C5 is for all cloud providers that want to make use of the available test criteria to prove their compliance with security requirements put through independent audits. In 2016, the test criteria were adopted from the ISO/IEC 27001 standard and the Cloud Security Alliance’s cloud controls matrix amongst others.
Due to the continuing growth of cloud-based offers, their complexity and use in business- and security-critical areas, it has become necessary to update the C5 catalogue. What’s more, certain geo-political factors must be taken into account that all users of a cloud service may not be aware of.
Experts are now invited to discuss the community draft and propose optimisations until 22 November 2019. The final version is expected to be available by the end of January 2020. Here’s a rundown of the key changes:
- Change or extension of the criteria with regard to new concepts, e.g. DevOps;
- Extension of the criteria for the provision of cloud services to include product-specific aspects of information security;
- Additional guidance and information to better understand and continuously audit the criteria; and
- Complementing the existing audit engagement type ‘attestation engagement’ with the option for a ‘direct engagement’
The C5 catalogue can be employed by both cloud providers and cloud customers. As a provider’s own attestation is not very meaningful from a customer perspective and uneconomical from a cloud provider’s perspective, the BSI sees a uniform, independent audit as the most sensible approach. A central audit means more transparency and enables cloud customers to actually compare providers.
A secure road to the cloud.
Th C5 catalogue is a lot more than just a certificate that cloud service providers can boast after a successful audit. With it, the BSI defines basic criteria, which offer a suitable level of security for the majority of customers and applications, as well as additional criteria that are critical for customers or applications with a greater need for protection.
BSI also defined corresponding criteria for businesses who require customers to actively contribute to information security. Obviously, a certification alone cannot necessarily guarantee information is always protected in the cloud. Customers must be able to tell the extent to which their data and the services they use must be protected. They must understand their obligations and how to fulfil them.
In addition to the safeguards for cloud service detailed in the C5 catalogue, there is a particular focus on secure configuration and operation of services. In the field, my colleagues and I often see that even the simplest security measures such as two-factor authentication, password policies, personalised admin access and granular admin roles are not put into practice. A lot of cloud providers and third party vendors offer automated test tools to assess configuration security, but most people either don’t know about them or simply don’t use them.
A frequent cause of problems is lack of planning and errors of judgement when it comes to the need for security. For instance, mail services are run without sufficient mail protection, virtual servers without firewalls and database instances without data security.
To ensure the secure operation of cloud-based services, a cloud strategy to implement and operate services is essential along with picking the right cloud provider. On top of the secure configuration of primary services, other solutions for maintaining information security must also be taken into account, for example, e-mail protection, firewall, archiving and backup, and the integration of on-premise infrastructure.