At Scalingo, data protection and user privacy are the core of our values. We work tirelessly to provide our users with an experience that makes them serene and trouble-free when it comes to the privacy and the security of their data.
In this article, our goal is to dig a bit deeper into the subject and clarify our policy when it comes to data protection and security, our strategy concerning the various standards and certifications, and our upcoming goals for Scalingo.
TL;DR: We aim at obtaining ISO 27001 for Scalingo as an organization, and HDS simultaneously, for our services. That takes part of our next goal which is SecNumCloud, the highest tier certification in this field that we can obtain at the moment.
Before digging into our strategy, let’s define some terms by asking the most common questions on the subject.
Standards and certifications act as an intermediate between Scalingo and the final user. It is a validation from a third party, that will demonstrate that our practices in terms of system security and data privacy are coherent with the expected standards.
For the layman, Information Security is about being hacked and your data leaking outside. That’s a confidentiality incident.
Information Security goes far beyond confidentiality.
The pillars of Information Security are commonly known as the “CIA Triad”:
If you have an issue related to one of those pillars, you have an information security issue.
ISO standards are internationally valued and recognized by multiple experts, and they are built by the International Organization for Standardization.
ISO 27001 is the Information Security Management standard, and it aims at providing requirements for organizations when it comes to their Information Security Management System (ISMS).
An ISMS can be defined as a written set of rules in the form of policies, procedures, or other documents, to enforce Information Security (remember the “CIA Triad”?).
Building an ISMS requires to work on many topics deeply linked to your company: risk management, security policies, asset management, cryptography, physical and environmental security, suppliers relationship, etc.
For our fellow developers, don’t be afraid! An Information Security Management System is just code running on paper.
The HDS certification stands for “Hébergeur de Données de Santé” in French and can be translated to “Health Data Hosting” certification.
HDS is a french certification focused on the protecting privacy of personal data, especially health data.
One of the main focuses of this certification is to guarantee the quality and continuity of service.
This type of data is sensitive and its hosting implies considerable responsibilities, therefore, certifications such as HDS allow health organizations to ensure that their provider meets the security, availability, and confidentiality standards required for this type of practice. It is also mandatory in France to use an HDS certified provider to host health data.
ISO 27001 is part of the requirements in order to obtain the HDS certification.
When it comes to cloud-specific certifications, SecNumCloud is the latest certification delivered by the ANSSI (French National Agency for the Security of Information Systems).
The main difference between SecNumCloud and ISO 27001, is that in this case, the referential defines the targeted measures, for operating Cloud services in a secure manner, to enforce, while ISO 27001 enforces the implementation of processes based on the standard.
In other words, ISO 27001 would act as a foundation in terms of defining and identifying the process that must be implemented, and SecNumCloud gives technical requirements for operating Cloud services securely.
SecNumCloud is the highest tier certification obtainable in the field in France, and therefore, the process of obtaining this certification is difficult.
Parts of SecNumCloud (and also ISO 27001) certification is the evaluation of the security of a product and the competency of a provider involving commitments such as confidentiality and data protection of user’s data, vulnerabilities assessment and correction of weaknesses, and constant maintenance of the level of competency with a focus on the sovereignty of providers and keeping data processing under European law.
Despite SecNumCloud being a certification created by a public French organization, we can see the emergence of interest in the certifications related to the Cloud industry at the European level.
The most recent example is the work of ENISA (European Union Agency for Cybersecurity) to create EUCS label for European Cybersecurity Certification Scheme for Cloud Services. This label is targeted at European Cloud providers to enable the European market access to entrusted and reliable providers.
From our understanding SecNumCloud, will be a foundation of the European EUCS label. It will serve as the basis for the highest standard of the EUCS label. This allows us to say that investing in SecNumCloud today also serves to advance towards a future European certification.
To better understand our strategy and what implies for Scalingo and its users, we will get a bit more in-depth into our strategy as a European cloud provider.
Scalingo aims at obtaining ISO 27001 and HDS together as they are 2 close standards.
As for SecNumCloud, it will be the next step of this strategy, and it will be our priority as soon as we obtain ISO 27001 and HDS.
To understand our strategic choice for the certifications, we have to take into account the nature of each standard and certifications first.
We consider that ISO 27001 would be the most valuable standard to provide to our user-base due to the international nature of the standard, and the fact that it’s the certification that can provide value to pretty much all users.
It’s also a mandatory certification to obtain HDS and considering that we think that ISO 27001 should be our first step towards the certifications strategy that we aim for.
For HDS, although it may not concern most of our users, we think it’s a valuable addition to Scalingo for users who may need it, especially knowing that it’s very hard to find a PaaS who is HDS certified!
It also represents an extra layer of validation from a third party for Scalingo, meaning that despite most users won’t be hosting any health-related data, they will still be hosting their data on a service that is considered secure for health data hosting.
Finally, concerning SecNumCloud, which is our next step in this certification strategy. We think that it can only improve our standards in terms of ISMS and risk assessment, and we consider it to be a valuable certification to obtain as Scalingo is aiming to host more sensitive government data. Obtaining the ISO 27001 certification is an integral part of our SecNumCloud roadmap.
ISO 27001 will apply to Scalingo as an organization, while HDS and SecNumCloud will apply to the various services that we provide.
The user experience will remain the same, and these certifications and standards are for us an opportunity to shape a new level of trust and security for our users.
Despite Scalingo not being certified ISO 27001 and SecNumCloud yet, our provider Outscale is in fact providing an IaaS that is already certified:
osc-fr1is based on an IaaS provided by Outscale which is certified ISO 27001 and HDS.
osc-secnum-fr1also provided by Outscale, is based on an IaaS certified ISO 27001, HDS, and SecNumCloud.
This means that although Scalingo is not certified ISO 27001 (yet), all our services are on an IaaS provided by Outscale which is certified ISO 27001.
And for our users who need it, Scalingo PaaS offers a region based on a SecNumCloud certified provider, and you can already host your apps and data on this certified infrastructure.
Our certifications strategy revolves around four main aspects, which are: security, trust, transparency, and sovereignty.
Our goal is to obtain ISO 27001 and HDS as a first step, followed by SecNumCloud as the next goal.