Securing Your Data

A Comprehensive Guide to Security in Impossible Cloud Storage

Overview

Security is a paramount concern when it comes to cloud storage solutions, and Impossible Cloud Storage is committed to providing robust security measures to protect your valuable data. In this guide, we will delve into the various aspects of security offered by Impossible Cloud Storage, ensuring a comprehensive understanding of the measures in place to safeguard your information.

Operational security

Ensuring the security of your user accounts is essential, and Impossible Cloud Storage supports Multi-Factor Authentication (MFA) to add an extra layer of protection. MFA can be enabled for the root account, and subusers can also use it. Furthermore, root users can mandate MFA for their subusers, so that every account under the root account is protected by a second factor.

Containerisation

Containerisation provides an added layer of security for clients' data in Impossible Cloud Storage. By running the application in isolated containers, the risk of data exposure or compromise is significantly reduced. Each application container is independent and isolated from others, as well as from the underlying host operating system, ensuring that even if the security of one container is compromised, the integrity and confidentiality of other containers and data remain intact.

Authenticating requests

Impossible Cloud supports both Amazon S3 Signature Version 2 and Version 4 for API requests. For better security, we recommend using Signature Version 4, as it signs each request with a signing key derived from your secret access key instead of with the secret access key itself. Please avoid using Version 2 if possible.
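The difference between the two signature versions, as an added example (not Impossible Cloud's own code): Signature Version 4 derives a signing key scoped to one date, region and service, while Version 2 keys the HMAC with the long-term secret directly. The secret key, timestamps and canonical request below are constructed placeholders; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration only; not real credentials.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
REGION = "eu-central-1"  # region named on this page
SERVICE = "s3"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_sigv4_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 derivation: HMAC chain over date (YYYYMMDD), region, service."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def string_to_sign(timestamp: str, region: str, service: str, canonical_request: str) -> str:
    """Assemble the SigV4 string to sign; timestamp is YYYYMMDDTHHMMSSZ."""
    scope = f"{timestamp[:8]}/{region}/{service}/aws4_request"
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", timestamp, scope, digest])


def sigv4_signature(signing_key: bytes, sts: str) -> str:
    """Final SigV4 signature: hex HMAC-SHA256 keyed with the derived key."""
    return hmac.new(signing_key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def sigv2_signature(secret: str, sts: str) -> str:
    """SigV2 for contrast: base64 HMAC-SHA1 keyed with the long-term secret."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_sigv4(secret: str, date: str, region: str, service: str, sts: str, sig: str) -> bool:
    """Server-side check: re-derive the scoped key, compare in constant time."""
    key = derive_sigv4_signing_key(secret, date, region, service)
    return hmac.compare_digest(sigv4_signature(key, sts), sig)


if __name__ == "__main__":
    sts = string_to_sign("20240101T000000Z", REGION, SERVICE, "GET\n/bucket/key\n")  # constructed
    sig = sigv4_signature(derive_sigv4_signing_key(SECRET_KEY, "20240101", REGION, SERVICE), sts)
    print("valid for 2024-01-01:", verify_sigv4(SECRET_KEY, "20240101", REGION, SERVICE, sts, sig))
    print("valid for 2024-01-02:", verify_sigv4(SECRET_KEY, "20240102", REGION, SERVICE, sts, sig))
```

A signing key derived for one day and region does not validate requests scoped to another, which limits what a leaked derived key can be used for.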

Compliance and Certifications

Impossible Cloud Storage takes data safety seriously, and as part of our commitment to maintaining high standards, our datacenters hold certifications such as ISO 27001 and AICPA SOC 2. These certifications validate our adherence to stringent security protocols, assuring users of the safety and protection of their data.

Client-Side Encryption

To ensure end-to-end encryption and give users full control over their data, Impossible Cloud Storage fully supports client-side encryption. This means that you can encrypt your data on the client side using your preferred encryption algorithms or tools, and Impossible Cloud Storage seamlessly integrates with the encrypted data without interference.

In-Transit Encryption

As part of our commitment to data security, Impossible Cloud Storage exclusively supports HTTPS/TLS encryption for data transmission. This ensures that data moving between your devices and our storage infrastructure remains encrypted and protected, mitigating the risk of unauthorised access or data interception. Supported versions of TLS are 1.2 and higher.

As part of this commitment, HTTP, the unencrypted counterpart, is not supported. By enforcing HTTPS/TLS encryption, all data exchanged between your devices and the storage infrastructure is encrypted, significantly reducing the risk of unauthorised access or interception of sensitive information.

Server-Side Encryption

Server-side encryption in Impossible Cloud refers to the automatic encryption of your data before it is stored and the decryption of your data when it is accessed. This process is conducted on the individual objects within your bucket.

If you have enabled SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys) on a bucket, this encryption becomes the default setting for all objects in the bucket. This means that any data placed in the bucket is automatically encrypted.

Even if you have not enabled SSE-S3 on a bucket, it's still possible to apply encryption to individual objects during the 'put-object' or 'copy-object' operations. This can be done using the AWS Command Line Interface (CLI).

Regardless of whether your data is encrypted or unencrypted, accessing your data remains consistent. As long as you have authenticated your request and possess the necessary permissions, you can retrieve your data seamlessly. For instance, if you share your data via a presigned URL, it will function the same way for both encrypted and unencrypted objects.

Additionally, when you request a list of objects in your bucket, all objects will be returned, regardless of their encryption status.

Please note that:

  1. Currently, Impossible Cloud only supports 'SSE-S3' for server-side encryption. Other encryption methods, such as SSE-KMS (Server-Side Encryption with AWS Key Management Service) and SSE-C (Server-Side Encryption with Customer-Provided Keys), are not supported.

  2. SSE-S3 is supported in the following regions only:

    • eu-central-1

At-Rest Encryption

At Impossible Cloud Storage, we prioritise the security of your data at rest. To achieve this, we use keys managed by Impossible Cloud for server-side encryption, protecting your data while it is stored in our infrastructure.

Object Lock (WORM)

In line with industry standards and compatibility with AWS S3, Impossible Cloud Storage supports Object Lock functionality. Object Lock enables you to enforce retention periods, ensuring data immutability and compliance with regulatory requirements. Whether you need to preserve data for regulatory compliance, legal holds, data preservation, ransomware protection, disaster recovery, immutable backups, or auditing purposes, Object Lock provides the necessary governance and compliance features to meet your needs.

Data Resilience

Bit-Rot Protection

Impossible Cloud Storage is designed to provide robust data resilience. At the time of upload (PUT) to the primary storage, data integrity measures are in place to ensure that your data remains intact and protected. The signature algorithm is SHA256 with RSA. Additionally, our infrastructure incorporates bit-rot protection, safeguarding against data corruption or loss due to hardware failures.

Protection from Disk Failure

To mitigate the risks associated with disk failure, Impossible Cloud Storage leverages advanced data protection techniques. Our backend employs erasure coding, a data redundancy method that distributes data across multiple drives, ensuring data integrity and resiliency in the event of a disk failure.

Protection from Datacenter Failure

To enhance data availability and protect against datacenter failures, Impossible Cloud Storage employs asynchronous georedundant data backup. This means that your data is securely backed up to a datacenter in another geographic location, ensuring redundancy and minimising the risk of data loss in the event of a disaster or datacenter failure.

Ongoing Security Monitoring and Updates

Security is an ongoing process, and Impossible Cloud Storage continuously monitors and updates its security measures to stay ahead of emerging threats. Through regular security assessments, vulnerability scanning, and proactive monitoring, we strive to ensure the integrity, confidentiality, and availability of your data.

Conclusion

Security is of utmost importance when it comes to cloud storage, and Impossible Cloud Storage takes comprehensive measures to safeguard your data. By implementing features such as MFA support, client-side encryption, in-transit and at-rest encryption, Object Lock functionality, data resilience, and protection against disk and datacenter failures, we prioritise the confidentiality, integrity, and availability of your data. With our commitment to compliance, ongoing security updates, and robust network security measures, you can trust Impossible Cloud Storage to provide a secure and reliable storage solution for your valuable data.
