Data protection, moving towards new certifications
With exponential growth, data is becoming a resource at the centre of strategic, legal, and security issues. The volume of data is such that a new unit of measurement has been introduced: the zettabyte (ZB), trillions of megabytes. According to a study* published by IDC, the amount of data will increase 10-fold between 2013 and 2020 and will reach the astronomical amount of 44 zettabytes.
“Data is the oil of tomorrow”
“Data is the oil of tomorrow, this is the issue facing the future digital economy.” These were the opening words of the International Cybersecurity Forum (FIC), which placed data at the centre of its events. Today data is worth billions and its value continues to increase especially because of the Internet of Things (IoT) and big data.
The 2016 edition of FIC took place this past January 25th-26th in Lille, France. The theme, “Data Security and Privacy”, revealed that the exposition is centred on issues surrounding data and information security. “The FIC which was originally aimed towards law enforcement is beginning to open up more and more to the general public,” explains Romain Beeckman, head of OVH’s legal department. “Themes are much wider, the notion of information security is at the heart of debate, with an emphasis on data protection.”
You only need to walk the aisles of the event to see that computer security is starting to take precedence over police analysis. The Minister of Interior and Defense can still be found among the partners, but more and more businesses are present which specialise in enterprise systems security, data protection and management, and network infrastructures. It is for this reason that OVH was present and making its fourth appearance. “We are here as an international player in digital technologies and because we have a major role to play in these areas,” adds Romain. Security is one of OVH’s natural priorities. Whether it is infrastructure, network or information system security policies, everything is done to ensure we meet the most demanding requirements.
Constantly evolving certificates
OVH is committed to a global certification strategy to recognise that its infrastructures and services conform to industry best practices and international standards. OVH facilities are protected and monitored, and receive the same level of protection regardless of a datacentre’s location. The idea is not only to guarantee reliability but to provide objective proof. This is the approach that OVH has taken to obtaining certification, which proves that it is a master in its field.
For several years, Dedicated Cloud has been ISO27001 certified and SOC 1 and 2 type II certified. “It is an important gauge of security, a gauge of trust,” explains Thibaud Saudrais, quality manager at OVH. “We must evolve every year because it is not definitive, we must maintain the level and constantly adapt. This is continuous improvement.”
New certifications are earned on a regular basis to acknowledge the efforts of the company and its expertise in security.
“For example, the latest certification to date is the PCI DSS (information security standard for credit card payments), which permits our customers to use our infrastructure to store bank and credit card numbers on Dedicated Cloud,” adds Thibaud. “This gives our customers the ability to offer their clients the possibility to store this type of data. Confidence is strengthened. It’s a win-win.”
Other projects are in development, notably a solution to store health care data: “Last summer, we submitted our application to ASIP (French governmental agency concerning health care data), a response will be given very soon”, announces Thibaud Saudrais.
At OVH, certifications extend to other services. In particular, with the Isolated Space solution, racks of Dedicated Cloud servers devoted to one customer are physically isolated within the datacentres. “This is a service centred on physical security. It is ISO27001 certified. If one of our customers requests 30,000 servers, we can construct a private datacentre for that customer that is ISO27001 certified, this is in the scope of our certification.”
Alongside these measures comes a policy of awareness: the PSSI defines the internal work processes of OVH employees. It provides the framework for the protection of the information system. “The security of the data of the OVH Group, of our customers, but also of our customers' customers is essential for the growth of the group and to maintain the infinite trust placed in us by our customers in protecting their data,” explains Laurent Allard, CEO of OVH.
A very strict password management policy, a hierarchy of rights policy on infrastructures, a partitioning policy, and the use of proxy servers for authentication: everything is done to lessen or eliminate risks. Romain also adds, “We must be proactive and capable of identifying all risks. If there is the slightest risk of the compromise of data, we need to know and understand what happened. Could it be our internal processes, could it be a failure, could it be negligence, could it be a hacker?” The certification scheme in place today lets us identify the possible source of a problem very quickly. Romain continues to explain, “This also makes it possible for everyone to have the same alert level. This approach raises the alert level across the entire enterprise. It is especially through these certifications, through the PSSI and also through the daily support teams that we will acquire even more concrete methods.”
Another key piece in OVH’s security is that no activity is subcontracted. “Today it’s very simple,” adds Romain, “our customers’ data is never sold or exchanged. Data is stored with us, internally, and no subcontractors have access to any of it.” Proof of this is that the only people that intervene on a server are employees of the group: support teams and technicians that manage the complete lifecycle of servers. “This allows us to guarantee the same level of security in all of our subsidiaries.”
Security is also a matter for our users
“On our side, we are working non-stop to reinforce all levels of security. We ensure this through these certifications,” Romain continues. “We secure the physical infrastructure, as well as the network and include anti-DDoS protection. Next, it is up to the customer to protect their structure incorporating authentication processes, monitoring, securing database access with strong passwords, and reviewing logs, looking for any possible intrusion attempts.” In effect, OVH does not have access to the content of hosted servers. The customer, as the administrator, will grant permission to OVH to intervene under specific circumstances. An OVH technician can then perform maintenance and the customer can restrict access after the scheduled work has been completed. All operations are transparent with the customers having total visibility of the intervention.
All actors in the chain are therefore concerned with security and each plays a major role. “It is up to the customer to gauge the level of protection that they need,” explains Thibaud. “Some data are more sensitive than others and end user requirements are not the same.” It is necessary to achieve an adequate architecture and maximum protection with additional tools. “We guarantee infrastructure security but customers also have certain elements to secure.” They must adhere to best practices: management of administrator access, encryption of virtual machines, use of strong passwords… “There is shared responsibility, each party has their role but all have the same objective: security.” OVH Academy events are an excellent way for many clients to integrate good security practices. Previously focused on Dedicated Cloud, this year’s events will extend to dedicated servers. Indeed, it is through good security that data will transform into “oil”.
* IDC study, April 2014