BSI defines when a cloud is truly sovereign
The BSI has published criteria for cloud autonomy. They are intended to help assess the sovereignty of cloud services.
Whether the dependency on non-European cloud providers is too great, be it on hyperscalers like AWS and Azure or on Alibaba and Huawei Cloud, is not a new topic, but it has gained urgency since the beginning of Donald Trump's second term. This applies in particular to security-critical applications in public administration and to operators of critical infrastructures and services: the search for high-performance and independent solutions turns up many promises, but often little clarity about the criteria. Is a cloud solution sovereign if it is operated securely within the EU? If it is independent of the infrastructure of a US company? If it has no dependency on instances outside the EU? Technical IT security is one thing; technical sovereignty is a requirements profile that does not always coincide with it.
The narrower security properties of cloud services are already defined by the recently updated Cloud Computing Compliance Criteria Catalogue (C5). The proposal now presented by the Federal Office for Information Security (BSI) addresses the second term: with the “Criteria Enabling Cloud Computing Autonomy” (C3A), published today, the experts at the federal authority in Bonn want users to be able to check from the outset whether a service actually matches their respective sovereignty risk. The authority, which acts as the IT security service provider for the federal administration, has been following these discussions for many years. Above all, it wants to achieve one thing: “We are concerned with technically viable solutions that formulate concrete conditions,” says Thomas Caspers, Vice President of the BSI.
Interpreted less diplomatically: instead of debating a provider's independence politically at length, the authority wants to enter the discussion about the consequences of the Cloud and AI Development Act (CADA) with a concrete proposal. The EU Commission plans to present CADA on May 27; the member states and the European Parliament will then deliberate on it. Observers expect EU Vice-President Henna Virkkunen to set clearer criteria for cloud sovereignty with CADA, and the discussion and lobbying will only really begin once the project is presented in May.
Practical experience and EU criteria
The BSI builds, among other things, on six of the eight criteria that the Directorate-General DIGIT, which is actually responsible only for the EU Commission's own IT, defined last year, and refines them with broader experience. The French IT security authority ANSSI and the BSI in particular have extensive experience with various forms of dependency: in Germany, for example, with the SAP-Microsoft cooperation DelosCloud, with Stackit from Schwarz Digits or the T-Systems Sovereign Cloud in cooperation with Google, with the requirements for “Polizei 2020” (P20), or with Amazon's European Sovereign Cloud offering. In parallel, the authority subordinate to the French Prime Minister has tested a different path, in which French companies are always involved for public administration: for example, the arms manufacturer Thales with S3NS, which was certified in December under the French SecNumCloud requirements and is operated together with Google, or SAP on OVH hardware.
Precisely such experiences are now to become relevant for the future. That the BSI did not develop the C3A in a vacuum, but also talked to providers, is also evident from closely related assessment standards that the industry has developed itself. “Using the example of AWS European Sovereign Cloud, among others, we have seen how many mechanisms play a role in keeping a cloud operational,” explains Caspers. “However, you won't be able to operate such offerings completely decoupled for years to come.”
Criteria from Disconnect to Defense Case
In the C3A this takes the following form, for example: criterion SOV-4-09-C defines what must be guaranteed in the event of a disconnect, i.e. decoupling from the non-European operator's cloud. In essence, operation must continue without availability, integrity, authenticity, or confidentiality suffering. In addition, there must be a documented process for planning and executing the decoupling, and the operator must have tested it at least once a year and documented the test, including its results. Those who also want to meet the further criterion SOV-4-09-AC must share this documentation, on request, with the IT security authorities responsible at the data center's location.
The specifications are similarly concrete in legal terms, for example when it comes to providers not being subject to any non-EU jurisdiction, or to the question of where employees perform essential IT maintenance from. The criteria for selecting staff are likewise tiered: SOV-4-01-C1 requires that all employees with logical or physical access to the cloud service provider's operating resources hold EU citizenship and reside in the EU; SOV-4-01-C2 is stricter still: all such employees must not only be EU citizens but also reside in Germany.
This criterion is particularly relevant for high-security applications, for example for security authorities or the Bundeswehr, for which the BSI has no direct legal responsibility. The C3A nevertheless also contains audit criteria for the emergency case. What must be fulfilled in the case of defense, which is regulated by the Basic Law, is now also clearly defined: following the pattern of all emergency legislation, cloud service providers must be able to hand over operations to the federal authorities, “including the necessary materials and personnel”.
Potentially far-reaching effects
As was originally the case with the C5 catalog, which has since been made legally binding for health IT via the Social Code, the C3A is not directly binding. “The Criteria Enabling Cloud Computing Autonomy are not binding in themselves,” explains Caspers. “However, they can of course be declared minimum requirements within the framework of legislation or in tenders.” According to the Vice President of the Federal Office for Information Security, the C3A can nonetheless “become the benchmark for the federal administration.”
This is also due to the way the requirements interlock. “Federal agencies are obliged to implement the BSI's IT-Grundschutz,” explains Martin Bierwirth, Head of Cloud Security at the BSI. “If they use external cloud services, they must also apply and fulfill the OPS 2.2 module within this framework.” The minimum standard for the use of external cloud services (MST-NCD) also builds on this. The C3A, in turn, builds on the C5 and supplements its information security criteria with the topic of digital sovereignty. Anyone in Germany who must meet not only security but also sovereignty requirements will therefore hardly be able to avoid it in the foreseeable future. Whether the large hyperscalers can meet these criteria is likely to depend on the respective customer requirements, and on the pressure to choose sovereign solutions.
Depending on how the European discussion develops, the new criteria could also play a significant role beyond the Rhine and the Oder. Should such criteria be incorporated, via the EU's Cloud and AI Development Act, into the annexes of IT security laws such as NIS2 or the Cybersecurity Act, there would hardly be a way around the German proposal.
(dmk)