Security overview for Analytics
12 viste
04.12.2025 
Common
Objective
In addition to the responsibility model for Analytics services, this security fact sheet aims at describing security features and functions associated to the service. It describes also best practices that customers can adopt to secure their services.
1.Certifications
- ISO/IEC 27001
- ISO/IEC 27701
- ISO/IEC 27017
- ISO/IEC 27018
- HDS
- SOC 1 type 1
- SOC 2 type 1
- CSA type 1
- C5 type 1
2.Best pratices to be deployed on the service
2.1 Recommendations once the service is delivered
Once you have followed these first steps to subscribe your service and reset the default password communicated to access to the service, you must filter connections by using iptables.
You can also activate a private connection by using the vRack option.
2.2 Vulnerability scans
You are authorized to perform vulnerability scans on the service you have subscribed to. OVHcloud doesn't have to be previously informed.
Security measures deployed by OVHcloud (especially network protection) aren't disabled, because such an audit's purpose is to demonstrate a clear vision of the security level of the customer's infrastructure.
You are not authorized to use your service to scan other infrastructures.
3.SLA
SLA are available only for "Business/Production" and "Enterprise/Advanced" plans of this service.
SLA for the Business/Production range in Single AZ are 99,90%.
SLA for the Enterprise/Advanced range in Single AZ are 99,95%.
SLA for the Production range in Multi AZ are 99,95%.
SLA for the Advanced range in Multi AZ are 99,99%.
The calculation method of SLA consists of the total number of minutes in the month in question deducted from the number of minutes of unavailability over the month in question. The total is divided by the total number of minutes in the month.
Service credits can be 10%, 25 % or 100% of the hourly cost per hour of unavailability of the affected Service. You can refer to the Particular Conditions of the service to get more details about the monthly available rate for each service range or plan and credits limitation.
4.Backups
4.1 Technical backups
Technical backups are backups made by OVHcloud to maintain the Service Level Agreement. These backups can not be activated at customer request.
4.2 Customer data backups
Customer data (DB) is backed up, automated and operated following different frequencies. Those backups are encrypted and uploaded to a remote, replicated storage backend, in a different datacenter from the one the analytics service is hosted on. Details about frequencies, RPO and locations are listed following type of services and ranges at this link.
Customer data backup health status is checked daily by OVHcloud.
If you need to restore your data using a backup, you can follow this guide and create a new service for this purpose.
5.Logs
| Source | Content | Documentation |
|---|---|---|
| Control Panel | Logs of interactions made by admin, technical or billing contacts in the Control Panel and services they have access to, using API calls. | - https://api.ovh.com/console/#/me (see /me/api/logs)- List of API calls done with your account - List of API calls done on services you have access to -Get your audit logs |
| Service | 1000 last logs for service usage | See sheet 'log' in the Control Panel - or via API (for Cassandra service as an example /cloud/project/{serviceName}/database/cassandra/{clusterId}/logs- /cloud/project/{serviceName}/database/{serviceType}/{clusterId}/logs |
6.API
| Name | Capacity | Link |
|---|---|---|
| Control Panel and service | Manage customer accounts and services on which each account has access rights. | https://eu.api.ovh.com/console/#/dbaas/logs) |
7.Accounts - User
7.1 Control plane
Using your customer account on the OVHcloud Control Panel, you are able to manage your service using three different contacts.
OVHcloud uses another account with an internal NIC to refer a customer having subscribed to several services.
To enforce security access to your account on the Control Panel, we recommend activating a two-factor authentication mechanism or SSO(Single Sign-On) authentication.
You can also create your own IAM policy on the service, with a user interface or via API, and manage your users and groups.
You can troubleshoot your IAM policy configuration and analyse actions by using API calls to get logs.
7.2 Data plane
Once a VM is created by OVHcloud, on which the customer Analytics engines run, a TLS certificate is generated and used by the customer to access his DB. The certificate is renewed every three months.
8.Features and options available at service delivery
8.1 High availability
Different plans are made available on the service: Essential, Business/Production and Enterprise/Advanced plans.
You can choose a "Business/Production" or "Enterprise/Advanced" offer to benefit from a high availability service as your data will be replicated across multiple nodes following the chosen plan.
8.2 Data encryption
8.2.1 Encryption made by the OVHcloud teams
All network traffic on the infrastructure managing the Analytics service is encrypted. Services volumes are also encrypted with a unique key specific for each customer project.
These operations are made, by default, by the OVHcloud operation team.
Currently, OVHcloud does not offer KMS as a service, you cannot bring your own keys. KMIP is managed by OVHcloud.
For a MongoDB engine:
- Nodes: service instances and the underlying VMs use full volume encryption using LUKS with a randomly generated ephemeral key for each instance and each volume. The key is never re-used and will be trashed at the destruction of the instance, so there’s a natural key rotation with roll-forward upgrades. We use the LUKS2 mode aes-cbc-essiv:sha256 with a 512-bit key.
- Backups: backups are encrypted with a randomly generated key. This key is Asymetric RSA4096.
For all the Analytics engines such as Kafka, OpenSearch and so on, at-rest data encryption covers both active service instances as well as service backups in cloud object storage:
- Nodes: service instances and the underlying VMs use full volume encryption using LUKS with a randomly generated ephemeral key for each instance and each volume. The key is never re-used and will be trashed at the destruction of the instance, so there’s a natural key rotation with roll-forward upgrades. We use the LUKS2 default mode aes-xts-plain64:sha256 with a 512-bit key.
- Backups: backups are encrypted with a randomly generated key per file. These keys are in turn encrypted with a RSA key-encryption key-pair and stored in the header section of each backup segment. The file encryption is performed with AES-256 in CTR mode with HMAC-SHA256 for integrity protection. The RSA key-pair is randomly generated for each service. The key lengths are 256-bit for block encryption, 512-bit for the integrity protection and 3072-bits for the RSA key.
8.2.2 In-use encryption on client side
Currently, OVHcloud does not offer a KMS as a service, you cannot bring your own keys. KMIP is managed by OVHcloud.
Currently, we do not provide in-use encryption except for MongoDB Advanced plans, based on MongoDB Client-Side Field Level Encryption.
Data is encrypted client-side with customer-controlled encryption keys, before being sent, stored, or retrieved from the service.
8.3 CVE monitoring
The OVHcloud operation team in charge of the maintenance of Public Cloud Analytics services is constantly monitoring CVE on the different DBMS available. This monitoring is done through different channels, official mailing lists, security community, internal security check, etc.
We are also in constant communication with the MongoDB team, in order to provide fast and smooth transition to the latest security version of MongoDB.
8.4 vRack option
You can activate the vRack option at the subscription step or afterwards and have your private network for your Analytics project.
8.5 HDS option
The HDS option can be activated on the service.
This option is available only for "Business/Production" and "Enterprise/Advanced" plans for this service.
The subscription to the Business support level is mandatory, at least to maintain necessary requirements.
9.Reversibility
You can import and export your data following recommendations provided by editors for each Analytics engine technology.
9.1 Erasure of customer data
Once you destroy your Public Cloud project (your Analytics project) in the OVHcloud Control Panel, all allocated resources are relased automtically, including used encryption keys.
As the encryption keys are unique for each project, they will be deleted after service decommissioning. Data can not be retrieved after.
Go further
Public Cloud Analytics documentation
Visit our dedicated Discord channel: https://discord.gg/ovhcloud. Ask questions, provide feedback and interact directly with the team that builds our databases services.
If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for a custom analysis of your project.
Responsibility model for Analytics
10