HomeTechnologySecNumCloud: ANSSI adapts its repository to the trusted Cloud, what is changing?

SecNumCloud: ANSSI adapts its repository to the trusted Cloud, what is changing?

Remarks ? Participate!

SecNumCloud : l'ANSSI adapte son référentiel au Cloud de confiance, qu'est-ce qui change ?

Credits: Filograph / iStock

David Legrand

By David Legrand

Monday 18 October 2021 To 05 : 22

    After several months of waiting, the National Information Systems Security Agency (ANSSI) delivers the revised version of its reference system of requirements applicable to service providers. cloud computing (SecNumCloud) to adapt it to a “trusted cloud” and isolate it from extraterritorial laws.

    Last May, the Government unveiled its news “ cloud doctrine ”, putting IT e in the cloud “at the center” of the administration’s choices. It also allowed French players to distribute foreign services under license within the framework of the “Cloud of confidence”, giving guarantees for sensitive data.

      Cloud of confidence: behind the sovereign varnish, the foot in the door of the Americans

    • Cloud of confidence: for Guillaume Poupard (ANSSI), a political issue
    • Confidence cloud: ANSSI tries to marry the goat and the cabbage

      A label based for the most part on the SecNumCloud qualification of ANSSI and therefore its reference system which explains the rules to be followed in terms of organization, governance, access to infrastructures , management of subcontractors, etc. It validates the existence of precise and binding procedures, and is only allocated service by service, which explains why it has for the moment only very few candidate companies.

      OVHcloud, for example, obtained it for its Hosted Private Cloud provided from Roubaix and Strasbourg, but not yet for its public cloud. Its customers can choose this offer, but that does not qualify them as SecNumCloud. They too must apply for this certification independently.

      This is what Scalingo, a French PaaS provider based on the 3DS Outscale infrastructure, is doing, SecNumCloud. He himself is in the process of being qualified, which he hopes to obtain in 2021.

      The modifications made by the new cloud doctrine naturally modify the ANSSI reference system. The latter now specifies how a company can organize itself to place itself outside the reach of extraterritorial laws. In sight: the American Cloud Act, but also FISA or the Executive Order 2022.

      Result, a document of 22 pages (plus 3 pages of ‘annexes) which promises in particular a “ clarification of the requirements relating to protection against any non-Community regulation ”. It also incorporates some changes, such as the inclusion of CaaS (Container-as-a-Service).

      It is now the subject of a public call. to comments. Everyone can therefore send their observations, remarks and proposals “ until 15 November 2021, by email, to the address qualification [at] ssi.gouv.fr and using the reading sheet. ANSSI would like to thank in advance all those who will respond to this call for comments 12333 ”.

      SecNumCloud: the change is now