CloudSphere Security FAQ

Please provide a brief description of the service(s) that your organization provides to <Customer-Organization>.

The SAAS solution CloudSphere’s Illuminate 360 platform provides actionable insights for hybrid and multi-cloud optimization, compliance and security, This functionality is provided by scanning the customer estate and storing relevant information about the estate in the SAAS solution datastores.

The Illuminate 360 platform then exposes this data to the <Customer-Organization> as visualizations to enable actionable items to be identified.

Who are the primary contact person(s) at <Customer-Organization> and CloudSphere? 

Customer Contact: To be provided by the <Customer-Organization>
CloudSphere Contact: customer-success-team@cloudsphere.com

What is the approximate number of employees in your organization?

10-99

Are information security policies and procedures made available to all personnel, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?

Yes

CloudSphere is SOC 2 Type II certified (AICPA) by an accredited third-party auditor in the following applicable security principles: security, availability, and confidentiality. The Report is available to customers and partners by request (under NDA)

Do you perform, at minimum, annual reviews to your privacy and security policies?

Yes

All Policies are updated/reviewed on an annual basis (at a minimum). Risk register is review on a six month cycle.

Does you organization maintain and review a company wide Risk register in order to document potential issues relating to the company activity.

The process of identifying and analysing risks should be a part of tactical decision-making and initial
planning. The worth of business plans can be improved significantly if the risks associated with
proposals are analysed and where necessary, mitigated.

Yes

CloudSphere is SOC 2 Type II compliant and the process of identifying and analysing risks is part of the strategic decision making process in order to quantify risks associated with business operations and where necessary allow them to be mitigated.

Does your organization collect, store, use, process, or transmit any <Customer-Organization> privacy protected information or have the ability to access such information even if you do not require it to perform your services?

Yes

This organization does not collect or access information unless it is required to perform our service. For data content break down see item 12.

Does your organization have a policy that addresses privacy compliance?

Yes

Will you notify <Customer-Organization> about data breaches that involve or are likely to involve <Customer-Organization> privacy data?

Yes

Who is the individual (or individuals) responsible for privacy compliance related matters at your organization?

The Customer Success team are the primary point of contact (customer-success-team@cloudsphere.com). All privacy compliance matters will be referred to the Director for Information Security and the CTO.

Does your organization process, access, maintain, transmit, transfer, dispose of, receive, or store any data used by <Customer-Organization>?

Yes

If “yes”, Describe the data processed, accessed, maintained, transmitted, transferred, disposed of, received, or stored by your organization.

• Data:

  • PII:  This is limited to contractual/financial obligations to support (offline) customer subscriptions. This information is collected as part of the manual on-boarding of the customer subscription as part of the establishment of legal agreements. This type of information is not collected or used by the SAAS tool. This data is only accessible CFO and relevant sales teams members.

  • Estate Information: the connectivity of the estate elements such as Business Services, Services, Servers, Containers, Cloud Services, Applications, Software Clusters, Operating System Clusters, VI Clusters and Cloud Configuration.

• Operations:

  • Access: Direct access to the customer estate is not available to CloudSphere staff. A copy of <Customer-Organization> estate (configuration and deployment) information is scanned and stored in the SAAS solution data stores. This data is accessible to the following groups within CloudSphere (note: teams members may be located in regional offices)

    • Operational Team: Administrators of the SAAS solution have access to the production environment and are able to read/modify customer information from SAAS data stores.

    • Customer Success Team: members have the ability to retrieve high-level information metrics (including licence usage) from SAAS data stores.

    • Support Team: members have the ability to view customer data from SAAS data stores as part of the normal customer support.

    • Development Team: members have the limited ability to track operational logs from SAAS data stores. When required and requested by Support to aid in problem diagnosis, members may be given read access to customer data.

  • Transfer:

    • Transfer (viewing of data): this operation is covered under the Access section

    • Transfer (downloading of data): This operation may be required as part of Customer Success or Support team for diagnosis, support purposes etc. There is no transfer of this data to external parties.

    • Transfer (backup): This operation is performed as part of Operational teams high-availability scenarios. All backup locations are cloud-based

  • Dispose:

    • Operational Team: Destruction of active SAAS data store and backups after specified retention period

    • Customer Success: Requests destruction (off-boarding) of customer account and data at termination of subscription.

What is the classification of <Customer-organization> data that will be shared with your organization?

• Scan Operations: Confidential

• Financial/Contractual: Restricted

What level of access does your organization have to <Customer-Organization> data?

Read

Does your organization allow subordinate vendors, partners, joint ventures, or other parties to store, process, access, maintain, transmit, transfer, dispose of, receive, or store <Customer-Organization> data?

No

Do employees of your organization act on behalf of <Customer-Organization> (appearing as if they are an <Customer-Organization> employee)?

No

Do employees of your organization have access to <Customer-Organization>'s information systems?

No

If "Yes," What <Customer-Organization> systems do your employees have access to?

N/A

Who is responsible for managing the access your employees have to <Customer-Organization>'s information systems?

N/A

How is <Customer-Organization>'s data provided/transmitted to your organization?

• Direct scan: scan operations of the <Customer-Organization> estate and configuration are transmitted over encrypted connections to the SAAS data store.

• UI: data visualisation is provided over HTTPS protocol.

Definition of Transfer:

• scan operations from a target machine to a secondary machine.

• The display/viewing of data in a UI

In which of your systems is <Customer-Organization>'s data stored?

CloudSphere SAAS base solution available in AWS deployments

AWS: Cloud Hosting Services (SOC 2 Type 2, SOC 3 audited, ISO 27001, 27017, 27018 Certified)  

What is the stated Recovery Time Objective in your contract with <Customer-Organization>?

RTO is specified as 6 hrs

What is the stated Recovery Point Objective in your contract with <Customer-Organization>?

RPO is specified as 24hrs

Will employees from your organization be working on <Customer-Organization>'s premises?

No

Has your organization experienced a security breach during the past 18 months?

No

If "Yes," Please Describe

N/A

An asset inventory is critical for assigning responsibility for controls and tracking control performance. Please indicate one type of asset for which you maintain an inventory.

Cloud Assets and On-Prem/Data Center Hardware

Are employees required to return information and information processing assets upon termination?

Yes

Is all employee access terminated within 24 hours of termination?

Yes

Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?

Yes

Our Access Control Policy covers all controls that are in place to control access to IT infrastructure

Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege?

Yes

Our Access Control Policy covers all controls that are in place to prevent unauthorized access.

Do you require a periodical authorization and validation (e.g. at least annually) of the entitlements for all system users and administrators (exclusive of users maintained by your tenants), based on the rule of least privilege, by business leadership or other accountable business role or function?

Yes

Monthly reviews are performed.

Does your organization have an information classification scheme that classifies all sensitive, proprietary and non-public information managed by the organization?

Yes

How long will your organization retain <Customer-Organization>'s confidential information?

• Financial/Contractual Information: Subject to TAX code in Ireland (typically 6 years)

• Active SAAS datastores: Subscription Keepalive period (60 days) + Data Deletion Period (30days)

• SAAS Backup deletion: 28 days after Active SAAS datastores period = 90days +28days = 118 days

The SAAS datastores are kept alive for 60 days after the end of a subscription (to allow renewal without data loss).

Do you require background checks of all your employees prior to working on <Customer-Organization> systems?

Yes

Do employees undergo security awareness training upon hire and at least annually thereafter?

Yes

How soon does your organization apply security patches to all systems following their publication?

30 days or less

How quickly after publication does your organization apply antivirus updates?

Daily

Are encryption ciphers in use by your organization to protect client confidential information in rest or in transit?

Yes

Encryption in transit is implemented using HTTPS over TLS1.2 
Encryption at rest is provided through a cloud-specific KMS.

Does your organization have a documented information security policy?

Yes

Does your organization have an incident response policy or process?

Yes

Does your organization have a formal business continuity plan?

Yes

Does your organization have a formal disaster recovery plan?

Yes

Do you audit and/or test your business continuity and disaster recovery plans at least annually?

Yes

Please identify all conditions under which policies are communicated to applicable staff.

Employees must read the Employee Handbook and Code of Conduct during employee hire and all policies are continuously available online.

Will you notify <Customer-Organization> about information security incidents that have or are suspected to have impacted <Customer-Organization> data?

Yes

Please identify your compliance obligations.

SOC 2 Type II (Aug 2023) and annually

Are you currently in compliance with all applicable regulations and standards?

Yes

Who is the individual (or individuals) responsible for compliance related matters?

Andy Trayler (Director of Information Security);
Paul Mansfield (CTO)

Do you have a backup data center/facility?

No

Where are your data centers located?

Dublin, Ireland

What type of physical access controls are used to limit access to your facilities?

Multiple controls

At Data center only

Please select the locations that are monitored by video cameras within and around your facilities.

Points of Authentication

At Data center only

Please describes the environmental controls you have in place in your data centers and other sensitive areas.

Alerting capabilities
Fire suppression
HVAC
Humidity controls
Backup generators
Redundant data circuits

At Data center only

Please select the response that best describes how you segregate your network from the Internet, including DMZs, and untrusted networks.

Stateful firewalls are used to segregate the network from the Internet

What method of wireless network security does your network support for worker access?

WPA2-PSK

Only Applies if office space is being used; Currently all workers are working remotely.

If you have any guest-accessible WIFI, is it adequately segregated from your corporate network?

Yes

Please select the response that best reflects your use of network-based Intrusion Detection (IDS) and/or Intrusion Prevention (IPS) solutions.

We have an IDS solution that detects but cannot prevent intrusion attempts.

Do you perform Internal network vulnerability scans?

Yes

Do you perform external network vulnerability scans?

Yes

Will SSO be configured for the SaaS tool? If not, can 2FA be used for user authentication?

• SSO is on the development plan for this year

• The Illuminate 360 portal provides two-factor authentication (2FA) for Users of MFA-Enabled Tenants.

  • First factor: Username & Password.

  • Second factor: A one-time password (OTP) generated by Google Authenticator or FreeOTP authenticator apps

• Role-based-Access-Policy (RBAC) is also provided to ensure policy of least privilege is applied to all logins.

• User accounts are frozen when there are too many incorrect logins.

If SSO is not available, do you have a password policy which is applied to the accounts? If so, what is this?

What penetration test was done at CloudSphere – was this White Box/Black Box

This was done as Black Box test by 3rd party. The 3rd party provided the following description of its approach: "Our approach will involve testing the application using [company's] web security penetration testing approach, which simulates an attack by a malicious entity, coupled with technology specific attacks targeting the underlying system. This shall assist with the identification of technical security vulnerabilities from an external (no login credentials) and “trusted” (legitimate login credentials) threat perspective. Our application security testing approach is performed using our proprietary testing methodology. Similar to the approach described above, this also includes both a manual approach and the use of software tools, which have been proven effective in identifying areas within websites that are most vulnerable to attack. API testing shall cover all standard tests such as injection, validation, output encoding etc in addition to API specific testing such as HTTP methods, API Rate Limits, XML parsing & Content-type Security. We perform the testing from the perspective of a skilled and determined attacker with no specific insider knowledge of the system, other than that which can be gathered from normal enumeration techniques and from publicly available information. The tests will examine the security of the application and infrastructure in relation to its ability to withstand malware attacks, input manipulation, session hijacking, session redirects etc. and shall focus on current leading practice guidance in relation to web application security, such as the OWASP Top 10; 2013 and the WASC Top 20

Does/How does this product link to Atlassian

CloudSphere Illuminate 360 product has no direct linkage to Atlassian products. The Atlassian suite of Confluence and JIRA is used as part of the internal documentation, project management and Sprint management operations within CloudSphere.

Is the data, which is housed in the CloudSphere portal, segregated from other company data?  If so, how do you do this?

The SAAS infrastructure is made up of mixed deployments:

• Shared Infrastructure with logical data siloes - All data access is prefixed with an associated customer access token.

• Customer specific database with physical data siloes - Data is stored in separate DBs.