Unit 3.5: Security and Compliance
Introduction
Imagine running a secure bank vault. The bank provides the building, the vault door, security guards, and alarm systems. But you are responsible for what you store inside, who gets the key, and how you organize your valuables. Cloud security works the same way: the provider secures the infrastructure, while you secure your workloads and data.
In this unit, you will learn how IONOS Cloud shares security responsibilities with you, what certifications and compliance standards IONOS maintains, and how the platform protects your data through encryption and audit trails. Understanding these security fundamentals helps you build compliant, secure applications while meeting regulatory requirements like GDPR, ISO 27001, and industry-specific standards.
1. Shared Responsibility Model
Cloud security operates on a shared responsibility model where both the cloud provider and the customer have distinct security duties. Understanding where IONOS's responsibilities end and yours begin is critical for maintaining a secure environment.
1.1 IONOS Responsibilities (Security OF the Cloud)
IONOS is responsible for maintaining the underlying cloud infrastructure, which includes:
- Physical Infrastructure and Data Centers
- Compute and Storage Infrastructure
- Platform Services
IONOS maintains these layers continuously, ensuring the foundation of your cloud environment remains secure without requiring customer intervention.
1.2 Customer Responsibilities (Security IN the Cloud)
As an IONOS Cloud customer, you are responsible for securing everything you deploy and configure within the cloud environment:
| Responsibility Area | IONOS (Provider) | Customer (You) |
|---|---|---|
| Physical data centers and infrastructure | Full responsibility | No responsibility |
| Network backbone and hardware | Full responsibility | No responsibility |
| Hypervisor and virtualization layer | Full responsibility | No responsibility |
| Managed service infrastructure | Full responsibility | Configuration and usage |
| Operating systems on VMs | Not responsible | Full responsibility |
| Applications and containers | Not responsible | Full responsibility |
| Data encryption and backups | Provides tools | Implements and manages |
| Identity and access management | Provides platform | Configures users and roles |
| Network security rules | Provides NSGs | Configures rules |
| Monitoring and logging | Provides services | Configures and analyzes |
1.3 Shared Controls
Some security controls involve both IONOS and the customer:
Network Firewalls
- IONOS provides Network Security Groups (NSGs) as a platform capability
- You configure the specific firewall rules that apply to your resources
Encryption
- IONOS provides encryption capabilities and infrastructure
- You decide what data to encrypt and manage application-level encryption keys where applicable
Monitoring and Logging
- IONOS provides Activity Logs, Flow Logs, and Monitoring Services
- You configure what to monitor, set up alerts, and respond to findings
Understanding this division of responsibility helps you identify security gaps and ensure complete coverage across all layers of your cloud environment.
2. IONOS Security Certifications and Compliance
IONOS Cloud maintains multiple internationally recognized security certifications and adheres to major compliance frameworks, providing assurance that the platform meets rigorous security and privacy standards.
2.1 ISO 27001 Certification
What It Is ISO 27001 is the international standard for Information Security Management Systems (ISMS). It establishes a systematic approach to managing sensitive data through risk assessment, security controls, and continuous improvement processes.
IONOS Compliance IONOS Cloud data centers are ISO 27001-certified across all locations, demonstrating that IONOS follows internationally recognized best practices for information security management. The certification scope is verified through regular independent audits at each datacenter.
What This Means for You When you run workloads on IONOS Cloud, you benefit from a platform built on ISO 27001 principles, providing a secure foundation for your own compliance efforts. Many organizations require cloud providers to hold ISO 27001 certification before they can host sensitive workloads.
2.2 SOC 2 Type II Certification
What It Is SOC 2 (Service Organization Control 2) Type II is a compliance framework that evaluates controls related to security, availability, processing integrity, confidentiality, and privacy. Type II certification specifically demonstrates that these controls are operating effectively over time, not just designed properly.
IONOS Compliance IONOS Cloud holds SOC 2 Type II certification at select datacenter locations, which requires independent auditors to verify that IONOS's security processes and controls meet strict operational criteria consistently. The certification is renewed regularly through ongoing audits. Consult the IONOS Cloud Service Catalog for current SOC 2 coverage by location.
What This Means for You SOC 2 Type II certification provides assurance that IONOS Cloud operations are monitored, controlled, and audited against industry-standard criteria. This is particularly important for organizations in regulated industries (healthcare, finance, government) that must verify their vendors meet specific security requirements.
2.3 GDPR Compliance
What It Is The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that governs the processing of EU citizens personal data by organizations.
IONOS Compliance IONOS Cloud is fully GDPR-compliant, with data centers located in the European Union (Germany, Spain, and France). All data handling, encryption at rest and in transit, and data residency controls are designed to meet GDPR requirements. IONOS provides tools and features that enable customers to build GDPR-compliant applications.
What This Means for You If you process personal data of EU citizens, you can leverage IONOS's GDPR-compliant infrastructure and EU-based data centers to meet data residency and sovereignty requirements. IONOS's compliance framework helps you fulfill your own GDPR obligations.
2.4 PCI DSS Compliance
What It Is The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect payment card data during processing, storage, and transmission. Organizations that handle credit card information must comply with PCI DSS.
IONOS Compliance IONOS Cloud offers PCI DSS compliance at select datacenter locations for customers who need to process payment card data. This provides a compliant infrastructure foundation for e-commerce, payment processing, and other applications that handle credit card information. Verify PCI DSS availability at your chosen datacenter through the IONOS Cloud Service Catalog.
What This Means for You If you run applications that process credit card payments, you can leverage IONOS's PCI DSS-compliant infrastructure to simplify your own compliance efforts. However, PCI DSS is a shared responsibility: IONOS secures the infrastructure, while you must ensure your applications and data handling practices also meet PCI DSS requirements.
2.5 BSI C5 and IT-Grundschutz (German Federal Security Standards)
What They Are:
Germany maintains two key security frameworks through the Federal Office for Information Security (BSI). BSI IT-Grundschutz is a comprehensive information security methodology that provides detailed baseline security measures, going beyond ISO 27001 by specifying concrete, actionable controls. BSI C5 (Cloud Computing Compliance Criteria Catalogue) defines criteria for cloud computing security across 17 areas, from physical security to identity verification and interaction with law enforcement.
IONOS Compliance:
IONOS Cloud holds both BSI certifications for core cloud services. The ISO 27001 certificate based on IT-Grundschutz covers Compute Engine, Object Storage and Backup, and Managed Kubernetes in German data centers. The BSI C5 Type 1 attestation covers Compute Engine, Cloud Cubes, and Object Storage. As a German provider, IONOS is the first to hold both the C5 attestation and BSI IT-Grundschutz certification, reflecting a commitment to meeting the highest German security expectations.
What This Means for You:
If you work for the German public sector or in the area of critical infrastructure (KRITIS), BSI certifications are often a prerequisite for using cloud services. These certifications provide detailed transparency into IONOS's security controls, simplifying your own risk analysis and compliance audits. The BSI C5 attestation is particularly relevant for regulated industries such as healthcare, where demonstrating cloud provider compliance with BSI standards supports your own regulatory obligations.
2.6 Compliance Summary Table
The following table summarizes IONOS Cloud's key certifications and compliance standards:
| Certification / Standard | What It Covers | IONOS Status |
|---|---|---|
| ISO 27001 | Information Security Management System (ISMS) with systematic data security controls | Certified across all datacenter locations |
| BSI IT-Grundschutz | German federal IT baseline protection with concrete security measures | Certified for core services in German data centers |
| BSI C5 | Cloud Computing Compliance Criteria Catalogue for cloud computing security across 17 areas | Type 1 attestation for core cloud services |
| SOC 2 Type II | Security, availability, processing integrity, confidentiality, and privacy controls verified over time | Certified at select datacenter locations |
| GDPR | EU data protection regulation for personal data of EU citizens | Fully compliant (EU-based data centers, encryption, data residency) |
| PCI DSS | Payment card industry security standard for handling credit card data | Available at select datacenter locations |
Important: Certification coverage varies by datacenter location and service. For the current list of certifications at each location, consult the IONOS Cloud Service Catalog.
2.7 Digital Sovereignty: GDPR vs. US CLOUD Act
While IONOS Cloud meets all technical security requirements, the European legal framework offers a decisive advantage over non-European providers:
- Immunity to the US CLOUD Act: As a German company without a US parent entity, IONOS is not subject to the Clarifying Lawful Overseas Use of Data (CLOUD) Act. Unlike US providers, who may be legally compelled to grant authorities access to data regardless of its physical storage location, IONOS operates exclusively under European jurisdiction.
- Digital Sovereignty: Customers retain exclusive legal control over their workloads and data. Access by government agencies is only possible through European legal processes and judicial orders, effectively eliminating the risk of foreign legal interference or secret data disclosure mandates.
3. Data Protection and Encryption
IONOS Cloud protects your data through comprehensive encryption strategies covering both data at rest (stored data) and data in transit (data moving across networks).
3.1 Encryption at Rest
Encryption at rest protects stored data from unauthorized access, ensuring that even if physical storage devices are compromised, the data remains unreadable without the proper encryption keys.
Block Storage Encryption
- All Block Storage logical volumes created on IONOS Cloud are automatically encrypted using AES-XTS 256-bit encryption
- Each volume receives a unique encryption key that is invisible to the storage server
- Even root users cannot access the raw encryption keys
- Optional drive-level encryption on SSD Premium and Standard volumes adds a second layer of AES-XTS 256-bit encryption using self-encrypting drives (SEDs)
- Physically removing a drive from the data center renders the data unreadable
Backup Service Encryption
- Server-side encryption uses AES-256 to protect backup data on storage devices
- Optional customer-side encryption allows you to encrypt backups using a password-derived key (AES-256)
- When using customer-side encryption, IONOS and the backup provider (Acronis) never store your encryption key
- This ensures only you can decrypt and restore your backup data
IONOS Cloud Object Storage Encryption
- Server-Side Encryption with IONOS-managed keys (SSE-S3) using AES-256
- Customer-Managed Keys (SSE-C) option also uses AES-256 encryption
- All data stored in Object Storage buckets is encrypted automatically
Private Container Registry Encryption
- Container images stored in the Private Container Registry are encrypted at rest using AES-256
- Encryption keys are managed by the IONOS platform
- Customers cannot supply their own encryption keys for container registry storage
3.2 Encryption in Transit
Encryption in transit protects data as it moves between your applications, IONOS services, and external systems, preventing eavesdropping and man-in-the-middle attacks.
TLS/HTTPS Encryption
- All IONOS Cloud API endpoints use TLS 1.2 or TLS 1.3 encryption
- IONOS Cloud Object Storage supports TLS 1.2/1.3 for all data transfers to and from S3-compatible endpoints
- Backup Service encrypts all backup traffic in real time using HTTPS/TLS with strong cipher suites (Diffie-Hellman and RSA key exchange)
- Management interfaces (Data Center Designer, API access) are protected by HTTPS/TLS
Network Service Encryption
- VPN Gateway connections encrypt traffic between your on-premises networks and IONOS Cloud
- Certificate Manager provisions and manages SSL/TLS certificates for Application Load Balancers, ensuring encrypted client connections
3.3 Key Management
Platform-Managed Keys For most IONOS services, encryption keys are managed automatically by the IONOS platform:
- Keys are stored securely within IONOS infrastructure and are never exposed to customers or administrators
- Access to encryption keys requires authenticated, authorized, and encrypted requests
- Keys are bound to the infrastructure, meaning physical drives removed from data centers remain encrypted and unreadable
Customer-Managed Keys (Limited Availability) Some services offer customer-managed encryption options:
- Backup Service supports password-derived encryption keys that IONOS never stores
- Object Storage supports Customer-Managed Keys (SSE-C) for bucket encryption
- Most other services use platform-managed keys exclusively
3.4 Secure Data Deletion
When you delete data from IONOS Cloud, secure deletion processes ensure the data cannot be recovered:
Volume and Backup Deletion
- Deleting a Block Storage volume or backup zeroes out metadata, destroying the encryption key
- Without the encryption key, the encrypted data becomes permanently unreadable
- Physical drives are wiped according to NIST SP 800-88 Rev 1 guidelines
- When wiping is not possible, drives are physically destroyed
Object Storage Deletion
- Deleting objects from IONOS Cloud Object Storage removes metadata and makes data unrecoverable
- Secure deletion follows the same NIST SP 800-88 guidelines as Block Storage
This comprehensive encryption approach (AES-256 for data at rest, TLS 1.2/1.3 for data in transit, secure key management, and NIST-compliant deletion) ensures your data remains confidential throughout its lifecycle on IONOS Cloud.
4. Audit Trails for Compliance
Audit trails provide a chronological, tamper-proof record of all actions performed within your IONOS Cloud environment. These records are essential for security investigations, operational troubleshooting, and meeting regulatory compliance requirements.
4.1 What Are Audit Trails?
An audit trail is a read-only, time-ordered log of significant events that captures:
- Who performed the action (user identity and contract number)
- When the action occurred (exact timestamp)
- Where the action originated (source IP address and service)
- What was affected (resource type, resource ID, and specific action taken)
IONOS Cloud provides audit trails through the Activity Log service, which records every API request, configuration change, user login, resource creation, modification, and deletion across your cloud environment.
4.2 Activity Log for Audit Trails
What Activity Logs Capture Activity Logs record all user activities and resource modifications, including:
- User authentication events (logins, logouts, failed login attempts)
- Resource provisioning and de-provisioning (creating VMs, storage volumes, networks)
- Configuration changes (modifying firewall rules, updating load balancer settings)
- Data access events (accessing Object Storage, database connections)
- Identity and access management changes (creating users, modifying roles, changing permissions)
- Security events (Network Security Group rule changes, certificate deployments)
Activity Log Data Structure Each Activity Log entry includes:
- Principal identity (user email, contract number, source IP, source service)
- Event type (e.g., RequestAccepted, ResourceCreated, ConfigurationChanged)
- Event resources (resource type, resource ID, action performed)
- Metadata (timestamp, audit log version)
Immutability and Retention Activity Logs are read-only and cannot be modified or deleted by users, ensuring tamper-proof audit trails. Logs are retained according to IONOS policies and compliance requirements, providing a historical record for investigations and audits.
4.3 Using Audit Trails for Compliance
Audit trails support multiple compliance and security objectives:
Regulatory Compliance Many regulations require audit trails of who accessed or modified data:
- GDPR requires logging of personal data access and processing activities
- HIPAA requires audit trails for healthcare data access
- SOX (Sarbanes-Oxley) requires audit trails for financial data
- PCI DSS requires logging of access to cardholder data
Activity Logs provide the necessary evidence to demonstrate compliance with these requirements during audits.
Security Investigations When security incidents occur, audit trails help you:
- Identify the source of suspicious activity (which user, from what IP address)
- Trace the sequence of events leading to a security breach
- Determine the scope of unauthorized access or data exposure
- Provide evidence for incident response and forensic analysis
Access Reviews Regular audit trail reviews enable you to:
- Identify excessive privileges granted to users or service accounts
- Detect orphaned accounts that should have been deactivated
- Monitor role and permission changes over time
- Revoke access promptly when users change roles or leave the organization
Operational Troubleshooting Beyond compliance, audit trails help with:
- Diagnosing configuration issues (what changed before the problem occurred?)
- Understanding resource usage patterns and trends
- Verifying that automation scripts and Infrastructure as Code deployments executed correctly
4.4 Accessing Activity Logs
Activity Logs can be accessed through:
IONOS Cloud API using GET requests to retrieve log entries programmatically (the Activity Log is a read-only API and has no browsing view in the Data Center Designer) Data Center Designer (DCD) to grant the "Access Activity Log" group privilege, which authorizes User accounts to read the log through the API (by default only Contract Owner and Administrator accounts have access) Automation and integration with external SIEM (Security Information and Event Management) systems for centralized log analysis
By regularly reviewing Activity Logs and integrating them into your security monitoring processes, you can maintain compliance, detect security threats early, and respond quickly to incidents.
Common Use Cases
Real-world scenarios where IONOS Cloud security and compliance features are used:
- Healthcare Application with GDPR and HIPAA Requirements: A healthcare provider builds a patient management system on IONOS Cloud. They leverage IONOS's GDPR-compliant infrastructure and EU-based data centers (Section 2.3) to meet data residency requirements. Block Storage encryption at rest (Section 3.1) protects patient records, while TLS encryption in transit (Section 3.2) secures data transfers. Activity Logs (Section 4.2) provide the audit trails required by HIPAA regulations, recording all access to patient data for compliance reporting.
- E-commerce Platform with PCI DSS Compliance: An online retailer processes credit card payments and must comply with PCI DSS. They deploy their payment processing application on IONOS Cloud's PCI DSS-compliant infrastructure (Section 2.4). Network Security Groups (referenced in Section 1.2) segment payment processing systems from other workloads. Certificate Manager (covered in Unit 2.6, referenced here for TLS termination) provides SSL/TLS certificates for secure payment transactions. Activity Logs track all configuration changes to payment systems, supporting PCI DSS audit requirements (Section 4.3).
- Financial Services Application with SOC 2 Requirements: A fintech company needs to demonstrate robust security controls to enterprise customers who require SOC 2 compliance. They build their application on IONOS Cloud's SOC 2 Type II-certified infrastructure (Section 2.2). The shared responsibility model (Section 1) clarifies which security controls IONOS manages versus which the company must implement. They implement customer-managed encryption for sensitive financial data using Backup Service's password-derived keys (Section 3.1), and they conduct monthly Activity Log reviews (Section 4.3) to identify any unauthorized access or privilege escalation attempts.
Summary
Security and compliance on IONOS Cloud operate through a shared responsibility model where IONOS secures the cloud infrastructure (physical data centers, network, hypervisor) while customers secure their workloads, data, and configurations. IONOS Cloud maintains multiple internationally recognized certifications including ISO 27001 (across all locations), BSI IT-Grundschutz and BSI C5 (for core services in German data centers), SOC 2 Type II, and GDPR compliance, with specific certifications varying by datacenter location and service.
Data protection is achieved through comprehensive encryption strategies: AES-256 encryption at rest for Block Storage, Backup Service, Object Storage, and Container Registry, combined with TLS 1.2/1.3 encryption in transit for all data transfers. Encryption keys are managed by the IONOS platform for most services, with optional customer-managed keys for Backup Service and Object Storage.
Audit trails provided by Activity Logs create tamper-proof records of all user activities and resource changes, supporting compliance requirements for GDPR, HIPAA, SOX, and PCI DSS. These logs capture who performed actions, when they occurred, where they originated, and what resources were affected, providing critical evidence for security investigations, access reviews, and regulatory audits.
Key Points:
- The shared responsibility model divides security duties: IONOS secures the infrastructure, customers secure their workloads, data, and configurations
- IONOS Cloud holds certifications including ISO 27001, BSI IT-Grundschutz, BSI C5, SOC 2 Type II, and GDPR compliance, with specific certifications varying by datacenter location and service
- Data is encrypted at rest using AES-256 and in transit using TLS 1.2/1.3 across all IONOS Cloud services
- Activity Logs provide immutable audit trails required for compliance with GDPR, HIPAA, SOX, and PCI DSS regulations
- EU-based data centers in Germany (Berlin, Frankfurt), Spain (Logroño), and France (Paris) support data residency and sovereignty requirements
- Audit trails enable security investigations, access reviews, and operational troubleshooting beyond compliance requirements
Important Terminology:
- Shared Responsibility Model: A cloud security framework dividing responsibilities between the cloud provider (infrastructure security) and customer (workload and data security)
- ISO 27001: International standard for Information Security Management Systems (ISMS) demonstrating systematic security controls
- SOC 2 Type II: Compliance framework verifying that security controls operate effectively over time, not just by design
- GDPR (General Data Protection Regulation): EU law governing personal data protection, requiring data subject rights, consent, and residency controls
- Encryption at Rest: Protecting stored data using encryption (AES-256) so it remains unreadable without decryption keys
- Encryption in Transit: Protecting data moving across networks using TLS/HTTPS to prevent eavesdropping and man-in-the-middle attacks
- Audit Trail: Chronological, read-only log of all actions in the cloud environment, capturing who, when, where, and what for compliance and security investigations
- Activity Log: IONOS Cloud's audit trail service recording all API requests, configuration changes, and user activities
Next Steps
Continue Learning: Course Completion
Related Topics:
- Unit 3.2: Identity and Access Management - Understanding user roles, permissions, and access controls
- Unit 3.4: Activity Logs and Monitoring - Deep dive into logging, monitoring, and observability services
- Unit 2.6: Security Services - Network Security Groups, DDoS Protect, and Certificate Manager