How the C5 Standard Supports Cloud Security Efforts
Most organizations are accelerating their migration to the cloud in order to ensure that their distributed workforces have reliable access to the applications, data and services they need. IT decision-makers believe that up to 95 percent of all enterprise workloads will be in the cloud by 2025, according to one recent survey.
This transition can introduce a variety of security risks, however. Moving data and applications from a private, on-premises environment to cloud-based infrastructure broadens an organization’s attack surface. Nearly three-quarters of all cybersecurity incidents in 2020 involved external cloud assets, according to the latest Verizon Data Breach Investigations Report. It marked the first time that cloud security incidents outnumbered on-premises ones.
Nevertheless, there’s no putting the genie back in the bottle. The cloud presents too many cost and operational benefits to pull everything back to in-house data centers. Instead, organizations must focus on ensuring the consistent application of security policies and processes across all their services.
Take a Closer Look
One way organizations can improve their cloud security posture is with third-party audits that evaluate the security controls of potential cloud providers. An audit can help customers understand which security measures are included with a provider’s standard offering, which are available as supplements, and which are the customer’s obligation under the cloud’s shared responsibility model.
Cloud audits are typically based on security requirements outlined in various government-backed security standards. Compliance with these standards is a solid indicator that providers are meeting best practice recommendations for securing cloud environments. The auditing process gives customers confidence that cloud security controls have been transparently evaluated by an independent third party.
One standard that carries a good deal of weight in the industry is the most recent version of the Cloud Computing Compliance Criteria Catalog, also referred to as C5. Developed by the German Federal Office for Information Security (BSI), C5 establishes a mandatory baseline of security controls for public cloud solutions.
First published in 2016 and updated in 2020, the catalog is based on internationally recognized IT security standards such as ISO 27001, 27002 and 27017, the Cloud Security Alliance’s Cloud Control Matrix and the European Union’s Cybersecurity Act. It is one of the most comprehensive compliance criteria catalogs in the cloud services market, comprising 114 requirements across 17 separate areas, including basic cloud security policies, physical security, employee responsibilities, identity and access management, cryptography, incident management and business continuity.
The C5 Framework
Providers and customers alike benefit from compliance with the C5 criteria. The catalog gives providers a framework for establishing robust security policies and procedures. Customers can use it to verify the provider’s security practices. In addition, the C5 criteria help eliminate any misunderstandings about provider and customer security obligations. Under the shared responsibility model, cloud providers are generally responsible for securing the cloud infrastructure while customers must protect their data and applications within the cloud.
The borderless nature of the cloud makes internationally accepted standards such as C5 increasingly important. Many cloud providers — and many of their customers — have operations in more than one country. As a result, they may be subject to different laws and regulations regarding the transfer of information across national boundaries. A C5 attestation report will address such issues, making it easier for customers to evaluate providers across broad geographic regions.
It is almost universally accepted that cloud computing is the ideal IT model for businesses. Studies show that most companies use multiple cloud providers to achieve demonstrable business benefits in terms of flexibility, scalability, collaboration and market reach. However, cloud migration comes with some significant security risks. Third-party audits based on international standards such as the C5 catalog can provide important insights into a cloud provider’s security controls.