The Cloud: how do we renew trust?
Europeans have snapped out of their naivety, and they are now looking for the magic formula to secure their data without foregoing the efficiency of apps backed by American datacenters. France has what it takes to truly give birth to “the best of both worlds.”
“In a fast-paced world, having the right partner makes all the difference!” Such is the slogan displayed on the website of the Greenberg Traurig law firm. Ranked 14th in the United States, this world-class firm employs high-level experts with direct access to circles inside the Beltway. No one else has the ability to more effectively audit the real scope of US extraterritorial legislation on sensitive digital data hosted outside the United States by foreign companies. Moreover, when questioned by the Dutch government this summer, their conclusions – which conveniently leaked – were a bombshell in the microcosm of French cyberspace, where major digital providers announced the launch of a “trustworthy cloud” for businesses and governments, which would combine the “best of both worlds.”
As far as we know, their solutions seem to meet an urgent need of these major organizations: access to decentralized infrastructure as powerful and high-performance as Big Tech’s offer, but safe from the well-identified security excesses of the American system. Since 2018, the Cloud Act has allowed US courts to seize digital data anywhere in the world as soon as an offense is committed on American soil. According to experts, the real danger in the US comes from the freedom Congress has granted major intelligence agencies to monitor cyberspace, first with FISA in 1978, and further with the Patriot Act in 2001. They do not expect much from the White House’s recent decree to better regulate data transfer between the European Union and the United States.
However, the decision of American lawmakers has one advantage, according to lawyer Maxime Molkhou, a specialist in these complex issues. “It has dispelled the legal fog the European community made the best of: we have confirmation that the location of datacenters and the contractual relationship provide data owners no guarantee. At this stage, only encryption and system audits can contribute to securing them. But, ultimately, the best way to keep data safe is to implement the strategy that distinguishes between nonvital data, which can be stored in the public cloud, and data that is worth protecting in private, closed-off infrastructure.”
After failing to foster the development of a “sovereign cloud” by 100% French teams Bull-SFR and Thales-Orange, the French government launched the downgraded concept of “trustworthy cloud” last spring. This refers to an infrastructure assembled with technological building blocks that can be foreign but that, once put together, meet the requirements of the French National Cybersecurity Agency’s SecNumCloud label. The major French digital providers rushed down this path. Orange and Capgemini, in association with Microsoft, launched the Bleu company, which should be operational by the end of the year. The digital defense giant, Thales, is working with Google to create S3NS, which will have ramped up by 2024. Its mission will be to “provide the sovereignty guarantees required in France, in particular by managing encryption keys, access and identities, and through cyber supervision”. As for Atos, which has a longstanding relationship with IBM and Amazon, the company recently confirmed it intends to develop a similar offer in partnership with Amazon Web Services (AWS).
Technological sovereignty is bound to be shared, argues Guillaume Poupard, Director General of the National Cybersecurity Agency. Indeed, the move sparked an outcry among typically French providers already certified by the agency, such as 3DS Outscale (a Dassault Systèmes subsidiary), Oodrive and OVHcloud. Rather than push major players to use this infrastructure, which would have sped up the emergence of powerful European standards, explains their spokesperson, the government caved in to pressure from private sector behemoths beholden to Big Tech. Independent experts qualify this accusation: “It was in equal parts out of necessity, ease and a lack of an alternative that our major businesses’ digital infrastructure built up layers of American technology. And this has created a powerful standardization effect that it is futile to ignore, because their networks are naturally interlinked with Big Tech’s cloud space.” A reliable source admits that “major French providers could not have better torpedoed the SecNumCloud initiative if they had tried. But did they really have a choice? For them, the alternative was to join forces with American giants or be quickly and definitively squeezed out of this strategic market.”
“After the groupthink of the last ten years, now is the end of innocence and the time for disenchantment. But we will eventually have to pull through. Maybe these encapsulated solutions are a step in the right direction after all,” reveals Alain Bouillé, the CESIN (computer and digital security experts club) representative at last June’s International Cybersecurity Forum (FIC). Frédéric Malicki, spokesperson for Atos, defends the relevance of “a calibrated approach, according to the data’s level of sensitivity.” Thanks to the European initiative, Gaia-X, “which aims to build a common European technological frame of reference,” guarantees Julien Levrard, an expert with OVHcloud, “it will soon be possible to compare all the different available building blocks.” This will make it possible to knowledgeably split up one’s data between a public and a private cloud, located either remotely or at home.
Currently, 90% of digital data is stored in a public cloud that belongs to American pure play companies, according to converging estimates. However, there is a structural move, which experts deem inevitable, towards more balance in favor of private clouds. In the United States, the provider Dropbox, for example, announced its split from AWS and the creation of its own storage center. The good news is that, in France, “there is an entire ecosystem in which to build a real cloud continuum and enable businesses to move seamlessly between clouds,” maintains Charles Schulz, head of strategy at Vates. The host OVHcloud entered into a partnership with Sopra Steria to provide a “sovereign” cloud specifically intended for essential providers in Europe. It remains to be seen if these gems can garner enough demand to set off a virtuous circle, as they did in Japan, emphasize experts. And also if the frames of reference in education and training evolve so that up-and-comers are operational in any type of environment and not solely with American tools, as is currently the case.