Wasabi operates under a shared responsibility model, which outlines the security and management responsibilities between Wasabi and its customers. Understanding this model is crucial for maintaining the security, privacy, and integrity of your data in the Wasabi cloud.

Customer Responsibilities: Security “In” The Cloud
As a Wasabi customer, you are responsible for the security of the data and configurations you control within the Wasabi environment. This includes:
Customer Data
Identity and Access Management (IAM)
Object Lock (Immutability)
Covert Copy (Ransomware Recovery)
Encryption Controls
Customer Data
You are responsible for managing and protecting the data you store in Wasabi, including classification, access, retention, and deletion.
Identity and Access Management (IAM)
Manage user identities, roles, and permissions. You define who can access what data and what actions they can perform. Refer to the Inline IAM Policy With Wasabi to learn how to use inline IAM policies to create least privilege access within Wasabi.
Multi-Factor Authentication (MFA)
Strengthen access security by requiring a second factor during login (such as an authenticator application or hardware token).
Multi-User Authorization (MUA)
MUA is a Wasabi feature that enforces multi-user approvals for sensitive actions (such as for Object Lock configuration changes).
Single Sign-On (SSO)
Leverage enterprise identity providers to centrally manage authentication with Wasabi using industry-standard protocols (such as SAML 2.0).
Object Lock (Immutability)
Enable the Object Lock feature to make data tamper-proof using WORM (Write Once, Read Many) protection. This is critical for compliance, ransomware defense, and legal hold.
Wasabi’s Object Lock and MUA features provide effective protection against malicious encryption threats, such as ransomware, by preventing unauthorized modification or deletion of critical data.
Refer to Malicious Encryption Protection.
Covert Copy (Ransomware Recovery)
Enable the Covert Copy feature to maintain an isolated recovery copy of critical data for ransomware events. Covert Copy provides:
A logically isolated copy for ransomware recovery.
Hidden buckets that are not visible through standard bucket listing operations.
Enforced MUA for access.
Protection against modification, overwrite, or deletion.
Covert Copy complements Object Lock by providing a secure recovery mechanism if primary data is encrypted or unavailable.
Encryption Controls
Wasabi uses Server Side Encryption (SSE) to automatically encrypt every object uploaded to our platform with a unique key. You have other options as well.
Client-Side Encryption (Optional)
Encrypt data before uploading to Wasabi for maximum control. You retain full ownership and management of your encryption keys.
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Leverage Wasabi’s server-side encryption service using your own encryption keys. Refer to SSE-C Encryption With Wasabi.
Bucket and Object Configuration (Bucket Policies)
You configure access control using:
Bucket policies
IAM policies
Versioning
Lifecycle rules
These policies define how your data can be accessed or managed.
Network Connectivity & Customer-Side Security
You are responsible for ensuring:
Secure data transfers
Endpoint and API key protection
Proper firewall and VPN configurations
Refer to Wasabi Direct Connect to learn more about secure connection options at Wasabi.
Recommended General User Security Best Practices
Wasabi recommends that you follow these practices:
Enforce MFA and strong password policies.
Regularly rotate access keys.
Review access logs and usage reports.
Use IAM roles instead of root credentials.
Apply the principle of least privilege.
Refer to Wasabi's recommended general user security best practices.
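The least-privilege practice above, shown as an added example (not Wasabi's code): a Python check that flags over-broad Allow statements in an IAM or bucket policy document before it is attached. It assumes the S3-compatible JSON policy syntax; the sample policy, the bucket name example-backups and the SENSITIVE action list are constructed for illustration.

```python
import json

# Constructed sample policy for illustration; "example-backups" is a hypothetical bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Effect": "Allow", "Action": ["s3:DeleteObject", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::example-backups/*"}
  ]
}
""")

# Actions that delete data or change its protection. Which ones count as
# sensitive is an assumption of this example; adjust to your own data classification.
SENSITIVE = {
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketPolicy", "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
}

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, finding, value) for each over-broad Allow grant."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow can over-grant
        if "NotAction" in stmt:
            findings.append((i, "not-action", "allows everything except the listed actions"))
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard-action", action))
            elif action in SENSITIVE:
                findings.append((i, "sensitive-action", action))
        for resource in as_list(stmt.get("Resource", [])):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append((i, "wildcard-resource", resource))
    return findings

if __name__ == "__main__":
    for index, finding, value in lint_policy(SAMPLE_POLICY):
        print(f"statement {index}: {finding}: {value}")
```

A sensitive-action finding is a prompt for review rather than an error: the grant may be intended, but it should belong to a narrowly scoped identity.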
Wasabi's Responsibilities: Security “Of” The Cloud
Wasabi is responsible for securing the infrastructure that delivers its storage services. This includes:
Automatic Server-Side Encryption at Rest
Core Infrastructure
Data Durability
Data Centers
Hardware
Physical Security and Compliance
Automatic Server-Side Encryption at Rest
All data stored in Wasabi is automatically encrypted using AES 256-bit encryption. No action is required by the user to enable this.
Data Durability
Wasabi ensures 11x9s (99.999999999%) durability through:
Redundant object storage
Integrity validation
Automatic repairs
Core Infrastructure
Wasabi secures and maintains the infrastructure stack, including:
Compute—Compute resources powering the storage platform.
Storage—Object storage systems and associated services.
Database—Systems that manage structured information.
Networking—Secure and high-availability network fabric.
Data Centers
Wasabi operates out of highly secure, geographically dispersed data centers with:
Redundant power and cooling
Access controls and biometric scanners
24/7 surveillance and monitoring
Hardware
Wasabi owns and maintains the hardware stack, including:
Servers
Storage devices
Networking gear
This allows for tighter control and optimization.
Physical Security and Compliance
Wasabi's products and physical data center locations are ISO 27001 compliant. Wasabi is deployed worldwide in top-tier data centers that are SOC 2 compliant and certified for PCI DSS.
Wasabi maintains compliance with industry standards, including, but not limited to:
ISO 27001
HIPAA
GDPR/UK GDPR
Securities and Exchange Commission (SEC)
Wasabi undergoes regular audits to ensure alignment with evolving security, compliance, and privacy frameworks.