RfP for Selection of Service Provider for Cloud Services and Managed Services

Technical Requirement - Format T1

Sr No A. Cloud Infrastructure Indicate 1 / 0
1 = Yes, 0 = No
1
Biidders ability to provide managed cloud services. The primary data Centre should
be owned / managed & opreated by the bidder/ consortum partner by themselves or
through third party (with full responsibility vesting with the bidder).

2 Data-center shall be Tier III - TIA 942 compliant.

3
Data-center well equipped with intrusion detection & protection systems, firewalls,
system management solutions & tools, back-up & restore solutions, monitoring tools,
network load balancer for applicable servers and network layer security to isolate the
CGTMSE production & test environment from other customers.

4
The data-center's ability to scale up or down the servers/compute resources on-
demand/ as desired without significant technical down time and pay as per usage

The IT infrastructure should be hosted on cloud. The cloud should have following
capabilities:
5  All the virtual machines should be auto scalable in terms of RAM and CPU.

6 The cloud platform should ensure high availability across virtual machines.
7 Cloud platform to support horizontal load balancing along with vertical load balancer to
balance network traffic.
8 Cloud provider should provide dashboard of all virtual machines to monitor resources
allocated and used by the applications deployed.
9 Cloud dashboard should permit generation of reports for trend analysis of system
usage.
10
There should be provision to generate historical reports of resources utilization.
11
There should be admin panel to create, delete, start, stop, and copy virtual machines.
12 There should be provision to take snapshots of machines so that working images of
machines can be taken.

B. Disaster Recovery Management

13
The DR site should be owned / managed & opreated by the bidder/ consortum partner
by themselves or through third party (with full responsibility vesting with the bidder)

14
Disaster Recovery Services to ensure continuity of operations in the event of failure of
primary data centre to meet the RPO and RTO requirements as specified by CGTMSE.

15 RPO should be less than or equal to 30 minutes and RTO shall be less than or equal to
4 hours
16 During the change from Primary DC to DR or vice-versa (regular during drill or
restoration after disaster), there should not be any data loss.
17 There shall be asynchronous replication of data between Primary DC and DR and the
Cloud Service Provider will be responsible for sizing and providing the DC-DR
replication link so as to meet the RTO and the RPO requirements.
18
Normally Primary Data Center will be the active server. The Disaster Recovery Site will
remain on standby with minimum possible compute resources required for a functional
DR as per the solution offered. The application environment shall be installed and ready
for use. DR Database Storage shall be replicated on an ongoing basis and shall be
available in full (100% of the PDC) as per designed RTO/RPO and replication strategy.
The storage should be 100% of the capacity of the Primary Data Center site.

19 In the event of a site failover or switchover, DR site will take over the active role, and all
requests should be routed through DR site.
20 During failover from primary DC to secondary (DR), compute environment for the
application at DR site shall be equivalent to DC including all the security features and
components of DC, without the failover components.
21
The installed application instance and the database shall be usable and the same level
of uptime of 99.5% as stipulated for DC shall be provided, when DR is activated.
22
The bandwidth at the DR shall be scaled up to the level of Data center when DR is
activated and other times it shall be adequate only to ensure replication of DC at DR.

23
The service provider shall conduct live DR drill for two days at the interval of every six
months of operation wherein the Primary DC has to be deactivated and complete
operations shall be carried out from the DR Site. However, during the change from DC
to DR or vice-versa (regular planned changes), there should not be any data loss. The
pre-requisite of DR drill should be carried out by 3rd party security testing company as
selected by CGTMSE and bidder jointhly. Certificate for DR drill should be submitted to
CGTMSE for compliance. Cost of such drill by 3rd party, needs to be borne by bidder.

24
The service provider shall clearly define the procedure for announcing DR based on the
proposed DR solution. The service provider shall also clearly specify the situations in
which disaster shall be announced along with the implications of disaster and the time
frame required for migrating to DR. The service provider shall plan all the activities to be
carried out during the Disaster Drill in consultation with CGTMSE.

25 The disaster recovery plan needs to be provided by the service provider which needs to
be updated half-yearly.
26
On successful award of the cobtract, the bidder will submit BCP plan to CGTMSE.

C. Cloud Service Provisioning Requirements

27
The Service provider should offer cloud service provisioning portal for CGTMSE in
order to provision cloud services either via portal, mobile app or automated using API.

28 Cloud service provider should enable CGTMSE to provision / change cloud resources
through self service provisioning portal.
29
The user admin portal should be accessible via secure method using SSL certificate.
30
CGTMSE should be able to set threshold of cloud resources of all types of scalability.
31 CGTMSE should be able to provision all additional storages required for cloud services.

32 CGTMSE should be able to predict his billing of resources before provisioning any
cloud resources.
33
CGTMSE should be able to get list of all cloud resources from provisioning portal.
34 CGTMSE should be able to set the scaling parameters.
35 CGTMSE should be able to set percentage / quantity of RAM consumption to trigger
new virtual machines.
36 CGTMSE should be able set percentage / quantity of CPU consumption to trigger new
virtual machines.
37 CGTMSE should be able to set percentage / quantity of network bandwidth to trigger
new virtual infrastructure.

D. Data Management
38 Service provider should always ensure that data is destroyed whenever any cloud
virtual machine is recycled or deleted.
39
Service provider should clearly define policies to handle data in transit and at rest.
40 Service provider should not delete any data at the end of contract period without
consent from CGTMSE.
41
In case of scalability like horizontal scalability, the service provider should ensure that
additional generated data is modified/deleted with proper consent from CGTMSE.

42 Service provider should ensure secure data transfer between Primary Data Center and
Disaster Recovery site.
43 Service provider should ensure data leakage protection and prevention.

E. Operational Management
44
Service provider should upgrade its hardware time to time keeping in tune with EOL of
the hardware to recent configuration to deliver expected performance for CGTMSE.
45 Investigate outages, perform appropriate corrective action to restore the hardware,
operating system, and related tools.
46 Service provider should manage their cloud infrastructure as per standard ITIL
framework in order to deliver appropriate services to CGTMSE.
47 Service provider should deliver cloud resources with system for real time detection of
resource requirement and automatic adjustments.

F. Cloud Network Requirement

48 Service provider must ensure that cloud virtual machine of CGTMSE is tenanted in a
separate network and virtual LAN.
49 Service provider must ensure that cloud virtual machines are having private IP network
assigned to cloud VM.
50
Service provider must ensure that all the cloud VMs are in same network segment
(VLAN) even if they are spread across multi data centers of Service provider.

51 In case of scalability like horizontal scalability, the Service provider should ensure that
additional requirement of network is provisioned automatically of same network
segment.
52 Service provider must ensure that there is console access to cloud VMs, if CGTMSE
requires to access it using IPSEC/SSL or any other type of VPN.
53
Service provider should ensure that cloud VM network is IPV6 enabled and all public
facing devices are able to receive and transmit IPV6 data in addition to IPV4.

54 Service provider should have provision of dedicated virtual links for data replication
between their multiple datacentre in order to provide secure data replication for DR
services.
55 Service provider should ensure use of appropriate load balancers for network request
distribution across multiple cloud VMs.

G. Datacenter specifications
56 The primary and DR Site data-centers must be in India. No data should be transferred
out side India by the hosting service provider.
57 The primary and DR site datacentres should be located in different seismic zones and
not on same fault lines.
58 The data centre (both primary and DR) should be MEITY empanelled.
59 Proper Data Leak Prevention policies and processes must be in place
60
The datacentres should have adequate physical security in place.
61 The data-centers should conform to at least Tier-3 standards (certified under TIA942 or
Uptime Institute certifications by a 3rd party) and implement tool-based processes based
on ITIL standards.
62 Data Centres should allow the access to physical audit of the data centres by CGTMSE
or any other third party authorised by CGTMSE.
63 Data Centres have to be PCI/DSS compliant.

H. Cloud Storage Service Requirements

64 Service provider should provide scalable, dynamic and redundant storage.
65
Service provider should offer to auto allocate more storage as and when required based
on storage utilization threshold and also offer to provision from self-provisioning portal
to add more storage as and when required by CGTMSE.

I. Application / Portal Hosting Security

66 Applications deployed should maintain a secure Password policy
67 Applications deployed should be secured by using Intrusion detection system (IDS) and
Intrusion prevention system (IPS) at network level.
68 Have current vulnerability assessments and PCI (Payment Card Industry) scanning
performed for all the applications hosted on the cloud.
69 The Applications deployed should be secured through a Web Application Firewall
(WAF) as a service.
70
Bidder will have sole responsibility for fool-proof security of the applications and needs
to provision all tools / real time monitoring to ensure the security of the application.
71 Applications / Software Solutions shall comply with ISO 27001 Information Security
Standard
72 Applications / Software Solutions and infrastructure shall have Authentication –
Authorization – Access audit trails
73 Applications / Software Solutions shall be protected from security breaches,
vulnerabilities
74 All Service end-points- exposed over internet or internal shall be secured with at least
128 bits (desired 256 bits) SSL Certificates
75 All Servers, Services, Applications / Software Solutions shall have hardened security
and reviewed regularly.
76 Any unauthorized access / attempt shall be reported immediately
77 The entire data-center network shall have multiple levels of physical, logical, and
network security systems for information protection including but not limited to IPSEC
Policies, Firewalls, IDS / IPS protection Systems.
78 Data center and its security should be compliant with RBI guidelines issued from time to
time.
79 The bidder should ensure application penetration testing twice in a year and reports to
be shared with CGTMSE

J. Cloud Hosting Security

80 Service provider should ensure there is multi-tenant environment and cloud virtual
resources of CGTMSE are logically separated from others.
81 Service provider should ensure that any OS provisioned as part of cloud virtual machine
should be patched with latest security patch.
82 Service provider should implement industry standard storage strategies and controls for
securing data in the Storage Area Network so that users are restricted to their allocated
storage
83 webService provider should deploy public facing services in a zone (DMZ) different
from the application services. The Database nodes (RDBMS) should be in a separate
zone with higher security layer.
84 Service provider should have built-in user-level controls and administrator logs for
transparency and audit control.
85 Service provider cloud platform should be protected by fully-managed Intrusion
detection system using signature, protocol, and anomaly based inspection thus
providing network intrusion detection monitoring.
86 Service provider would be responsible for proactive monitoring and blocking against
cyber-attacks and restoration of services in case of attacks.

K. Cloud resource and Network monitoring

87 Service provider should give provision to monitor the network traffic of cloud virtual
machine.
88 Service provider should offer provision to analyze of amount of data transferred of each
cloud virtual machine.
89
Service provider should provide network information of cloud virtual resources.
90 Service provider should offer provision to monitor latency to cloud virtual devices from
its data center or CGTMSE should be able to set monitoring of latency to cloud VMs
from outside world.
91 Service provider must offer provision to monitor network uptime of each cloud virtual
machine.
92 Service provider must make provision of resource utilization i.e. CPU graphs of each
cloud virtual machine.
93 Service provider must make provision of resource utilization graph i.e. RAM of each
cloud virtual machine. There should be provision to set alerts based on defined
thresholds. There should be provision to configure different email addresses where
alerts can be sent.
94
Service provider must make provision of resource utilization graph i.e. disk of each
cloud virtual machine. There should be graphs of each disk partition and email alerts
should be sent if any threshold of disk partition utilization is reached.

95 Service provider should give provision to monitor the uptime of cloud resources. The
report should be in exportable form.
96 Service provider should make provision to monitor the running process of
Linux/Windows servers. This will help CGTMSE to take the snapshot of processes
consuming resources.
97 Service provider must ensure that there should be historical data of minimum 6 months
for resource utilization in order to resolve any billing disputes if any.
98 Service provider must ensure that audit logs of scalability i.e. horizontal and vertical is
maintained so that billing disputes can be addressed.
99 Service provider must ensure that log of reaching thresholds used to trigger additional
resources in auto provisioning are maintained.
100 Service provider must ensure that there are sufficient graphical reports of cloud
resource utilization and available capacity.
101
Service provider should provide network information of cloud virtual resources.
102 Service provider should offer provision to monitor latency to cloud virtual devices from
its datacenter or CGTMSE should be able to set monitoring of latency to cloud VMs
from outside world.
103 Service provider must offer provision to monitor network uptime of each cloud virtual
machine.
104 Service provider must provide utilization reports for Internet bandwidth, load balancers
etc.

L. Application Performance Monitoring (APM)

105 APM should be able to provide Overview of database server like Database details,
version etc.
106
APM should be able to provide host details which are connected to database Server
107 APM should be able to provide session details of all active database sessions.
108 Monitoring & management of network link proposed as part of this solution.
109 APM should be able to provide server configuration details.(All configurations,
advanced Configurations, Memory Configurations) Bandwidth utilization, latency,
packet loss etc.

M. Backup Services
110
Service provider must provide backup of cloud resources. Backups should be
maintained at both off-site and on-site locations in secure fire proof and environmentally
controlled environments so that the backup media are not harmed.

111 Service provider should perform backup and restore management in coordination with
CGTMSE’s policy & procedures for backup and restore, including performance of daily,
weekly, monthly, quarterly and annual backup functions (full volume and incremental)
for data and software maintained on the servers and storage systems using Enterprise
Backup Solution.
112 Backup and restoration of Operating System, application, databases and file system
etc. in accordance with defined process / procedure / policy.
113
Monitoring and enhancement of the performance of scheduled backups, schedule
regular testing of backups and ensure adherence to related retention policies

114 Ensuring prompt execution of on-demand backups & restoration of volumes, files and
database applications whenever required.
115
Real-time monitoring, log maintenance and reporting of backup status on a regular
basis. Prompt problem resolution in case of failures in the backup processes.

116 Media management including, but not limited to, tagging, cross-referencing, storing
(both on-site and off-site), logging, testing, and vaulting in fire proof cabinets if
applicable.
117 Generating and sharing backup reports periodically
118 Coordinating to retrieve off-site media in the event of any disaster recovery
119 Periodic Restoration Testing of the Backup
120 Maintenance log of backup/ restoration

N. Database Support Service

121
Installation, configuration, maintenance of the database (Cluster & Standalone).
122 Regular health checkup of databases.
123 Regular monitoring of CPU & Memory utilization of database server, Alert log
monitoring & configuration of the alerts for errors.
124 Space monitoring for database table space, Index fragmentation monitoring and
rebuilding.
125 Performance tuning of Databases.
126 Partition creation & management of database objects, Archiving of database objects on
need basis.
127 Patching, upgrade & backup activity and restoring the database backup as per defined
interval.
128 Schedule/review the various backup and alert jobs.
129 Configuration, installation and maintenance of Automatic Storage Management (ASM),
capacity planning/sizing estimation of the Database setup have to be taken care by the
Bidder.
130 Setup, maintain and monitor the ‘Database replication’ / Physical standby and Asses IT
infrastructure up-gradation on need basis pertaining to databases.
131 Tuning of high cost SQLs and possible solution to application development team for
tuning in order to achieve optimum database performance.

O. Managed Services
Network and Security Management: Monitoring & management of network link
proposed as part of this solution.
132 Bandwidth utilization, latency, packet loss etc.
133
Call logging and co-ordination with vendors for restoration of links, if need arises.
134 Redesigning of network architecture as and when required by CGTMSE
135
Addressing the ongoing needs of security management including, but not limited to,
monitoring of various devices / tools such as firewall, intrusion protection, content
filtering and blocking, virus protection, and vulnerability protection through
implementation of proper patches and rules. vi) Ensuring that patches / workarounds for
identified vulnerabilities are patched / blocked immediately

136
Ensure a well-designed access management process, ensuring security of physical and
digital assets, data and network security, backup and recovery etc.

137 Adding/ Changing network address translation rules of existing security policies on the
firewall
138 Diagnosis and resolving problems related to firewall, IDS /IPS.
139 Managing configuration and security of Demilitarized Zone (DMZ) Alert / advise
CGTMSE about any possible attack / hacking of services, unauthorized access /
attempt by internal or external persons etc

Server Administration and Management:

140 Administrative support for user registration, User ID creation, maintaining user profiles,
granting user access, authorization, user password support, and administrative support
for print, file, and directory services.
141 Setting up and configuring servers and applications as per configuration documents/
guidelines provided by CGTMSE
142
Installation/ re-installation of the server operating systems and operating system utilities
143 OS Administration including troubleshooting, hardening, patch/ upgrades deployment,
BIOS & firmware upgrade as and when required/ necessary for Windows, Linux or any
other OS proposed as part of this solution whether mentioned in the RFP or any new
deployment in future.
144 Ensure proper configuration of server parameters, operating systems administration,
hardening and tuning
145 Regular backup of servers as per the backup & restoration policies stated by CGTMSE
from time to time
146 Managing uptime of servers as per SLAs.
147 Preparation/ updation of the new and existing Standard Operating Procedure (SOP)
documents on servers & applications deployment and hardening

P. Helpdesk Support from Cloud Service Provider

148 Service provider should provide flexibility of logging incident.
149 The interface console of the incident tracking system would allow viewing, updating and
closing of incident tickets
150 Allow categorization on the type of incident being logged
151 Provide classification to differentiate the criticality of the incident via the priority levels,
severity levels and impact levels
152 Provide audit logs and reports to track the updating of each incident ticket
153 It should be able to log and escalate user based requests.
154 Service provider should allow ticket logging by email, chat or telephone.

Q. Hosting Infrastructure Technical Requirements

155 Information Access / Transfer Protocol - HTTPS, REST over HTTPS
156 Encryption - 256 bits, SHA2 support
157 Interoperability - SOA, Web Services, Open Standard
158 Scanned Documents - TIFF/ JPEG and/ or PDF for storage
159 Document Encryption -PKCS Specifications
160 Information Security - ISO 27001
161 Operational Integrity and Security Management - ISO 27001
162 Web / Portal Content - WCAG Level II compliant
163 Service Management - ITIL v3 / ISO 20000
164 Project Documentation - IEEE specifications for documentation
165 Internet Protocol - IPv4 and IPv6 Compliant
166 Device Supportability - Desktops/Laptops, Tablets (future provision for phone should
also exist)
167 Web Browsers - Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, Apple
Safari
168 Mobile Browsers - Microsoft Internet Explorer, Google Chrome, Android Web Browser,
Apple Safari (iPhone/iPad), Mozilla Firefox All Web Browser backward compatible up
to n-2 or HTML5 support
169 Web standards - HTML5 Compliant, CSS, Java Script, JQuery / JQueryUI, Responsive
Web
170 Web Services - XML, REST, ODATA
171 Database with ability to access ADO/ODBC / JDBC or equivalent based on the DB
proposed
172 Accessibility - As per Government of India Government of India, Section 280 for
Accessibility Compliance
173 Web Usability - As per Government of India Website/application design Guidelines,
Bilingual Support (English/Hindi) for user input forms titles.
174 Up time - Application uptime - 99.50% Data Center Availability– 99.50%
175 Email System - SMTP, IMAP, POP3, Push Email, Directory Services Integrated
176 Security, Penetration and Vulnerability Testing - A detailed test reports covering
protection levels and vulnerable areas, and mitigation plan
177 Application related - The protocols and middleware as per the delivered application
should be supported seamlessly

R. Miscellenous
178
The Bidder should have the capability to provide various other services like Database,
Cache, Search, Analytics, Mobile, Backend, Queues, Tables, Backup, Identity
Management, CDN, Client Application Analytics as a Service on pay as per usage
mode backed by monthly SLAs of minimum 99.5% availability.
179
The Bidder should support auto scalability to increase or decrease the compute
resources as per demand in order of minutes based on CPU/RAM utilization and
charge only for resources being used on a per minute, hourly or daily basis.
180
The Bidder should provide mechanisms to allow provisioning/de provisioning of Virtual
Machines on demand and should not charge for them when de provisioned.
181 The Bidder will support and allow users to encrypt their data at rest using customer’s
own key
182 The Bidder should ensure that their network is protected against DDOS attacks at no
extra cost
183 The Bidder should support logical separation of the infrastructure pieces provisioned on
the cloud in multiple setups
184 The Bidder should publish the real-time status of all the services refreshed atleast at a
frequency of 5 min
185 Bidder must provide a UAT (User Acceptance Test) for the failover/failback scenarios
after the deployment
186
The DR automation software should be provided as a part of the overall DR-as-a-
Service. The software must be provided under a usage model or subscription model
 187 Any server/storage networking/security requirement to support the DR solution at the
DR Site should be provisioned by the Bidder and billed to CGTMSE on a "Per Usage
Model" Only.
188 Bidder should be able to provide High IOPS Storage (greater than 50,000 IOPS per
VM).
189
Integrated media streaming services for on-the-fly conversion of the video content to
multiple video formats required for various devices: MP4 (HTML5 Web Browser), HLS
(iOS and Android), HDS (Flash/ Adobe AIR), Smooth Streaming (iOS and Windows),
MPEG-DASH (Windows). This will insure consumption of video across PC
(Windows/Mac), Android, iOS and window devices
190
The replication should be application-consistent for single or N- Tier applications
191

The proposed DR software should take care of the pre-storing and automation of all
network configurations specific to the protected servers during the failover/failback
scenarios. These network configurations should include:a) Reserving new IP addresses
for the failover servers (physical or VM's). Bidder must explicitly mention whether the
proposed solution will ensure inheritance of the same IP addresses as that of the
primary servers. Bidder should also mention the permitted IP ranges that can be used
for the DR servers. b)Configuration of load balancers, Firewalls etc at the DC & DR site
192
Failover scenario: The proposed solution should allow pre-built of recovery plans for
various servers which includes target server configuration, IP configurations, network
configuration etc. Test DR failover scenario should not affect the primary server at all.
193 Failback Scenario: The proposed solution should ensure failback to original DC and
should take care of replication of only delta (changed data after failover) from DR to DC.
This need to be confirmed by the bidder.
194
The proposed application cloud environment should provide flexibility to scale the
environment vertically and horizontally: a. Vertically: Upscale/downscale the
solution to higher configuration Virtual Machines (i.e. VMs with different combinations of
CPU and Memory) b. Horizontally: Add more Virtual Machines of the same
configuration to a load balanced pool.
195
Bidder be compliant to the following security standards - ISO 27001, SOC1 and SOC2
196
Offer LDAP authentication services on cloud which can scale up to millions of users
197 Should use virtualization platform in public cloud which can be deployed on-premises
and the VMs can be moved from Public cloud to on-premises/private cloud seamlessly
without reformatting.
198 The cloud data center must have assured protection with security built at multiple levels
and 24x7 monitoring by provisioning physical security, biometric identification and close
The Bidder should provide mediacircuit monitoring
streaming services as a native cloud capability; It
199 should support both Live
Secure Web administration interface, which andmust
on-demand streaming.
be provided to remotely administer
200 Allow to copy or clone virtual machines images for archiving, for
the virtual instances: RDP for Windows instances and SSH Linux instances.
troubleshooting, and
201 testing.
These storages can be dynamically scalable on-demand and Virtual Machine instances
202 should be able to mount it as OS drives
203 The Bidder should deploy VM such that every virtual core should be mapped to physical
core. No hyper threading or turbo boost allowed
204 The infrastructure elements including server, storage (including backup storage) and
network of the Cloud should provide strong tenant isolation, provide granular identity
and access management capability and encryption and be logically separate from other
tenants.
205 Bidder should enable encryption of data both in rest and transit
206 The cloud service offering shall support Network and security with virtual firewall and
virtual load balancer integration for auto-scale functions
207 Bidder should have Separate VLAN provision with dedicated virtual firewall between the
VLANs and for each and every client
208
The Bidder should provide a multi-tenant, Identity management (User Authentication &
Authorization) and Directory service as a cloud service (as a native platform feature)
backed by SLA.The Identity service should allow single sign-on (SSO).

1. Each point carries one (1) mark. Bidder has to score 75% from this form to qualify technically. Additionally,
Bidder also needs to comply of getting at least 60% in each of the Blocks Mentioned above From "A to R".
2.Bidder needs to produce and submit relevant certificates and documents for the above mentioned cells where
they have put "1" as yes. 3. Bidder needs to mark "1" against all the services which it has delivered or can
deliver (With a self-declaration) 4. Bidder needs to produce all the relvant certificates/documents related to
above mentioned "Yes" at the time of presentation
 1. Each point carries one (1) mark. Bidder has to score 75% from this form to qualify technically. Additionally,
Bidder also needs to comply of getting at least 60% in each of the Blocks Mentioned above From "A to R".
2.Bidder needs to produce and submit relevant certificates and documents for the above mentioned cells where
they have put "1" as yes. 3. Bidder needs to mark "1" against all the services which it has delivered or can
deliver (With a self-declaration) 4. Bidder needs to produce all the relvant certificates/documents related to
above mentioned "Yes" at the time of presentation