Thread: Vendor diligence and Security Review

  1. #1
    Join Date
    Jan 2022
    Beans
    3

    Vendor diligence and Security Review

    Hello everyone.

    Newbie with Ubuntu at the enterprise level and hoping someone may be able to direct me in the right path. I am part of a financial institution and we are looking at migrating our middleware solution from Windows to Linux/Ubuntu. One of the processes we need to go through is a vendor due diligence and security process. There are several sites out there that contain security documents, but typically we request certain documents such as an NDA, pen tests, SOC II compliance, etc.

    I know Ubuntu is open source, so it would be difficult for some of these things (like the NDA), but is there a number to call from an enterprise perspective for these types of requests? Or is it just that what is out there is out there?

    Also - if anyone has gone through a similar process for their enterprise and knows where to gather this sort of information, anything template-wise or any direction would be greatly appreciated.

    Thank you,
    Gregg

  2. #2
    Join Date
    Feb 2013
    Beans
    Hidden!

    Re: Vendor diligence and Security Review

    Have a look at Ubuntu Advantage.

  3. #3
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Vendor diligence and Security Review

    This is a user forum. We are users and not Ubuntu developers. Some of us are very experienced in using open-source operating systems in an enterprise setting. But I suggest that you go to the web sites of the commercial organization that sponsors Ubuntu.

    https://ubuntu.com/security

    https://canonical.com/

    https://ubuntu.com/security/certifications

    There is a "contact us" button on these pages.

    https://ubuntu.com/security/certifications#get-in-touch

    Regards
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530


  4. #4
    Join Date
    Jan 2022
    Beans
    3

    Re: Vendor diligence and Security Review

    Quote Originally Posted by grahammechanical
    This is a user forum. We are users and not Ubuntu developers. Some of us are very experienced in using open-source operating systems in an enterprise setting. But I suggest that you go to the web sites of the commercial organization that sponsors Ubuntu.

    https://ubuntu.com/security

    https://canonical.com/

    https://ubuntu.com/security/certifications

    There is a "contact us" button on these pages.

    https://ubuntu.com/security/certifications#get-in-touch

    Regards
    Completely understand, grahammechanical. Users these days are often also the ones requesting the product and therefore would have had to put in requests if they work for something like a financial institution, so that's why I was posting here. Sorry if this was the wrong place, but it was not a developer question. I was asking for documentation, not how to harden the system or something like that. Just for any documentation I could provide to the technical people.

    Also, I used the Contact Us form, but I am having a hard time getting someone to respond.

    Thanks,
    Gregg

  5. #5
    Join Date
    Jan 2022
    Beans
    3

    Re: Vendor diligence and Security Review

    Thank you @schragge. We are looking to have this in-house. This looks like it is only for cloud, or am I reading it incorrectly?

  6. #6
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Vendor diligence and Security Review

    This would be the wrong place if we failed to provide the information you require, which in my opinion is entirely possible. The only skill I have in this area is internet search.

    Non Disclosure Agreement - Canonical

    https://ubuntu.com/legal/data-privacy/unilateral-nda

    https://ubuntu.com/legal/data-privacy

    If I understand you correctly, you want information on the level of due diligence of the commercial organization that provides Ubuntu and that sells IT services. That organization is Canonical Group Limited. I would be surprised if anyone here was qualified to answer that question.

    https://find-and-update.company-info...mpany/06870835

    Regards
  7. #7
    Join Date
    Mar 2007
    Beans
    1,325

    Re: Vendor diligence and Security Review

    Canonical will provide support for individual servers on a fee basis, but when I last checked a few years ago they would only provide it for hardware they approved, and none of our hardware was approved. It is possible some of the larger OEMs like Dell or IBM could provide what you need in the way of certification of compliance. Perhaps someone here has some direct experience with that.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Vendor diligence and Security Review

    Canonical can be engaged for large scale deployments. They will happily send an SE to your location if enough money is spent and the SoW requires it. Canonical is like every enterprise and likes to get paid by clients, especially enterprise clients. Of course, the amount of money would need to be non-trivial for that sort of engagement.

    When lots of money is on the line, more than server patching support is required.

    YMMV.
