It is the most important certification in the area of public cloud computing: The C5 catalogue of requirements from the Federal Office for Information Security (BSI) certifies that cloud providers offer the maximum level of security. The Open Telekom Cloud fulfills all the requirements of this catalogue, according to the most recent certificate.
The requirements include the so-called environmental parameters: "They provide information on the data location, provision of services, place of jurisdiction, certifications and duties of investigation and disclosure towards government agencies and contain a system description," the BSI writes on its website. "The resulting transparency makes it possible for potential cloud customers to decide whether legal regulations (such as data protection), the customers’ own guidelines or also the threat scenario regarding industrial espionage make the use of the respective cloud service appear appropriate."
The BSI C5 is regarded as the de facto standard in the cloud industry. Many companies wishing to use public cloud services will make a BSI C5 certification a requirement when choosing their provider. To obtain the certificate, the Open Telekom Cloud had to provide evidence in 17 thematic areas ranging from the organization of information security to physical security.
In addition, with the certificate for BSI C5, the Open Telekom Cloud has also fulfilled the requirements of the US test protocol SOC 2. SOC stands for Service Organization Control. The certificate complies with the requirements of the American Institute of Certified Public Accountants (AICPA). It assesses service providers with regard to security, availability, processes, integrity, confidentiality and data protection.
The Open Telekom Cloud currently meets the SOC 2 Type 1 requirements, which means that auditors have checked the platform's design on the basis of guidelines or process descriptions. Next, Deutsche Telekom will strive for Type 2 certification. Cloud providers who receive a Type 2 certificate for their offering have demonstrated that the design of their product is efficiently and effectively implemented.
"Cloud providers that have been tested accordingly cannot rest on their laurels: Providers are only considered compliant with both the BSI C5 requirements catalogue and SOC 2 if they renew the corresponding proof at least every 12 months," says Daniel Fussy, IT security & privacy consultant at T-Systems. "We are proud that we have now reached BSI C5 and SOC 2 Type 1 certification with the Open Telekom Cloud. Now we are working hard to also attain SOC 2 Type 2 as soon as possible."