BSI minimum requirements for external cloud deployment 

by Redaktion
In accordance with the BSI, public administration must ensure certain minimum requirements for cloud use.
 

In this article you will read about:

  • what the minimum requirements of the Federal Office for Information Security (BSI) mean,
  • which issues public-sector customers have to consider when using external cloud services,
  • and how the Open Telekom Cloud meets these minimum requirements.


With the minimum requirements for external cloud use, the Federal Office for Information Security (BSI) has created binding principles for the use of cloud solutions in public administration. Cloud providers such as Open Telekom Cloud must be measured according to these requirements.

IT security meets cloud usage

IT security has always been one of the most prominent topics for users of IT services, and with the increasing use of the cloud it has gained further importance. It must not be forgotten, however, that security always rests on two shoulders: both the provider and the user of cloud services must make their own contributions to IT security. The user, for example, must regularly check the provider in terms of security and fulfil its duty of supervision; the provider in turn must regularly inform the user about relevant changes. It is a mutual give and take.

BSI: Binding requirements for public institutions

For public administration institutions, the German Federal Office for Information Security (BSI) has repeatedly issued specific requirements on how these supervisory duties are to be performed with regard to IT providers. Most recently, in December 2022, the BSI published version 2.1 of the minimum standard for the use of external cloud services. It contains binding requirements for public institutions that use cloud providers.

Minimum standards provide the framework

These minimum standards are based on IT-Grundschutz, but do not expect the cloud provider to be fully certified according to IT-Grundschutz.

"We are sometimes asked about such basic IT protection certifications. But the BSI does not prescribe the certificate. It merely stipulates that the basic IT protection questions must be answered."

Daniel Fussy, security and certification expert at Open Telekom Cloud.

In detail, a reference table with approx. 90 criteria covers the minimum requirements that the contracting authorities must ensure are complied with.

Specifically, the following 19 topics are covered:

  • Strategy for cloud usage
  • Security guidelines for external cloud use
  • Security concept for the (specific) external cloud service
  • Emergency and continuity management
  • Implementation of security requirements
  • Dealing with subcontractors and other external third parties
  • Jurisdiction
  • Location of data processing
  • Obligation to report security-related incidents
  • Termination of the contractual relationship
  • Regulation of data return and data deletion
  • Integration into the ISMS
  • Evaluation of security proofs
  • Verification of performance
  • Information requirements
  • Multi-factor authentication
  • Data return upon termination
  • Data deletion upon termination
  • Sharing of external cloud services

BSI C5 certification is decisive

The Open Telekom Cloud has a wealth of certifications to prove that it meets the BSI's requirements for public-sector customers. The decisive one here is the BSI C5 Type 2 attestation. In addition, the Open Telekom Cloud holds further certificates and attestations such as DIN ISO 27001, 27017 and 27018, and is listed at trusted-cloud.de with all current and audited certificates for German law. A complete list of existing certificates is available here. Through its commitments under StGB §203 and SGB §35, the Open Telekom Cloud is also suitable for processing social data and for use by professional secrecy holders. Some of the BSI requirements are reflected in the Open Telekom Cloud contracts as well, such as the return and deletion of customer data when the contractual relationship is terminated.

Open Telekom Cloud: Minimum standards included

The Open Telekom Cloud fulfils the minimum requirements of the BSI without any gaps. It is therefore a suitable cloud for all public-sector applications: data of categories 1, 2 and 4 can be processed with it as standard. This covers private, official, company and business secrets in accordance with German Criminal Code (StGB) §§ 203 and 353b, personal data in accordance with the General Data Protection Regulation (GDPR) Art. 4 No. 1, and other data. Only for category 3 data (classified information in accordance with the Classified Information Directive, VSA) are specific concepts beyond the standards of the Open Telekom Cloud required.
