BSI C5 Status Quo. Dr. Clemens Doubrava, BSI,

Transcription

1 BSI C5 Status Quo Dr. Clemens Doubrava, BSI,

2 Expectations Cloud Service Provider Customers, more customers, An Everything-is-secure -Certification Preferably including data protection (GDPR) Standardized security agreements No additional security agreements Restricted liability Control audit planning Cloud Service User Highest usability and seamless integration A secure cloud service and an everything is secure -certification Preferably including data protection (GDPR) Security via binding requirements in contract Significant evidence of security Dr. Clemens Doubrava BSI C5 - Status Quo Page 2

3 Reality Information security An Everything-is-secure-Certification is impossible Security has to be appropriate and not perfect Defining an appropriate security level is the responsibility of the customer or regulatory bodies Compliance Information security is an important building block for compliance standards Data protection is defined by the corresponding independent authorities and regulatory bodies. Assessments on information security must be integrated easily in compliance standards Dr. Clemens Doubrava BSI C5 - Status Quo Page 3

4 C5 in a nutshell Information Security 114 controls structured in 17 sections defining a baseline security Based on ISO 27001, CSA CCM, BSI, ANSSI, Special attention on cloud issues (IAM, Operations, ) Mapping to several other standards available Audit and Report Audit according to ISAE 3000 (or analogue national standards) Report analogue to ISAE 3402 or SOC 2 (SOC 2+) Qualification of the audit team Performed by public accountants and IT security experts Transparency Surrounding parameters for transparency Dr. Clemens Doubrava BSI C5 - Status Quo Page 4

5 Facts Timeline C5 published at CeBIT 2016 December 2016: 1 st attestation for Amazon Web Services for services from region Frankfurt February 2017: 2 nd attestation for Box March 2017: 3 rd attestation for Fabasoft Cloud May 2017: BSI publishes minimum standard for cloud usage for federal public sector August 2017: 4 th attestation for Microsoft Azure (Microsoft Cloud Deutschland) November 2017: 5 th attestation for Dropbox Business and Dropbox Education December 2017: 6 th attestation for Alibaba Cloud Services from Frankfurt and Singapore Characteristics International, European and national cloud services Attestation so far from 4 different financial audit companies (PwC, EY, KPMG, Deloitte) Dr. Clemens Doubrava BSI C5 - Status Quo Page 5

6 C5 is NOT just a new standard Business relation Cloud service user Maps the security requirements with C5 Read and understands C5 report Evaluates surrounding parameters Demands C5 + delta in a contract Just has to negotiate delta Cloud service provider Has an internal control system Holds a C5 attestation Gives C5 report to customers C5 controls are part of the contract Just has to negotiate delta C5 serves as a baseline AND a catalyzer for DSM Dr. Clemens Doubrava BSI C5 - Status Quo Page 6

7 Minimum standard for secure cloud usage Minimum standards of BSI are mandatory for federal authorities in Germany (comparable to compliance rules or corporate binding rules in enterprises) BSI published a minimum standard for the use of external cloud services Defines prerequisites, a process and 20 requirements Information security requirements are based on C5 The user still needs to decide the appropriate security level based on information and processes A more elaborated process is defined in the publication: Secure use of cloud services Dr. Clemens Doubrava BSI C5 - Status Quo Page 7

8 Check with reality Cooperation with data protection Mapping to TCDP (Trusted Cloud Data Protection) (delta is data protection only) Both audits done at the same time (e.g. Box) Public procurement Body cams for the federal police in Germany with cloud storage attached Negotiations were fast (due to catalyzer C5) Market enabler Alibaba cloud uses C5 attestation to develop European market Is it a fundament Fundament for 1 st and 2 nd -party audits (ISACA) Future regulations for professional secrets and even financial market is in progress Dr. Clemens Doubrava BSI C5 - Status Quo Page 8

9 Take Home Messages C5 defines a baseline for secure cloud services CSP can easily add C5 to their compliance management (mapping) C5 is international by design Any country can adopt or expand C5 (no problem for attestation) There is no Everything-is-secure-certification Cloud service provider and customers remain accountable and C5 will not change this C5 serves as a catalyzer for a secure DSM in the EU: Baseline? Check! Take care of the delta C5 is part of the contract Periodical audit report builds trust between customer and provider Data protection is (and will be) a remaining issue BUT overlap to C5 is large (and audit processes can be coordinated) In addition: German data protection authority recognizes C5 Most important: C5 works! Dr. Clemens Doubrava BSI C5 - Status Quo Page 9

10 Thank you very much for your attention! (German) (English) Kontakt Dr. Clemens Doubrava Head of Section Information Security in the Cloud and in Applications Bundesamt für Sicherheit in der Informationstechnik Referat B34 Postfach D Bonn Dr. Clemens Doubrava BSI C5 - Status Quo Page 10