Here are some of the frequently asked questions about the CloudForge service and its security:
1 Where is the solution hosted?
Dallas, Seattle, SF, and DC.
2 What type of data encryption is in use?
SSL, SSH (encryption at rest is only available with Enterprise)
3 What type of web access security has been implemented?
SSL, Username, password
4 What auditing has been implemented?
PCI-DSS, which includes third-party security scans
5 Has your solution been through an external audit verification (e.g. SAS 70), and how often is this performed?
Our host provider is SSAE-16 certified, as is our full Enterprise solution
6 What Security Framework does CollabNet/CloudForge utilize (ISO/NIST), and are you current on your certifications/audits?
Yes, we are ITAR compliant. Our information security program incorporates both the ISO series and NIST, as we have both international private-sector and Federal customers.
We are not certified as either, although we are evaluating the resource requirements for doing so. We do maintain an annual SSAE 16 SOC1 Type II attestation as a demonstration of controls.
7 Explain the redundancy in place to protect both system uptime and the data. Please include any DR provisions.
We continuously back up all data, and each day a snapshot of the most recent data is moved to a different datacenter.
8 Should we terminate the service, how would we extract the data within the system?
You can download all daily snapshots, use svnsync or svnrdump for Subversion, or git clone for Git.
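The export procedure above (svnrdump for Subversion, git clone for Git) as a worked script. This is an added example, not CloudForge's own tooling: the repository URLs, the ARCHIVE_DIR path and the repository names are hypothetical placeholders, and git, svnrdump, svnadmin and sha256sum are assumed to be installed. Beyond the bare commands in the answer, it verifies each copy (git fsck, a trial svnadmin load) and records a checksum manifest, which is what you want before treating the export as the authoritative copy of your data.

```shell
#!/bin/sh
# Added example (not CloudForge's own tooling): export repositories hosted on a
# CloudForge-style service for offline retention at contract termination.
# Assumptions (hypothetical): repository URLs, ARCHIVE_DIR and repo names are
# placeholders; git, svnrdump, svnadmin and sha256sum are on PATH.
set -eu

ARCHIVE_DIR="${ARCHIVE_DIR:-$HOME/cloudforge-export}"

# Mirror a Git repository: --mirror copies every ref (branches, tags, notes),
# not just the checked-out branch, so nothing is left behind on the host.
export_git() {
    url="$1"; name="$2"
    mkdir -p "$ARCHIVE_DIR/git"
    git clone --mirror "$url" "$ARCHIVE_DIR/git/$name.git"
    # Verify object integrity before trusting the copy as a backup.
    git --git-dir="$ARCHIVE_DIR/git/$name.git" fsck --full
}

# Dump a Subversion repository over the network with svnrdump (no admin access
# to the server file system is needed), then load the dump into a scratch
# repository locally to prove it is complete and loadable.
export_svn() {
    url="$1"; name="$2"
    mkdir -p "$ARCHIVE_DIR/svn"
    svnrdump dump "$url" > "$ARCHIVE_DIR/svn/$name.dump"
    svnadmin create "$ARCHIVE_DIR/svn/$name-verify"
    svnadmin load --quiet "$ARCHIVE_DIR/svn/$name-verify" < "$ARCHIVE_DIR/svn/$name.dump"
}

# Cheap sanity check that a file is a Subversion dump stream at all: the first
# line of every dump is its format-version header.
is_svn_dump() {
    head -n 1 "$1" | grep -q '^SVN-fs-dump-format-version: [0-9]'
}

# Record a SHA-256 manifest of everything exported so the archive can later be
# checked for tampering or bit rot (the manifest itself is excluded).
write_manifest() {
    ( cd "$ARCHIVE_DIR" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + > MANIFEST.sha256 )
}

# Usage (hypothetical URLs):
#   export_git git@cloudforge.example.invalid:acme/widgets.git widgets
#   export_svn https://svn.cloudforge.example.invalid/acme/widgets widgets
#   write_manifest
```

Run the export from a host you control, keep the manifest alongside the archive, and re-run `sha256sum -c MANIFEST.sha256` whenever the archive is copied elsewhere. svnrdump needs only read access over HTTP(S) or svn+ssh, which is why it is the right tool when you cannot log in to the server that holds the repository.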
9 Is the source code for the system in escrow?
10 Would you be happy with us performing security scans against the system, and to whom would we escalate issues?
Absolutely not. This is expressly forbidden by our terms of service and will result in legal action.
11 What are your security breach disclosure practices?
We immediately inform all users affected by any breach of privacy. If it is a security breach we are required by CA law to immediately notify all customers.
12 Please explain your patch management process and timeframes.
We practice continuous development and deploy new code for our SaaS application several times a week. SVN, Git, etc. are patched when a release has been fully vetted in the open source community.
13 Please explain how clients' environments are segregated.
SVN is isolated in the file system with Apache security and a different auth file for each repository, specific to the customer.
Git is isolated based on the SSH user.
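The Subversion side of the segregation described above (one Apache-protected location per repository, each with its own auth file) as a worked provisioning script. This is an added example and not CloudForge's configuration: the /srv/svn and /etc/apache2/svn-auth paths, the customer and repository names, and the mod_dav_svn layout are hypothetical, and mod_ssl, mod_dav_svn and mod_authz_svn are assumed to be loaded. The Git side (isolation by SSH user) is not covered here.

```shell
#!/bin/sh
# Added example, not CloudForge's configuration: generate a per-repository
# Apache <Location> block whose AuthUserFile belongs to exactly one customer
# repository, so a credential from customer A's file can never satisfy a
# request for customer B's repository. All paths and names are hypothetical.
set -eu

SVN_PARENT="${SVN_PARENT:-/srv/svn}"           # repositories live at $SVN_PARENT/<customer>/<repo>
AUTH_DIR="${AUTH_DIR:-/etc/apache2/svn-auth}"   # one htpasswd + authz file per customer repo

# Reject names that could escape the per-customer directory ("../") or inject
# directives into the generated configuration (quotes, whitespace, newlines).
valid_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$'
}

# Emit the Apache configuration for one customer repository. Each repository
# gets its own AuthUserFile and AuthzSVNAccessFile, which is the segregation
# boundary: there is no shared credential store across customers.
svn_location_block() {
    customer="$1"; repo="$2"
    valid_name "$customer" && valid_name "$repo" || return 1
    cat <<EOF
<Location /svn/$customer/$repo>
    DAV svn
    SVNPath $SVN_PARENT/$customer/$repo
    SSLRequireSSL
    AuthType Basic
    AuthName "CloudForge SVN: $customer/$repo"
    AuthUserFile $AUTH_DIR/$customer-$repo.htpasswd
    AuthzSVNAccessFile $AUTH_DIR/$customer-$repo.authz
    Require valid-user
</Location>
EOF
}

# Create the repository and its dedicated credential store. htpasswd -B stores
# the password with bcrypt; -c creates the file and is only used for the first
# user of a repository. Directories are 0750 so other customers' repositories
# and auth files are not world-readable on the host.
provision_repo() {
    customer="$1"; repo="$2"; user="$3"; password="$4"
    valid_name "$customer" && valid_name "$repo" && valid_name "$user" || return 1
    install -d -m 0750 "$SVN_PARENT/$customer"
    svnadmin create "$SVN_PARENT/$customer/$repo"
    install -d -m 0750 "$AUTH_DIR"
    htpasswd -B -b -c "$AUTH_DIR/$customer-$repo.htpasswd" "$user" "$password"
    printf '[/]\n%s = rw\n' "$user" > "$AUTH_DIR/$customer-$repo.authz"
    svn_location_block "$customer" "$repo" > "/etc/apache2/conf-available/svn-$customer-$repo.conf"
}

# Usage (hypothetical values): provision_repo acme widgets alice 'correct-horse'
# then enable the generated conf and reload Apache.
```

Two checks worth keeping when adapting this: the name validation is what stops a repository name such as `../etc` from turning the per-customer path into something else, and `SSLRequireSSL` makes sure Basic credentials never travel over plain HTTP, which matches the SSL-only web access stated in question 3.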
14 Please explain your username and password policies.
Usernames share a global namespace across the application, except that Professional plans have their own namespace. Usernames must be alphanumeric. Passwords may contain special characters, but we do not enforce password strength. However, advanced RBAC, password protection, and IP whitelisting are available when you upgrade to our Professional Subscription plan.