Cloud security is everyone's business. Scaleway works to implement the most relevant security bricks on a daily basis - in our data centers, on our application stack, and with a set of services and functionalities made available in our ecosystem.

Each of these three layers is a link in the same security chain, articulated around the "principle of shared responsibility in the cloud". This chain will only be as solid as its weakest link, hence the importance of grasping this founding principle as a user.

19% of malicious breaches are caused by compromised credentials and cloud misconfigurations.
Source: Cost of a Data Breach Report 2020, IBM.

In this article, we'll give you 5 quick and easy tips to improve your account security. To be implemented without further delay!

Quick win #1 - keep your information up-to-date

The first step to take when securing your account is not as technical as you might expect, and for good reason: keep your account information up-to-date!

This information is vital for our teams who might need to contact you in case of an issue potentially impacting the security of your account (suspicious activity, a sudden increase to your invoice, to verify your identity if required, security patch alerts…) or the availability of your services (expired payment methods, VAT issues, the end of life of products…).

In particular:

  • A current email address that you and your teams check regularly. We will favor the following type of email address, provided the recipient is up-to-date and the emails sent there are read. Also, we will be careful to avoid spamming this mailbox with repeated alerts, such as those from easily-triggered monitoring.
  • A current phone number, one that preferably will not change. We prefer to avoid using personal phone numbers, or numbers which can change over time, for example if your business changes address.

The best practice we recommend is to create a sort of “on-call” phone number linked to a response management system such as PagerDuty. This tool can escalate alerts from your monitoring tools such as Pingdom, Grafana and Datadog amongst others, as well as calls from your infrastructure service providers and hosting services.

An example of how on-call escalations are managed between multiple teams. Illustration: PagerDuty community forums

To update your information, log in to the Scaleway Console, then click on “My Profile”:

Quick win #2 - use the Multi-User feature

Once your information has been updated, you should configure access to your account, and more specifically user roles.
The aim is to avoid a security nightmare - usernames and passwords being shared between multiple people via instant messaging services, by email or even written on Post-it notes! Besides the risk of this vital information being intercepted, it’s impossible for you to know who is logging in, and worse still, who is not or no longer logging in: former employees, outside suppliers, freelancers, etc.

59% of cloud account holders have been subject to a spear phishing attack attempting to obtain their credentials.
Source: Report “Oracle and KPMG Cloud Threat Report 2020”, KPMG

With Scaleway’s Multi-User feature, you can revoke access when an employee leaves your company, when an outside supplier completes their contract, or should one of your employees lose their login details or fall victim to a phishing attack that obtains their login information.

You can split your users into the following 4 categories:

  • Owner: the account Owner has full access to the account and can delete the account. We recommend that you keep the credentials for the Owner account safely, and that you do not use it on a daily basis - it should be the last resort and only used if specifically needed. Remember to activate 2FA (the third section of this white paper) before double locking the access codes to your Owner account in your safe!
  • Administrator: the Administrator can manage and access projects and billing information, and has the same permissions as the Owner except for user role modification or deletion, support plan management and organization deletion permissions. The Administrator account is a privileged account for IT managers who manage teams and projects.
  • Editor: the Editor account is perfect for your developers or DevOps engineers. This access allows users to create and manage most of the company’s resources and to create API keys, but does not give access to billing information, nor does it allow them to manage user permissions or modify support plans.
  • Billing Administrator: as the name suggests, the Billing Administrator account is ideal for financial and project management.

Setting up your account in such a way, and managing the access to your account and resources, allows you to increase your protection against potential human error or ill-intentioned actions.

To activate the multi-user feature, log in to the Scaleway Console, and click on “Organization”, then on the “Members” tab:

Quick win #3 - activate Multi-Factor Authentication (or “2FA”)

In the Multi-User section we mentioned the option of activating “2FA” for the members of your organization, but didn’t go into further detail. Let’s take a closer look at that now.

49% of users do not activate multi-factor authentication (MFA) for their most critical cloud services.
Source: “Oracle and KPMG Cloud Threat Report 2020”, KPMG.

2FA, also known as two-factor authentication, is a straightforward way to improve the security of your account. Once activated, you will need to provide a single-use code to connect to the Scaleway console. The goal is to prevent an attacker from accessing your account using a compromised password.

There are many ways to identify yourself with 2FA, but we recommend using Google Authenticator, a 2FA application available on both iOS and Android.

When you activate two-factor authentication on your account, a list of tokens will appear. Carefully save these tokens in a safe place as they will be the only way to access your account should you have any issues with your two-factor authentication.

To activate two-factor authentication with Scaleway, log in to the Scaleway Console, and go to “My Profile”:

Quick win #4 - make the most of the Scaleway Project feature

Project is Scaleway’s resource management feature which allows resources to be isolated and grouped into specific projects. The Project feature provides web console-based management and the ability to create API and SSH keys according to the specific scope of your workspaces.

From now on, your projects and Business Units can all be developed in isolated environments - giving you greater control over access rights. This feature is particularly recommended for development agencies with many clients or teams (mobile and web for example).

Source: Scaleway Documentation

In terms of best practices for SSH keys - even if the “passphrase” setting is optional, we strongly recommend using this, and saving the passphrase in a safe place!
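One way to check that the passphrase recommendation is actually followed, as an added example (not part of Scaleway's tooling): the script below reads private key files and reports those stored without a passphrase, by inspecting the cipher name in the OpenSSH key format or the encryption header of legacy PEM keys. The function names are hypothetical and the sample keys are constructed, header-only blobs with no key material.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # magic of the current OpenSSH private key format

def is_passphrase_protected(key_text: str) -> bool:
    """True if the private key in key_text is encrypted with a passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines:
        raise ValueError("empty file")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            raise ValueError("not an openssh-key-v1 blob")
        start = len(MAGIC) + 4
        (length,) = struct.unpack(">I", blob[len(MAGIC):start])
        # First field after the magic is the cipher name; "none" = unencrypted.
        return blob[start:start + length] != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM keys mark encryption with a Proc-Type header.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])
    raise ValueError("not a private key")

def unprotected_keys(directory: str) -> list:
    """Names of private key files in `directory` that have no passphrase."""
    found = []
    for path in sorted(Path(directory).iterdir()):
        try:
            text = path.read_text(errors="ignore")
            if "PRIVATE KEY-----" in text and not is_passphrase_protected(text):
                found.append(path.name)
        except (OSError, ValueError):
            continue  # directories, unreadable files, malformed key files
    return found

def constructed_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed, header-only sample in OpenSSH format (no key material)."""
    def field(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + field(cipher) + field(kdf) + field(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(is_passphrase_protected(constructed_sample(b"none", b"none")))
```

Pointing `unprotected_keys` at a user's `.ssh` directory lists the key files that should be re-protected with `ssh-keygen -p -f <keyfile>`.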

To activate Scaleway Project, see:

Quick win #5 - ensure you have the right level of support

Assistance is often underestimated. Users often choose to not sign up for a plan, even though it meets all of their needs. Just like with insurance policies, we all too often realize just how important they are when it’s already too late!

At Scaleway, we have completely overhauled our support plans in order to best meet your needs and expectations in the most efficient way possible. Our plans give you exclusive access to Technical Account Managers and Cloud Solutions Architects for balanced and predictable, usage-independent, fixed prices.

To see Scaleway’s support plans, log in to the Console, and click on “Support”:

Now you are safer than you were when you started reading this article!

Do you want to go further? Don't miss our White Paper: Understanding Cloud Security Issues. You will learn in particular:

  • The principle of shared responsibility in the Cloud
  • How this principle is implemented at Scaleway
  • Scaleway's best practices in terms of architecture that you can benefit from to further strengthen the security of your infrastructure