# Best Practices for IONOS Cloud Storage Products

Data is usually a company's highest asset. Customer data, intellectual property, research data, and so on may represent a competitive advantage against other market participants. Such data requires protection from unauthorized access, theft, and loss.

It is essential to implement robust security measures to protect sensitive information stored in Network Block Storage. [<mark style="color:blue;">Best Practices for IONOS CLOUD Server Security Products</mark>](/cloud/security-safeguards/best-practice-guideline/best-practice-cloud-server-security-products.md) covered securing access to the data through the VM instances. This topic explores security best practices for Network Block Storage and <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> in a public cloud environment, outlining the responsibilities of both the service provider and the service user.

Both Network Block Storage and <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> provide scalable and reliable storage solutions in the public cloud, empowering organizations to store and access their data efficiently.

## Network block storage

Depending on the application requirements and the service provider's offering, Network Block Storage is based on different storage technologies, such as Hard Disk Drive (HDD) or Solid State Drive (SSD) network storage, which is installed in a hardware server separate from the compute resources' Central Processing Unit (CPU) and memory. In addition, the compute server hardware usually has a locally installed Nonvolatile Memory Express (NVMe)-based SSD.

The service provider is responsible for ensuring that no data gets lost at any time. Usually, service providers duplicate data within a storage server through RAID, so that if some storage disks fail, the entire data set can still be recovered from the data stored across the remaining disks within the storage server. Additionally, you can create a replication to a second volume.

<code class="expression">space.vars.ionos\_cloud</code> goes even a step further. By default, every HDD and SSD block storage volume is [<mark style="color:blue;">double-redundant provisioned</mark>](https://docs.ionos.com/cloud/support/general-information/service-catalog#block-storage). Firstly, the volume is redundantly created through RAID on one physical storage server, which provides resilience if several disks fail. In addition, the data of each volume is constantly synchronized with a volume on a second storage server within the same region. This is called a "two-leg" setup, and the data on the second server is also held in a RAID configuration. Even when an entire storage server has an outage and, at the same time, disks of the second storage server are failing, it is still possible to provide the service and to recreate the double-redundant setup in the background once the disks and servers have been fixed, restoring maximum protection.

### Storage resilience

Although <code class="expression">space.vars.ionos\_cloud</code> already has double-redundant provisioned Network Block Storage, it also allows users to configure [<mark style="color:blue;">availability zones</mark>](/cloud/backup-and-storage/block-storage/overview.md#availability-zones) for HDD and SSD storage. We recommend using this feature to create placement groups, ensuring that certain volumes do not share the same physical storage pair. Configuring zoning allows you to separate data, preventing it from operating on the same physical storage server or even on the same disk.

{% hint style="info" %}
**Note:** <code class="expression">space.vars.ionos\_cloud</code> will not create redundancy across regions. It is within the responsibility of the cloud service user to:

* distribute their workloads across different physical data center locations.
* create redundancy by synchronizing data between these locations themselves.
{% endhint %}

### Regular data backup and disaster recovery

Establish a comprehensive data backup and disaster recovery strategy for Network Block Storage.

Backups secure your data against multiple risk scenarios, data loss being one of them. They also protect your data against threats such as exploits, ransomware attacks, or erroneous operations by employees.

Regularly back up critical data and test the restoration process. You can use replication or snapshot features provided by the cloud service provider to ensure redundancy and data availability.

{% hint style="info" %}
**Note:** Snapshots of your block storage volumes usually contain a copy of your volume stored within the same region or availability zone as your infrastructure. Snapshots are recommended for temporary and short-term recovery points. For example, running an application update may require a rollback in case it does not succeed. For more information, see [<mark style="color:blue;">Snapshots</mark>](/cloud/backup-and-storage/images-snapshots/snapshots.md).
{% endhint %}

Backup solutions are the recommended choice for disaster recovery. Data backup solutions are highly effective and offer various options to meet your needs. Most of them share the ability to control backup policies more granularly, like the frequency of backups, the type of backup policy (full backups or incremental backups), and the retention period of backups. They may also include features to encrypt backup data to protect sensitive information from unauthorized users.

Store backups in a separate location from your infrastructure to ensure data is not lost in serious events like fires or natural disasters. In such cases, you could recreate your infrastructure from this backup at a different location and continue your business after recovery.

<code class="expression">space.vars.ionos\_cloud</code> offers a [<mark style="color:blue;">direct backup solution</mark>](/cloud/backup-and-storage/backup-service/overview.md) that gives full access to a series of backup features mentioned above and many more. Alternatively, service users can use [<mark style="color:blue;">third-party solutions like Veeam</mark>](/cloud/backup-and-storage/ionos-object-storage/s3-tools/veeam-backup-and-replication.md) that create backups from volumes and persist data on an <code class="expression">space.vars.ionos\_cloud\_object\_storage</code>, thus enabling the combination of this storage type with several additional security features. For more information, see [<mark style="color:blue;">IONOS CLOUD Object Storage</mark>](/cloud/backup-and-storage/ionos-object-storage.md).

In any case, it is the service user's responsibility to implement and manage regular data backups, test restoration processes, and leverage the provided backup, disaster recovery, and archival features to safeguard their storage data.

Backup data management solutions require secure user access management to ensure that the data is available only to authorized and qualified users. This is because the data could contain confidential or sensitive information.

Be aware that backups can be restored on different virtual instances in various locations, making them available to users who did not have access to the original instance from which the backup was retrieved.

### Key takeaways

Securing network block storage in a public cloud environment requires a collaborative effort between the service provider and the user. By adhering to these security best practices, including access control, network security, data backup, recovery, and security monitoring, organizations can enhance the protection of their sensitive data stored in network block storage. By understanding the respective responsibilities, the service provider and the service user can work together to ensure the security and integrity of network block storage in the public cloud.

## IONOS CLOUD Object Storage

S3 is a widely used object storage service that provides scalable and durable storage for various data types in the cloud. To ensure the security of your data stored in Object Storage, it is crucial to implement robust security practices. Object Storage is a stand-alone service and can be used independently of any other service offered by a public cloud service provider. Usually, Object Storage buckets are reachable from the public internet, which makes them a sensitive data store that requires particular attention to essential security best practices. Following these practices helps you protect your data, maintain a secure storage environment, and meet compliance requirements. Therefore, this particular service warrants its own assessment of best practices.

### Secure access control

As with any other service, it is essential to start by implementing strong access controls to restrict unauthorized access. For Object Storage, this involves several distinct disciplines.

First, grant access to the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> itself. <code class="expression">space.vars.ionos\_cloud</code> has integrated its Object Storage into the [<mark style="color:blue;">user management</mark>](/cloud/backup-and-storage/ionos-object-storage/get-started/setup-access.md#enable-object-storage-access). <code class="expression">space.vars.ionos\_cloud</code> Contract Owners and <code class="expression">space.vars.ionos\_cloud</code> users with the role "Administrator" have access to <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> by default. Other users must be granted the respective privilege through the [<mark style="color:blue;">group management</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/user-management.md#create-a-group) within the user management. As Object Storage has its own permission management, <code class="expression">space.vars.ionos\_cloud</code> enables or revokes Object Storage access for users depending on whether a respective role or privilege is assigned to their account. This concept helps you grant access according to the least-privilege principle, as mentioned multiple times throughout this guideline.

<code class="expression">space.vars.ionos\_cloud\_object\_storage</code> stores data as objects within customer-defined containers (buckets). A bucket is owned by the user who created it. You cannot transfer ownership of buckets; hence, we recommend that you decide early in your planning who will own buckets and what your strategy will be when objects or entire buckets need to be migrated to another Object Storage user account of your organization.

Second, there are the access controls of the buckets and objects themselves. <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> allows defining [<mark style="color:blue;">fine-grained access policies</mark>](/cloud/backup-and-storage/ionos-object-storage/concepts/access-management.md).

Again, follow the principle of least privilege by granting only necessary permissions to users and roles. Review and configure bucket policies and ACLs carefully to prevent unintended public access or unauthorized permissions.

<code class="expression">space.vars.ionos\_cloud\_object\_storage</code> allows buckets and objects to be made publicly available, meaning that even anonymous users can access objects within the bucket. This includes permissions that let anonymous users read and write objects in buckets. It is highly recommended to implement regular security assessments and to monitor access policies, so that only explicitly approved objects and buckets are published and access control lists restrict all other data to explicitly named users. Ensure that these users have access to objects and buckets according to their needs, such as read or write/delete permissions.
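An added example of such a review check, not code from IONOS or the Object Storage service: it scans an S3-style bucket policy and ACL for grants to anonymous callers. It assumes the S3-compatible policy JSON and ACL grant format (the `AllUsers` group URI is the standard S3 one) and uses constructed sample documents.

```python
# Added example, not IONOS's code: audit an S3-compatible bucket policy and ACL for
# anonymous (public) access, e.g. as part of a periodic review of bucket permissions.
import json

# Standard S3 group URI meaning "anyone on the internet" in ACL grants. Assumption:
# IONOS Object Storage, being S3-compatible, uses the same ACL vocabulary.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _is_anonymous(principal):
    """True if a statement's Principal matches unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_policy_statements(policy_doc):
    """Return (Sid, actions) for each Allow statement granting anonymous access.
    policy_doc is the bucket policy as a JSON string or an already parsed dict."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt.get("Action")))))
    return findings

def public_acl_grants(acl):
    """Return permissions granted to AllUsers in a GetBucketAcl/GetObjectAcl result."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") == ALL_USERS)

# Constructed sample: one intended public-read statement limited to a "downloads/"
# prefix, and one mistake that lets anyone write and delete anywhere in the bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicDownloads", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/downloads/*"},
        {"Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Team", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam:::user/alice"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    for sid, actions in public_policy_statements(SAMPLE_POLICY):
        print(f"anonymous access via statement {sid}: {', '.join(actions)}")
    print("anonymous ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Feed the output of the real `GetBucketPolicy` and `GetBucketAcl` calls into the two functions; any finding other than the deliberately published prefix should be treated as unintended public access.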

### Secure data transfers

Protect your data during transit to and from any Object Storage using secure protocols and mechanisms. [<mark style="color:blue;">IONOS CLOUD Object Storage endpoints</mark>](https://docs.ionos.com/cloud/support/general-information/service-catalog#ionos-cloud-object-storage) use SSL/TLS encryption (HTTPS) to secure data transfer to and from <code class="expression">space.vars.ionos\_cloud\_object\_storage</code>.

As <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> also offers publishing of URLs for particular objects, it is possible to enable HTTPS for the [<mark style="color:blue;">static download link</mark>](/cloud/backup-and-storage/ionos-object-storage/how-tos/share-objects-pre-signed-urls.md), which you can share with users who are supposed to access the document through the respective link. In addition to enabling public URL access to objects, you can add further protection by limiting the maximum number of downloads of the object and setting an expiry date for the public URL. Access to the object automatically ends when the download limit is exceeded or the expiry date is reached.

### Implement object versioning and logging

Enable [<mark style="color:blue;">object versioning</mark>](/cloud/backup-and-storage/ionos-object-storage/settings/versioning.md) on <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> to protect against accidental deletions or modifications. Versioning allows you to maintain multiple versions of an object and recover from unintended changes or deletions. Regularly test object versioning to ensure proper functionality and recovery.

<code class="expression">space.vars.ionos\_cloud\_object\_storage</code> can record [<mark style="color:blue;">logs of all activities</mark>](/cloud/backup-and-storage/ionos-object-storage/settings/logging.md) within a bucket and store the data in an explicit destination bucket. It can be an effective audit trail to ensure that only authorized users have access to buckets and objects and to track which users have changed objects. In combination with versioning, it helps to create transparency on activities within your bucket and recover objects if needed.

### Utilize object lock

Object Lock, also called WORM (Write once, read many), is a bucket policy that allows you to lock objects for a period of time once written. If you implement an object lock policy for a bucket, users cannot alter or delete objects through Object Storage interfaces until the object age exceeds a specified retention period.

Object lock must be combined with versioning, as updating a locked object requires creating a new version of the respective object. Object lock is highly recommended to ensure that sensitive data is not deleted or changed. Examples include compliance-relevant data, financial information for yearly accounting audits, and legal requirements.

<code class="expression">space.vars.ionos\_cloud\_object\_storage</code> supports [<mark style="color:blue;">Object Lock through Object Storage API</mark>](https://api.ionos.com/docs/object-storage/v2/), so it can be used directly or through third-party clients that support object lock. Configuring Object Lock through the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> console will be provided soon.

### Data resilience

S3 is a managed data storage service operated by a public cloud service provider. The provider is responsible for maintaining the Object Storage and installing updates and patches whenever required. They are also responsible for operating [<mark style="color:blue;">secure data transfer</mark>](#secure-data-transfers) interfaces.

Data stored on an Object Storage must be protected from any loss by proper data replication. <code class="expression">space.vars.ionos\_cloud</code> runs its Object Storage clusters in an erasure coding setup, sharding each object across multiple nodes, so that an object's data is stored on different physical storage nodes within the storage cluster. Depending on the erasure coding setup, multiple storage nodes can fail while the object remains reachable from the remaining storage nodes. High availability is restored once the broken node is fixed or replaced and the data has been rebalanced onto the new storage node.

While erasure coding is a local replication feature, <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> also offers cross-region replication on the bucket level. This feature replicates every object added to a bucket into a different bucket, which can be located in a different Object Storage region. In case of a major outage at the primary Object Storage location, you can switch to your secondary site, which contains a copy of the bucket and its objects. Cross-region replication also benefits scenarios where you must interact with sensitive data frequently and fast, requiring an Object Storage location close to your infrastructure, for example, for low latency. At the same time, new objects are still copied to the remote location, so they survive a major disaster at your primary location.

[<mark style="color:blue;">IONOS CLOUD Status</mark>](https://status.ionos.cloud/) publishes the uptime status and availability of all data centers. You can retrieve the status of every service available in that respective location, such as Compute Engine or Object Storage. The website also includes information on scheduled maintenance and current incidents, including an expected resolution time. We recommend that you subscribe to the page to receive any updates.

### Security summary

By following these security best practices for <code class="expression">space.vars.ionos\_cloud\_object\_storage</code>, you can enhance the security of your data and protect against unauthorized access, data breaches, and accidental deletions. These practices cover secure access controls, secure data transfers, object versioning, monitoring, auditing, and data resilience. Careful management of bucket policies and ACLs is essential to maintaining a secure Object Storage environment. By incorporating these practices into your Object Storage implementation, you can ensure the confidentiality, integrity, and availability of your data stored in the Object Storage.

