At Scaleway, we are heads-down building all the Compute, Storage and AI products that European companies need to thrive in the cloud. This means we rarely take the time to look back at all the progress we made — especially in core and transversal features like security, whose impact can be felt across an entire organization.
Security has only become more of a focus for us over time. In the past few months alone, we have been working on so many Security products and features that we can hardly count them! This makes now the perfect opportunity to review them.
Our latest updates can be broken down into four main pillars:
- Access Management: securing who can access your infrastructure
- Secured Network: isolating communication inside your network
- Data Protection: making your information confidential and available
- Auditability & Compliance: monitoring any action performed in your Organization
With that in mind, let’s unpack each pillar and how the latest changes help make your projects more secure across the board.
1. Access Management
Access management misconfiguration remains the #1 threat in the cloud, according to the Cloud Security Alliance. The more complex your projects and the more stakeholders are involved, the more granular your access management should be.
With our latest releases on Identity Access Management (IAM) and other products, you can ensure that only authorized users and systems can access your resources, thus reducing the risk of unauthorized entry inside the Organization.
- Organization Members: Over the past 12 months, our IAM team has been busy refactoring multi-user management in Scaleway Organizations. Switching from a Guest system, where everyone had to own an Organization, to a modern and secure system of Organization members was challenging to say the least. However, IAM admins now have far more control over user authentication, with more features to come. More info here
- IAM conditions: Using the industry standard Condition Expression Language (“CEL”), IAM power users can now refine policies using parameters of the requests (timestamp, user agent, and IP address). We plan to use the same system to bring more granularity, with resource-level permissions. More info here
- Login improvements (SSO, WebAuthn): As authentication remains a main attack vector, we remain dedicated to transitioning from secret-based login to Owner-based login. New SSO workflows have been released for both Owners and members through OAuth2. Moreover, WebAuthn is now supported as a second authentication factor for Owners, meaning that you can now use fingerprints or even FIDO2 keys to authenticate. More info here
- SAML support for members: Authentication through a SAML-compatible Identity Provider is now possible for any member of an Organization. With an easy set-up, administrators can rely on their own internal identity tooling to handle their employees' login workflows into Scaleway. More info here
- IAM support for Kubernetes RBAC: Combine Scaleway IAM and Kubernetes RBAC to improve access control on your clusters. This new feature lets clients assign roles to users, groups or ServiceAccounts via RoleBindings and ClusterRoleBindings. More info here
- Multi-user on MongoDB: Multiple users can now be created on our MongoDB instances. In addition, both global and specific roles are available on MongoDB instances to refine the permissions of each user. More info here
2. Secured Network
By nature, the public cloud is accessible from the Internet by default, meaning your infrastructure can be reached not just by your employees, but by anyone. Our new and improved Network portfolio lets you control traffic flow more finely and monitor activity to protect your environments from external and internal threats.
- Web Application Firewall (“WAF”): On top of our Edge Services, which provide caching for our Load Balancers and buckets, we rolled out a Web Application Firewall service to protect those services against malicious requests. Paranoia levels and specific exclusions can be defined to adapt the WAF to the specifics of your network. More info here
- InterLink: InterLink lets you create a secure, private connection between your external infrastructure and your Scaleway VPC. This allows you to route traffic safely between your Scaleway infrastructure and your on-premises infrastructure, away from the public Internet. More info here
- VPC Network ACLs: Thanks to Access Control Lists inside VPCs, traffic between specific sources and destinations within the VPC can be restricted according to rules set by the client. More info here
- VPC integrations: All our products are reachable over the Internet, but some clients require a fully private connection between the various components of their architecture. To answer that need, our Functions, Containers, Apple Silicon and MongoDB products have been integrated with Private Networks. More info here
- Site to Site Virtual Private Network (“S2S VPN”) in Private Beta: This feature allows you to connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private tunnel. More info here
3. Data protection
Data protection aims to safeguard your most sensitive information through encryption, backups, and secure storage, ensuring the Confidentiality, Integrity, and Availability of all your data — the famous CIA triad. This year, a big focus has been put on confidentiality, especially on encryption at rest for our most important products.
- Key Manager: Key Management Service (KMS) has been released in General Availability, with the ability to create, rotate, protect and delete keys. Both symmetric and asymmetric algorithms are supported for encryption and signing use cases. More info here
- SSE-C Object Storage: Server-Side Encryption (“SSE”) with a customer-provided key has been added as a main feature of our Object Storage offering. If an encryption key is provided with a put or get request, your objects are encrypted (or decrypted) on the server side using that key. More info here
- Secret Manager integrations: Like any good ecosystem product, one of the goals for our Secret Manager offer is to be natively integrated with our other products. This year, we released integrations with Serverless Jobs (as the only way to reference secrets in jobs), Site-to-Site VPN (for the pre-shared key) and Edge Services (for the certificate). More info here
- Encryption at rest for Managed DB: Similarly to Object Storage, we improved the protection of data stored in PostgreSQL and MySQL instances by allowing you to encrypt all stored data at rest. More info here
4. Auditability & Compliance
Last but not least, we have heard from a growing number of clients that they require real-time, granular visibility into which actions are taken inside their Organizations, as well as built-in compliance with the latest regulatory standards. The following updates aim to help you on that front.
- Audit Trail creation and integration with 7 products: Auditability of all actions performed on the infrastructure is paramount for security and compliance teams. Audit Trail lets you track who performed which action in the Organization, in a centralized space where actions on all products by all principals can be correlated. Various products are tracked (Kubernetes, Secret Manager, Apple Silicon…), with more on the way. More info here
- HDS on Dedibox and Elastic Metal: The French certification for hosting health data (“Hébergement de Données de Santé”, or HDS) has been obtained for both of our Bare Metal offers: Dedibox and Elastic Metal. Our sales team can be contacted to start a discussion and set up an architecture compliant with even the most demanding requirements. Contact sales to learn more
What's next for Security at Scaleway
Access Management, Secured Network, Data protection, and Auditability and Compliance — with our latest updates, your projects and Organizations just got more secure across all four of these areas.
And we’re not stopping here. Scaleway’s product and engineering teams remain focused on providing the best security experience. Over the next few months, we plan to work on highly anticipated features including SSE-KMS for Object Storage, SecNumCloud compliance, and VPC peering, to name just a few. Expect more updates like this one in the near future!