As the security and sovereignty of the cloud stir debates in the EUCS project, SecNumCloud qualification remains a benchmark in selecting a highly secure cloud solution.
SecNumCloud: A Security Qualification
In 2016, the ANSSI (National Agency for Information System Security) developed the SecNumCloud security qualification. Its aim is to ensure a high level of security for both operators and clients in cloud computing.
Audit Categories and Requirements
To obtain SecNumCloud qualification, a cloud service provider must demonstrate compliance with the security standards listed in the framework. These standards are divided into 6 audit categories and encompass more than 350 requirements.
Among these are:
- The implementation of an information system security policy and risk management,
- The encryption of stored data,
- The identification, management, and compliance of third-party relationships,
- The management of digital and physical assets and identities,
- Incident management and business continuity guarantees.
This qualification thus attests to the certified provider's technical excellence, its organizational rigor, and its compliance with current regulations.
Once obtained, the SecNumCloud qualification is akin to a recommendation for the service’s use by the French state.
SecNumCloud at the Center of Debates on EUCS and the SREN Law
The new SREN law for the regulation of the digital space, adopted on April 10, 2024, aims in particular to counter the influence of American cloud giants. It could thus favor the choice of sovereign cloud providers, qualified as SecNumCloud.
Moreover, the removal of the sovereignty criterion from the proposed EUCS certification framework has caused outrage in many EU countries. France is advocating for the inclusion of SecNumCloud certification at the highest level of the EUCS certification.
Why choose a SecNumCloud-qualified operator?
Minimize security risks
A SecNumCloud-qualified cloud operator strives to ensure a high level of security for user data. This includes robust IT security policies and risk management practices, with particular attention to internal governance organization, the security of the human resources involved, data backup, and maintenance.
SecNumCloud qualification thus provides strong guarantees regarding business continuity and service availability.
Additionally, relationships with third parties are subject to strict and specific security measures. Indeed, the SecNumCloud operator must clearly identify all stakeholders and monitor changes in these relationships while ensuring the confidentiality of exchanged data. This helps to limit security breaches from external sources, particularly in the context of increasing supply chain attacks.
Enhancing Sovereignty
In its version 3.2, released in 2022, the SecNumCloud certification incorporated measures to protect against extraterritorial laws with lenient data protection standards, such as the Cloud Act. It ensures that citizens and businesses can be confident their data will never be transferred to third parties without prior agreement and legitimate reason, in compliance with GDPR. SecNumCloud thus preserves the sovereignty of the French cloud landscape and limits the risks of industrial espionage.
Recently, the Superior Digital and Postal Commission (CSNP) requested the extension of obligations for hosting sensitive data in a sovereign cloud to all public administrations, in accordance with the NIS 2 Directive.
TixeoPrivateCloud: Secure Videoconferencing in the SecNumCloud-Qualified Cloud
In critical sectors where data digitalization is extensive, cloud attacks disrupt business stability. Videoconferencing tools are not exempt, and their data must receive the highest level of protection against espionage.
To enhance data security, Tixeo hosts its videoconferencing solution in a private cloud operated by 3DS Outscale. SecNumCloud-qualified, 3DS Outscale provides cloud services in France through a French legal entity, free from international interference.
FAQ:
SecNumCloud is a security qualification issued by ANSSI, ensuring a high level of security for cloud services in compliance with strict standards.
Cloud service providers must comply with over 350 requirements, covering aspects such as information system security, data encryption, incident management, and business continuity.
Choosing a SecNumCloud-qualified provider minimizes security risks and ensures enhanced data protection, while also guaranteeing the digital sovereignty of organizations and their compliance with GDPR.
It includes protective measures against extraterritorial laws, ensuring that data is not transferred to third parties without prior consent and is hosted in France.
With a SecNumCloud-qualified solution, critical sectors such as defense and industry benefit from maximum protection against industrial espionage and from guaranteed availability and continuity of cloud services.