OVH NEWS | THE LATEST ON IT INNOVATIONS AND TRENDS


Discover. Understand. Anticipate.












28/01/2014

Report written by Sophie Lavergne


SOC 1 and 2 Type I strengthen the trust between OVH.com and Dedicated Cloud users


The security level of OVH.com’s Dedicated Cloud has been recognized through the SOC* 1 Type I (SSAE 16 and ISAE 3402)** and SOC 2 Type I attestations for 1 of its data centers in Canada and 3 in France. Thibaud Saudrais, Quality Director, explains.

“SOC 1 Type I (SSAE 16 and ISAE 3402) and SOC 2 Type I”, what are those?

They are internationally recognized attestations that guarantee that we have put in place procedures and monitoring that allow us to provide a Dedicated Cloud service that is secured and of high availability.





Could you go into more details?

SOC 1 Type I (SSAE 3402) guarantees that our monitoring goals are correctly defined and that what we have established to protect our clients’ data is well in place. On the other hand, SOC 2 Type I reviews our monitoring and compares it to the international standard provided by the AICPA (American Institute of Certified Public Accountants) according to its "Trust Services Principles".


Which data centers have been certified?

We have been audited by KPMG in Canada on the Beauharnois (BHS) data center and the offices in Montreal, then in France on Strasbourg and Paris data centers (SBG1 and P19) as well.


Why did OVH.com need to meet this standard?

These attestations were requested by many of our clients. They are now essential for any company looking for a provider in Europe, and also, if not more so, in America. Every entity that is quoted at the NYSE is obligated to hire subcontractors to publish their SOC 1 reports (formerly SAS 70). Likewise, more and more European companies ask for SOC attestations to be at ease with their provider’s security level.
In other words, these attestations ensure a relationship of trust between OVH.com and its clients. A large number of professionals ask us if they can come and audit our sites, and that request often comes from their final clients. We usually do not offer this tour of our facility because our installations do not need to be visited on a daily basis for security matters. However, they can now ask OVH.com to provide their SOC attestations that can then be used as a guarantee of security.


It essentially acts as an assurance policy for your clients.

Yes. The value of SOC 1 and 2 is highly regarded because the audits are not only made on the description of our security protocol, but detailed examinations are also conducted on our monitoring and service model. Every single procedure is scrutinized. The credibility of such reports is also due to the fact that independent auditors, who have no personal interest in the company, oversee them. In the end, the audit is done through a client’s perspective, a user who takes service very seriously.




What did the auditors specifically check?

Security policies, access to data and physical access, service availability, data confidentiality, backups, human resources, training, etc.
The auditors are also required to analyze our records, what they call “evidence”, to make sure that what we do equates to what we say we do. They have therefore seen the records, the screenshots and over 200 pieces of evidence in addition to the on-site audit.
For example, they have closely screened our physical access rights management. Who can give access rights? How are our gates and levels of security managed according to the different zones? Who has the right to give rights to those who can give rights? The whole rights management chart was checked to make sure that we have complete control over the procedures and that there is no way of getting around them. Of course, they have also tested security components such as badges. Regarding HR, the auditors checked if the associates have the necessary training and abilities for their positions, if the recruiting process is well defined, if safety training is completed, if we follow an iterative model of training, etc. It is an in-depth examination, with a wide range of parameters and strict methodology.
For instance, it is not only about having fire extinguishers in our data centers; they have to be functional, tested on a regular basis and we need to have maintenance contracts for them. The same thing goes for detection.


Are stricter security constraints slowing down technological performance and innovation?

No. At OVH.com, security has always been an important aspect of innovation, our number 1 priority. We do not simply adapt to what is new; our main goal is for each of OVH.com’s clients to be able to experience a continually high level of performance in complete safety. As for us, in the quality department, we make sure that there is nothing in the way of those working on innovation.


In what way are these new attestations part of a global strategy?

They are the logical next step in our certifications and attestations process.
Today, we have reached a new stage, but we are not done. Our next objective is to get Type II attestations and, finally, SOC 3 for the marketing department. SOC 1 and 2 Type II are attainable through the auditing of our procedures over a period of 6 to 12 months and would confirm the efficiency of our security protocol, which is a step above Type I reports. This would be the third phase of our strategy. There is no time frame for the length of validity of the SOC, nor any obligation to redo the audits. We have decided to make this whole process a recurrent one because our clients need to have access to up-to-date reports.

* Service Organization Controls
** This audit replaces the Statement on Auditing Standards No. 7 report