Renowned for its fortresses built by Vauban, Luxembourg now wants, alongside EBRC, to be the fortress of Europe in order to protect its data. The Grand Duchy’s reputation in the field of risk management and data confidentiality in the areas of finance and international institutions, among others, is well known, as the market’s international vocation is also well established and many other sectors (Biotechnologies, Space, Health, Defence, etc.) value the country’s central position and know-how. Yves Reding, EBRC CEO, explains this specific positioning on the European market: “We aim to be a centre of excellence for the management and protection of sensitive data. Our philosophy is as follows: in order to protect companies’ most critical data, it is necessary to control the entire processing chain from hosting to operations, and to ensure its continuous security and continuity by identifying and mitigating each risk. That is what we call Cyber-Resilience.”
End-to-end control remains essential
To ensure that Cyber-Resilience, EBRC’s managers believe that it is essential to control all of the services involved in the information management, as emphasized by Yves Reding. “Controlling the chain of services from end-to-end is of crucial and paramount importance when it comes to ensuring cyber-protection. The approach involves the least possible subcontracting as we now know that this component is a major vector for cyber-attacks”, as Guillaume Poupard, General Director of the ANSSI, emphasized at the last FIC.
The first component in the chain is the Data Centre. EBRC has extensive expertise in this area as it operates five Data Centres, three of which are Tier IV certified (15,000 m² of server space), offering the highest level of availability currently possible. The infrastructures are interconnected and supplemented with business resilience solutions (800 user positions), in order to be able to resume the entirety of a business in the event of a loss. These first-class services, which form the basis of all the IT outsourcing, European “sovereign” cloud, security and consulting services (EBRC Trusted Services Europe), make it possible to offer the most demanding international customers a complete end-to-end support service enabling them to develop in cyberspace with an easy mind. “It is necessary to be able to manage security with an internal team that continuously monitors threats” added the CEO. “This is why we have our own CERT to assess the new threats that continuously appear, our own SOC, a team operating 24/7 that is responsible for detecting threats and remedying attacks on our customers’ infrastructures, work which is jointly carried out with our CERT. We are able to ensure that Cyber-Security in a full-managed mode, with a consulting team using the preliminary risk analysis to implement the security policy for our customers, and even using the services of ethical hackers to validate the security architecture implemented.”
Designed and operated to host digital data
The exponential growth of digital has enabled companies to develop new value-added activities. Nevertheless, the protection of the data they manage can make them easy and ultra-exposed prey in cyberspace if they fail to take this “new world” into account. EBRC positions itself on that market with consulting offers; the aim is to deliver an adapted and tailored response covering the entire spectrum from data hosting, whether dedicated or in the cloud, to data management and protection. Adapting the resources makes it possible to select the responses offering the best effectiveness considering regulatory and business constraints using standardized processes able to guarantee overall traceability and auditability. Yves Reding’s desire was to apply these broad principles to EBRC before offering them to its customers. This is why he implemented an ambitious certification policy based on the ISO 27001 (information security), ISO 22301 (business continuity), PCI DSS (electronic payments), ISO 20000 (Service Management), and health data host (HDH) standards for the French market. “We expect the European Commission to push other Cyber-Security certifications to ensure that companies’ partners are trusted partners and we will continue this systematic certification strategy” explained the CEO. Philippe Dann, EBRC Head of Risk & Business Advisory, added: “Cyber-Resilience is mix of Cyber-Security and Business Continuity, both of which must be considered as an inseparable whole; this is what motivated us to adopt this certification strategy for our infrastructures and our organisation to prepare ourselves for this approach before offering it to our customers. This is how we set ourselves apart from the other Cloud stakeholders.” The expert favours a risk management approach which encourages EBRC’s teams “to approach and exchange with the professional entities and the company’s management in order to identify critical activities and applications and link them with IT implementation. This resolutely pragmatic approach based on large amounts of customer feedback makes it possible to contextualise the response for each customer based on their area of business. We apply the ANSSI’s (French National Information System Security Agency) EBIOS Risk Manager methodology, and to this end we have selected the EGERIE solution developed by the French company EGERIE Software with which we have a strong partnership.”
A response to the fragmentation of the European Data Centre market
According to Yves Reding, this end-to-end vision of Cyber-Resilience is a response to the hyper-fragmentation of the European market: “On the one hand we have Data Centre operators which simply host servers in infrastructures, only taking charge of their physical security. On the other hand, we have the major ICT outsourcers focusing on the outsourcing of infrastructures and applications, as well as Business Continuity specialists that focus on that niche. Finally, many Cyber-Security stakeholders remain focused on consulting. In addition, most stakeholders use a chain of subcontractors to deliver their services, and subcontracting has become the weakest link in the field of security. We are one of the few, and possibly the only European stakeholder to use an integrated, end-to-end, highly certified and 100% European approach. Positioning oneself on the most critical applications requires positioning oneself end-to-end as the weakest link will determine the level of security of the whole. Subcontracting one of the links in the IT services value chain leads to a loss of control over the whole, regardless of the SLAs defined by the contracts.”
European by nature
EBRC has 400 customers and over 500 for its French subsidiary Digora. The customers from the various international institutions account for 20% of EBRC’s turnover, but the Franco-Luxembourgish company has customers all over the world and obviously on the European continent. “We are located halfway between Frankfurt and Paris, which positions us at the heart of Europe, providing EBRC with major international exposure and enabling us to offer excellent latency with respect to the major European capitals” explained the CEO of EBRC. “We therefore naturally have a European vocation.”
The customers to which EBRC provides support with respect to the management and protection of critical data obviously include banks, major insurance companies, stakeholders in France and Luxembourg’s health sector, transport sector, industry, and space sector. EBRC operates major international stakeholders and smaller structures such as major law firms, and around forty FinTechs in a "full managed" mode. The common denominator among EBRC’s customers is not size but rather the criticality of the information.
The Luxembourg-based company cultivates this ability to propose tailored offers unlike the ultra-standardized offers put forward by Hyper-Cloud stakeholders. “Customers provide us with their specifications and business objectives and ask us to build and operate the technical infrastructure that will support their business. Our end-to-end control enables us to provide the most adapted response to our customers’ constraints” said Yves Reding, EBRC CEO.