How to choose the cloud that suits your needs?
They are internationally recognized attestations that guarantee that we have put in place procedures and monitoring that allow us to provide a Dedicated Cloud service that is secure and highly available.
SOC 1 Type I (SSAE 3402) guarantees that our monitoring goals are correctly defined and that what we have established to protect our clients’ data is well in place. On the other hand, SOC 2 Type I reviews our monitoring and compares it to the international standard provided by the AICPA (American Institute of Certified Public Accountants) according to its "Trust Services Principles".
We have been audited by KPMG in Canada at the Beauharnois (BHS) data center and the offices in Montreal, then in France at the Strasbourg and Paris data centers (SBG1 and P19) as well.
These attestations were requested by many of our clients. They are now essential for any company looking for a provider in Europe, and also, if not more, in America. Every entity that is quoted at the NYSE is obligated to hire subcontractors to publish their SOC 1 reports (formerly SAS 70). Likewise, more and more European companies ask for SOC attestations to be at ease with their provider’s security level.
In other words, these attestations ensure a relationship of trust between OVH.com and its clients. A large number of professionals ask us if they can come and audit our sites, and that request often comes from their final clients. We usually do not offer this tour of our facility because our installations do not need to be visited on a daily basis for security matters. However, they can now ask OVH.com to provide their SOC attestations that can then be used as a guarantee of security.
Yes. The value of SOC 1 and 2 is highly regarded because the audits are not only made on the description of our security protocol, but detailed examinations are also conducted on our monitoring and service model. Every single procedure is scrutinized. The credibility of such reports is also due to the fact that independent auditors, who have no personal interest in the company, oversee them. In the end, the audit is done through a client’s perspective, a user who takes service very seriously.
Security policies, access to data and physical access, service availability, data confidentiality, backups, human resources, training, etc.
The auditors are also required to analyze our records, what they call “evidence”, to make sure that what we do equates to what we say we do. They have therefore seen the records, the screenshots and over 200 pieces of evidence in addition to the on-site audit.
For example, they have closely screened our physical access rights management. Who can give access rights? How are our gates and levels of security managed according to the different zones? Who has the right to give rights to those who can give rights? The whole rights management chart was checked to make sure that we have complete control over the procedures and that there is no way of getting around them. Of course, they have also tested security components such as badges. Regarding HR, the auditors checked if the associates have the necessary training and abilities for their positions, if the recruiting process is well defined, if safety training is completed, if we follow an iterative model of training, etc. It is an in-depth examination, with a wide range of parameters and strict methodology.
For instance, it is not only about having fire extinguishers in our data centers; they have to be functional, tested on a regular basis and we need to have maintenance contracts for them. The same thing goes for detection.
No. At OVH.com, security has always been an important aspect of innovation, our number 1 priority. We do not simply adapt to what is new; our main goal is for each of OVH.com’s clients to be able to experience a continually high level of performance in complete safety. As for us, in the quality department, we make sure that there is nothing in the way of those working on innovation.
They are the logical next step in our certifications and attestations process.
Today, we have reached a new stage, but we are not done. Our next objective is to get type II attestations and, finally, SOC 3 for the marketing department. SOC 1 and 2 type II are attainable through the auditing of our procedures over a period of 6 to 12 months and would confirm the efficiency of our security protocol, which is a step above type I reports. This would be the third phase of our strategy. There is no time frame for the length of validity of the SOC, nor any obligation to redo the audits. We have decided to make this whole process a recurrent one because our clients need to have access to up-to-date reports.
* Service Organization Controls
** This audit replaces the Statement on Auditing Standards No. 7 report