Cloud Computing Compliance Controls Management
German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI)
Cloud Computing Compliance Controls Catalog (C5)
In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Controls Catalog (C5). C5 is an audited standard that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.
The purpose of the C5 catalog of requirements is to provide a consistent security framework for certifying cloud service providers and to give customers assurance that their data will be managed securely.
C5 is based on internationally recognized IT security standards such as ISO/IEC 27001:2013, the Cloud Security Alliance Cloud Controls Matrix 3.0.1, and BSI’s own IT-Grundschutz Catalogues. The catalog consists of 114 requirements across 17 domains (for example, the organization of information security, and physical security). It covers baseline security requirements that apply to all cloud service providers, as well as additional requirements for processing highly confidential data and for situations requiring high availability.
The BSI also puts emphasis on transparency. As part of an audit, the cloud provider must include a detailed system description and disclose environmental parameters such as jurisdiction and data processing location, how services are provisioned, other certifications issued for the cloud services, and the provider’s disclosure obligations to public authorities. This helps potential cloud customers decide whether the cloud services meet their essential requirements, such as compliance with legal requirements like data protection, adherence to company policies, or the ability to address the threat of industrial espionage.
Requirements of the BSI C5
- Implement Strong Access Controls: Establish strict authentication and authorization measures to ensure that only authorized personnel can access cloud services and data. Multi-factor authentication, robust password policies, and the principle of least privilege should be standard practice.
- Maintain Transparency Over Data Processing: Cloud providers must document and disclose their data processing practices. This includes transparently reporting on where data is stored, how it is processed, and who has access to it. Providers should also support customers in meeting their audit and compliance requirements.
- Ensure Data Protection and Encryption: Protect data both at rest and in transit with state-of-the-art encryption techniques. Cloud providers should offer encryption methods that conform to recognized standards and allow customers to manage their encryption keys.
- Demonstrate Operational Security: Establish and maintain a comprehensive set of operational security processes. This includes incident management, monitoring systems for unusual activities, vulnerability management, and regular penetration testing to identify and remediate security weaknesses.
- Manage Security Architecture and Design: Create and maintain a secure cloud architecture. This involves segregating customer environments, employing secure coding practices, and ensuring that the infrastructure can withstand both digital and physical threats.
- Provide Reliability and Resilience: Implement backup and disaster recovery procedures to ensure continuity of operations. This includes regular backups, redundant systems, and detailed plans for restoring services in the event of an incident.