Traceable-Answer Reference / Infrastructure & Virtualization Security
IVS-05 — Production and Non-Production Environments
Separate production and non-production environments.
Every framework that asks this
Answer IVS-05 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.
| Framework | Equivalent control(s) | Confidence |
|---|---|---|
| ISO 27001 | A.8.31 | high |
| NIST CSF 2.0 | PR.IR-01, PR.PS-01, DE.CM-01 (domain-level) | high |
| NIST 800-53 | SC-7, SC-2, SC-3, AC-4, CM-7 (domain-level) | high |
| SIG | Cloud Services, IT Operations Management, Network Security, Server Security (domain-level) | medium |
Full provenance and NIST 800-53 mappings: the framework crosswalk.
What the reviewer is really checking
The reviewer is establishing that your infrastructure limits blast radius by design: that networks are segmented, hosts and images are hardened to a baseline, workloads are separated, and — in a shared environment — that one tenant cannot reach another's data. They want the isolation model described concretely: are tenants separated logically (row/namespace/schema with enforced scoping) or physically, and what stops a bug or a compromised tenant from crossing that boundary. They probe network controls (VPC/segment structure, security groups, ingress/egress restrictions, separation of production from corporate and non-production), hardening (baseline configuration standards, image provenance, patching), and administrative access to the infrastructure plane. The underlying worry is direct: in multi-tenant SaaS the isolation boundary is the primary control protecting the buyer's data from every other customer, so a vague answer means the reviewer cannot assess the single risk they care about most. They cross-check IVS against IAM (who can reach the infra) and against your encryption and logging answers. Generic 'hosted on AWS, which is secure' answers fail because cloud-provider security is shared-responsibility — the reviewer is asking about your half. The real question is: 'What actually stops another customer — or an attacker in one workload — from reaching our data?'
What a truthful, defensible answer contains
A defensible IVS answer describes your architecture's separation controls specifically. It states your tenant-isolation model — logical (enforced scoping at the data and application layer, e.g. per-tenant keys, namespaces, or row-level controls) or dedicated — and what enforces and tests that boundary, without overclaiming physical isolation you do not provide. It describes network segmentation: how production is separated from corporate and non-production, VPC/subnet structure, security-group or firewall posture, and ingress/egress restriction. It states hardening baselines: the configuration standard hosts and images follow, image provenance and build controls, and patch cadence for the infrastructure you own. It addresses the infrastructure control plane: who can administer it, how that access is restricted and logged, and how it reconciles with your IAM answer. Under shared responsibility, it is clear about which controls are the cloud provider's and which are yours, claiming only your own. A strong answer is honest about the isolation model's nature — logical isolation is legitimate and common, but calling it more than it is destroys trust. Every claim should map to an architecture diagram, a hardening standard, or configuration evidence a reviewer could request.
Make it traceable
Tie each IVS claim to inspectable proof. A tenant-isolation claim points to the architecture record describing the model plus, ideally, a penetration-test or isolation-test result exercising the boundary. A segmentation claim points to network-architecture diagrams and security-group/firewall configuration. A hardening claim points to the baseline standard and configuration-scan or benchmark output. A control-plane claim points to the infra access policy and logs, reconciled with IAM. This is Promise–Proof for infrastructure: 'tenants are logically isolated' resolves to an architecture doc and a test that probed the boundary, and 'hosts are hardened to a baseline' resolves to a scan against that baseline a reviewer can read. When architecture or baselines change, the answer should update from those records so the isolation and hardening claims track the real environment rather than a diagram from a year ago.
Answer patterns that hold up
- State the tenant-isolation model explicitly (logical scoping vs. dedicated) and what enforces and tests the boundary — never leave it undescribed in a multi-tenant product.
- Describe network segmentation: production vs. corporate vs. non-production separation, VPC/subnet structure, and security-group/firewall ingress-egress posture.
- State hardening baselines: the configuration standard for hosts/images, image provenance, and infrastructure patch cadence.
- Address the control plane: who administers infrastructure, how that access is restricted and logged, reconciled with IAM.
- Under shared responsibility, claim only your own controls — distinguish them from the cloud provider's rather than answering 'hosted on AWS, which is secure.'
Evidence that backs the answer
Red flags reviewers catch
- Multi-tenant SaaS with no description of how tenants are isolated from each other.
- 'Hosted on AWS/GCP/Azure, which is secure' offered as the whole infrastructure answer.
- Segmentation claimed with no diagram, VPC/security-group detail, or prod/non-prod separation.
- Hardening asserted with no baseline standard or scan evidence named.
- Logical isolation overstated as physical/dedicated separation the product does not actually provide.