Discover Datashelter
Technical

How Datashelter Protects Your Data: A Deep Dive

Malo Paletou
· 4 min read
Send by email

At Datashelter, security is at the heart of everything we do. We have designed our product to offer robust and auditable security guarantees, setting us apart in the market for outsourced backup services.

This article will detail the security features developed by Datashelter, which ensure maximum security for your data backups.

How Snaper (CLI) Works

Backup security starts with the tool responsible for performing your backups and sending them to Datashelter. We have identified four major features that guarantee the security of this process:

  • Communications exclusively via the S3 API
  • Push-only model
  • No SSH access required
  • Client-side encryption with AES-256

Communications Exclusively via the S3 API

As mentioned in the introduction, Snaper is responsible for performing backups and sending them to Datashelter. During its design, we asked ourselves several key questions: Should we communicate with our own API to authenticate client servers with Datashelter? Is it possible to communicate exclusively via standard protocols such as S3 to limit risks?

After careful consideration, we decided to restrict communications with Datashelter to the S3 API only. This means that Snaper manages configuration synchronization logic through files sent via S3 while leveraging the robustness of S3 v4 authentication.

This authentication mechanism has become a standard in the object storage world, securing access to the buckets of major organizations (Dropbox, Netflix, etc.). In the event of a flaw, a significant portion of the Internet would be at risk.

Thus, Snaper cannot make any external calls other than to our API, which complies with the standard S3 protocol. This security guarantee is also auditable at any time by our clients. You can analyze network traffic during backups using tools like Wireshark to confirm it.

Push-Only Model

By extension, the exclusive implementation of the S3 communication protocol enforces a push-only communication model. Your servers access the Datashelter infrastructure through Snaper, but the reverse is not possible. Datashelter cannot initiate a connection to your servers.

This constraint requires creative solutions to make the backup process intuitive, such as asking you to execute a command on your server to synchronize scheduled tasks. However, it also provides several advantages:

  • Datashelter works even if your server is behind a NAT.
  • No specific firewall configuration is needed to use Datashelter.

No SSH Access Required

As a result of the push-only model, unlike most of our competitors, Datashelter does not require SSH access to your servers.

Most competing solutions require you to grant their infrastructure access to your servers via SSH. This approach has two major drawbacks:

  1. You must place absolute trust in your backup provider since they have access to your servers.
  2. You must allow SSH connections from the Internet, which can be problematic if your server operates in a private network.

We believe this design choice poses a significant risk to server and backup security. That’s why we opted for a different approach than our competitors.

Native Client-Side AES-256 Encryption

Finally, let’s discuss Snaper’s built-in encryption capabilities. Your backup data is automatically encrypted with AES-256 using your own key, on your own server, by your own server (client-side).

This ensures that all data leaving your infrastructure is encrypted using an algorithm globally recognized for its robustness, guaranteeing complete confidentiality. No one but you—not even Datashelter—can read your backups.

Data Storage at Datashelter

Now that you know how Snaper secures your backups, let’s focus on the safeguards we’ve put in place for the infrastructure hosting your backups. We will discuss access segmentation, immutable storage, the backup deletion process, and the physical storage of your data.

Access Segmentation

As you may have noticed, each server backed up with Datashelter has its own set of credentials (Access Key/Secret Key) and its own storage bucket. This minimizes the potential attack surface in case one of your machines is compromised.

Each of your servers is treated as an independent actor in its interactions with the Datashelter infrastructure.

Immutable S3 Storage

Beyond access controls, let’s examine the specific characteristics of Datashelter’s backup storage, starting with immutable storage. Immutable storage is essential for protecting backups against ransomware attacks.

At Datashelter, we’ve developed proprietary technology to prevent the alteration of your backup data. Your servers communicate with our custom S3 gateway, which features two key protection mechanisms:

  1. Block deletion requests: File deletion requests (DeleteObject) sent to our S3 gateway are ignored. This ensures that no data is deleted following a server compromise. You can read and write data but cannot delete it.
  2. Prevent object overwrites: To prevent overwriting an existing file, we accept the request but retain the previous version of the file for potential restoration. This ensures data integrity and allows you to recover healthy data.

In summary, your server cannot alter existing data, even if the access key used for your backups is compromised.

Backup Deletion

This raises the question: is it possible to delete outdated backups? If Datashelter truly offers immutable storage, will my storage consumption skyrocket?

The answer lies in nuance. While it’s impossible to delete data using the S3 credentials associated with a server, you can request backup deletion (via Snaper or your dashboard).

At Datashelter, backup deletion is handled automatically and exclusively in two scenarios:

  1. Manual deletion requests: When a user deletes a "service" using the snaper delete command, the service disappears from the user interface but is retained for 14 days before being permanently deleted by our systems.
  2. Retention policy: When backups exceed their associated retention policy, they are automatically deleted according to predefined rules.

Multi-Certified Storage (ISO 27001 & HDS)

Lastly, we’d like to provide more details on how your data is stored. We have partnered with OVHcloud to offer a cost-effective solution across multiple geographic zones while delegating some infrastructure responsibilities.

Your data is stored in a single geographic region but replicated across multiple data centers. The storage we use is certified to meet the highest European security standards, including ISO 27001, its HDS extension for healthcare data, and soon SecNumCloud (SNC).

Thanks to this partnership, you can choose from five different locations to host your data (or more if you connect your own bucket):

  • Gravelines (France) 🇫🇷
  • Frankfurt (Germany) 🇩🇪
  • Beauharnois (Canada) 🇨🇦
  • London (United Kingdom) 🇬🇧
  • Warsaw (Poland) 🇵🇱

Conclusion

We hope this article has helped you better understand how Datashelter ensures the security of your backups at every stage of the process.

If you’d like to learn more, our team is available to assist with any inquiries. Additionally, we recommend reading our article on the Six Golden Rules for Reliable Data Backups, based on our experience as a provider of outsourced backup solutions.

Written by Malo Paletou

Keep reading