How Doctolib justifies the choice of the American giant Amazon to host the data of the French


Is the health data of more than 40 million French people safe with Doctolib? To partially answer this question, the medical appointment booking platform, a flagship of French Tech, had planned for several weeks to present its partnership with another French company, Atos, to a handful of journalists. Coincidentally, a few days before this presentation, an article from the Franceinfo investigation unit pointed to an inconsistency in the company’s communication on one aspect of its cybersecurity: encryption.

While this last point was not enough to call into question the overall security of Doctolib’s data, the article revived a recurring criticism of the platform: the hosting of its data with the American company Amazon Web Services (AWS). Behind this reproach are the specters of the Cloud Act and the Foreign Intelligence Surveillance Act (FISA), two American laws which allow the authorities of the country of Uncle Sam to seize data stored by any domestic company, including Amazon, subject to a warrant. And this, even if the data belongs to a French company.

In response to this reproach, Doctolib has always repeated that AWS offers the software services that best suit its business. And during the meeting attended by La Tribune, the startup went into detail about the protections put in place against possible abuses of American legislation.

The Amazon cloud, an efficiency choice according to Doctolib

When it started in 2013, Doctolib operated its own “hardware”, i.e. the servers on which the data is stored. But, a victim of its own success and of its need for additional computing capacity, the startup quickly no longer had the means to increase its number of servers itself. It therefore decided to move its IT infrastructure to a “99.99% cloud” model. In other words, with the exception of a handful of servers kept in-house, all of the company’s data is stored in Amazon Web Services’ data centers in Paris and Frankfurt.

The platform does not hesitate to advertise this all-cloud model, which in particular allows it to absorb its huge peaks of activity, at more than 2 or 3 times its usual traffic. On the evening of the vaccine pass announcements, for example, Doctolib recorded 3 million appointments in 5 hours. “The elasticity of the cloud makes it possible to multiply its infrastructure by ten in about ten minutes”, estimates Jean-Baptiste Voron, CTO cybersecurity at Atos, present at the press conference. Concretely, AWS, like other cloud providers, has thousands of servers that can be temporarily mobilized to absorb a peak in traffic, whereas if Doctolib managed its own infrastructure, it would be unable to install a large number of additional servers in a reasonable time. Yet guaranteeing the availability of its services is essential to its business model: taking its tools offline would have serious consequences for the organization of its client practitioners.

When switching to the cloud, Doctolib immediately turned to Amazon Web Services, which was the second company to obtain health data hosting certification after Microsoft. A more than satisfied customer, the startup has become a veritable salesperson for the American cloud’s security services, which it considers to be “very good quality” and “so far unequaled” in France – an observation inevitably debated by French companies (OVHCloud, Scaleway, Clever Cloud, etc.). This relationship of trust is well maintained by the host: during the pandemic, AWS, for example, carried out tailor-made development to meet the needs of the French.

“The problem with scaling the cloud is not to deliver additional computing capacity. Anyone can add servers. What is difficult is to add computing capacity while maintaining a constant level of security”, explains Jean-Baptiste Voron. And indeed, Doctolib believes that the software tools offered by AWS allow it to keep this promise.

Atos, the French partner for data protection

While Doctolib fully stands by its choice of AWS, it does not place 100% of its trust in it, a common best practice in cybersecurity. This is why it calls on the French company Atos to manage an essential component of data confidentiality: encryption.

Concretely, encryption consists in modifying the content of the data, through cryptographic algorithms, to make it unreadable to anyone who does not have the reading key. It is possible to encrypt data in transit (against the risk of traffic interception), to encrypt data at rest (against the risk of hardware theft), or even to encrypt data “server-side” (against the curiosity of people who have virtual access to the data). A good encryption policy must therefore ensure that in the event of a leak at any point in the value chain, the data is not compromised. “If data repositories of large size and weight go into the wild but are unreadable and cannot be reassociated with the original data, then they will have no value”, recalls Jean-Baptiste Voron.

To read encrypted data, you must either have the key that was used for encryption, which French terminology calls “déchiffrer”, or break the encryption without the key, which it calls “décrypter”. But this last option requires significant computing capacity, and market standards make it difficult to achieve. One of the major cybersecurity challenges for companies therefore lies in the management (generation, distribution, revocation) and storage of encryption keys, so that they do not end up in the wrong hands.

Encryption key safes

Initially, cloud providers also provided the key manager, which meant that enterprise customers were putting all their eggs in one basket. But since the mid-2010s the cloud industry has been turning to the concept of “bring your own key”. In other words, the customer of the cloud provider takes care of the encryption problem itself.

This is where Doctolib made the choice of a sovereign technology, the HSMs (Hardware Security Modules) from Atos. Concretely, an HSM is a physical box which encloses the master cryptographic key (a virtual mathematical formula). “The cryptographic key system takes the form of a pyramid with, at the top, a master key which gives access to all the keys”, explains the cybersecurity manager of Atos in lay terms.

Given the sensitivity of its contents, the box meets a whole list of international security standards. It has also obtained specific qualifications from Anssi, the benchmark public agency on cybersecurity, in particular for its way of generating keys. “In cryptography, there is no tinkering. We rely on proven mechanisms, reviewed by the world of free software”, notes Jean-Baptiste Voron, however.

Access to the box is regulated by an algorithm known as “Shamir’s Secret Key Sharing”. Concretely, when the HSM is set up, seven people are each given a piece of the “secret” that secures the box. Five of these seven people must then come together and combine their pieces to open the HSM and access the key. Thus, a malicious individual acting alone cannot access the content, nor can a duo, a trio or even a quartet. “It is the same principle as the procedures for launching nuclear missiles”, summarizes Jean-Baptiste Voron. If a person tries to open the box without authorization, the latter … self-destructs, and the key with it. This risk forces Doctolib to have at least two redundant HSMs, so as not to lose the encryption key forever.

According to several cryptography experts contacted by La Tribune, the system deployed by Doctolib drastically reduces the risk of loss of data confidentiality, even if zero risk does not exist.

“Amazon cannot access unencrypted data”

For Doctolib, offloading the management of its encryption to Atos also allows it to respond in large part to the threat represented by American legislation. Even in an extreme case where the American authorities would obtain from the European court of justice a warrant to seize data from Doctolib, the data would be encrypted, since “Amazon Web Services cannot access unencrypted data”, argues Cédric Voisin, the startup’s chief information security officer (CISO).

And for good reason: the encryption keys are in the HSMs of Atos, which, as a French company, is not subject to American legislation. Result: to read the seized data, the American authorities would have to work to break the encryption, a particularly difficult task, even doomed to failure with today’s technologies.

Cédric Voisin puts forward the use of Atos boxes as proof that the startup does not shun French technologies when it considers that they meet its criteria. “As soon as we can take sovereign technology, we do”, he says. He thus recalls that digital sovereignty does not depend solely on the choice of the data host.

But, despite the legitimate justifications, the choice of AWS by Doctolib remains a symbol of the stranglehold of the three American cloud giants (Google, Amazon, Microsoft) on the data produced by the flagships of French Tech. And the debate on the choice made by the French platform is far from over.