{"id":18608,"date":"2025-01-27T21:20:58","date_gmt":"2025-01-27T20:20:58","guid":{"rendered":"https:\/\/suadeo.fr\/2025\/01\/27\/sensitive-data-state-of-the-art-security-level-required\/"},"modified":"2025-01-29T17:09:21","modified_gmt":"2025-01-29T16:09:21","slug":"sensitive-data-state-of-the-art-security-level-required","status":"publish","type":"post","link":"https:\/\/suadeo.fr\/en\/2025\/01\/27\/sensitive-data-state-of-the-art-security-level-required\/","title":{"rendered":"Sensitive data: state-of-the-art security level required"},"content":{"rendered":"\n<p class=\"has-medium-font-size\"><strong>Data protection day is an opportunity to take stock of the regulations governing sensitive information systems and, more specifically, Restricted Distribution (RD) information. What technical practices should you adopt if your organization or its architectures host data at the \u201cRD\u201d level? Interministerial instruction II 901 in practice.  <\/strong><\/p>\n\n<p>Let\u2019s start by defining \u201c<strong>sensitive information<\/strong>\u201d. As specified by ANSSI<a href=\"#_ftn1\" id=\"_ftnref1\">[1]<\/a>, this is information \u201cwhose disclosure to unauthorized persons, alteration or unavailability is likely to undermine the achievement of the objectives of the entities that handle it.\u201d <\/p>\n\n<p>Protecting this data rests on three pillars: confidentiality, integrity and availability. A ransomware attack on an IS is a typical threat to all three: it renders data unavailable by encrypting it, may alter it, and increasingly exfiltrates it before encryption.<\/p>\n\n<p>Among sensitive data, <strong>RD (\u201cRestricted Distribution\u201d) information<\/strong> is singled out. It may be handled by state administrations, by organizations subject to the PPSTN regime (data that could be misused for terrorism or for the proliferation of weapons of mass destruction), or by service providers that process this data and are qualified by ANSSI.  
<\/p>\n\n<p>Access to RD information is strictly reserved for persons \u201cwho need to know it in the performance of their duties or of a specific mission\u201d.<\/p>\n\n<p>RD information may only be processed on an <strong>RD-approved Information System<\/strong> and is subject to regulations that impose specific security measures.<\/p>\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"800\" src=\"https:\/\/suadeo.fr\/wp-content\/uploads\/2025\/01\/Patrimoine-informationnel-numerique.png\" alt=\"\" class=\"wp-image-18598\" style=\"object-fit:cover;width:400px;height:400px\" srcset=\"https:\/\/suadeo.fr\/wp-content\/uploads\/2025\/01\/Patrimoine-informationnel-numerique.png 800w, https:\/\/suadeo.fr\/wp-content\/uploads\/2025\/01\/Patrimoine-informationnel-numerique-480x480.png 480w\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 800px, 100vw\" \/><\/figure>\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>Three classes of Information Systems<\/strong><\/h2>\n\n<p>II 901 defines three classes of Information Systems:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Class 0 IS<\/strong>: a public IS (e.g. the Internet), or an IS connected to a public IS that does not meet the requirements of Class 1;<\/li>\n\n\n\n<li><strong>Class 1 IS<\/strong>: a sensitive (or RD) IS connected to the Internet through a secure gateway that meets the security requirements defined in II 901;<\/li>\n\n\n\n<li><strong>Class 2 IS<\/strong>: a sensitive (or RD) IS physically isolated from the Internet.<\/li>\n<\/ul>\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>Sensitive or RD IS: technical and organizational security measures<\/strong><\/h2>\n\n<p>The II 901 rules, and the ANSSI recommendations that accompany them, are intended to guarantee the protection of sensitive IS, and in particular of IS classified \u201cRestricted Distribution\u201d (RD).<\/p>\n\n<p>The main measures to be taken are:<\/p>\n\n<p><strong>1. Interconnections between IS:<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li>To prevent intrusion and data exfiltration, every interconnection must be <strong>inventoried and approved<\/strong>.<\/li>\n\n\n\n<li>Every interconnection must be secured:\n<ul class=\"wp-block-list\">\n<li>Use of <strong>VPN tunnels<\/strong> built with <strong>equipment approved by ANSSI<\/strong> to protect data flows,<\/li>\n\n\n\n<li><strong>Confidentiality, integrity, anti-replay protection and mutual authentication of the endpoints<\/strong>,<\/li>\n\n\n\n<li>Filtering of flows by an external firewall upstream and an internal firewall downstream.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Attack detection: gateways are equipped with <strong>intrusion detection systems<\/strong> using qualified probes.<\/li>\n<\/ul>\n\n<p><strong>2. 
Remote (nomadic) access:<\/strong><\/p>\n\n<p>Remote access is <strong>allowed only where there is a business justification<\/strong>, and must:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Comply with the II 901 security measures,<\/li>\n\n\n\n<li>Be included in the risk analysis carried out for the approval (homologation) of the IS.<\/li>\n<\/ul>\n\n<p><strong>3. Continuous security supervision<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Internet access from a sensitive IS is prohibited.<\/strong><\/li>\n\n\n\n<li>Where operationally necessary, a dedicated IS must be provided to users, ideally through jump hosts (rebound workstations) and otherwise through siloed proxy servers.<\/li>\n<\/ul>\n\n<p><strong>4. Sensitive file management<\/strong><\/p>\n\n<p>All files that transit over the Internet must be <strong>encrypted<\/strong> using RD-approved solutions or solutions holding an ANSSI security visa.<\/p>\n\n<p><strong>5. Information zone partitioning<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li>\u201cSensitive\u201d and \u201cordinary\u201d information must be housed in <strong>separate, compartmentalized zones<\/strong>.<\/li>\n\n\n\n<li>The exchange systems between these zones are supervised: dedicated security mechanisms are installed, flows are allowed only in specific directions according to the IS classes, and access to the exchange system is subject to strict authentication with individual passwords.<\/li>\n<\/ul>\n\n<p><strong>6. 
Data protection and traceability<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li>Implementation of content filtering mechanisms,<\/li>\n\n\n\n<li>Protection against malicious code,<\/li>\n\n\n\n<li>Traceability of data in transit, attributable to an identified user.<\/li>\n<\/ul>\n\n<p>Naturally, <strong>access to RD applications is strictly reserved for RD Information Systems.<\/strong><\/p>\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\">Data platform: security mechanisms in accordance with II 901<\/h2>\n\n<p>All providers involved in an RD IS must comply with these rules. This is the case for Suadeo, which integrates advanced data security, integrity and confidentiality mechanisms into its Data platform:  <\/p>\n\n<ul class=\"wp-block-list\">\n<li>Advanced <strong>encryption<\/strong> of data <strong>in transit and at rest<\/strong>,<\/li>\n\n\n\n<li>Configuration of <strong>security tags<\/strong> (tagging) to categorize data and apply the security rules appropriate to the data handled,<\/li>\n\n\n\n<li><strong>Marking<\/strong> of each data item to indicate its level of <strong>sensitivity<\/strong>,<\/li>\n\n\n\n<li>Addition of <strong>metadata<\/strong> to further automate sensitivity classification,<\/li>\n\n\n\n<li><strong>Granular management and control<\/strong> of authenticators and access rights, coupled with <strong>single sign-on (SSO)<\/strong>,<\/li>\n\n\n\n<li><strong>Role-based<\/strong> permissions management, ensuring that only authorized people can access sensitive data,<\/li>\n\n\n\n<li>Management of <strong>user groups and access policies<\/strong> to keep the security policy consistent and automate access management, reducing non-compliant access caused by human error,<\/li>\n\n\n\n<li>Setting of <strong>password complexity rules<\/strong>,<\/li>\n\n\n\n<li>Implementation of <strong>geographical restrictions<\/strong> on access to data,<\/li>\n\n\n\n<li>Limitation of the 
<strong>duration of user sessions<\/strong> with <strong>automatic lock<\/strong> after prolonged inactivity,<\/li>\n\n\n\n<li>Production of <strong>detailed logs<\/strong> for <strong>complete traceability<\/strong>: identification of users, nature of the operations performed, and contextual information such as the location of access,<\/li>\n\n\n\n<li><strong>Dynamic data masking<\/strong> restricting access to sensitive information according to user permissions,<\/li>\n\n\n\n<li><strong>Complete and time-stamped logging<\/strong> of platform usage (creation, modification, deletion and export of data),<\/li>\n\n\n\n<li>Recording of usage <strong>in real time, in immutable audit logs<\/strong>, in accordance with the audit standards required by European and national regulations. This information is verifiable and can be reviewed in the event of an audit or incident,<\/li>\n\n\n\n<li><strong>Interoperability<\/strong> with monitoring tools and security information and event management (SIEM) systems,<\/li>\n\n\n\n<li><strong>Automatic alerts<\/strong> (by email, integrated notifications or via APIs) to detect and report any unauthorized access attempt, any abnormal action on the platform or any technical incident (ingestion pipeline failures, anomalies in data flows&#8230;),<\/li>\n\n\n\n<li>Segmentation and <strong>partitioning<\/strong> of <strong>production, acceptance (pre-production) and test environments<\/strong> to isolate sensitive data and prevent unauthorized interaction.<\/li>\n<\/ul>\n\n<p>The Suadeo Self Data Services platform includes <strong>a graphical administration interface<\/strong> dedicated to <strong>technical<\/strong> users. This interface is separate from the business user interface. The technical team uses it to centrally manage all services, access controls and platform settings.  
<\/p>\n\n<p>All these integrated security mechanisms make <strong>the Suadeo Self Data Services\u00ae platform a reference solution<\/strong> for public and state administrations. <\/p>\n\n<p>In accordance with instruction II 901, the platform can be <strong>integrated into an RD environment, as is currently the case within the Ministry of the Interior.<\/strong><\/p>\n\n<p>Because they are natively integrated, these mechanisms are also selection criteria in the data projects of private organizations that are committed to <strong>securing and protecting their data.<\/strong><\/p>\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p><a href=\"#_ftnref1\" id=\"_ftn1\">[1]<\/a> Source: ANSSI Guide &#8211; Recommendations for Architectures of Sensitive or Restricted Distribution Information Systems <a href=\"https:\/\/cyber.gouv.fr\/publications\/recommandations-pour-les-architectures-des-si-sensibles-ou-dr\">Recommendations for Architectures of Sensitive or RD IS | ANSSI<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Data protection day is an opportunity to take stock of the regulations governing sensitive information systems and, more specifically, Restricted Distribution (RD) information. What technical practices should you adopt if your organization or its architectures host data at the \u201cRD\u201d level? Interministerial instruction II 901 in practice. Let\u2019s start by defining \u201csensitive information\u201d. 
As [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":18603,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46],"tags":[570,408,584,421,568,588,470,593,117,567,581,104,563,575,580,569,571,582,576,383,585,591,596,573,592,579,456,578,586,566,125,574,587,178,595,589,572,119,75,583,590,471],"class_list":["post-18608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business-trends","tag-901-en","tag-administration-en","tag-alerts","tag-analytics-en","tag-anssi-en","tag-audits-en","tag-cio","tag-control","tag-data-en","tag-data-protection-day","tag-data-stream","tag-donnees","tag-droits-dacces","tag-encryption","tag-gdpr","tag-ii-901-en","tag-inter-ministerial-directive","tag-interconnexions-en","tag-interoperability","tag-is","tag-logging","tag-marking","tag-masking","tag-measures","tag-metadata","tag-private-organization","tag-protection-en","tag-public-administrations","tag-quality","tag-regulation","tag-restricted","tag-safety-rules","tag-safety-standards","tag-security","tag-security-policy","tag-security-tags","tag-self-data-analytics-en","tag-sensitive-data","tag-suadeo-en","tag-supervision-en","tag-tagging-en","tag-technique-en"],"meta_box":[],"_links":{"self":[{"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/posts\/18608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/comments?post=18608"}],"version-history":[{"count":4,"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/posts\/18608\/revisions"}],"predecessor-version":[{"id":18645,"href":"
https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/posts\/18608\/revisions\/18645"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/media\/18603"}],"wp:attachment":[{"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/media?parent=18608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/categories?post=18608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/suadeo.fr\/en\/wp-json\/wp\/v2\/tags?post=18608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}