French, European, and international legislation on data security and information systems is evolving rapidly. Organizations are increasingly vigilant about the compliance of the solutions they use, and about the legal risks involved. In 2022, the CNIL (National Commission on Informatics and Liberty) recorded 12,000 complaints and imposed fines totaling 101 million euros.
Beyond technological challenges, choosing a cloud provider is closely linked to these regulatory issues. Several standards, certifications, and labels help organizations gain clarity on the guarantees offered by providers. We introduce them in this article to help you choose the cloud provider best suited to your compliance needs.
Validating the security level of your cloud provider
Several French, European, and global labels can verify the level of security offered by various market cloud providers.
- The SecNumCloud qualification: The National Agency for the Security of Information Systems (ANSSI) awards the SecNumCloud qualification to cloud providers offering Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). To obtain it, providers undergo a rigorous evaluation process covering over 360 criteria. SecNumCloud is built upon international sector standards such as ISO 27001, ISO 27017, and ISO 27018, which set out security requirements. Its most recent iteration, version 3.2, introduces additional demands concerning service localization and provider nationality. These requirements are aimed at ensuring “immunity from non-community law”, such as:
  - Hosting data in France,
  - Managing services within a European country,
  - Being a European company, majority-owned by European stakeholders.
This new version of SecNumCloud will serve as the basis for the “Cloud of Trust” label.
Providers holding the SecNumCloud qualification demonstrate their competence in ensuring the confidentiality, integrity, and availability of customer information. They manage secure access well and demonstrate strong incident management skills. In essence, these providers offer unparalleled security to their clients. To discover which companies have already achieved this qualification or are currently pursuing it, you can refer to the ANSSI website.
- The Cloud of Trust label: As part of the national strategy presented in May 2021, ANSSI has also introduced the “Cloud of Trust” label. This label will indicate to both public and private entities which cloud services offer a satisfactory level of technical and legal security. It will only be granted to European entities that host their clients’ data within the European Union in accordance with the GDPR. By obtaining the “Cloud of Trust” label, a provider is exempt from any extraterritorial jurisdiction. The requirements for this label are based on SecNumCloud 3.2. It should be noted that non-European players are not completely excluded from consideration, especially given their technological advancements; however, they must adhere to the strict requirements set out in the updated version of the SecNumCloud standard mentioned above.
- The “Cloud at the Center” doctrine: This doctrine encourages large-scale adoption of cloud technology by administrations and designates it as the default infrastructure for any new digital initiative involving these public sector entities. It is not simply a label or requirement, but rather a set of 15 rules governing the behavior and practices of cloud providers chosen to work on government projects. A provider that demonstrates compliance with all these rules can be considered highly reliable in terms of security.
While embracing this doctrine, it is essential to prioritize the protection of sensitive data. To achieve this, such data should be stored either on internal clouds managed by state institutions like Nubo (General Directorate of Public Finances) and PI (Ministry of Interior), or on commercial clouds endorsed with qualifications such as SecNumCloud or labeled under Cloud of Trust. By adhering to these measures, public institutions can ensure optimal security for their valuable information while leveraging the benefits offered by cloud technology.
- The Gaia-X initiative: A private Franco-German initiative gathering around 350 digital companies, including founding member Orange, Gaia-X aims to offer a “catalog” of standards for building cloud services and to promote the creation of shared sectoral data spaces, helping clients easily identify trustworthy technology providers. Each participant commits to respecting the values of transparency, interoperability, sovereignty, security, data protection, reversibility, and portability. The initiative’s goal is to implement a Gaia-X label certifying providers’ compliance with these values. While non-European players are not excluded from participating in Gaia-X on principle, they cannot be part of its governance structure.
- The EUCS scheme for cloud services: the European Cyber Security Organisation Scheme for Cloud Services is a label, still under development by the European Security Agency (ENISA), that draws inspiration from existing certifications (such as SecNumCloud in France) to create a European certification framework for cloud service security.
- ISO/IEC standards 27001, 27017, 27018 and 27701: These ISO/IEC standards are certifications attesting to a cloud provider’s compliance with international standards regarding the security of cloud environments, personal data protection, and privacy.
  - The ISO/IEC 27001 standard, revised in 2013, establishes the list of requirements to follow when setting up an information security management system.
  - ISO 27017, published in 2015 and specifically dedicated to the cloud, provides guarantees regarding the technical, legal, and organizational safeguards put in place by providers.
  - ISO/IEC 27701, published in 2019, complements ISO/IEC 27001 with specific requirements regarding personal data protection.
- SOC certifications: SOC (Service Organization Controls) certifications, divided into SOC 1, SOC 2, and SOC 3, attest to the security and reliability of a company’s control systems: physical and data center security, data security, identity and access management, business continuity in the event of an incident, and so on. The criteria for these certifications are defined by the American Institute of Certified Public Accountants (AICPA), and the reports are issued by independent auditors.
Ensuring data security
Beyond the security level offered by cloud providers, several labels provide organizations with additional guarantees regarding the security and confidentiality of their data.
- HDS certification: Required in France since April 1, 2028, for cloud service providers wishing to host health data, this certification is issued by an organization approved by the Ministry of Health. It ensures that strict security measures are in place to protect sensitive health data. Two types of HDS certificate are available: one for physical infrastructure hosts and another for managed service hosts. The first covers physical sites and hardware infrastructure, while the second covers hosting platforms, software infrastructure, system administration and operation, and data backup.
- General Data Protection Regulation (GDPR):
The General Data Protection Regulation (GDPR) is a set of rules that oversees how organizations handle the personal data of individuals who are citizens of the European Union. Personal data refers to any information that can identify a specific person. In order to comply with GDPR, organizations must keep records of the personal data they hold on their customers, suppliers, employees, agents, etc. They must also document how they process this data and obtain consent from the individuals involved. If requested by these individuals, organizations are obligated to delete or return their personal data. The GDPR applies regardless of where the data is stored – whether it’s in a private cloud, public cloud or a dedicated data center.
Four years after its entry into application, in October 2022, the European Data Protection Board approved the first certification framework for GDPR compliance. This framework was designed to enable companies to have their level of GDPR compliance recognized by an independent third party trusted within the industry and the wider community. The goal was simple: to provide reassurance and credibility for businesses that take privacy rights seriously and demonstrate their commitment to protecting personal information under EU law.
- The C.L.O.U.D. Act: The Clarifying Lawful Overseas Use of Data Act is a United States law that enables American authorities, with a court order, to require a company offering electronic communication services to hand over data needed for criminal or terrorist investigations. It applies to all cloud providers that have operations in, or ties to, the United States. Importantly, the C.L.O.U.D. Act acknowledges that companies can contest requests from the authorities if they conflict with the laws of the country where the data is stored. Consequently, the GDPR provides a legal basis for challenging requests for data hosted within the European Union.
- The PCI DSS standard: this global standard is designed to prevent online fraud. It is issued to organizations that handle payment card data and certifies their adherence to stringent security measures for protecting this information.
- HIPAA standards: Similar to the HDS certification, the American HIPAA standards apply to companies hosting health data. They establish the rules to be followed regarding the security and confidentiality of that data.
Monitoring the quality of cloud technology
Beyond security measures, other standards and labels allow you to assess the quality of service offered by cloud providers. Internationally, we can mention, for instance:
- The ISO 20000-1 standard: This global standard offers a structure for organizations to guarantee efficient IT service management and embrace a culture of continual improvement. Each service undergoes internal testing and monitoring, as well as regular audits by certification bodies. By adhering to this standard, cloud providers demonstrate their dependability and commitment to delivering high-quality services.
- The ISO 9001 standard: This international standard establishes the requirements for a quality management system (QMS). It provides a framework for setting up an effective management system and for continuous quality improvement, and therefore allows clients to ensure that the cloud provider follows processes and procedures in line with international standards.
There are many designations, criteria, accreditations and rules for evaluating the reliability of cloud service providers in terms of their security measures and level of service. They will help you identify providers that comply with your company’s jurisdiction and can meet your industry-specific needs, as well as your desired level of performance.
Furthermore, Cloud Avenue boasts a 25% reduction in primary energy consumption compared to previous-generation solutions. This reduction is the result of a group-wide effort by Orange to optimize the environmental footprint of its products and services, achieved through lifecycle analysis of equipment, hardware, networks, and the buildings housing its data centers. Alongside the adoption of Cloud Avenue, a FinOps approach proves advantageous in finding the right balance between budget management, energy consumption, and the IT performance required for business operations.