Cloud migration has not slowed. It is being implemented across the board, including in the most sensitive industries, and the share of data and applications hosted in the Cloud keeps growing.
That said, the Cloud still provokes anxiety. In the seventh survey of the Club des Experts de la Sécurité de l’Information et du Numérique (CESIN), presented last January*, 48% of the ISSDs indicated that the main risk factor is the lack of control over the hosting provider’s subcontracting chain (*note to reader: 2022).
Critical data confidentiality – a national sovereignty issue
Against this background, tracking all sensitive data is of paramount importance.
There are four categorisation levels:
- Unclassified: applies exclusively to information that can circulate freely outside a given scope, without requiring special protection.
- Internal use: default level gathering information that can circulate freely within a given scope.
- Restricted Distribution: this is not a classification level, but rather a statement of protection. Its objective is to make the user aware of the need for discretion in handling the information.
- Secret: level for information whose disclosure to unauthorised persons could jeopardise the organisation’s strategic interests, its security and even its very existence.
Drawbacks of Restricted Distribution
The French Inter-ministerial Instruction No. 901/SGDSN/ANSSI (II 901) of 28 January 2015 sets out the objectives and minimum security measures to protect sensitive data, particularly with respect to Restricted Distribution (RD).
The roll-out of RD requires specific certification which is based on a review of residual risks. Stating that RD equipment is used is not sufficient to prove that a service is “RD-compliant”.
What’s more, a provider whose infrastructure has RD certification cannot pass on the related benefits to its customers. As the official certifying party, the company is solely responsible for defining the certification process for the context in question. Approval duration is determined by the official certifying party in question (from one to a maximum of three years, as the confidentiality value of information may change throughout its life cycle).
In an effort to support the affected administrations and organisations, the French National Cybersecurity Agency (ANSSI), has published a guidebook outlining the process for developing Information Systems (IS) likely to process information that is classified as for “restricted distribution”.
Frédéric Mecheti, Oodrive Information Security Officer, commented: “The practical deployment is difficult since there are 21 French legal articles and 190 measures that need to be introduced.
Above all, though, II 901 does not address the issue of RD data protection when hosted in a cloud, as this was far from widespread in 2015.”
The strengths of SecNumCloud certification
The protection of Cloud-hosted content has become an absolute must in a context of accelerated and increasingly advanced cyber-attacks. Kick-started as ‘SecureCloud’ in an experiment in 2015, the SecNumCloud standard seeks to foster the emergence of highly secure Cloud-based solutions.
By complying with the SecNumCloud standard’s requirements, the aim is to deliver a level of security that enables data storage and processing with minimal incident impact for customers and clients.
To ensure full compliance, Cloud computing companies must implement and strengthen multiple security features, be they physical, organisational or contractual. Oodrive became the first-ever qualified SecNumCloud player for all its private cloud offerings in January 2019. This is a testament to Oodrive’s long-standing commitment to security. To date, no other SaaS cloud service holds this qualification.
Is RD certification compatible with SecNumCloud qualification?
Let’s focus on a case in point: a large energy corporation that needs to protect RD data and provide Cloud infrastructure. As previously mentioned, the corporation will have to manage its own RD certification, factoring in the service provided by a third party, which must provide a number of guarantees.
Frédéric Mecheti added: “The process is simpler and faster if the corporation in question collaborates with a SecNumCloud certified service provider. This certification not only guarantees a fully-qualified SaaS service, but also processes, context and contracts, not forgetting service agreements”.
Thanks to SecNumCloud, customers enjoy a fully qualified, end-to-end service. All aspects are considered during the auditing phase, which simplifies the RD risk analysis.
Consolidating your IS security
The SecNumCloud qualification ensures the secure processing of RD data in the Cloud. However, companies must still step up their security policies to keep pace with developments in cyber threats.
In an endeavour to ensure more consistent cyber risk management rules across Europe, the draft European Digital Operational Resilience Act (DORA) regulation is being developed. With regard to IT risk management, the text will require entities to formalise the mapping of IT assets and related risks, as well as the governance put in place to manage cyber risk.