The vendors I have met so far are willing to meet all of them. They may need some time to achieve the target – they are learning as the industry grows. From the vendor’s point of view, wouldn’t they want to appear as a secure service for their customers?

There is no way any SaaS is going to agree to all of those points.

Or in other words have you successfully evaluated any any cloud computing provider against this checklist.

I would be interested to know them…

Thanks and Regards
Samir

All the best to you and your family.

Jeff

I’m assuming this isn’t a PCI requirement, as you are required for external scans to be 3rd party, but can do internal scans yourself.

I’m somewhat of a firm believer that while the external scans are important, they are by far the easiest to implement due to one device to many. I do personally believe that internal scans are very important. If a hacker can make it in much of the time it is free game on lets say a botnet cloud once he gets in. While many people harden the exterior they seen to forget most of the vulnerabilities internally. If you do get a 0day hacker, your external vulnerability scanning is hit and miss, it’s always a timing issue. If you only have the external scans and get exploited from a 0day, you might not notice the internal threat until it’s too late. This is obviously mitigated by devices that do profiling such as a Juniper IDP that detects internal anomalies. Your “internal” scanner though might not catch it immediately but it will see it after the vulnerabilities get posted a few days later which might be sufficient. I find 0day anomaly scanners to be very inconsistent in general anyway. While most of the vulnerability scanners are solid, you might have to wait a few days due to the signature discovery delay to be found. It really depends on network infrastructure and if you are utilizing profiling/IPS internally.

For remote sites I personally would like a scanner internally and not in the DMZ. I would utilize a scanner for DMZ things remotely, like from your base office. Imo, it doesn’t really need to be placed physically inside the remote sites DMZ’s. Theoretically what a hacker was seeing you could implement a scan remotely to see his perceptive on the situation – granted this isn’t ideal, but in theory people should not be able to make it down once they compromise the DMZ due to natting and a firewall in between internal resources . Your internal scanner however protects more things because it can find things after the initial hack, where your external scanner might not. Ideally you would have both a internal/external scanner for every site (yes we can all dream can’t we).

Whatever you do don’t bridge the streams (awesome ghostbusters reference I patted myself on the back as I typed this one handed). I’ve seen instances of people slapping a qualys with one port in the DMZ and one port internally. I’m a firm believer with physically seperating as much as possible DMZ/internal, unless you are really moving towards a cohesive model with DLP implemented (if you are not familiar with this, it’s the “new” buzz word of not having a perimeter but having overall security within the realm, it does away with layers models) personally I don’t think we are at that point with our security technologies. I also see alot of situations where people are using vlan, or other logical boundaries from DMZ to internal, especially with VM farms. It’s always a good rule of thumb that any backplane can usually be compromised if the hacker knows what they are doing, and it is completely out of our control.

At our current stage I think it becomes an issue on what your layers look like. Are your remote offices just logically vlaned from DMZ to internal? If that is the case, then having a scanner on multiple vlans is not that big of an issue, as they are considered hardened devices and you probably have less “hardened” devices. A internal scanner while doing the external scans from the home office would be more ideal imo though, and these obviously mitigated by good IPS/IDP as well. It really depends on how sensitive your data is at the remote sites as well.