ANSSI publishes recommendations on cloud hosting of sensitive information systems. – Digital Economy Blog

In a report published on July 9, 2024, the National Information Systems Security Agency provides information on cloud hosting of sensitive information systems. In this simple yet impactful report, the French agency reviews the opportunities and challenges of the cloud, identifies the need for decision support tools and their recommended application, reviews the preventive measures used by entities, and gives examples of their recommended application.

For French institutions, the cloud is both an opportunity and a challenge. Cloud computing is an IT service that provides users with permanent access to web applications, data and all kinds of IT resources through the Internet. The technology works by storing information on remote servers, making each connected object an access point to that data. This advantage of use still raises questions regarding the security of information systems. In its recommendations, ANSSI highlights cyberattacks that specifically target cloud infrastructures. It is therefore necessary to adapt the security level to the sensitivity of the data.

To address these issues, ANSSI has developed a decision support tool that allows organizations to choose the type of cloud product to adopt based on their information systems (IS), different levels of sensitive data, and associated threats. The target IS is divided into several levels:

• Limiting diffusion level IS
• Sensitive information systems of vital operators and key operators
• Yes, it is crucial

However, ANSSI recalls in its recommendations that its provisions can only be effective if organizations take precautions in migration projects, such as risk analysis, and choose cloud security mechanisms based on relevant certifications and train their teams on the correct use of cloud technologies.

To achieve a safe migration, the French agency’s recommendations are based on three pillars that vary depending on the type of IS. Organizations must then consider: the type of cloud offering (commercial or non-commercial), the type of threat (strategic, systemic, offensive or isolated) and the nature of the IS.

The document also recalls that the SecNumCloud repository presents high-level technical, legal and operational requirements. Developed by the agency itself, the framework allows the assessment of the security level of IT systems and good “IT hygiene” practices. The benchmark makes it possible to evaluate Paas, Iaas and Saas products, providing a high level of confidence in the different certified cloud products. Note that customers still have to secure their sites, as this certification is only for cloud organizations.

To find cloud products that are SecuNumCloud certified, all you have to do is visit the ANSSI website, which lists all the organizations that hold this certification.

In this report, we can learn that public commercial cloud products can host sensitive information systems if there are solutions that provide an adequate level of protection. ANSSI also confirms that IS can only meet the “National Center” cloud principles if the cloud product is certified by SecNumCloud.

This certification can help cloud users switch to organizations that provide high security levels, thus ensuring quality services.

source: