Azure Germany Gets C5 Attestation by BSI
The German Federal Office for Information Security (BSI) issued an attestation to the Microsoft’s cloud solution “Azure Germany”, according to the requirements specification “Cloud Computing Controls Catalog” (C5). Assessed were the services of the cloud platform Azure Germany and the data custodian model of the Microsoft’s German cloud.
In contrast to other security standards, the BSI catalog considers environmental parameters, like location of data, service provision, place of jurisdiction, existing certifications, and obligations of investigation or disclosure towards public authorities.
In a press release, BSI president Arne Schönbohm explained: “Issuing the attestation to Microsoft Azure Germany is another proof for the acceptance of the C5 catalog by the market. The cloud companies have recognized that IT-security is a sales argument, becoming more and more important for the users in order to meet the challenges of digital transfer.”
With its attestation according to the C5 catalog, BSI wants to help companies to evaluate, if their public cloud services comply with legal provisions and their own policies, or if they may be exposed to the treat of economic espionage. After Amazon Web Services, Box and Fabasoft, is Microsoft the fourth company that has gotten the attestation.
In addition to the C5, selected cloud services of Azure Germany were also tested according to security measures based on the Cloud Controls Matrix (CCM), designed by the Cloud Security Alliance (CSA). CSA is a neutral third party that is offering tools to cloud service providers, which help to implement security concepts and to perform safety assessments that are based on additional certifications.
With the Microsoft Cloud Germany, the US company provides corporate customers with public cloud services that are hosted in Frankfurt/Main and Magdeburg. The data custodian “T-Systems International GmbH” has the exclusive right to control access to customer data, if access has not been initiated by the customer himself or by end users of this customer.