C5 Attestation: What It Is and Why It Matters for UCaaS Security

The need to extend real-time communication and collaboration technologies to employees and partners across broad geographic areas has sparked increased adoption of cloud-based Unified Communications-as-a-Service (UCaaS) solutions. Studies suggest that more than two-thirds of U.S. companies have moved significant portions of their communications infrastructure to the cloud.

UCaaS Can Increase the Potential for Cyberattacks

However, the transition to UCaaS can increase the potential for cyberattacks or unauthorized access to sensitive company information. The move from a private, on-premises network to cloud-based infrastructure requiring Internet connectivity greatly expands an organization’s attack surface. It’s why 70 percent of IT decision-makers in a new IDG study say security is the top challenge with UCaaS solutions hosted on hardware in a cloud provider’s data center.

To minimize risk, organizations must take the time to evaluate any cloud provider’s security practices. That can be a challenging endeavor given the vast number of cloud providers you may be considering. Depending on the type of services they offer, cloud providers may have widely different levels of security controls, such as identity federation, authorization, authentication, encryption, privilege management and disaster recovery.

Standards-Based Security

Government-backed security standards serve as valuable tools for vetting potential providers. Compliance with these standards proves that a cloud provider has met best-practice recommendations for securing cloud environments. This gives organizations greater confidence that the solutions they’re evaluating have been transparently and professionally checked for security by an independent third party.

One standard that carries a good deal of weight in the industry is the most recent version of the Cloud Computing Compliance Criteria Catalog, also referred to as C5. Developed by the German Federal Office for Information Security (BSI), C5 establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions.

First published in 2016 and updated in 2020 as C5:2020, the catalog is based on internationally recognized IT security standards such as ISO 27001, 27002 and 27017, the Cloud Security Alliance’s Cloud Controls Matrix, and the European Union’s Cybersecurity Act. It is one of the most comprehensive compliance criteria catalogs in the cloud services market, comprising 114 requirements across 17 separate areas, including basic cloud security policies, physical security, employee responsibilities, identity and access management, cryptography, incident management and business continuity.

The C5 Roadmap

The C5 criteria offer benefits to cloud providers and customers alike. Providers can use the catalog as a reference for establishing robust security policies and procedures, while customers can use it as a checklist for verifying the provider’s commitment to security. The C5 criteria also help define both provider and customer security obligations under the cloud’s shared responsibility model. In general, cloud providers are responsible for securing the cloud infrastructure while customers must protect their data and applications within the cloud.

The borderless nature of the cloud makes internationally accepted standards such as C5 increasingly important. It is not uncommon for providers and the customers they serve to operate in several countries. A C5 attestation report provides transparency about a provider’s security practices, which makes it easier for customers to evaluate providers across broad geographic boundaries.

Adopt Strategies to Mitigate Cybersecurity Risks

Migrating to a cloud-based communications solution can produce a number of operational, management and cost benefits, which is why analysts say UCaaS adoption rates will continue to rise over the next few years. However, there are clear risks with having key business communication applications in the cloud, so providers and customers should maintain a strong focus on cloud security. As you expand your cloud communications environment, call us to learn more about using international standards such as C5 to guide your efforts.