It is essential to draw a distinction between the security of our customers' data and the security of the infrastructure supporting our customers.
Security of Customers’ Resources and Applications:
Our customers are solely responsible for the security of their data and applications utilizing OVHcloud's Infrastructure as a Service (IaaS). OVHcloud offers specific tools and guidelines to assist our customers in securing their data and applications.
OVHcloud is committed to ensuring optimal security for its infrastructure. Infrastructure Security includes security policies for the information security management systems (ISMS) and compliance with AICPA standards, ISO certification, and other regulatory standards.
- ISO 27001, 27017, 27018 & 27701
- SSAE18 Type 2 SOC 1
- SSAE18 Type 2 SOC 2
- SSAE18 Type 2 SOC 3
- HIPAA Type 1 Attestation
- PCI DSS AOC for US Data Centers
You can find a list of these attestation reports, the ISO 27001 certification, and their respective scopes in the Attestations & Certifications section of OVHcloud's compliance website.
Table of Contents
- Information Security Management System (ISMS)
- Compliance and Certification
- Customer Audits
- Risk Management
- Monitoring Services and Infrastructure
- Incident Management
- Vulnerability Management
- Business Continuity Management
- Nature and Environment Risks
- General Physical Site Security Measures
- Access Restrictions to OVHcloud Sites
- Area Access Management
- Managing Physical Access for Third Parties
- Security Awareness Training for Personnel
- Managing Logical Access to the OVHcloud IT System
- Workstations and Mobile Equipment Security
- Network Security
- Business Continuity Management
- Audit Logging
Information Security Management System (ISMS)
Commitments made by OVHcloud, as a hosting provider, to ensure a security framework is in place for confidentiality, availability, and integrity.
OVHcloud has implemented ISMS policies to minimize security risks, protect our organization's sensitive data, and ensure business continuity. Our ISMS policies are updated annually or in response to material changes that warrant a policy update. External audits are conducted annually to attest to the security of our solutions in accordance with the ISMS framework by an independent audit firm.
Compliance and Certification
Commitments made by OVHcloud to benchmark its security framework for confidentiality, availability, and integrity as a hosting provider.
To verify compliance and evaluate our systems' performance, OVHcloud conducts security audits on a periodic basis. These security audits include the following:
- External audits (certifications and attestations);
- Internal audits, carried out by internal or external auditors;
- Technical audits (penetration testing, vulnerability scans, and policy compliance audits), carried out by internal or external auditors; and
- Data Center audits, carried out by internal and external auditors.
If a non-compliance instance is identified, corrective measures are applied to action plans, as applicable. Corrective measures are tracked and regularly reviewed until resolution.
Customer Audits
OVHcloud's Terms of Service address customers' audit of technical and organizational measures.
Customers can elect to carry out technical audits (penetration tests) on their dedicated hosted services subject to the terms and conditions set forth in the Terms of Service.
Risk Management
OVHcloud commits to risk assessment management in its capacity as a hosting provider.
OVHcloud has a formal risk assessment methodology that is reviewed annually or in response to any material changes. The risk management methodology includes the evaluation of risks associated with personally identifiable information (PII) and sensitive transactional data where OVHcloud is a data controller or processor.
Customers are responsible for their security measures relevant to their data and application risks associated with their OVHcloud Infrastructure as a Service (IaaS) configuration.
Monitoring Services and Infrastructure
OVHcloud commits to monitoring its services and infrastructure in its capacity as a hosting provider.
OVHcloud has a monitoring system for all its services and infrastructure. This program has the following objectives:
- Detect production and security incidents;
- Monitor for critical alerts being escalated;
- Communicate to responsible personnel to trigger appropriate procedures;
- Ensure continuity of services of automated tasks; and
- Ensure the integrity of the resources being monitored.
Incident Management
OVHcloud commits to maintaining an incident management process in its capacity as a hosting provider.
OVHcloud has an incident management process to prevent, detect, contain, and resolve service and infrastructure issues. The incident management process includes:
- Classification of Security Events Guide;
- Handling Security Events Procedures;
- Incident Response Plans and Tests; and
- Customer Communication Procedures.
Customers are responsible for maintaining up-to-date and accurate contact information to allow OVHcloud to notify them in the event an incident occurs. In addition, customers are responsible for their own incident management procedures for incidents impacting their infrastructures, which could include OVHcloud alert notifications.
Vulnerability Management
OVHcloud commits to managing vulnerability assessments in its capacity as a hosting provider.
OVHcloud monitors for new vulnerabilities and their remediation via:
- Public security alert sites;
- Manufacturers'/publishers' vulnerability alerts & patch management;
- Incidents identified by Operations teams, third parties, and/or customers; and
- Internal and/or external vulnerability scans, performed periodically.
OVHcloud analyzes all vulnerabilities for their impact on systems and operations. Then, OVHcloud deploys mitigation measures to define and implement corrective action plans, as applicable. OVHcloud tracks all corrective action plans until resolution.
Business Continuity Management
OVHcloud commits to maintaining business continuity management in its capacity as a hosting provider.
OVHcloud ensures continuity of its infrastructure services (availability of equipment, application, and operating processes) through:
- System administration redundancy for servers and equipment;
- Electricity supply continuity and redundancy;
- Capacity management of OVHcloud equipment and servers;
- Water and air-cooling continuity; and
- Customer technical support.
In addition, OVHcloud has the ability to restore services in the event of an incident (e.g. network equipment configuration backups).
Customers are responsible for their backup and restoration functionality either as part of their standard package and/or as an optional configuration, depending on the services purchased.
Nature and Environment Risks
OVHcloud is committed to nature and environmental risk management in its capacity as a hosting provider.
OVHcloud implements prevention measures to manage foreseeable natural events and environmental risks including:
- UPS (uninterruptible power supply) for sufficient capacity management with automatic load-switching;
- Automatic switch electric generators with minimum autonomy of 48 hours;
- Water-cooling system used for servers (98% of server cooling is performed without air conditioning); and
- Fire detection and suppression systems.
General Physical Site Security Measures
OVHcloud commits to maintaining physical site security measures in its capacity as a hosting provider.
OVHcloud restricts physical access to sites based on proper segregation of duties. Each physical site is restricted based on the following:
- General office areas are accessible to employees and registered visitors;
- Confidential offices access is restricted to authorized personnel only;
- Data Center equipment areas are restricted to confidential access; and
- Data Center hosting areas are deemed critical access.
OVHcloud's physical site security measures to regulate access include:
- Access Authorization Policy;
- Physical walls (or equivalent) between areas;
- Cameras at entrances and exits throughout the site;
- Secure access controlled via badge readers;
- Pressure sensor "Car Traps";
- Data Center "Mantraps" laser barriers;
- Security guards 24/7/365 along with video surveillance; and
- Surveillance center monitoring when entrance and exit doors are opened.
Access Restrictions to OVHcloud Sites
OVHcloud commits to restricting access to OVHcloud sites in its capacity as a hosting provider.
OVHcloud physical access controls utilize badge systems. The access restriction procedures include the following control mechanisms:
- When entering an OVHcloud site, all individuals are assigned badges associated with their identity;
- All personal identities are verified prior to being issued badge access to OVHcloud sites;
- Badges must be worn at all times and visible while on the OVHcloud premises;
- Visitors' badges are deactivated once their physical access is no longer required or authorized; and
- Employees' badges are active for the duration of their employment and deactivated during the off-boarding procedures.
Area Access Management
OVHcloud commits to managing area access in its capacity as a hosting provider.
Standard Badge Access Controls are:
- Doors are controlled by a centralized access management system;
- Persons must badge-in to enter a designated area; and
- Badge access at each door enables the automated verification of the individual's profile rights.
Key Door Access Controls are:
Some areas or items are locked by key locks; thus, the key access controls, including the following, are in place:
- Keys are stored in a centralized access restricted location;
- Keys' purpose is documented;
- Keys are inventoried; and
- Keys have traceable audit logs.
Access to Data Centers via Mantraps:
OVHcloud Data Centers are exclusively accessed via Mantraps. The Mantrap access controls are:
- Mantraps have tailgating sensors;
- Only one Mantrap door can be open at a time;
- Mantraps are controlled by badge access;
- Mantraps utilize biometric multi-factor authentication (anti-piggybacking); and
- Mantrap cameras are installed outside the entrances & exits.
Access to the Equipment Mantraps:
Equipment loading areas are controlled by an Equipment Mantrap. The Equipment Mantrap access controls are:
- The equipment delivery vestibule is configured like the Data Center Mantrap entrances, except with a larger area and no biometric multi-factor authentication;
- Personnel cannot enter the Data Center via the Equipment Mantrap; there is no badge access within the Equipment Mantrap; and
- Cameras are installed in the delivery vestibule preventing blind spots.
Managing Physical Access for Third Parties
OVHcloud is committed to third-party access management in its capacity as a hosting provider.
OVHcloud strictly supervises the movements of visitors and service providers when on OVHcloud sites. These persons are logged as soon as they arrive on-site and issued with a visitor badge. Visitors and service providers are subject to the following controls:
- All on-site visits must be scheduled in advance;
- Third-party vendors must be escorted by OVHcloud employees;
- All identities are verified with government-issued documents prior to gaining access;
- Badges must always be worn in a visible manner; and
- Badges are deactivated at the end of the visit.
Security Awareness Training for Personnel
OVHcloud commits to providing security awareness training for all its personnel in its capacity as a hosting provider.
OVHcloud personnel complete annual security awareness training, as well as continuing professional education (CPE) required for personnel's certifications reinforcing their job duties. Technical training sessions are provided to IT System Engineering teams for their continuous job skills development.
Security Awareness Training is conducted during new hires' onboarding and through an annual security awareness campaign for the entire organization. Security awareness communications are regularly distributed to all personnel.
Managing Logical Access to OVHcloud Systems
OVHcloud commits to managing logical access to OVHcloud systems in its capacity as a hosting provider.
OVHcloud applies a strict policy of logical access rights management. This policy includes the following provisions:
- Access authorizations are issued following the principle of "Least Privilege";
- Access rights should be based on roles versus individual access rights;
- Access grants to a user or to a system are managed based on provisioning procedures for the initial access, modification, and removal involving their Managers, IT Support/Core Services, and Human Resources;
- All employees utilize unique user ID accounts;
- Sessions systematically timeout after a period of inactivity;
- Use of generic and/or anonymous user accounts is prohibited;
- A strict password policy is applied;
- Passwords should be randomly generated;
- Endpoint devices have a minimum password length of 10 alphanumeric characters;
- Storing passwords in unencrypted files, on paper or in web browsers is prohibited;
- Local password management software approved by IT Security is mandatory; and
- Remote access to OVHcloud IT systems must be via VPN, using a password solely known to the user and a client certificate configured on the workstation.
Workstations and Mobile Equipment Security
OVHcloud is committed to workstation and mobile equipment security in its capacity as a hosting provider.
OVHcloud has standard workstation security controls in place for its personnel including the following:
- Operating system updates are managed automatically;
- Endpoint devices' hard drives are systematically encrypted;
- Potentially compromised workstations are handled in accordance with Security Incident Procedures; and
- Terminated employees' devices are wiped and re-imaged.
OVHcloud has standard mobile device security controls in place for its personnel whether the device is owned by the employee or corporate-owned. These security standards include the following:
- Mobile devices must be registered in a centralized mobile device management (MDM) system before being granted access to internal systems;
- Security policies are enforced via MDM automation; and
- Mobile devices can be remotely wiped if lost or stolen.
Customers must ensure their workstations and mobile equipment used to access OVHcloud services have adequate security controls in place.
Network Security
OVHcloud commits to preserving network security in its capacity as a hosting provider.
OVHcloud manages a high-performance fiber optic private network, connected to numerous operators and forwarding agents. OVHcloud manages its own internal network backbone. This backbone distributes connectivity to each US Data Center's local network as well as to other international OVHcloud Data Centers.
All network equipment is secured using the following security measures:
- An inventory is kept within a configuration management database;
- A standard hardening process is in place, featuring parameter guidance set to ensure a secure configuration;
- Administrator access to network equipment is reserved to authorized staff;
- All equipment is administered via a bastion host, applying the principle of least privilege;
- All network equipment configurations are backed up;
- Audit logs are collected, centralized, and monitored by the network operations team; and
- Network configurations are deployed automatically, based on authorized templates.
Customers are responsible for encrypting data communications through the OVHcloud network.
Business Continuity Management
OVHcloud commits to maintaining a business continuity plan in its capacity as a hosting provider.
OVHcloud has implemented a backup policy for the servers and equipment used to provide its services. Per this Backup Policy:
- All systems and data necessary for the continuity of services, reconstructing of IT systems, and/or analysis purposes following an incident are backed up (technical and administrative database files, activity logs, internal source code, server configurations, applications, and equipment, etc.);
- The full and incremental backups are retained in accordance with their asset classification; and
- The backup process is monitored to ensure backups are successful.
Audit Logging
OVHcloud commits to audit logging in its capacity as a hosting provider.
OVHcloud has implemented a logging policy for the servers and equipment used to deliver its services. Per the Audit Logging Policy:
- Logs are backed up and centrally retained;
- Logs are consulted and analyzed by a limited number of authorized personnel, in accordance with the authorization and access management policy; and
- Tasks are divided up between teams responsible for monitoring the infrastructure and those responsible for service operations.
The list of logging activities includes the following:
- Storage servers hosting customer data;
- Customer infrastructure machines;
- Infrastructure monitoring machines;
- Antivirus software logs on all equipped machines;
- Integrity checks of logs and systems, where appropriate;
- Customers' task and event transactions performed in their infrastructure;
- Network intrusion detection logs and alerts, if appropriate;
- Surveillance cameras infrastructure;
- Time servers;
- Badge readers; and
- Bastion host(s).
Customers are responsible for their audit logging policy and procedures for their own systems and applications.