Our latest security improvements — and what they mean for your projects
Scale • Cyril Petel • 14/10/25 • 6 min read

At Scaleway, we are heads-down building all the Compute, Storage and AI products that European companies need to thrive in the cloud. This means we rarely take the time to look back at all the progress we made — especially in core and transversal features like security, whose impact can be felt across an entire organization.

Security has only become more of a focus for us over time. In the past few months alone, we have been working on so many Security products and features that we can hardly count them! This makes now the perfect opportunity to review them.

Our latest updates can be broken down into four main pillars:

Access Management: securing who can access your infrastructure

Secured Network: isolating communication inside your network

Data Protection: making your information confidential and available

Auditability & Compliance: monitoring any action performed in your Organization

Our latest Security updates run across four distinct pillars: Access Management, Secured Network, Data Protection, and Auditability & Compliance.

With that in mind, let’s unpack each pillar and how the latest changes help make your projects more secure across the board.

1. Access Management

Access management misconfiguration remains the #1 threat in the cloud, according to the Cloud Security Alliance. The more complex your projects and the more stakeholders are involved, the more granular your access management should be.

With our latest releases on Identity and Access Management (IAM) and other products, you can ensure that only authorized users and systems can access your resources, reducing the risk of unauthorized entry into the Organization.

Organization Members: Over the past 12 months, our IAM team has been busy refactoring multi-user management in Scaleway Organizations. Switching from a Guest system, where everyone had to own an Organization, to a modern and secure system of Organization members was challenging to say the least. However, IAM admins now have far more control over user authentication, with more features to come. More info here

IAM conditions: Using the industry standard Condition Expression Language (“CEL”), IAM power users can now refine policies using parameters of the requests (timestamp, user agent, and IP address). We plan to use the same system to bring more granularity, with resource-level permissions. More info here

Login improvements (SSO, WebAuthn): As authentication remains a main vector of attack, we remain dedicated to transitioning from a secret-based log-in to an ownership-based one. New SSO workflows have been released for both Owners and members through OAuth2. Moreover, WebAuthn is now supported as a second factor of authentication for Owners, meaning that you can now use fingerprints or even FIDO2 keys to authenticate. More info here

SAML support for members: Authentication through a SAML-compatible Identity Provider is now possible for any member of an Organization. With an easy set-up, administrators can rely on their own internal tool for the login workflows of their employees into Scaleway. More info here

IAM support of Kubernetes RBAC: Combine Scaleway IAM and Kubernetes RBAC to improve access control on your clusters. This new feature allows clients to assign roles to users, groups or ServiceAccounts via RoleBindings and ClusterRoleBindings. More info here

Multi-user on MongoDB: Multiple users can now be created on our MongoDB instances. In addition, global as well as specific roles are available in MongoDB instances to refine each user's permissions. More info here

2. Secured Network

By default, the public cloud is accessible on the Internet, meaning your infrastructure can be reached not just by your employees, but by anyone. Our new and improved Network portfolio lets you more finely control traffic flow and monitor activity to protect your environments from external and internal threats.

Web Application Firewall (“WAF”): On top of our Edge services, which provide caching for our Load Balancers and buckets, we rolled out a Web Application Firewall service to protect those services against malicious requests. Paranoia levels and specific exclusions can be defined to adapt to your network specificities. More info here

InterLink: InterLink lets you create a secure, private connection between your external infrastructure and your Scaleway VPC. This allows you to direct your traffic safely from your Scaleway infrastructure to your on-premises infrastructure, away from the public internet. More info here

VPC Network ACLs: Thanks to Access Control Lists inside VPCs, traffic flow can be restricted between certain sources and destinations within the VPC, depending on rules set by the client. More info here

VPC integrations: All our products are available on the Internet, but some clients require a fully private connection between the various components of their architecture. To answer that need, our Functions, Containers, Apple Silicon and MongoDB products have been integrated with Private Networks. More info here

Site to Site Virtual Private Network (“S2S VPN”) in Private Beta: This feature allows you to connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private tunnel. More info here

3. Data Protection

Data protection aims to safeguard your most sensitive information through encryption, backups, and secure storage, ensuring the Confidentiality, Integrity, and Availability of all your data, the well-known CIA triad. This year, a big focus has been put on confidentiality, especially on encryption at rest for our most important products.

Key Manager: Key Management Service (KMS) has been released in General Availability, with the ability to create, rotate, protect and delete keys. Both symmetric and asymmetric algorithms are supported for encryption and signing use cases. More info here

SSE-C Object Storage: Server-Side Encryption (“SSE”) with a customer-provided key has been added as a main feature of our Object Storage offering. If an encryption key is provided during a put or get action, your objects will be encrypted (or decrypted) using best-in-class encryption. More info here
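To make the put/get flow above concrete, here is an added example (not Scaleway's code) modelling the S3-style SSE-C exchange: the client sends its 32-byte key with every PUT and GET, the service keeps only the key's MD5 to verify that the same key is presented again, and a GET without the key cannot decrypt the object. It assumes Scaleway's S3-compatible API uses the standard `x-amz-server-side-encryption-customer-*` headers; `record_put` and `get_allowed` are a hypothetical server-side model, not a real endpoint.

```python
import base64
import hashlib
import hmac

# Header names of the S3 SSE-C convention (assumption: Scaleway Object
# Storage, being S3-compatible, uses this same header set).
ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def _key_md5_b64(raw_key: bytes) -> str:
    """Base64 of MD5(key): an integrity check on the transmitted key."""
    return base64.b64encode(hashlib.md5(raw_key).digest()).decode()


def sse_c_headers(key: bytes) -> dict:
    """Headers the client must send on PUT and again on every GET."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 32-byte (AES-256) key")
    return {
        ALGO_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode(),
        KEY_MD5_HEADER: _key_md5_b64(key),
    }


def record_put(headers: dict) -> str:
    """Hypothetical server side of a PUT: validate the key's MD5 and keep
    only that MD5 with the object metadata, never the key itself."""
    raw = base64.b64decode(headers[KEY_HEADER])
    if not hmac.compare_digest(headers.get(KEY_MD5_HEADER, ""), _key_md5_b64(raw)):
        raise ValueError("key/MD5 mismatch: key corrupted in transit")
    return _key_md5_b64(raw)


def get_allowed(stored_key_md5: str, headers: dict) -> bool:
    """Hypothetical server side of a GET: decryption is possible only when
    the same key is presented; no key (or a different key) is refused."""
    if headers.get(ALGO_HEADER) != "AES256" or KEY_HEADER not in headers:
        return False
    raw = base64.b64decode(headers[KEY_HEADER])
    return hmac.compare_digest(_key_md5_b64(raw), stored_key_md5)
```

The practical consequence is the caveat the feature implies: the service cannot recover an object for you if the customer key is lost, so key storage and rotation sit entirely on your side.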

Secret Manager integrations: Like any good ecosystem product, one of the goals for our Secret Management offer is to get natively integrated with our...
