IAM/IDAM (Identity & Access Management)
Condatis IAM/IDAM platform delivers identity and access management capabilities for authority staff, partners or citizens, supporting appropriate access to digital services / applications.
Features
- Federated Identity Management (FIdM)
- Extensible User Directory
- Self-Sovereign Identity and Decentralized Identity
- Authentication Broker Service
- Multi-Factor Authentication (MFA)
- Risk-Based & Behavioural Authentication
- RBAC (Role-Based Access Control)
- Managed Identity Access Management (IDAM)
- Identity Verification
- Audit, Reporting & Business Intelligence (BI)
Benefits
- Reduce time to provision users
- Increase security of user data
- Reduce time to on-board applications
- Secure applications against credential compromise
- Achieve / increase identity assurance
- Reduce risk of fraud, malicious error
- Enable self-sovereign identity
- Microsoft Gold Partner
- Decentralized identity and Verifiable Credentials implementation
Pricing
£10,000 to £3,000,000 a unit
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at sales@condatis.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 12
Service ID
161094320605368
Contact
Sitekit Systems Limited
Sales & Marketing
Telephone: 0800 538 5533
Email: sales@condatis.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- No - Condatis IAM platform is delivered via public cloud services, with constraints per that cloud and cloud service(s).
- System requirements
-
- Access to cloud services (at an organisational and procurement level)
- Appropriate cloud subscriptions supporting set-up and running
- Appropriate connectivity (internet access)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Condatis can deliver up to 24/7/365 support. Typical response times (ITIL definitions):
P1: 30 minutes
P2: 60 minutes / 1 hour
P3: 6 hours
P4: 24 hours
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
Indicative support levels:
1 (Major Incident): Complete loss of service at multiple sites. Response: 30 minutes; Resolution: 3.5 hours.
2 (Major Incident): Complete loss of service for all users at one site or partial loss of service at multiple sites. Response: 1 service hour; Resolution: 7 service hours.
3 Partial loss of service for all users at one site. Response: 6 service hours; Reasonable endeavours to achieve resolution in 12 service hours.
4 Complete loss of service for some users at one site, or partial loss of service for some users on one site, or slow running on multiple sites, or any incident affecting a single user. Response: 8 service hours; Resolution: Reasonable endeavours to achieve resolution in 32 service hours.
Support costs are dependent on a number of factors including anticipated support volumes and support level (e.g., first line, second line, third line, fourth line) and support triage process (i.e., who does what).
Condatis provides support according to ITIL roles (Incident Manager, 1st Level Support, Service Request Fulfilment Group).
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
-
On-boarding activities could include:
• IAM on-boarding, includes setting up IAM platform in an organisation’s higher environments (e.g., Pre-Prod, UAT, Production) and would typically be delivered during deploy phase
• Application on-boarding, includes integrating relying party applications / services to the IAM platform and would typically be delivered during deploy phase
- Service documentation
- Yes
- Documentation formats
-
- HTML
- ODF
- End-of-contract data extraction
- Data stored in the platform can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.
- End-of-contract process
-
Off-boarding could be delivered entirely by an organisation, and Condatis encourages organisations to take ownership of their IAM solution. However, recognising this is not always practical, Condatis can support a number of off-boarding activities:
• Application off-boarding, includes removing an application / service from the IAM platform and would typically be delivered under SLA
• Platform retirement, includes work to plan and achieve moving from Condatis platform to a new solution and would include aspects such as user migration. Depending on the level of support required, this may be delivered under SLA
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Chrome
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- Web experience is via adaptive templates. Experience is ultimately dependent on user's device, operating system and browser of choice.
- Service interface
- Yes
- Description of service interface
- Interface via web front-end or API(s)
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- Commissioning authority generally specifies and carries out accessibility testing, which Condatis will support.
- API
- Yes
- What users can and can't do using the API
-
Platform API functionality includes:
- CRUD operations on users
- integration with external data sources, e.g., attribute providers (databases)
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- ODF
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
Commissioning authority would specify:
- use of identity providers (IdPs)
- use of attribute providers (AtPs)
- use of multi-factor authentication (MFA)
- authentication journey
- front-end experience
- BI requirements
- Audit requirements
Scaling
- Independence of resources
- Platform autoscales according to load.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Metrics include:
- Service uptime (downtime)
- Active users over period
- Active users at moment in time
- Authentication journey success (fail)
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2012
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- European Economic Area (EEA)
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Data stored in the platform can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.
- Data export formats
-
- CSV
- ODF
- Other
- Other data export formats
-
- Directory schema
- Database schema
- Data import formats
-
- CSV
- ODF
- Other
- Other data import formats
-
- Directory schema
- Database schema
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- Condatis SLA(s) guarantee service availability. This is backed by cloud provider's own SLA(s). Condatis offers service credits where SLA availability is not met.
- Approach to resilience
- Available on request
- Outage reporting
-
Outage reporting is per SLA and can include:
- dashboard
- email alerting
- telephone alerting
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Username or password
- Access restrictions in management interfaces and support channels
- Access to management interfaces is restricted by username and password, and additional factors as may be required, or authority's own access technology (e.g., if access is federated).
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Centre for Assessment Limited
- ISO/IEC 27001 accreditation date
- 20/11/2018
- What the ISO/IEC 27001 doesn’t cover
- Condatis' ISO 27001 statement of applicability covers all the controls defined by ISO 27001 with the exception of 14.2.7 Outsourced development and 11.1.6 Delivery and Loading Areas because they do not apply to Condatis.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- Per ISO 27001 standard
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Condatis maintains an ISO27001 accredited configuration and change management process, available on request. As part of Sitekit's SDL (Secure Development Lifecycle) software components / tooling are assessed for suitability - this is recorded in Condatis' Application Lifecycle Tool Records Report(s).
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Condatis maintains an ISO27001 accredited vulnerability management process, available on request. Condatis carries out threat-modelling as part of software design under the company's SDL (Secure Development Lifecycle); mitigation actions are then put in place. Condatis will deploy patches either as part of scheduled software maintenance or immediately when Condatis becomes aware of a Critical vulnerability. Condatis runs frequent training sessions on emerging internet security threats.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Condatis maintains an ISO27001 accredited protective monitoring process, available on request. Potential compromises are assigned the highest priority under Sitekit's SLA (Critical) and immediately investigated.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Condatis maintains an ISO27001 accredited incident management process, available on request. Users would raise a support request with Condatis' support desk; Condatis will investigate the support requests and categorise as an incident if appropriate to do so. Condatis maintains an ISO27001 compliant incident report template, available on request.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £10,000 to £3,000,000 a unit
- Discount for educational organisations
- No
- Free trial available
- No