With numerous cloud security best practices and standards already on the market, Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) published its own cloud security standard, the Cloud Computing Compliance Criteria Catalogue (C5). This post explains what BSI C5 is and how your cloud might benefit if you align with it.
Overview of BSI C5
BSI C5 was first published in 2016 to give cloud computing, the backbone of the digitalisation wave, a verifiable security baseline covering the cloud infrastructure itself and the confidential data and operations running on it. It builds on established information security standards such as ISO/IEC 27001 and the Cloud Security Alliance's Cloud Controls Matrix (CCM). Its latest revision, C5:2020, was published in 2020 to keep pace with the rapid development of cloud computing in recent years.
The C5 catalogue groups its criteria into domains covering the vital aspects of a secure cloud service, such as cryptography and key management, logging and monitoring, and identity and access management. It addresses three audiences: cloud providers, auditors, and cloud customers.
- Cloud providers that want to comply with BSI C5 can either implement the criteria directly in the internal control system of the service in question, or map their existing controls to the criteria and demonstrate that they provide an equivalent level of control.
- Independent third-party auditors examine whether the provider's internal control system for the offered cloud services and resources meets the C5 criteria. If it does, the provider receives a C5 attestation report. Note that this is an attestation, not a certificate: it covers only the services, regions and reporting period stated in the report.
- Cloud customers can use the provider's attestation report for their own compliance verification and security assessment, both when selecting a cloud provider and while using one.
The Difference with BSI IT-Grundschutz
BSI also maintains another information security standard, IT-Grundschutz, but it serves a different purpose than C5. IT-Grundschutz describes how to build and operate an information security management system (ISMS) that provides and maintains safeguards for information across an organisation's personnel, business processes, IT systems and applications. C5, by contrast, is specific to cloud services: it defines the criteria a cloud provider's infrastructure must meet so that customers can build their own infrastructure, run their applications and services, and store their data on it securely.
Why BSI C5 Compliance Could Be Good for You
BSI C5 is voluntary: neither cloud providers nor you as a cloud customer are obliged to comply with it (unless a regulator, a customer or a contract demands it; see below).
Cloud providers comply with cloud security standards and best practices such as BSI C5 to demonstrate their side of the shared responsibility model: that the cloud infrastructure, including the services and resources they offer, is built and operated securely and to a recognised standard. That evidence is what lets cloud customers entrust confidential data and their own infrastructure to the platform.
Although cloud customers are not required to comply with BSI C5, there are good reasons why doing so can benefit you (and your cloud):
- First, as a cloud customer you are responsible for securely configuring your own cloud infrastructure; that is your side of the shared responsibility model. Measuring your configuration against cloud security standards and best practices such as BSI C5 helps you find misconfigured cloud resources before an unauthorised user exploits them.
- Second, suppose your organisation operates critical infrastructure or in the financial sector in Germany. It may then be required to host (customer) data and applications only with cloud providers that hold a C5 attestation. Aligning your own cloud configuration with the C5 criteria helps you meet the relevant German regulatory requirements and increases your customers' confidence that you are securing your cloud.
However, there are several things to be aware of when working toward BSI C5 compliance.
- A cloud provider's C5 attestation may not cover all of its regions. Only resources that live in an attested region can be treated as covered by the provider's C5 controls. For example, for Amazon Web Services only the Frankfurt, Ireland, London, Paris, Milan, Stockholm and Singapore regions are in scope for C5 attestation. Always confirm the scope against the provider's current attestation report, because the covered regions and services change between report periods.
- Not all C5 criteria apply to you as a cloud customer, because many of them target the provider's operational or physical infrastructure (the physical security of the data centres, for instance), which you cannot influence.
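The region caveat above is easy to get wrong in a multi-region account, so here is a small check that classifies an inventory of AWS resource ARNs as inside or outside the attested regions. This is an added example, not code from the original post or from Mitigant's product. It assumes the region list quoted above (mapped to AWS region codes) and a constructed sample inventory; before relying on it, replace `C5_ATTESTED_REGIONS` with the regions named in the provider's current C5 attestation report. Region-less ARNs (IAM, S3 buckets) are reported separately, because their scope has to be checked against the report's service list rather than its region list.

```python
"""Classify AWS resource ARNs against the BSI C5 region scope.

Added example (not from the original post or Mitigant). The region set is an
assumption taken from the list in the text above; verify it against the
provider's current C5 attestation report. The inventory is constructed.
"""
from dataclasses import dataclass

# AWS region codes for the regions the post names as C5 in scope (assumption).
C5_ATTESTED_REGIONS = {
    "eu-central-1",    # Frankfurt
    "eu-west-1",       # Ireland
    "eu-west-2",       # London
    "eu-west-3",       # Paris
    "eu-south-1",      # Milan
    "eu-north-1",      # Stockholm
    "ap-southeast-1",  # Singapore
}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account-id:resource into fields.

    The resource part may itself contain ':' (e.g. "function:name"), so split
    at most five times and keep the remainder intact.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a valid ARN: {arn!r}")
    return Arn(*parts[1:])


def classify(arn: str, attested_regions=C5_ATTESTED_REGIONS) -> str:
    """Return 'in_scope', 'out_of_scope' or 'global' for one ARN."""
    a = parse_arn(arn)
    if a.region == "":
        # IAM, Route 53 and S3 bucket ARNs carry no region: check them
        # against the attestation report's service scope, not its region list.
        return "global"
    return "in_scope" if a.region in attested_regions else "out_of_scope"


def scope_report(arns):
    """Bucket an ARN inventory by C5 region scope; malformed ARNs go to 'invalid'."""
    report = {"in_scope": [], "out_of_scope": [], "global": [], "invalid": []}
    for arn in arns:
        try:
            report[classify(arn)].append(arn)
        except ValueError:
            report["invalid"].append(arn)
    return report


# Constructed sample inventory; the account id and resource names are made up.
SAMPLE_INVENTORY = [
    "arn:aws:ec2:eu-central-1:123456789012:instance/i-0abc123def456",
    "arn:aws:rds:eu-west-1:123456789012:db:orders-prod",
    "arn:aws:lambda:us-east-1:123456789012:function:nightly-export",
    "arn:aws:s3:::customer-uploads",
    "arn:aws:iam::123456789012:role/DeployRole",
    "arn:aws:kms:ap-southeast-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "not-an-arn",
]

if __name__ == "__main__":
    for bucket, items in scope_report(SAMPLE_INVENTORY).items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
```

In practice you would feed `scope_report` the ARNs returned by a resource inventory (for example the output of a Resource Groups Tagging API or AWS Config export) rather than a hard-coded list; anything that lands in `out_of_scope` is a resource the provider's C5 attestation does not speak for, whatever your own configuration looks like.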
How Mitigant Can Help to Achieve BSI C5 Compliance
Mitigant helps organisations continuously achieve and monitor their cloud's compliance with cloud security best practices and standards such as the Center for Internet Security (CIS) benchmarks, the Payment Card Industry Data Security Standard (PCI DSS) and BSI C5. Keep your cloud resources securely configured and compliant at all times, with fast onboarding and a single, easy-to-use interface.
Read more about Mitigant's continuous compliance management at https://www.mitigant.io/compliance.
Muhammad Ihsan Haikal Sukmana
Chief Product Officer & Co-Founder @Mitigant.