SecNumCloud Qualification by ANSSI: The Ultimate Guide

February 12, 2024 - 10 min read

The growing trend of businesses migrating to the cloud combined with an exponential increase in cybersecurity risks has placed the subject of cloud security at the center of public debates in France.

To address these concerns, the SecNumCloud initiative, drawn up by the French National Cybersecurity Agency (ANSSI), stands out as a reference. Distinguishing cloud providers that adhere to the strictest security standards, the SecNumCloud qualification currently represents the highest French standard in this regard.

At Scalingo, our teams are actively working on securing this qualification, with the aim of becoming the first SecNumCloud qualified Platform as a Service (PaaS)! As we are thoroughly examining all the available documents and articles out there, including the full "SecNumCloud Repository," we thought we would provide you with a summary of the essential information.

What is the SecNumCloud qualification?

SecNumCloud is a French security qualification developed by the French National Cybersecurity Agency (ANSSI), aiming to ensure the robustness of cloud solutions in the face of an increase in cyberattacks.

The SecNumCloud label holds a central spot in the French cloud ecosystem, and is awarded to cloud service providers that adhere to the highest security standards. These standards are detailed in what is called the "SecNumCloud repository", which we'll delve into shortly.

The SecNumCloud qualification is issued as a visa and is valid for a renewable period of three years.

❗ It's important to clarify that SecNumCloud is considered a qualification rather than a certification, as is sometimes misconstrued. The distinction between these terms is carefully regulated. While a company can receive a "certification" within a specific scope, it's more accurate to describe a service as being "qualified."

What is the ANSSI?

The National Cybersecurity Agency (ANSSI), established in 2009, operates as a French government agency. Positioned under the authority of the General Secretariat for Defense and National Security (SGDSN), it plays a pivotal role in safeguarding critical and sensitive infrastructures against cyber threats, and is often referred to as "the gendarme of the French internet."

Beyond its reactive role in incident management, ANSSI is actively involved in awareness and prevention initiatives. It develops reference frameworks, standards, and certifications, with the SecNumCloud qualification being a product of these efforts.

Which cloud providers are eligible for the qualification?

Any cloud service provider eager to demonstrate compliance with the SecNumCloud security standards can apply for assessment through the qualification process facilitated by ANSSI. This includes:

  • PaaS (Platform as a Service) providers: Like Scalingo 🙌, these offer platforms for developers to effortlessly create, host, and deploy applications without the hassle of managing the underlying infrastructure. (If you haven't experienced the convenience of PaaS yet, give it a try and deploy your first app in minutes!)

  • IaaS (Infrastructure as a Service) providers: These provide developers with access to computing resources such as servers, virtual machines, storage, and networks, without the need to physically manage these infrastructures.

  • SaaS (Software as a Service) providers: They grant end-users access to applications without requiring installation and local maintenance of software on their devices.

  • CaaS (Container as a Service) providers: These platforms specialize in managing, deploying, and orchestrating containers.

The SecNumCloud qualification scope is service-specific and depends on the type of service offered by the provider. Therefore, the evaluation process for a PaaS differs from that of a CaaS, for example. 🤯

[Figure: Difference between IaaS, PaaS & SaaS. Image source: Red Hat]

What's the purpose of this label and why was it created?

To grasp the rationale behind it, let's go back a few years.

The SecNumCloud qualification came into existence in 2013, spurred by the enactment of the "Military Programming Law." If you're curious, you can delve into its contents here, although it's not crucial for the explanation that follows.

Discussions surrounding this law brought to light the risks associated with the French government and public services sharing sensitive data, especially in the event of a cloud service provider failure.

The SecNumCloud qualification then emerged as the ultimate solution to audit and guarantee a high level of security for the cloud solution providers used by public administrations and "Operators of Vital Importance."

🤓 For those wondering, "Operators of Vital Importance" are organizations identified by the French government as having activities essential to the survival of the nation or potentially dangerous to the population. There are about 250 in France, but for national security reasons, the list is not public, and these companies are prohibited from disclosing their status.

Fast forward ten years, and cloud usage has become ubiquitous. A diverse array of companies, both public and private, are now seeking this qualification. This includes players in finance, healthcare, energy, and defense managing critical projects or particularly sensitive data.

What are the prerequisites for applying for SecNumCloud qualification?

The ANSSI doesn't explicitly lay out prerequisites, but to streamline the process, it's recommended to check and confirm, at the very least, the following points:

  • Have your headquarters in France or Europe (with some specific cases of countries having mutual recognition agreements with France, so be sure to check if necessary).

  • Ensure that no more than 24% (individually) and 39% (collectively) of your share capital or voting rights are held by one or more companies based outside the European Union. This is often referred to as maintaining 'sovereignty.'

  • Strictly adhere to all existing data protection regulations and be able to demonstrate compliance.

  • Ideally, already possess the ISO 27001 certification, as the SecNumCloud reference is partially based on Annex A of this standard.

  • Have implemented a reliable Business Continuity Management System (BCMS) to oversee your Business Continuity Plan (BCP).

  • Have successfully deployed a Security Information and Event Management (SIEM) tool.

What does the SecNumCloud repository contain?

🤿 It’s time to dive into the specifics.

First and foremost, it's important to understand that the SecNumCloud repository continually evolves to stay abreast of the latest technological advancements and emerging threats. It ensures ongoing and updated protection of cloud services, and encompasses technical, operational, and legal standards. Over time, it has become increasingly 'protectionist' regarding data concerning non-European law.

As of its latest version, 3.2, the repository encompasses over 360 requirements, organized across 14 security themes, which include:

  • Information security and risk management: This involves implementing a stringent information security policy within the company, clear documentation of risks and associated commitments, and compliance with the highest level of the IT hygiene guide by ANSSI.

  • Cryptography: This entails implementing robust encryption mechanisms for stored data, passwords, and network flows, using electronic signatures, managing cryptographic secrets rigorously, and exclusively employing EU-approved cryptographic tools.

  • Incident management linked to information security: This requires exhaustive documentation and the strict application of a procedure enabling rapid and effective responses to security incidents.

  • Business continuity: This includes implementing strict procedures to ensure business continuity, maintaining or restoring service operation, and guaranteeing information availability in the event of an incident. It also necessitates providing a reliable data backup service.

  • Compliance: This involves identifying and continuously adhering (with justification) to all existing legal and contractual requirements, particularly regarding personal data protection. It also mandates organizing regular audits after the initial assessment.

We'll stop here to avoid getting lost in the details, but feel free to check the full SecNumCloud repository directly at the following link if you want to know more: SecNumCloud Repository

What are the key changes in the SecNumCloud 3.2 framework compared to previous versions?

The 3.2 version of ANSSI's SecNumCloud framework, launched in March 2022, introduces several significant updates and additions.

Among the major developments is a clearer definition of the 'service composition' concept, simplifying the qualification process for providers leveraging pre-qualified components or services. For instance, if a PaaS is built on an already qualified IaaS solution (as Scalingo is!), the focus shifts solely to the PaaS component and its interactions with the IaaS. No need to qualify the entire data processing chain up to the data center!

Another notable aspect is the inclusion of new requirements for specific categories of cloud services, such as Container as a Service (CaaS).

However, the most substantial change comes with the addition of specific protection criteria concerning non-European laws, particularly FISA (Foreign Intelligence Surveillance Act) and the Cloud Act. These are viewed as potential threats to the security of European data.

These new requirements aim to fortify the resilience of cloud service providers against U.S. legislative frameworks often perceived as risks to data privacy. Version 3.2 underscores the importance of avoiding submission to laws outside the European Union, emphasizing the necessity for a secure and sovereign approach in processing cloud data.

🤓 It is with this 3.2 version of SecNumCloud and the intent to no longer be subject to non-European laws that the "Cloud de Confiance" (Trusted Cloud) label was created, in 2022, by Bruno Le Maire. But let's not get sidetracked; we'll take the time to craft a comprehensive article on this topic soon.

Is getting the SecNumCloud qualification an easy process?

Is SecNumCloud just a casual 'courtesy qualification,' as it's sometimes labeled?

As you've probably gathered from reading this article, navigating the SecNumCloud framework is an incredibly intricate task, and cloud providers who have ventured through the process unanimously attest to its exceptional complexity (not to mention the associated costs!).

The multitude of rules and standards to adhere to and document makes SecNumCloud the most stringent qualification in Europe to date. In contrast, the German (C5) and Spanish (ENS) equivalents are notably more accessible.

Our CEO, Yann Klis, often underscores this complexity by drawing a comparison between the ISO 27001 certification (which we achieved in 2022) and the SecNumCloud qualification. In his words: 'If the complexity level to obtain ISO 27001 certification was a 1, achieving SecNumCloud qualification would be a 10.' This perspective certainly prepares us for the challenging qualification journey ahead.

The efforts and investments required, from certifications to licenses and a qualified workforce, are also substantial. However, this doesn't dampen our determination to become the first French PaaS qualified under SecNumCloud!

Four steps to Get the SecNumCloud Qualification

Getting the SecNumCloud qualification involves navigating a process known as "qualification." Far from a simple journey, it includes several rigorous steps, referred to as 'milestones' or "jalons" in French, ensuring strict compliance with the security standards set by ANSSI. Here's a general overview of the process:

📁 J0: Application Submission - The J0 milestone marks the beginning of the qualification process. The provider submits its application to the ANSSI, which reviews it for validation of eligibility. Only after this validation does the provider appear on the list of entities undergoing qualification.

🕵️‍♀️ J1: Definition of the Evaluation Process - Following the acceptance of the application by the ANSSI, the provider collaborates with the evaluation center in charge of the audit to devise an evaluation strategy aligned with the products and services offered. This is the J1 milestone.

🛠️ Operational Phases - Between J1 and J2, several crucial intermediary steps, known as "operational phases", take place. These include:

  • Initial Audit: The first audit assesses the conformity of the infrastructure and security procedures with the required standards. This may involve reviewing security policies, existing access control measures, encryption mechanisms, etc.

  • Security Upgrades: Based on the results of the initial audit, recommendations are made to enhance the infrastructure's security. The evaluated provider must then implement necessary upgrades to comply with the standards.

🤺 J2: Final Audit - Once these upgrades are in place, it's time for milestone 2, where a final audit is conducted to verify that all security requirements are now correctly implemented. This step is crucial to ensuring total compliance!

J3: Validation by ANSSI - The audit results are submitted to ANSSI for validation. The agency evaluates the provided information and makes the final decision on granting the SecNumCloud Visa or not. If all goes well, a formal announcement is then made on the ANSSI website. This is milestone 3!

Maintaining Compliance - Getting the SecNumCloud qualification is just the start. You then have to consistently make sure you continue to comply with the SecNumCloud standards. An annual audit is also required. And remember, even with these continuous checkups and audits, the SecNumCloud qualification is only valid for 3 years, with the renewal process following the same four milestones described above!

Is Government Assistance Available?

The French government recognizes that the process of obtaining the SecNumCloud Visa can be demanding and costly, particularly for startups and SMEs, and has introduced a support program for businesses.

With a budget of 3.5 million euros, this program is part of France's "Cloud Strategy for 2030". The initiative aims to remove obstacles for startups and SMEs by providing support throughout the preparation for qualification.

This includes an initial audit to assess the company's maturity level, consulting services (developing a growth plan and preparing for qualification), as well as financial support for the qualification itself. The access portal to this program, launched on December 22, 2022, is managed by Bpifrance in collaboration with ANSSI and the Directorate General for Enterprises (DGE).

Startups and SMEs have been able to benefit from this support since February 15, 2023, with an initial focus on those aiming to commercialize a SecNumCloud-qualified offering within the next two years.

Are Any PaaS Providers Currently SecNumCloud-Qualified?

At this point in time, no Platform as a Service (PaaS) provider has secured the SecNumCloud qualification. However, if you think you've seen Scalingo associated with this label before, you're not mistaken... Let us clarify:

To put things simply, Scalingo currently holds two certifications: the ISO 27001 certification, assessing the efficacy of our organization's overall security system, and the HDS (Health Data Hosting) certification, ensuring our capability to securely host personal health data. Concurrently, we are actively engaged in the process of obtaining our own SecNumCloud qualification.

However, our infrastructure provider, Outscale, already gives us access to an Infrastructure as a Service (IaaS) that is SecNumCloud-qualified: specifically, the second region we offer to our users, known as osc-secnum-fr1. This means that even though Scalingo is not currently SecNumCloud-qualified, all our services can be delivered on an IaaS that holds the SecNumCloud qualification.

This option is currently used by many of our clients in the public sector and those operating in the healthcare industry.

When Will Scalingo get Its own Qualification?

Here at Scalingo, our teams are actively working on preparing our application, though due to the extensive and complex nature of the process, we can't pinpoint a specific date for now.

In the meantime, our HDS and ISO 27001 certifications already affirm our continuous dedication to data protection, extending even to the most sensitive information like health data.

Why Do We Want Our Own SecNumCloud Qualification?

Our ambition to achieve SecNumCloud qualification is part of a broader initiative to strengthen our clients' trust and guarantee a high level of security for all data hosted on our platform.

For us, this goes beyond mere compliance; it represents our dedication to ensuring optimal security for our users' data, whether it's sensitive or not.

This qualification would also open up opportunities for us in projects within highly sensitive sectors such as defense, where data protection is crucial, and SecNumCloud qualification is a prerequisite.

Will the SecNumCloud Qualification Become Obsolete in the Face of the Future European Certification 'EUCS'?

In the long run, it's possible that the EUCS (European Cybersecurity Certification Scheme for Cloud Services) may replace all current European qualifications, including the French "SecNumCloud" and "Cloud de Confiance." However, this doesn't mean that getting the SecNumCloud visa no longer makes sense; quite the opposite!

Since 2019, France has been actively engaged in the development of a European certification, and the SecNumCloud framework serves as a reference for the highest level of the EUCS qualification.

In essence, it is likely that companies will one day shift towards EUCS, and those that have already secured their SecNumCloud qualification would then have a significant head start.

Where can I find a List of SecNumCloud-Qualified Cloud Providers?

You can explore the complete list of currently SecNumCloud-qualified providers on the official government website at the following address: https://cyber.gouv.fr/produits-services-qualifies.

You will find our partner, Outscale, on the list, and very soon, Scalingo too!

Conclusion

We hope this article has addressed some of your questions regarding the SecNumCloud qualification! To delve deeper into specific points, we plan to write supplementary articles in the coming weeks. So stay tuned for more details and in-depth information.

Jennifer Taylor
Jennifer recently joined Scalingo as Growth Marketing Manager and is exploring the dynamic PaaS and cloud industry with a keen interest in sharing the knowledge acquired along the way.
