As financial institutions like CaixaBank (CXB) expand their operations into public cloud environments, integrating SaaS and IaaS with existing on-premises services, they face significant regulatory and security challenges. These hybrid cloud-edge environments require continuous compliance monitoring and certification to meet the stringent standards imposed by the financial sector.
In this context, the EMERALD platform plays a pivotal role by providing real-time assessments of cloud services. This capability ensures that these services align with specific security frameworks, addressing the critical needs of institutions operating in highly regulated environments.
A key advantage of EMERALD is its ability to deliver Certification as a Service, offering a tailor-made assessment framework. This framework can combine controls from various existing certifications with CXB’s own specific controls, ensuring a customized and comprehensive compliance evaluation process.
Moreover, with the number of cloud providers rising constantly, EMERALD addresses the growing demand for scalable cloud service assessments. The platform’s architecture and automation capabilities enable CXB to manage this increased workload efficiently, ensuring consistent and accurate compliance evaluations across a growing number of providers.
Key Challenges Addressed
- Integration of Public Cloud Services: Validating SaaS and IaaS offerings while maintaining security across multi-domain hybrid architectures.
- Regulatory Compliance: Ensuring alignment with sector-specific requirements, such as the European Cybersecurity Certification Scheme (EUCS).
- Standardization Barriers: Tackling the lack of uniformity in certification processes across multi-provider environments.
Tools and Methodologies Leveraged
The EMERALD pilot for CXB integrates several advanced tools to streamline and enhance the certification process:
- Evidence Collection and Analysis
AMOE: Used to gather evidence from documents and policies, automating the extraction of relevant compliance data.
Clouditor Discovery: Collects evidence directly from environments, endpoints, and configurations to validate security and operational compliance.
- Provider Resource Agnosticism
OpenNebula: Functions as a gateway to assess provider resources and endpoints in an agnostic manner, enabling seamless evaluation across various IaaS and PaaS providers, such as IONOS and CloudFerro.
- Real-Time Compliance Monitoring
EMERALD continuously evaluates cloud and edge service configurations to ensure they meet high-level security frameworks, providing dynamic assessments to address compliance gaps as they arise.
- Tailored Metrics and Unified Criteria
The platform employs a unified metric selection process to evaluate certification criteria objectively and consistently across different services and frameworks.
- Secure Service Integration
EMERALD ensures that all cloud and edge services are securely integrated into CXB’s existing infrastructure, addressing critical security and regulatory concerns.
- Overcoming Standardization Challenges
By addressing the lack of uniformity in certification processes, EMERALD facilitates streamlined compliance across multi-provider environments.
Pilot Objectives and Outcomes
The EMERALD pilot focuses on validating and optimizing the certification process for hybrid cloud-edge environments, with specific goals:
- Validate the key concepts and frameworks developed for cloud service certification.
- Demonstrate EMERALD’s effectiveness in monitoring and certifying hybrid cloud-edge environments in real time.
- Simplify and optimize the certification process for CXB, enabling compliance with high-level EUCS standards.
Scalable Compliance for the Future
By incorporating tools like AMOE, Clouditor Discovery, and OpenNebula, EMERALD enables CXB to handle the increasing complexity and volume of cloud services efficiently. Its ability to provide real-time, scalable, and tailored assessments positions it as a robust solution for meeting the growing demands of the financial sector’s regulatory landscape.
This pilot underscores the importance of integrating advanced technologies to address sector-specific challenges, ensuring a secure and compliant hybrid infrastructure for financial operations while paving the way for scalable and efficient certification practices.