Prolinx Ltd

Prolinx Assured Cloud Services (PACS), Secure Platform as a Service (PaaS)

Prolinx PaaS is a UK-hosted assured community Cloud Service that delivers a fully managed UK Sovereign secure and scalable application hosting platform, including Evaluation, Design, Integration and Security Approvals, with an agile storage and consumption model supported by a 24x7x365 Service Desk. Available at the Official and Secret security tiers.

Features

• Multi-functional environment
• Secure, simple, and highly scalable hosting platform to aid collaboration
• Delivered as a fully managed end-to-end service
• ISO9001, ISO20000, ISO27001 certified organisation and ITIL service management framework
• Securely operated in UK by SC/DV Cleared Personnel (minimum level)
• Supported by a 24/7 UK-based Service Desk
• Option to access database, application and specialist support services
• Secure and hardened identity management service
• Connectivity to MSN/MCN(S)/PSN (assured and Protect)
• Initial building block for SaaS

Benefits

• Reduces cost and complexity of managing technology and resources
• Can handle Official (including caveats) in all environments
• Service hosted in the UK ONLY locations for data sovereignty
• Increases operational efficiency through provision of Prolinx expertise
• Allows customer focus on core business values (application and data)
• Simple application on-boarding process
• Flexible replication and backup options
• OS patching/AV/Malware delivered as part of the fully managed service
• Securely operated in UK by SC/DV Cleared Personnel
• Opex billing model allows for stable and predictable financial forecasts

£0.10 a virtual machine an hour

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Sam.howells@prolinx.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

176755478390541

Contact

Sam Howells
+44 (0) 330 180 0099
Sam.howells@prolinx.co.uk

Service scope

• Service constraints: A constraint is each individual new service cannot operate without DAIS accreditation. We agree to represent the proposed services to the accreditors addressing the approach and risk control.
• System requirements:
  • Application licencing is the responsbilitiy of the Application Owner/Customer.
  • Need to gain relevant authority approval and accreditation

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Any questions/ requests for information will be acknowledged within 4 working hours and resolved within 1 working day.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Prolinx will offer 1st line support for initial diagnosis, as well as 2nd and 3rd line support. Prolinx also offer consultancy, technical account management and cloud support engineers. A customer support representative is also appointed. ; Please refer to SFIA rate card for support costs.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: An Application Requirement Document (ARD) is provided to the Application Owner to complete; this will define the requirement.; ; The on-boarding process will be initiated that will end with the provision of Administrator account(s), access the VM(s) and to a platform Dashboard.; ; Prolinx can provide on-line supporting material (User Guides) to assist customers to maximise the benefits of the Official Connections collaborations tool. On-site training can be provided and our Service Desk can be available to provide assistance and guidance to customers as required. More formal classroom training can be provided which Prolinx would be happy to facilitate.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: Termination or migration will necessitate a four week period prior to any expiry of the contractual agreement; Prolinx and the customer will agree an exit plan which will include a mandatory service migration meeting covering: • The return of user generated data most appropriate to meet the exit and security requirements • Whether they wish their data to remain available for future use (i.e.; persistent storage). If the data is not required, it will be purged and destroyed in accordance with the requirements associated with the data BIL rating. • Whether they wish to extract their data. If the data is rated at Official including caveats (BIL3), precautions will need to be put in place to ensure that the security of the data is not compromised. Data can be extracted in a variety of formats including XML, CSV and TXT. • Exit project plan • The compliance requirements for secure destruction of important data and storage media • Risk Assessments and agreed service cessation milestones • Final commercial reconciliation. Prolinx will agree a price for delivering the exit plan and will have fifteen days to transfer or destroy all user generated data within the Prolinx Assured Cloud Service.
• End-of-contract process: In line with G Cloud T&Cs at least 90 days notice of termination must be provided in writing. In the event of termination, all/any remaining service charges will still apply and will be payable on or before the termination date. Termination or expiry of the contractual agreement will initiate the Exit Project Plan as set out in the off-boarding section of this document.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them.; ; Services which provide virtualized operational environments to customers ensure that customers are segregated via security management processes/controls at the network and hypervisor level.; ; Prolinx continuously monitors service usage to project infrastructure needs to support availability commitments/requirements. Prolinx maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently. In addition, the Prolinx capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • Custom metrics generated by customers’ applications and services
  • Metrics associated with log files generated by the applicatio
  • Security metrics associated with user activity
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Machine image
  • Flexible backup of Drives available.
• Backup controls: The back up and data recovery SLAs are more likely to be pre-agreed with the customer, rather than user initiated. However, manual or scheduled backups are possible but need to pre-defined.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Prolinx currently provides SLAs for several services for Goverment Departments. Due to the rapidly evolving nature of Prolinx’s product offerings, SLAs are best to be pre-agreed to satsify the user requirements. ; Prolinx offer well-architected solutions that leverage unique capabilities such as multiple IL3 Secure Data centres that, can ease the burden of achieving specific high availability SLA requirements.
• Approach to resilience: The PACS Business Continuity plan details the process that PROLINX follows in the case of an outage, from detection to deactivation. PROLINX has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that PROLINX performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions. ; ; PROLINX maintains a ubiquitous security control environment across all their data centres. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. ; ; Customers are responsible for implementing contingency planning, training and testing for their systems hosted on PACS. PROLINX provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographically separated data centres.
• Outage reporting: An email alert and direct conversation with the Global Operations Security Control Centre (GOSCC) for MoD clients.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Prolinx make use of trusted roles and have separation of duty and limits on each transactional privilege set. All these measures combine to an accepted standard practise which has satisfied already provisioned MoD and other Government contracts.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 20/06/2018
• What the ISO/IEC 27001 doesn’t cover: There are no exceptions and our certificate covers the following: The provision of IT infrastructure solutions and IT managed services, which includes consultancy, design and implementation services. This in accordance with the ISMS statement of applicability dated 20/06/2018.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: CSA CCM version 3.0; ISO/IEC 27001

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Prolinx has a variety of methods already in use to support change and configuration management to track and identify components from cradle to grave. The design and change of any function is managed via key stages from initiation, planning and co-ordination through to validation and testing and early life support. This will be managed using ITIL methodologies and best practices.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The Prolinx monitoring platform can provide real-time views of availability statistics, as well as detailed monitoring and analysis of data from virtual switches, routers, servers and any other SNMP-enabled devices. The Prolinx monitoring platform which includes availability, security and integrity monitoring of the applications and VMware horizon environment. Prolinx also use Fortigate firewalls and Fortigate wireless hardware for its architectures. These products are best of breed within the market and can be fully managed, supported and monitoring by Prolinx service desk. Every incident that requires escalation we engage the relevant parties taking any necessary action reporting directly to the GOSCC
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: The Prolinx monitoring platform can provide real-time views of availability statistics, as well as detailed monitoring and analysis of data from virtual switches, routers, servers and any other SNMP-enabled devices. The Prolinx monitoring platform which includes availability, security and integrity monitoring of the applications and VMware horizon environment. Prolinx also use Fortigate firewalls and Fortigate wireless hardware for its architectures. These products are best of breed within the market and can be fully managed, supported and monitoring by Prolinx service desk. Every incident that requires escalation we engage the relevant parties taking any necessary action reporting directly to the GOSCC
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Service Desk manages incidents using a dedicated service management tool suite these can be raised by a telephone call, email or from an automated alerting system. Incidents are classified and prioritised in accordance with the agreed SLAs. There are multiple types of classification and several levels of prioritisation that can have different response and resolution characteristics ranging from 30 minute responses with 4 hour resolutions to 4 hour responses with 48 hour resolutions with several levels in between. Incidents are managed to ensure that any impact is minimised and the situation is dealt with appropriately.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: We use a blend of the most popular technologies such as VMware, Hyper V, Red Hat etc and have suitably qualified and and experienced personnel competent in these technologies to bespoke secure IaaS solutions to our customers.
• How shared infrastructure is kept separate: Customer environments are logically segregated, preventing users and customers from accessing unassigned resources. Customers maintain full control over their data access. Services which provide virtualized operational environments to customers, ensure that customers are segregated and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Prolinx comply with the guidelines within the EU Code of Conduct for Energy Efficient Data Centres. The Datacentre utilised by Prolinx uses electrical and cooling systems that are certified by their M&E Design & Construction contractor to exceed the UTI Tier III uptime percentage. ; ; They offer the highest levels of sustainability across their data centres without compromising security and availability. In accordance with EU guidelines, the Datacentre has implemented and exceeded the requirements of the HMG Greening Strategy, designed to ensure the lowest possible environmental impact. The direct air-cooled data centre is considered best-in-class, requiring no mechanical cooling >99% of the year. ; ; Because the Datacentres are factory-built offsite, the embedded carbon footprint and construction waste are greatly reduced – and have BREEAM accreditation indicating we recycle over 90% of this waste. We responsibly source power through competitive tendering that favours renewable energy. The data centre building has photo voltaic cell installations on the roof to capture solar energy. We have also introduced rainwater harvesting at the site to offset water consumption. Our own Datacentre benefits from cold isles which supply cooling only to the area that requires it. DCs have a PUE of 1.2

Pricing

• Price: £0.10 a virtual machine an hour
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Sam.howells@prolinx.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.