Hacker News
by throwaway382985 1790 days ago
I worked at scaleway.

This whole post is basically bullshit. "Secure" transportation meant taking a random electric car (Renault Zoe) at the company headquarters or at DC5 and throwing hardware in the trunk.

No security in place whatsoever: servers lying in datacenter hallways, fully loaded with disks, accessible to anyone.

Most of the company had access to the back office, where they could just access customers' data without any kind of logging. (Internally this was called "sudo mode" on the online console; we basically had to click a button to log in as any customer.)

The "funniest" was the corporate VPN network being shared with the internal datacenter network, which meant any employee had, for instance, full access to all the home-made switches' management interfaces, which had no access control whatsoever. It happened that employees stumbled across this and wondered what it was (LOL); there was even a button to upload and flash (!) a firmware.

The upper management was terribly incompetent and would discard any kind of issue that was not affecting sales in the immediate term as not important (security or otherwise).


There was a post in the Scaleway user forum (~2020) asking "Who has access to the data on the disk?", to which the founder or CEO replied that the engineers do have access, but the datacenters are very secure as they are thoroughly monitored.

I remember this because I used fscrypt after seeing the post. Scaleway seems to have removed the entire user forum sometime last year.

I stopped using their service after they removed their ARM servers with short notice, but this is more scary.

Unfortunately, this is the reality when it comes to AWS [1] or other top-tier cloud providers vs. inexpensive ones. The cost saving has to happen somewhere.

[1] https://aws.amazon.com/blogs/security/importance-of-encrypti...

But they're ISO 27001 certified? Didn't they have security controls for transit of protected information? What about human resource security?

What about their access control policy and network access control policy?

Do you know who their certifier is, as they don't say, so I can ensure I never, ever trust them?

Another person who worked at Scaleway here.

The whole ISO 27001 thing is false advertising: the scope is very restricted, and Scaleway, online.net, Dedibox or whatever are NOT ISO 27001 certified.

The certification only applies to a very restricted range of products, which are not even publicly available.

> What about their access control policy and network access control policy?

A joke. Many critical services were only firewalled to the outgoing IP address of their corporate Wi-Fi network, whose password was given to practically anyone entering the building.

The private network on the online.net Dedibox offering was just ACLs that were applied with a loop on every switch without much error handling; it happened that what was displayed on the console was not the real configuration applied to a switch. What a joke.

And this is just a starter; this kind of thing goes on and on. Scaleway is a terrible company.
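The failure mode described in the comment above (ACLs pushed to every switch in a loop with no error handling, so the console's view of a port's ACL can silently diverge from what the switch is actually running) is easy to reproduce and easy to guard against. The following is an added example, not Scaleway's or online.net's code; the `FakeSwitch` class, its `apply_acl`/`show_acl` methods, the port name and the ACL entries are all constructed stand-ins for a real switch driven over SSH, NETCONF or a REST API. It contrasts the naive loop with a push that reads the running config back after each apply and records only what the switch confirms, plus an independent reconciliation pass that would catch the drift the commenter describes.

```python
"""Added example: pushing per-port ACLs to a fleet of switches.

Constructed simulation, not Scaleway/online.net code. The switch API below
(FakeSwitch, apply_acl, show_acl) is hypothetical; real gear would be driven
over SSH, NETCONF or REST, but the control-plane logic is the same.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class FakeSwitch:
    """Hypothetical switch whose apply may fail (timeout, rejected config)."""
    name: str
    fail_apply: bool = False
    running: Dict[str, List[str]] = field(default_factory=dict)

    def apply_acl(self, port: str, acl: List[str]) -> None:
        if self.fail_apply:
            raise ConnectionError(f"{self.name}: write timeout")
        self.running[port] = list(acl)

    def show_acl(self, port: str) -> List[str]:
        """Read back the running config for one port."""
        return list(self.running.get(port, []))


def push_naive(switches: List[FakeSwitch], port: str, acl: List[str]) -> Dict[str, List[str]]:
    """The pattern from the thread: loop over switches, swallow errors, and
    update the console database regardless of what actually landed."""
    console_db: Dict[str, List[str]] = {}
    for sw in switches:
        try:
            sw.apply_acl(port, acl)
        except Exception:
            pass  # swallowed: nobody learns that this switch was not updated
        console_db[sw.name] = list(acl)  # recorded as applied, even on failure
    return console_db


def push_verified(switches: List[FakeSwitch], port: str, acl: List[str]
                  ) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Apply, then read the running config back and compare with intent.
    The console DB stores what the switch confirms; every divergence is
    returned in `drift` so an operator (or alert) can act on it."""
    console_db: Dict[str, List[str]] = {}
    drift: Dict[str, str] = {}
    for sw in switches:
        try:
            sw.apply_acl(port, acl)
        except Exception as exc:
            drift[sw.name] = f"apply failed: {exc}"
        actual = sw.show_acl(port)  # source of truth is the device, not the loop
        if actual != acl:
            drift.setdefault(sw.name, f"mismatch: intended={acl} running={actual}")
        console_db[sw.name] = actual
    return console_db, drift


def audit(switches: List[FakeSwitch], console_db: Dict[str, List[str]], port: str) -> Set[str]:
    """Periodic reconciliation: names of switches whose running ACL differs
    from what the console claims. Run this independently of any push so that
    drift introduced later (manual change, reboot, failed push) is also caught."""
    return {sw.name for sw in switches if sw.show_acl(port) != console_db.get(sw.name)}


if __name__ == "__main__":
    # Constructed fleet: sw2 times out on every write.
    fleet = [FakeSwitch("sw1"), FakeSwitch("sw2", fail_apply=True)]
    intended = ["permit 10.0.0.0/24", "deny any"]

    db = push_naive(fleet, "eth1", intended)
    print("naive console view:", db)
    print("naive audit finds drift on:", audit(fleet, db, "eth1"))

    fleet = [FakeSwitch("sw1"), FakeSwitch("sw2", fail_apply=True)]
    db, drift = push_verified(fleet, "eth1", intended)
    print("verified console view:", db)
    print("verified push reported:", drift)
    print("verified audit finds drift on:", audit(fleet, db, "eth1"))
```

In the naive version the console database claims sw2 carries the ACL while the device runs none, which is exactly the "what was displayed was not what was applied" situation; the verified version never records an unconfirmed state and surfaces the failed switch immediately, and `audit` gives you the same check as an ongoing control rather than a one-off at push time.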

What about GDPR, did it change anything?