OVHCloud ticks most of the boxes

Sovereign Cloud comparison: OVHCloud ticks most of the boxes

What are the criteria for a sovereign cloud? How do the main suppliers position themselves among themselves? Overview.

How do you define what a sovereign cloud is today? The JDN put the question to Philippe Latombe, deputy Modem, member of the Legal Committee of the National Assembly and expert on the subject. Here is his answer: “It is a cloud located and managed by a French company. A company that has no affiliations with a foreign parent company and is therefore protected by extraterritorial regulations such as the American Cloud Act ”. The Cloud Act allows the US federal state to access data hosted by a US actor, regardless of their location in the world, with a simple court decision (see US law firm Greenberg Traurig LLP).

“A sovereign cloud must also be supported by servers and network equipment designed and assembled in France and whose key components are also made in France, such as processors or memory,” adds Philippe Latombe. A precautionary measure that limits the risk of loopholes that can be used by the CIA under the FISA (Foreign Intelligence Surveillance Act). “To prevent outside interference, the vendor will finally offer a way to encrypt customer data by giving them the ability to use their own encryption keys,” added the deputy.

On the basis of this definition, the JDN below makes a comparison between the French and non-French cloud providers present on our soil, evaluating for each of them all the mentioned sovereignty criteria.

Comparison of clouds in France according to sovereignty criteria
Detailed encryption where the customer manages the keys Isolated offer of extraterritorial legislation Own software platform produced in France Servers and network equipment designed in France Servers assembled in France Processor made in France According to Nuvola
Google Cloud In project In project
Microsoft Azure X In project In project
Orange flexible cloud X X
OVH Cloud X X X X
trace of the scale X X X
3DS out of scale X X X

Of the 7 criteria analyzed, OVHCloud is the most satisfactory, ie 4. In France, Octave Klaba’s group obviously offers a legal structure that isolates its offer from extraterritorial regulations. He designs his servers himself and assembles them at his factory in Croix, in the north. An industrial infrastructure that produces more than 80,000 a year. This internalization policy allows OVH to optimize and, above all, secure a large part of its supply chain. The Roubaix group, on the other hand, does not build the electronic components of its machines. It therefore remains dependent on the whims of this market, especially in the critical microprocessor segment. Not to mention the back door that could slip in there.

To sovereign processors?

As for processors, the French sovereign cloud sector could regain color in the wake of the Electronique France 2030 plan. Nano-sized processors. With the IoT as a target, but also the cloud, it is part of the second Project of Common European Interest (PIIEC). A program that also includes 10 billion euros of expenditure for France for fifteen research and development projects in the field of electronics and telecommunications, in addition to the construction of a dozen new factories or production lines of components. The combined ambition of PIIEC and the Electronics France 2030 plan? Increase semiconductor manufacturing capacity in France by around 90% by 2027.

“The success of the Bleu and S3NS projects will depend on how their services are organized and structured”

Among the French semiconductor champions there is the indispensable STMicroelectronics, but above all Soitec, which focuses mainly on the edge computing segment. A positioning that will become increasingly important with the trend of increasing cloud decentralization. On the side of French server manufacturers is the essential 2CRSI. A technology chosen by OVHCloud to equip its Asian data centers.

“Illusory” Sovereign Offerings.

“The issue of the sovereign cloud, which raises the question of the integrity of the security of data entrusted to suppliers, is an essential issue recognized by all market players, be they American, European or French,” he explains. Olivier Iteanu, attorney at the Paris Bar and expert in digital law. Some US cloud service providers have even gone so far as to appropriate the term sovereign cloud and integrate it into their marketing policies. This is particularly the case with Microsoft or Oracle, both of which have launched so-called “sovereign” European offerings. In particular, solutions that guarantee the localization of data in the customer’s country, the support of local teams or even isolation from the other cloud regions of the supplier (“not sovereign”).

“Here the promise is an illusion. It goes without saying that these services are not immune to the Cloud Act, which takes precedence over any contract. With this legislation, the US provides a legal tool that legalizes industrial espionage and data acquisition. “Insists Olivier Iteanu.” As a French aircraft manufacturer had plans for one of its future models stolen on a US cloud , will turn against the latter, but then will be able to benefit from the protections of the Cloud Act “.

Clouds of trust instead of sovereign

For the lawyer, SecnumCloud certification from the National Information Systems Security Agency could be the solution everyone agrees on. In version 3.2, released in October 2021, SecnumCloud includes new requirements to ensure that the provider and the data it processes cannot be subject to non-European regulations. Data localization, human resources, access control, information encryption, risk management, real-time incident detection… Anssi’s repository is very detailed and specifies the requirements for the physical security of data centers.

By deploying their cloud through French third parties, Microsoft and Google want to win the famous sesame. The first goes through Bleu, a joint venture of Orange and Capgemini, to launch its Azure cloud in France. As for the second, he turned to Thales to create a joint venture (called S3NS) under French jurisdiction. “The success of the Bleu and S3NS projects will depend on the way their services are organized and structured. In both cases, such as cloud infrastructures, the teams will have to be completely isolated from that of the publisher, as well as being attached to various legal structures aimed at guaranteeing total impermeability with the Cloud Act “, warns Olivier Iteanu. The Azure offer, marketed by Bleu, it is expected to be launched at the end of September. As for S3NS, it has already been beta tested by some companies. Both qualify their future cloud offerings by trust and not by the sovereign cloud. A model that does not tick all the boxes .

Leave a Reply

Your email address will not be published. Required fields are marked *