Exponential-e Ltd

GlobalProtect Cloud Service

Global expansion, mobile workforces, and cloud computing are changing the ways organizations implement and deploy applications. You can get the protection you need, where you need it, with GlobalProtect Cloud Service. A generational step towards cloud-delivered security, it uses global architecture to connect users and applications while delivering full protection.

Features

  • Next generation firewall
  • Intrusion Prevention System (IPS)
  • Anti-Virus
  • Anti-Spyware
  • URL Filtering
  • Application Visibility
  • Bandwidth management
  • Near-Real-time Sandboxing
  • DNS Security
  • User based access control

Benefits

  • Securing remote locations
  • Securing mobile users
  • Reduced attack surface
  • Consistent security policy across entire estate
  • Preventing known and unknown threats
  • Scalable and resilient architecture
  • Data protection
  • Secure inter-branch communications
  • Cloud based architecture with no capital investment required

Service scope

Service constraints No
System requirements
  • IPSec Enabled device on remote network perimeter
  • Supported endpoint device to install GlobalProtect Client

User support

Email or online ticketing support Email or online ticketing
Support response times 1 hour
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Business Hours (0900-1700), weekdays excluding Bank Holidays. Extended Business Hours (0800 - 1800), weekdays excluding Bank Holidays. 24x7x365, including Bank Holidays.
Support available to third parties Yes

Onboarding and offboarding

Getting started Onsite training will be provided to the administrators wishing to access the service for configuration, report generation or troubleshooting.

A short end-user manual can be provided in the event that end-user interaction is required to resolve any issues, e.g. users wish to override the geolocation settings and retain their home country language and settings whilst travelling.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All customer data that is held on request, would be handed back at the end of the contract in digital format.
End-of-contract process The organization's remote networks and remote users will no longer be protected by GlobalProtect Cloud Service at the end of the contract. Depending on the contract obligations, the following steps may or may not be followed to offboard the organization from GlobalProtect Cloud Service.

1. The method that was initially used to onboard remote networks into GlobalProtect Cloud Service will be used to offboard remote networks.

2. The packaging tool that was used to deploy GlobalProtect agent application on the end point devices will be used to remove the agent.

Any other contractual obligations will be followed at the end of the contract.

Using the service

Web browser interface Yes
Using the web interface Configuration, reporting and logging (providing access has been granted by Exponential-e, on request by the Buyer).
Web interface accessibility standard None or don’t know
How the web interface is accessible Web interface is useful for administrators of the service and is accessible by https - a secure channel for access. Administrators can configure the service, generate reports and look at logs for troubleshooting purposes.

Users using the service will have no requirement to access the web interface of the service.
Web interface accessibility testing None
API Yes
What users can and can't do using the API Administrators can configure GlobalProtect Cloud Service using XML API and access pre-defined reports.

Users will have no access to the API.
API automation tools
  • Ansible
  • Other
Other API automation tools XML API
API documentation Yes
API documentation formats
  • HTML
  • PDF
Command line interface Yes
Command line interface compatibility Other
Using the command line interface Administrators can manage configurations using CLI interface and check status of the service.

End users are generally not provided access to the CLI interface.

Scaling

Scaling available No
Independence of resources GlobalProtect Cloud Service provides dedicated instances to each organization consuming the service, so it cannot be affected by users outside that organization.
Usage notifications No

Analytics

Infrastructure or application metrics Yes
Metrics types Other
Other metrics Service availability information is available at https://status.paloaltonetworks.com/#
Reporting types Real-time dashboards

Resellers

Supplier type Reseller providing extra features and support
Organisation whose services are being resold Palo Alto Networks

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Backup the GlobalProtect Cloud Service configuration
  • Backup the relevant traffic, threat etc. log information
Backup controls Scheduled configuration backups as per the requirement e.g. weekly, monthly etc. For log backup, this information needs to be transferred into an "on-premise" backup solution.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network Other
Other protection within supplier network The data centers used for the Logging Service are secured and protected with state-of-the-art physical and network security, the latter provided by Palo Alto Networks Next-Generation Security Platform. Palo Alto Networks has also achieved SOC 2 certification for its Logging Service to demonstrate its strong security policies and internal controls environment. Furthermore, the service is hosted in SOC 2 Type II certified data centers.

Availability and resilience

Guaranteed availability The Service Level Objectives are available on this link - https://www.paloaltonetworks.com/resources/datasheets/service-level-objects
Approach to resilience The GlobalProtect Cloud Service infrastructure is resilient. Detailed information on internal infrastructure resiliency can be made available to customers on request.

Customers can onboard into this cloud service with in-region and cross-region resiliency.
Outage reporting At the time of writing, outages are reported on a public dashboard. Further outage notification methods, such as email alerts, are in the planning phase and may become available once released as part of the next version.

Identity and authentication

User authentication Identity federation with existing provider (for example Google apps)
Access restrictions in management interfaces and support channels Administrators can be assigned different roles using role-based access management and can be restricted to the permissions required for their role.

Authentication to the management interface can be managed with two-factor authentication methods such as OKTA, Duo, RSA etc.
Access restriction testing frequency At least every 6 months
Management access authentication Identity federation with existing provider (for example Google Apps)
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 13/4/2018
What the ISO/IEC 27001 doesn’t cover N/a
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 13/4/2018
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover N/a
PCI certification Yes
Who accredited the PCI DSS certification Blackmores UK
PCI DSS accreditation date 19/3/2019
What the PCI DSS doesn’t cover Hosting Provider – Applications, Storage, Security Services, shared hosting, Online Hosting,
Managed Services – System Security, IT Support, Backup, Cloud Services
Payment Processes – All payment services
Other security certifications Yes
Any other security certifications CAS(T) NCSC-264868406-1689

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The security of our network is fundamental to our business, and we have implemented a wide range of security measures. Our network has undergone rigorous security assessments - undertaken by BSI - and has achieved ISO 27001 (tested every six months) and PCI-DSS (tested annually) certifications to ensure security standards.
Most recently we became accredited to CAS-Telecommunications by the National Cyber Security Centre (NCSC). This certifies our Connectivity (Smartwires - WAN, VPLS, Internet) and augments our HSCN status for Public Sector contracts. Exponential-e was the first HSCN Stage 2 supplier to also have attained CAS-T, and is actively progressing to Stage 3 accreditation.
To become accredited, the NCSC had to conduct an IT Health Check across our network, and all engineers were “CHECK” approved. The test took 25 days.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Details available on request.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Details available on request.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Details available on request.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Details available on request.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider AWS, Google (GCP)
How shared infrastructure is kept separate GlobalProtect Cloud Service deploys a dedicated set of virtual firewall instances for each customer. No firewall instance serves multiple customers. Any data stored on or processed by Palo Alto Networks systems is secured with state-of-the-art technologies, and Palo Alto Networks operates rigorous technical and organizational security controls. Palo Alto Networks has achieved SOC 2 certification for GlobalProtect Cloud Service to demonstrate its strong security policies and internal controls.

Energy efficiency

Energy-efficient datacentres Yes
Description of energy efficient datacentres • All our Data Centres are ISO14001 accredited organisations with robust environmental management systems
• Procuring consumed energy from sustainable energy sources wherever possible
• Ensuring the use of hot/cold aisle cooling design in our Data Centres, which reduces energy consumption as the cooling is more efficient and helps our customers to reduce their carbon footprint

Pricing

Price £132.69 per user per year
Discount for educational organisations No
Free trial available Yes
Description of free trial The service will be provided in a free trial for a period of 60 calendar days.
Link to free trial Trial license provided on request.

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)