IT:AD:Continuous Delivery:SAD:11. Accreditation View

The purpose of this View is to list information relevant to providing a Risk based assessment of the Security, Performance, Functionality, Supportability and Maintainability Qualities of the Project.

The cloud-based ALM service, Visual Studio Team Services, has achieved third-party evaluation of its data security procedures against:

  • ISO 27001:2013,
  • HIPAA (Health Insurance Portability and Accountability Act)
  • BAA (Business Associate Agreement),
  • EU Model Clauses,
  • SOC 1 Type 2 and
  • SOC 2 Type 2

The SOC audit for Team Services covers controls for data security, availability, processing integrity, and confidentiality.

Certification Comparison with other ALM Tools

It is important to note that JIRA products, whether hosted in the cloud or on site, do not offer anywhere near this level of certification, and therefore of protection from risk. Atlassian's own FAQ states:

"ISO27001 - We follow many of the principles of ISO27001/2 in our security practice but have no current plans to certify. You can read more about the structure of our Security Management Program.

Cloud Security Alliance - We have completed our Cloud Control Matrix CAIQ Self Assessment for the CSA Security, Trust, & Assurance Registry.

HIPAA / HITECH – For our Cloud products, we are not able to sign a Business Associate agreement and we recommend our Server products for companies that need to comply."

Src: https://www.atlassian.com/trust/faq

Within the scope of this project no data is manipulated.

Therefore the Data Classification is UNCLASSIFIED.

Access to the VSTS Project is limited to the Project's Team Members; neither the rest of the Organisation nor the public has access.

Access to Visual Studio Team Services is controlled by VSTS' Role Based Access Controls (RBAC) capabilities.

Microsoft developed VSTS and the Azure stack it depends on following Microsoft's Security Development Lifecycle (SDL): implementing security in depth, investing in the prevention of security holes, including threat modeling during service design, and following design and code best practices.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper

The Service is managed in compliance with Microsoft's Operational Security Assurance (OSA), which includes constantly verifying security with standard tooling and testing, limiting access to operational and customer data, and gating the rollout of new features through a rigid approval process.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper

In the event of a breach, Microsoft uses security response plans to minimize data leakage, loss or corruption. Relevant progress is reported publicly.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper

Team Services relies on Azure's DDoS defense system to prevent attacks against the service. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting and connection limits. The system is designed not only to withstand attacks from the outside but also from within Azure. For application-specific attacks that are able to penetrate the Azure defense systems, Team Services establishes application and account level quotas and throttling to prevent any overuse of key service resources during an attack or accidental misuse of resources.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper
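The application and account level quotas and throttling mentioned above are the layer a project team can reason about directly, so the following is an added illustration of the idea: a per-account token-bucket quota combined with a per-account cap on simultaneously open connections, replayed over a constructed request stream. This is example code written for this page; it is not Team Services code, and the class names, limits (5 requests/second, burst of 10, 3 open connections) and the sample accounts are all assumptions chosen for the demonstration.

```python
# Added example (not from the page or from Microsoft's whitepaper): a minimal
# per-account quota and throttling layer of the kind the text describes.
# All class names, parameters and the sample request stream are constructed
# for illustration.
from collections import Counter, defaultdict


class TokenBucket:
    """Token bucket: holds up to `capacity` tokens, refilled at `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)   # start full so a fresh account gets its burst
        self.updated = None             # timestamp of the last refill

    def allow(self, now, cost=1.0):
        """Spend `cost` tokens if available; return True on success."""
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class AccountThrottle:
    """Per-account request quota plus a cap on simultaneously open connections.

    Both limits are enforced per account, so one abusive or misbehaving
    account exhausts only its own quota rather than the shared service.
    """

    def __init__(self, rate_per_sec=5, burst=10, max_connections=3):
        self.max_connections = max_connections
        self.buckets = defaultdict(lambda: TokenBucket(burst, rate_per_sec))
        self.open_connections = Counter()

    def admit(self, account, now):
        """Decide whether a new request from `account` at time `now` may proceed."""
        if self.open_connections[account] >= self.max_connections:
            return "429 connection limit"
        if not self.buckets[account].allow(now):
            return "429 rate limit"
        self.open_connections[account] += 1
        return "200"

    def release(self, account):
        """Mark one of the account's connections as closed."""
        if self.open_connections[account] > 0:
            self.open_connections[account] -= 1


def simulate(events, throttle=None):
    """Replay (time, account, action) events; return per-account status counts."""
    throttle = throttle or AccountThrottle()
    outcome = defaultdict(Counter)
    for now, account, action in sorted(events, key=lambda e: e[0]):
        if action == "open":
            outcome[account][throttle.admit(account, now)] += 1
        elif action == "close":
            throttle.release(account)
    return {acct: dict(c) for acct, c in outcome.items()}


def sample_events():
    """Constructed request stream (not real traffic) exercising both limits."""
    events = []
    # 'noisy' fires 15 short requests within 150 ms: burst of 10 allowed, rest throttled.
    for i in range(15):
        events.append((0.01 * i, "noisy", "open"))
        events.append((0.01 * i + 0.001, "noisy", "close"))
    # 'quiet' sends one request per second: always within quota.
    for t in (0.0, 1.0, 2.0):
        events.append((t, "quiet", "open"))
        events.append((t + 0.1, "quiet", "close"))
    # 'hog' opens four connections at once and never closes the first three:
    # the fourth trips the connection limit; after one close, a new one is admitted.
    for k in range(4):
        events.append((5.0 + 0.001 * k, "hog", "open"))
    events.append((5.1, "hog", "close"))
    events.append((5.2, "hog", "open"))
    return events


if __name__ == "__main__":
    for account, counts in simulate(sample_events()).items():
        print(account, counts)
```

The point of keying both limits on the account rather than on the service as a whole is the one the whitepaper makes: a single misbehaving or compromised account, whether malicious or simply buggy, runs out of its own budget and is answered with a 429 while other accounts on the same service continue to be served.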

To protect data in the case of hardware or service failures, Microsoft Azure storage geo-replicates customer data between two locations within the same region that are hundreds of miles apart; for instance, between North and West Europe or between North and South United States.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper

Visual Studio Team Services leverages many of the Microsoft Azure storage features to ensure data availability in the case of hardware failure, service disruption, or data center disasters.

Additionally, Microsoft has procedures to protect data from accidental or malicious deletion.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper

The Azure platform on which Visual Studio Team Services runs has sufficient business continuity plans (BCPs) in place to support this Organisation's needs.

Src: https://www.visualstudio.com/en-us/articles/team-services-security-whitepaper

As described within the Organisation View, tools are available to either:
  • port data from VSTS to an IaaS based instance of Team Foundation Services (TFS), or
  • extract the data in preparation for another suite of DevOps relevant Services.

That stated, for discussion purposes only: Visual Studio Team Services is the online hosted version of Microsoft's Team Foundation Services (TFS). Being identical products, it would be possible to stand up an in-house or cloud-hosted Virtual Machine on which to run TFS and regularly export/import data between the two systems.

It is recommended that the above effort not be undertaken until a credible risk that it would mitigate has been defined.
Last modified: 2023/11/04 23:26