Cloud security is not only a major topic for companies and for customers in the public sector, but also for politicians. Since there is still no EU-wide uniform regulation of the corresponding security standards, the individual member states rely on their own laws and regulations. That means: companies' compliance efforts must also adjust to the existing differences between countries.
C5: supporting decision makers in Germany in the selection process
In Germany there are five ‘Cs’ for the corresponding requirements: the criteria catalogue C5 (Cloud Computing Compliance Criteria Catalogue) of the Federal Office for Information Security (BSI). It specifies the minimum requirements for secure cloud computing and is aimed equally at cloud providers and their customers.
Only a select few companies have so far been able to secure the C5 attestation – among them OVHcloud, one of the leading providers in this area. The attestation not only proves that the respective provider is well positioned. It is also, and above all, a guide for companies and organizations when it comes to choosing a suitable cloud provider – highly relevant, not least for public tenders.
BSI’s C5 set of rules primarily consists of a list of security controls developed by the federal authority. First published in 2016 and revised in 2019, the catalogue of requirements now enjoys a high level of acceptance – more than a dozen attestations have been issued to date, and they ensure reliable compliance with security-relevant standards. C5 was developed and implemented as an alternative to, or successor of, the large number of different sets of rules that were previously supposed to ensure the security of the cloud. These included the ISO standards 27001, 27002 and 27017 as well as the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA).
With C5, a uniform compendium of the relevant security requirements has been available for five years – one that is becoming increasingly relevant. Given that in 2020 the overwhelming majority of companies will use the cloud (over 80 percent) and half of them will spend an average of more than one million euros on corresponding services each year, the question of maximum security and data protection is one of the most urgent. C5 gives the answers. Those who are C5 attested can present themselves with a clear conscience as a secure company that handles data discreetly. C5 offers customers the option of conducting their own qualified risk management when selecting cloud providers.
And in France: SecNumCloud is the local answer
For internationally active companies in particular, however, the different regulations in the individual countries can be a problem. C5 certification in Germany is difficult to use as a selection argument for customers abroad. What about in Italy or France, for example? Or even in a non-EU country like Great Britain?
In France, the SecNumCloud regulation of the Agence nationale de la sécurité des systèmes d’information (ANSSI) applies accordingly. Those who comply with these rules demonstrate their compliance for IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service) offerings. The SecNumCloud qualification stands for security through resilience and the ability to ward off even sophisticated cyber-attacks, as well as for trust through long-term data protection compliance. The regulation is aimed at public corporations, essential suppliers and providers of digital services – and of course at the corresponding software / SaaS providers and system integrators.
Not to forget Italy: AGID compliance as proof of resilience
In Italy, the provisions of the Agenzia per l’Italia Digitale (AGID), the national IT supervisory authority, focus primarily on two types of requirements: company-specific and otherwise specified. The company or organization-specific conditions include the proven ability to master critical situations confidently, efficient quality management, 24/7 customer service and the adaptation of defined processes – including in the areas of change, configuration and incident management – and maximum transparency when concluding contracts.
The otherwise specified requirements of the Italian regulation include security and data protection rules, conditions for performance and scalability, a service quality guarantee over the entire life cycle as well as interoperability and portability.
And finally the United Kingdom: G-Cloud mainly for public sector customers
Finally, in Great Britain there is the government initiative G-Cloud, in which the ‘G’ stands for ‘Government’. It is aimed primarily at authorities and governmental institutions and applies to four core areas: “Data in Transit Protection”, “Asset Protection and Resilience”, “Separation between Consumers” and “Governance Framework”. Through these core areas, the set of rules covers the essential security aspects of public institutions adopting cloud solutions – with the aim of promoting this nationwide and making cloud computing the standard for the authorities. The regulations were revised and adapted in 2014 – together with a simplified classification into three instead of the previous six categories: ‘Official’, ‘Secret’ and ‘Top Secret’.
In summary, each of these sets of rules has its own characteristics, focal points and detailed solutions, so that from a pan-European perspective there is more of a patchwork quilt than a cross-border minimum standard. For providers, this means that what is decisive in one country is not necessarily decisive in another – so that in many cases complex adaptation measures are required in order to obtain the relevant certifications in the various markets. It is of course a great advantage if a company itself sets high requirements for its cloud offering. As long as there is no European standard that internationally active customers can rely on, they must ensure when choosing a provider that the cloud solutions used hold certifications in all relevant markets. This is the only way to ensure that compliance and security are guaranteed everywhere.