On March 14, OVH obtained ISO/IEC 27001:2013 certification for the Information Security Management System (ISMS) of its Dedicated Servers.
This certification, obtained after an independent audit by LNE, provides strong reassurance to customers and users of the services hosted on these servers.
What is the ISO 27001 standard and certification?
ISO/IEC 27001 is an international standard that describes the “requirements for establishing, implementing, maintaining and continuously improving an information security management system” (ISMS). It describes the organisational method which ensures the confidentiality, integrity, availability and traceability of an information system.
Daily security
Since OVH's beginnings, security has been one of the main objectives of the teams that design, develop and operate its services. The ISMS aims to ensure that the means implemented to deliver security operate in a systematic, comparable and demonstrable way.
The ISMS is an approach to establishing, maintaining, monitoring and continuously improving the tools and processes that:
- Identify and consolidate OVH’s obligations and commitments in terms of information security.
- Set appropriate, understandable and consistent information security objectives.
- Implement a risk-based approach to define and prioritise security enhancements.
- Establish, industrialise and use security measures.
- Communicate and coordinate with all internal and external stakeholders involved.
On a day-to-day basis, the ISMS consists of managing every activity that carries risk for the service: access rights, system and equipment configuration, software updates, infrastructure upgrades, data deletion, segregation between environments, monitoring and incident handling. Absolute security is not a realistic goal, but the ISMS helps identify vulnerabilities, errors and malfunctions faster and more reliably, ensures that corrective actions are implemented quickly, and tracks those actions over time.
A team effort
A team of security experts works with the teams in charge of designing and operating the service, with customer support, with the sales teams and with OVH management to prioritise these improvements. Coordinating these different perspectives within a product-lifecycle, risk-based approach ensures that systems and processes adapt rapidly, pragmatically and at industrial scale to a quickly evolving threat environment.
The certification audit
Certification audits are carried out by accredited bodies, in this case LNE, which is accredited by COFRAC. The audit itself follows a strict format and is based on formal requirements. It is a challenge for the teams, but also for the auditor. On the basis of office and datacentre visits, team interviews, in-depth documentation reviews and observation of the systems over a period of a few weeks, the auditor must form an opinion on the relevance of the implemented activities, their effectiveness and, of course, their compliance with all the requirements of the ISO 27001 standard. The auditor also identifies opportunities for improvement, which are presented at the end of the audit.
What is the scope?
The scope of the Information Security Management System covers the provision, connectivity, operational support and decommissioning of Dedicated Servers allocated to customers; the resources provided to customers for configuring, using and monitoring the allocated infrastructure; and the management of the service by OVH teams. The ISMS is therefore firmly designed to focus on the service supplied to the customer.
Security as code
The ISMS covers all the physical servers managed by OVH, i.e. several hundred thousand servers across the group's datacentres. Understanding and managing security in an efficient and sustainable way over such a wide scope means aligning each decision with the principles of standardisation and automation that underpin OVH's industrial model. In the OVH value chain, all repetitive tasks performed by staff are to be phased out over the long term. As a result, security and the ISMS are improved by automating daily activities and developing tools to manage the service in a secure way. Human intervention should be limited to cases requiring in-depth analysis or complex coordination. This model allows the management system to scale up considerably while limiting the resources needed to operate it.
A modular Information Security Management System (ISMS)
The information systems that support the Dedicated Server service are, to some extent, used by all OVH products, and they are themselves hosted on Dedicated Servers, just like every other OVH product. Defining the graph of dependencies and internal responsibilities is therefore something of a mise en abyme. It was, however, a prerequisite for defining a clear and understandable security organisation that allows the ISMS to function effectively. A modular approach has been put in place to segment and structure the responsibilities of each team involved; these relationships are governed by a set of internal service agreements defined and monitored within the ISMS.
Datacentres, for example, have a separate ISMS that ensures the physical security of the hosting sites and the security of datacentre operations. This ISMS is certified independently and provides a solid foundation for the compliance of the service.
The Dedicated Server ISMS certification builds on the datacentre certification and covers the servers hosted in these certified datacentres. To date, the datacentres concerned are those in Roubaix (RBX 2, 3, 5, 6 and 7), all the datacentres in Strasbourg, and those in Beauharnois, Singapore and Sydney. The Paris datacentre (P19), which hosts part of the information system supporting the service, is also within scope, although it does not host any Dedicated Servers allocated to customers. Although all of the company's servers are covered by the ISMS, the certification only concerns these datacentres.
What next?
ISO 27001 is a general standard that addresses the concerns of most of our customers and sets a framework and organisation for ensuring service security. However, it does not address the requirements specific to a given business sector. The standard allows additional requirements to be added, and the Dedicated Servers ISMS is designed with this in mind. The ISMS will therefore gradually integrate new sector-specific measures to cover, for example, the requirements for hosting personal health data, the requirements of the banking sector, or the regulatory specificities of the public sector in the different countries where OVH provides services.
In parallel, the teams are working on extending the certification scope to include all of the group's datacentres, in particular those in Erith (UK), Limburg (DE), Ozarow (PL) and Gravelines (FR). The goal is to provide all OVH customers with a uniform level of security assurance regardless of the datacentre region chosen.
Finally, the teams will continue to work with the other product teams to complete the catalogue of certified products and gradually extend it to all of OVH's Infrastructure-as-a-Service offerings.