Data security

It is essential to draw a distinction between the security of the data stored by our customers and the security of the infrastructure that stores this information.

Security of the data stored by our customers:

Our customers are solely responsible for ensuring the security of the resources and application systems that they use with OVH’s services. OVH offers tools to help customers secure their data.

Security of infrastructure:

OVH is committed to ensuring optimal security for its infrastructure. This includes implementing a security policy for information systems and meeting the requirements of multiple standards and certifications (ISO/IEC 27001 certification, SSAE18 SOC 1 TYPE II and SSAE18 SOC 2 TYPE II attestations, HIPAA attestation, etc.).

You can find a list of these attestations and the ISO 27001 certification, along with their scope, in OVH US's compliance and certification section.

 

  1. Information Security Management System (ISMS)
  2. Compliance and certification
  3. Customer Audits
  4. Risk management
  5. Monitoring Services and Infrastructure
  6. Incident Management
  7. Vulnerability Management
  8. Business Continuity Management
  9. Natural and environmental risks
  10. General Security Measures for Physical Sites
  11. Access to OVH sites
  12. Area Access Management
  13. Managing Physical Access for Third Parties
  14. Security Awareness Training for Personnel
  15. Managing Logical Access to the OVH IT System
  16. Security for Workstations and Mobile Equipment
  17. Network Security
  18. Business Continuity Management
  19. Audit Logging

Information Security Management System (ISMS)

Commitments made by OVH in its capacity as a hosting provider

OVH has implemented certain ISMS policies to minimize security risk, protect our organization’s sensitive data, and ensure business continuity. Our ISMS policies are updated at least annually, or in response to material changes that warrant a policy update. Annual external audits are also conducted to verify the security of our solutions in accordance with the ISMS policy framework.

Compliance and certification

Commitments made by OVH in its capacity as a hosting provider

To verify compliance and to evaluate our systems’ performance, OVH conducts security audits on a regular basis. These security audits include the following:

  • external audits (certifications, attestations, customers);
  • internal audits, carried out by internal or external auditors;
  • technical audits (intrusion tests, vulnerability scans, code reviews), carried out by internal or external auditors;
  • audits of the activities of third parties, carried out by the person(s) responsible for managing third parties; and
  • Data Center audits carried out by internal auditors.

Corrective measures are applied and added to action plans, as applicable, in the event that an instance of non-compliance is identified. Corrective measures are also tracked and regularly reviewed, to verify their effectiveness.

Customer audits

Options for customers in charge of processing

Customers can elect to carry out technical audits (penetration tests) on services hosted for them, as well as on service management blocks. The terms and conditions for carrying out audits are set out in each contract.

Commitments made by OVH in its capacity as a hosting provider

The terms and conditions for carrying out audits are set out in each contract.

Risk management

Requirements for customers in charge of processing

Customers must ensure that the security measures applied by OVH are relevant to the risks associated with the manner in which they use the infrastructure.

Commitments made by OVH in its capacity as a hosting provider

OVH has implemented a formal methodology for risk management, which it reviews at least annually, or in response to a material change. The risk management methodology also evaluates risks associated with personal information and sensitive data (health, payments, etc.).

Monitoring Services and Infrastructure

Commitments made by OVH in its capacity as a hosting provider

OVH has implemented a monitoring system and infrastructure for all OVH services. This program has the following objectives:

  • to detect production and security incidents;
  • to monitor critical features, with any alerts being escalated to the monitoring system;
  • to inform the persons responsible and trigger the appropriate procedures;
  • to ensure continuity of service in the performance of automated tasks; and
  • to ensure the integrity of the resources monitored.

Incident Management

Requirements for customers in charge of processing

Customers must ensure that their contact information is accurate, to enable OVH to notify them in the event of an incident. They must also implement incident management processes for incidents affecting their IT system that include OVH as a potential source of alerts.

Commitments made by OVH in its capacity as a hosting provider

OVH has implemented an incident management process, which it uses to prevent, detect, contain, and resolve issues in the service and its infrastructure. This process includes:

  • a guide for classifying security events,
  • a procedure for handling security events,
  • tests of incident response plans, and
  • a procedure for customer communication.

Vulnerability Management

Commitments made by OVH in its capacity as a hosting provider

OVH monitors new vulnerabilities, which it identifies via:

  • public information sites;
  • alerts from the manufacturers and publishers of solutions deployed to correct vulnerabilities;
  • incidents and observations escalated by our operations teams, third parties or customers;
  • internal and external vulnerability scans performed on a regular basis.

If OVH detects a vulnerability, OVH analyzes it to determine the impact on systems and operations. OVH will then deploy mitigation measures, where necessary, and define and implement a corrective action plan as applicable. OVH also incorporates these steps into its action plans, which it tracks and regularly reviews to verify effectiveness.

Business Continuity Management

Requirements for the customer in charge of processing

Customers are responsible for the continuity of their own IT systems. They must ensure that the standard provisions implemented by OVH, the options they choose, and any additional controls they implement will enable them to achieve their business continuity objectives.

Commitments made by OVH in its capacity as a hosting provider

OVH ensures continuity of activity for its infrastructure (availability of equipment, application and operating processes) through:

  • continuity of water- and air-cooling,
  • continuity and redundancy of the electricity supply,
  • managing the capacity of the equipment for which OVH is responsible,
  • technical support for customers’ services, and
  • redundancy of the equipment and servers used for system administration.

Alongside this, OVH has other mechanisms to ensure the resumption of service in the event of an incident, such as backup of network equipment configurations.

Depending on the service, OVH may propose, as part of the standard package, or as an option, backup and restoration features that may be used by customers.

Natural and environmental risks

Commitments made by OVH in its capacity as a hosting provider

OVH implements measures to prevent foreseeable natural and environmental risks including:

  • uninterruptible power supplies (UPS) of a sufficient capacity and emergency transformers with automatic load-switching;
  • automatic switching to electricity generators with a minimum autonomy of 48 hours;
  • a water-cooling system, which is used for servers (98% of our hosting rooms have no air conditioning); and
  • a fire detection system.

General Security Measures for Physical Sites

Commitments made by OVH in its capacity as a hosting provider

OVH restricts physical access to its sites through a restrictive security system. Each site is divided up as follows:

  • private traffic areas,
  • offices accessible to all employees and to registered visitors,
  • confidential offices, for authorized personnel only,
  • areas containing Data Center equipment,
  • confidential areas in Data Centers, and
  • areas in Data Centers hosting critical services.

Security measures are taken to regulate access to OVH’s physical sites including:

  • an access permissions policy;
  • walls (or equivalent) between each area;
  • cameras located at the entrances and exits to installations, as well as in the server rooms;
  • secure access, controlled by badge readers;
  • pressure sensor “car trap”;
  • laser barriers in the Data Center mantraps;
  • intrusion detection mechanisms (security guards 24 hours a day and video surveillance); and
  • a permanent surveillance center monitoring when the entrance and exit doors are opened.

Access to OVH sites

Commitments made by OVH in its capacity as a hosting provider

OVH operates its physical access controls using a system of badges. Each badge is linked to an OVH account, which, in turn, is linked to an individual. This system makes it possible to identify and authenticate all persons through the following control mechanisms:

  • every individual entering an OVH site must have their own individual badge associated with their identity,
  • the identity of every person must be verified before any badge is issued,
  • within the installations, badges must be worn in a visible location,
  • badges are deactivated as soon as their holders are no longer authorized to access the installations, and
  • OVH employees’ badges are active for the duration of their employment; for the other categories of person, badges are deactivated automatically after a defined period.

Area Access Management

Commitments made by OVH in its capacity as a hosting provider

Door access via badge

Below is the standard form of access control at OVH:

  • doors are connected to a centralized access rights management system;
  • people have to badge in using a dedicated badge reader to unlock the doors; and
  • access rights are verified when the badge is read, to ensure that the person in question has the required entry rights.

Door access via key

Some areas or items of equipment are locked using key locks. Keys are subject to the following controls:

  • the keys are stored in a centralized, access-restricted location on each site, with a reference document;
  • each key is identified via a label;
  • an inventory of the keys is kept; and
  • any use of the keys is traceable.

Access to Data Centers via Mantraps

OVH’s Data Centers are accessed exclusively via mantraps. These mantraps include the following controls:

  • each mantrap has two doors and a delimited area between the checks, to ensure that only one person gets through at a time;
  • each door will not open unless the other door is closed (mantrap);
  • the mantraps use the same system of badges as the other doors, and the same rules apply to them;
  • detection mechanisms verify that there is only one person in the mantrap (anti-piggybacking);
  • the system is designed to make sure badges cannot be used more than once in the same direction (anti-passback);
  • a second, biometric factor is used to prevent badge sharing; and
  • a camera placed next to the mantrap lock means that people entering are monitored.

Access to the equipment mantraps

Access to the equipment in Data Centers is allowed in accordance with the following controls:

  • the delivery vestibule is configured in the same way as a single-person mantrap, except larger in area and with no verification of volume or weight, and with badge readers on the outside only;
  • only the item being delivered passes through the vestibule - accompanying personnel must enter via the single-person mantrap; and
  • there is a camera in the vestibule, with no blind spot.

Managing Physical Access for Third Parties

Commitments made by OVH in its capacity as a hosting provider

OVH strictly supervises the movements of visitors and ad hoc service providers when on OVH premises. These persons are logged as soon as they arrive on site and are issued with a visitor or a service provider badge. Visitors and ad hoc service providers are subject to the following controls:

  • all visits must be announced ahead of time;
  • third parties are the responsibility of an OVH US employee and must be accompanied at all times;
  • all identities are verified prior to granting access to the site;
  • each third party is issued with a service provider badge, allocated to them for the day, which they must return before leaving the site;
  • all badges must be worn in a visible manner; and
  • badges are automatically deactivated at the end of the visit.

Security Awareness Training for Personnel

Commitments made by OVH in its capacity as a hosting provider

  • OVH US personnel complete security awareness training annually and continued professional education is required for personnel’s certifications in the performance of their job duties. Training sessions on the technical services are organized annually for the IT system engineering teams;
  • security awareness training is conducted for all new employees during the on-boarding process; and
  • messages about security awareness are regularly communicated to all personnel.

Managing Logical Access to the OVH IT System

Commitments made by OVH in its capacity as a hosting provider

OVH applies a strict policy of logical access rights management for employees. This policy includes the following provisions:

    • authorizations are issued and monitored by managers, following the principle of least privilege;
    • to the greatest extent possible, all authorizations should be based on roles rather than unit rights;
    • the access rights and authorizations granted to a user or to a system are managed through a provisioning procedure; modification and removal involve their managers, internal IT and human resources;
    • all employees use unique user ID accounts;
    • connection sessions systematically have a timeout for inactivity suited to each application;
    • the use of default, generic and anonymous accounts is prohibited;
    • a strict password policy is applied;
    • passwords are randomly generated;
    • the minimum length for passwords is 10 alphanumeric characters;
    • storing passwords in unencrypted files, on paper or in web browsers is prohibited;
    • the use of local password management software, which has been approved by the security teams, is mandatory; and
    • any remote access to the OVH US IT system (IS) must be via VPN, using a password known solely to the user and a shared secret configured on the workstation.

Security for Workstations and Mobile Equipment

Requirements for customers in charge of processing

Customers must ensure their workstations and mobile equipment are secure in order to enable the administration of their service.

Commitments made by OVH in its capacity as a hosting provider

Protection of standard workstations

OVH employs measures to protect the standard workstations of OVH personnel, including the following:

    • updates are managed automatically,
    • hard drives are systematically encrypted,
    • potentially compromised workstations are handled according to a specific procedure, and
    • there is a procedure for re-imaging/wiping workstations when employees leave the company.

Protecting Mobile Devices

OVH employs measures to ensure the security of mobile devices, whether belonging to personnel or supplied by OVH. These measures include the following:

    • mobile devices must be registered in a centralized mobile device management (MDM) system before they are granted access to internal resources (WiFi, email, calendars, people directory, etc.);
    • the security policy used on the mobile device is verified (unlock code, lock time, storage encryption); and
    • procedures are in place for wiping the mobile device remotely if it is lost or stolen.

Network Security

Requirements for customers in charge of processing

Customers are solely responsible for encrypting content communicated through the OVH network.

Commitments made by OVH in its capacity as a hosting provider

OVH manages a high-performance fiber optic private network, connected to numerous operators and forwarding agents. OVH manages its own backbone internally. This backbone distributes connectivity to each Data Center’s local network and connects to other OVH Data Centers.

All this equipment is secured using the following measures:

  • an inventory is kept within a configuration manager database;
  • a hardening process is in place, featuring guides that describe which parameters need to be modified in order to ensure a secure configuration;
  • access to the administrator features for equipment is reserved for staff listed on control lists;
  • all equipment is administered via a bastion host, applying the principle of least privilege;
  • all configurations for network equipment are backed up;
  • the logs are collected, centralized and monitored on a permanent basis by the network operations team; and
  • configurations are deployed automatically, based on validated templates.

Business Continuity Management

Commitments made by OVH in its capacity as a hosting provider

OVH has implemented a backup policy for the servers and equipment used by OVH to provide its services. Per this policy:

  • all systems and data necessary for continuity of services, reconstructing the IT system, or analysis purposes following an incident are backed up (technical and administrative database files, activity logs, source codes for applications developed internally, configurations for servers, applications and equipment, etc.); and
  • the intervals, conservation periods and manner of storing backups are defined in accordance with the requirements of each asset backed up; the backup process is covered by a monitoring process, and by an alert and error management process.

Audit Logging

Requirements for customers in charge of processing

Customers are solely responsible for the audit logging policy of their own systems and applications.

Commitments made by OVH in its capacity as a hosting provider

OVH has implemented a logging policy for the servers and equipment used by OVH to deliver its services. Per this policy:

  • logs are backed up and centrally conserved;
  • logs are consulted and analyzed by a limited number of authorized personnel, in accordance with the authorization and access management policy; and
  • tasks are divided up between the teams responsible for operating the monitoring infrastructure and the teams responsible for operating the service.

The list of activities that are logged includes the following:

    • logs of storage servers hosting customer data;
    • logs of the machines managing the customer’s infrastructure;
    • logs of the machines monitoring the infrastructures;
    • logs of the antivirus software installed on all equipped machines;
    • integrity checks of logs and systems, where appropriate;
    • tasks and events carried out by the customer on their infrastructure;
    • network intrusion detection logs and alerts, if appropriate;
    • logs of network equipment;
    • logs of the infrastructure of the surveillance cameras;
    • logs of administrator machines;
    • logs of time servers;
    • logs of badge readers; and
    • logs of bastion hosts.