The SecNumCloud label is granted to cloud computing providers that fulfill a set of requirements, as determined by the French National Cybersecurity Agency (ANSSI). It is the fruit of a partnership between ANSSI, cloud service providers, and more recently the French data protection authority (CNIL). It takes into account the latest version of the GDPR, which entered into force on May 25, 2018.
SecNumCloud: what the standard covers
The standard relates to the following services:
- Software as a service (SaaS)
This refers to applications hosted by the provider on a shared platform. The provider seamlessly manages all the technical aspects requiring IT skills for the customer. The customer does not control the underlying technical infrastructure, but can adjust some of the parameters in the application.
- Platform as a service (PaaS)
This refers to application or data hosting platforms made available by the provider. The customer has no control over the underlying infrastructure, as the network, servers, operating system (OS), and storage are all managed by the provider.
However, the customer can control the applications used on this platform. The customer may also have control over some of the services provided by the platform or some configuration items, depending on the roles assigned within the service.
- Infrastructure as a service (IaaS)
This relates to abstract computer resources, such as CPU power, memory, and storage. The IaaS model allows the customer to outsource resources and potentially even virtualize them. The customer has control over the OS, storage, applications used, and certain network components (a firewall, for example).
How will the label benefit my business?
SecNumCloud ensures an optimal level of security and limits the effects of any incident for a business while storing or processing data. The label guarantees that good security and IT hygiene practices are adhered to, as described in a guide published by ANSSI.
According to the standard’s creators, a cloud services provider that is not qualified could increase a company’s or organization’s exposure to certain risks – in particular to confidential data leaks and to the compromise, loss, or unavailability of its IT system.
Although the qualification is based on the ISO 27001 standard, the security level demanded by SecNumCloud is far higher and requires firm, targeted measures to be implemented (e.g. WAF, SIEM, HSM, and OTP). ISO 27001 certification, covering a wide range of technologies, requires the necessary organization to be in place to provide security. The SecNumCloud qualification, dedicated to cloud computing, raises the bar for security to the highest level ever known in cloud computing.
Freeing yourself from the burden of security requirements
By choosing a qualified solution, you can rest assured that the security of your solution is guaranteed by a national cybersecurity agency. You free yourself from the burden of security requirements by entrusting them to a trusted partner, while benefiting from the highest level of security recognized in France today. You will be complying with ANSSI recommendations and using a solution tested and audited by independent bodies. You will also save time by not having to deal with compliance audits, since the solution has been certified by a national authority.