OVH is ISO 27017 Compliant

OVH has implemented a series of best practices to comply with the ISO 27017 standard for cloud security.This international standard specifies the best security practices for cloud service providers. Julien Levrard, who works on ISO 27017 compliance between OVH infrastructures speaks about this approach and how it benefits all the group’s customers.

What is ISO 27017?

ISO/IEC 27017 is an international standard concerning the security of cloud services. This standard is in-line with the ISO 27002 (1) standard which specifies and enhances the best security practices for cloud services. It outlines the specifications for each component linked to such services. Though this formalisation makes it possible for security and quality experts to integrate rapidly, others may find it more difficult to read.

ISO 27017 not only focuses on providers but on cloud security as a whole, in fact, the customer's perspective is taken into account. These requirements are complementary and make it possible to standardise the relationship between customer and cloud service provider.

Some of our customers ask if we are in compliance with ISO 27017 and ISO 27018. Can you tell us more? What is the link between ISO 27017 and ISO 27018?

ISO 27018 is a standard for vendors that handle personal data. It is designed on the some model as ISO 27017 and complements the security measures of ISO 27002(1) within the context of handling personal data. OVH takes the protection of customer data very seriously and in particular that of personal data, as we explained in an article published at the start of 2016. ISO 27018 security measures are centred on application services (SaaS) which handle personal data and therefore are of little relevance to our infrastructure services.

ISO 27001 already involves a formal relation between the certified company and its customers, what more does ISO 27017 bring with it?

In 2013 we obtained the first of our certifications, ISO 27001, which highlighted the importance of communication between companies and their customers for defining appropriate security management processes. This is a general standard, applicable to any type of organisation. In ISO 27017, the relationships between customer and cloud service providers are structured precisely. The standard describes what a customer should expect on the part of the provider and what information the provider should communicate to the customer. A relationship between the customer and the cloud provider that is in-line with ISO 27017 will ensure that all important security issues are taken into account in the management of the service.

"“Our certification auditors will inspect our best practices in the next surveillance audit. Therefore we will have an independent evaluation of how best practices are implemented within our processes.”"

Can we say that OVH is ISO-27017 certified?

There is not a certification for this standard. It is a catalogue of best practices which includes recommendations for improving the security of service and is not a reference for conformity. These recommendations naturally fit very easily in an ISO 27001 certified management system. Under the continued improvement of our management system, we have implemented the changes outlined by ISO 27017 into our security measures.

Why is communication between customers and cloud service providers so important?

By hosting their information systems on our infrastructures, our customers are trusting us with their data, sometimes even the most sensitive data. They can legitimately expect us to provide enough information about our infrastructures and procedures to assure that an adequate level of security is in place. However, we must control this information to avoid any risk of compromising our security procedures. Finding a balance between these two objectives is complicated. Our certifications help us to find the right compromise.

What information is concerned?

All the information that the customer needs in order to be reassured of of their risk cover is concerned. The cloud provider must inform its customers about the architecture, technologies used, measures in place and the features available and the context of its use. For example, providers must make known the encryption technologies used and the geographical location of datacenters.

The provider must also define the customer’s role in the operating process such as keeping up with updates and incidents. In the most general sense, the standard stresses the importance of clearly defining the roles and responsibilities of the customer and the provider on matters related to security.

"“Technically, the changes are anecdotal, our management systems have been built under the context of cloud service and for the most part, the measures put in place are already ISO 27017 compliant.”"

Specifically for OVH, what difference does it make?

Technically, the changes are anecdotal, our management systems have been built under the context of cloud service and for the most part, the measures put in place are already ISO 27017 compliant. Moreover, we already communicate a lot with our customers to help them understand our architectures and security measures put in place. Communication is made through contractual documents, our website, documents transmitted after signing an agreement of confidentiality and via our technical and commercial support. This is a very rich process which we are continuously improving. In this context, we will ensure compliance with all the recommendations of the standard.

And for the customer?

Reading the standard permits the buyer of the cloud service to identify important points and helps them to choose partners. CIOs (Chief Information Officer) want more flexibility and want to be able to appeal to the most appropriate vendor for each use case. Therefore the supply of information services evolves naturally from a chain model to a network model. An increase in commercial and technical relationships introduces a new complexity that we must learn to manage.
ISO 27017 standardises the relationships between customers and cloud service providers by creating a framework and facilitating management. By conforming to ISO 27017, users of OVH services benefit from guarantees in increased security safeguards. In the coming months, we plan to continue to increase the number of certifications that we hold, especially including certification permitting OVH to host healthcare data.

(1) – ISO/CEI 27002 is made up of a group of 113 measures called “best practices,” which are intended to be used by those responsible for putting in place or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard as the “preservation of confidentiality, integrity, and availability.”