Best Practices for IONOS Cloud Storage Products

In almost all cases, data is a company's most valuable asset. Whether it is customer data, intellectual property, or research data, it can be a competitive advantage over other market participants and requires protection from unauthorized access and data loss.

It is essential to implement robust security measures to protect sensitive information stored in Network Block Storage. Best Practices for IONOS Cloud Server Security Products covered securing access to the data through the VM instances. This topic explores security best practices for Network Block Storage and IONOS Object Storage in a public cloud environment, outlining the responsibilities of both the service provider and the service user.

Both Network Block Storage and IONOS Object Storage provide scalable and reliable storage solutions in the public cloud, empowering organizations to store and access their data efficiently.

Network Block Storage

Depending on the application requirement and the service provider offering, Network Block Storage is based on different storage technologies, such as Hard Disk Drive (HDD) or Solid State Drive (SSD) network storage, which is installed in a hardware server separate from the compute resources' Central Processing Unit (CPU) and memory. Also, the compute server hardware usually has an installed Nonvolatile Memory Express (NVMe)-based SSD.

The service provider is responsible for ensuring that no data gets lost at any time. Usually, service providers duplicate data within a storage server via RAID, so that if some of the storage disks fail, all data can still be recovered from the remaining data that is stored across other disks within the storage server. Additionally, you can create a replication to a second volume.

IONOS Cloud goes a step further. By default, every HDD and SSD block storage volume is provisioned with double redundancy. First, the volume is created redundantly via RAID on one physical storage server, which provides resilience if a number of disks fail. In addition, the data of each volume is constantly synchronized with a volume on a second storage server within the same region, where it also persists in a RAID configuration. This is called a “two-leg” setup. Even when an entire storage server has an outage and disks of the second storage server are failing, it is still possible to provide the service and, after the disks and servers are fixed, recreate the double-redundant setup in the background to restore maximum protection.

Resilience

Although IONOS already has double-redundant provisioned Network Block Storage, it also allows users to configure availability zones for HDD and SSD storage. We recommend using this feature to create placement groups, ensuring that certain volumes do not share the same physical storage pair. Configuring zoning allows you to separate data, preventing it from operating on the same physical storage server or even on the same disk.

Note: IONOS will not create redundancy across regions. It is the responsibility of the cloud service user to:

  • distribute their workloads across different physical data center locations.

  • create redundancy by synchronizing data between these locations themselves.

Regular data backup and disaster recovery

Establish a comprehensive data backup and disaster recovery strategy for Network Block Storage.

Backups secure your data against multiple risk scenarios, data loss being one of them. They protect your data from external threats like exploits and ransomware attacks, and from erroneous operations by employees.

Regularly back up critical data and test the restoration process. You can use replication or snapshot features provided by the cloud service provider to ensure redundancy and data availability.

Note: Snapshots of your block storage volumes usually contain a copy of your volume stored within the same region or availability zone as your infrastructure. Snapshots are recommended for temporary and short-term recovery points. For example, an application update may require a rollback if it does not succeed. For more information, see Snapshots.

Backup solutions are the recommended choice for disaster recovery. Data backup solutions are highly effective and offer various options to meet your needs. Most of them share the ability to control backup policies more granularly, like the frequency of backups, the type of backup policy (full backups or incremental backups), and the retention period of backups. They may also include features to encrypt backup data to protect sensitive information from unauthorized users.

Backups should be stored in a separate location from your infrastructure to ensure data is not lost in catastrophic events like fires or natural disasters. In such cases, you could recreate your infrastructure from this backup at a different location and continue your business after recovery.

IONOS Cloud offers a direct backup solution that gives full access to a series of backup features mentioned above and many more. Alternatively, service users can use third-party solutions like Veeam that create backups from volumes and persist data on an IONOS Object Storage, thus enabling the combination of this storage type with several additional security features. For more information, see IONOS Object Storage.

In any case, it is the service user's responsibility to implement and manage regular data backups, test restoration processes, and leverage the provided backup and disaster recovery features to safeguard their storage data.

Backup data management solutions require secure user access management to ensure that the data is accessible only to authorized and qualified users. This is because the data could contain confidential or sensitive information.

Be aware that backups can be restored on different virtual instances in various locations, making them accessible to users who did not have access to the original instance from which the backup was retrieved.

Conclusion

Securing Network Block Storage in a public cloud environment requires a collaborative effort between the service provider and the user. By adhering to these security best practices, including access control as mentioned in the paragraphs above, network security, data backup and recovery, and security monitoring, organizations can enhance the protection of their sensitive data stored in Network Block Storage. By understanding the respective responsibilities, the service provider and the service user can work together to ensure the security and integrity of Network Block Storage in the public cloud.

S3 Object Storage

Simple Storage Service (S3) is a widely used object storage service that provides scalable and durable storage for various data types in the cloud. To ensure the security of your data stored in S3 Object Storage, it is crucial to implement robust security practices. S3 Object Storage is a stand-alone service and can be used independently of any other service offered by a public cloud service provider. Usually, S3 Object Storage is accessible from the public internet, which makes it a sensitive data store that requires essential security best practices to protect your data and maintain a secure storage environment. Therefore, the best practices for this particular service need to be assessed separately.

Secure access control

As with any other service, it is essential to start by implementing strong access controls to restrict unauthorized access. This needs to be separated into multiple disciplines.

First, grant access to the IONOS Object Storage. IONOS has integrated its S3 Object Storage into the user management. IONOS Cloud Contract Owners and IONOS users with the role "Administrator" have access to IONOS Object Storage by default. Other users must be given the respective privilege through the group management within the user management. As S3 Object Storage has its own permission management, IONOS enables or revokes access for users who have either a respective role or a privilege assigned to their account. This concept helps you grant access according to the principle of least privilege, as mentioned multiple times throughout this guideline.

IONOS Object Storage is based on a structure of data (objects) in a customer-defined structure (buckets). A bucket is owned by the user who created it. You cannot transfer ownership of buckets; hence, we recommend that you decide in your early planning who will own buckets and what your strategy will be when the objects or entire buckets are migrated to another S3 user account of your organization.

Second, control access to buckets and objects. IONOS Object Storage allows defining fine-grained access policies.

Again, follow the principle of least privilege by granting only necessary permissions to users and roles. Review and configure bucket policies and ACLs carefully to prevent unintended public access or unauthorized permissions.

IONOS Object Storage allows buckets and objects to be publicly available, meaning that even anonymous users can access objects within the bucket. This can include permissions for anonymous users to read and write objects in buckets. It is highly recommended to run regular security assessments and monitor access policies so that only explicitly approved objects and buckets are published and access control lists restrict all other data to explicit users. Ensure that these users have access to objects and buckets according to their needs, such as read or write/delete permissions.
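One way to run the recurring review of bucket ACLs and policies described above, shown as an added example that is not IONOS code. It assumes the S3-compatible API returns ACLs and policies in the standard S3 shapes; the function names, bucket name, and sample data are constructed for illustration.

```python
import json

# Standard S3 ACL group URIs; assumed to be what the S3-compatible API returns.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any authenticated user",
}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_everyone(principal):
    # Policy principals "*" and {"AWS": "*"} both mean "anyone".
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_public_access(bucket, acl, policy_json=None, approved_public=()):
    """Return (severity, message) findings for access open to the public."""
    approved = bucket in approved_public
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who is None:
            continue  # grant to a named user, not a public group
        perm = grant["Permission"]
        if perm in WRITE_PERMS:  # public write is never acceptable
            findings.append(("HIGH", f"{bucket}: ACL grants {perm} to {who}"))
        elif not approved:
            findings.append(("MEDIUM", f"{bucket}: unapproved ACL {perm} for {who}"))
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_everyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        read_only = all(a.startswith(("s3:Get", "s3:List")) for a in actions)
        if not read_only:
            findings.append(("HIGH", f"{bucket}: policy lets anyone {actions}"))
        elif not approved:
            findings.append(("MEDIUM", f"{bucket}: unapproved public read {actions}"))
    return findings

# Constructed sample input in the shape of GetBucketAcl / GetBucketPolicy results.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
]})
```

Passing a bucket name in `approved_public` suppresses only the read findings, so public write access is reported even for buckets that are meant to be published.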

Secure data transfers

Protect your data during transit to and from any S3 Object Storage using secure protocols and mechanisms. IONOS Object Storage endpoints utilize SSL/TLS encryption (HTTPS) to secure data transfer to and from IONOS S3 Object Storage.

As IONOS Object Storage also offers publishing of URLs for particular objects, it is possible to enable HTTPS for the static download link, which you can share with users who are supposed to access the document via the respective link. In addition to enabling public URL access to objects, you can add security by limiting the maximum number of downloads of the object and setting an expiry date for the public URL. The access to the object automatically terminates when the number of downloads exceeds the limit or the access time expires.

Implement object versioning and logging

Enable object versioning on IONOS Object Storage to protect against accidental deletions or modifications. Versioning allows you to maintain multiple versions of an object and recover from unintended changes or deletions. Regularly test object versioning to ensure proper functionality and recovery.

IONOS Object Storage can record logs of all activities within a bucket and store the data in an explicit destination bucket. It can be a useful audit trail to ensure that only authorized users have access to buckets and objects and to track which users have changed objects. In combination with versioning, it helps to create transparency on activities within your bucket and recover objects if needed.

Utilize object lock

Object Lock—also called WORM (Write once, read many)—is a bucket policy that allows you to lock objects for a period of time once written. If you implement an object lock policy for a bucket, users cannot alter or delete objects through S3 interfaces until the object age exceeds a specified retention period.

Object lock must be combined with versioning, as updating a locked object requires creating a new version of the respective object. Object lock is highly recommended for sensitive data that must be neither deleted nor changed, such as compliance-relevant data, financial information for yearly accounting audits, or data covered by legal requirements or regulations.

IONOS Object Storage supports Object Lock via S3 API, so it can be used directly or through third-party clients that support object lock. Configuring Object Lock via the IONOS S3 Object Storage console will be provided soon.
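The dependency between versioning, Object Lock, and logging can be checked from the bucket's configuration, as in this added example (not IONOS code). It assumes the configuration documents follow the standard S3 API shapes for bucket versioning, Object Lock, and logging; the function names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

def protection_gaps(versioning, object_lock, logging):
    """List what is missing for a WORM-protected, auditable bucket."""
    gaps = []
    if versioning.get("Status") != "Enabled":
        gaps.append("versioning is not enabled (Object Lock depends on it)")
    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        gaps.append("Object Lock is not enabled")
    elif "DefaultRetention" not in lock.get("Rule", {}):
        gaps.append("Object Lock has no default retention rule")
    if "LoggingEnabled" not in logging:
        gaps.append("access logging is not enabled")
    return gaps

def retain_until(written_at, object_lock):
    """End of the default retention period for a version written at written_at."""
    rule = object_lock.get("ObjectLockConfiguration", {}).get("Rule", {})
    retention = rule.get("DefaultRetention")
    if not retention:
        return None  # no default retention: new versions are not locked
    # A rule carries either Days or Years; a year is approximated as 365 days here.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    return written_at + timedelta(days=days)

def version_delete_allowed(now, written_at, object_lock):
    """True once the object version is older than its retention period."""
    until = retain_until(written_at, object_lock)
    return until is None or now >= until

# Constructed sample configuration documents.
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}}
SAMPLE_LOGGING = {"LoggingEnabled": {"TargetBucket": "audit-logs-example",
                                     "TargetPrefix": "reports/"}}
WRITTEN = datetime(2024, 1, 1, tzinfo=timezone.utc)
```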

Data resilience

S3 is a managed data storage service operated by a public cloud service provider. The provider is responsible for maintaining the S3 object storage and installing updates and patches whenever required. They are also responsible for operating secure data transfer interfaces.

Data stored on an S3 object storage must be protected from any loss by proper data replication. IONOS Cloud runs its S3 object storage clusters in an erasure coding setup, sharding an object across multiple nodes. An object's data is stored on different physical storage nodes within the storage cluster. Depending on the erasure coding setup, multiple storage nodes can fail while the object remains accessible from the remaining storage nodes. High availability can be recovered once the broken node gets fixed or replaced and data is rebalanced to the new storage node.

While erasure coding is a local replication feature of data, IONOS S3 Object Storage also offers cross-region replication on the bucket level. This feature allows any object added to a bucket to be replicated to a different bucket, which can be configured in a different S3 Object Storage region. In case of major outages at the primary S3 Object Storage location, you can switch to your secondary site that contains a similar bucket and objects. Cross-region replication is also useful when you need to interact with sensitive data often and fast, so that an S3 Object Storage location close to your infrastructure is required, for example, for low latency. Even then, new objects will still be stored at a remote location in case of major disasters within your primary location.

IONOS Cloud Status publishes the uptime status and availability of all data centers. You can retrieve the status of every service available in that respective location, such as Compute Engine or S3 Object Storage. The website also includes information on scheduled maintenance and current incidents, including an expected resolution time frame. We recommend that you subscribe to the page to receive any updates.

Conclusion

By following these security best practices for IONOS Object Storage, you can enhance the security of your data and protect against unauthorized access, data breaches, and accidental deletions. The practices cover secure access controls, secure data transfers, object versioning, monitoring, auditing, and data resilience. Careful management of bucket policies and ACLs is essential to maintaining a secure S3 environment. By incorporating these practices into your S3 implementation, you can ensure the confidentiality, integrity, and availability of your data stored in S3.
