Secure data exchange in the cloud requires decision-makers to have extensive specialist knowledge when selecting the right cloud provider. This article explains what you need to look out for and what role the BSI C5 certificate plays in this.
More and more companies are using cloud services to work more productively and efficiently as a team. But not all clouds are the same: cloud providers use independent certifications and test certificates to demonstrate a high level of security and optimum data protection. Increasingly, such evidence is therefore mandatory or even required by law.
When selecting a provider, decision-makers should therefore carefully check which technical and security-specific qualifications the provider can demonstrate. Currently, the most important of these is probably a BSI C5 certificate.
BSI C5 certificate - comprehensive seal of approval
In addition to numerous other internationally established certifications, the BSI C5 certificate has become established in Germany in recent years. It attests to the effectiveness of the security management system implemented by the cloud provider. The C5 catalog of requirements for information security management systems (ISMS), first published by the German Federal Office for Information Security (BSI) in 2016 and regularly updated since, provides for two different types of certificate.
While the type 1 certificate certifies the existence of an appropriate security management system at the time of the audit and therefore does not differ significantly from other certifications, the type 2 certificate verifies the ongoing effectiveness of the security management system throughout the entire audit period. The audit period ranges from six to twelve months. An initial Type 1 C5 certificate is a prerequisite for obtaining a Type 2 certificate.
The C5 audit not only deals with the management of internal security measures for information systems, but also includes external factors such as subcontractors. For C5 certificates that are to be used externally, for example by cloud providers as a reference for customers, the audit must be carried out by an independent auditor. The auditor must also provide proof of special qualifications in order to carry out the audit and issue the certificate. The qualification requirements for the auditor are also described in the C5 criteria catalog.
BSI C5 in the healthcare sector
The BSI C5 standard is becoming increasingly important in Germany. For example, cloud providers who wish to provide their services in the healthcare sector must be able to present a valid C5 certificate from July 1, 2024.
A type 1 C5 certificate is sufficient until June 30, 2025. From July 1, 2025, however, a type 2 certificate will be mandatory for such cloud service providers. These standards are laid down in the Act to Accelerate the Digitalization of the Healthcare System - the Digital Act (DigiG) for short - which came into force on 26 March 2024.
The corresponding regulations not only affect service providers who only provide storage space in the cloud, but also providers of other solutions, such as SaaS platforms in the healthcare sector, whose applications are cloud-based. As a result, all organizations that are active in the medical sector and operate IT systems with a cloud connection are effectively obliged to check the corresponding C5 testing of their service providers. In case of doubt, they must change their cloud provider if they cannot provide a BSI C5 certificate.
BSI C5 in the public sector
In addition, the BSI C5 standard is now also having an impact in the public sector: if federal institutions use external cloud services, they must request proof of compliance with the C5 standard from the cloud provider. Providers that do not meet this criterion can therefore no longer provide their services to federal authorities.

In the area of public procurement, the Federal Government Commissioner for Information Technology (Federal CIO), based at the Federal Ministry of the Interior and Home Affairs, published supplementary contract provisions for the procurement of cloud services (EVB-IT Cloud) as of March 1, 2022. They oblige federal authorities, as well as state and some local authorities, to take a corresponding BSI C5 certificate from the provider into account when procuring cloud services.
As part of information security management, the C5 certificate is also becoming increasingly important for subcontractors that provide cloud-based services to public sector contractors. This applies, for example, to data centers: smaller cloud service providers generally do not host their services in their own data center but rely on suitable third-party providers, and the C5 certificate is increasingly mandatory for these providers too.
BSI C5 in practice
While the C5 list of criteria deals with organizational and technical measures to ensure a minimum standard in IT security for cloud services and the corresponding monitoring systems, specific selection criteria come to the fore for decision makers in companies when choosing an external cloud provider:
➢ Has the cloud provider obtained a BSI C5 certificate or does it simply have certification in accordance with the various ISO 27000 specifications (here primarily ISO 27001/ISO 27002/ISO 27017/ISO 27018 standard)?
➢ Was the BSI C5 certificate issued by a renowned auditor?
➢ Is it a Type 1 or Type 2 certificate?
➢ Does the cloud service provider use third-party providers (e.g. external data centers) to host its services or does it operate the technical infrastructure entirely on its own?
➢ If external hosting partners are involved: Do they also have a BSI C5 certificate?
➢ Are clients' data inventories backed up geo-redundantly so that two or more data centers can independently guarantee services in clear geographical separation from each other?
➢ Does the provider guarantee end-to-end encryption that is based on open-source methods and algorithms so that there can be no backdoors as is possible with proprietary encryption methods?
Location question: Cloud providers from the USA pose risks
One criterion that should not be underestimated when choosing an external cloud service provider is its location.

The General Data Protection Regulation (GDPR) applies throughout the EU in the context of ensuring comprehensive data protection. Cloud providers who have their headquarters in the USA or even providers who have their data centers or servers located in the USA cannot offer their cloud services within the EU in compliance with data protection regulations.
US PATRIOT Act and CLOUD Act
The reason for this is the US Patriot Act and the CLOUD Act, which allow US authorities to access third-party data even without a court order if the company in question is either based in the USA or operates servers in the United States. Data held on servers in European data centers can also be accessed in this way if the cloud provider itself is based in the USA.
Every decision maker should therefore be aware that, due to the secret powers and activities of the US authorities, trade secrets or even business-relevant intellectual property may be spied on and exploited when data in the cloud comes into the sphere of influence of the United States of America. There are also other legal stumbling blocks when data from third parties is managed in the cloud on servers outside the EU.
In order to achieve a balance between the EU-wide General Data Protection Regulation and the US CLOUD Act, a corresponding legal assistance agreement would be necessary. Only with such a contractually agreed reconciliation of the two different legal views would it be possible to manage data stocks in the cloud in accordance with data protection regulations, even on servers subject to US jurisdiction. The EU has so far failed to negotiate such an agreement.
On the safe side with SecureCloud
SecureCloud's technical infrastructure and organizational measures meet all these requirements and ensure legal planning and security:
➢ The data centers where SecureCloud hosts its servers and services are all located in Germany. They are operated by German companies, and we store databases geo-redundantly.
➢ SecureCloud is a German company with no connections to US organizations.
➢ Many of the data centers are certified in accordance with various internationally recognized security standards. SecureCloud has successfully completed the audit process for the BSI C5 certificate; the audit was carried out by a renowned German auditing firm.
➢ We encrypt our clients' databases end-to-end without any ifs or buts and manage them on the basis of openly available specifications.
➢ With our sister company Exabackup GmbH, we also offer a platform for backing up cloud applications. Exabackup GmbH is of course subject to the same strict requirements as SecureCloud.
Decision-makers who are looking for a reliable productivity cloud for secure data exchange within the company are therefore in good hands with SecureCloud. We offer you all relevant services for online cooperation and data exchange from a single source — independently certified and therefore certainly secure.
Interested in the sovereign cloud?
Our experts will be happy to tell you more.
SecureCloud
SecureCloud is a Germany-based cloud platform for encrypted data rooms, secure data exchange and digital signatures, with data centers and headquarters operated entirely in Germany. The company is ISO 27001 certified, complies with the requirements of the EU GDPR and BSI C5, and offers maximum data security and productivity. Since 2014, SecureCloud has supported more than 6,000 customers from the private and public sectors, including critical areas such as healthcare, legal services, public administration and the financial sector.