In recent years, France has sought to establish robust cybersecurity measures and data protection standards, particularly in the cloud computing domain. The French Government has long advocated for the creation of a secure cloud environment that is designed to support French organisations. To this end, the ‘Cloud de Confiance’ concept was launched in 2021.
This initiative aims to enhance the security of business data and counterbalance the dominance of American tech giants in cloud computing. It encourages cloud service providers to adhere to strict technical and legal standards, including effective cybersecurity measures and compliance with French and European regulations.
What is Cloud de Confiance?
The Cloud de Confiance strategy was borne out of the need to protect cloud data from the application of extraterritorial laws that do not align with European directives, as well as secure cloud computing services within European borders.
Under the US Cloud Act, for example, the United States Government can request access to information stored on the cloud by companies like Google, Amazon, and Microsoft, who together hold 70% of the global cloud market.
Recognising the technological lead of these giants, the French government proposed a balanced strategy that does not compromise service quality for data protection.
Organisations can gain a trusted data certificate provided that they meet specific criteria demanded by the French Agence Nationale de la Securité des Systèmes d’Information (ANSSI). From a technical perspective, providers are expected to develop solutions that can better combat the risk of malicious threat actors. And legally, the cloud solution providers are subject to French and European standards.
Therefore, the solutions from tech giants can be labeled if they are operated under license by European actors. These actors are governed by European regulations, but offer French businesses and internet users cloud technology. One such partnership already in place is between Google and French cloud provider OVHcloud.
According to Stéphane Richard, Chairman and CEO of Orange, the Cloud de Confiance label is reflective of a growing need in the digital world and sets out standards around data protection and sovereignty.
“Orange, as a trusted partner for the digital transformation of businesses, operates, integrates and manages a range of trusted infrastructure services for its customers, whether they are public or private entities,” he added.
However, The broad scope of Cloud de Confiance can present challenges around exactly what data is being stored and which country it is stored or sent in. New legislation that requires strict data separation based on the nationality of data holders could also place a larger administrative burden on cloud firms, as well as increasing the monitoring and reporting requirements.
To ensure ample data protection of French data and compliance with regulations like Cloud de Confiance, many organisations are focusing on Zero Trust principles
Protecting French Data With Zero Trust
The Zero Trust security concept is a model that operates on the assumption that no user or device should be automatically trusted, regardless of whether they are within or outside the network perimeter. This model requires each request to be verified before granting access, effectively limiting the possibility of a successful attack.
According to a Forrester report, 66% of French organisations say embracing Zero Trust plans is a priority. However, the implementation of Zero Trust models is not without its challenges, particularly in terms of regulatory considerations.
Local privacy laws in various countries, including France, can pose difficulties for the deployment of Zero Trust initiatives. Therefore, an understanding of and compliance with these laws is crucial to successfully implement a Zero Trust model.
As cloud services become increasingly integral to companies of all sizes, French solutions are expected to increase in value and demand, particularly those bearing the Cloud de Confiance label.
The traditional perimeter defense model, which relies on securing the boundary between trusted internal systems and untrusted external systems, is becoming obsolete as cloud computing grows.
In contrast, the Zero Trust model is well-suited for the modern, cloud-centric IT environment. A key aspect of the Zero Trust approach in a cloud-first IT ecosystem is providing users with access to resources on a need-to-know basis, and reducing the implicit trust often found in current approaches. This means that user access is limited to the specific data and resources necessary for their tasks, and unnecessary access rights are eliminated, thus further reducing the potential attack surface.
As France continues to balance the rising use of cloud computing with the need for cybersecurity, initiatives like Cloud de Confiance and the adoption of the Zero Trust model mark important steps in ensuring data protection and managing the dominance of foreign tech giants.
Navigating these new measures will undoubtedly present challenges for businesses, particularly those with international operations. However, with a comprehensive understanding of these new regulations and a commitment to data security, businesses can successfully navigate this new landscape.
As we continue to adapt to a digital-first world, it is clear that the protection of data and the trust of users will remain paramount in our evolving digital landscape.