The migration to the cloud is not a crisis. Not only does it affect all sectors, including the most sensitive, but the share of data and applications stored in the cloud continues to grow. Yet the cloud remains a subject that inspires anxiety.
For 51% of the CISOs surveyed in the recently released 8th edition of the CESIN (Club of Experts in Information and Digital Security) annual barometer, the primary concern raised by migration to the cloud has to do with the lack of control over the hosting provider’s subcontracting chain.
Confidentiality of critical data: an issue of national sovereignty
Against this background, it is crucially important to make a list of all your organization’s sensitive information.
Your data should be broken down into four categories:
- Unclassified: this applies only to information that can flow freely outside a perimeter and does not require special protection.
- Internal use: this is the default categorization for information that can circulate freely within a given perimeter.
- Restricted distribution: this is not a classification level, but a protection label. It is designed to make the user aware of the discretion that should be exercised in handling the information contained in the document.
- Secret: this level is reserved for information whose disclosure to unauthorized persons could harm the organization’s strategic interests, its security, or even its very existence.
The limits of restricted distribution
French interministerial instruction no. 901/SGDSN/ANSSI (II 901) of January 28, 2015, defines the objectives and minimum security measures relating to the protection of sensitive information, particularly information in the Restricted Distribution category.
Applying the Restricted Distribution label to a document requires an ad hoc approval process that includes an analysis of the residual risks.
Simply indicating that content is for Restricted Distribution is not, in itself, a sufficient measure to affirm that a service is “Restricted Distribution compliant”.
Moreover, a service provider whose infrastructure is accredited for Restricted Distribution cannot pass that accreditation on to its clients.
It is up to the client company, acting as the certifying authority, to set out the accreditation process for the context in question.
The duration of that accreditation is determined by the certifying authority (from one to a maximum of three years, as the confidentiality value of information may change throughout its life cycle).
With a view to assisting affected administrations and organizations, the French Network and Information Security Agency (ANSSI) has published a guide that explains in detail how to construct Information Systems (IS) that can handle information bearing the “Restricted Distribution” label.
The implementation process is not straightforward, comprising 21 articles and some 190 measures!
Most importantly, the instruction written in 2015 does not address the issue of protecting “Restricted Distribution” data hosted in a cloud, as that practice was far from widespread at that time.
The benefits of the SecNumCloud accreditation
With the increase in sophisticated cyberattacks, it has become essential to protect content hosted in the cloud.
Initiated with an experimental phase in 2015 under the name SecureCloud, the SecNumCloud repository aims to foster the emergence of highly secure cloud service offers.
Compliance with the requirements of the SecNumCloud repository aims to achieve a level of security allowing the storage and processing of data for which a security incident would result in limited consequences for the client.
To meet the requirements of that standard, cloud computing service providers must implement and reinforce myriad security features, including measures that address physical, organizational, and contractual security.
In January 2019, Oodrive became the first SecNumCloud-accredited service provider for all its private cloud service offers.
That accreditation was awarded in recognition of a quality and safety approach undertaken over many years. No SaaS cloud service other than Oodrive is currently formally approved to perform that role.
Are the Restricted Distribution certification and the SecNumCloud accreditation compatible?
Consider a large energy company that needs to protect Restricted Distribution data and to have a cloud infrastructure. As mentioned above, it will have to manage its own Restricted Distribution certification, which must take into account any third-party service provider, and that provider must produce a number of guarantees.
For that large energy company, the process is simpler and faster if it uses a SecNumCloud-accredited service provider.
That accreditation guarantees that not only the SaaS service but also the processes, context, contracts, and service agreements are certified.
With SecNumCloud, the client receives an accredited service that has been verified from end to end. All aspects are covered during the audit. This approach allows for leaner Restricted Distribution risk analysis.
Reinforcing the security of your organization’s IS
The SecNumCloud accreditation ensures the secure processing of Restricted Distribution data in the cloud. But companies need to strengthen their security policies to keep up with changing digital threats.
To ensure greater harmonization of cyber risk management rules in Europe, the draft European regulation DORA (Digital Operational Resilience Act) is being developed. In terms of IT risk management, the text will require entities to formalize maps of IT assets and associated risks, as well as governance adapted to cyber risk management.