Software Box Limited (SBL)

SBL Freja ID: Identity & Secure Access Management

Freja eID provides a strong identity solution to allow secure access to systems for customers and users. Multi-Factor Authentication (MFA) and 2-Factor Authentication (2FA) improve user experience and remove fixed passwords. The service enables compliance with GDPR and CoCo, amongst other cyber security requirements, and supports tokens and soft tokens.

Features

  • Cloud based security solution
  • Open APIs to link with single and multiple applications
  • OATH and OCRA compliant solutions
  • Licence covers internal and external users
  • Accredited European e-Identity
  • Compatible with Android and iOS apps
  • 24 hour support
  • Enables use of corporate credentials for cloud applications
  • Integrates with O365 and Google Authenticator
  • SAML2 compliant

Benefits

  • Simple sign on for end users
  • Reduces cost of service desk support
  • Unlimited user licence available
  • Supports Know Your Customer and GDPR compliance
  • One solution can be used across multiple applications and services
  • Integrates with all major applications
  • Identity managed by the end user supporting GDPR
  • Simple application install and registration
  • Use can be shared across organisations
  • Enhances cyber security

Pricing

£0.65 per user per month

  • Free trial available

Service documents

G-Cloud 10

121264707815838

Software Box Limited (SBL)

Danielle Connor

01347 812100

tenders@softbox.co.uk

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: There are no foreseeable constraints to this service.
System requirements: None

User support

Email or online ticketing support: Email or online ticketing
Support response times: Within 4 hours, 24x7
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 AA or EN 301 549
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: Web chat
Web chat support availability: 24 hours, 7 days a week
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: As the web chat functionality is currently in design, the features are yet to be finalised.
Web chat accessibility testing: As the web chat functionality is currently in design, this information is currently unavailable.
Onsite support: Yes, at extra cost
Support levels: Two services are currently offered:
1. Standard office hours support Monday to Friday 9-5.
2. Premium 24/7. Support calls are prioritised according to ITIL standards and actioned appropriately.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We can provide on-site and remote support as well as training for administrators and installers
Service documentation: Yes
Documentation formats:
  • HTML
  • Other
Other documentation formats: In-application instructions
End-of-contract data extraction: The Freja solution does not store any data to extract.
End-of-contract process: Any configuration no longer required is deleted and the service stops working. This is included within the price.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: Yes
Compatible operating systems:
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The secure nature of the product is that the end user installs it on a mobile device or hard token. The desktop management platform can be accessed on a mobile device with the same experience.
Accessibility standards: None or don’t know
Description of accessibility: The solution can be installed on a specifically designed accessibility device.
Accessibility testing: The service offering has options for users with disabilities. These include a hardware token that reads out the one-time password, the ability for the service to call a user and read out the one-time password, and Freja Mobile (the token on a mobile), which supports larger fonts and integration with other assistive technologies.
API: Yes
What users can and can't do using the API: The API is available for authentication integration, and another API is available for the token provisioning service, Freja Self Service Portal. The Authentication API allows developers to authenticate users according to currently configured mechanisms and to query when Freja eID last authenticated a user.
API documentation: Yes
API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Users can decide on the level of security required and appropriate for each service request

Scaling

Independence of resources: The standard Freja service with 10 million tokens in a single server's database has been tested to produce 1000 authentications per second. We are confident our solution has the ability to scale should a user's environment require it.

Analytics

Service usage metrics: Yes
Metrics types: SBL provide detailed analytics relating to:
- system uptime
- availability
- consumption
- support requests
- service maintenance

SBL will work with the customer to agree on the necessary format, content and schedule of these reports.
Reporting types: Regular reports

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Verisec Limited

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Data cannot be exported as it is not stored within the solution
Data export formats: Other
Other data export formats: N/A
Data import formats: Other
Other data import formats: N/A

Data-in-transit protection

Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks: PSN assured and protected service, assured by CESG assured components. All communications with connections infrastructure can be configured to be secure, and the requirements will dictate the level of security applied.
Data protection within supplier network: Other
Other protection within supplier network: The token database is encrypted using AES256. Each Freja component has a built-in firewall. Each Freja component is only built with the services it needs to function. Further perimeter firewalls and IPS are also utilised.

Availability and resilience

Guaranteed availability: The service availability is 99.5%; guaranteed by contractual commitment
Approach to resilience: We run multiple secure data centres with the capacity to serve 100m users worldwide 24x7.
Outage reporting: Yes, email alerts can be configured and, combined with appropriate SNMP monitoring, allow the system to be suitably monitored.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: Dedicated devices on a segregated network
Access restriction testing frequency: At least once a year
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: SGS
ISO/IEC 27001 accreditation date: November 2016
What the ISO/IEC 27001 doesn’t cover: N/A; full scope is covered
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications:
  • ISO9001
  • RLi & SLi connected datacentre

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: The system's security governance is managed in a way that is analogous to ISO27001:2015; the organisation is looking to be accredited to this in the medium term.
Information security policies and processes: The organisation operates in a manner that is analogous to ISO27001:2015; due to the sensitive nature of these processes, further details cannot be provided but will be upon request.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Once a vulnerability is identified, affected customers are contacted to discuss it. If a workaround is required, it is applied whilst the vulnerability fix is written and tested before being applied to affected customers. Workarounds are available as soon as possible. Hot fixes are generally applied in 3-month cycles.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Once a vulnerability is identified, affected customers are contacted to discuss it. If a workaround is required, it is applied whilst the vulnerability fix is written and tested before being applied to affected customers. Workarounds are available as soon as possible. Hot fixes are generally applied in 3-month cycles.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Incident management processes follow the industry standard ITIL model, ISO27001 and industry best practice. SBL deploy a number of tools and processes to identify potential compromises, utilising market leading technologies and solutions.

Upon discovery of a potential compromise, mitigation steps are immediately taken to isolate the incident, minimise any risk and return to normal status as soon as practicable. Due to the security-sensitive nature of these processes and procedures, further information cannot be given at this time. Further details will be provided upon request.
Incident management type: Supplier-defined controls
Incident management approach: Reported compromises are monitored and, if any compromises are found, they are assessed; if considered severe enough, a fix is typically made available within 24-48hrs.

Further details cannot be provided at this stage due to the security-sensitive nature of these processes; however, SBL will provide necessary details upon request.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Pricing

Price: £0.65 per user per month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: SBL can provide a proof of concept trial for 30 for evaluation purposes

Documents

Pricing document: View uploaded document
Skills Framework for the Information Age rate card: View uploaded document
Terms and conditions document: View uploaded document