By Sylvain Blanchon (Director of Information Systems, Research and Development at Xelians)
Posted on Jul 8, 2021 at 9:43am. Updated Jul 8, 2021 at 9:44am.
Since the creation of the US Cloud Act, a solution like the Cloud of Trust label has been eagerly awaited in order to ensure the sovereignty of data for French citizens and companies. The government has been clear about France and Europe’s ability to offer viable alternatives to Gafam’s cloud solutions in the short term. So this label is practical and perfectly timed.
However, this solution does not appear to be sustainable for SaaS / PaaS, because the label will above all make it possible to render the software solutions of foreign publishers (mostly American) “Cloud Act-free”, for example by allowing French hosting providers to operate the foreign cloud solutions themselves, under license, in their own data centers. The data will thus not be subject to the Cloud Act (because the solution will be operated in France by a French company), but the solution will remain American.
In the long term, Europe must find a way to be competitive in PaaS and SaaS by allowing its own Gafam to emerge.
For users, this label is a guarantee of sovereignty added to the security level check provided by SecNumCloud. It is therefore very attractive for hosting the most sensitive data, such as state data, and also for private companies, which are asking for more and more guarantees at this level.
Like any label or certification, it is also an important marketing element for whoever receives it. It is only useful if it is recognized and requested. This is already the case with the state’s “cloud at the center” initiative, which requires this designation for hosting the sensitive data of departments. So this label will have value in the general market from its inception.
On the other hand, it is surprising that this designation is a French initiative and not a European one, as the Gaia-X project is, for example. However, it was clarified that this strategy must meet the requirements of Gaia-X. Further details are therefore needed to clarify France’s position regarding the European initiative.
But far from being the only one
However, this new label only adds the concept of sovereignty to SecNumCloud, the latter being what actually makes it possible to verify a high level of data security.
In any case, certifications are just one of the tools in your arsenal of defenses against risk. This designation will not exempt data owners from having to properly manage the security of their information systems, whether on-premises or in the cloud, by setting up a security management system, defining a security policy and, above all, ensuring that their services and data are maintained in secure conditions day to day.
Furthermore, there does not appear to be any European-level agreement or reversal regarding this designation at present, which may pose a problem for certain use cases.
All the more so since, as with ISO 27001, the label’s scope of application is a variable that is defined in advance and freely chosen. It does not necessarily apply to an entire company, and it will therefore be the customer’s responsibility to verify that the entire service they are subscribing to is covered by the label, or at least its essential parts. Today, we do not yet know whether this scope will have to be clearly communicated by cloud providers. If not, there is a risk of abuse.
What this really means for data storage professionals
It all depends on the level of maturity and certifications that these professionals already possess. For example, for already certified French companies, which have issues of sovereignty at the heart of their concerns and with data centers on French soil, obtaining this designation will “simply” involve ensuring that their security measures fully comply with the requirements. Moreover, as with any label, they will also have to ensure that it will actually be used and requested by their customers.
For a cloud operator, labels and certifications also entail many constraints (heavy document management, adaptation of organizations and processes, regular audits, monitoring of standards, etc.) and therefore costs, which will be passed on to customers in the final cost of the solution. We are therefore necessarily positioned at the high end, with products that have to set themselves apart from other, unlabeled solutions such as those of Gafam.
This designation has only just been announced; neither the reference documents nor the conditions for obtaining it are available yet. Even so, it should be very close to SecNumCloud and would in any case be very demanding, but entirely achievable for a serious cloud solutions provider that needs it.
Sylvain Blanchon is the Director of Information Systems and Research and Development at Xelians.