If you are familiar with the French cybersecurity ecosystem, you probably already know about the JSSI conference. Organized by the OSSIR (Observatoire de la Sécurité des Systèmes d'Information et des Réseaux), a non-profit founded in 1996 that brings together some of the best-known French security practitioners, it is one of the must-attend conferences in Paris.
The 2025 edition of the event was held in the historic premises of the ESIEA engineering school and brought together more than a hundred people on-site. This year's topic was the cloud, and there is certainly plenty to say about it.
To cloud or not to cloud
Moving to the cloud or building a cloud-native company is not a decision to be taken lightly. Weighing the pros and cons of such a move was the topic of discussions led by Inti Rossenbach, a CISO with more than 25 years of experience in cybersecurity, and Stéphane Lermerle, Director of Security for Sovereign Projects at Orange.
While using the cloud brings well-known advantages in terms of flexibility, maintenance, and availability management, it also comes with significant drawbacks. Supply-chain risk is one of them. As cloud providers, through their wide adoption, become primary targets for threat actors, our companies become targets too, even if only through collateral damage. Examples of such attacks are plenty: from the recent Snowflake breach to the compromise of Microsoft Azure by Chinese actors in 2021 after a private key was leaked, we have observed critical security incidents in the past.
Other often overlooked issues that should be weighed before going to the cloud include:
- The black-box nature of the provided services
- The weak default security settings that make adoption easy but often put our organizations at risk
- The difficulty of moving away from the cloud once adopted
- The shared responsibility model and how poorly it is understood from a consumer perspective
This last point brings its own set of difficulties, especially from a contract review perspective. There are many pitfalls in cloud provider contracts that need to be thoroughly reviewed by legal teams to ensure the contractual security of our data. That said, negotiating contracts with cloud giants is often challenging, and we are sometimes forced to accept conditions we don't agree with.

Feedback on running cloud services
Three French cloud provider companies shared feedback on what running a cloud service requires from a security perspective. On the hosting side, Giuliano Ippoliti, from Cloud Temple, and Guillaume Gojard and Julien Levrard, from OVHcloud, both presented the challenges of running a secure cloud service.
While the SecNumCloud qualification, managed by the French governmental security agency ANSSI, takes a lot of effort to obtain, it guarantees a pragmatic and solid security posture on the provider side. For both Cloud Temple and OVHcloud, however, meeting the qualification requirements took years of work and millions of euros of investment.
Demanding a high level of security from cloud providers, including by requiring such qualification proofs, is a must. Indeed, according to OVHcloud's feedback, these providers are targeted by threat actors on an impressive scale and at a very high frequency. The figures OVHcloud shared on the attacks they face are alarming:
- DDoS attacks of up to 2.5Tb/s
- DoS attacks evolving into more complex layer 7 variants
- One serious attack per month requiring crisis management
- 150 bug bounty reports received every year
To monitor and stay alert to those threats, they have to process 16TB of data daily. Crazy.
Detection in cloud environments
Cloud consumers tend to use many different providers and to store most of their data in the cloud. This has severe security implications when those services have a thin boundary between what is public and what is private.
GitGuardian security researchers detailed how the cloud is both the #1 place where secrets leak and the #1 source of those secrets. The volume of those leaks (23M secrets found on GitHub in 2024) makes it hard to alert companies about the serious events. Using various filtering and attribution techniques, the team responsibly disclosed 26 critical secret leaks to companies, including high-profile ones. While some of them reacted in an exemplary way and remediated the incident promptly, we still observe alert ghosting or pushback, which highlights the lack of consideration given to secret incidents despite the numerous secret-induced breaches reported every year.
Some easy and pragmatic steps can be taken to mitigate the secret leaks that will eventually occur. One crucial point is to monitor the activity in your cloud environment. Emilien Lasalle, from TotalEnergies CERT, presented how to perform such monitoring on GitHub Enterprise and the limitations that exist.
Detecting leaked secrets being used in attacks is generally challenging, and doing so is constrained by the monitoring features offered by the cloud providers. But it is not impossible, and it should be part of any cloud security posture.
A Wrap-up
The security of the cloud is a very complex topic. The conclusions drawn during this edition of JSSI could feel a little depressing for us cloud consumers, especially considering the geopolitical situation and the uncertainties ahead from a European point of view. Sovereignty is a hot topic at the moment, but not a question that will be solved easily, and certainly not in this blog post.
To shed some light on this darkness, it is very reassuring to see that people are working hard to make the cloud, sovereign or not, a safer place. We at GitGuardian play our part in this by responsibly disclosing critical secret leak events to companies and, of course, by providing our products to help you detect and manage your secrets and other identities.