In an ever-changing digital landscape, where data security has become a major issue, what criteria should be used to choose the most reliable cloud service providers? Here's a closer look at 4 essential labels for guaranteeing the security of information systems outsourced to the cloud.
SecNumCloud qualification
The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) awards the prestigious SecNumCloud qualification only to cloud service providers that meet the strictest security criteria. The ANSSI reference framework lists more than 700 technological, organisational and legal requirements. By granting its security approval, ANSSI certifies that the cloud service is designed and operated in such a way as to effectively protect information systems against cyber threats and foreign interference. Qualification of a cloud service by ANSSI is a long and demanding process, usually taking between 18 and 24 months. SecNumCloud is then awarded for a period of three years, with an annual surveillance audit.
For both private and public organisations, choosing a SecNumCloud qualified cloud guarantees best practice in:
- hosting sensitive data
- the security of data exchanges
- security risk management
- immunity from foreign extraterritorial laws
ℹ️ Although other European countries have their own national cloud security certifications (C5 in Germany and ENS in Spain), the SecNumCloud qualification is considered to be the most demanding in terms of operational isolation. SecNumCloud could therefore become the highest level of certification in EUCS, the future European certification scheme for cloud services.
HDS certification (health data hosting company)
HDS certification is designed to strengthen the protection of French people's health data and build an environment of trust around eHealth and patient monitoring. Implemented by the French Digital Health Agency (ANS), it applies to all public or private entities that host, operate or back up health data. This certification attests that the service provider is able to guarantee the security and confidentiality of health data in accordance with the ISO 27001 standard (see below) and the regulations in force, in particular the European General Data Protection Regulation (GDPR, or RGPD in French) and the French Data Protection Act (Loi Informatique et Libertés).
Depending on their area of activity, organisations and/or their hosting provider can obtain a certificate for one of two scopes:
- A "physical infrastructure hosting provider", for the provision of physical space and equipment to host customers' servers and hardware infrastructure.
- A "managed hosting provider" for the management/administration of virtual and software infrastructures, data administration/operations and outsourced data back-up.
ℹ️ An overhaul of the HDS reference framework is currently underway, which will strengthen sovereignty requirements in terms of data location and transparency regarding any transfers outside the European Union.
ISO 27001 certification
This international standard defines the requirements for establishing, implementing, maintaining and continuously improving an information security management system (ISMS) capable of ensuring the confidentiality, integrity and availability of information. Certification is granted after an audit conducted by an independent third party. Phase 1 of the audit assesses whether the organisation has put in place the prerequisites, such as ISMS documentation, an information security policy and a risk assessment, and identifies any gaps or areas requiring improvement. The more in-depth phase 2 audit assesses the effectiveness of the ISMS, in particular the implementation of security controls, risk management and information security management processes. ISO 27001 provides for 114 security controls.
Awarded for a period of three years, ISO 27001 certification is confirmed by annual surveillance audits.
ℹ️ Compliance with the ISO 27001 standard is seen as a foundation that serves as the basis for other standards, such as SecNumCloud or HDS.
The ISAE 3402 report
Created by the International Auditing and Assurance Standards Board (IAASB), ISAE 3402 is an international assurance standard designed for service providers (such as cloud service providers or data centres) who want to demonstrate to their customers the reliability of the internal security controls they have put in place. The standard results in an assurance report produced by an external auditor, whose assessment of the organisation's internal controls is tailored to the services the company provides.
ℹ️ ISAE 3402 reports come in two types:
- A Type I report, attesting that appropriate internal controls have been designed and implemented at a given date.
- A Type II report, attesting to the operational effectiveness of the internal controls, with an assessment carried out over a 12-month observation period.
- A standard provides specifications and criteria to be met in order to guarantee the quality, security, interoperability or other aspects of a product, service or system. Standards are drawn up by national or international standards bodies.
- Certification is based on an analysis of compliance with a reference framework and on penetration tests carried out by a third-party assessor at a given point in time.
- Qualification is even more demanding. Through an in-depth audit, it certifies that products comply with regulatory, technical and security requirements over the long term. Through the SecNumCloud security visa, ANSSI provides guarantees to cloud users.