SecNumCloud is an initiative by the French National Cybersecurity Agency (ANSSI), aiming to improve protection for public authorities and Operators of Vital Importance (OVIs). The certification was launched following the adoption of the Military Planning Act (Loi de Programmation Militaire or LPM) in 2013. The idea was to create a label that demonstrated the high level of security met by cloud solution providers. Five years down the line, the requirements have been made even more stringent, and Oodrive is the first provider to obtain the gold standard in cloud security labels.
According to an analysis carried out by cybersecurity management firm Advens, SecNumCloud has managed to plug the gap by producing a security standard specifically for cloud players. With more and more companies turning to cloud services to tackle the problem of , it is vital to know whether their service provider is one they can trust, not least after the LPM highlighted the risks inherent in sharing data of national importance and what happens if a service provider goes down.
Initially known as Secure Cloud, the label seeks to set a high standard for security that must be reached by cloud service providers used by companies and government authorities.
No more fears about cloud security
Many businesses are still afraid to put their trust in the cloud, and security is usually the biggest factor. Outsourcing all or part of their infrastructure or data to an external data center managed by a third party is not a decision to be taken lightly. To help put their minds at ease, ANSSI created SecNumCloud – a label that guarantees strict standards and good practice in data security.
Following a public call for tender in September 2014, ANSSI chose nine cloud service providers to take part in a pilot period. “The label has been fine-tuned in response to what we learned during the pilot,” ANSSI announced. Over time, as legislation has evolved, SecNumCloud has been modified and refined. New requirements have been added since the GDPR entered into force. In collaboration with the French data protection authority (CNIL), ANSSI has continued to raise the bar on the level of data protection required in view of the needs of businesses, authorities, and associations.
In 2016, the label proposed having two levels of guarantee: SecNumCloud Essential and SecNumCloud Advanced. SecNumCloud Essential certified that ANSSI’s best security practices had been put in place – such as physical access control, strong authentication with password hashing and salting, software encryption, and data hosting in Europe. SecNumCloud Advanced took things up a notch and required multi-factor authentication, hardware encryption through a hardware security module (HSM), and hosting in France. But developments have since culminated in a single SecNumCloud standard to “make things easier for potential users and take the requirements that they have expressed into account, doing away with the need for an advanced level”. Nevertheless, the SecNumCloud Private Cloud solution by Oodrive still incorporates aspects of the Advanced level.
Inspired by the ISO 27001 standard
SecNumCloud is built on a solid foundation. The companies that helped to develop the new label were admittedly inspired by the ISO 27001 standard. “The good news is that the label is not so new that it will take a while to get to grips with it. It’s simply a matter of taking the requirements that have already been identified and adapting them to the specific context of the cloud,” declared Advens, which conducts a large number of compliance audits based on these kinds of certifications.
Better protection for OVIs
SecNumCloud will offer better protection against attacks on Operators of Vital Importance (OVIs), whose service providers must be certified to store their data. The label complements the 2013 Military Planning Act, which aims to strengthen national defense and security in France.
A mark of confidence with Oodrive
Oodrive – a pioneer of cloud computing in France – is pleased to have been certified with the label, demonstrating the firm’s expertise in protecting sensitive data. The group offers three private cloud solutions certified by ANSSI’s SecNumCloud label: iExtranet, PostFiles, and BoardNox.
Chief Information Security Officer and Data Protection Officer