Deep dive: how does Datashelter secure your data

At Datashelter, security is at the heart of our backup solutions. That's why we have designed our product to offer strong, auditable guarantees that set us apart in the market for outsourced backup services.

This article will detail the main features Datashelter offers to ensure the security and integrity of your backups.

No SSH Access Required

Firstly, we've taken a different approach from most of our competitors. Many competing solutions require SSH access to your machine in order to schedule backups; Datashelter will never ask for it.

Because we control our CLI tool, snaper, we were able to implement a push-only model: your server initiates every connection, pushing backups to Datashelter and pulling them back when you restore, and Datashelter never initiates a connection to your server. Besides being secure "by design", this means no inbound firewall rule is needed for your backups; only outbound HTTPS to Datashelter.

Furthermore, all communication between your servers and Datashelter goes through an S3-compatible API over TLS. In short, you never have to give us access to your server to perform your backups.

AES-256 Encryption

With our in-house tool, snaper, we have built data protection directly into the client. This includes AES-256 encryption: your data is encrypted with AES-256 under a key that you hold, on your own server, before a single byte is sent to us.

So we are not misleading you when we say that not even Datashelter can read your data. The flip side is that the key is yours to keep: a backup encrypted under a key that has been lost cannot be recovered, by you or by us.
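As an added illustration of what "encrypted on your server before upload" means in practice, here is a small Go program that does client-side AES-256 encryption of a backup chunk. It is example code written for this article, not snaper's own code: the article only states "AES-256", so the choice of GCM mode, the random-nonce layout (nonce || ciphertext || tag) and the key generation are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is the length of an AES-256 key in bytes.
const KeySize = 32

// NewKey draws a random 256-bit key. The key stays with the customer and is
// never uploaded alongside the backup (assumption for this example).
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance; GCM is this example's choice of mode.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one backup chunk before upload and returns nonce || ciphertext || tag.
// A fresh random nonce per call means the same chunk never produces the same bytes twice.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to nonce, so the nonce travels at the front of the stored object.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or a single modified byte fails the GCM
// tag check, so a tampered object is rejected rather than silently restored.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for a backup chunk.
	chunk := []byte("constructed sample: contents of /etc on web-01")

	blob, err := Encrypt(key, chunk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("object to upload: %d bytes, opaque without the key\n", len(blob))

	// What a storage provider could attempt: decrypt with any key it holds.
	providerKey, _ := NewKey()
	if _, err := Decrypt(providerKey, blob); err != nil {
		fmt.Println("decrypt with another key:", err)
	}

	// What the customer does on restore.
	restored, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", string(restored))
}
```

The point to notice is the second half of main: the provider holds the blob but not the key, and GCM refuses to return anything for the wrong key, so "not even Datashelter can read your data" is a property of where the key lives, not of the transport.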

Maximum Access Segmentation

Moreover, we apply an essential security principle, least privilege, from the moment you create a server. We generate a dedicated bucket and a pair of S3 credentials (access key and secret key) for each server you configure on our platform, and those credentials are scoped to that server's bucket alone.

This limits the blast radius if one of your machines is compromised: the attacker obtains credentials for that server's bucket only, not for the backups of your other servers.

Immutable S3 Storage

Lastly, a word on how we store your data at Datashelter.

We have developed a unique technology that prevents any alteration of your previous backups. We call this immutable S3 storage.

As you may have noticed, your servers communicate with Datashelter through a custom S3 gateway, which lets us enforce additional security rules on top of the standard API.

We can mention two of them here:

  • Deletion request blocking: you cannot delete your backups directly; the gateway refuses every DELETE request. Only Datashelter's lifecycle rules can remove old versions.
  • Prevention against object rewriting: the gateway exposes a standard S3 API, but the backend buckets are versioned. If an object is rewritten, whether by you or by an attacker who has seized your S3 credentials, the gateway accepts the request and stores the new data as a new version while keeping the previous version, which, as a reminder, cannot be deleted.

In this way, you can still restore your backups even if the credentials used for your backups are compromised: the attacker can add new versions but can neither delete nor overwrite the ones that were already there.
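To make the per-server credential scoping and the two gateway rules above concrete, here is an added in-memory model in Go of how such a gateway behaves from a client's point of view. It is an illustration written for this article, not Datashelter's gateway code; the access-key and bucket names, the version numbering and the error messages are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrAccessDenied  = errors.New("access denied: credential is bound to another bucket")
	ErrDeleteBlocked = errors.New("delete blocked: only lifecycle rules may remove versions")
	ErrNotFound      = errors.New("no such object or version")
)

// Version is one stored copy of an object. On a client's request the gateway
// never overwrites or drops a Version; a PUT only appends a newer one.
type Version struct {
	Number int
	Data   []byte
}

// Gateway is a toy model of the behaviour described in the article:
// one credential per bucket, versioned writes and no client-side DELETE.
type Gateway struct {
	keyToBucket map[string]string               // access key -> the one bucket it may use
	objects     map[string]map[string][]Version // bucket -> object key -> versions, oldest first
}

func NewGateway() *Gateway {
	return &Gateway{keyToBucket: map[string]string{}, objects: map[string]map[string][]Version{}}
}

// Provision models server creation: a dedicated bucket plus a credential
// valid for that bucket only. The names are constructed; real keys are random.
func (g *Gateway) Provision(server string) (accessKey, bucket string) {
	bucket = "backup-" + server
	accessKey = "AK-" + server
	g.keyToBucket[accessKey] = bucket
	g.objects[bucket] = map[string][]Version{}
	return accessKey, bucket
}

// authorize enforces the segmentation rule: a key reaches exactly one bucket.
func (g *Gateway) authorize(accessKey, bucket string) error {
	if b, ok := g.keyToBucket[accessKey]; !ok || b != bucket {
		return ErrAccessDenied
	}
	return nil
}

// Put looks like a normal S3 PUT to the client but never replaces data:
// the new body becomes the next version and older versions stay in place.
func (g *Gateway) Put(accessKey, bucket, key string, data []byte) (int, error) {
	if err := g.authorize(accessKey, bucket); err != nil {
		return 0, err
	}
	vs := g.objects[bucket][key]
	v := Version{Number: len(vs) + 1, Data: append([]byte(nil), data...)}
	g.objects[bucket][key] = append(vs, v)
	return v.Number, nil
}

// GetVersion returns version n; n == 0 means the latest, which is what a
// plain S3 GET would return. Older numbers are what a restore reaches for.
func (g *Gateway) GetVersion(accessKey, bucket, key string, n int) ([]byte, error) {
	if err := g.authorize(accessKey, bucket); err != nil {
		return nil, err
	}
	vs := g.objects[bucket][key]
	if len(vs) == 0 || n < 0 || n > len(vs) {
		return nil, ErrNotFound
	}
	if n == 0 {
		n = len(vs)
	}
	return vs[n-1].Data, nil
}

// Delete is the client-facing DELETE: authenticated, then always refused.
func (g *Gateway) Delete(accessKey, bucket, key string) error {
	if err := g.authorize(accessKey, bucket); err != nil {
		return err
	}
	return ErrDeleteBlocked
}

func main() {
	g := NewGateway()
	webKey, webBucket := g.Provision("web-01")
	_, dbBucket := g.Provision("db-01")
	g.Put(webKey, webBucket, "etc.tar", []byte("good backup taken Monday"))

	// An attacker holding web-01's stolen credentials tries the usual moves.
	_, err := g.Put(webKey, dbBucket, "etc.tar", []byte("pivot"))
	fmt.Println("write to db-01's bucket:", err)
	g.Put(webKey, webBucket, "etc.tar", []byte("ransomware garbage"))
	fmt.Println("delete:", g.Delete(webKey, webBucket, "etc.tar"))

	latest, _ := g.GetVersion(webKey, webBucket, "etc.tar", 0)
	prev, _ := g.GetVersion(webKey, webBucket, "etc.tar", 1)
	fmt.Printf("latest=%q previous=%q (restore from previous)\n", latest, prev)
}
```

The model shows why the two rules only work together: without versioning, an attacker's PUT would destroy the good copy; without DELETE blocking, the attacker would simply remove the older version after overwriting. Note that the attacker can still fill the bucket with junk versions, which is why cleanup is reserved to provider-side lifecycle rules rather than to anything reachable with the server's credentials.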

With this step complete, your data is stored on our infrastructure. We currently rely on the infrastructure of our partner OVHcloud to offer you multi-certified storage (ISO 27001, HDS and soon SecNumCloud).

Your data remains safe at Datashelter, and will be there when you need it most!