Security of sensitive information systems: ANSSI recommendations

The security of information systems (IS) is central to the protection of sensitive data, whether public or private. France's National Agency for the Security of Information Systems (ANSSI) has drawn up specific recommendations for hosting IS in the cloud, graded by the sensitivity of the system and the nature of the threats it faces. This article presents those recommendations and the three criteria on which they rest.

The tools needed to apply the recommendations

ANSSI's recommendations are based on three key elements:

  1. Types of cloud offerings
  2. Threat typology
  3. The nature of information systems

1. Types of cloud offerings according to ANSSI

The type of cloud offering is essential in determining the level of security required. Offers can be commercial (public, private, community) or non-commercial (internal, community).

Commercial cloud offers

  1. Public: this offering is shared by all of the provider's customers. It offers a high degree of flexibility and scalability, but the pooling of resources between customers (multi-tenancy) creates risks for data security and confidentiality, since several customers' workloads run on the same physical resources.
  2. Private: this offering is dedicated to a single entity, with resources (processors, storage) physically dedicated to that entity. It gives greater control over data security and management, but can be more expensive than shared solutions.
  3. Community: this offering is deployed to meet the needs of a group of entities sharing common interests, whether public or private. Resources are pooled between members of the community, allowing costs to be shared and infrastructure use to be optimised.

Non-commercial cloud offers

  1. Internal: this offering is deployed within the user entity's own infrastructure. Operation and supervision of the infrastructure can be carried out by the entity itself or by a subcontractor. The entity benefits from the advantages of the cloud, such as flexibility and scalability, while retaining strict control over data security and management.
  2. Community: in certain specific cases, entities in the same business sector pool their needs to create a community cloud infrastructure. This allows costs and resources to be shared while maintaining a given level of control and security. Examples of this type of offering include initiatives such as Pi and Nubo.

2. Threat typology

Information systems can be exposed to different types of threats. ANSSI distinguishes three main categories of threat: strategic threats, systemic threats and hacktivist or isolated threats.

Strategic threat

Strategic threats take the form of persistent, targeted computer attacks, often state-sponsored. They rely on significant technical and organisational resources and are carried out with great discretion. They frequently aim to destabilise institutions or compromise national security by targeting critical infrastructure or strategic sectors.

Some states may also rely on extraterritorial laws or specific legislation to obtain access to data hosted in the cloud without carrying out any attack at all. Hosting providers subject to such laws can be compelled to hand over their customers' data to the authorities, often with no possibility of appeal and without the customers concerned being informed beforehand.

Systemic threat

Systemic threats can affect a large number of entities at once and consist mainly of the cybercrime threat: opportunistic and usually lucrative computer attacks such as ransomware and fraud.

These threats are also amplified by the growing availability of offensive tools and services marketed by private companies. These services can be used for economic intelligence, industrial espionage, or to enable certain states with limited resources to acquire offensive capabilities.

Hacktivist or isolated threat

Hacktivist or isolated threats are often motivated by political or social ideologies. Hacktivists seek to promote a cause or protest against specific actions by disrupting the information systems of their targets. Attacks can include website defacements, distributed denial of service (DDoS) or data leaks. Isolated threats, on the other hand, are often carried out by individuals or small groups with no affiliation to larger organisations.

Focus on SecNumCloud standards and qualifications

  • The SecNumCloud standard: ANSSI's SecNumCloud standard (référentiel) sets out the security rules and best practices a cloud service provider must meet to guarantee a high level of security, from both a technical and an operational point of view.
  • The SecNumCloud qualification: ANSSI awards this qualification to IaaS, PaaS or SaaS cloud offerings, providing confidence in the qualified offerings and in the operating practices of qualified providers. The qualification covers the provider's offering, not the digital services customers build on top of it, so it does not by itself guarantee the security of those services.
  • The "SecNumCloud" security visa lets users identify cloud offerings designed to protect sensitive data and processing against cybercrime threats and extraterritorial laws. Qualification also facilitates the security accreditation (homologation) of customers' digital services, by giving them a level of assurance on the underlying infrastructure.

3. The nature of information systems

The third key element of the ANSSI recommendations is the nature of the information systems concerned:

  1. Restricted Distribution (Diffusion Restreinte, DR) information systems: these systems process information marked Diffusion Restreinte, which requires specific protection measures against unauthorised disclosure.
  2. Sensitive information systems covered by the State's "cloud at the centre" doctrine: these systems, which are not SIIV, process sensitive data within the scope of the "cloud at the centre" circular and require special attention to ensure their security.
  3. Sensitive information systems of operators of vital importance (OIV) and operators of essential services (OSE): although not regulated in the same way as SIIV, these systems are considered sensitive because of the nature of the data they process and require enhanced protection measures.
  4. Information systems of vital importance (SIIV): these systems are crucial to national security, the economy and the nation's ability to survive. An attack on their security or operation could seriously compromise these aspects and represents a significant danger to the population.

Application of ANSSI recommendations

ANSSI defines the following recommendations for the four information systems presented above, depending on the sensitivity of the processing and data, as well as the level of the associated threat:

Sensitive IS at Restricted Distribution (DR) level

  • ANSSI recommends the use of SecNumCloud-qualified non-commercial cloud offerings (internal and community) as well as private commercial offerings. These options provide a dedicated infrastructure, reducing the risk of an attack spreading from one customer to another.
  • SecNumCloud-qualified commercial offerings, whether community or public, are also possible. However, they involve pooling IT resources between several customers (for example, storing data on the same physical storage or hosting several customers' websites on the same physical servers).

Hosting outsourcing

The decision to outsource hosting to a SecNumCloud-qualified commercial cloud offering must be taken by the entity concerned, on the basis of a risk analysis demonstrating that the solution offers an adequate level of protection.
It is crucial to consider the hosting location and the nationality of the administrators when access to certain information is restricted by nationality (for example, information marked Diffusion Restreinte - Spécial France). In that case, a non-commercial cloud offering may be more appropriate to meet the requirements of IGI 1300.

Sensitive IS covered by the State's "cloud at the centre" doctrine

  • In line with the State's "cloud at the centre" doctrine, these systems must be hosted exclusively in SecNumCloud-qualified cloud offerings (internal, private, community or public).

Sensitive IS of an operator of vital importance and sensitive IS of an operator of essential services (including essential information systems)

  • ANSSI recommends the use of any SecNumCloud-qualified offer for these systems.

Information systems of vital importance (SIIV)

  • Because of the sensitivity of the processing and data they handle, SIIV require a reasoned decision from the head of the entity concerned.
  • For SIIV compatible with cloud technologies, ANSSI recommends SecNumCloud-qualified non-commercial (internal and community) and private commercial cloud offerings, which provide a dedicated infrastructure and minimise the risk of an attack spreading from one customer to another.

Conditions for other types of commercial cloud offerings

ANSSI does not rule out the use of other types of commercial cloud offerings, provided that:

  • they are SecNumCloud-qualified;
  • the head of the entity bases their decision on a well-founded risk analysis of outsourcing the hosting of the SIIV, and all the regulatory obligations applicable to SIIV are respected.