Cloud and sensitive information systems: summary of ANSSI recommendations
Whether for profit, espionage or destabilization, attackers’ growing mastery of cloud environments is leading to an increase in attack attempts.
Whether an organization wants to migrate to the cloud, or is already using it, it needs to be aware of the threats and measure the risks. A methodical approach to risk assessment is essential.
The summary published in February 2025 by ANSSI, “Cloud Computing – Etat de la menace informatique” (Cloud Computing – State of the cyber threat), assesses the threats to the cloud and proposes security recommendations to address them. It follows on from the guide “Recommandations pour l’hébergement des SI dans le cloud” (Recommendations for hosting information systems in the cloud), published by the same agency in July 2024.
What challenges do these ANSSI publications address?
The publication “Cloud Computing – State of the cyber threat”, released by ANSSI in February 2025, arrives in a complex international legal framework in which the protection of sensitive data is subject to a range of regulations as well as a range of threats.
It therefore advocates strengthening digital sovereignty and the independence of infrastructures, so that they comply with European regulations while remaining robust against the cyber threat and shielded from foreign interference and from the risks linked to the extraterritorial reach of foreign law.
In detail, European law, through Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR, or RGPD in French), imposes strict obligations on the processing of personal data within the European Union and on its transfer to third countries. Any organization using cloud services must ensure that its practices comply with the GDPR.
Under Article 44 of the GDPR, personal data may only be transferred to, or accessed from, a country outside the EU if that country ensures an adequate level of protection, which the European Commission formally recognizes through an “adequacy decision” (Article 45), or, failing that, if an appropriate legal safeguard is in place, such as standard contractual clauses (Article 46). Absent such a mechanism, the transfer is unlawful.
So, when choosing a cloud provider, organizations need to pay particular attention to the fact that some companies are subject to extraterritorial laws such as the U.S. Clarifying Lawful Overseas Use of Data Act, or CLOUD Act. This legislation enables US authorities to demand access to data stored by cloud service providers subject to US jurisdiction, even if the data is hosted outside US territory.
In any case, the CJEU’s Schrems II ruling of July 16, 2020 (Case C-311/18) clarifies that, whatever transfer tool is used, it is up to the data exporter to assess the legislation of the destination country in order to determine whether the guarantees provided by the contractual clauses or other transfer tools can actually be honored in practice. In other words, the exporter must verify that the level of protection required by European law is maintained.
The publication highlights a major issue: the security of cloud environments themselves. More and more organizations, public and private, rely on the cloud to host their services and data, yet this transition significantly increases the attack surface. Whether it originates inside or outside the organization, the threat weighs particularly heavily on cloud infrastructures, which concentrate large volumes of sensitive data. Cyber espionage, data theft, service disruption: the threats are manifold.
The document stresses the importance of a clear understanding of the shared responsibility model between cloud service providers and their customers: the provider secures the underlying infrastructure, while the customer remains responsible for what it deploys on top of it (configuration, identities and access rights, data), with the exact boundary depending on the service model (IaaS, PaaS or SaaS). Each party plays a key role in the overall protection of the information system.
ANSSI’s recommendations take this threat landscape into account and call for stronger security of information systems, which must guarantee the availability, integrity and confidentiality of data in the cloud. The publication also reflects ANSSI’s role in supporting organizations through their digital transformation, restating security best practices and advising on how to raise teams’ awareness.
It also highlights the need to manage effectively the risks associated with compromises, whether ransomware, identity theft or DDoS attacks, and addresses the challenges posed by extraterritorial legislation, which can affect the confidentiality of data hosted abroad.
What are the details of the threats?
The February 2025 publication describes the cloud threat according to whether it targets cloud infrastructure providers and operators, cloud service customers, or virtualization applications and hardware management components. For each of these targets, it describes the attacks they are likely to face:
- those targeting providers and operators, for profit, espionage or destabilization;
- those targeting customers, in particular by exploiting misconfigurations;
- those targeting virtualization applications, via vulnerabilities in hypervisors and remote management systems;
- and, of course, the malicious use of the cloud itself as attack infrastructure.
What’s your take on the subject?
The cloud is a powerful tool that lets us deliver a wide range of services in every field. We believe that this publication, with its more detailed description of the threats involved, will be very useful for assessing the risk of our own internal cloud solutions as well as those we provide to our customers. As part of an information security management approach, the threat descriptions, risk scenarios and recommendations it contains can serve as guidelines to be integrated into an information systems security policy for the cloud. These are publications to keep as references.