Security of sensitive information systems: ANSSI recommendations

The security of information systems (IS) is crucial to the protection of sensitive data, whether public or private. The French National Agency for Information Systems Security (ANSSI) has drawn up specific recommendations for hosting IS in the cloud, based on their sensitivity and the nature of the threats to which they are exposed. This article presents these recommendations and the criteria to be taken into account to ensure optimum security.

The tools needed to apply the recommendations

ANSSI's recommendations are based on three key elements:

  1. Types of cloud offerings
  2. Threat typology
  3. The nature of information systems

1. Types of cloud offerings according to ANSSI

The type of cloud offering is essential in determining the level of security required. Offers can be commercial (public, private, community) or non-commercial (internal, community).

Commercial cloud offers

  1. Public: This offering is pooled for all customers. It offers a high degree of flexibility and scalability, but may present risks in terms of data security and confidentiality due to the pooling of resources.
  2. Private: The private cloud offering is dedicated to a single entity, offering resources (processor, storage space) that are physically dedicated to the entity in question. This gives greater control over data security and management, but can be more expensive than shared solutions.
  3. Community: This type of cloud offering is deployed to meet the needs of a group of entities sharing common interests, whether state or private. Resources are pooled between members of the community, enabling costs to be shared and infrastructure use to be optimised.

Non-commercial cloud offers

  1. Internal: This type of offering is deployed internally within the infrastructure of the user entity. The operation and supervision of the infrastructure can be carried out by the entity itself or by a subcontractor. This approach enables the entity to benefit from the advantages of the cloud, such as flexibility and scalability, while retaining strict control over data security and management.
  2. Community: In certain specific cases, entities in the same business sector can pool their needs to create a community cloud infrastructure. This enables costs and resources to be shared while maintaining a certain level of control and security. Examples of this type of offering include initiatives such as Pi and Nubo.

2. Threat typology

Information systems can be exposed to different types of threats. ANSSI distinguishes three main categories of threat: strategic threats, systemic threats and hacktivist or isolated threats.

Strategic threat

Strategic threats take the form of persistent, targeted computer attacks, often financed by governments. These attacks use significant technical and organisational resources and are carried out with great discretion. These threats frequently aim to destabilise institutions or compromise national security, targeting critical infrastructures or strategic sectors.

Some countries may use extraterritorial laws or specific legislation to gain access to data hosted in the cloud without carrying out an attack. Hosting providers subject to these laws must pass on their customers' data to the authorities, often without any possibility of appeal or prior information for the customers concerned.

Systemic threat

Systemic threats can affect a large number of entities and mainly include the cybercrime threat, characterised by opportunistic and often lucrative computer attacks, such as ransomware and fraud.

These threats are also amplified by the growing availability of offensive tools and services marketed by private companies. These services can be used for economic intelligence, industrial espionage, or to enable certain states with limited resources to acquire offensive capabilities.

Hacktivist or isolated threat

Hacktivist or isolated threats are often motivated by political or social ideologies. Hacktivists seek to promote a cause or protest against specific actions by disrupting the information systems of their targets. Attacks can include website defacements, distributed denial of service (DDoS) or data leaks. Isolated threats, on the other hand, are often carried out by individuals or small groups with no affiliation to larger organisations.

Focus on SecNumCloud standards and qualifications

  • The SecNumCloud framework: ANSSI's SecNumCloud framework sets out security rules and best practices to guarantee a high level of security. SecNumCloud qualification ensures that cloud offerings comply with these requirements, from both a technical and operational point of view.
  • The SecNumCloud qualification: ANSSI awards this qualification to PaaS, IaaS or SaaS cloud offerings, ensuring confidence in the cloud offerings and operating practices of qualified operators. However, this qualification does not guarantee the security of the digital services that customers build on these offerings.
  • The "SecNumCloud" security visa: This visa enables users to identify cloud offerings designed to protect sensitive data and processing against cybercrime threats and extraterritorial laws. This qualification also facilitates the certification process for customers' digital services, offering them a certain level of guarantee on the underlying infrastructures.

3. The nature of information systems

The third key element of the ANSSI recommendations is the nature of the information systems concerned:

  1. Restricted Distribution (RD) information systems: These systems process data classified as restricted, requiring specific protection measures to prevent unauthorised disclosure.
  2. Sensitive information systems covered by the State's "cloud at the centre" doctrine: These systems, which are not SIIV, process sensitive data in accordance with the "cloud at the centre" circular, and require special attention to ensure their security.
  3. Sensitive information systems of operators of vital importance (OIV) and operators of essential services (OSE): Although they are not regulated in the same way as SIIV, these systems are considered sensitive because of the nature of the data they process, requiring enhanced protection measures.
  4. Vital information systems (SIIV): These systems are crucial to national security, the economy and the nation's ability to survive. An attack on their security or functioning could seriously compromise these aspects, representing a significant danger for the population.

Application of ANSSI recommendations

ANSSI defines the following recommendations for the four information systems presented above, depending on the sensitivity of the processing and data, as well as the level of the associated threat:

Sensitive RD-level IS

  • ANSSI recommends the use of SecNumCloud-qualified non-commercial cloud offerings (internal and community) as well as private commercial offerings. These options provide a dedicated infrastructure, reducing the risk of an attack spreading from one customer to another.
  • Commercial SecNumCloud-qualified cloud offerings, whether community or public, are also conceivable. However, they involve pooling IT resources between several customers (for example, storing data on the same physical resource or hosting websites on the same physical servers).

Hosting outsourcing

The decision to outsource hosting to a SecNumCloud-qualified commercial cloud offering must be taken by the entity concerned, based on a risk analysis demonstrating that the solution offers an adequate level of protection.

It is crucial to consider the location of the hosting and the nationality of the administrators when access to certain information is restricted by nationality (for example, Diffusion Restreinte - Special France information). In this case, a non-commercial cloud offering may be more appropriate to meet the requirements of IGI 1300.

Sensitive IS covered by the cloud doctrine at the centre of the State

  • In line with the State's "cloud at the centre" doctrine, these systems must be hosted exclusively in SecNumCloud-qualified cloud offerings (internal, private, community or public).

Sensitive IS of an operator of vital importance and sensitive IS of an operator of essential services (including essential information systems)

  • ANSSI recommends the use of any SecNumCloud-qualified offer for these systems.

Critical information systems (SIIV)

  • Because of the sensitivity of the processing and data they manage, SIIV require a reasoned decision from the head of the entity concerned.
  • For SIIV compatible with cloud technologies, ANSSI recommends SecNumCloud-qualified non-commercial (internal and community) and private commercial cloud offerings, which provide a dedicated infrastructure and minimise the risk of an attack spreading from one customer to another.

Conditions for other types of commercial cloud offers

ANSSI does not rule out the use of other types of commercial cloud offerings, provided that:

  • They are SecNumCloud qualified.
  • The head of the entity bases their decision on a well-founded risk analysis concerning the outsourcing of the hosting of the SIIV, and all the regulatory obligations applicable to SIIV are respected.