The terms "Cloud Souverain" and "Cloud de Confiance" raise questions, and the difference is not necessarily obvious. In this complex and fast-changing environment, we're here to help you understand the difference.
Perhaps your company is considering the use of the Cloud de Confiance, or has already implemented a Cloud strategy? Whether in a private cloud or with American hyperscalers, it's important to know where the regulations stand and how to position yourself. To support our analysis, S3NSE and OVH shared their views on the subject at our Cercle des DSI event dedicated to Cloud Souverain.
Cloud Souverain and Cloud de Confiance, what's the difference?
Cloud Souverain is a type of cloud computing that meets the specific digital sovereignty requirements of a country or organization. It aims to guarantee the protection of sensitive data against intrusion and unauthorized access, particularly by foreign states. The idea of a sovereign cloud was born around 10 years ago, and has become a strategic issue for companies and government agencies handling sensitive data. The name is, however, associated with the failure of the Andromeda project in the early 2010s. The project that launched Cloudwatt and Numergy.
Then came the concept of Cloud de Confiance, aimed at extending the scope of the Cloud Souverain to include non-European solutions that meet a certain number of technical and legal security criteria.
What are the existing reference frameworks for the Cloud Souverain?
The sovereign cloud domain is governed by a number of reference frameworks that define security and compliance requirements. Here is an overview of the main standards in force:
ISO 27001: An international standard for information security, it provides a global framework for managing information security risks. It applies to all types of organization, and is not specifically focused on the cloud.
C5 et ENS: German and Spanish standards that complement ISO 27001 by focusing on data protection against non-European laws. They define specific requirements for the sovereign cloud, including data localization and operator nationality. Each European country now offers a more or less equivalent standard.
SecNumCloud: French standard for the security of sensitive data. Version 3.1 corresponds to C5 and ENS. Its version 3.2, now in force, also aims to protect against extraterritorial laws by guaranteeing that data is subject to French laws and regulations. It is mandatory for French administrations and organizations handling sensitive data. It is issued by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) after a rigorous evaluation of the service during a technical and legal audit.
EUCS: A European standard currently under development, it aims to harmonize sovereign cloud security requirements on a European scale. It should offer several levels of certification, based on existing standards. France wishes to include elements of sovereignty in this European regulation, which poses difficulties. In the absence of precise criteria, SecNumCloud could be preferred.
Market offerings for Cloud Souverain: where do we stand?
Identifying comparison criteria
|
Provider |
Certifications |
Service offerings |
Geographical availability |
|
AWS |
C5 & equivalent |
IaaS, PaaS (SaaS) |
Par pays |
|
Azure |
C5 & equivalent |
IaaS, PaaS, SaaS |
By country |
|
Bleu |
SecNumCLoud (25Q1) |
IaaS, PaaS, SaaS |
France |
|
GCP |
C5 & equivalent |
IaaS, PaaS, SaaS |
By country |
|
NumSpot |
SecNumCLoud |
IaaS, PaaS |
France |
|
Oodrive |
SecNumCLoud |
SaaS |
France |
|
Outscale |
SecNumCLoud |
IaaS |
France |
|
OVHcloud |
SecNumCLoud |
Datacenter expansion |
France |
|
OVHcloud |
SecNumCLoud (24Q4) |
IaaS, PaaS |
France |
|
S3NS |
C5 |
IaaS, PaaS, SaaS |
France, Netherlands |
|
S3NS |
SecNumCLoud (24Q4) |
IaaS, PaaS, SaaS |
France |
The full list of SecNumCloud 3.2 certified suppliers is available on the government website.
Witness 1: OVH, a major player in European cloud computing
OVH's continuous growth over the last few years is due to its competitive and innovative cloud services, as well as to the trust customers place in OVH's security and reliability.
OVH emphasizes its ability to scale its services, to offer standardized services and to rely on partners to meet its customers' specific needs, particularly in terms of business services.
OVH offers the sovereign repository of the country in which it operates. In most European countries, a standard similar to C5 applies. In practical terms, the audit system is based on SOC, which means that other useful standards can be passed at the same time, for example in finance. The number of certified services is lower in France than for other suppliers, because the ANSSI technical audit is particularly rigorous.
Witness 2: S3NS, a joint venture between Google and Thales
The aim is to set up the Google Cloud Platform (GCP) service offering on French soil, operated in France by S3NS, a company incorporated under French law. This project is in line with Google's strategic vision: to set up local offerings that meet the requirements of sovereignty and compliance with local laws. According to Google, the future of the cloud depends on the ability to adapt to these requirements.
The structure of the joint venture (61% European capital) is designed to minimize extra-territorial risks.
The offer is built around three pillars:
- A "Local Controls" offer, which enables the use of GCP services by outsourcing the management of security policies and certificates to S3NS. This offer is already available.
- A SecNumCloud 3.2 certified offering where GCP services are deployed and operated by S3NS in S3NS-owned datacenters. Applications built on GCP services can thus be implemented directly in SecNumCloud environments. This offer will be available in early 2025.
- Continuity of the offering, with three levels of confidentiality, from resale of GCP services, to local controls, to SecNumCloud. This offering enables the construction of services that take into account all corporate constraints.
The offering is committed to offering the same APIs as GCP, and to enabling customers to manage their encryption keys externally.
What are the challenges and prospects of the Cloud de Confiance?
The Cloud de Confiance is a response to the growing challenges of IT security and data protection. Two major challenges define it:
- Increased security guarantees: The Cloud de Confiance enables the implementation of enhanced security measures to protect sensitive data against cyber-attacks and foreign interference.
- Protection against extraterritorial laws: The Cloud de Confiance offers greater protection against extraterritorial laws, such as the U.S. CLOUD Act, which authorizes authorities to access data stored on foreign servers.
The questions that arise from these discussions concern trends and prospects. Sovereignty is a divisive issue in Europe today: France is the only country on the continent to defend itself against foreign interference.
At the same time, while European regulations are unlikely to become stricter in terms of the constraints imposed on B2B service providers, they are tending to impose an obligation of result in terms of consumer protection. This trend is particularly evident in regulations concerning artificial intelligence.
Finally, while the question of sovereignty must be analyzed in the light of foreign powers' capacity to interfere, that of trust is simply a question of perception and will. When this choice is based on a conscious analysis of the risks involved, sovereignty becomes secondary. As is often the case, knowing whom and under what conditions to trust, at European level, is an eminently political choice.
Addendum
Since the cercle des DSI, several events have marked the digital sovereignty news. First, on April 3, Reuters published an article based on a working draft of the EUCS, according to which this European regulation would abandon the idea of legal protection stemming from the French SecNumCloud standard.
On April 8, Guillaume Poupard, the former director of ANSSI who initiated SecNumCloud, published an analysis on LinkedIn stating that such a decision would mean assuming that Europe would no longer have digital sovereignty in the future. He has since been joined by a number of French manufacturers and by Cigref.
There are two opposing views on this subject. The first is based on the principle that regulations must impose sovereignty criteria for certain sensitive activities. The second is based on the pragmatic principle that hyperscalers have more to lose by obeying regulations that run counter to data protection.
In the meantime, Joe Biden has made up his mind: if Tiktok does not change shareholders by the end of the year, he intends to ban the Chinese service.
