1.1 Current situation There are different standards and certifications on
the market which are used and maintained in par- Cloud computing is a new paradigm in ICT (infor- allel with great effort by many cloud providers. It mation and communication technology). It con- is difficult for customers, however, to keep up an sists of IT services being adjusted dynamically to overview of the large number of different certifi- the customer needs and made available through cations. The present cloud computing compliance a network in a billable manner. These services are controls catalogue (hereafter referred to as “C5”) is offered and used by means of technical interfaces intended to be an aid for the customer providing and protocols. Moreover, the definition of cloud a better overview for a higher level of security and computing of the Federal Office for Information avoiding redundant audits. Security (Bundesamt für Sicherheit in der Infor- mationstechnik – BSI) (and the differentiation from IT outsourcing) applies as it is described on the BSI website1. 1.2 Uniform requirements based on existing standards Cloud computing is based on a high level of standardisation of the hard- and software as well The BSI uses C5 to present its current view of the as on the services build on it, details of which the mentioned informal consensus, and particularly customer is usually not very familiar with. As a to also facilitate an in-depth technical discussion. consequence, a particularly high degree of trust in The requirements were, wherever possible, taken the cloud service provider is required, which has from known security standards and specified if to be developed first. necessary. They were supplemented by the BSI’s own requirements only to the extent needed. The A possible solution is combining the high origin of the requirements is documented in a standardisation of cloud computing with a high transparent manner so that the cloud provider is standardisation of information security. There able to easily perform a comparison with his own is no lack of available information security security level. standards in the context of cloud computing. Examples include the ISO/IEC 27001 and ISO/ In cases considered appropriate, additional IEC 27017 standards, the rules of the CSA Cloud requirements were included in C5 for certain Controls Matrix and the BSI products like the basic requirements. It’s BSI’s professional point IT-Grundschutz Catalogues and security profiles of view that the basic requirements shall always for software as a service (SaaS). be met for secure cloud computing. Moreover, it is up to the cloud customer to decide for their Among security experts and cloud service pro- specific use case whether these basic requirements viders exists an informal consensus about the are sufficient or additional, optional requirements requirements that have to be met for secure cloud have to be met by the cloud provider. For this computing. A generally recognised requirements purpose, the additional requirements of C5 serve (or controls) catalogue on this, however, is not as a useful starting point. available yet. It remains the challenge to prove the cloud customer that the requirements of C5 are fulfilled by means of a transparent audit performed by an independent, trusted third party. As for the basic 1 https://www.bsi.bund.de/EN/Topics/CloudComput- requirements found in this catalogue, this audit ing/Basics/Basics_node.html