An open trusted cloud that meets the very strictest security standards
Security in cloud computing – a must-have for all
In the early years of the cloud, one concern was voiced above all others: security. Many organisations – from start-ups to enterprise-level companies – were concerned that a virtualised infrastructure could never compare to an on-premises datacentre in terms of data security, particularly when it came to sensitive customer and business information. As late as 2018, 90% of cybersecurity experts were concerned about cloud security.
This is understandable. Companies handle more sensitive data than ever – often in a highly unstructured state. This data needs to be stored securely at all times, in full compliance with an increasingly complex range of data protection regulations. The struggle to maintain a secure cloud environment, however, is not a battle companies can win alone. They need a trusted partner, who constantly questions their tools, processes and methods, to respond more efficiently to dynamic cyberthreats.
Yet another iteration of cloud security
Put simply, cloud security is the protection of data, applications, and infrastructure that are part of the cloud computing environment. To deliver a secure cloud, a cloud provider needs to ensure that all parts of the value chain are secured with the necessary measures. From the barbed-wire fence around the datacentre, through access control systems and APIs, to automatic software patching – OVHcloud delivers comprehensive cloud protection.
A global presence built on transparency and control
Fundamental to our security approach is our supply chain, which we maintain complete control of – from the choice of hardware, to the location of our datacentres. We construct our datacentres from scratch and manufacture our full range of servers in house. This isn’t just a question of bringing our production in-house; it also allows us to locate our customers’ data as close to them and their end users as possible, while also ensuring it is stored in full compliance with the relevant data protection regulations.
Our approach is multi-local, as we are situated in multiple jurisdictions worldwide. With each new datacentre site, we strengthen our security protocols and practices to comply with various frameworks and meet each country’s legal and contractual requirements. This approach is backed by our own dark fiber backbone network, which connects our various datacentres worldwide and increases our control over in-transit data.
Our open, transparent approach is mirrored by the security systems we use. With in-house expertise we are able to build, assemble and operate our own security systems. Increased control over hardware enables us to optimise systems to suit customer needs and better manage incidents if they arise.
A security-driven culture
OVHcloud is a proudly European company, and always will be. But regardless, we operate on a global scale, providing infrastructure to customers all over the world. In this global digital landscape, it is not enough to consider security as an afterthought, or as optional. Security should be central to any effective cloud computing operation.
An in-house team of security experts
As with our long-term commitment to open standards, our people play an active part in our security culture, both in terms of maintaining it, and ensuring it is constantly evolving to meet the latest threats. Without their efforts, even the most cutting-edge security measures will prove ineffective.
SOC (Security Operations Center)
Centralising all security tools and processes, our SOC unit is responsible for monitoring and organising the company’s security posture on a daily basis. Besides carrying out security tasks related to infrastructure, the SOC staff also focus on the human element, facilitating training sessions and security drills for all OVHcloud employees.
CSIRT (Computer Security Incident Response Team)
We employ a dedicated ‘CSIRT’ comprised of security experts, who work closely with other teams throughout OVHcloud. Their main focus includes threat detection, incident management, and forensic investigation.
The CSIRT team is able to anticipate emerging threats and vulnerabilities by executing a range of security strategies, such as real-time monitoring, mitigation and response development, early-warning provision, and the detection and identification of malicious activity.
A security advisor is assigned to each major department or product unit within OVHcloud. They are responsible for ensuring security integrity, setting up and monitoring action plans, and conducting risk analysis.
These experts work closely with the CSIRT and SOC teams, ensuring optimal security measures and compliance with OVHcloud’s Information System Security Policy (ISSP).
Employees - the strongest link
OVHcloud have a tailored training program aimed at transferring security best practices to new employees. As part of the on-boarding process, employees receive extensive courses in how to detect phishing and social engineering attacks, as well as password protection practices and protocol. The training is repeated regularly, as are cybersecurity drills and vulnerability alerts.
Security monitoring and transparency with our clients
At OVHcloud we believe our security processes should be our customers’ business, so we create all of our security tools from scratch and publish any developments. This not only drives continuous improvement and a culture of security, it also propagates openness and understanding – vital for so many of our customers.
Our security toolkit
Using and sharing our own tools, such as Cerberus, means we are not dependent on the same software or patch as other providers, and we have closer proximity to our own architecture. We know exactly what’s happening all the time, so we can adapt tools for our customers’ needs, and respond quickly and effectively to any issues that may arise.
To top this off, OVHcloud have implemented a top-level monitoring system for all services. The program detects production and security incidents, monitors critical features, and ensures continuity of service in the performance of automated tasks.
Arming our customers against security risks
While our technical teams may utilise the best tools in the industry – such as WAFs (Web Application Firewalls) and our Bastion server, which manages credentials and administrator activity in a secure way – we also make sure our customers do, too. For example, to administer a Hosted Private Cloud, a customer needs to pass through an SSL gateway which guarantees secure data transfer. For those who require enhanced security, the access can be limited to chosen IP addresses. Additionally, there are security features in the OVHcloud manager, through which customers can alter user permissions and security settings in an accessible way.
Cerberus is a toolkit to receive, parse and process abuse reports received by ISPs or hosting providers, and to automate their handling.
Putting all this into practice
A combination of intelligent automation and human expertise helps us put our security principles into action on a day-to-day basis. The elements of our security ecosystem include:
- Restricted-access datacentre equipped with video surveillance and motion detection systems.
- Our anti-DDoS solution is an industry standard, having successfully withstood the largest attack on record.
- Automated monitoring. All services are monitored 24/7, with any alerts automatically acted on by our security teams.
- Customer account monitoring. Logging unusual behaviours to prevent account hijacking. This is supported by additional security measures, such as two-factor authentication.
Data security while in use, on the move, and at rest
Our customers use dedicated servers to collect, store and process petabytes of data each day. With a number of technologies and services, we help them to secure data during transfer, while at rest, and recently, data that is in use. Confidential computing technologies, such as Intel SGX (Software Guard Extensions), AMD SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualisation), are available with our dedicated servers, ensuring data is secure and encrypted against risks such as malicious intrusions and network vulnerabilities, without compromising CPU performance.
Sending data over the Internet from one server to another has always been a considerable risk. At OVHcloud, we’ve developed a private network solution, called vRack, to limit public network transfer between customers’ servers. Now, they can connect their OVHcloud servers with a private and secure connection, even if they are on opposite sides of the ocean.
The OVHcloud stronghold
Rigorous security measures, isolated hardened zones, and third-party audits all confirm that OVHcloud services represent industry-leading security standards. This allows us to cater to our enterprise customers’ most demanding needs. For industries hosting strategic or regulated data, we propose a combination of customised premium dedicated servers, Hosted Private Cloud and a specific level of support – such as a tailored hosting solution with the highest levels of security, availability and resilience.
We’ve designed Hosted Private Cloud like a fortress, with security by design principles in mind. We adopt strict security measures to reach our three prime objectives: availability, integrity and confidentiality.
The importance of recognised standards and certifications
For cloud providers, recognised standards and certifications are no longer just a ‘nice to have’. They provide concrete evidence that the provider has achieved – or better, exceeded – their expected standard of security. Such standards and certifications range from the universal to the highly specialised, including:
- ISO 27001. The IT industry’s baseline for data security, in place at all OVHcloud datacentres.
- SOC 1 Type II and SOC 2 Type II attestations. The international data protection standards, established by the American Institute of Certified Public Accountants.
- CISPE. OVHcloud applies the Code of Conduct, which promotes security and data protection rules as well as the avoidance of vendor lock-in.
- PCI DSS. The industry standard for companies storing and processing critical credit card data – essential for e-commerce businesses.
- EBA. Compliance with the regulation for financial institutions outsourcing to cloud services, applicable all over the EU.
- Healthcare data hosting. Compliance for the hosting of healthcare data in various countries in Europe, for instance in France with HDS certification, or in the USA with HIPAA compliance.
The range of industry compliance and independent certifications we offer is a key asset - it helps our customers speed up their move to the cloud and operate in freedom.
Partnership and collaboration for security
Building a trusted cloud computing environment requires the collective work of many entities in the value chain, from hardware vendors and software platforms to the integrators and partners who help our customers succeed in the cloud.
Since 2014, when we joined the OpenStack Foundation, we have shared our experience and taken an active role in developing the OpenStack software platform – used for our Public Cloud ecosystem. It’s the combined efforts of thousands of developers that allow us to provide a reliable and secure public cloud environment and resilient public cloud storage solutions.
Teaming up with organisations and companies who share our values of openness and cooperation has always been one of our goals. We believe that in this way we can deliver our simple, multi-local, accessible and transparent solutions more widely. Each day new companies, who like us believe that trust and loyalty cannot be built with a vendor lock-in, are joining our OVHcloud Partner Program.
In light of the recent healthcare crisis, solidarity and fellowship are now more important than ever. As an act of digital support, we encourage businesses to join us in the Open Solidarity initiative and deliver free-of-charge technical solutions for healthcare, remote working and collaboration.
Security has always been the primary point of concern regarding the cloud. And yet the flexibility and scalability inherent to the concept mean that it has faced these concerns head-on and established a standard of security that opens it up to even the most demanding sectors. To build on this, our industry must continue to foster a spirit of openness, transparency and collaboration - working towards a more secure cloud that provides the right foundation for future innovation.
Global Data Sentinel
“Data security needs to be a focus of every organisation. It’s a key platform for building successful businesses – because without it, one hack or data leak can undermine your whole operation. If that isn’t motivation enough to seek out strong data security, new legislation – such as the GDPR in Europe – has highlighted the need for data security in every organisation.”
“Partnering with OVHcloud allows us to build strong and secure environments for our customers with a high flexibility in the design in a short amount of time, to deliver complex environments. The OVHcloud SDDC offer and its powerful design relying on VMware tools, at a well-balanced cost, give us a serious advantage when building secured architecture with NSX Gateway compared to other public cloud offers. The OVHcloud Partner Program is key to us for empowering our sales and technical team. The win/win approach is proving very successful!”