Ampliphae

SaaSGuard Govern

SaaS Management platform that: Automates regular SaaS discovery, deriving the balance between risk and reward of using SaaS (SaaS Balance); Presents an ongoing view of SaaS Balance, offering counsel on deciding SaaS usage policies ; Provides a conduit for collaboration between business/governance teams to better gain net benefit from SaaS.

Features

• Probes: Automated collection of SaaS usage data from systems estate
• Analyser: Automated, inspection of usage to determine SaaS penetration
• Appraiser: Collaborative interaction with third party risk management marketplaces
• Appraiser: Automated scrutiny of factors to derive SaaS risk
• Ledger: Automated generation of risk-adjusted view of SaaS balance
• Dashboard: Automated presentation of risk adjusted benefit for SaaS employed
• Counsellor: Collaborative process to refine risk-adjusted benefit for specific SaaS
• Compendium: Collaborative targeting of SaaS sanctioned by the organisation

Benefits

• Optimise SaaS Balance for Service, Data and IT Asset management
• Increases the risk-adjusted benefit of adopting SaaS
• Increases effectiveness and reduces cost of SaaS risk mitigation
• Probes: Reduces cost of SaaS discovery via SaaS usage
• Analyser: Provides a more complete view of SaaS penetration
• Appraiser: Reduces cost and improves understanding of SaaS risk factors
• Ledger: Provides more effective collaboration to manage SaaS Balance
• Dashboard: Provides a more effective view of risk-adjusted SaaS benefit
• Counsellor: More effective way of risk-adjusting SaaS adoption
• Compendium: More complete mechanism to discover risk-adjusted SaaS

£3.60 to £16.42 a person a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Framework

G-Cloud 12

Service ID

118474046885379

Contact

Trevor Graham
02032890121
info@ampliphae.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The SaaSGuard Govern service requires the deployment of data collection probes in order to collate the information required for its analysis. The appropriate type and number of probes is buyer-dependent.; Where one or more network probes is to be deployed, it is necessary that the buyer has technical capability and authority to connect the probe(s) in the appropriate network locations.
• System requirements:
  • Integration to Buyer identity data, for example Active Directory
  • Authorised users require Microsoft AD account to access the Service

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Questions can be submitted through our website or via email, and will be responded to during Business Hours (9am-5pm UK time, Mon-Fri excluding Public Holidays). Target response time for questions is 1-3 business days depending on the priority
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Registered Ampliphae customers have access to our online support knowledgebase and incident handling website. Incidents can be raised 24x7 via the our website, and will be responded to during Business Hours (Mon-Fri 9am-5-pm UK time, excluding Public Holidays). Incidents will be prioritised, with target response and resolution times dependent upon impact and priority. ; Additional support options including telephone, out of hours, and on-site assistance are available at additional cost, charged according to the SFIA rate card supplied. "
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: At Ampliphae we want our customers to get the most out of using our service from the beginning, and as such we provide a comprehensive set of planning and onboarding services. ; Prior to deployment our customer success team will engage with the buyer technical team to gain an understanding of the buyer's infrastructure, and with our deployment guide, help to size and scope the deployment. ; We provide a simple self-deployment process for the buyer technical team to get up and running quickly, and we have a suite of documentation to enable customers to deploy and start using the product effectively. ; If required we can provide telephone support to assist with self-install, on-site installation and deployment services at extra cost.; At additional cost, Ampliphae consultants can design a bespoke service offering for the buyer, for example: helping to assess their SaaS environment and processes, interpreting the insights provided by the Ampliphae application, assisting with development of appropriate processes and a target operating model for management of SaaS, and training staff in safe and effective use of SaaS.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be extracted in PDF or Excel format using the application reporting user interface.; Data can be extracted using Microsoft PowerBI.
• End-of-contract process: Ampliphae will remove access to all Ampliphae Platform applications.; Ampliphae will securely delete all customer data from the Ampliphae Platform.; All physical probes can be returned to Ampliphae for secure wiping and destruction of all buyer data.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The Ampliphae dashboards are accessed via a web browser, are fully adaptive and can be accessed from mobile devices as well as tablets and desktop machines. Look and feel and operations adapt to the smaller screen sizes.
• Service interface: Yes
• Description of service interface: The Ampliphae administrative interface enables the customer to self-serve for key administrative tasks, for example adding or removing service users or control of data collection probes.
• Accessibility standards: None or don’t know
• Description of accessibility: Not applicable
• Accessibility testing: None
• API: No
• Customisation available: No

Scaling

• Independence of resources: Ampliphae's application and dashboards are served from Microsoft's public Azure cloud service, which is inherently elastically scalable to any forseeable demand level, and so system performance will be unaffected by other users.

Analytics

• Service usage metrics: Yes
• Metrics types: Key service metrics available include: ; - number and month-on-month trends of SaaS applications in use; - number of SaaS Application users; - breakdown of SaaS applications by approval status; - breakdown of SaaS Application users by department or location; - traffic volumes transferred for SaaS Applications
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
• Other data at rest protection approach: Data in Azure is stored in Azure Storage and the Azure SQL (PaaS) Database. ; Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption(FIPS 140-2 compliant).; Transparent Data Encryption (TDE) encrypts Azure SQL Server data using real-time I/O encryption/decryption of data/log files using a database encryption key (DEK), a symmetric key, secured by a certificate that the server's master database stores or by an asymmetric key that an EKM module protects. ; Microsoft Azure Cloud is compliant with ISO 27001, CSA CCM. ; All data collected is stored in encrypted storage, with keys held securely within the Ampliphae platform.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: The raw analysis data held within the Ampliphae system is not human-readable and cannot be exported in a usable form. The results of the analyses carried out can be exported via PDF reports, which are customisable by the end-user through PowerBI integration. Certain subsets of the analysed data can exported to Excel format for use outside the platform.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • Microsoft PowerBI
  • Microsoft Excel
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Data for analysis is collected via one or more Ampliphae probes, which can be deployed as software or hardware. In either case, raw data collected from within the buyer's network must be transferred to the Microsoft Azure Cloud for further analysis, collation and display to the administrative users. ; For Ampliphae hardware probes on buyer premises, all raw data collected and cached for analysis is stored in encrypted storage, with decryption keys held securely within the Ampliphae Cloud platform. ; The Ampliphae platform and applications are accessed by buyer administrative users via a web-browser, using secure connections.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Buyer data transmitted to Ampliphae is held only within Microsoft Azure Cloud, not within the Ampliphae corporate network. Microsoft Azure Cloud (PaaS and IaaS) has many layers of protection for client data, including encryption of data transiting between Azure components, and it is compliant with ISO 27001, 27017 and 27018. Ampliphae's use of the Microsoft Azure IaaS and PaaS offerings is aligned with the Microsoft blueprint for UK OFFICIAL data classification, which is a shared responsibility model.

Availability and resilience

• Guaranteed availability: The Ampliphae application is cloud-hosted in Microsoft's Azure cloud datacentres which are engineered for 99.999% availability. The Ampliphae service will be generally available for use in managing SaaS on a 24x7 basis, and any planned outages will be notified in advance. In the event of failure of the cloud application, up to and including loss of a complete Microsoft Azure availability zone, service will be manually restored with a target maximum restoration time of 2 working days.
• Approach to resilience: The Ampliphae cloud platform is made highly available by leveraging Microsoft Azure PaaS capabilities. Microsoft Azure datacentres are engineered to very high levels of availability (details available from Microsoft on request). The Ampliphae application and data is backed up across Microsoft Azure UK datacentres and in the unlikely event of complete loss of the primary Microsoft Azure datacentre, the system can be manually restored to an alternate UK zone from geo-redundant backups. ; ; The Ampliphae system also includes a deployment of data collection probes. Where physical network probes are utilised, the deployment can be made resilient in line with the buyer's existing network architecture, by deploying additional probes at additional cost. The data collection design will be agreed with the buyer during the onboarding process to ensure that the level of resilience meets buyer requirements.
• Outage reporting: Outages and other service-affecting events for Microsoft Azure are reported online via Microsoft's web site. Outages to the Ampliphae service are notified via email distribution list and/or via announcement on the Ampliphae website.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Other
• Other user authentication: Users of the Cloud platform are authenticated using federation with Microsoft Azure AD authentication, under the buyer's control. Optionally the buyer can configure multi-factor authentication for their Microsoft accounts.
• Access restrictions in management interfaces and support channels: Ampliphae uses federated Microsoft Azure AD for user authentication and role-based access control. Access to management interfaces and support channels is enabled only where appropriate permissions have been granted to an individual user.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Other
• Description of management access authentication: Management Users of the Cloud platform are authenticated using federation with Microsoft Azure AD authentication, under the buyer's control. Optionally the buyer can configure multi-factor authentication for their Microsoft accounts.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: Ampliphae has an extensive set of security policies, including Information Security, Data Protection and Physical Security. An Information Security Coordinator role has been appointed with specific responsibilities for security governance, and the Information Security Response Team includes a sponsor at Board level. ; Ampliphae is certified to Cyber Essentials and is currently working towards ISO 27001 certification. ; Ampliphae operates an Information Security Management System which has been constructed to align with the requirements of ISO/IEC 27001:2005. Compliance audit internally on an annual basis. Non-conformances are recorded within our corporate risk management log and resolved appropriately. The Operations Lead and CEO are notified of any non-conformances and the action taken to resolve them.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All Ampliphae software assets are stored and developed using commercial configuration management and software development tools, within a software development process that includes change management procedures.; All software changes and deployment of software to production is tightly controlled, and authorised by Ampliphae's change control board. Version control on all software components allows audit tracking of software changes and deployments into production environments. Customer data is protected and preserved when the application is upgraded.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Ampliphae can be made aware of vulnerabilities through a number of routes, including partner alerts via email (for example from Microsoft) or by published alerts from (for example) the NIST National Vulnerability Database. The Ampliphae test team run weekly security audits of the third party packages that are used in the product to check for known vulnerabilities. This check is also performed as part of the normal software CI/CD process. When vulnerabilities which may affect Ampliphae products are notified, the issues are logged in our internal ticket system and managed appropriately, with security patches deployed if required.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Ampliphae's use of Microsoft Azure IaaS and PaaS offerings is compliant with the Microsoft blueprint for UK OFFICIAL data classification - which specifies a series of protective monitoring processes. Further information on the extensive protective monitoring can be obtained from Microsoft or Ampliphae.
• Incident management type: Supplier-defined controls
• Incident management approach: Ampliphae uses an ITIL-based process for Incident Management which can be summarised as:; - Incident is identified and logged in our ticket management tool ; - Support Team perform initial triage/investigation and diagnosis/resolution where possible; - If required, Support Team escalate for further investigation and diagnosis/resolution; - Incident is Resolved and then transitions to Closed; The customer will be kept informed by ticket updates, email or telephone throughout.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £3.60 to £16.42 a person a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF