Application Security (SaaS)

• Provide details on how multi-tenanted applications are isolated from each other - a high level description of containment and isolation measures is required to implement a secure cloud.
• What assurance do you provide that the access to your data is restricted to your enterprise users and to the applications you own?
• How do you ensure that your platform sandbox is monitored for new bugs and vulnerabilities?
• Do your security features include user authentication, single sign on, authorization (privileged management) and SSL/TLS (made available via an API)?
• What administration controls are provided and can these be used to assign read and write privileges to other users?
• Is the SaaS access control fine grained and can it be customized to our organizations policies and procedures and requirements for your secure cloud?
  
  

Identity and Access Management Systems - Requirements for secure cloud solutions

• Is an Identity Management System in place?
• Does the system allow for a federated IDM (identity management) infrastructure which is interoperable both for high assurance (one time password systems, where required) and low assurance (e.g. username and password)?
• Are you interoperable with third party IDM identity providers?
• Is there the ability to incorporate single sign-on?
• Does our credential system allow separation of roles and responsibilities and for multiple domains (or single key for multiple domains, roles and responsibilities)?
• How do you manage access to our system images – and ensure that the authentication and cryptographic keys are not contained within in them?
• How do you authenticate yourself towards our company (i.e. mutual authentication when we send API Commands, when we log into the management interface)?
• Do you support a federated mechanism for authentication?

Network Architecture Controls & Security

• Define the controls used to mitigate DDoS attacks.
• Describe the concepts you have implemented for defence in depth (deep packet analysis, traffic throttling, packet black-holing, etc.)
• Do you have defences against “internal” (originating from your own network) attacks as well as external (originating from the Internet or customer networks) attacks?
• What levels of isolation are used (for virtual machines, physical machines, network, storage, management networks and management support systems, etc.)?
• Is your virtual network infrastructure (in Private VLANs and VLAN tagging 802.1q architecture) secured to vendor and/or best practice specific standards (e.g. are MAC spoofing, ARP poisoning attacks, etc. prevented via a specific security configuration)?
• What guarantees do you offer for full isolation of resources (e.g. separate virtual instances, separate VPNs, separate physical machines…?
  

   

Patch Management

• Provide details of the patch management procedure
• Can you ensure that the patch management process covers all layers of the cloud delivery technologies –i.e. network (infrastructure components, routers, switches, etc.), server operating systems, virtualization software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc.)?
  
  

Resource Provisioning

• In the event of resource overload (processing, memory, storage, network) what information is given about the relative priority assigned to our request in the event of a failure in provisioning?
• Is there a lead time on service levels and changes in requirements?
• How much can you scale up? Do you offer guarantees on the availability of supplementary resources within a minimum period?
• What processes are in place for handling large-scale trends in resource usage (e.g. seasonal effects)?
• Will location of the data be switched/changed depending on capacity of free storage space?
  
  

Legal Requirements

• In what country are you located?
• Is your infrastructure located in the same country or in different countries?
• Do you use other companies whose infrastructure is located elsewhere?
• Where will the data be physically located?
• Are you compliant to data protection/privacy requirements according to the European Union regulations?
• Is your company safe harbor certified?
• Will jurisdiction over the contract terms and over the data be divided? Please describe how.
• Will any of your services be outsourced?
• How will the data owned by us or our customers be collected, processed and transferred?
• What happens to the data sent to you upon termination of the contract?
• Is it possible to audit your company on-site?
• Who holds the rights to content stored on your cloud infrastructure with regard to intellectual property rights?
• Who is liable for data loss and integrity?
• Is any of our direct competitors as well your customer?
• Have you obtained all applicable registration/permit/licenses for providing this internet based service according to local laws and regulations especially in the data storage and data handling in Germany, e.g.:
  • No storage of data of official institutes outside Germany
  • Local Data protection requirements
  • Special data handling requirements
• Please list all obtained registration/permit/licenses for e.g. Germany.
• Please highlight and explain how and confirm that you can manage these special requirements.