It is essential to draw a distinction between the security of our customers' data and the security of the infrastructure supporting our customers.
Security of Customers’ Data and Applications
Our customers are solely responsible for the security of their data and applications utilizing OVHcloud's Infrastructure as a Service (IaaS). OVHcloud offers specific tools and guidelines to assist our customers in securing their data and applications.
Infrastructure Supporting Our Customers
OVHcloud is committed to ensuring optimal security for its infrastructure. Infrastructure Security includes security policies for the information security management systems (ISMS) and compliance with AICPA standards, ISO certification, and other regulatory standards.
- ISO 27001, 27017, 27018 & 27701
- SSAE18 Type 2 SOC 1
- SSAE18 Type 2 SOC 2
- SSAE18 Type 2 SOC 3
- HIPAA Type 1 Attestation
- PCI DSS Attestation of Compliance (AOC)
You can find a list of these attestation reports, the ISO 27001 certification, and their respective scopes in the Attestations & Certifications section of OVHcloud's compliance website.
Table of Contents
- Information Security Management System (ISMS)
- Compliance and Certification
- Customer Audits
- Risk Management
- Monitoring Services and Infrastructure
- Incident Management
- Vulnerability Management
- Business Continuity Management
- Nature and Environment Risks
- General Physical Site Security Measures
- Physical Access Restrictions to OVHcloud Sites
- Area Access Management
- Managing Physical Access for Third Parties
- Security Awareness & Skill Development Training for Personnel
- Managing Logical Access to the OVHcloud IT System
- Workstation and Mobile Devices Security
- Network Security
- Business Continuity Management
- Monitoring Audit Logs
Information Security Management System (ISMS)
Commitments made by OVHcloud, as a cloud services provider, to ensure a security framework is in place for confidentiality, availability, and integrity.
OVHcloud has implemented ISMS policies to minimize security risks, protect our organization's sensitive data, and ensure business continuity. Our ISMS policies are updated annually or in response to material changes that warrant a policy update. External audits are conducted annually by an independent audit firm to attest to the security of our solutions in accordance with the ISMS framework.
Compliance and Certification
Commitments made by OVHcloud to benchmark its security framework for confidentiality, availability, and integrity as a cloud services provider.
To verify compliance and evaluate our systems' performance, OVHcloud conducts security audits on a periodic basis. These security audits include the following:
- External audits (certifications and attestations);
- Internal audits, carried out by internal or external auditors;
- Technical audits (penetration testing, vulnerability scans, and policy compliance audits), carried out by internal or external auditors; and
- Data Center audits, carried out by internal and external auditors.
If a non-compliance instance is identified, corrective measures are applied to action plans, as applicable. Corrective measures are tracked and regularly reviewed until resolution.
Customer Audits
OVHcloud’s Terms of Service contains customers’ “Right to Audit” provisions.
Customers can elect to carry out technical audits (penetration tests) on their dedicated hosted services subject to the terms and conditions set forth in the Terms of Service.
Risk Management
OVHcloud is committed to a risk management assessment in its capacity as a cloud services provider.
OVHcloud has a formal risk assessment policy that is reviewed annually and/or in response to any material infrastructure changes. The risk management methodology includes the annual evaluation of risks associated with personally identifiable information (PII) and sensitive transactional data where OVHcloud is a data controller or processor.
Customers are responsible for their security measures relevant to their data and application risks associated with their OVHcloud Infrastructure as a Service (IaaS) configuration.
Monitoring Services and Infrastructure
OVHcloud is committed to monitoring its services and infrastructure in its capacity as a cloud services provider.
OVHcloud has a monitoring system for all its services and infrastructure. This program has the following objectives:
- Detect production and security incidents;
- Monitor for critical alerts being escalated;
- Communicate with subject matter experts to trigger appropriate procedures;
- Ensure continuity of services of automated tasks; and
- Ensure the integrity of the systems being monitored.
Incident Management
OVHcloud is committed to maintaining an incident management process in its capacity as a cloud services provider.
OVHcloud has an incident management process to prevent, detect, contain, and resolve service and infrastructure issues. The incident management process includes:
- Classification of Security Events Guide;
- Handling Security Events Procedures;
- Incident Response Plans and Tests; and
- Customer Communication Procedures.
Customers are responsible for maintaining accurate contact information so that OVHcloud personnel can notify them in the event of an incident. In addition, customers are responsible for their own incident management procedures for incidents impacting their infrastructure, which may include OVHcloud notifications.
Vulnerability Management
OVHcloud is committed to managing vulnerability assessments in its capacity as a cloud services provider.
OVHcloud monitors for new vulnerabilities and their remediation via:
- Public security forums;
- Manufacturers / publishers' vulnerability alerts & patch management;
- Incidents identified by Operations teams, third parties, and/or customers; and
- Internal and external vulnerability scans performed periodically.
OVHcloud analyzes all vulnerabilities for their impact on systems and operations. Then, OVHcloud deploys mitigation measures to define and implement corrective action plans, as applicable. OVHcloud tracks all corrective action plans until resolution.
Business Continuity Management
OVHcloud is committed to maintaining its business continuity management in its capacity as a cloud services provider.
OVHcloud ensures continuity of its infrastructure services (availability of equipment, application, and operating processes) through:
- System administration redundancy for servers and equipment;
- Electricity supply continuity and redundancy;
- Capacity management of OVHcloud equipment and servers;
- Water and air-cooling continuity; and
- Customer technical support.
In addition, OVHcloud has the ability to restore services in the event of an incident (e.g. network equipment configuration backups).
Customers are responsible for their backup and restoration procedures either as part of their standard package and/or as an optional configuration depending on the backup services purchased.
Nature and Environment Risks
OVHcloud is committed to nature and environmental risk management in its capacity as a cloud services provider.
OVHcloud implements prevention measures to manage foreseeable natural events and environmental risks including:
- UPS (uninterruptible power supply) for sufficient capacity management with automatic load-switching;
- Automatic switch electric generators with minimum autonomy of 48 hours;
- Water-cooling system used for servers (98% of server cooling is performed without air conditioning); and
- Fire detection and suppression systems.
General Physical Site Security Measures
OVHcloud is committed to maintaining physical site security measures in its capacity as a cloud services provider.
OVHcloud restricts physical access to sites based on proper segregation of duties. Each physical site is restricted based on the following:
- General office areas are accessible to employees and registered visitors;
- Access to confidential offices is restricted to authorized personnel only;
- Data Center equipment areas are restricted to confidential access; and
- Data Center hosting areas are deemed critical access.
OVHcloud's physical site security measures to regulate access include:
- Data Center equipment areas have restricted access;
- Physical barriers are between areas;
- Cameras at entrances and exits throughout the site;
- Secure access controlled via badge readers;
- Car traps are deployed for single vehicle access via badge readers;
- Security personnel monitor & control vehicular access 24/7/365;
- Data Center “Mantraps” are used to access the Data Hall ensuring authorized access only; and
- Security guards are monitoring 24/7/365 along with video surveillance.
Physical Access Restrictions to OVHcloud Sites
OVHcloud is committed to restricting access to OVHcloud sites in its capacity as a cloud services provider.
OVHcloud physical access controls utilize badge systems. The access restriction procedures include the following control mechanisms:
- When entering an OVHcloud site, all individuals are assigned badges associated with their identity;
- All personal identities are verified prior to being issued badge access to OVHcloud sites;
- Badges must be worn at all times and visible while on the OVHcloud premises;
- Visitors' badges are deactivated once their physical access is no longer required or authorized; and
- Employees' badges are active for the duration of their employment and deactivated during the off-boarding procedures.
Area Access Management
OVHcloud is committed to managing area access in its capacity as a cloud services provider.
Standard Badge Access Controls are:
- Doors are controlled by a centralized access management system;
- Persons must badge-in to enter a designated area; and
- Badge access at each door enables the automated verification of the individual's profile rights.
Key Door Access Controls are:
- Keys are stored in a centralized access restricted location;
- Keys' purpose is documented;
- Keys are inventoried; and
- Keys have traceable audit logs.
Access Controls to Data Centers via Mantraps are:
- Mantraps have tailgating sensors;
- Only one Mantrap door can be open at a time;
- Mantraps are controlled by badge access;
- Mantraps utilize biometric multi-factor authentication (anti-piggybacking); and
- Mantrap cameras are installed outside the entrances & exits.
Access Controls to the Equipment Traps are:
- Equipment delivery vestibule is configured like the Data Center Mantrap entrances, except a larger area with no biometric multi-factor authentication;
- Equipment Trap is monitored by Security personnel 24/7/365, and there is no badge access within the Equipment Trap; and
- Cameras are installed in the delivery vestibule preventing blind spots.
Managing Physical Access for Third Parties
OVHcloud is committed to third-party access management in its capacity as a cloud services provider.
OVHcloud strictly supervises the movements of visitors and service providers when on OVHcloud sites. These persons are logged as soon as they arrive on-site and issued with a visitor badge. Visitors and service providers are subject to the following controls:
- All on-site visits must be scheduled in advance;
- Third-party vendors must be escorted by OVHcloud employees;
- All identities are verified with government-issued documents prior to gaining access;
- Badges must always be worn in a visible manner; and
- Badges are deactivated at the end of the visit.
Security Awareness & Skill Development Training for Personnel
OVHcloud is committed to providing security awareness and skill development training for all its personnel in its capacity as a cloud services provider.
Security awareness training is conducted during new hires’ onboarding and during an annual security awareness campaign for the entire organization. In addition, security awareness announcements are communicated regularly to the organization.
OVHcloud Security and Compliance personnel complete continuing professional education (CPE) required for professional certifications. Technical training sessions are provided to IT System Engineering teams for their continuous job skills development.
Managing Logical Access to OVHcloud Systems
OVHcloud is committed to managing logical access to OVHcloud systems in its capacity as a cloud services provider.
OVHcloud applies a strict policy of access rights management. This policy includes the following provisions:
- Access authorizations are issued following the principle of "Least Privilege";
- Access rights should be based on roles rather than individual access rights;
- Access grants to applications and systems are managed by provisioning procedures for the initial access, modification, and removal of access authorized by Human Resources, Managers, and IT Support;
- All employees utilize unique user ID accounts;
- Sessions systematically timeout after a period of inactivity;
- Use of generic and/or anonymous user accounts is prohibited;
- A strict password policy is applied;
- Passwords should be randomly generated;
- Endpoint devices have a minimum password length of 10 alphanumeric characters;
- Storing passwords in an unencrypted format, written down on paper, or saved in web browsers is prohibited;
- Local password management software must be authorized by IT Security;
- Remote access to OVHcloud IT systems must be via a VPN with a secure password and a client certificate configuration on their workstation.
Workstation and Mobile Devices Security
OVHcloud is committed to workstation and mobile device security in its capacity as a cloud services provider.
OVHcloud has workstation security controls in place including the following:
- Operating system updates are managed automatically;
- Endpoint devices' hard drives are systematically encrypted;
- Potentially compromised workstations are handled in accordance with Security Incident Procedures; and
- Terminated employees' devices are wiped and re-imaged.
OVHcloud has mobile device security controls in place for both employee-owned and corporate-owned devices. These security control standards include the following:
- Mobile devices must be registered in a centralized mobile device management (MDM) system before being granted access to internal systems;
- Security policies are enforced via MDM automation; and
- Mobile devices can be remotely wiped if lost or stolen.
Customers must ensure their workstations and mobile devices accessing OVHcloud services have adequate security controls in place.
Network Security
OVHcloud is committed to preserving network security in its capacity as a cloud services provider.
OVHcloud manages a high-performance fiber optic private network, connected to numerous operators and forwarding agents. OVHcloud manages its own internal network backbone. This backbone distributes connectivity to each US Data Center's local network as well as to other international OVHcloud Data Centers.
All network equipment is secured using the following security measures:
- An inventory is kept within a configuration management database;
- A standard hardening process is in place, featuring parameter guidance set to ensure a secure configuration;
- Administrator access to network equipment is reserved for authorized staff;
- All equipment is administered via a bastion host, applying the principle of least privilege;
- All network equipment configurations are backed up;
- Audit logs are collected, centralized, and monitored by the network operations team; and
- Network configurations are deployed automatically, based on authorized templates.
Customers are responsible for encrypting data communications through the OVHcloud network.
Business Continuity Management
OVHcloud is committed to maintaining a business continuity plan in its capacity as a cloud services provider.
OVHcloud has implemented a Backup Policy for the servers and network equipment used to provide its services. Per the Backup Policy:
- All systems and data necessary for the continuity of services, reconstruction of IT systems, and/or audit logs are backed up (technical and administrative database files, activity logs, internal source code, server configurations, applications, and network equipment, etc.);
- The full and incremental backups are retained in accordance with their asset classification; and
- The backup process is monitored to ensure backups are successful.
Monitoring Audit Logs
OVHcloud is committed to monitoring audit logs in its capacity as a cloud services provider.
OVHcloud has implemented a Monitoring & Logging Policy for the servers and network equipment used to deliver its services. Per the Monitoring & Logging Policy:
- Logs are backed up and centrally retained;
- Logs are consulted and analyzed by a limited number of authorized personnel;
- Logging tasks are segregated between the IT teams responsible for monitoring the infrastructure and those responsible for service operations; and
- The list of logging activities includes the following:
  - Storage servers hosting customer data;
  - Customer infrastructure machines;
  - Infrastructure monitoring machines;
  - Antivirus software logs on all infrastructure servers and employees' endpoints;
  - Integrity checks of logs and systems, where appropriate;
  - Customers' task and event transactions performed in their infrastructure;
  - Network intrusion detection logs and alerts, if appropriate;
  - Surveillance camera infrastructure;
  - Time servers;
  - Badge readers; and
  - Bastion host(s).
Customers are responsible for their monitoring & logging policy and procedures for their own systems and applications.