Data protection, moving towards new certifications
Is data the oil of tomorrow? Carried by an exponential growth and the explosion of Big Data and the Internet of Things (IoT), data is becoming a resource at the center of strategic, legal, and security issues. The volume of data is such that a new unit of measurement has been introduced for it: the zettabyte (ZB), trillions of megabytes. According to a study* published by IDC, the amount of data will increase tenfold between 2013 and 2020 and will reach the astronomical amount of 44 zettabytes.
Driven by the explosion of the Internet of Things (IoT) and Big Data, the notion of information security is at the heart of the debates, especially with an emphasis on data protection. Number 3 worldwide in cloud and Internet infrastructure, with 250 000 servers hosted within 17 datacenters, OVH is on the frontline when it comes to security. Be it infrastructure, network or information system security policies, everything is built to meet requirements of the highest level.
Romain Beeckman, head of OVH’s legal department, concurs: “data security is one of OVH’s top priorities. It is natural for a key global actor in digital technologies to play a prominent role on this matter.
Certifications are constantly evolving
OVH is committed to a global certification strategy in order to get its infrastructures and services recognized as being compliant with the industry's best practices and international standards. OVH facilities are protected and monitored, and they receive the same level of protection regardless of a datacenter’s location. The objective is not only to guarantee that level of reliability but also to demonstrate it objectively. This is the approach that OVH has initiated by obtaining certifications, thereby proving themselves as experts in their field.
For several of years, Dedicated Cloud has been ISO27001 and SOC 1 and 2 type II certified. “It is an important guarantee of security, a sign of confidence,” explains Thibaud Saudrais, Quality Manager at OVH. “We have to evolve every year because nothing is set in stone, and we need to maintain our level of quality while constantly adapting. This is a continuous improvement process.”
New certifications are earned on a regular basis to acknowledge the efforts of the company and its expertise in security. “For example, the latest certification to date is the PCI DSS (information security standard for credit card payments) which allows our customers to use our infrastructure to store bank and credit card numbers on Dedicated Cloud,” adds Thibaud. “This gives our customers the ability to offer their clients the possibility to store this type of data. Trust is reinforced and it’s a win-win situation for us all.” Other projects are in development, notably a solution to store health care data that should happen very soon,” announces Thibaud Saudrais.
At OVH, certifications extend to other services. Especially in the case of the Isolated Space solution, made with racks of Dedicated Cloud servers devoted to one customer and physically isolated inside the datacenters. “This is a service centered on physical security and it is ISO27001 certified. If one of our customers requests 30,000 servers, we can build a private ISO27001 certified datacenter for him. It is included in the scope of our certification.”
Alongside these measures a policy of awareness was put in place: PSSI defines the internal work processes of OVH employees and provides a framework for the protection of information systems. “The security of the OVH Group's data, as well as our customers' data and their customers', is essential for us to grow and maintain the infinite trust our customers have put in OVH to protect their data,” explains Laurent Allard, CEO of OVH.
The establishment of a very strict password management policy, of a hierarchy of rights policy on infrastructures, of a partitioning policy, and the use of proxy servers for authentication, have all been done to reduce or eliminate risks. Romain also adds, “We must be proactive and capable of identifying all risks. If there is the slightest risk of a data breach, we need to know and understand what happened. Could it be due to our internal processes, could it be a failure, could it be negligence, could it be a hacker?” The certification scheme in place today allows to pinpoint very quickly the possible source of a problem. Romain goes on to explain: “This also makes it possible for everyone to get the same alert level and that approach raises the alert level across the entire company. It is particularly through these certifications and the PSSI, but also through the daily support of our teams that we will acquire even more concrete methods to reach our goal.”
Another key element in OVH’s security is that there is no subcontracting. “Today, it’s very simple,” adds Romain, “our customers' data is never sold or traded. Data is stored in our own facilities, internally, and no subcontractor has access to any of it.” Proof of this is that the only people to intervene on a server are employees of the group, including technical support teams and datacenter technicians. “This allows us to guarantee the same level of security and confidentiality in all of our subsidiaries.”
Security is also a matter for users
“We're currently working non-stop to reinforce all levels of security and getting them warranted through these certifications,” Romain continues. “We secure the physical infrastructure as well as the network and we include anti-DDoS protection. Then it's up to the customer to protect their structure by incorporating authentication processes and monitoring, securing database access with strong passwords, reviewing logs and looking for any possible intrusion attempts.” In effect, OVH does not have access to the content of hosted servers. The customer, as the administrator, will grant permission to OVH to intervene under specific circumstances. An OVH technician can then perform maintenance and the customer can restrict access after the scheduled work has been completed. All operations are transparent with the customers having total visibility of the intervention.
This is why everyone involved in the chain is concerned with security and each person plays a major role. “It is customer's responsibility to decide on the level of protection they need,” explains Thibaud. “Some data are more sensitive than others and the end user requirements are not all the same.” It is necessary to create an adequate architecture and to provide them with maximum protection by using additional tools. “We guarantee infrastructure security but customers also have certain elements to safeguard.” As such, they must adhere to best practices: management of administrator access, encryption of virtual machines, use of strong passwords… “There is a shared responsibility and each party has their role to play while keeping a common objective: security.” OVH Academy events are an excellent way for many clients to integrate good security practices. Previously focused on Dedicated Cloud, this year’s events will extend to dedicated servers. Indeed, it is through good security that data will transform into “oil”.
* Étude IDC, April 2014