In this article you will read about,

• what the minimum requirements of the Federal Office for Information Security (BSI) mean,
• which issues public-sector customers have to consider when using external cloud services
• and how the Open Telekom Cloud meets these minimum requirements.

With the minimum requirements for external cloud use, the Federal Office for Information Security (BSI) has created binding principles for the use of cloud solutions in public administration. Cloud providers such as Open Telekom Cloud must be measured according to these requirements.

IT security has always been one of the most prominent topics for users of IT services. With the increasing use of the cloud, however, the topic of IT security has once again increased in importance. However, it must not be forgotten that security always rests on two shoulders: Both the provider and the user of cloud services must make their own contributions to IT security. For example, the user must regularly check the provider in terms of security and fulfill his duty of supervision. The provider must regularly inform the user about relevant changes – it is a mutual give and take.

For public administration institutions, the German Federal Office for Information Security (BSI) repeatedly makes specific specifications about how these supervisory duties should be performed with regard to IT providers. Most recently, in December 2022, the BSI published version 2.1 of the minimum standard for the use of external cloud services. This contains binding specifications for public institutions that use cloud providers.

These minimum standards are based on IT-Grundschutz, but do not expect the cloud provider to be fully certified according to IT-Grundschutz.

In detail, a reference table with approx. 90 criteria covers the minimum requirements that the contracting authorities must ensure are complied with.

Specifically, the following 19 topics are covered:

• Strategy for cloud usage
• Security guidelines for external cloud use
• Security concept for the (specific) external cloud service
• Emergency and continuity management
• Implementation of security requirements
• Dealing with subcontractors and other external third parties
• Jurisdiction
• Location of data processing
• Obligation to report security-related incidents
• Termination of the contractual relationship
• Regulation of data return and data deletion
• Integration into the ISMS
• Evaluation of security proofs
• Verification of performance
• Information requirements
• Multi-factor authentication
• Data return upon termination
• Data deletion upon termination
• Sharing of external cloud services

The Open Telekom Cloud has a wealth of different certifications to prove that it meets the requirements of the BSI for public-sector customers. The C5 Type 2 certification of the BSI is decisive here. In addition, the Open Telekom Cloud offers further certificates and test certificates such as DIN ISO 27001, 27017, 27018 as well as the listing at trusted-cloud.de with all current and tested certificates for German law. A complete list of existing certificates is available here. With the obligations on StGB §203 and SGB §35, the Open Telekom Cloud is even suitable for processing social data and for use by professional secrecy holders. Some of the BSI requirements are also reflected in the Open Telekom Cloud contracts, such as the return and deletion of customer data when the contractual relationship is terminated.

The Open Telekom Cloud can fulfill the minimum requirements of the BSI without any gaps. It is therefore a suitable cloud for all public sector applications; category 1, 2 and 4 data can be processed with it per se. This covers private, official, company and business secrets in accordance with German Criminal Code (StGB) §§ 203 and 353b, personal data in accordance with the General Data Protection Regulation (GDPR) Art. 4 No. 1 and other data. For category 3 data alone (classified information in accordance with the Classified Information Directive - VSA), specific concepts beyond the standards of the Open Telekom Cloud are required.