The "trusted cloud" label sets a framework to help companies choose a cloud that meets their criteria of security and legal protection. But where is the line between the standard of trust and the marketing argument?
Projects leading to the realization of a "trusted cloud" in France are starting to appear, like Capgemini and Orange, initiators of a new company called "Bleu" , guaranteeing cloud services based on Microsoft technology, but beyond the reach of US extraterritorial laws.
The notion of "sovereign cloud", weakened by the successive failures of CloudWatt and Numergy in France, operates a semantic transfer towards what is henceforth more commonly called "cloud of confidence". This label, supported by the government, lays the foundations for high technical and legal standards, while relying on licensing agreements to allow French operators to rely on more advanced hyperscaler technologies.
For Cigref, this label bodes well. Vincent Niebel, leader of the Cigref "cloud of trust" working group and director of information systems at EDF, declared after the announcement by the ministers of the cloud doctrine: "The need for a trust cloud having a large catalog of services has been clearly expressed by the members of Cigref, in order to guarantee the security of their sensitive data and associated processing, to clarify the legal regime to which they are subject and to protect them from extra-European legislation, and master their dependencies on their suppliers. "
Coincidentally, the association which brings together a network of large companies and public administrations has just published a trusted cloud repository. According to Cigref, these incentives push customers to sort out their most sensitive data, which deserves to be entrusted to trusted clouds, and those which are less and which can thus remain with American providers.
The sovereign argument
While it advocates best practices, this trust label is also synonymous with new business opportunities in France and in Europe, at a time when the Gaia-X initiative is emerging across the continent, the purpose of which is to stimulate the creation of sectoral data spaces in Europe and to allow companies to collaborate, exchange data and thus increase their productivity.
David Chassan, Director of Strategy at 3DS Outscale, has observed a “revival” of sovereignty in recent years.
“Customers are looking for the element of sovereignty,” the head of 3DSOutscale said. The “security value” is of course also one of the priority arguments. For David Chassan, playing the game of audits and best practices is proving to be a profitable strategy. It supports the logic of certification which acts as "proof". Remember that 3DS Outscale also has the certification qualified by Anssi SecNumCloud on its Public Sector Cloud offer, a "holy grail" prior to the award of the "trusted cloud" label.
For the Dassault Systèmes subsidiary, obtaining this security visa opens up a little more commercial prospects on the market for public bodies and operators of vital importance. “It has become a business argument,” admits David Chassan. “There are calls for tenders that mention this certification. We see that this is one of the criteria that are requested. "Especially since within the framework of the Outscale for Entrepreneurs acceleration program," start-ups can in turn take advantage of this business argument with their clients, and for their fundraising "he comments.
Does trust come at a price?
However, being SecNumCloud qualified requires "a lot of constraints", underlines David Chassan. Constraints which push to make it “a separate cloud” which costs “20% more expensive” he justifies. “We will have to be efficient and fight to be in line with AWS in terms of price,” warns David Chassan.
For the offers of cloud operators who would not be labeled a trusted cloud, without the SecNumCloud certification, the criterion of trust remains just as vital. The Scaleway cloud provider is in this case. The group has announced that it will provide the 18,000 state IT agents with nearly € 3 million in cloud credits until the end of 2022 to enable them to "train in the state of the art".
"This is a concrete way to support their transition to the public cloud and thus accelerate the digital transformation of trust carried by the government in its doctrine" said a press release. Scaleway claims to be "the only French player able to offer a complete and multi-cloud public cloud offer by design, including virtual instances, load balancers, managed databases, S3 compatible storage solutions and even innovations such as Kapsule Kubernetes”.
Yann Lechelle, CEO of Scaleway, recognizes the merits of the government's cloud doctrine, which comes at a “timely” he says. “The United States has a maturity level of 1, France of 4. We also feel that there is a real desire to work endogenously. "
However, he notes in an open letter that trust is "a fundamental notion" which "cannot be decreed". For him, "labeling trust" is certainly an ambition "laudable", but "still surrounded by vagueness".
The CEO of Scaleway wonders about the intrinsic value of this label of trust. Taking up the arguments one by one, he maintains that “the very 'high-level' character of these criteria does not seem able to assess with a sufficient level of granularity the immunity to extraterritorial laws, from the physical dimension to the software components that make up the cloud. "Regarding the partnerships between French and American players, he notes that" to encourage such a positioning seems problematic and paradoxical to us, because this solution does not establish a path that will last over time or provide legal certainty ".
Warning of the potential “side effects” of this label, Yann Lechelle adds: “We are more specifically concerned about the undesirable side effects that this label, as it stands, could cause on the market, by excluding from the scope of offers of trust a certain number of French players who nevertheless differentiate themselves by their sovereign credo at the cost of substantial investments”.