CertGraph Ontology

To consider a cloud system from multiple perspectives (for example, source code, runtime environment, policy documents) during certification, multiple evidence extractors are used, each specializing in a specific domain. The extracted evidence is then linked together to obtain a holistic view of the whole system.

We propose the CertGraph Ontology as an extensible approach to modeling evidence, consisting of multiple sub-ontologies. Two ontologies form the base: Core and Security Feature, which focus on the evidence itself and on modeling security concepts, respectively. On top of the base, we propose four extensions, each covering a different domain of a cloud system and each used by at least one evidence extractor:

  • Application, used by Codyze and eknows, focuses on source code.

  • Cloud, used by Clouditor-Discovery, focuses on resources deployed in the cloud.

  • Document, used by AMOE, focuses on natural language documents.

  • ML, used by AI-SEC, focuses on machine learning models.

One security concept (Transport Encryption with TLS) has been selected to illustrate the ontology with a real-world example. It shows how evidence collected by two independent tools can be represented and linked.
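As an added illustration of that linking step (example code written for this page, not part of CertGraph, EMERALD or any of the named tools), the following Python models two pieces of TLS evidence about one storage endpoint as triples in a tiny in-memory graph: one recorded by a cloud extractor, one by a source-code extractor. All prefixes, predicate names, resource identifiers and tool identifiers are constructed placeholders, not the real ontology's vocabulary.

```python
from dataclasses import dataclass

# Hypothetical prefixes standing in for the Core, Security Feature, Cloud and
# Application sub-ontologies (constructed for this example).
CORE, SEC, CLOUD, APP = "core:", "sec:", "cloud:", "app:"

@dataclass(frozen=True)
class Triple:
    s: str
    p: str
    o: str

class EvidenceGraph:
    """Minimal triple store; enough to join evidence from several extractors."""
    def __init__(self):
        self.triples = set()
    def add(self, *ts):
        self.triples.update(ts)
    def objects(self, s, p):
        return {t.o for t in self.triples if t.s == s and t.p == p}
    def subjects(self, p, o):
        return {t.s for t in self.triples if t.p == p and t.o == o}

def load_sample() -> EvidenceGraph:
    """Constructed evidence: a cloud tool saw the endpoint, a code tool saw the client."""
    g = EvidenceGraph()
    g.add(Triple("res:storage-1", "rdf:type", CLOUD + "ObjectStorage"),
          Triple("res:storage-1", SEC + "hasTransportEncryption", "te:storage-1"),
          Triple("te:storage-1", SEC + "protocol", "TLS"),
          Triple("te:storage-1", SEC + "protocolVersion", "1.2"),
          Triple("te:storage-1", CORE + "collectedBy", "tool:cloud-extractor"))
    g.add(Triple("code:UploadClient", "rdf:type", APP + "SourceCodeArtifact"),
          Triple("code:UploadClient", APP + "connectsTo", "res:storage-1"),
          Triple("code:UploadClient", SEC + "hasTransportEncryption", "te:client"),
          Triple("te:client", SEC + "protocol", "TLS"),
          Triple("te:client", SEC + "protocolVersion", "1.3"),
          Triple("te:client", CORE + "collectedBy", "tool:code-extractor"))
    return g

def tls_evidence_for(g: EvidenceGraph, resource: str) -> dict:
    """Map each collecting tool to the TLS version it reported for `resource`,
    following both the direct cloud link and code artifacts that connect to it."""
    subjects = {resource} | g.subjects(APP + "connectsTo", resource)
    found = {}
    for s in subjects:
        for te in g.objects(s, SEC + "hasTransportEncryption"):
            if "TLS" in g.objects(te, SEC + "protocol"):
                for tool in g.objects(te, CORE + "collectedBy"):
                    found[tool] = next(iter(g.objects(te, SEC + "protocolVersion")))
    return found

def transport_encryption_satisfied(g, resource, min_version="1.2") -> bool:
    """Holistic check: at least two independent tools report TLS at or above min_version."""
    ver = lambda v: tuple(int(x) for x in v.split("."))
    ev = tls_evidence_for(g, resource)
    return len(ev) >= 2 and all(ver(v) >= ver(min_version) for v in ev.values())
```

The check passes only when both the deployed endpoint and the client code agree on TLS at the required level, which is the cross-extractor view the linked graph makes possible.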

At the end of July, the EMERALD consortium is going to release the deliverable D2.1, which will explain our approach in detail.