OVHcloud announces new examinations and the ISO 27001 certification
By Jeremiah Morrow
OVHcloud has obtained several new attestations and the ISO certification for its product offerings in the east and west coast Data Centers. Hosted Private Cloud, Dedicated Servers and Public Cloud services within the US Data Centers are now officially compliant with ISO 27001, Type 2 SSAE 18 SOC 1&2 I, and Type 1 HIPAA frameworks. This is great news for any customers who are hosting financial or sensitive/critical data on our servers, and particularly for customers in regulated industries like healthcare.
Our legal, security & compliance, and Data Center teams have been hard at work ensuring that we meet the standards to protect our customers’ data, but they took some time to share a few quick facts about these attestations and the ISO certification and the process for obtaining them.
What are all of those certifications?
ISO/IEC 27001 is an international standard that describes the “requirements for establishing, implementing, maintaining and continuously improving an information security management system.” It describes the organizational method which ensures confidentiality, integrity, availability and traceability of an information system.
American Institute of Certified Public Accountants (AICPA) SSAE 18 “Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.”
In other words, SSAE is used to regulate how companies conduct business, and it defines how companies report on compliance controls. There are 3 different reports:
- SOC 1 is a control report for service organizations which pertains to internal control over financial reports.
- SOC 2 is a report that evaluates the business information system that relates to security, availability, processing integrity, confidentiality, and privacy.
- SOC 3 is a report that is mainly used as marketing material. It doesn’t go as in-depth as SOC 2.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a US federal mandate that requires security and privacy protections for Protected Health Information. OVH US' HIPAA clients will have additional trust for their customers via a signed Business Associate Agreement (BAA) validating that OVH US will appropriately safeguard protected health information.
The purpose of the Type 1 HIPAA examination is to provide assurance that OVH US conforms with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Standards for the Protection of Electronic Protected Health Information (“HIPAA Security Rule”), and the Notification in the Case of Breach of Unsecured Protected Health Information enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH Breach Notification Requirements”), as described in Part 164 of CFR 45.
What was the process for obtaining these certifications?
This was truly a team effort for OVHcloud. A team of security experts worked with teams in charge of the design and operation of the service, customer support, sales teams and management to prioritize improvements to meet and exceed compliance standards. We chose Schellman & Company LLC to perform a third-party audit, which included onsite interviews, data center visits, documentation reviews and systems observation over a period of months.
What does this mean for customers?
Data is the most important asset our customers possess today, and it will be even more important going forward. We take our role in the protection of our customers’ infrastructure and data seriously, and we are constantly looking for ways to improve.
Meeting these standards is a testament to how important information security and availability are to OVHcloud. Regardless of which infrastructure services you are consuming, your data is safe in our data centers.
For more information about our certifications, visit our compliance and certifications page. If you want to learn more about how OVHcloud manages data security in general, visit our data security page.
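The idea of entrusting your sensitive data to a third party was still unthinkable just a few years ago. Today, many companies are externalizing their information system to cloud providers. However, with the wide range of offerings on the market, choosing a provider rapidly becomes a challenge. To help guide you through this choice, Mehdi Bekkai, product manager of cloud computing at OVHcloud, shares his expert opinion on the right way to adopt the Cloud.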
I am gradually developing, testing, and building up my activity…
A VPS (Virtual Private Server) is one of the simplest solutions on the market for trying out the cloud. Users benefit from ‘root’ access to the VPS and can manage the service like a dedicated server, the difference being that it's administered by the service provider. This server is just as suitable for developing applications as it is for hosting a standard website or a small e-commerce site. Ideal for new businesses, VPS is a major step in transitioning to the cloud and represents an opportunity to test out cloud conditions on a virtual server at the best value for the money.
The OVH extra: “VPS allows you to focus on your project by freeing you from administrative constraints and the challenge of choosing applications and environments. At OVHcloud, we offer performance-oriented (SSD), high availability (cloud), and enhanced RAM VPS options with triple replicated data. To all this, we add a Plesk offering, which includes many pre-installed services like WordPress and PrestaShop.”
I have made up my mind; I am going into the industry…
Public Cloud operates through a network of physical servers, forming the base of an infrastructure in which several dozen instances (or virtual servers) can be deployed within a few minutes.
Oriented toward engine or ‘compute’ performance, this offer is well suited to large-scale data processing, high-performance calculation (HPC), streaming, or hosting bigger e-commerce sites. The fast deployment of instances means it can deal with high traffic on a website and ensure high availability.
The OVH extra: “With the pay-as-you-go payment model of Public Cloud, you pay for each of your instances by the hour or by the month, and you can deploy or deactivate them quickly as, and when, you need to. Virtualization is done by OpenStack technologies, so it can be automated (API) and reversed. This means the customer can migrate their infrastructure and configuration to Public Cloud whenever they choose to do so.”
I need to store, protect, and retain access to my data…
Beyond data processing, the cloud also represents an excellent way to store data, independently or as part of a ‘compute’ offering. There are two different types of storage depending on your needs:
“At OVHcloud, Public Cloud Storage is focused on data storage or backup in the cloud. It exists in two forms: if you need unlimited data storage and require access to your data at any time (for an e-commerce site for instance), Object Storage is for you. For long-term archiving with deferred retrieval (data access is not immediate), the less costly Cloud Archive is ideal. Cloud Archive is suitable for occasional (multimedia, old catalog, etc.) or regular (balance sheet, dematerialized admin, etc.) archiving needs,” adds Mehdi Bekkai.
The OVH extra: “With the Object Storage offers, your data is triple replicated and highly protected.”
I want to administrate my own data center remotely…
Private Cloud is recommended for companies that want to place their critical/sensitive productions or applications in the cloud. In a ‘single tenant’ configuration, each customer is the sole user of a scalable infrastructure that is completely dedicated to guaranteeing an optimum security policy.
This configuration allows you to build and control your own infrastructure according to your specific needs: hosting websites, applications, Software as a Service (SaaS), software packages (management tools for companies), etc.
“OVHcloud Private Cloud exists in two packages: first with Dedicated Cloud, a versatile solution that offers the best price/performance ratio. Meanwhile, Software Defined Data Center (SDDC) is a high-performance cloud for building and managing your own cloud, integrating a network management solution (NSX). This package is available on an international basis, identical in all OVH data centers.”
The OVHcloud extra: “Access to the VMware hypervisor (licenses included) allows you to create unlimited virtual machines. The starter packages are delivered within 30 minutes, and additional physical resources are delivered in 5 minutes. What's more, Private Cloud even has the certification required to host bank data (PCI DSS).”
I cannot decide between Public and Private…
Performance and/or storage, data sensitivity, traffic fluctuation, and more: there are so many variables that make each cloud infrastructure unique. It can be hard to decide between Public and Private Cloud. “With vRack, OVHcloud allows you to mix and match these different technologies in a unified infrastructure, so you can optimize the way you use each product. For example, many OVHcloud customers place their core business in a dedicated cloud, and manage burst by deploying instances on the public cloud.”
The OVHcloud extra: “This package benefits from multiple perimeters and multiple products. On the vRack (the OVHcloud private network), you can connect different packages from different data centers, wherever they are in the world, and stay closer to your customers.”
And what about my existing network in all this?
Some companies have their own infrastructures and want to keep them while expanding on-cloud infrastructures via an on-premise/off-premise configuration. “To respond to this specific need, we have developed vRack Connect. This works for companies that want to keep part of their production or their data on their own network and externalize the rest to the cloud in order to benefit from the on-demand scalability and resources. In sum, vRack Connect represents the best compromise for keeping a foot in your physical network while enjoying the elasticity of the Cloud.”
The OVHcloud extra: “With shared or dedicated connection (up to 10 Gbps guaranteed), vRack Connect is available via the worldwide PoP (Points of Presence) network. In addition to this network, OVHcloud is developing an ecosystem of partners like Equinix Cloud Exchange so we can more easily activate interconnections with our data centers.”