Article  | 

France creates a security certificate to achieve “clouds of trust”


Reading Time: 7 minutes

The European dilemma between wanting that the data of the companies and the consumers that the telecommunications operators host do not, in any case, leave the borders of the European Union and allowing, at the same time, that these operators subcontract their services in the cloud to big American technology has a very difficult solution. The supremacy in the services provided from the cloud by US companies such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud is undeniable, as well as claiming that the data and its subsequent treatment cannot be subject to information leaks or legal requirements of extraterritoriality of these data.

The French Government announced yesterday, after two years of work, its “Stratégie nationale pour le Cloud”, which advocates that data, at least those of public services, must always be safe from any extraterritorial interference, thanks to the use of a certificate that will be called “Cloud de Confiance”. The objective of this Strategy is clear: “Always better protect the data of French companies, administrations and citizens and affirm, at the same time, our sovereignty”, as stated by the Minister of Economy, Bruno Le Maire (in the lower image) at a press conference, which was accompanied by the Minister of Transformation and Public Function, Amélie de Montchalin, and Cédric O, French Secretary of State for Digital, to give more importance to the initiative.

This National Strategy for the Cloud is based on three pillars: the creation of the “Cloud de Confiance” label, which will allow you to enjoy the best global cloud-based services while protecting French data; place “le Cloud au center” based on modernizing public action thanks to cloud technologies; and thirdly, the “politique industrielle”, putting France Relance at the service of French sovereignty to accompany the construction of the new cloud services, as stated in the statement of the presentation of the Strategy.

France considers its National Strategy for the Cloud to be a balance between data protection and the competitiveness of French solutions, by ensuring the sovereignty of its data and legal protection against US laws.

The French Government wants companies and the Administration “to have access to the tools with the best benefits in the world and with the guarantee that the treatment of data is respectful of European values”, summarized Cédric O when presenting the National Strategy of the cloud. The Government wants to strengthen the requirements for public administrations by promoting “hybrid solutions” that allow French or European companies to use pieces of software from US groups and thus try to resolve the tension between contradictory demands, as highlighted yesterday by the evening newspaper Le Monde to report on the initiative of the French Government.

According to a circular that should be approved in the coming months, it is a question of “making the Cloud the method of hosting the State’s digital services by default”, in matters of the public sphere, but with the requirement that this cloud of information is “protected against all types of extra-community regulations”. The French Government wants to face requests for extraterritorial information that US laws such as the Cloud Act or the Foreign Intelligence Surveillance Act (FISA) may allow the US Justice or information services to access data stored outside the United States. Precisely, this risk is what caused the European Court of Justice to invalidate, in July 2020, the transfer of data to the other side of the Atlantic and to question whether Microsoft could host French health data through the Health Data Hub platform.

The “clouds of confidence”, a key piece

The creation of the “Cloud de Confiance” certificate is, therefore, the cornerstone of this entire strategy of having secure data and away from “extraterritorial” eyes. This trusted data certificate will be awarded to data service providers who meet a long list of criteria validated by ANSSI, the French Agence Nationale de la Securité des Systèmes d’Information. These recipients of the trusted cloud seal “must guarantee the maximum protection of data to companies and administrations that choose it” and the SecNumCloud certificate will have a security level “among the highest in the world” to fight against cyberattacks, more and more numerous, wants the Government.

This technical protection will be accompanied by legal protection, which is equally or more important, “because the United States has laws that allow them to recover extraterritorial data and we want to guarantee total independence with respect to these laws”, as is done today echoes the wish of the French Minister of Economy the newspaper Le Figaro. To achieve this, the servers must operate in France and the companies that sell this cloud must be European and managed by Europeans. The triple requirement mentioned above is considered indispensable to escape the scope of US jurisdiction.

The problem, as is obvious, is that this “sovereign cloud” cannot be conceived without having access “to the best cloud services”, which “are American”, as Bruno Le Maire acknowledges. The French Ministry of Economy, Bercy, has devised for this a licensing system that allows Europeans to use the technologies of Google Cloud or Microsoft Azure, with which an agreement has already been reached, and be outside the radius action of the dreaded American Cloud Act. These licenses would only be a first step, while the French and the Europeans manage to recover their delay on the issue of the Cloud, as revealed at the press conference.

The advancement of cloud services in Europe is seen as unstoppable and should create numerous jobs and a unique opportunity for Europe and France, provided that data sovereignty is maintained

For now, France has approved a budget of 107 million euros for this data security project, which is part of the European Gaia X plan, led by France and Germany and approved in June last year. Last December, the European Commission presented two bills, the Digital Services Act (DSA) and the Digital Market Act (DMA), which also respond to the desire to control the technological giants, but which have yet to pass the parliamentary process and after they are really effective.

France will lead the “cloud of trust”

The French Government will lead the use of this cloud of trust. Within twelve months, all the new IT projects of the French Administration are wanted to be within clouds with security certification. The French State will have only two internal clouds, one for the Ministry of the Interior and the other for the Ministry of Finance. In a somewhat laconic way, however, the economic newspaper Les Echos points out that, although Bercy claims to have found the point of balance between data protection and the competitiveness of French solutions, “this certainly pragmatic commitment has the risk of reducing from French suppliers to simple resellers of American solutions ”.

The example to follow to achieve this square of the circle is a hybrid cloud, like the alliance announced last November between the main French cloud company, OVH, and Google. In this initiative, OVH “fully manages and exploits” the hybrid cloud, but integrates a Google software platform. Le Mondeassures, based on government sources, that there are negotiations, in some cases very advanced, between French actors and US leaders and that Google assumes that the hybrid cloud is a “strategic axis”. Microsoft, contacted by Le Monde, has no comment, and neither does Amazon. It is recalled, however, that last November AWS, Amazon’s cloud services subsidiary, closed an agreement with Orange, the main French telecommunications operator, to “accelerate the innovation of companies in the cloud.”

And the fact is that the advancement of cloud services in Europe is considered unstoppable, with an average annual growth of 27% until the end of this decade, as revealed in a study last April by the consulting firm KPMG and included in the press release of the National Strategy for the Cloud, as seen in the graph below. It should go from the 63,000 million euros estimated to have been the European Cloud market in 2021 to almost ten times more, 560,000 million euros in 2030. “This increase in the market should create numerous jobs and be a unique opportunity for Europe and for France ”, is highlighted in the statement.

Precisely, in a KPMG report co-financed by several French companies, including OVH, it is proposed to strengthen the security of data hosted in the cloud but also interoperability, so that users can move seamlessly from one cloud service to another. The creation of a national authority to regulate the cloud, the report noted, would force US companies to “Europeanize” and “functionally separate” their cloud services subsidiary from their other activities.

Another avenue to explore would be for a broad agreement to be reached between the US Administration and the European Commission on transatlantic data transfer. The commitment released yesterday by the European Union to put aside its plans to increase tariffs on US products to initiate an understanding on both sides of the Atlantic could also facilitate an agreement on the thorny issue of data sovereignty.

The data stored by the operators, in the air

This Strategy, although it will work as planned in a short period of time, leaves the security of the data held by telecommunications operators in the air, which increasingly reach more agreements with the US technology giants to manage their services from its clouds. Last Tuesday, Telefónica Tech, the holding company of the Telefónica group, announced an alliance with Microsoft to provide the industrial sector with 5G connectivity and local Edge Computing and today Telefónica Tech has launched Google Cloud by Acens that will allow companies to access simple way to Google Cloud technology.

The use by Telefónica of the cloud services of the big US technology companies is not unusual, far from it. Vodafone signed a strategic alliance with Google Cloud in early May to create, among others, a joint data analysis platform. Also Deutsche Telekom, which until now wanted to be free from American technology companies, seems to have rethought its strategy, at least with its subsidiary T-Systems, which is experiencing profitability problems. And the other major European telecom operator, France’s Orange, has approached AWS, as mentioned. The sovereignty of the data of the European users of these telecommunications operators and by extension of all the European cloud services remains, for the moment, to be clarified.