
Sovereign cloud comparison: OVHCloud ticks the most boxes

What are the criteria for a sovereign cloud? How do the major providers position themselves with respect to each? Here is an overview.

How should a sovereign cloud be defined today? JDN asked Philippe Latombe, a MoDem deputy, a member of the National Assembly’s law commission and an expert on the cloud. Here is his answer: “It is a cloud located and operated by a French company. A company that has no connection with a foreign parent company, and which is therefore protected against extraterritorial legislation such as the American Cloud Act.” The Cloud Act allows the US federal government to access data hosted by an American company, regardless of its location in the world (see the study by the American law firm Greenberg Traurig LLP).

“A sovereign cloud must also be backed by server and network equipment designed and assembled in France, with the main components also made in France, such as processors or memory,” adds Philippe Latombe. This is a precaution that will limit the risk of backdoors that could be used by the CIA under the FISA (Foreign Intelligence Surveillance Act). “To avoid any external interference, the supplier will finally propose a system to encrypt the customer’s data by giving him the possibility to use his own encryption keys”, adds the deputy.

Based on this definition, the JDN draws up below a comparison of the main cloud providers, French or not, present on our soil, by sifting for each of them all the criteria of sovereignty mentioned.

 
Granular encryption service* | Offering isolated from extraterritorial legislation | Proprietary software platform made in France | Servers and network equipment designed in France | Servers assembled in France | Processor made in France | Secnum-Cloud
AWS X
Google Cloud X In project In project
Microsoft Azure In project In project
Oracle
Orange Flexible Cloud X
OVHCloud X X X X
Scaleway X X X
3DS Outscale X X X

* Encryption offering covering the main cloud services offered (virtual machines, storage, database services, container as a service, Kubernetes as a Service, Functions as a Service…)

Of the 7 criteria analyzed, OVHCloud is the one that meets the most, i.e. 4. In France, Octave Klaba’s group obviously offers a legal structure that isolates its offer from offshore regulations. It designs its own servers and assembles them in its factory in Croix in the North of France. This industrial infrastructure manufactures more than 80,000 servers every year. This policy of internalization allows OVH to optimize and above all to secure its supply chain to a large extent. On the other hand, the Roubaix-based group does not build the electronic components of its machines. As a result, it remains dependent on the vagaries of this market, particularly in the critical microprocessor segment. Not to mention the back doors that can creep in.

OVHCloud has also obtained the very select SecnumCloud certification awarded by the French National Agency for Information Systems Security (Anssi). This certification was deliberately included among the sovereignty criteria analyzed. Why was it chosen? Because it brings the recognition of the French State as to “the quality and robustness of the service, the competence of the provider, and the trust that can be given to him” (says Anssi). The fact remains that the certified offering is OVH’s private cloud service, which, unlike its public cloud offering (based on an open source foundation), is based on the proprietary American platform VMware. 3DS Outscale, on the other hand, has obtained the coveted certification for its public cloud infrastructure. However, the cloud subsidiary of Dassault Systèmes has chosen the NetApp storage system and Cisco network equipment. These are also American technologies. “SecnumCloud requires us to use devices to detect third-party network traffic (from, for example, spy-oriented sniffers embedded in U.S. technologies under FISA, editor’s note),” says David Chassan, Director of Strategy at 3DS Outscale.

Towards sovereign processors?

In terms of processors, the French sovereign cloud sector could be on the rise again in the wake of the Electronique France 2030 plan. Unveiled by the government in July, it plans to inject $5 billion into semiconductors, including $800 million into the next generation of 10 nanometer processors. With the IoT as a target but also the cloud, it is part of the second project of common European interest (PIIEC). For France, that program also includes 10 billion dollars of spending targeting about fifteen R&D projects in electronics and telecoms, as well as the construction of a dozen new factories or manufacturing lines for components. The combined ambition of the PIIEC and the Electronics France 2030 plan? To increase semiconductor production capacity in France by around 90% by 2027.

Among semiconductor champions, there is the unavoidable STMicroelectronics, but above all Soitec, which targets the edge computing segment in particular. This positioning will become increasingly important with the growing trend towards decentralized cloud computing. Among server manufacturers, 2CRSI is a key player. OVHCloud chose its technology to equip its Asian datacenters.

Sovereign offers “illusory”

“The issue of the sovereign cloud, which raises the question of the integrity of the security of the data entrusted to providers, is an essential issue that is recognized by all the players in the market, whether American, European or French,” explains Olivier Iteanu, a lawyer at the Paris bar and an expert on digital legislation. Some American cloud providers have gone so far as to appropriate the term “sovereign cloud” and integrate it into their marketing policy. This is notably the case for Microsoft and Oracle, which have both launched so-called “sovereign” European offerings. These solutions guarantee the localization of data in the customer’s country, the attachment of support to local teams, and even isolation from the supplier’s other cloud regions (“non-sovereign”).

“Here, the promise is illusory. It goes without saying that these services are not impervious to the Cloud Act, which takes precedence over any contract. With this legislation, the US is proposing a legal tool that legalizes industrial espionage and data capture,” insists Olivier Iteanu. “If a French aircraft manufacturer had the plans for one of its future models stored on an American cloud stolen, it will be able to turn against the latter, but it will then be able to benefit from the protection of the Cloud Act.”

Trusted rather than sovereign clouds

For the attorney, SecnumCloud certification may be the solution that puts everyone on the same page. In its version 3.2 released in October 2021, SecnumCloud incorporates new requirements to ensure that the provider and the data it processes cannot be subject to non-European laws. Data localization, human resources, access control, information encryption, risk management, real-time incident detection… The Anssi reference framework is very detailed, even specifying requirements for the physical security of data centers.

By seeking to distribute their cloud via French third parties, Microsoft and Google aim to obtain the coveted certification. Microsoft will use Bleu, a joint venture created by Orange and Capgemini, to market its Azure cloud in France. Google, for its part, has joined forces with Thales to create a joint venture (called S3NS) under French jurisdiction. “The success of the Bleu and S3NS projects will depend on how their services are organized and framed. In both cases, the teams and the cloud infrastructures will have to be entirely isolated from those of the publisher, in addition to being attached to very distinct legal structures aimed at guaranteeing a total seal with the Cloud Act,” warns Olivier Iteanu. The Azure offering marketed by Bleu should be launched by the end of September. As for S3NS, it is already being tested by a few companies in beta. Both companies describe their future offerings as a trusted cloud, not a sovereign cloud. A model for which they are far from ticking all the boxes.
