opinion | Trusted Cloud labels: finally better protection for users?

By Sylvain Planchon (Director of Information Systems and R&D at Xelians)

Published on Jul 8, 2021 at 9:43 am. Updated on Jul 8, 2021 at 9:44 am

Since the creation of the American Cloud Act, a solution like the Cloud of Trust label has been eagerly awaited to ensure the data sovereignty of French citizens and companies. The government has become clear about France and Europe’s ability to offer viable alternatives to Gafam’s Cloud solutions in the short term. This label is therefore pragmatic and perfectly suited to its time.

However, this solution does not seem sustainable in SaaS / PaaS, as this label will largely make it possible to make software solutions of foreign publishers (mainly American) “Cloud Act-free” by exemplifying the ability of French hosts to run licensed foreign cloud solutions directly in their own datacenters. The data will therefore not be subject to the Cloud Act (as it is operated in France by a French company) but the solution will remain American.

In the longer term, Europe must find a way to be competitive with PaaS and SaaS by allowing the emergence of its own Gafam.

For users, this label is a guarantee of sovereignty added to the security level verification provided by SecNumCloud. So it is very interesting for the maintenance of the most sensitive data, as in the State, but also for private companies, which are asking for more and more guarantees at this level.

Like any label or certification, it is also an important marketing element for those who earn it. Its usefulness only makes sense if it is recognized and demanded. Such is the case of the State’s “cloud at the center” initiative that imposes this brand for the safekeeping of administrations’ sensitive data. This label will therefore have value in the public market from its creation.

On the other hand, it is surprising that this label is a French initiative rather than a European one like the Gaia-X project, for example. However, it was clarified that this approach must meet the requirements of Gaia-X. Some details therefore need to be provided to clarify France’s position regarding the European initiative.

But far from being alone

However, this new label only brings the notion of sovereignty to SecNumCloud, making it possible for the latter to prove a high level of data security.

In any case, certifications are just one of the solutions available in the arsenal of defense against risks. This label will not exempt data owners from having proper security management of their information systems, whether internal or in the cloud, by setting up a security management system, specifying a security policy and above all by ensuring the day-to-day maintenance of their services and data in safe conditions.

Moreover, there does not seem to be any agreement or reflection at the European level in relation to this label so far, which could be problematic for some specific use cases.

Especially since, as for ISO 27001, the scope of application of the label is a priori variable and free. This does not necessarily apply to an entire company and therefore it will be the customer’s responsibility to verify that the entire service to which he or she has subscribed is covered by the label, or at least its essential parts. Now, we don’t yet know if this coverage should be explicitly communicated by cloud providers. Otherwise, there is a risk of abuse.

What does this really mean for data storage professionals?

It all depends on the level of maturity and certifications that these professionals already have. For example, for French certified companies, where questions about sovereignty are at the heart of their concerns and whose data centers are on French territory, getting this label “simply” consists of ensuring that their security measures exactly match the requirements. Moreover, like any label, they also need to make sure that it will actually be used and demanded by their customers.

For a cloud operator, labels and certifications also represent many constraints (heavy document management, adaptation of organizations and processes, regular audits, normative monitoring, etc.) and therefore costs that will be passed on to the final value of the solution proposed to customers. Therefore, we need to place ourselves among the top products that should be different from other unlabeled solutions such as Gafam.

The announcement of this label is recent; neither the reference documents nor the conditions for its acquisition are available yet. After all, it should be very close to SecNumCloud and will still be highly demanding, but highly achievable for a serious cloud solution provider who will need it.

Sylvain Planchon is Director of Information Systems and R&D at Xelians.
