|Industry||Cloud computing, Web services|
|Key people||Michel Paulin (CEO)|
|Products||IaaS, DBaaS, DaaS|
|Revenue||Private (IPO planned)|
OVHcloud is a collection of public, private, hybrid, and multicloud cloud computing services offered by OVH, a private French information technology company. OVHcloud deploys to over 28 data centers—enhanced by the acquisition of VMware's vCloud Air business—in seven countries, largely represented by the North America, Europe, and Asia Pacific regions. (Though one data center is adversely affected as of April 2021, due to a fire.) Numerous products and services are associated with OVHcloud, representing computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, and developer support.
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
Little information can be found regarding non-tech laboratories working with OVHcloud. One example, Pacific Rim Laboratories, was found. As for laboratory informatics companies that have deployed or are deploying their software in OVHcloud, ALTIK SAS (acquired by Limseo SARL) and BioAware were identified. An OVHcloud representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used OVHcloud.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
It will ultimately be up to your organization to get an answer from OVHcloud tailored to your systems and business processes. However, this much can be said about OVHcloud. The company recognizes that "enterprise solutions must integrate seamlessly with a company's existing environment to reduce any disruption and ensure prior investments in IT have not gone to waste. This is why OVHcloud bases its technology on open standards to guarantee portability and interoperability." OVHcloud also provides case studies, like that of Touchstone Solutions, and how they have integrated their cloud and on-premises hardware solutions with OVHcloud.
3. What is the average total historical downtime for the service(s) we're interested in?
Some public information is made available about historic outages and downtime. OVHcloud has a systems status page with status history (you have to scroll past all the planned maintenance items, down to the bottom, and click on the "History" link). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with an OVHcloud representative may reveal more historical downtime history for the services you are interested in.
4. Do we receive comprehensive downtime support in the case of downtime?
OVHcloud does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with OVHcloud what downtime support they provide based on the services your organization are interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
OVHcloud has 28 data centers in seven countries, largely represented by the North America, Europe, and Asia Pacific regions. There are availability zones or areas associated with those regions, though OVHcloud doesn't appear to discuss these zones or areas much in its literature. As for the security of transferred data SSL certificates and other "security protocols and practices" are used. You'll have to discuss the specifics with an OVHcloud representative.
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
OVHcloud says this about physical access:
Every staff member receives an RFID name badge, which is also used to restrict their access. Employee access rights are reassessed regularly, according to their remit. To access the premises, employees must hand in their badge for verification before passing through the security doors.
The company doesn't make clear who has acces to the servers where your data is located. As for credentials, certifications, and training, they note that "OVH personnel follow security awareness training and are trained in compliance rules for personal data processing." For more details, discuss this with an OVHcloud representative.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all OVHcloud machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
OVHcloud states "[t]he Storage Resources allocated to the Customer are logically isolated from those allocated to other OVHcloud customers, and are physically separated from the Infrastructure in which the Customer has set up their Hosted Private Cloud Premier." This statement coincides with its public, bare metal, and hosted private cloud solutions, giving the customer the option for running in a multitenant environment or on their own isolated machine. For more about the specifics based upon your needs for isolating data, contact a representative.
9. Do you have documented data security policies?
OVHcloud documents its security practices in several places:
Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an OVHcloud representative to obtain them.
10. How do you test your platform's security?
On its data security page, OVHcloud states the following:
To verify compliance and evaluate our systems' performance, OVHcloud conducts security audits on a periodic basis. These security audits include the following:
- External audits (certifications and attestations);
- Internal audits, carried out by internal or external auditors;
- Technical audits (penetration testing, vulnerability scans, and policy compliance audits), carried out by internal or external Auditors;
- Data Center audits carried out by internal and external auditors
If an instance of non-compliance is identified, corrective measures are applied to action plans, as applicable. Corrective measures are also tracked and regularly reviewed, to verify their effectiveness.
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
See the previous question in regards to security audits. As for intrusion detection and reporting, OVHcloud has a logging policy for its servers and equipment, which includes "[n]etwork intrusion detection logs and alerts, if appropriate." On the customer end, "[c]ustomers can carry out technical audits (intrusion tests) on services hosted for them, as well as on service management blocks. The terms and conditions for carrying out audits are set out in each contract, or handled on an ad hoc basis, on request." It's not clear what intrusion detection tools OVHcloud give the customer to help monitor intrusion on their cloud service. Discuss this with a representative.
12. What data logging information is kept and acted upon in relation to our data?
OVHcloud's data security page discusses its audit logging policy. It includes a list of all the logging activities it conducts, noting that "[l]ogs are consulted and analyzed by a limited number of authorized personnel, in accordance with the authorization and access management policy."
13. How thorough are those logs and can we audit them on-demand?
It's not clear exactly what data is included, let alone if you, the customer, are able to audit their logs on demand. Discuss this with an OVHcloud representative.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
OVHcloud discusses HIPAA and which services and data centers comply. However, nothing is said about a business agreement. You'll have to discuss this topic with a representative to learn more.
15. What happens to our data should the contract expire or be terminated?
OVHcloud doesn't elaborate on this in their public cloud agreement, only to say "[a]t the end of this Contract, regardless of the reason for termination, the Client’s Instances, Object Storage Containers and any associated components and stored data shall be deleted." This policy will need to be cleary explained by a representative before undertaking operations with OVHcloud.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how OVHc would handle your data should they go out of business; consult with a representative about this topic. As for catastrophic events, one could turn to the March 2021 fire which destroyed one of OVHcloud's data centers. While they indicated that "all impacted US customers have been contacted individually and offered solutions to address their situation" in April, the hard reality is that, per their public cloud agreement:
OVHcloud does not backup specific data on the Instances or Object Storage Containers of the Client. It is therefore the responsibility of the Client to take all the necessary measures to back up their data in the event of data loss or deterioration of entrusted data, whatever the cause, including causes not expressly mentioned in this Contract. OVHcloud does not provide any guarantees related to the Client’s use of the Services, in particular guarantees related to the security and preservation of this data.
This policy was subtly alluded to in an April article in ComputerWeekly. The customer is ultimately responsible for having backups of their data.
17. Can we use your interface to extract our data when we want, and in what format will it be?
OVHcloud discusses migrating data to their service and migrating data from one data center to another, but they make little mention of extracting or migrating data out of their services. You'll have to have this conversation with a representative.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an OVHcloud representative.
Managed security services
OVHcloud doesn't appear to provide managed security services for customers.
Documentation and other media
- OVHcloud architecture framework or description
- OVHcloud shared responsibility model
- OVHcloud trust center
- Belezou, M. (11 September 2020). "French Cloud Hosting Provider OVH Plans IPO Next Year". Bloomberg Quint. https://www.bloombergquint.com/markets/french-cloud-hosting-provider-ovh-is-said-to-plan-ipo-next-year. Retrieved 28 APril 2021.
- "OVH Completes Acquisition of VMware’s vCloud Air Business". OVH. 8 May 2017. https://www.ovh.com/world/news/press/cp2456.ovh_completes_acquisition_of_vmwares_vcloud_air_business. Retrieved 28 April 2021.
- "OVHcloud: Expertise in Secure Data Center Design and Construction". OVH. https://us.ovhcloud.com/about/company/data-centers. Retrieved 24 April 2021.
- Donnelly, C. (8 April 2021). "The OVHCloud fire: Assessing the after-effects on datacentre operators and cloud users". ComputerWeekly. Archived from the original on 08 April 2021. https://web.archive.org/web/20210408103340/https://www.computerweekly.com/news/252498983/OVHCloud-datacentre-fire-Assessing-the-after-effects-on-datacentre-operators-and-cloud-users. Retrieved 24 April 2021.
- "Cloud solutions to meet all your needs". OVH. https://us.ovhcloud.com/solutions. Retrieved 28 April 2021.
- "Pacific Rim Laboratories". ZoomInfo. https://www.zoominfo.com/c/pacific-rim-laboratories-inc/86590452. Retrieved 24 April 2021.
- "ALTIK SAS". ZoomInfo. https://www.zoominfo.com/c/altik-sas/351858262. Retrieved 24 April 2021.
- Webmaster (15 March 2021). "Major hosting services issues". BioAware news. Archived from the original on 24 April 2021. https://web.archive.org/web/20210424154816/https://www.bio-aware.com/news. Retrieved 24 April 2021.
- "The Right Solutions and Products for your Business". OVHcloud. https://us.ovhcloud.com/enterprise/. Retrieved 24 April 2021.
- "Working with zones". OVHcloud. https://docs.ovh.com/us/en/load-balancer/zones/. Retrieved 24 April 2021.
- "How does the OVH SSL Certificate work?". OVHcloud. https://www.ovh.co.uk/ssl/how-ssl-works.xml. Retrieved 24 April 2021.
- "A reliable, open cloud with security standards you value". OVHcloud. https://www.ovhcloud.com/en/stories/open-cloud-security-standards/. Retrieved 24 April 2021.
- "OVHcloud Priority: Data Security and Confidentiality". OVH. https://us.ovhcloud.com/about/company/security. Retrieved 24 April 2021.
- "Data security and GDPR". OVHcloud. https://www.ovh.co.uk/personal-data-protection/security.xml. Retrieved 24 April 2021.
- "Service Specific Terms". OVHcloud. https://us.ovhcloud.com/legal/service-specific-terms. Retrieved 24 April 2021.
- "Data Security". OVHcloud. https://us.ovhcloud.com/resources/data-security. Retrieved 24 April 2021.
- "Specific Conditions for Public Cloud" (PDF). OVHcloud. https://www.ovh.com/world/support/termsofservice/specific_conditions_public_cloud.pdf. Retrieved 24 April 2021.
- "System Status Page". OVHcloud. Archived from the original on 24 April 2021. https://web.archive.org/web/20210424190835/https://status.us.ovhcloud.com/. Retrieved 24 April 2021.