Anyone who is handing over their data to the Cloud wants it to be stored there securely and in a way that complies with the law. That's why many cloud providers get themselves checked against the BSI's “Cloud Computing Compliance Criteria Catalogue” (C5 for short) or in accordance with CSA (Cloud Security Alliance). This also allows them to assess and compare their cloud service's security and protection levels. In this article we show you how to assess a suitable, secure cloud provider using C5:2020.
The Cloud does not absolve companies of their responsibility
Cloud services offer favourable opportunities for implementing IT-based business processes in a flexible, efficient manner. However, cybersecurity and compliance always need to be taken into consideration. Companies have a duty to conduct a comprehensive assessment of these risks and to monitor them throughout the cloud service's usage cycle. Like IT outsourcing, procuring services from the Cloud is a specific type of IT outsourcing. For you as Cloud users, externally procured cloud services are regarded as your “own” processes and services, and they are therefore subject to the same IT governance and compliance requirements as your own internal processes and services.
How it all began and how it carries on
The BSI – in agreement with the ANSSI (Agence nationale de la sécurité des systèmes d'information (National Agency of Information System Security) – has published a catalogue of requirements for assessing cloud services security (Cloud Computing Compliance Controls Catalogue, C5). Uniform requirements for cloud services' information security are formulated on the basis of recognised IT security standards (e.g. ISO/IEC 27001) and the BSI's own extensions.
The C5 standard and the French SecNumCloud label standard have had a reciprocal influence on each other. Both standards are to be amalgamated in a common ESCloud label, and thereby achieve Europe-wide recognition. To a large extent, the draft is based on the C5 security standard, which is why we will be taking a closer look at the current version of C5:2020 below – because this will also help you in selecting suitable cloud service providers. The draft EU Cyber Security Certification Scheme for Cloud Services (EUCS) from the European Union Agency for Cyber Security (ENISA) is substantially based on the C5:2020 safety standard.
C5:2020 – Adapting security criteria to meet current trends.
The C5:2020 was fundamentally revised in January 2020 to respond to current developments and to increase safety even further. Each safety criterion contains information on whether and, if so, how to check it within the scope of continuous auditing. The following fundamental changes have been made since the previous version:
-
Extension of the criteria for the provision of cloud services to include product-specific aspects of information security. These are derived from the European Cybersecurity Act.
-
Extension of the criteria on the provision of Cloud services, which concern the cloud provider's handling of investigation requests from government agencies.
-
Updating the criteria with regard to new concepts, e.g. “DevSecOps”.
-
Including corresponding criteria that show where Cloud customers need to develop their own measures to ensure the cloud service's security.
-
Inclusion of additional notes and information to gain a better understanding of the criteria as well as for continuously examining them.
-
Addition to the existing audit procedure of the option of a direct IT audit.
You can find a detailed list of the criteria on the BSI website .
Two new areas for security criteria in C5:2020
Without doubt, the biggest change relates to the inclusion of the first two points mentioned above:
-
-
Unlike the other parts of the C5, the new product security section focuses on the security of the Cloud service itself. For example, cloud providers must describe how the latest information on how to securely configure the services is passed on to their customers and how they are informed about the cloud service's known vulnerabilities. Furthermore, appropriate mechanisms must be provided for error handling and logging, as well as to authenticate and authorise users of the cloud customers. The requirements from the product security area are derived from the EU Cybersecurity Act inter alia.
-
The area of investigation requests from government agencies is intended to ensure the appropriate handling of such requests in terms of legal scrutiny. As a result, cloud providers will certainly think twice in the future about whether they wish to carelessly give up the protection of the data entrusted to them that they have promised their customers.
-
Security, transparency and proof as basic requirements
C5 is made up of three parts: security requirements, transparency criteria and requirements for reliable proof of completion of claims.
-
-
Security: The C5 security requirements are based on accepted standards, for example ISO/IEC 27001, CSA Cloud Controls Matrix or ANSSI4 Framework Secure Cloud, but have been supplemented with BSI requirements. All of the C5 requirements have to be fulfilled as far as they are applicable. In addition, there are optional requirements that impose higher levels of confidentiality and availability.
-
Transparency: With C5, the Cloud provider must present important information to the user, for example a detailed system description, all subcontractors, data localisation and powers of investigation. These are important criteria for users when choosing a Cloud provider and are therefore probably the most important aspect of the C5:2020.
-
Proof: C5 is also based on established standards and methods for demonstrating compliance with criteria by means of audits, and in individual cases these are supplemented. Auditors conduct audits according to the international ISAE 3000 standard or according to national implementations. The C5 reports are based on SOC 2 or ISAE 3402 reports, which are also widely used now. Here, C5 calls for type 2 reports, which demonstrate not only the appropriateness of the measures but also their effectiveness.
-
C5 as a guide for evaluating suitable cloud providers
C5 aims to define a generally accepted baseline for Cloud security. These requirements have been embedded in the international ISAE 3000 audit procedure, so that cloud providers have the option of having their compliance with the requirements as specified in C5 certified by auditors. This is exactly what InfoGuard has done for the Cyber Defence and Operations Center Services .
Therefore, for you as a Cloud user, it is logical to also use C5 as a helpful guideline and the basis for your own management and control measures. This makes sense and is necessary, for example, if one of the following points exists:
-
-
The Cloud provider does not have a C5 certificate. You may also consider that the provider's other certificates (e.g. ISO/IEC 27001) are not sufficient.
-
The C5 audit certificate submitted is inadequate due to your own more stringent requirements.
-
Your internal audit programme generally provides for its own audits and control measures at the Cloud provider. Among the reasons for this can be industry and sector-specific requirements.
-
There are further regulatory requirements, for example in the context of data protection/commissioned data processing (ADV). Here it is essential that you satisfy yourself that certain measures have been implemented by the Cloud provider by conducting your own checks.
-
In addition, the C5 requirements catalogue provides guidance for cloud services' selection (due diligence) and procurement criteria. Hence, it serves as an important aid for guidance, for example as a concrete requirements document for the security concept. Even though the C5 defines a minimum level of security, it does not absolve the user of responsibility for its own processes and data – in keeping with the “shared responsibility model“. However, it does provide a basic guide for making good decisions when selecting a provider.
Alongside the C5 and the future ESCloud, the CSA Cloud Controls Matrix has also become almost standard and has been adopted by the professional hyperscalers. Hyperscaler environments are aware of their exposure. However, the C5 catalogue of requirements also applies to smaller cloud service providers (SaaS, IaaS, PaaS).
Any Questions about Cloud Security?
There are many facets to cloud security – starting with strategy, selecting the right providers and checking security to name but a few. What we frequently see is that many Cloud decisions are purely business-driven, which means that cyber security often falls by the wayside. How is it for you? We would be happy to assist you in setting up and implementing a secure cloud strategy to ensure that cyber security does not take a back seat for you.
Now is the right time to be examining your cloud environment
We are currently seeing a lot of cyber incidents in the hyperscaler environment. Again and again, it is evident that many IT administrators are overwhelmed by the complexity of Cloud solutions and their responsibilities. To ensure that you are not one of many victims, we offer a dedicated hunting session in your complete Cloud environment. You can find out here exactly what this involves and why you should be examining your Cloud configuration now.
