The President of Cigref, Bernard Duverneuil, spoke recently of Cigref’s commitment over the past two and a half years to developing the doctrine of the trusted cloud and bringing the needs of companies and public administrations into line, publishing in particular a trusted cloud reference document, the aim of which is to inspire the various works in this area, both at national and European level.
At a time when states are presenting their trusted cloud strategy, and Gaia-X is working on labels to categorise its offers, we feel it is important to reconcile the initiatives to ensure their convergence at European level. We believe it is essential that this reference document meets the needs of users of digital solutions and services.
We invite you to send us your comments and remarks in order to enrich this reference document by 15 June. We will draw up a consolidated version with the feedback received, which we will share in June.
Cigref warmly thanks the working group leader Vincent Niebel, director of information systems at the EDF group, and the 40 participants, with the support of the Magellan Consulting team.
Participate in the construction of state-of-the-art, economically accessible offers that comply with the trusted cloud label
Although we have taken an important step with the announcement of the French national cloud computing strategy, the most complicated part remains to be done, starting with the construction of state-of-the-art, economically accessible offers compliant with the trusted cloud label. The industry is preparing for this and several players are expected to make substantial announcements in this direction in the short term. Cigref itself will continue to work to make clear the needs of its members, all users of digital services, both public and private, in particular with this trusted cloud reference document, the aim of which is to inspire the various works in this area, both at national and European level.
Presentation of the Cigref Trusted Cloud Reference Document
This reference document is based on three pillars: security, immunity to non-European legislation and control of users’ dependence on their cloud solution and service providers.
By working collectively around these three pillars, a list of requirements for cloud providers to demonstrate their ability to comply with the trusted cloud has therefore been drawn up by Cigref members. These come from several standards, both French and European (SWIPO Codes of Conduct, Cloud Computing Compliance Controls Catalog (C5), SecNumCloud, GAIA-X Policy rules, etc.), to which legal and geopolitical immunity requirements are added. The requirements placed on the cloud provider are both operational and contractual. Any operational requirement must therefore also be contractually enforceable.
How to read the framework:
To simplify reading of the reference document and with the aim of defining a minimum foundation and a complete target, the requirements have been divided into two levels:
- A first level of trust ensuring a “Safe Cloud”: this reflects a high level of IT security and transparency of the applicable legal rules and potential dependencies, so that the customer is fully informed.
- A higher level of trust ensuring a “Trusted Cloud”: this level, combining the requirements of the two levels, targets high security, immunity to non-European laws and a strong degree of control over the level of dependency.
Position and background:
However, in order to clarify the status of this reference document, it is essential to remember that it is neither a label nor a certification, and that it is not Cigref’s role to operate such a system. It is up to the organisations that wish to do so to use this reference document, which presents the needs of users, and adapt it to the approach for labelling or certifying trusted cloud solutions and services. In addition, users of these solutions and services will be able to draw inspiration from them to enrich their contractual approaches with their providers.
Trusted cloud & reference document: objectives
A trusted cloud is a cloud which, in addition to offering services (IaaS and SaaS as a minimum) that respect the technical, technological, control, security, reversibility, portability, interoperability and transparency requirements imposed by the market and the public authorities, also provides protection against:
- The legal risks related to the application of non-European laws to French and European customers of cloud service operators;
- The impact of a geopolitical crisis on the business of cloud service operators’ customers.
The trusted cloud reference document therefore meets several objectives:
- Clarifying the code of conduct between the cloud service provider (CSP) and the cloud service customer (CSC).
- Listing all IT requirements (security, reversibility, interoperability, portability), and integrating all the cross‑functional requirements (legal, geopolitical) that are essential for a trusted cloud.
- Consulting the players in the cloud computing market, mainly Cigref members using cloud services, on the necessary and sufficient requirements for a reference document to ensure a maximum level of trust in the cloud.