It will not have escaped you that the majority of clouds do not come from the European Union. From Google to Microsoft, via Amazon, today 80% of services on the Internet go through a subsidiary of an American company.
Just look at the top 5 suppliers in France: only one is French, OVH. And in Germany, none are European.
This “status quo” seemed incomprehensible and illogical to me 5 years ago. Today, it has a simple explanation for me: there is no good European public cloud.
That is to say, a cloud that saves you time, is transparent and ensures the de facto security of your data and systems. Currently, if you want that level of requirement, you must build it yourself or with your teams. Which is what we did.
Is that changing?
Yes, fortunately! But many of the services either were not around in 2021 or are still in beta, with the risk of data loss.
Why did we choose French public clouds?
This section may seem counter-intuitive to you. Indeed, I just told you that there is no good European public cloud.
There is nevertheless one aspect that I have not mentioned and which is to their advantage: respect for privacy and data confidentiality. These are two critical points if we want to avoid extradition and preserve industrial secrecy.
Many companies keep their infrastructure in-house to ensure this.
But let’s come back to our vision at Fenritec, the one that pushed us to go against the grain: when you use our services, you remain the owner of your data and we don’t use it. It is this ethical stance that makes it necessary to find pragmatic alternative solutions.
A difficult start
To give you some dates: at the end of 2020, I left my job as a cyber security consultant; in February, Fenritec was created; and in March, the OVH fire happened. Whoops…
Have we lost any data?
No, we only had a few blocked servers.
Could we have lost some if we had had customers?
Yes, and that’s the problem! Luckily we didn’t have any yet.
We had two file containers under test at OVH in Strasbourg: an archive container and a standard one, both sold as replicated 3 times.
“Yippee!!!” you will tell me, “there is no risk.”
The archive container burned down and the data is therefore gone! Ouch!!
In the introduction I mentioned the concern for supplier transparency. This is an essential factor in understanding the risks associated with your data.
Here the triple replication was in the same building. When you subscribed to the service you did not know it.
Too bad for companies that thought they had good physical security and had customers.
Experts will tell me that at AWS, Microsoft and Google you have the notion of “Multi Availability Zones” which makes it possible to avoid these inconveniences. That is to say, a data center is separated into several buildings that are far enough apart to prevent the fire from spreading. And the data is replicated between these buildings.
However, in 2021 this did not exist in any European public cloud: the first French “Multi AZ” arrived this year, in 2022, at Scaleway.
We had initially planned to stay on a single data center for individual customers. After this event, we set up double replication for them, as for professionals. There too, with our own solutions.
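The gap between “replicated 3 times” and surviving a fire, as an added example that is not from the original post: for each dataset it computes how many copies remain after the worst single failure of a building, a site or a provider. The inventory and every name in it are constructed placeholders, and going up to provider level extends the same-building case described above.

```python
from collections import Counter, defaultdict

# Failure-domain levels, from narrowest to widest.
LEVELS = ("building", "site", "provider")

# Constructed inventory (placeholder names): (dataset, provider, site, building),
# one tuple per stored copy.
REPLICAS = [
    # Three copies in one building: the "replicated 3 times" case above.
    ("archive", "prov-a", "prov-a/site-1", "prov-a/site-1/bldg-1"),
    ("archive", "prov-a", "prov-a/site-1", "prov-a/site-1/bldg-1"),
    ("archive", "prov-a", "prov-a/site-1", "prov-a/site-1/bldg-1"),
    # Multi-AZ style: one site, three separate buildings.
    ("multi-az", "prov-b", "prov-b/site-1", "prov-b/site-1/bldg-1"),
    ("multi-az", "prov-b", "prov-b/site-1", "prov-b/site-1/bldg-2"),
    ("multi-az", "prov-b", "prov-b/site-1", "prov-b/site-1/bldg-3"),
    # Multi-cloud: one copy at each of three suppliers.
    ("multi-cloud", "prov-a", "prov-a/site-2", "prov-a/site-2/bldg-1"),
    ("multi-cloud", "prov-b", "prov-b/site-1", "prov-b/site-1/bldg-2"),
    ("multi-cloud", "prov-c", "prov-c/site-1", "prov-c/site-1/bldg-1"),
]


def audit(replicas):
    """Map each dataset to {level: copies left after the worst single failure}."""
    placement = defaultdict(lambda: {level: Counter() for level in LEVELS})
    for dataset, provider, site, building in replicas:
        domains = {"provider": provider, "site": site, "building": building}
        for level in LEVELS:
            placement[dataset][level][domains[level]] += 1
    report = {}
    for dataset, per_level in placement.items():
        report[dataset] = {}
        for level, counts in per_level.items():
            total = sum(counts.values())
            # Worst case: the domain holding the most copies is the one lost.
            report[dataset][level] = total - max(counts.values())
    return report


def at_risk(replicas, level):
    """Datasets that one failure at `level` would destroy completely."""
    return sorted(d for d, r in audit(replicas).items() if r[level] == 0)


if __name__ == "__main__":
    for dataset, result in audit(REPLICAS).items():
        print(dataset, result)
    for level in LEVELS:
        print(f"lost entirely by one {level} failure:", at_risk(REPLICAS, level))
```

All three datasets hold the same number of copies; only the placement decides which single failure is survivable.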
Our zero-trust multi-cloud approach
Faced with the adversity of our adventure, we therefore had two choices:
- Use OVH across several data centers,
- Use 3 suppliers, on the assumption that one of them is fallible.
Our choice was made based on the services provided and, of course, the risks. And that is where it went wrong…
To give you a list:
- At OVH, no managed multi-data-center solution (Kubernetes on a single site), no managed MongoDB database,
- At 1&1, the servers are in “Europe” but we don’t know where exactly,
- At Ikoula, almost no high-level management, just servers and virtual machines,
- At Scaleway, non-adjustable access rights (you gave all rights, even the right to destroy virtual machines, to your application, which used another service),
- At Scaleway/Dedibox, just dedicated servers; in short, not many choices.
Faced with this resplendent picture, we chose to do multi-cloud on dedicated servers, because everything was our responsibility whatever the scenario.
Our advantage is clear: if OVH, Scaleway or Ikoula has a problem, we are not impacted. And we don’t take reckless security risks.
On the other hand, it took us time, far too much.
15 years late
As you can see, European public clouds are not too bad for dedicated servers and virtual machines. But they are borderline zero compared to what others offer when it comes to managing access and identities, etc.
Yes, it feels like the 2000s in 2022.
In short, I think one blog post will not be enough to list all the troubles we have gone through, in particular identifying certain IPv6 vulnerabilities specific to suppliers.
Nevertheless, by persevering we got there, and that’s the main thing.
How it is with other startup founders
The adage among other entrepreneurs I’ve met is often:
Because time is money. And since, very often, we don’t really have any money, we go as quickly as possible. We’ll think about it later!
So it’s often AWS or Azure.
Right or wrong?
Would you be ready to double / triple the time needed to have a French / European solution?
Thanks for reading
If you have a question, a remark, etc., you can leave a comment.