Secure Information Assurance Ltd

SecureIA Private Cloud

SecureIA owns and operates a Secure UK Private Cloud infrastructure that enables the sharing and hosting of Tier 1, OFFICIAL/OFFICIAL-SENSITIVE systems and information between HMG Departments, and stakeholders. The infrastructure services provide Internet, RLI/SMI, PSN and HSCN connectivity accredited by Defence Assurance and Information Security (DAIS) and Pan Government Accreditation.

Features

  • Secure UK Data Centres and SC cleared staff
  • Host virtual machines at Tier 1, OFFICIAL/OFFICIAL-SENSITIVE
  • Connect hosted services across RLI/SMI and Internet
  • Multiple access methods via: browser, thick client, SSH or RDP
  • Customisable levels of service, machine size, storage and support
  • We provide a fully managed service to support your environment
  • Formally accredited to OFFICIAL/OFFICIAL-SENSITIVE
  • Connect hosted services across PSN and Internet
  • Connect hosted services across HSCN and Internet

Benefits

  • Partnership approach to IaaS (more than just a hosting provider)
  • Users can collaborate across Private Government WANs and the internet
  • Simple, transparent pricing model
  • Build user-centric services across organisations and networks
  • Increase productivity and operational effectiveness by remote working
  • Over 18 years experience of working with HMG Departments

Pricing

£250 per virtual machine per month

  • Free trial available

Service documents

G-Cloud 11

171153785749141

Secure Information Assurance Ltd

Stephen Jewell

0161 215 3788

steve.jewell@s-ia.co.uk

Service scope

Service scope
Service constraints The provision of the Services from the Private Cloud includes planned maintenance activities, which are documented within a Service Level Agreement. SecureIA work with our customers to ensure that systems are regularly patched and maintained, whilst minimising impact on the User community and business requirements.
System requirements
  • End Point Devices to be approved for OFFICIAL use
  • Code of Connection provides specific requirements for the project services

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Calls are responded to within 3 rings.
Service Ticket response time is dependent on the criticality:
1. Critical - Immediate Response
2. High - Response within 10 minutes
3. Medium - Response within 1 hour
4. Low - Response within 4 hours
5. Very Low - Response within 24 hours.

The standard SLA response times are applicable from 09:00 to 17:00 Monday to Friday (excluding UK Bank Holidays). 365/24/7 Support is also available as a service at an additional cost.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard support is provided 09:00 to 17:00 Monday to Friday and include 1st line (User support) through to the system management, monitoring and Administration.
Additional support is available to extend the service support to 365/24/7 at additional cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Specific support is provided to Users for onboarding services, which includes documentation, online training material and can include onsite training.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Access is provided for the customer to extract data, or can be undertaken by SecureIA at no additional charge, depending on the method of delivery. Data can be provided as an image of the Virtual Machines, as extracted data or specific formats such as database exports. Where data is to be delivered by SecureIA, encrypted portable drives can be provided.
End-of-contract process SecureIA will work with the customer to ensure that the required data, records and audit logs have been extracted and verified before the services are terminated.
Data content is then destroyed in accordance with InfoSec Standard 5.
The SecureIA service support team will assist the customer with communications to the User community about the end of the contract and either the termination or transfer of services.
Images of Virtual Machines will be provided to the customer on request to allow the transfer of the services. Where support from SecureIA is required beyond the end of the contracted services, for example to support the transition to another provider may incur additional charges.

Using the service

Using the service
Web browser interface Yes
Using the web interface The services are delivered via a customisable web-interface which authenticates and authorises User access to the services to which they have been allocated.
In additional to application services, this web-interface can include access to the Virtual Machine Orchestration services, system health monitoring, protective monitoring tools, performance and utilisation reports.
Web interface accessibility standard None or don’t know
How the web interface is accessible The services are delivered via a customisable web-interface which authenticates and authorises User access to the services to which they have been allocated.
The accessibility features of the User Interface can be configured with the customer and User community to deliver the features and functions required to meet the specific business needs.
Web interface accessibility testing Web-interface testing is normally included in the Acceptance Testing of the service provided to the customer, the scope of this testing being agreed as part of the Service definition.
API No
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
  • Other
Using the command line interface A secured connection can be made from specified sites into a Bastion Host which provides an SSH connection to the Infrastructure. Access to specific Virtual Machine hosts is therefore available which allows the customer to manage either run command line functions, or launch RDP sessions from which to manage the host, operating system, and installed applications.

All such connectivity is only available to specified Users, and requires additional authentication. This type of access is monitored and logged, being reported as part of the Protective Monitoring services.

Scaling

Scaling
Scaling available Yes
Scaling type Manual
Independence of resources Resources can be independently allocated to project User communities to ensure resilience of the service and capacity.
Capacity of services are monitored, and customers are informed of changes in demand.
Usage notifications Yes
Usage reporting
  • Email
  • Other

Analytics

Analytics
Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Hardware containing data is completely destroyed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Virtual Machine Images
  • Data Files
  • Databases
  • Configuration Files
  • Records and Audit Logs
Backup controls Backup and restoration activities are automated and managed by SecureIA, based on User requests. These are agreed within a Service Level Agreement for the project, and can be varied by request through the Service Desk.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Each customer is provided with a Service Level Agreement which specifies the availability and response targets.
Typical availability is 99.96, assured by contractual commitment. SecureIA offer Service Credits against the guaranteed levels of availability.
Approach to resilience Resilience of the service is provided throughout the service provision.
• The Data Centres are classified as a Tier 3 data centre with alternate supply paths for all services to ensure 100% Data Centre uptime.
• All redundant systems are regularly tested for operation and effectiveness.
• N+1 Redundant Power Supplies.
• The Public Sector Dataroom also has additional power connection allowing the entire room to be independently serviced in the event of a catastrophic failure at the site).
• Redundant Backup Power from Generators and UPS (N+1).
• 100% carbon neutral, PAS 2060 certified hosting.
• Carrier Neutral with a range of Tier 1 and 2 carriers.
• Multihomed internet presentation, means that if 1 carriers Point of Presence fails communications will automatically failover to another.
• Redundant (N+1) Air Conditioning and Environmental Control.
• Environmental systems supported by redundant power systems.

DR facilities are also available, with secure connectivity provided to replicate data between the production and DR facilities.
Outage reporting Service outages and planned maintenance activities are communicated via the service web-interface status dashboards and messaging, via email alters and the Service Desk team make contact with agree Points of Contact in order to communicate status and ongoing activities.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Separate accounts are required for Administrative Access, with authentication and authorisation controls applied to all Administrative functions.
SSH access to the Virtual machines command line, and RDP sessions requires key-based authentication from a specified source location into a bastion host, which then requires further authentication and account escalation at each onward connection to the specific administrative services.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR Limited
ISO/IEC 27001 accreditation date 24/06/2016
What the ISO/IEC 27001 doesn’t cover The processes and procedures agreed within the Risk Managed Accreditation Document Set (RMADS) that have been agreed with the Accreditor in compliance with JSP and MoD policies.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Formal Accreditation from MoD (DAIS)
  • Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Formal Accreditation from DAIS,
Cyber Essentials,
IASME Governance
Information security policies and processes Security policies and procedures form part of the formal system accreditation by DAIS.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Components of the system are recorded and tracked through their lifetime
Every change to a configurable item requires a Change Control Form to be documented and approved.
Changes are assessed for potential security impact, and where necessary are communicated to the system Accreditor for approval.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability management processes form part of the Risk Managed Accreditation Document Set (RMADS) which have been reviewed and approved by the DAIS Accreditor.
SecureIA monitor threat sources, including CERT to gain information about potential threats.
Vulnerabilities and Remediation activities are assessed to determine the priority, with patches being applied within the hour for critical security issues through to monthly patching for routine updates.
Protective monitoring type Supplier-defined controls
Protective monitoring approach SecureIA employ protective monitoring services in compliance with Protective Monitoring for HMG ICT systems (GPG-13).
Incident management type Supplier-defined controls
Incident management approach Processes for reporting incidents is included within the Risk Managed Accreditation Document Set (RMADS) which includes HMG monitoring departments and points of contact.
Users should report incidents to the first line Service Desk team, either by phone, email or via the web-portal.
Incident reports are provided as part of the reporting cycle, with exceptional RCA and incident reports provided for security incidents.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate Private Cloud customers have dedicated infrastructure for the Virtual Machines.
Elements of common infrastructure are independently tested
by CHECK scheme providers to give confidence that products and security controls tested have been configured in accordance with good practice

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes
Description of energy efficient datacentres The Data Centre has been certified against PAS2060 Carbon Neutral standard, enabling us to offer 100% carbon neutral solutions.
Our data centres achieve a PUE of <1.3 at full design load. This means that when the data centre is fully occupied, for every 1.3KW of power input into the data centre, 1KW is delivered to the IT equipment.
As a data centre operator with a low PUE we reduce our running costs with efficient technologies, that use less power. We pass these cost savings on to our customers.
As part of our commitment to energy efficiency, The Data Centres are also certified to the environmental standards of ISO 14001:2015.
We have a voluntary Climate Change Agreements (CCA) which a reement is made with the Environment Agency to reduce energy use and carbon dioxide (CO2) emissions.
Although we are not members of the EU code of conduct for data centres, they do adhere to the requirements of the code of conduct.

Pricing

Pricing
Price £250 per virtual machine per month
Discount for educational organisations No
Free trial available Yes
Description of free trial SecureIA are happy to provide a trial of the services or Proof of Concept to demonstrate and verify that the business requirements can be delivered by our services. The period and extent of the trial can be agreed to support the customers business case.

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑