Difference between revisions of "DigitalOcean"

From LIMSWiki
(Updated for 2023.)
 
Line 21: Line 21:
| products        = [[Infrastructure as a service|IaaS]], [[Platform as a service|PaaS]], [[Database as a service|DBaaS]], [[Software as a service|SaaS]]
| products        = [[Infrastructure as a service|IaaS]], [[Platform as a service|PaaS]], [[Database as a service|DBaaS]], [[Software as a service|SaaS]]
| services        =  
| services        =  
| revenue          = $87.5 million (2020, Q4)<ref name="WilhelmOloRais21">{{cite web |url=https://techcrunch.com/2021/03/15/olo-raises-ipo-range-as-digitalocean-sees-possible-5b-debut-valuation/ |title=Olo raises IPO range as DigitalOcean sees possible $5B debut valuation |author=Wilhelm, A. |work=Tech Crunch - Extra Crunch |date=15 March 2021 |accessdate=25 April 2021}}</ref>
| revenue          = $165.1 million (2023, Q1)<ref name="DOQ1_23">{{cite web |url=https://investors.digitalocean.com/news/news-details/2023/DigitalOcean-Announces-First-Quarter-2023-Financial-Results/default.aspx |title=DigitalOcean Announces First Quarter 2023 Financial Results |publisher=DigitalOcean |date=09 May 2023 |accessdate=02 August 2023}}</ref>
| operating_income =  
| operating_income =  
| net_income      =  
| net_income      =  
Line 37: Line 37:
}}
}}


'''DigitalOcean''' is an American [[cloud computing]] company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. AWS has 13 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, and India.<ref name="DORegional21">{{cite web |url=https://docs.digitalocean.com/products/platform/availability-matrix/ |title=Regional Availability Matrix |publisher=DigitalOcean |date=01 April 2021 |accessdate=25 April 2021}}</ref> The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.<ref name="DOProds">{{cite web |url=https://www.digitalocean.com/products/ |title=Products |publisher=DigitalOcean |accessdate=25 April 2021}}</ref><ref name="DOSolutions">{{cite web |url=https://www.digitalocean.com/business/ |title=Solutions |publisher=DigitalOcean |accessdate=25 April 2021}}</ref>
'''DigitalOcean''' is an American [[cloud computing]] company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. DigitalOcean has 14 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia.<ref name="DORegional21">{{cite web |url=https://docs.digitalocean.com/products/platform/availability-matrix/ |title=Regional Availability Matrix |publisher=DigitalOcean |date=07 July 2023 |accessdate=02 August 2023}}</ref> The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.<ref name="DOProds">{{cite web |url=https://www.digitalocean.com/products |title=Products |publisher=DigitalOcean |accessdate=02 August 2023}}</ref><ref name="DOSolutions">{{cite web |url=https://www.digitalocean.com/business |title=Solutions |publisher=DigitalOcean |accessdate=02 August 2023}}</ref>


==Provider research==
==Provider research==
Line 45: Line 45:
1. '''What experience do you have working with laboratory customers in our specific industry?'''
1. '''What experience do you have working with laboratory customers in our specific industry?'''


The only publicly available information linking DigitalOcean with a [[laboratory]] is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.<ref name="CBLDigital17">{{cite web |url=https://newyork.citybizlist.com/article/435862/digitalocean-appoints-steve-senneff-as-cfo |title=DigitalOcean Appoints Steve Senneff as CFO |work=CityBizList |date=15 August 2017 |accessdate=13 April 2021}}</ref> You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.
The only publicly available information linking DigitalOcean with a [[laboratory]] is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.<ref name="CBLDigital17">{{cite web |url=https://newyork.citybuzz.co/article/435862/digitalocean-appoints-steve-senneff-as-cfo |title=DigitalOcean Appoints Steve Senneff as CFO |work=CityBizList |date=15 August 2017 |accessdate=02 August 2023}}</ref> You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.




2. '''Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?'''
2. '''Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?'''


It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a [https://www.digitalocean.com/products/tools-and-integrations/ page about integration tools], which you can use to "interact with your infrastructure the way you want to."<ref name="DOAutomate">{{cite web |url=https://www.digitalocean.com/products/tools-and-integrations/ |title=Automate your infrastructure |publisher=DigitalOcean |accessdate=14 April 2021}}</ref> This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.<ref name="DOAutomate" />
It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a [https://www.digitalocean.com/products/tools-and-integrations page about integration tools], which you can use to "interact with your infrastructure the way you want to."<ref name="DOAutomate">{{cite web |url=https://www.digitalocean.com/products/tools-and-integrations |title=Automate your infrastructure |publisher=DigitalOcean |accessdate=02 August 2023}}</ref> This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.<ref name="DOAutomate" />




3. '''What is the average total historical downtime for the service(s) we're interested in?'''
3. '''What is the average total historical downtime for the service(s) we're interested in?'''


Some public information is made available about historic outages and downtime. DigitalOcean has a [https://status.digitalocean.com/ systems status page] with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.<ref name="MigliaccioAGlimpse21">{{cite web |url=https://www.digitalocean.com/blog/a-glimpse-into-network-availability/ |title=A glimpse into network availability |author=Migliaccio, A. |work=DigitalOcean Blog |date=11 February 2021 |accessdate=14 April 2021}}</ref> A follow-up on this question with a DigitalOcean representative may reveal more historical downtime history for the services you are interested in.
Some public information is made available about historic outages and downtime. DigitalOcean has a [https://status.digitalocean.com/ systems status page] with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.<ref name="MigliaccioAGlimpse21">{{cite web |url=https://www.digitalocean.com/blog/a-glimpse-into-network-availability/ |title=A glimpse into network availability |author=Migliaccio, A. |work=DigitalOcean Blog |date=11 February 2021 |accessdate=02 August 2023}}</ref> A follow-up on this question with a DigitalOcean representative may reveal more historical downtime history for the services you are interested in.




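Review bot: In the CBLDigital17 citation under question 1, the URL host changes from newyork.citybizlist.com to newyork.citybuzz.co while work=CityBizList and the title stay the same. Confirm that the new host is the publisher's current domain and still serves article 435862; if the original is gone, an archived copy of the original URL is a safer target than a different domain.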
Line 65: Line 65:
5. '''Where are your servers located, and how is data securely transferred to and from those servers?'''
5. '''Where are your servers located, and how is data securely transferred to and from those servers?'''


DigitalOcean describes its [https://docs.digitalocean.com/products/platform/availability-matrix/ datacenter regions] in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, and India. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.<ref name="DOHowToEnable21">{{cite web |url=https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/ |title=How to Enable the Spaces CDN |work=DigitalOcean Documentation |date=01 March 2021 |accessdate=14 April 2021}}</ref> However, DigitalOcean is light on details in regards to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."<ref name="DOTrustFAQ">{{cite web |url=https://www.digitalocean.com/trust/faq/ |title=Frequently Asked Questions |work=DigitalOcean Trust Platform |publisher=DigitalOcean |accessdate=14 April 2021}}</ref> The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses [https://www.digitalocean.com/trust/resources/ on its trust center]. DigitalOcean doesn't appear to discuss data localization on its site.
DigitalOcean describes its [https://docs.digitalocean.com/products/platform/availability-matrix/ datacenter regions] in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.<ref name="DOHowToEnable21">{{cite web |url=https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/ |title=How to Enable the Spaces CDN |work=DigitalOcean Documentation |date=07 June 2023 |accessdate=02 August 2023}}</ref> However, DigitalOcean is light on details in regards to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."<ref name="DOTrustFAQ">{{cite web |url=https://www.digitalocean.com/trust/faq/ |title=Frequently Asked Questions |work=DigitalOcean Trust Platform |publisher=DigitalOcean |accessdate=02 August 2023}}</ref> The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses [https://www.digitalocean.com/trust/resources on its trust center]. DigitalOcean doesn't appear to discuss data localization on its site.




6. '''Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?'''
6. '''Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?'''


DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer [https://www.digitalocean.com/community/questions/datacenter-security-details asked about physical security], and they were told to review the legal literature for the company. The current [https://www.digitalocean.com/legal/data-processing-agreement/ data processing agreement] has a "security," section, but even there details are limited. It recommends reading Annex B of the agreement, but Annex B is only "Available upon request."<ref name="DODataProcessing20">{{cite web |url=https://www.digitalocean.com/legal/data-processing-agreement/ |title=Data Processing Agreement |publisher=DigitalOcean |date=31 July 2020 |accessdate=14 April 2021}}</ref> You'll have to discuss this topic in full with a DigitalOcean representative.
DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer [https://www.digitalocean.com/community/questions/datacenter-security-details asked about physical security], and they were told to review the legal literature for the company. The current [https://www.digitalocean.com/legal/data-processing-agreement data processing agreement] says the following about physical access to systems<ref name="DODataProcessing20">{{cite web |url=https://www.digitalocean.com/legal/data-processing-agreement |title=Data Processing Agreement |publisher=DigitalOcean |date=31 July 2020 |accessdate=02 August 2023}}</ref>:
 
<blockquote>DigitalOcean data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge controlled gates.
 
CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.</blockquote>
 
As for credentials, certifications, and training, nothing is said. Discuss this with a DigitalOcean representative.




7. '''Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?'''
7. '''Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?'''


Not all [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean machines] have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that DigitalOcean may not be compliant with [[HIPAA]]; see #14.)
Not all [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean machines] have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that as of August 2023, DigitalOcean is reportedly not compliant with [[HIPAA]]; see #14.)




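Review bot: The note closing answer 7 says DigitalOcean is "reportedly not compliant with [[HIPAA]]", but answer 14 in this same revision quotes DigitalOcean stating it directly. Drop "reportedly" so the two answers agree, and reuse the DOManagedDB reference here. Separately, question 6 asks about subcontractors, and the rewritten answer covers only physical data center access, so its closing sentence should say that subcontractor access is not addressed either.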
Line 89: Line 95:
DigitalOcean documents its security practices in several places:
DigitalOcean documents its security practices in several places:


* [https://docs.digitalocean.com/products/accounts/security/ DigitalOcean account security documentation]
* [https://docs.digitalocean.com/products/teams/how-to/#security DigitalOcean account security documentation]
* [https://www.digitalocean.com/legal/data-processing-agreement/ DigitalOcean Data Processing Agreement]
* [https://www.digitalocean.com/legal/data-processing-agreement DigitalOcean Data Processing Agreement]
* [https://www.digitalocean.com/trust/ DigitalOcean trust center]
* [https://www.digitalocean.com/trust/ DigitalOcean trust center]


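Review bot: The first list item keeps the label "DigitalOcean account security documentation", but its target moves from /products/accounts/security/ to /products/teams/how-to/#security, which is an anchor on a Teams how-to page. Update the label to match the new target, or confirm that the account security material now lives there. The Data Processing Agreement link also loses its trailing slash while the trust center link in the same list keeps it, so pick one form.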
Line 98: Line 104:
10. '''How do you test your platform's security?'''
10. '''How do you test your platform's security?'''


DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."<ref name="DODataProcessing20" /> You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.<ref name="HackerOneDO">{{cite web |url=https://hackerone.com/digitalocean?type=team |title=DigitalOcean Vulnerability Disclosure Program |publisher=HackerOne |date=March 2020 |accessdate=14 April 2021}}</ref>
DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."<ref name="DODataProcessing20" /> You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.<ref name="HackerOneDO">{{cite web |url=https://hackerone.com/digitalocean?type=team |title=DigitalOcean Vulnerability Disclosure Program |publisher=HackerOne |date=March 2020 |accessdate=02 August 2023}}</ref>




11. '''What are your policies for security audits, intrusion detection, and intrusion reporting?'''
11. '''What are your policies for security audits, intrusion detection, and intrusion reporting?'''


In its [https://www.digitalocean.com/legal/data-processing-agreement/ Data Processing Agreement], DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, the customer can execute an audit of DigitalOcean's systems but at the customer's expense.<ref name="DODataProcessing20" /> Read the Data Processing Agreement for more.
In its [https://www.digitalocean.com/legal/data-processing-agreement Data Processing Agreement], DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, the customer can execute an audit of DigitalOcean's systems but at the customer's expense.<ref name="DODataProcessing20" /> Read the Data Processing Agreement for more.




12. '''What data logging information is kept and acted upon in relation to our data?'''
12. '''What data logging information is kept and acted upon in relation to our data?'''


DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."<ref name="DOMonitoring">{{cite web |url=https://www.digitalocean.com/products/monitoring/ |title=Seamless infrastructure monitoring |publisher=DigitalOcean |accessdate=14 April 2021}}</ref> However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.
DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."<ref name="DOMonitoring">{{cite web |url=https://www.digitalocean.com/products/monitoring |title=Seamless infrastructure monitoring |publisher=DigitalOcean |accessdate=02 August 2023}}</ref> However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.




Line 118: Line 124:
14. '''For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?'''
14. '''For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?'''


DigitalOcean's approach to HIPAA compliance and a business associate agreement is extremely confusing. Unfortunately, the company does not directly come out and say what its stance is on HIPAA. Numerous community questions<ref name="NusbaumHowCan16">{{cite web |url=https://www.digitalocean.com/community/questions/how-can-i-achieve-hipaa-compliance-on-a-digitalocean-hosted-solution |title=How can I achieve HIPAA compliance on a DigitalOcean hosted solution? |author=Nusbaum |work=DigitalOcean Community |publisher=DigitalOcean |date=15 September 2016 |accessdate=14 April 2021}}</ref> and even some external discussion boards<ref name="EvansFully19">{{cite web |url=https://news.ycombinator.com/item?id=19162989 |title=Fully managed PostgreSQL databases |author=Evans, C. |work=Hacker News |date=14 February 2019 |accessdate=14 April 2021}}</ref> give conflicting information about this topic. Judging from publicly available information, it doesn't appear they are HIPAA/HITECH compliant but they may be working towards that. This is conversation for a knowledgeable representative.
{{As of|August 2023}}, DigitalOcean states that "DigitalOcean is not HIPAA compliant, therefore, healthcare organizations should consider an alternative."<ref name="DOManagedDB">{{cite web |url=https://www.digitalocean.com/security/shared-responsibility-model-managed-databases |title=Managed Databases |publisher=DigitalOcean |accessdate=02 August 2023}}</ref>




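Review bot: The replacement answer to question 14 never says whether DigitalOcean will sign a business associate agreement, which is what the question asks. Add a sentence saying that the cited source gives no BAA position, or cite one that does. The quote is sourced to a page titled "Managed Databases" (shared-responsibility-model-managed-databases), so state whether the statement is company-wide or appears only on that product's page. The NusbaumHowCan16 and EvansFully19 references are dropped with the old paragraph; check that no other section still reuses them by name.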
Line 133: Line 139:
17. '''Can we use your interface to extract our data when we want, and in what format will it be?'''
17. '''Can we use your interface to extract our data when we want, and in what format will it be?'''


DigitalOcean has a page dedicated to [https://www.digitalocean.com/legal/data-portability/ data portability]. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.
DigitalOcean has a page dedicated to [https://www.digitalocean.com/legal/data-portability data portability]. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.




Line 151: Line 157:
===External links===
===External links===
* [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean architecture framework or description]
* [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean architecture framework or description]
* [https://www.digitalocean.com/trust/faq/ DigitalOcean shared responsibility model]
* [https://www.digitalocean.com/trust/faq DigitalOcean shared responsibility model]
* [https://www.digitalocean.com/trust/ DigitalOcean trust center]
* [https://www.digitalocean.com/trust DigitalOcean trust center]


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}
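Review bot: The trust center link under External links becomes https://www.digitalocean.com/trust with no trailing slash, while the same link in the question 9 list stays as https://www.digitalocean.com/trust/. Use one form in both places. The "DigitalOcean shared responsibility model" label still points at /trust/faq, whereas answer 14 in this revision cites a shared responsibility page under /security/, so consider whether that is the better target for this label.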

Latest revision as of 17:31, 2 August 2023

DigitalOcean
Industry: Cloud computing, Web services, Internet
Founder(s): Moisey Uretsky, Ben Uretsky, Jeff Carr, Alec Hartman, Mitch Wainer
Headquarters: New York City, New York, United States
Area served: Worldwide
Key people: Yancey Spruill (CEO)
Products: IaaS, PaaS, DBaaS, SaaS
Revenue: $165.1 million (2023, Q1)[1]
Website: digitalocean.com


DigitalOcean is an American cloud computing company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. DigitalOcean has 14 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia.[2] The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.[3][4]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.


1. What experience do you have working with laboratory customers in our specific industry?

The only publicly available information linking DigitalOcean with a laboratory is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.[5] You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.


2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a page about integration tools, which you can use to "interact with your infrastructure the way you want to."[6] This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.[6]


3. What is the average total historical downtime for the service(s) we're interested in?

Some public information is made available about historic outages and downtime. DigitalOcean has a systems status page with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.[7] A follow-up on this question with a DigitalOcean representative may reveal more downtime history for the services you are interested in.


4. Do we receive comprehensive downtime support in the case of downtime?

DigitalOcean does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with DigitalOcean what downtime support they provide based on the services your organization is interested in.


5. Where are your servers located, and how is data securely transferred to and from those servers?

DigitalOcean describes its datacenter regions in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.[8] However, DigitalOcean is light on details with regard to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."[9] The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses on its trust center. DigitalOcean doesn't appear to discuss data localization on its site.


6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer asked about physical security, and they were told to review the legal literature for the company. The current data processing agreement says the following about physical access to systems[10]:

"DigitalOcean data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge controlled gates.

"CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities."

As for credentials, certifications, and training, nothing is said. Discuss this with a DigitalOcean representative.


7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all DigitalOcean machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that as of August 2023, DigitalOcean is reportedly not compliant with HIPAA; see #14.)


8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

DigitalOcean's public policy on physical separation vs. logical separation of data is unclear. This is a discussion to have with a representative.

DigitalOcean talks a little bit about tenant isolation in the context of a virtual private cloud (VPC), mentioning VPC networks, SSH keys, cloud firewalls, and service auditing. These are recommended protections for you, the cloud user. However, it's best to discuss DigitalOcean's approach to tenant isolation in full with a representative.


9. Do you have documented data security policies?

DigitalOcean documents its security practices in several places:

Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with a DigitalOcean representative to obtain them.


10. How do you test your platform's security?

DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."[10] You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.[11]


11. What are your policies for security audits, intrusion detection, and intrusion reporting?

In its Data Processing Agreement, DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, you can execute an audit of DigitalOcean's systems, but at your own expense.[10] Read the Data Processing Agreement for more.


12. What data logging information is kept and acted upon in relation to our data?

DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."[12] However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.


13. How thorough are those logs and can we audit them on-demand?

You can of course manage and view logs related to your own activities. However, it's unclear if you are able to audit internal DigitalOcean logs on-demand. This is a conversation to have with a representative.


14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

As of August 2023, DigitalOcean states that "DigitalOcean is not HIPAA compliant, therefore, healthcare organizations should consider an alternative."[13]


15. What happens to our data should the contract expire or be terminated?

DigitalOcean only states: "Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent DigitalOcean is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data DigitalOcean shall securely isolate and protect from any further processing, except to the extent required by applicable law."[10] This statement doesn't provide sufficient clarity, and you should have a DigitalOcean representative address this question in full.


16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how DigitalOcean would handle your data should they go out of business, nor do they mention anything about catastrophic loss on their site. Consult with a DigitalOcean representative about this topic.


17. Can we use your interface to extract our data when we want, and in what format will it be?

DigitalOcean has a page dedicated to data portability. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.


18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a DigitalOcean representative.

Managed security services

DigitalOcean doesn't appear to provide managed security services for cloud customers.


References

  1. "DigitalOcean Announces First Quarter 2023 Financial Results". DigitalOcean. 9 May 2023. https://investors.digitalocean.com/news/news-details/2023/DigitalOcean-Announces-First-Quarter-2023-Financial-Results/default.aspx. Retrieved 02 August 2023. 
  2. "Regional Availability Matrix". DigitalOcean. 7 July 2023. https://docs.digitalocean.com/products/platform/availability-matrix/. Retrieved 02 August 2023. 
  3. "Products". DigitalOcean. https://www.digitalocean.com/products. Retrieved 02 August 2023. 
  4. "Solutions". DigitalOcean. https://www.digitalocean.com/business. Retrieved 02 August 2023. 
  5. "DigitalOcean Appoints Steve Senneff as CFO". CityBizList. 15 August 2017. https://newyork.citybuzz.co/article/435862/digitalocean-appoints-steve-senneff-as-cfo. Retrieved 02 August 2023. 
  6. "Automate your infrastructure". DigitalOcean. https://www.digitalocean.com/products/tools-and-integrations. Retrieved 02 August 2023. 
  7. Migliaccio, A. (11 February 2021). "A glimpse into network availability". DigitalOcean Blog. https://www.digitalocean.com/blog/a-glimpse-into-network-availability/. Retrieved 02 August 2023. 
  8. "How to Enable the Spaces CDN". DigitalOcean Documentation. 7 June 2023. https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/. Retrieved 02 August 2023. 
  9. "Frequently Asked Questions". DigitalOcean Trust Platform. DigitalOcean. https://www.digitalocean.com/trust/faq/. Retrieved 02 August 2023. 
  10. "Data Processing Agreement". DigitalOcean. 31 July 2020. https://www.digitalocean.com/legal/data-processing-agreement. Retrieved 02 August 2023. 
  11. "DigitalOcean Vulnerability Disclosure Program". HackerOne. March 2020. https://hackerone.com/digitalocean?type=team. Retrieved 02 August 2023. 
  12. "Seamless infrastructure monitoring". DigitalOcean. https://www.digitalocean.com/products/monitoring. Retrieved 02 August 2023. 
  13. "Managed Databases". DigitalOcean. https://www.digitalocean.com/security/shared-responsibility-model-managed-databases. Retrieved 02 August 2023.