GlobalProtect Cloud Service
Global expansion, mobile workforces, and cloud computing are changing the ways organizations implement and deploy applications. You can get the protection you need, where you need it, with GlobalProtect Cloud Service. A generational step towards cloud-delivered security, it uses global architecture to connect users and applications while delivering full protection.
- Next generation firewall
- Intrusion Prevention System (IPS)
- URL Filtering
- Application Visibility
- Bandwidth management
- Near-Real-time Sandboxing
- DNS Security
- User based access control
- Securing remote locations
- Securing mobile users
- Reduced attack surface
- Consistent security policy across entire estate
- Preventing known and unknown threats
- Scalable and resilient architecture
- Data protection
- Secure inter-branch communications
- Cloud based architecture with no capital investment required
£132.69 per user per year
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
|Email or online ticketing support||Email or online ticketing|
|Support response times||1 hour|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||Business Hours (0900-1700), weekdays excluding Bank Holidays. Extended Business Hours (0800 - 1800), weekdays excluding Bank Holidays. 24x7x365, including Bank Holidays.|
|Support available to third parties||Yes|
Onboarding and offboarding
Onsite training will be provided to the administrators wishing to access the service for configuration, report generation or troubleshooting.
A short end-user manual can be provided in the event that end-user interaction is required to resolve any issues, e.g. users wish to override the geolocation settings and retain their home country language and settings whilst travelling.
|End-of-contract data extraction||All customer data that is held on request, would be handed back at the end of the contract in digital format.|
Organization remote networks and remote users will no longer be protected by GlobalProtect Cloud Service at the end of the contract. Depending on the contract obligations, the following steps may or may not be followed to offboard the organization from GlobalProtect Cloud Service.
1. The method that was initially used to onboard remote networks into GlobalProtect Cloud Service will be used to offboard remote networks.
2. The packaging tool that was used to deploy the GlobalProtect agent application on the endpoint devices will be used to remove the agent.
Any other contractual obligations will be followed at the end of the contract.
Using the service
|Web browser interface||Yes|
|Using the web interface||Configuration, reporting and logging (providing access has been granted by Exponential-e, on request by the Buyer).|
|Web interface accessibility standard||None or don’t know|
|How the web interface is accessible||
The web interface is intended for administrators of the service and is accessible over HTTPS, a secure channel for access. Administrators can configure the service, generate reports and look at logs for troubleshooting purposes.
Users using the service will have no requirement to access the web interface of the service.
|Web interface accessibility testing||None|
|What users can and can't do using the API||
Administrators can configure GlobalProtect Cloud Service using the XML API and access pre-defined reports.
Users will have no access to the API.
|API automation tools||
|Other API automation tools||XML API|
|API documentation formats||
|Command line interface||Yes|
|Command line interface compatibility||Other|
|Using the command line interface||
Administrators can manage configurations and check the status of the service using the CLI.
End users are generally not provided access to the CLI.
|Independence of resources||GlobalProtect Cloud Service has instances dedicated to the organizations consuming the service and hence it cannot be affected by non-organization users.|
|Infrastructure or application metrics||Yes|
|Other metrics||Service availability information is available at https://status.paloaltonetworks.com/#|
|Reporting types||Real-time dashboards|
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||Palo Alto Networks|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Encryption of all physical media|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Backup and recovery
|Backup and recovery||Yes|
|What’s backed up||
|Backup controls||Scheduled configuration backups as per the requirement e.g. weekly, monthly etc. For log backup, this information needs to be transferred into an "on-premise" backup solution.|
|Datacentre setup||Multiple datacentres with disaster recovery|
|Scheduling backups||Supplier controls the whole backup schedule|
|Backup recovery||Users contact the support team|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||Other|
|Other protection within supplier network||The data centers used for the Logging Service are secured and protected with state-of-the-art physical and network security, the latter provided by Palo Alto Networks Next-Generation Security Platform. Palo Alto Networks has also achieved SOC 2 certification for its Logging Service to demonstrate its strong security policies and internal controls environment. Furthermore, the service is hosted in SOC 2 Type II certified data centers.|
Availability and resilience
|Guaranteed availability||The Service Level Objectives are available on this link - https://www.paloaltonetworks.com/resources/datasheets/service-level-objects|
|Approach to resilience||
The GlobalProtect Cloud Service infrastructure is resilient. Detailed information on internal infrastructure resiliency can be made available to customers on request.
Customers can onboard onto this cloud service with in-region and cross-region resiliency.
|Outage reporting||At the time of writing, outages are available on a public dashboard. Further outage notification methods such as email alerts are in the planning phase and may be available in future once released as part of the next version.|
Identity and authentication
|User authentication||Identity federation with existing provider (for example Google apps)|
|Access restrictions in management interfaces and support channels||
Administrators can be assigned different roles using role-based access management and can be restricted to the permissions required for their role.
Authentication to the management interface can be managed with two-factor authentication methods such as OKTA, Duo, RSA etc.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Identity federation with existing provider (for example Google Apps)|
|Devices users manage the service through||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||13/4/2018|
|What the ISO/IEC 27001 doesn’t cover||N/a|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||13/4/2018|
|CSA STAR certification level||Level 3: CSA STAR Certification|
|What the CSA STAR doesn’t cover||N/a|
|Who accredited the PCI DSS certification||Blackmores UK|
|PCI DSS accreditation date||19/3/2019|
|What the PCI DSS doesn’t cover||
Hosting Provider – Applications, Storage, Security Services, shared hosting, Online Hosting,
Managed Services – System Security, IT Support, Backup, Cloud Services
Payment Processes – All payment services
|Other security certifications||Yes|
|Any other security certifications||CAS(T) NCSC-264868406-1689|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
The security of our Network is fundamental to our business and we have implemented a wide range of security measures. Our network has undergone rigorous security assessments - undertaken by BSI - and has achieved ISO 27001 (tested every six months) and PCI-DSS (tested annually) certifications to ensure security standards.
Most recently we became accredited to CAS-Telecommunications by the National Cyber Security Centre (NCC). This certifies our Connectivity (Smartwires - WAN, VPLS, Internet) and augments our HSCN status for Public Sector contracts. Exponential-e were the first HSCN Stage 2 supplier to also have attained CAS-T, and are actively progressing to Stage 3 accreditation.
To become accredited, NCC had to conduct an IT Health Check across our Network and all Engineers were “CHECK” approved. The test took 25 days.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||Details available on request.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||Details available on request.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Details available on request.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Details available on request.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Third-party|
|Third-party virtualisation provider||AWS, Google (GCP)|
|How shared infrastructure is kept separate||GlobalProtect Cloud Service deploys a dedicated set of virtual firewall instances for each customer. No firewall instance serves multiple customers. Any data stored on or processed by Palo Alto Networks systems is secured with state-of-the-art technologies, and Palo Alto Networks operates rigorous technical and organizational security controls. Palo Alto Networks has achieved SOC 2 certification for GlobalProtect Cloud Service to demonstrate its strong security policies and internal controls.|
|Description of energy efficient datacentres||
• All our Data Centres are ISO14001 accredited organisations with robust environmental management systems
• Procuring consumed energy from sustainable energy sources wherever possible
• Ensuring the use of hot/cold aisle cooling design in our Data Centres, which reduces energy consumption as the cooling is more efficient and helps our customers to reduce their carbon footprint
|Price||£132.69 per user per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||The service will be provided in a free trial for a period of 60 calendar days.|
|Link to free trial||Trial license provided on request.|