Critical infrastructure-level protections for YesWeHack cloud after switch to SecNumCloud-qualified service

July 4, 2024

YesWeHack has migrated its platform architecture to a private cloud service that is fully compliant with SecNumCloud, a super-stringent security qualification overseen by France’s cybersecurity agency.

This effectively means YesWeHack now enjoys protections for sensitive data, and against downtime, at elevated levels intended for government agencies and critical infrastructure.

Moreover, our customers’ data will continue to be stored only within the EU thanks to SecNumCloud’s rigorous rules around data sovereignty.

The SecNumCloud-qualified service is now provided by Infrastructure-as-a-Service (IaaS) specialist OVHcloud, which was named the European leader in the hosted private cloud market in 2020 by market research firm Forrester.

SecNumCloud evolution

The SecNumCloud initiative was launched in 2013 by ANSSI, the French cybersecurity agency, to protect the data being outsourced to third parties in increasing volumes by government entities and critical national infrastructure.

Public authorities have been instructed to choose only providers qualified under SecNumCloud (or another European equivalent) when seeking commercial cloud storage for highly sensitive data.

As such, the qualification has extremely demanding criteria that offer high levels of assurance to any customer, whatever their sector or risk profile.

SecNumCloud could soon be succeeded by an equivalent EU-wide scheme, the proposed EUCS (European Cybersecurity Certification Scheme for Cloud Services). However, since the EUCS has been partly modelled on the French scheme, SecNumCloud-qualified providers will have a huge head start on non-qualified providers in gaining EUCS qualification.

Strict criteria, exhaustive audits

The SecNumCloud criteria (PDF) comprise 360 security requirements, covering areas such as information security and risk management, encryption mechanisms, incident response and business continuity.

A multi-stage qualification process begins with a rigorous audit of security policies and controls. The cloud provider must then implement any recommendations made after the audit. Qualification is attained following a final audit and ANSSI validation.

This exhaustive process must be repeated every three years to renew qualification, with annual audits in between validating ongoing compliance. Only six providers have achieved qualification so far.

Data sovereignty

SecNumCloud prescribes that providers must be headquartered, and store and process data, within the EU. It also precludes majority foreign-owned providers from being SecNumCloud-qualified.

YesWeHack’s own rigorous compliance with the EU’s strict security and data privacy laws offers strong assurance to EU and non-EU customers alike. YesWeHack also recently gained CREST accreditation for pentesting services and ISO/IEC 27017, the cloud security certification.

Europe’s leading cloud provider

Founded in France in 1999, OVHcloud provides secure, reliable and eco-friendly cloud services in 140 countries.

In a Forrester Wave 2020 study, OVHcloud notched the highest possible scores in role-based access control and several criteria specific to hosted private clouds. As a SecNumCloud-qualified provider, it offers strict EU data sovereignty, a zero-trust model and round-the-clock uptime through a disaster recovery plan.

YesWeHack's partnership with OVHcloud is not new, since we already used other services provided by the company. Our positive experience with OVHcloud helped to make it the standout candidate among SecNumCloud-qualified providers.

Commitment to trust

While using a SecNumCloud-qualified service was not mandatory for YesWeHack, migrating our platform architecture to one aligns with our foundational commitment to trust.

“The YesWeHack platform processes and stores sensitive information about digital assets and vulnerabilities for customers in a wide range of industries, including government entities and critical infrastructure. Moreover, the modern threat landscape dictates that your supply chain must be as secure as your internally controlled infrastructure,” says YesWeHack CEO and founder Guillaume Vassault-Houlière.

“In this context, continuing to partner with OVHcloud was a no-brainer. OVHcloud’s SecNumCloud qualification and peerless reputation for security, uptime, agility and innovation significantly strengthen our security posture and validate the trust customers place in us.”

Will there be any disruption for YesWeHack customers?

A brief period of scheduled maintenance was sufficient to carry out the migration with minimal disruption to users, thanks to our Infrastructure-as-Code (IaC) and real-time data replication processes, which allowed every component supporting our platform to be quickly respawned and set up in the IaaS. Everything is now running normally.
