
Secure data exchange in the cloud requires decision makers to have extensive expertise in choosing the right cloud provider. This article explains what you need to pay attention to and what role the BSI C5 certificate plays in this.
More and more companies are using cloud services to be able to work more productively and efficiently as a team. But not all clouds are the same: with independent certifications and audits, cloud providers demonstrate a high level of security and optimal data protection. Such evidence is therefore increasingly expected or even required by law.
When selecting an appropriate provider, decision makers should therefore carefully examine which technical and security-specific qualifications it has. Probably the most important component at the moment: a BSI C5 certificate.
BSI C5 certificate — comprehensive seal of approval
In addition to numerous other, internationally established certifications, the BSI C5 certificate has prevailed in Germany in recent years. It demonstrates the effectiveness of the security management system implemented by a cloud provider. This C5 catalog of requirements for information security management systems (ISMS), first published in 2016 by the Federal Office for Information Security (BSI), is divided into two different attestation types.
While the Type 1 attestation certifies the existence of an appropriate security management system at the time of the audit and is therefore not significantly different from other certifications, the Type 2 attestation demonstrates the continued effectiveness of the security management system throughout the audit period. The audit period ranges from six to twelve months. An initially obtained Type 1 C5 certificate is a prerequisite for obtaining a Type 2 certificate.
The audit for the C5 certificate not only deals with the management of internal security measures for information systems, but also includes external factors such as subcontractors. For C5 certificates that are to be used externally, for example by cloud providers as a reference for customers, the audit must be carried out by an independent auditor. The auditor must also hold a special qualification in order to be able to carry out the audit and issue the certificate. The C5 list of criteria also describes the qualification requirements for auditors.
BSI C5 in healthcare
The BSI C5 standard is becoming increasingly important in Germany. For example, cloud providers who want to provide their services in the healthcare sector must be able to present a valid C5 certificate from July 1, 2024.
A type 1 C5 certificate is sufficient until June 30, 2025. However, from July 1, 2025, a Type 2 certificate will be mandatory for such cloud service providers. These standards are enshrined by the Act to Speed up the Digitalization of Health Care — Digital Act (DigiG) for short — that came into force on March 26, 2024.
The corresponding regulations apply not only to service providers who merely provide storage space in the cloud, but also to providers of other solutions, such as SaaS platforms in healthcare, whose applications are used in the cloud. As a result, all organizations that operate in the medical sector and run IT systems with a cloud connection are required to verify the corresponding C5 certification of their service providers. In case of doubt, they must switch to another cloud provider if their current provider does not hold a BSI C5 certificate.
BSI C5 in the public sector
In addition, the BSI C5 standard is now also having an effect in the public sector: If federal institutions use external cloud services, they must request proof of compliance with the C5 standard from the cloud provider. Providers that do not meet this criterion can therefore no longer provide their services to federal authorities.

In the area of public procurement, the Federal Government Commissioner for Information Technology (Federal CIO), based at the Federal Ministry of the Interior and Home Affairs, has already published supplementary contract provisions for the procurement of cloud services (EVB-IT Cloud) as of March 1, 2022. They oblige federal authorities, and also state and some local authorities, to take into account a corresponding BSI C5 certificate from the provider when procuring cloud services.
As part of information security management, the C5 certificate is also becoming increasingly important for subcontractors that provide cloud-based services for public sector contractors. This applies, for example, to data centers, as smaller cloud service providers generally do not host their services in their own data center, but rely on appropriate third-party providers. The C5 certificate is also increasingly mandatory for these.
BSI C5 in practice
While the C5 list of criteria deals with organizational and technical measures to ensure a minimum standard in IT security for cloud services and the corresponding monitoring systems, specific selection criteria come to the fore for decision makers in companies when choosing an external cloud provider:
➢ Has the cloud provider obtained a BSI C5 certificate, or does it merely hold certification in accordance with the various ISO 27000 specifications (here primarily the ISO 27001/ISO 27002/ISO 27017/ISO 27018 standards)?
➢ Was the BSI C5 certificate issued by a renowned auditor?
➢ Is it a Type 1 or Type 2 certificate?
➢ Does the cloud service provider use third-party providers (e.g. external data centers) to host its services or does it operate the technical infrastructure entirely on its own?
➢ If external hosting partners are involved: Do they also have a BSI C5 certificate?
➢ Are clients' data inventories backed up geo-redundantly so that two or more data centers can independently guarantee services in clear geographical separation from each other?
➢ Does the provider guarantee end-to-end encryption that is based on openly specified methods and algorithms, so that backdoors cannot be concealed as they can be in proprietary encryption methods?
Location question: Cloud providers from the USA pose risks
One criterion that should not be underestimated when choosing an external cloud service provider is its location.

The General Data Protection Regulation (GDPR) applies throughout the EU with the aim of ensuring comprehensive data protection. Cloud providers that have their headquarters in the USA, or even providers that merely have their data centers or servers located in the USA, cannot offer their cloud services within the EU in compliance with data protection regulations.
US PATRIOT Act and CLOUD Act
The reason for this is the US PATRIOT Act and the CLOUD Act, which allow US authorities to access third-party data even without a court order if the company in question is either based in the USA or operates servers in the United States. Data can also be accessed on servers located in data centers in Europe if the cloud provider is based in the USA.
Every decision maker should therefore be aware that, due to the secret powers and activities of the US authorities, trade secrets or even business-relevant intellectual property may be spied on and exploited when data in the cloud comes into the sphere of influence of the United States of America. There are also other legal stumbling blocks when data from third parties is managed in the cloud on servers outside the EU.
In order to achieve a balance between the EU-wide General Data Protection Regulation and the US Cloud Act, a corresponding legal assistance agreement would be necessary. Only with such a contractually agreed adjustment of the two different legal views would it be possible to manage data stocks in the cloud in accordance with data protection regulations, even on servers subject to US jurisdiction. The EU has so far failed to negotiate such an agreement.
On the safe side with SecureCloud
SecureCloud's technical infrastructure and organizational measures meet all these requirements and ensure legal planning and security:
➢ The data centers where SecureCloud hosts its servers and services are all located in Germany. They are operated by German companies, and we store databases geo-redundantly.
➢ SecureCloud is a German company with no connections to US organizations.
➢ The data centers are certified in many cases in accordance with various internationally recognized security standards. SecureCloud successfully completed the audit process for the BSI C5 certificate. The audit was carried out by a renowned German auditing firm.
➢ We encrypt our clients' databases end-to-end without any ifs or buts and manage them on the basis of openly available specifications.
➢ With our sister company Exabackup GmbH, we also offer a backup platform for backing up cloud applications. Exabackup GmbH is of course subject to the same strict requirements as SecureCloud.
Decision-makers who are looking for a reliable productivity cloud for secure data exchange within the company are therefore in good hands with SecureCloud. We offer you all relevant services for online cooperation and data exchange from a single source — independently certified and therefore certainly secure.