Infrastructure Provider Audit¶
This page will help you do your due diligence and ensure you choose a Infrastructure Provider that provides a solid foundation for Welkin and your application. Elastisys regularly uses this template to validate cloud partners, as required for ISO 27001 certification.
Rationale¶
Welkin is designed to build upon the security and compliance of the underlying Infrastructure Provider. If you cannot trust the underlying provider with controls such as physical security to the servers, safe disposal of hard drives, access control to infrastructure control plane, then no technical measure will help you achieve your security and compliance goals. Trying to take preventive measures in Welkin -- i.e., at the platform level -- is inefficient at best and downright dangerous at worst. Failing to due your due diligence will end up in security theatre, putting your reputation at risk.
Overview¶
The remainder of this page contains open questions that you should ask your Infrastructure Provider. Notice the following:
- Make sure you ask open questions and note down the answers. Burden of proof lies with the provider that they do an excellent job with protecting data.
- Ask all questions, then evaluate the provider's suitability. It is unlikely that you'll find the perfect provider, but you'll likely find one that is sufficient for your present and future needs.
- The least expected the answer, the more "digging" is needed.
- "You" represents the Infrastructure Provider and "I" represents the Welkin administrator.
Technical Capability Questionnaire¶
- Availability Zones:
- Where are your data centers located?
- How are they presented, i.e., single API vs. multiple independent APIs?
- Services:
- What services do you offer? (e.g., VMs, object storage)
- Are all your services available in all zones?
- Identity and Access Management (IAM):
- Do you offer IAM?
- How can I create roles? Via an API? Via a UI? Via a Terraform provider?
- What services can I configure role-based access control for?
- Can IAM be configured via API? Can IAM be configured via Terraform?
- Can one single user be given access to multiple projects?
-
Infrastructure-aaS:
- Which IaaS engine do you use? (e.g., OpenStack, VMware, proprietary)
- Do you have a Terraform provider for your API?
- Do you have pre-uploaded Ubuntu images? Which?
- Do these images have AutomaticSecurityUpdates by default?
- Do these images have NTP enabled by default?
- Do you have a Kubernetes integration for your IaaS?
- Can I use a cloud-controller for automatic discovery of Nodes and labeling Nodes with the right Zone?
- Can you handle large diurnal capacity changes, a.k.a., auto-scaling? E.g., 40 VMs from 6.00 to 10.00, but only 10 VMs from 10.00-6.00.
- Can I reserve VMs? How do you bill for reserved but unused VMs?
- What technical implementation do you recommend? E.g., pause/unpause VMs, stop/start VMs, terminate/recreate VMs.
- Do you support anti-affinity?
- If yes, what is the maximum number of VMs which can be part of an anti-affinity group?
- If not, how can we ensure that VMs don't end up on the same physical servers?
-
Storage capabilities:
- Do you offer Object Storage as a Service (OSaaS)?
- Can I use the object storage via an S3-compatible API?
- Can I create buckets via API?
- Can I create bucket credentials via API?
- Do you have a Terraform provider for your API?
- In which zones?
- Do you have immutable storage or object lock?
- Is OSaaS stretched across zones?
- Is object storage replicated across zones?
- Do you offer Block storage as a Service (BLaaS)?
- Which API (OpenStack, VMware)?
- In which zones?
- Can I use a Container Storage Interface (CSI) driver for automatic creating of PersistentVolumes?
- [For NFS] How did you configure User ID Mapping, specifically
root_squash
,no_root_squash
,all_squash
,anonuid
andanongid
? Mapping the root UID to values typically used by containers, e.g., 1000, will lead to permission denied errors. For example, OpenSearch's init containers dochown 1000
which fails withsquash_root
andanonuid=1000
. - Is BSaaS stretched across zones?
- Is block storage replicated across zones?
- Does the CSI driver support the Snapshot feature? This is needed for more consistent Velero backups.
- Do you offer encryption-at-rest?
- Encrypted object storage: Do you offer this by default?
- Encrypted block storage: Do you offer this by default?
- Encrypted boot discs: Do you offer this by default?
- If not, how do you dispose of media potentially containing personal data (e.g., hard drivers, backup tapes)?
- Do you offer Object Storage as a Service (OSaaS)?
-
Networking capabilities:
- Can the VMs be set up on a private network? Do you have a Terraform provider for your API?
- Is your private network stretched across zones?
- Do you trust the network between your data centers?
- Does the private network overlap:
- The default Docker network (
172.17.0.0/16
)? - The default Kubernetes Service network (
10.233.0.0/18
)? - The default Kubernetes Pod network (
10.233.64.0/18
)?
- The default Docker network (
- How can we peer private networks across projects?
- Firewall-aaS
- Are Firewall-aaS available?
- What API? (e.g., OpenStack, VMware)
- Do you have a Terraform provider for your API?
- Do you offer Load Balancer-aaS (LBaaS)?
- Can I create a LB via API?
- Do you have a Terraform provider for your API?
- Can I use a cloud-controller for automatic creation of external LoadBalancers?
- Can I set up a LB across zones? Via API?
- Can VMs see themselves via the load-balancers's IP address? (If not, then VMs need a minor fix.)
- Do your LBs preserve source IP addresses? Usually, this involves clever DNAT or PROXY protocol support.
- Do you offer IPv6 support? By default?
- Do you offer DNS as a Service? Which API?
- Can the VMs be set up on a private network? Do you have a Terraform provider for your API?
-
Network security:
- Do you allow NTP (UDP port 123) for clock synchronization to the Internet?
- If not, do you have a private NTP server?
- Do you allow ACME (TCP port 80) for automated certificate provisioning via Let's Encrypt?
- If not, how will you provision certificates?
- Do you allow NTP (UDP port 123) for clock synchronization to the Internet?
Organizational capabilities¶
- What regulations are your existing customers subject to? (e.g., GDPR, public sector regulations, some ISO 27001 profile)
- Can you show us your ISO-27001 certification?
- Which profile?
- Which organization made the audit?
- Can we get a copy of the Statement of Applicability (SoA)?
- Who is overall responsible with compliance in your organization?
- How do you implement regulatory and contractual requirements?
- How is a new requirement discovered?
- What is the journey that a requirement takes from discovery, to updating policies, to training employees, to implementation, to evidence of implementation?
- Do your data-centers fulfill physical security "skyddsklass 3" according to SSF 130 and SSF 200?
- If not, how do you comply with Directive (EU) 2022/2557 Resilience of critical entities Art. 13 p. 1(b)?
- If not, how is physical security handled?
- How do you handle incidents and deviations?
- What response times / time to resolution do you offer?
- What are your actual response times / time to resolution?
- What is your change management process?
- How do you handle technical vulnerabilities?
- How do you handle capacity management?
- In case of a breach, how long until you notify your customers?
- What SLA do you offer?
- What uptime do you offer?
- What is your measured uptime?
- Do you have a public status page?
- How do you handle access control?
- Does your operation team have individual accounts? How do you handle team member on-boarding / off-boarding?
- How do you communicate credentials to your customers?
- Do you have audit logs?
- How long do you store audit logs? Who has access to them? How are they protected against disclosure and tampering?
- How do you handle business continuity?
- How often do you test fail-over? How did the last test go?
- How do you handle disaster recovery?
- How often do you test disaster recovery? How did the last test go?
- What is your use of cryptography policy?
- How do you deal with DDoS attacks?
- Who are your colocation providers? Are they subprocessors? See Guidance from the Danish Data Protection Authority.
- Does your colocation provider have access to personal data, e.g. access to the server cabinet and can access the information that is processed on the servers or transferred via switches?
- Can your colocation provider replace hard drives, memory, etc.?
- Can your colocation provider move, restart or otherwise handle the servers?
- Does your colocation provider provide additional services beyond physical facilities as well as electricity and Internet?
- When did you perform the last penetration test? 1. Can you share anything about the major findings and how you resolved them?
For Elastisys Self-Managed Customers
Feel free to skip the questions below. They are designed for our Managed Service and might not be relevant for you. We share them here for the sake of full transparency.
Legal issues¶
- Do you fully operate under EU jurisdiction?
- Is your ownership fully under EU jurisdiction?
- Are your suppliers fully under EU jurisdiction?
- Even the web fonts and analytics code on your front-page?
- Do you have a DPO?
- Is this an internal employee or outsourced?
- Can you show us your Data Processing Agreement (DPA)?
- [HIPAA only] Are you familiar with Business Associate Agreements?
- Are you ready to sign one with us?
Collaboration¶
- How can we collaborate with your on-call team?
- What collaboration channels do you offer? (e.g., Slack, Teams, phone, service desk)
- What response times can we expect?
- Is your on-call team available 24/7?
- Are you open to having quarterly operations (engineering) retrospectives? Our engineering team wants to keep a close loop with vendors and regularly discuss what went well, what can be improved, and devise a concrete action plan.
- Are you open to having quarterly roadmap discussions?
Environment Management¶
- What environmental policies and certifications do you have?
- What energy sources are your data-centers using?
- How do you work to become more energy efficient?
- How do you recycle used/old equipment?
- Do you do any form of environmental compensation activities?
Evidence¶
The audit should conclude with gathering the following documents in an "evidence package":
- Filled questionnaire
- All relevant certificates, e.g., ISO 14001, ISO 27001, “green cloud”
- Latest version of the Terms of Service and Data Protection Agreement
- All relevant certificates from data-centre providers
- Signed and transparent ownership structure