ANSSI has adapted its SecNumCloud standard to the trusted cloud: what has changed? The new framework is armed against non-EU laws


Work on updating the SecNumCloud standard is complete. Last week the National Information Systems Security Agency (ANSSI) published the new version (3.2.a) of its set of requirements applicable to cloud computing providers seeking SecNumCloud qualification. The publication takes the form of a call for comments, open until November 15, 2021.

ANSSI tightens the SecNumCloud qualification standard

SecNumCloud is a security qualification set up by ANSSI for cloud operators offering PaaS (Platform as a Service), IaaS (Infrastructure as a Service) or SaaS (Software as a Service) services. ANSSI explained that the goal is to offer a centralized approach rather than let client companies negotiate their security requirements with each service provider. To obtain the SecNumCloud qualification, a service provider must prove that its service follows the best practices listed in the standard. Its compliance is verified by audit providers that are themselves approved by ANSSI.

OVHcloud, the French cloud computing service provider, earned the SecNumCloud qualification in January for its “Hosted Private Cloud” offer. Following ANSSI’s recommendations, OVHcloud implemented strengthened physical, organizational and contractual security procedures for this offer, which are guaranteed to the end customer. The Hosted Private Cloud offer already came with data sovereignty guarantees, to which the SecNumCloud Security Visa has now been added, making it suitable for hosting organizations’ sensitive data, such as health data, financial data, etc.

The first official version of SecNumCloud was launched in 2016. SecNumCloud is an evolution of the Secure Cloud label introduced by ANSSI in 2014. The label is based on the ISO 27001 standard, which defines requirements and best practices for information security management, and adds further requirements specific to cloud providers. SecNumCloud was revised in 2018 to become version 3.1; that revision also allowed ANSSI to bring it into line with the GDPR (General Data Protection Regulation). Version 3.1 is the version currently in use.

Version 3.2 of the framework is now available online and brings a number of changes, including guidance on how a company can organize itself to put itself out of reach of extraterritorial laws such as the American Cloud Act, FISA or Executive Order 12333. The new version is a 53-page document (with 3 pages of appendices) that also covers CaaS (Container as a Service). It is open for comment until November 15, 2021; comments and proposals are to be sent by email to “qualification@ssi.gouv.fr”.

The standard shields itself from non-EU laws

Among the changes made to the standard, several sections (primarily the new paragraph 19.6) spell out the legal protections that companies wishing to obtain the SecNumCloud qualification must guarantee. A new section entitled “Immunity to non-Community law” specifies that the registered office of the service provider must be established in an EU Member State. Similarly, the text specifies that the company’s shareholders must respect certain rules, in order to prevent companies outside the EU from holding too many votes on the board of directors.

The registered office, central administration or principal establishment of the service provider must be established in an EU Member State. The share capital and voting rights in the service provider’s company must not, directly or indirectly, be held individually at more than 24%, or collectively at more than 39%, by third-party entities whose registered office, central administration or principal establishment is in a non-EU state, the document says. Additionally, service providers outside the EU are prohibited from accessing the data processed by the service.

Data is understood here in the broadest sense, including all technical data (infrastructure logs, directories, certificates, access configuration). The service provided by the service provider must respect the applicable law on fundamental rights and the values of the Union relating to respect for human dignity, liberty, equality, democracy and the rule of law, the document states. In addition, ANSSI has added a new section to the standard on risk assessment. It now imposes two obligations on the service provider.

First, it must list, in a dedicated document, the residual risks associated with the existence of extraterritorial laws aimed at collecting clients’ data or metadata without their prior consent. Second, it must make available to the client, on request, the elements needed to assess the risks associated with the client’s data being subject to the law of a state that is not a member of the European Union.

Version 3.2 contains other major changes

SecNumCloud will in fact serve as the basis for the “Cloud of Trust” label, under which French operators may offer the services of American players such as Google or Microsoft, provided the infrastructure is operated in the EU by companies governed by European law. The issue of non-EU law is not a new concern for those in charge, but it is back in the foreground with the advent of the “Cloud of Trust” label and the emergence of European cloud certification programs.

Behind this concern lie legislative instruments such as the Cloud Act, which allows the American administration to access data held by American companies or stored on American soil. The changes made to the standard also take into account new uses, chiefly CaaS (Container as a Service) services.

These services provide execution environments that enable containers to be deployed and configured, and they come in addition to SaaS, PaaS and IaaS services. The new document also makes changes regarding the security of human resources, strengthening the verification of staff information.

A European certification program

SecNumCloud is extending its rules to take this new scenario into account and protect user data, so as to allow French companies to offer a “trusted cloud” that draws on American players such as Google or Microsoft. While the picture is becoming clearer on the French side, the matter has not yet been settled at the European level. Within the EU, the adoption of the cybersecurity act has paved the way for the European certification program that many players have called for.

However, the Union’s member states have not yet agreed on a European equivalent of SecNumCloud. ANSSI is not deterred by this. “For vital services and data, only European law applies, not any other law. If we cannot achieve that, it will be completely pointless to talk about European sovereignty,” said ANSSI Director General Guillaume Poupard.

Source: SecNumCloud version 3.2.a (PDF)
