets a control mapping among schemes, where controls of two different schemes are considered equivalent and thus linked. It will be called by the MARI component. Exposed as a REST API.
• Import-export: Manages import/export of security schemes in OSCAL. It will accept as import a scheme written in OSCAL, following a pre-defined template that must be defined. The export functionality will provide as output the schema selected by the user from the RCM in the mentioned OSCAL format. Exposed as a REST API.
8.2 Delivery and usage
This section describes the main packages of the RCM. Some instructions for installation and use are presented and the section finishes with information about licencing and download.
8.2.1 Package information
The RCM contains the following main packages:
• The Backend package³¹, responsible for implementing the logic of the RCM and manage the persistence of the data used and generated.
• The Converter package³², responsible for performing the conversions between the different supported catalogue formats.
• The Development Frontend package³³, responsible for provisioning the web interface to use the functionalities of the RCM.
Besides, the RCM requires some additional packages (side services) from state of the practice to fulfil its features (see Figure 23):
• Consul package, responsible for providing the configuration of the RCM main components and enabling the discovery of the backend services from the frontend services.
• MariaDB³⁴ package, responsible for providing the persistence of the data required and generated by the RCM.
• Gateway package, responsible for providing routing of the requests received in the HTTPS port to the frontend package and to the side services. Besides, it is also responsible for providing and maintaining the HTTPS certificates negotiated with online certificate authorities such as let’s encrypt³⁵. For this purpose, RCM uses state of the practice components:
  o Traefik³⁶ in the local development environment.
  o Nginx³⁷ ingress + Certmanager in the integration environment.
• Keycloak³⁸ package, responsible for provisioning of the identification service for the usage of the RCM service.
²⁹ https://www.jhipster.tech/microservices-architecture/
³⁰ https://flask.palletsprojects.com/en/3.0.x/
³¹ https://git.code.tecnalia.com/emerald/public/components/rcm/backend
³² https://git.code.tecnalia.com/emerald/public/components/rcm/converter
³³ https://git.code.tecnalia.com/emerald/public/components/rcm/frontend
³⁴ https://mariadb.com/
Figure 23. Repository components (green boxes) and auxiliary elements
The usage of state of the practice components requires the implementation of configurations components to prepare those generic services with the required information of the RCM:
• mariadb-setup-dbs package, responsible for creating the databases required by the RCM main subcomponents.
• mariadb-setup-db package, responsible for adding the initial information to the databases to have some initial content in the RCM main subcomponents.
• consul-config-loader package, responsible for adding the configuration properties required by the RCM main subcomponents.
• keycloak-setup-realms package, responsible for creating the emerald realm in local development environments.
• keycloak-setup-realm package, responsible for adding the required configuration of the RCM on keycloak.
³⁵ https://letsencrypt.org/
³⁶ https://traefik.io/
³⁷ https://nginx.org/
³⁸ https://www.keycloak.org
The code in charge of starting and configuring these last sets of components (the ones that provide the side services and the ones that configure them) is contained in the composition repositories. The main composition repository is the CaaS Framework³⁹ that will be released later in the project. Besides, in the case of RCM we have a local composition for development purposes⁴⁰. This composition relies on docker compose technology because it is easier to use in an isolated way.
8.2.1.1 Backend
The Backend subcomponent is divided into several subpackages. Being composed of Java classes, each of these subpackages has its main purpose and context within the prototype as a whole. They are the following:
• logging: This package consists of the LoggingAspect.java class that defines the aspect for logging execution of Spring service and repository components.
• client: This package consists of the UserFeignClientInterceptor.java class that implements RequestInterceptor.java. This class checks and adds a JWT token to the request header.
• config: This package contains all the classes related to configuration purposes.
• domain: This package contains data model classes.
• repository: This package contains Spring Data SQL repository classes.
• security: This package contains Spring Security related classes for security management.
• service: This package contains backend services for CRUD operations and other requirements needed.
• web: This package contains classes to expose backend rest end points.
8.2.1.1 Converter
This package, as a REST API developed in Python – Flask, requires the installation of the following packages as dependencies:
• cryptography (v3.3): This package provides cryptographic recipes and primitives.
• Flask (v2.0.0): This package consists of a lightweight application framework to expose the component as a REST API.
• Flask-JWT-Extended (v4.4.1): This package provides JSON Web Tokens support to the previous package.
• jsonschema (v4.21.1): This package allows to validate JSON objects.
• pymysql (v1.1.0): This package is used to manage the internal database.
• python-dateutil (v2.9.0): This package consists of an extension to the basic datetime package.
• pytz (v2024.1): This package allows accurate and cross platform time zone calculations.
• Werkzeug (v2.2.2): This package is a comprehensive WSGI web application library.
8.2.1.2 Development Frontend
The Frontend subcomponent is divided into several subpackages, including web resources and Java packages.
The web is implemented with Angular technology and includes several packages:
• admin: This package includes admin focused features such as health-checks, logs, or metrics.
• config: This package manages the gathering of the config of the frontend to adapt to different environments.
• core: This package includes core functionalities such as authentication management or error managements.
• entities: This package is the most important part as it contains the frontends to manage the resources of the RCM.
• home: This package contains the welcome page related assets.
• layout: This package contains elements to customize the look and feel of the frontend to different environments.
• Login: This package contains login related assets.
• shared: This package contains utility functionalities to be used by the previous elements. It includes functions to manage dates, pagination, language, etc.
The java part provides logic to manage users, roles and access to the RCM backend assets. It is organized in a similar way to the backend.
• logging: This package consists of the LoggingAspect.java class that defines the aspect for logging execution of Spring service and repository components.
• client: This package consists of the UserFeignClientInterceptor.java class that implements RequestInterceptor.java. This class checks and adds a JWT token to the request header.
• config: This package contains all the classes related to configuration purposes.
• domain: This package contains data model classes.
• repository: This package contains Spring Data SQL repository classes.
• security: This package contains Spring Security related classes for security management.
• service: This package contains frontend services for CRUD operations and other requirements needed.
• web: This package contains classes to expose frontend rest end points.
³⁹ https://git.code.tecnalia.com/emerald/public/caas-framework
⁴⁰ https://git.code.tecnalia.com/emerald/public/components/rcm/docker-compose-rcm
8.2.2 Installation
The RCM has been developed to be used in a container-based environment. For the installation we consider two scenarios:
1. Development: This scenario is focussed on the coding and testing of the RCM on the developer side independently from the integration platform status.
2. Integration: This scenario is focussed on the provision of the CaaS Framework as a single solution.
8.2.2.1 Installation in the Development environment
This installation is defined by the use of docker compose technology, which provides several advantages:
• It can be run in the development computer. This reduces the need to acquire and configure external servers saving time and money.
• It allows to instantiate additional packages (MariaDB, keycloak, gateway …) allowing to identify and debug issues that will appear in the integration environment saving time and dependencies.
• It allows to prepare automatic configuration procedures of these additional services saving time during deployment and providing replicability.
• It allows to easily destroy and create the RCM allowing to simulate migration scenarios which are expected to happen during the life of the project.
These are the steps to install and execute the RCM in a development environment:
1) Fulfil these few requirements:
• The computer should have docker and git installed.
• The computer should have a traefik with certificates configured in a custom network called traefik_network
• SERVER_HOST variable pointing to the name of the host that resolves the IP address of the machine. E.g., 192.168.56.5.nip.io
• Alternatively, an ADMIN_PASSWORD variable to overwrite the default ADMIN_PASSWORD specified in the .env.
2) Clone the repository:
git clone --recursive https://git.code.tecnalia.com/emerald/public/components/rcm/docker-compose-rcm
3) Later, to use the docker compose we have several options depending on what we require to do. The first purpose could be to check the RCM using the development frontend.
docker compose up -d
Once docker-compose is successfully deployed, and assuming the following value of SERVER_HOST (192.168.56.5.nip.io), we will be able to access the Repository services at:
https://rcm.192.168.56.5.nip.io Repository
Other services that are deployed to help in the development phase are Consul, MariaDB and keycloak.
https://adminer.192.168.56.5.nip.io MariaDB.
https://consul.192.168.56.5.nip.io Consul.
https://keycloak.192.168.56.5.nip.io keycloak.
8.2.2.2 Installation in the Integration environment
The installation in the integration environment implies the deployment of the CaaS framework, which involves three fundamental steps:
1) To install the development environment there are few requirements:
• Create/acquire a Kubernetes cluster or obtain access to an existing one.
• Get the cloud.yaml to use kubectl
2) Clone the repository:
git clone https://git.code.tecnalia.com/emerald/public/caas-framework
3) Later, use kubectl to start the CaaS framework that includes the RCM.
kustomize build . | envsubst | kubectl apply -f -
Once docker-compose is successfully deployed, and assuming the following value of hostname (project.domain), we will be able to access the Repository services at:
https://rcm.project.domain Repository
Other services that are deployed to help in the development phase are Consul, MariaDB, and keycloak.
https://adminer.project.domain MariaDB
https://consul.project.domain Consul
https://keycloak.project.domain keycloak
8.2.3 Instructions for use
A graphical user interface (GUI) is needed by the repository to access and edit the various entities stored in the database. For every primary entity, a CRUD API (Create/Retrieve/Update/Delete) has been created; however, the activities that may be performed can vary according to the role of the user.
The GUI lets the user interact with the security schemes by letting them utilize buttons, links, and filters, among other graphic components, on different screens. Typical tasks could be, for example, to show the metrics associated with a specific control; to select the controls of a specific category; or to view which controls in a scheme correspond to a particular assurance level.
The GUI that interacts with the RCM will be integrated in the EMERALD UI component. At the time of writing, it has not been yet developed, but some paper mock ups and digital mock ups have been designed in D4.3 [11] that allow access to the functionality of the RCM. This section presents some of the available mock ups, showing the principal interactions with the RCM interface. Most of the screens are dedicated to navigation through a scheme for informative purposes. In the future, specific mock-ups will also be developed to handle the EUCS questionnaire.
The user accesses the RCM by clicking the “Certification Schemes” menu option in the EMERALD home page (see Figure 24).
Figure 24. Home page of the EMERALD framework (D4.3 [11])
When entering the “Certification Schemes” area, a list of all available schemes is presented, as shown in Figure 25.
Figure 25. List of schemas page (D4.3 [11])
When clicking on the “Upload Scheme” button, a window opens that allows to upload a new scheme selecting CSV or OSCAL files (see Figure 26).
Figure 26. Upload new scheme page (D4.3 [11])
When clicking on the scheme title or on the “view” button in Figure 25, the details of the respective scheme are shown, as can be seen in Figure 27. Here, the name, code and description of each category are shown.
Figure 27. Browse scheme (EUCS categories) (D4.3 [11])
When clicking on one of the high-level categories, a sub-list with its sub-categories opens up below, in a hierarchical way, as presented in Figure 28.
Figure 28. Browse sub-categories of the EUCS scheme (D4.3 [11])
• id: This is the internal ID used to identify the assessment component within TWS. It is automatically generated by the Smart Contract based on the authorized user unique Blockchain address.
• owner: This refers to the authorized user Blockchain address who has registered the assessment component. It is automatically obtained by the Smart Contract.
• timestamp: This indicates the timestamp in seconds since the epoch of the assessment component registration process. It is automatically obtained by the Smart Contract.
Once an assessment component is registered, the functionalities for the authorized user are:
• Retrieving the registered assessment component ID.
• Retrieving the associated assessment component owner (authorized user) ID.
• Retrieving the registered assessment component registration timestamp.
• Adding new evidence information following the trustworthy evidence data model shown in Figure 32. This data model is the first version that could be updated as required in the following versions of the TWS.
• Retrieving specific evidence information.
• Retrieving all added evidence IDs associated to a given assessment component.
• Adding new assessment result information following the trustworthy assessment result data model shown in Figure 32. This data model is the first version that could be updated as required in the following versions of the TWS.
• Retrieving specific assessment result information.
• Retrieving all added assessment result IDs associated to a given assessment component.
• Checking the integrity validity of a specific evidence.
• Checking the integrity validity of a specific assessment result.
• Checking the integrity validity of a specific assessment compliance result.
Figure 32. TWS Data model
Events Generation
Every time an operation is executed in the Smart Contracts, a Blockchain-based event is generated to feed the Blockchain viewer. Initially, the events to be generated include (but are not limited to):
• Registration of new administrators.
• Removal of an existing administrator.
• Authorization of a new user in the system.
• De-authorization of an existing authorized user in the system.
• Registration of a new assessment component by its owner (authorized user).
• Registration of new evidence information.
• Registration of new assessment result information.
In this first version, there are no events related to reading/retrieving actions.
Blockchain client
The functionalities of the EMERALD TWS are implemented through Smart Contracts that need to be invoked by a Blockchain client. In the initial version, the main functionalities of the Blockchain client are as follows:
Blockchain Account Management
Each assessment component interacting with the TWS requires a Blockchain account. This account consists of a Blockchain address, which uniquely identifies the user within the Blockchain network, and an associated private key, known only by the assessment component and securely kept. The Blockchain account is securely managed by means of a “wallet” included in the Blockchain client, simplifying user interaction with the Blockchain network.
The functionalities available in the Blockchain client related to Blockchain accounts include:
• Create a new Blockchain account: Automatically generates a new Blockchain address and its associated private key.
• Get the address associated with a specific private key: Obtains the address from a private key; for validation purposes.
• Add a specific Blockchain account to the Blockchain client wallet: The private key is needed to store the Blockchain account in the internal wallet of the Blockchain client. Initially, only one account can be stored.
• Get the Blockchain address added to the wallet: Retrieves the Blockchain address information previously added to the Blockchain wallet for validation purposes.
• Request authorization: Ask the EMERALD administrators to provide rights to a specific Blockchain address (associated with a specific assessment component) to use the TWS (authorization functionality from administrators).
Blockchain Transactions Creation
The assessment component needs to generate Blockchain transactions to send them to the Blockchain and be understood by the Smart Contracts deployed on it. The Blockchain client automatically creates the required Blockchain transactions for executing all functionalities available in the EMERALD TWS Smart Contracts, using the Web3.js library internally.
API REST for External Interaction
The Blockchain client exposes an API REST to allow assessment components to easily interact with the Blockchain client for their account management as well as for the provision of evidence and assessment results to be recorded on the TWS.
Additionally, the automatic verification service described in Section 9.1.2.1.1 interacts with the Blockchain client API to obtain the evidence and assessment results recorded in the Blockchain, necessary for the automatic verification of the integrity of the current evidence and assessment results available at EMERALD at a given time.
API description
All API endpoints are listed below with a brief explanation:
• Account: This endpoint is related to the Blockchain account (address and private key) management (create, add account to wallet, get account from wallet, get address from private key).
• Registration: This endpoint refers to an authorization request in the TWS.
• Admin: This endpoint refers to the TWS management as administrator. Administrators can be created, updated, listed and removed; users can be authorized or deauthorized; the total number of administrators and authorized users can be listed; the registered assessment components can be listed.
• Assessments: This endpoint refers to the management of the assessment results proofs of integrity (register, get, check).
• Evidence: This endpoint refers to the management of the evidence proofs of integrity (register, get, check).
Blockchain viewer
The Blockchain viewer monitors Blockchain-based events generated by the Smart Contracts, providing notifications about new users in the system, as well as new evidence or assessment results recorded in the TWS. It offers a mechanism for external users (such as auditors or security engineers) to manually verify evidence and assessment results recorded on the Blockchain. Figure 33 illustrates the internal architecture of the Blockchain viewer.
Figure 33. TWS Blockchain viewer architecture
The Blockchain viewer consists of five components:
• Eventeum⁴⁴: This component bridges the Smart Contracts deployed in the Blockchain with the Blockchain Viewer. As explained in Section 9.1.2.1.1, Smart Contracts automatically generate Blockchain events that Eventeum listens to. To listen to the events, it is necessary to subscribe to events from specific Smart Contract addresses (each Smart Contract has a unique Blockchain address). Additionally, the format of the specific events must be indicated to Eventeum (event id, parameters order, parameters type).
• Apache Kafka⁴⁵: This intermediate platform distributes Blockchain events between Eventeum and Logstash. Kafka uses message queues to provide asynchronous communication, meaning the sender (Eventeum) and the receiver (Logstash) do not need to interact with the message queue simultaneously.
• Logstash⁴⁶: A log management tool used in the Blockchain viewer to collect all events received from Eventeum via Kafka queues. It normalizes these events into a common format before routing them to Elasticsearch for processing.
• Elasticsearch⁴⁷: A distributed search and analysis engine that stores, indexes, and processes the information from the events. The information stored in Elasticsearch can be recreated from scratch in case of a security incident, ensuring a fully reliable source of information.
• Kibana⁴⁸: Kibana is a graphical interface that displays information from Elasticsearch in real time through customized dashboards. Access to Kibana dashboards requires authentication. Different roles need to be created to access different types of information in the TWS. For example, administrators should have access to all registered evidence and assessment results from different assessment components. In contrast, each authorized assessment component should have limited access only to its associated evidence and assessment results to prevent information disclosure. Additionally, different dashboards will need to be created for the different roles. For example, Figure 34 and Figure 35 show two examples of dashboards for administrators and assessment components. These dashboards are just an example and will be updated for the next version of the TWS according to the EMERALD requirements.
Figure 34. TWS Blockchain viewer dashboard for administrators
Figure 35. TWS Blockchain viewer dashboard for assessment components
⁴⁴ https://github.com/eventeum/eventeum
⁴⁵ https://kafka.apache.org/
⁴⁶ https://www.elastic.co/es/logstash
⁴⁷ https://www.elastic.co/es/elasticsearch
⁴⁸ https://www.elastic.co/es/kibana
Automatic verification service
Auditors require an automated method to verify the integrity of evidence and assessment results, in addition to the manual access to hashes and additional information offered through the Blockchain viewer. The automatic verification service meets this need by offering a graphical tool that validates evidence and assessment results from the EMERALD evidence storage against Blockchain records. Thus, this service ensures the integrity of evidence and assessment results.
The verification service will be integrated in the EMERALD UI allowing automatic integrity verifications. More details about the way to be integrated are provided in D4.3 [11].
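The comparison of stored evidence against recorded proofs of integrity described above, as an added example that is not TECNALIA's verification service. The hash function (SHA-256), the canonical JSON encoding, the record fields, the ledger layout and the rule that unrecorded or missing records also turn the status red are assumptions; the sample data is constructed.

```python
import copy
import hashlib
import hmac
import json


def record_digest(record):
    """Hex SHA-256 over a canonical JSON encoding of one record.

    Assumption: this document does not name the hash function or the
    encoding; key-sorted, whitespace-free UTF-8 JSON is used here so that
    the same record always yields the same digest.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def verify_store(store, ledger):
    """Compare every stored record with the proof recorded for its ID."""
    report = {"ok": [], "modified": [], "unrecorded": [], "missing": []}
    for rec_id in sorted(store):
        proof = ledger.get(rec_id)
        if proof is None:
            report["unrecorded"].append(rec_id)  # in storage, no proof recorded
            continue
        computed = record_digest(store[rec_id])
        recorded = proof["hash"].lower()
        if hmac.compare_digest(computed, recorded):
            report["ok"].append(rec_id)
        else:
            report["modified"].append({
                "id": rec_id,
                "recorded": recorded,
                "computed": computed,
                "recorded_at": proof["timestamp"],
            })
    # A proof whose record has disappeared from storage is also a finding.
    report["missing"] = sorted(set(ledger) - set(store))
    clean = not (report["modified"] or report["unrecorded"] or report["missing"])
    report["status"] = "green" if clean else "red"
    return report


def constructed_sample():
    """Constructed evidence, its recorded proofs, and a store altered afterwards."""
    original = {
        "ev-001": {"resource": "vm-frontend", "property": "disk_encryption", "value": True},
        "ev-002": {"resource": "bucket-logs", "property": "public_access", "value": False},
        "ev-003": {"resource": "db-main", "property": "tls_enforced", "value": True},
    }
    ledger = {
        rec_id: {"hash": record_digest(rec), "timestamp": 1730000000 + i}
        for i, (rec_id, rec) in enumerate(sorted(original.items()))
    }
    store = copy.deepcopy(original)
    store["ev-002"]["value"] = True   # changed after its proof was recorded
    del store["ev-003"]               # removed from storage
    store["ev-004"] = {"resource": "vm-batch", "property": "patch_level", "value": "ok"}
    return original, store, ledger


if __name__ == "__main__":
    original, store, ledger = constructed_sample()
    print(json.dumps(verify_store(original, ledger), indent=2))
    print(json.dumps(verify_store(store, ledger), indent=2))
```

Without a fixed canonical encoding, a record re-serialised with a different key order would hash differently and be reported as modified even though its content is unchanged.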
9.1.2.2 Technical specifications
The TWS is a software solution deployable at both Windows and Linux operating systems as long as they have hardware virtualization and docker support. It has been implemented using Solidity for the Smart Contracts, Javascript for the Blockchain client, React and Nodejs for the verification service and Go and Scripting for the Blockchain monitor.
9.2 Delivery and usage
This section describes the information needed for the installation and use of the TWS. Besides, it also details the licensing information and related packages and repositories.
9.2.1 Package information
The TWS is composed of the following packages:
• TWS.sol and Assessment.sol. These are the Smart Contracts that need to be deployed on the selected Blockchain network.
• One docker for the Blockchain client, to be deployed on the EMERALD infrastructure associated to the assessment component.
• Two dockers for the verification service (one for the backend, and one for the frontend), to be deployed on the EMERALD infrastructure.
• Eight dockers for the Blockchain viewer (Oauth2 proxy, eventeum, mongodb, zookeeper, kafka, Logstash, Elasticsearch, kibana) to be deployed on the EMERALD infrastructure (or as a service from other infrastructure).
9.2.2 Installation
The deployment of the Smart Contract will depend on the specific Blockchain network to be considered for the TWS.
For the rest of the services, as they have been dockerized, the installation is as follows:
• docker run {docker_image}, for the Blockchain client and the verification service.
• docker-compose up, for the Blockchain monitor (as a docker-compose.yml file has been created).
9.2.3 Instructions for use
Blockchain client
The Assessment component from EMERALD is the component that uses the Blockchain client to provide evidence and assessment results to the TWS. Once the Docker image is running (after following the installation steps in Section 9.2.2), the user needs to:
1. Generate and Add a Blockchain Account
Generate a Blockchain account and add it to the Blockchain wallet (inside the Blockchain client) through a POST request to the /client/account endpoint and a POST request to the /client/wallet endpoint of the Blockchain client API, respectively.
2. Request Authorization:
Request authorization for the user through a POST request to the /client/registration endpoint of the Blockchain client API. The administrators (initially, TECNALIA) will authorize the Blockchain account (authorized user).
3. Register the assessment component:
Once the user is authorized, register the assessment component through a POST request to the /client/assessment endpoint. From this point, all authorized users’ functionalities from the TWS can be executed. Refer to Section 9.1.2.1.1 for available functionalities: providing evidence or assessment results, retrieving the list of registered evidence or assessment result IDs, retrieving information of a specific evidence or assessment result ID, and checking the integrity of specific evidence or assessment results.
Blockchain viewer
In EMERALD, the verification service will be integrated in the EMERALD UI. There are two steps in the use of the TWS verification service:
1. Set-up of the component
It is necessary to define when and how often the TWS should be automatically updated and/or on demand, as shown in Figure 36.

Figure 36. TWS set-up (D4.3 [11])
2. Integrity check
The status of the integrity check is always visible at the upper right side of the EMERALD UI.
• If the integrity check of all evidence and assessment results is ok, the TWS status symbol is presented in green as shown in Figure 37.
Figure 37. Correct integrity verification
• If the integrity check is not ok, the TWS status symbol is presented in red as shown in Figure 38. Additionally, it is possible to get a report with the details of the modified evidence as shown in Figure 39.
Figure 38. Incorrect integrity verification
Figure 39. Integrity verification details (D4.3 [11])
More details on the graphical interface are provided in D4.3 [11].
9.2.4 Licensing information
Proprietary. Copyright by TECNALIA.
9.2.5 Download
This section is not applicable as TECNALIA owns a proprietary license, so no source code can be provided.
10 Conclusions
In this deliverable, we have provided a comprehensive overview of the initial implementation of the WP3 components within the EMERALD project. This includes detailed functional and technical descriptions, delivery and usage instructions, and associated documentation for each component: Clouditor-Orchestrator, Clouditor-Assessment, Clouditor-Evidence Store, Mapping Assistant for Regulations with Intelligence (MARI), Clouditor-Evaluation, Repository of Controls and Metrics (RCM), and Trustworthiness System (TWS).
The primary goal of this deliverable is to document the implementation of the WP3 components, ensuring that they are effectively integrated and operational within the EMERALD framework. By achieving this, we aim to facilitate the development of a Certification-as-a-Service (CaaS) framework for continuous certification of harmonized cybersecurity schemes.
The key contributions of this deliverable include the initial implementation of the WP3 components, addressing key results such as CERTGRAPH (KR2), OPTIMA (KR3), MULTICERT (KR4), and INTEROP (KR7). This progress is measured using the key performance indicators (KPIs) defined in the DoA [1].
Looking ahead, the next steps involve further development and refinement of the WP3 components. This includes the interim integration of the components within the overall EMERALD system (D3.5 [3], M15), thereby completing the first iteration of concepts, implementation and integration of WP3 components. Following this, the final versions of the concepts (D3.2 [4], M18), implementation (D3.4 [5], M24) and integration (D3.6 [6], M27) will be completed. These steps will ensure continuous improvement and alignment with the project's objectives, ultimately enhancing the robustness and effectiveness of the EMERALD framework.
11 References
[1] EMERALD Consortium, “EMERALD - Annex 1 - Description of Action - GA101120688,” 2022.
[2] EMERALD Consortium, “D3.1 Evidence assessment and Certification – Concepts - v1,” 2024.
[3] EMERALD Consortium, “D3.5 Evidence assessment and Certification - Integration - v1,” 2025.
[4] EMERALD Consortium, “D3.2 Evidence assessment and Certification Concepts - v2,” 2025.
[5] EMERALD Consortium, “D3.4 Evidence Assessment and Certification - Implementation - v2,” 2025.
[6] EMERALD Consortium, “D3.6 Evidence assessment and Certification - Integration - v2,” 2026.
[7] ENISA, “EUCS - Cloud Services Scheme,” [Online]. Available: https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme. [Accessed October 2024].
[8] B. et al., A Semantic Evidence-based Approach to Continuous Cloud Service Certification, Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing, 2023.
[9] MEDINA Consortium, “D3.6 Tools and techniques for collecting evidence of technical and organisational measures - v3 (https://medina-project.eu/public-deliverables/),” 2023.
[10] MEDINA Consortium, “D4.3 Tools and techniques for the management and evaluation of cloud security certifications - v3 (https://medina-project.eu/public-deliverables/),” 2023.
[11] EMERALD Consortium, “D4.3 User interaction and user experience concept – v1,” 2024.
[12] EMERALD Consortium, “D2.1 Graph Ontology for Evidence Storage,” 2024.
[13] MEDINA Consortium, “D3.5 Tools and techniques for collecting evidence of technical and organisational measures - v2 (https://medina-project.eu/public-deliverables/),” 2022.
[14] EMERALD Consortium, “D2.2 Source Evidence Extractor - v1,” 2024.
[15] EMERALD Consortium, “D2.4 AMOE - v1,” 2024.
[16] EMERALD Consortium, “D2.6 ML model certification - v1,” 2024.
[17] EMERALD Consortium, “D2.8 Runtime evidence extractor - v1,” 2024.
[18] MEDINA Consortium, “D3.3 Tools and techniques for the management of trustworthy evidence - v3 (https://medina-project.eu/public-deliverables/),” 2023.
[19] MEDINA Consortium, “D2.3 Specification of the Cloud Security Certification Language - v3 (https://medina-project.eu/public-deliverables/),” 2023.