Why have we chosen to undertake the qualification process?
Against a backdrop of global outsourcing of information systems, French companies have gradually become aware of the value of information, and now see it as a key factor in business performance.
Data is a product of the values generated by sharing and exchange, and must be both confidential and available. Under the combined influence of regulations and the demands of their own customers, French companies are adopting different strategies for managing the security of their information assets, depending on the nature of their business processes.
Information systems architectures are gradually becoming hybrid, combining public cloud infrastructures, private cloud infrastructures and in-house hosting.
However, over the last two years, the boundaries between the use of public and private clouds have gradually disappeared, and comparisons of security levels between the two are now a matter for expert debate. The reality of protecting corporate information in a complex international context means that private infrastructure providers need to offer highly differentiated levels of security. This is a necessity for both providers and customers.
Cloud Temple (formerly Intrinsec) believes that providing the market with a private infrastructure offering based on the SecNumCloud benchmark, of industrial quality, is an essential part of its strategy. This is reinforced by the government's announcements of 17 May 2021 on France's cloud policy, sovereignty and trusted clouds.
Continuing the tradition the ISAE 3402 and ISO 27001.2013 processesCloud Temple has decided to create its Secure Temple offering, with the aim of becoming a benchmark on the French market for the implementation of the SecNumCloud repository.
How did Cloud Temple achieve its qualification?
A highly sponsored qualification at the highest level of Cloud Temple
The SecNumCloud qualification process has been a strategic priority, reflecting a strong commitment on the part of Cloud Temple's General Management. The SecNumCloud qualification process has been a major priority for Cloud Temple, involving investment of hundreds of thousands of euros over a 3-year period.
The entire Temple Cloud offering is going from strength to strength!
The provision of the Secure Temple qualified service is not just another service in the Cloud Temple catalogue. It's part of a drive to transform the entire Cloud Temple offering and make it more rigorous.
As part of its qualification drive, Cloud Temple has upgraded its entire architecture to comply with SecNumCloud requirements, rather than creating an 'enclave' that complies with SecNumCloud constraints. Cloud Temple wishes to offer all its customers the opportunity to migrate their operations to its Secure Temple offering, transparently and at a controlled cost, given the volume of its qualified operations.
Qualification as proof of in-house talent and skills at Cloud Temple
The Cloud Temple Security team, reporting to the Director of Cyber Security, Giuliano IPPOLITI has been actively involved in the qualification project. The CISO and his in-house IS team report directly to General Management. The efforts of the ISS team have been matched by the teams responsible for the production, administration, evolution and maintenance of the infrastructure, as well as the internal development teams, producing all the projects enabling the Secure Temple offering to function and differentiate itself.
For Cloud Temple, it is vital that skills are in-house at all stages of the think/design/build/run process, both in terms of infrastructure and software development. The Secure Temple service (specifically) and Cloud Temple's operations (generally) depend almost entirely on external development.
Cloud Temple and the government's "Cloud at the centre" doctrine
Announced on 17 May 2021 by Bruno LE MAIRE, Minister for the Economy and Finance, Amélie DE MONTCHALIN, Minister for Transformation and the Civil Service, and Cédric O, Secretary of State for the Digital Transition and Electronic Communications, France's doctrine is called "Cloud at the Centre".
One of the key points of this new policy is that the cloud is now the default hosting method for government digital projects.
France's cloud strategy for public administrations and private companies will be based on 3 pillars aimed at creating a "trusted cloud":
- The technical protection of data hosting through SecNumCloud qualification, and the legal protection against extraterritorial foreign laws (particularly American) through the requirement for data to be hosted in France and to be owned by European companies. In particular, these provisions protect against the recovery of European data by foreign entities.
- Access to the best cloud services available on the global market via a licensing mechanism enabling French businesses and government departments to use American solutions while protecting their sovereignty. The aim of this approach is to get companies on board, unlike previous attempts to create a sovereign cloud, which ended in failure.
- Consistency with cloud initiatives at European level, and in particular with the GAIA-X European strategy.
The clouds capable of responding to this doctrine and strategy will be exclusively :
- The State's internal cloud.
- Private cloud providers qualified by ANSSI as SecNumCloud "protect against any extraterritorial rules".
This policy will apply to all projects already underway by public authorities, which will have 12 months to comply once the "trusted cloud" offers are in place.
These announcements have strengthened Cloud Temple in its qualification process launched in 2019 and its approach consisting of a profound transformation of its operations applicable to its entire IaaS offering.
Cloud Temple also has its eye on Europe
The investments made and Cloud Temple's approach to SecNumCloud qualification are a guarantee of medium-term competitiveness on a European scale, in anticipation of EU certification schemes such as the European Cybersecurity Certification Scheme for Cloud Services.
This certification scheme is one of the basic elements of the harmonised cybersecurity certification framework at European level, as defined in the Cybersecurity Act and supported by ENISA. A draft of this scheme has already been published in early 2021 and consists of three levels of assurance: basic, substantial and high.
The high level is intended for more sensitive applications, such as government applications or applications handling particularly sensitive personal data. This level is designed for services that need to withstand confirmed attackers with significant resources. In particular, it includes elements of the SecNumCloud repository, as well as more advanced automation requirements.
The SecNumCloud repository will be strengthened to provide overall confidence in the solutions, both from a technical and operational point of view, as is already the case, but also to clarify matters relating to the legal security of cloud offerings [...] Check in particular the immunity of solutions to non-European rights. This is one of the pillars of the trusted cloud.
Finally, Guillaume Poupard also confirms that SecNumCloud will be phased out in favour of a European scheme, "the day we have a high-level evaluation scheme for cloud services on a European scale".
These prospects once again confirm Cloud Temple's commitment to ensuring that all its operations are rigorously, securely and rigorously compliant with SecNumCloud, and to making this a 'Business As Usual' culture within its teams and for its customers. Trust and sovereignty are not luxuries, they're basics!