S3NS: France’s Sovereign Cloud by Google & Thales

by Priyanka Patel

Google and Thales Achieve Landmark Cloud Security Certification in Europe

A new joint venture, S3NS, has become the first company certified for SecNumCloud, offering a cloud solution designed to shield sensitive data from foreign legal access, marking an important step towards European digital sovereignty.

After more than three years of development, Google and Thales have achieved a major milestone in cloud security. Their collaborative effort, S3NS, was officially granted SecNumCloud certification this Friday, a validation for an offering that integrates infrastructure, platform, and containerized computing. This certification is especially crucial in guaranteeing the protection of hosted data from extraterritorial laws, such as the US Cloud Act.

The S3NS offering, branded as Premi3ns, aims to rival the scale of Google Cloud Platform (GCP) in terms of service provision. Despite leveraging American technologies, S3NS operates as a subsidiary predominantly owned by French firm Thales. “Google has good capital, but well below the 24% threshold required by certification,” explained a senior official at S3NS. The company’s leadership structure further solidifies Thales’ control, with all five directors originating from the French company, granting them full decision-making authority.

The broader cloud market is currently dominated by Amazon, Microsoft, and Google, raising concerns about European dependence on American tech giants. This new venture directly addresses those concerns by providing a secure alternative for organizations handling sensitive data, enabling them to embrace cloud technology – and its associated innovations – without compromising data security.

The architecture of Premi3ns ensures a high degree of isolation. While GCP provides the underlying source code, it undergoes rigorous auditing before being deployed to S3NS customers through data centers owned and operated by the joint venture. “No one at Google has control over the system, whether it’s the infrastructure or the software,” a company representative stated. “Google becomes a simple technology supplier, like so many in tech!”

While S3NS aims to eventually match the breadth of GCP’s service catalog, customers should anticipate a cost increase of 15% to 20%, alongside a delay in accessing the latest Google Cloud innovations. “For simple updates, there will be a delay of around a week between GCP and S3NS,” cautioned a Google Cloud vice-president. “For new products or new services, it will be necessary to verify that they meet the SecNumCloud criteria, which will involve a longer delay.”

This achievement positions Google Cloud favorably against competitors like Microsoft Azure, whose technology underpins the Bleu joint venture between Orange and Capgemini, currently lagging in the certification race. Amazon, meanwhile, is pursuing a different strategy with its European sovereign cloud (ESC), aiming for a “photocopy” of AWS operating with complete autonomy from its global infrastructure.

According to a technical director at AWS France, “This cloud is not connected to any other cloud outside Europe, and is operated by European citizens, residents of the EU and who only have access to the ESC when they are on European territory.” The company’s Nitro technology further isolates customer data from AWS infrastructure, theoretically preventing unauthorized access.

However, the level of true sovereignty offered by Amazon’s approach has been questioned. A senior official at S3NS contested that “In the case of Amazon, the cloud remains operated by the subsidiary of an American group, thus required to respond to American justice.” This sentiment was echoed, albeit reluctantly, by an AWS vice-president who, when asked about responding to a US government request for ESC data, stated, “I don’t think AWS can say no.”

To further safeguard data security, S3NS intends to limit its expansion within Europe, citing concerns raised by a recent case involving French OVHcloud in Canada, where Canadian authorities demanded access to data hosted in France and the United Kingdom.

The increasing presence of American tech giants in the European market is not without its critics. Hexatrust, a professional association of French and European cybersecurity firms, recently called for an end to “sovereign-washing” and a clearer definition of sovereignty based on “data sovereignty, operations and technological sovereignty.”

One industry strategist grumbled that “S3NS and Bleu do not meet the pillar of technological sovereignty. If the Chinese Alibaba were certified following the same logic, this would raise questions.” However, this strategist also acknowledged that these projects demonstrate a growing interest in the rigorous SecNumCloud certification, established by ANSSI and considered more demanding than the emerging EUCS certification.

The S3NS offering is already attracting customers, including EDF, MGEN, and Matmut, demonstrating a clear market demand. According to a company director, the objective is to address data security needs that were previously unmet by traditional cloud solutions, potentially encompassing 50% to 60% of sensitive data for some customers, and 5% to 10% for others.

Currently, French cloud providers are primarily certified for infrastructure, lacking platform-level certification. As one industry president noted, “We would like to have European Azures, but this is not currently the case.” These hybrid offerings, like S3NS and Bleu, represent a step forward in addressing the growing need for data sovereignty, though many hope for the eventual emergence of fully European-owned and operated cloud solutions.
