It is essential to draw a distinction between the security of our customers' data and the security of the infrastructure supporting our customers.
Security of Customers’ Resources and Applications:
Our customers are solely responsible for the security of the resources and applications utilizing OVHcloud's services. OVHcloud offers specific tools and guidelines to assist our customers in securing their data.
OVHcloud is committed to ensuring optimal security for its infrastructure. Infrastructure Security includes security policies for the information security management systems (ISMS) and compliance with AICPA standards, ISO certification, and other regulatory standards.
- SSAE18 Type 2 SOC 1
- SSAE18 Type 2 SOC 2
- SSAE18 Type 2 SOC 3
- HIPAA Type 1 Attestation
- PCI DSS AOC for US Data Centers
You can find a list of these attestations, the ISO 27001 certification, and their respective scopes in the Attestations & Certifications section of OVHcloud's compliance website.
Table of Contents
- Information Security Management System (ISMS)
- Compliance and Certification
- Customer Audits
- Risk Management
- Monitoring Services and Infrastructure
- Incident Management
- Vulnerability Management
- Business Continuity Management
- Nature and Environment Risks
- General Physical Site Security Measures
- Access Restrictions to OVHcloud Sites
- Area Access Management
- Managing Physical Access for Third Parties
- Security Awareness Training for Personnel
- Managing Logical Access to the OVHcloud IT System
- Workstations and Mobile Equipment Security
- Network Security
- Business Continuity Management
- Audit Logging
Commitments made by OVHcloud, as a hosting provider, to ensure a security framework is in place for confidentiality, availability and integrity.
OVHcloud has implemented ISMS policies to minimize security risks, protect our organization's sensitive data, and ensure business continuity. Our ISMS policies are updated at least annually, or in response to material changes that warrant a policy update. Annual external audits are conducted to attest to the security of our solutions in accordance with the ISMS framework by an independent audit firm.
Commitments made by OVHcloud to benchmark its security framework for confidentiality, availability and integrity as a hosting provider.
To verify compliance and evaluate our systems' performance, OVHcloud conducts security audits on a periodic basis. These security audits include the following:
- External audits (certifications and attestations);
- Internal audits, carried out by internal or external auditors;
- Technical audits (penetration testing, vulnerability scans, and policy compliance audits), carried out by internal or external Auditors;
- Data Center audits carried out by internal and external auditors
If an instance of non-compliance is identified, corrective measures are applied to action plans, as applicable. Corrective measures are also tracked and regularly reviewed, to verify their effectiveness.
OVHcloud's Terms of Service address customers' audit of technical and organizational measures.
Customers can elect to carry out technical audits (penetration tests) on their dedicated hosted services subject to the terms and conditions set forth in the Terms of Service.
OVHcloud commits to risk management in its capacity as a hosting provider.
OVHcloud has a formal risk management methodology, which is reviewed annually, or more frequently in response to a material change. The risk management methodology also evaluates risks associated with personally identifiable information (PII) and sensitive transactional data.
Customers are responsible for their security measures relevant to the risks associated with their OVHcloud infrastructure as a service (IaaS) configuration.
OVHcloud commits to monitoring services and infrastructure in its capacity as a hosting provider.
OVHcloud has a monitoring system for all its services and infrastructure. This program has the following objectives:
- Detect production and security incidents;
- Monitor for critical alerts being escalated;
- Communicate to responsible personnel to trigger appropriate proceduress;
- Ensure continuity of service of automated tasks;
- Ensure the integrity of the resources being monitored.
OVHcloud commits to maintaining an incident management process in its capacity as a hosting provider.
OVHcloud has an incident management process to prevent, detect, contain, and resolve service and infrastructure issues. The incident management process includes:
- Classification of Security Events Guide;
- Handling Security Events Procedures;
- Incident Response Plans and Tests;
- Customer Communication Procedures.
Customers are responsible for maintaining up-to-date and accurate contact information to allow OVHcloud to notify customers in the event there is an incident. In addition, they are responsible for their own incident management procedures which impact their infrastructures and could possibly include OVHcloud alert notifications.
OVHcloud commits to managing vulnerability assessments in its capacity as a hosting provider.
OVHcloud monitors for new vulnerabilities and their remediation via:
- Public security alert sites;
- Manufacturers / publishers' vulnerability alerts & patch management;
- Incidents identified by Operations teams, third parties and/or customers;
- Internal and/or external vulnerability scans performed periodically.
OVHcloud analyzes all vulnerabilities for their impact on systems and operations. Then OVHcloud deploys mitigation measures to define and implement corrective action plans, as applicable. OVHcloud tracks all corrective action plans until their resolution.
OVHcloud commits to maintaining business continuity management in its capacity as a hosting provider.
OVHcloud ensures continuity of its infrastructure services (availability of equipment, application and operating processes) through:
- System administration redundancy for servers and equipment;
- Electricity supply continuity and redundancy;
- Capacity management of OVHcloud equipment and servers;
- Water and air-cooling continuity;
- Customer technical support.
In addition, OVHcloud has the ability to restore services in the event of an incident (i.e. network equipment backups configurations).
OVHcloud recommends our customers have backup and restoration functionality either as part of their standard package, and/or as an optional configuration, depending on the services purchased.
OVHcloud is committed to nature and environmental risk management in its capacity as a hosting provider.
OVHcloud implements prevention measures to manage foreseeable natural events and environmental risks including:
- UPS (uninterruptible power source) for sufficient capacity management and emergency transformers with automatic load-switching;
- Automatic switch electric generators with minimum autonomy of 48 hours;
- Water-cooling system used for servers (98% of our hosting rooms have no air conditioning);
- Fire detection systems.
OVHcloud commits to maintaining general physical site security measures in its capacity as a hosting provider.
OVHcloud restricts physical access to sites based on proper segregation of duties. Each physical site is restricted based on the following:
- General office areas accessible to employees and registered visitors;
- Confidential offices for authorized personnel only;
- Data Center equipment areas – confidential; and
- Data Center hosting areas – critical services.
OVHcloud's physical site security measures to regulate access include:
- Access Authorization Policy;
- Physical walls (or equivalent) between areas;
- Cameras at entrances and exits throughout the site;
- Secure access controlled via badge readers;
- Pressure sensor "Car Traps"
- Data Center "Mantraps" laser barriers;
- Security guards 24 / 7 / 365 along with video surveillance;
- Surveillance center monitoring when entrance and exit doors are opened.
OVHcloud commits to restricting access to OVHcloud sites in its capacity as a hosting provider.
OVHcloud physical access controls utilize badge systems. Each badge is associated to a user account identifying the individual. The access restriction procedures include the following control mechanisms:
- When entering an OVHcloud site, all individuals are assigned badges associated with their identity,
- All personal identities are verified prior to being issued badge access to OVHcloud sites,
- Badges must be worn at all times and visible while on the OVHcloud premises,
- Visitors' badges are deactivated once their physical access is no longer required or authorized,
- Employees' badges are active for the duration of their employment and deactivated during the off-boarding procedures.
OVHcloud commits to managing area access in its capacity as a hosting provider.
Standard Badge Access Controls are:
- Doors are controlled by a centralized access management system;
- Persons must badge-in to enter a designated area;
- Badge access at each door enables automated verification of the individual's profile rights.
Key Door Access Controls are:
Some areas or items are locked by key locks; thus, the key access controls, including the following, are in place:
- Keys are stored in a centralized access restricted location;
- Keys' purpose is documented;
- Keys are inventoried; and
- Keys have traceable audit logs.
Access to Data Centers via Mantraps:
OVHcloud Data Centers are exclusively accessed via Mantraps. The Mantrap access controls are:
- Mantraps have tailgating sensors;
- Only one Mantrap door can be open at a time;
- Mantraps are controlled by badge access;
- Mantraps utilizes biometric multi-factor authentication (anti-piggybacking); and
- Mantrap cameras are installed outside the entrances & exits.
Access to the Equipment Mantraps:
Equipment loading areas are controlled by an Equipment Mantrap. The Equipment Mantrap access controls are:
- Equipment delivery vestibule is configured like the Data Center Mantrap entrances, except a larger area with no biometric multi-factor authentication;
- Personnel cannot enter the Data Center via the Equipment Mantrap; there is no badge access within the Equipment Mantrap;
- Cameras are installed in the delivery vestibule preventing blind spots.
OVHcloud is committed to third party access management in its capacity as a hosting provider.
OVHcloud strictly supervises the movements of visitors and service providers when on OVHcloud sites. These persons are logged as soon as they arrive on-site and issued with a visitor badge. Visitors and service providers are subject to the following controls:
- All on-site visits must be scheduled in advance;
- Third Parties must be escorted by OVHcloud employees;
- All identities are verified with government issued documents prior to gaining access;
- Badges must always be worn in a visible manner;
- Badges are deactivated at the end of the visit.
OVHcloud commits to providing security awareness training for all its personnel in its capacity as a hosting provider.
OVHcloud personnel complete annual security awareness training, as well as continuing professional education (CPE) required for its personnel’s certifications reinforcing their job duties. Technical training sessions are provided to IT System Engineering teams for their continuous job skills development.
Security Awareness Training is conducted during the on-boarding process for new hires; and security awareness training communications are regularly distributed to all personnel.
OVHcloud commits to managing logical access to OVHcloud IT systems in its capacity as a hosting provider.
OVHcloud applies a strict policy of logical access rights management. This policy includes the following provisions:
- Access authorizations are issued following the principle of "Least Privilege";
- Access rights should be based on roles versus specific individual unit rights;
- Access grants to a user or to a system are managed based on provisioning procedures for the initial access, modification and removal involving their Managers, IT Support/ Core Services, and Human Resources;
- All employees utilize unique user ID accounts;
- Sessions systematically timeout after a period of inactivity;
- Use of generic and/or anonymous user accounts is prohibited;
- A strict password policy is applied;
- Passwords should be randomly generated;
- Endpoint devices have a minimum password length of 10 alphanumeric characters;
- Storing passwords in unencrypted files, on paper or in web browsers is prohibited;
- Local password management software approved by IT Security is mandatory;
- Remote access to OVHcloud IT systems must be via VPN, using a password solely known to the user and a client certificate configured on the workstation.
OVHcloud is committed to workstation and mobile equipment security in its capacity as a hosting provider.
OVHcloud has standard workstation security controls in place for its personnel including the following:
- Operating system updates are managed automatically;
- Endpoint devices' hard drives are systematically encrypted;
- Potentially compromised workstations are handled in accordance with Security Incident Procedures;
- Terminated employees' devices are wiped and re-imaged.
OVHcloud has standard mobile device security controls in place for its personnel whether the device is owned by the employee or corporate owned. These security standards include the following:
- Mobile devices must be registered in a centralized device management (MDM) system before being granted access to internal systems;
- Security policies are enforced via MDM automation;
- Mobile devices can be remotely wiped, if lost or stolen.
Customers must ensure their workstations and mobile equipment used to access OVHcloud services has adequate security controls in place.
OVHcloud commits to preserving network security in its capacity as a hosting provider.
OVHcloud manages a high-performance fiber optic private network, connected to numerous operators and forwarding agents. OVHcloud manages its own internal network backbone. This backbone distributes connectivity to each US Data Center's local networks as well to other international OVHcloud Data Centers.
All network equipment is secured using the following security measures:
- An inventory is kept within a configuration management database;
- A standard hardening process is in place, featuring parameter guidance set to ensure a secure configuration;
- Administrator access to network equipment is reserved to authorized staff;
- All equipment is administered via a bastion host, applying the principle of least privilege;
- All network equipment configurations are backed up;
- Audit logs are collected, centralized and monitored by the network operations team;
- Network configurations are deployed automatically, based on authorized templates.
Customers are responsible for encrypting data communications through the OVHcloud network.
OVHcloud commits to maintaining a business continuity plan in its capacity as a hosting provider.
OVHcloud has implemented a backup policy for the servers and equipment used to provide its services. Per this Backup Policy:
- All systems and data necessary for the continuity of services, reconstructing of IT systems, and/or analysis purposes following an incident are backed up (technical and administrative database files, activity logs, internal source code, server configurations, applications and equipment, etc.);
- The full and incremental backups are retained in accordance with their asset classification;
- The backup process is monitored to ensure backups are successful.
OVHcloud commits to audit logging in its capacity as a hosting provider.
OVHcloud has implemented a logging policy for the servers and equipment used to deliver its services. Per the Audit Logging Policy:
- Logs are backed up and centrally retained;
- Logs are consulted and analyzed by a limited number of authorized personnel, in accordance with the authorization and access management policy; and
- Tasks are divided up between teams responsible for monitoring the infrastructure and those responsible for service operations.
- The list of logging activities includes the following:
- Storage servers hosting customer data;
- Customer infrastructure machines;
- Infrastructure monitoring machines;
- Antivirus software logs on all equipped machines;
- Integrity checks of logs and systems, where appropriate;
- Customers' task and event transactions performed in their infrastructure;
- Network intrusion detection logs and alerts, if appropriate;
- Surveillance cameras infrastructure;
- Time servers;
- Badge readers; and
- Bastion host(s).
Customers are responsible for their audit logging policy and procedures for their own systems and applications.