Learn about the security measures implemented for the Cloud (also called Managed) Databases services.
In addition to the Cloud Databases - Responsibility Model, this security fact sheet describes the security features and functions associated with the service. It also includes best practices that customers can adopt to secure their database(s).
Best practices to be deployed on the service
Recommendations once the service is delivered
Once you have subscribed to your first database engine and reset the default passwords to access the service, you must filter connections using iptables.
You can also activate a private connection by using the vRack option.
Vulnerability scans
You are authorized to perform vulnerability scans on your subscribed service. You do not need to inform OVHcloud beforehand.
Security measures deployed by OVHcloud (especially network protection) stay enabled during such scans, because the purpose of this kind of audit is to give a clear view of the security level of the customer's infrastructure.
You are not authorized to use your service to scan other infrastructures.
Backups
Technical backups
Technical backups are backups made by OVHcloud to maintain the Service Level Agreement. These backups can be deactivated at the customer's request.
Customer data backups
Customer data (DB) backups are automated and run at different frequencies. These backups are encrypted and uploaded to a remote, replicated storage backend, in a different datacenter from the one hosting the database service. More details can be found in our Cloud Databases - Automated Backups guide.
Customer data backup health status is checked daily by OVHcloud.
If you need to restore your data using a backup, you can follow this guide and create a new service.
Logs
Content | Documentation |
---|---|
Last 1000 logs for service usage | See Sheet 'log' in the Control Panel - or via API: /cloud/project/{serviceName}/database/{serviceType}/{clusterId}/logs |
API
Name | Capacity | Link |
---|---|---|
Control Panel and service | Manage customer accounts and services to which each account has access rights. | https://api.us.ovhcloud.com/console/#/dbaas/logs |
Accounts - User
Control panel
If a customer has multiple databases and analytics subscriptions, OVHcloud uses another internal account to view those subscriptions.
To strengthen access security for your account on the Control Panel, we recommend activating a two-factor authentication mechanism or SSO (Single Sign-On) authentication.
You can also create your own IAM policy on the service, with a user interface or via API, and manage your users and groups.
You can troubleshoot your IAM policy configuration and analyze actions by using API calls to get logs.
Data plane
Once OVHcloud has created the VM on which the customer's database engines run, a TLS certificate is generated and used by the customer to access their database. The certificate is renewed every three months.
Features and options available at service delivery
High availability
Three plans are made available on the service: Essential, Business, and Enterprise plans.
You can choose a "Business" or "Enterprise" offer to benefit from a high-availability service, as your data will be replicated across two or three nodes depending on the chosen plan.
For MongoDB, high availability is offered with "Production" and "Advanced" plans.
Data encryption
Encryption made by the OVHcloud teams
All network traffic on the infrastructure managing the Databases service is encrypted. Database volumes are also encrypted with a unique key specific to each customer project.
These operations are performed, by default, by the OVHcloud operation team.
Currently, OVHcloud does not offer KMS as a service, so you cannot bring your own keys. KMIP is managed by OVHcloud.
For a MongoDB engine:
- Nodes: service instances and the underlying VMs use full volume encryption using LUKS with a randomly generated ephemeral key for each instance and each volume. The key is never re-used and will be trashed at the destruction of the instance, so there’s a natural key rotation with roll-forward upgrades. We use the LUKS2 mode aes-cbc-essiv:sha256 with a 512-bit key.
- Backups: backups are encrypted with a randomly generated key. This key is an asymmetric RSA-4096 key.
For all the other database engines such as MySQL, PostgreSQL, Caching, and so on, at-rest data encryption covers both active service instances and service backups in cloud object storage:
- Nodes: service instances and the underlying VMs use full volume encryption using LUKS with a randomly generated ephemeral key for each instance and each volume. The key is never re-used and will be trashed at the destruction of the instance, so there’s a natural key rotation with roll-forward upgrades. We use the LUKS2 default mode aes-xts-plain64:sha256 with a 512-bit key.
- Backups: backups are encrypted with a randomly generated key per file. These keys are in turn encrypted with an RSA key-encryption key pair and stored in the header section of each backup segment. The file encryption is performed with AES-256 in CTR mode with HMAC-SHA256 for integrity protection. The RSA key pair is randomly generated for each service. The key lengths are 256 bits for block encryption, 512 bits for integrity protection, and 3072 bits for the RSA key.
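The backup scheme described above is an envelope-encryption construction. The following is an added illustration of that construction, not OVHcloud's code or backup file format: the header layout, the RSA-OAEP/SHA-256 key wrapping and all function names are assumptions, and it uses the third-party Python `cryptography` package.

```python
import hashlib
import hmac
import os
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Assumption: RSA-OAEP with SHA-256 for key wrapping (the page names only RSA).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN, TAG_LEN = 16, 32


def new_service_keypair():
    """Per-service RSA key-encryption key pair, 3072 bits as stated on the page."""
    return rsa.generate_private_key(public_exponent=65537, key_size=3072)


def encrypt_segment(public_key, plaintext):
    enc_key = os.urandom(32)        # 256-bit AES key, fresh for every file
    mac_key = os.urandom(64)        # 512-bit HMAC-SHA256 key
    nonce = os.urandom(NONCE_LEN)   # initial AES-CTR counter block
    wrapped = public_key.encrypt(enc_key + mac_key, OAEP)
    # Hypothetical header: 2-byte wrapped-key length | wrapped keys | nonce
    header = struct.pack(">H", len(wrapped)) + wrapped + nonce
    enc = Cipher(algorithms.AES(enc_key), modes.CTR(nonce)).encryptor()
    body = enc.update(plaintext) + enc.finalize()
    # Encrypt-then-MAC: the tag covers the header as well as the ciphertext.
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt_segment(private_key, blob):
    if len(blob) < 2:
        raise ValueError("truncated segment")
    (wrapped_len,) = struct.unpack(">H", blob[:2])
    header_end = 2 + wrapped_len + NONCE_LEN
    if len(blob) < header_end + TAG_LEN:
        raise ValueError("truncated segment")
    header, body, tag = blob[:header_end], blob[header_end:-TAG_LEN], blob[-TAG_LEN:]
    keys = private_key.decrypt(header[2:2 + wrapped_len], OAEP)
    enc_key, mac_key = keys[:32], keys[32:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("integrity check failed")
    dec = Cipher(algorithms.AES(enc_key), modes.CTR(header[-NONCE_LEN:])).decryptor()
    return dec.update(body) + dec.finalize()
```

Because CTR mode provides no integrity on its own, the HMAC check is what rejects a modified or truncated segment, and it runs before any ciphertext is decrypted.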
In-use encryption on client side
Currently, OVHcloud does not offer a KMS as a service, so you cannot bring your own keys. KMIP is managed by OVHcloud.
Currently, we do not provide in-use encryption with our Managed Databases.
Data can be encrypted client-side with customer-controlled encryption keys, before being sent, stored, or retrieved from the database.
Client-Side Field Level Encryption (FLE) is an in-use encryption capability that enables a client application to encrypt sensitive data before storing it in the MongoDB database. Sensitive data is transparently encrypted, remains encrypted throughout its lifecycle, and is only decrypted on the client side.
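A sketch of application-layer field encryption with a customer-held key, added here as an example; it is not MongoDB's FLE API or OVHcloud code. The field names, the `v1:` value prefix and the function names are hypothetical, and it uses AES-256-GCM from the third-party Python `cryptography` package.

```python
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SENSITIVE_FIELDS = ("ssn", "card_number")   # hypothetical field names


def _context(collection, doc_id, field):
    # Associated data ties a ciphertext to one collection, document and field,
    # so a value copied into another record fails authentication.
    return json.dumps([collection, str(doc_id), field]).encode()


def encrypt_document(key, collection, doc):
    """Return a copy of doc with sensitive fields encrypted before it is sent."""
    aead, out = AESGCM(key), dict(doc)
    for field in SENSITIVE_FIELDS:
        if field in doc:
            nonce = os.urandom(12)          # unique per encryption under one key
            ct = aead.encrypt(nonce, str(doc[field]).encode(),
                              _context(collection, doc["_id"], field))
            out[field] = "v1:" + base64.b64encode(nonce + ct).decode()
    return out


def decrypt_document(key, collection, stored):
    """Decrypt sensitive fields of a document read back from the database."""
    aead, out = AESGCM(key), dict(stored)
    for field in SENSITIVE_FIELDS:
        value = stored.get(field)
        if isinstance(value, str) and value.startswith("v1:"):
            raw = base64.b64decode(value[3:])
            try:
                out[field] = aead.decrypt(
                    raw[:12], raw[12:],
                    _context(collection, stored["_id"], field)).decode()
            except InvalidTag:
                raise ValueError(f"field {field!r} failed authentication") from None
    return out
```

The database only ever stores the `v1:` values, so the key must be kept and rotated on the client side; equality queries on an encrypted field no longer work with this randomized scheme.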
CVE monitoring
The OVHcloud operation team in charge of the maintenance of Public Cloud Databases services constantly monitors CVEs on the different DBMS available. This monitoring is done through different channels: official mailing lists, security community, internal security checks, etc.
We are also in constant communication with the MongoDB team, to provide a fast and smooth transition to the latest security version of MongoDB.
vRack option
You can activate the vRack option at the subscription step or afterward and have your private network for your Database project. Learn how to configure your private network in our Cloud Databases - Configure Your Private Network guide.
Reversibility
You can import and export your data following the recommendations provided by the vendor of each database engine technology. Here are some examples:
- For MongoDB, you can refer to this link: https://www.mongodb.com/docs/compass/current/import-export/
- For Caching, you can refer to this link: https://docs.redis.com/latest/rs/databases/import-export/
Erasure of customer data
All allocated resources are released automatically.
As the encryption keys are unique for each project, they will be deleted after service decommissioning. Data cannot be retrieved afterward.
Go further
For more information and tutorials, please see our other Cloud Databases support guides or explore the guides for other OVHcloud products and services.