How to optimize Object Storage security and reliability
Let's explore how you can leverage Scaleway Object Storage to fortify your data protection strategy!
In today's digital landscape, where data is often hailed as the new currency, securing that data is more critical than ever. As organizations increasingly rely on cloud storage solutions, the need for robust security measures that not only protect but also empower users to manage their data securely has never been greater. At Scaleway, we understand this need intimately, and we’ve been on a journey to continuously improve the security level of our Object Storage service.
From the early days of access controls to more advanced security features and encryption types available today, Scaleway has consistently evolved to meet the growing demands of our customers.
Let us take you through our security journey, showcasing where we started, the significant strides we’ve made, and the exciting developments on the horizon. Whether you’re a long-time user or new to Scaleway, you’ll find that our commitment to securing your data is stronger than ever.
In the early days of Scaleway's Object Storage, our primary focus was on delivering reliable and scalable storage solutions to our customers. Security, while always a priority, was primarily built around fundamental features such as basic Access control lists (ACL). ACLs which are subresources attached to buckets and objects define which type of access is permitted onto these ressources, and thus our initial offerings included basic API checks, providing a solid yet rudimentary layer of security for users managing their data.
Resilience is inseparable from security and offering the best data protection. Hence, as part of our foundational strategy, Scaleway introduced the Standard Multi-AZ (Availability Zone) class for Object Storage in Paris Region in February 2022, which marked a significant leap in our resiliency towards local threats or outbreaks. With Multi-AZ, data is automatically replicated across multiple availability zones within the same region, ensuring high availability and fault tolerance. This means that even in the event of an entire availability zone failure, your data remains safe, timely accessible, and unaffected. This resiliency was crucial in building trust with our users, and we rolled out the Multi-AZ class as the Standard class in all Scaleway Regions in 2023.
As part of our commitment to offering the best S3-compatibility, we integrated early on into the product journey critical security features like Versioning, and Object lock that allow users to protect their data from unintentional and external threats.
More recently, in 2023 we completed the integration of IAM with Bucket policy to offer fine-grained access management at the resource level, and deployed access logs into Cockpit to give more visibility on actions performed onto buckets.
Fast forward to today, and Scaleway has significantly enhanced its security features, ensuring that our customers' data is more secure than ever. The latest updates include:
As we said, each object is physically stored across different nodes and datacenters, and the likeliness of someone intruding into Scaleway datacenters to gather the exact and multiple disks necessary to rebuild a single object is near to zero, customers have always been caring and waiting for at rest encryption. This feature has especially been solicited for compliance reasons and preventing very specific security breaches. Available early October in all regions, SSE-C (Server-Side Encryption with Customer-provided keys) allows customers to manage their own encryption keys. This gives users greater control over their data security, ensuring that only they have access to the keys that encrypt their objects. This level of encryption provides an added layer of security by allowing customers to keep their encryption keys separate from their data storage provider.
Previously, managing bucket policies required using the API or CLI, which could be complex and time-consuming, also was leading more easily to human errors into this critical path to securing data. With the introduction of the bucket policy generator directly in the Scaleway Console, users can now easily create and manage their bucket policies with a user-friendly interface. This tool simplifies the process of combining IAM (Identity and Access Management) and bucket policies for detailed access control, and the centralized bucket policies overview helps users quickly visualize and manage security settings across their storage buckets.
These enhancements reflect our commitment to making advanced security features more accessible and user-friendly, enabling our customers to effortlessly secure their data.
Looking ahead, Scaleway is committed to continuing its journey of innovation in data security. Here are some of the upcoming features and certifications planned for the near future:
At the core of our storage resiliency, erasure coding ensures that each object is stored into chunks plus additional parity chunks, all split across at least three different nodes or area zones in the case of Multi-AZ. Even if the algorithm resiliency is designed for 99,999999999s (11 9s) of durability for all objects written since February 2022, we wanted to deepen our durability promise. In 2024, we developed a distributed daemon, internally known as workerbee, designed, among other things, to proactively rebuild missing data chunks of objects. Workerbee creates and reads tasks from a queue and executes preventive rebuilds as part of an automated, periodic routine to ensure data integrity. This routine will be rolled out in all Regions and AZs by mid-2025. This should significantly boost objects durability especially for old objects and long term storage use cases such as Archiving.
By Q4 2024, Scaleway Object Storage will be ISO 27001 certified, ensuring compliance with one of the most rigorous international standards for information security management systems. Additionally, we are pursuing HDS (Hébergement Données de Santé) certification for early 2025, which will further enhance our capabilities in securely storing and managing health data, meeting stringent regulatory requirements.
The next phase of our encryption strategy involves integrating Server-Side Encryption with Scaleway Key Management Service. Planned for S1 2025, SSE-KMS will provide even more robust encryption options, leveraging advanced key management services to enhance the security and manageability of encryption keys.
Many of our users asked for expanding bucket policy capabilities, which will be achieved thanks to the addition of IAM groups, a more adequate way to grant access into large and moving organizations.
More Console integration is planned for easier Security, with upcoming revamp of the Versioning console experience, plus the integration of Object lock in Console early 2025.
At Scaleway, we understand that security is a journey, not a destination. Our continuous efforts to enhance security features and obtain industry-leading certifications demonstrate our unwavering commitment to protecting our customers' data.
Scaleway Object Storage has come a long way from its initial security offerings, consistently evolving to meet and exceed the security needs of our customers. With our latest enhancements and upcoming features, we are ensuring that our platform remains at the forefront of data security, providing our customers with the tools and confidence they need to securely manage their data.
Stay tuned for more updates as we continue to innovate and enhance the security of Scaleway Object Storage, empowering you to store and manage your data with unparalleled peace of mind.
Let's explore how you can leverage Scaleway Object Storage to fortify your data protection strategy!
In this article, we will present the internal architecture of Scaleway Object Storage.
In this article, we will go through the infrastructure design on which our object storage service runs. The first challenge was to find the right balance between the network, CPUs and IOPS.