Generic Compliance Questions

Jan 13, 2026
I emailed sales with 3 questions as our parent company wants some info on Proxmox, we have basic support subscription for 3 nodes, 6 CPUs. The questions were generic compliance questions.

a. Does Proxmox meet any of these standards?... SOC1/2, ISO 2230/27017/27001/27018/27001, CSA, PCI SSF, FFIEC, FedRAMP, NIST CSF, Shared Assessments, GDPR/CCPA/VCDPA.
b. Does Proxmox use AI to develop or deliver the product?
c. Is Proxmox member of CTPAT?

I would have thought sales would have had these answers to hand, I mean compliance questions are pretty common and required before buying a product.

These questions were given to me from the parent company. The answer to these generic, not support, questions was... "Thank you for reaching out. We cannot provide support for non enterprise customers, your current contract seems to be a Community product only."

So in order to find out if Proxmox is compliant with certain standards before we renew or add more licenses we have to pay to ask the question? That's very odd. What will our parent company respond to that, they won't care, they'll say use something else.

Does anyone know where I can get this info? I have looked.
... I mean compliance questions are pretty common and required before buying a product.
You don't need to buy Proxmox VE; it is free (see the AGPL3.0 license). You can only buy a different support subscription if you want to.
These questions were given to me from the parent company. The answer to these generic, not support, questions was... "Thank you for reaching out. We cannot provide support for non enterprise customers, your current contract seems to be a Community product only."
That's a little disappointing. I don't know any of the acronyms but I would then assume the answer to all three questions to be "no, not at this moment in time".

Does the software need to comply with all those things, or must the locally implemented installation comply? Maybe you can also ask a (local) Proxmox partner about those questions?
 
Thanks leesteken

Yeah it's free but we chose to buy community support to get access to the enterprise repos for updates. It's the fact that Proxmox won't answer generic questions about compliance, that should be pre-sale, unless we not just pay, but pay more, for the higher tier support.

I'm not sure what all those acronyms mean, I do know some, and I also don't know if any/all (certainly not all) of those compliances are required by our parent company. If my boss says the parent company is asking, I've got to ask. If I go back and say they won't answer compliance questions unless we pay them to, how is that gonna go down?
 
I'm assuming you are in a US govt adjacent area, so just a couple of tips for you as someone who used to work in that area.

Most of these certs you are asking for apply to SaaS or otherwise to a vendor storing sensitive data on your behalf. Proxmox is not storing your data, you are storing your data. If you picked another hypervisor vendor all the stuff is the same; the product itself is irrelevant to any certifications.

For example, if you used Hyper-V, you can configure the storage without encryption, boom, you are out of compliance. If you picked AWS and didn't encrypt your storage, out of compliance. Even though MS/AWS have these certifications for their datacenters, at the end of the day you are responsible for being compliant.

If you want to outsource all this responsibility for a rubber stamp, gov cloud is probably the move.
 
Hi,

I see companies advertising ISO 27001 using Proxmox so I have to assume it's the environment and implementation that's certified and not the products within.
Logical, since this is not for software or hardware; it's for compliance with how the enterprise manages their IT asset/security.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
Source : https://www.iso.org/standard/27001

Best regards,
 
I know you're not in France, because you missed HDS and SecNumCloud hahaha...
Generally, as pointed out, assume this is a Linux system and apply whatever recommendations are required, but basically there is not much that Proxmox themselves can do to "earn" those qualifications; it's open source, and a moving target.

Also, there are a few companies that are ISO27001 certified that run Proxmox happily, and I think that @spirit may have interesting view points on reaching compliance with Proxmox VE :P
 
a. Does Proxmox meet any of these standards?... SOC1/2, ISO 2230/27017/27001/27018/27001, CSA, PCI SSF, FFIEC, FedRAMP, NIST CSF, Shared Assessments, GDPR/CCPA/VCDPA.
These are, generically, compliance standards to which you adhere and then engage a relevant external firm to audit your compliance. There's no reason Proxmox could not be made compliant with any of the prevailing standards in the USA or elsewhere; however, the audit is on the end user, never the distributor of the platform. SOC is more policy based (password, employee, data retention, etc.); ISO is usually more technical. The rest are a mix.
 