Sopra Steria Ltd

Sopra Steria Cloud Infrastructure on Command

Our infrastructure on Command service provides a flexible, reliable and resilient Virtual Environment on a pay-as-you-go basis. We off multiple service levels and VM sizes ; 99.9% availability , low cost, consumption based pricing and required security ( IL2 and IL3 accredited)


  • Pan Government Accredited
  • UK Sovereign cloud platform delivered from two UK data centres
  • Connectivity via the Internet,PSN, N3 or private leased line
  • Multiple Service Levels and VM sizes to meet business needs
  • High availability to 99.99% and fault tolerance options available
  • Secure portal to manage VMs, Firewall rules, load balancer policies
  • Upload own VM images, applications and data/ use template configurations
  • Set and control access, user profiles and capabilities
  • Local and remote back-up options
  • VMWare vSphere at the hypervisor layer


  • Agile - change memory,processors,network and storage as needed
  • Simplified system management via a secure self-service Portal.
  • Flexible – Multiple services levels and VM sizes
  • Responsive - Immediately available – zero delay to your project.
  • Assured Security – PGA and PSN Accredited at IL2, IL3
  • Variable consumption based pricing model
  • Resilient / High Availability to meet business demands
  • Reliable – up to 99.99% availability
  • Green – market leading efficiency around power and cooling
  • Tried and trusted technologies to de-risk your cloud transition


£0.04 per virtual machine per hour

Service documents


G-Cloud 11

Service ID

2 2 3 5 6 8 8 8 6 8 3 6 3 2 3


Sopra Steria Ltd

Chris Horne

07954 834 818

Service scope

Service scope
Service constraints None
System requirements VPN to client site deployed in on-boarding process

User support

User support
Email or online ticketing support Email or online ticketing
Support response times From 15 minutes depending on priority/severity of incident/request – see service description for details.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels Incident Response : P1 - within 30 mins,P2 - within 4 hours,P3 - within 24 hours , P4 - every 24 hours
Incident Update : P1 hourly,P2 - every 2 hours, P3 - every 24 hours, P4 - every 24 hours
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We have Managed Service offerings “Sopra Steria Managed Cloud Service - Dev Test” and “Sopra Steria Managed Cloud Service - Production” to provision and manage the deployed service.
Service documentation No
End-of-contract data extraction Unless requested otherwise as an additional service, the customer is responsible for maintaining a master copy or backup copy of the data used in the Infrastructure on Command Cloud prior to leaving the platform. This negates the need for secure transfer of all their data out of the solution at the end of the contract. Data can be transferred out of the solution using UKCloud facilities.
End-of-contract process On expiry of the agreement or notice of a customer stopping using the service, the service will be withdrawn. Depending on the off-boarding options selected, some or all of the following off-boarding services may apply:
Exit Checklist - The activities on the exit checklist will be completed. The checklist options will be confirmed during on-boarding which will ensure that the exit process is not ambiguous.
Data Decommission Service Process - Unless requested otherwise as an additional service, the customer is responsible for securely removing any data.
Data Deletion - When the customer terminates their agreement with Sopra Steria, we will ensure all of the customer’s data is deleted.
Billing Finalisation - Once the customer has off-boarded from the service, Sopra Steria will raise the final billing to cover any outstanding monthly, exit and consumption charges.

Using the service

Using the service
Web browser interface No
Command line interface No


Scaling available No
Independence of resources Supplier ( UK Cloud) design
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller (no extras)
Organisation whose services are being resold UK Cloud

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Never
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Virtual Machines
  • Data storage associated with Virtual Machines
Backup controls Backups will be performed to a defined schedule
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks IPsec or TLS VPN gateway
Data protection within supplier network Other
Other protection within supplier network Data is held within UKCloud network who use dedicated CAS-T circuits between each of our sites to ensure the protection of customer data in-flight. Additionally UKCloud encrypts this data within their Elevated OFFICIAL platform. All data flows are also subject to UKCloud protective monitoring service.

Availability and resilience

Availability and resilience
Guaranteed availability 99.95%-99.99% depending on service level chosen
Approach to resilience Service is deployed across a number of sites , regions and zones. Each zone is designed to eliminate single points of failure ( such as power network and hardware). Customers are enouraged to ensure their solution spans multiple sites, regions or zones to ensure service continuity should a failure occur.
Outage reporting Outages will be reported to Sopra Steria by UK cloud and this information will then be relayed to client.

Identity and authentication

Identity and authentication
User authentication Other
Other user authentication As an Infrastructure as a Service platform end user authentication will be provided by the mechanisms in place within the solutions deployed onto this infrastructure
Access restrictions in management interfaces and support channels Customers have the option to raise a support request via telephone or email. UKCloud will always authenticate the identity of the user by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. The management interfaces are only available on the UKCloud network.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials ( certified 5/9/16)

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO/IEC 27001
Cyber Essentials

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Will integrate with the client's policies and processes.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We undertake with the customer an overall security assessment for all systems and applications which is regularly reviewed.
The assessment identifies a set of customer events to be important and priority.
In the event one of these customer event occurs this triggers a series of action(s) prescribed against the event and its priority.
These actions include monitoring from capture of the event, analysing the logs, addressing and eliminating the root causes for the alert.
Sopra Steria works with the customer to ensure that the actions are geared towards the customers’ business objects for risk management of the situation.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our protective monitoring offer includes
- automated and manual monitoring of the ICT estate
- central cyber security team ( available up to 24 x 7) to track and assess incidents including real time event correlation
- alerts and reports ( eg GPG 13 compliance)
- review and intervention by specialists
When potential compromises are found action is taken to safeguard network and take remediation promptly.
Incident management type Supplier-defined controls
Incident management approach We operate a common approach to incident management across our services reflecting ITIL best practice
• All incidents logged and monitored through the lifecycle
• All incidents graded P1 to P4 with relevant resolution prioritisation and target closure time
• Root cause analysis is undertaken and uncorrected errors transferred to Problem Management
• Communication of service failures so users can adjust to service interruption
• Potential service improvements are derived from past Incidents
• Exceptional major incidents are assigned an accountable manager who will drive appropriate stakeholder engagement
• Reporting and analysis is reflected in service reporting to the customer

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate At the compute/storage layer, consumers are separated via robust hypervisor controls based on VMware vSphere technology. This solution has been previously been validated by the NCSC PGA and the implementation is regularly tested via by regular PGA scoped independent IT Security Health Checks conducted by a CHECK service provider.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes
Description of energy efficient datacentres UKCloud’s services are CarbonNeutral® cloud services. UKCloud achieved this certification by working with Natural Capital Partners to measure and reduce CO2 emissions across all sources used to deliver cloud services. These include direct emissions from all owned or leased stationary sources that use fossil fuels and/or emit fugitive emissions, and emissions from the generation of purchased electricity and steam (including transmission and distribution losses) to power their servers. For UKCloud’s cloud services to achieve CarbonNeutral® status, an independent assessment of the CO2 emissions produced from direct and indirect sources required to deliver them was carried out, followed by an offset-inclusive emissions reduction programme. This means that for every tonne of greenhouse gas emissions produced in delivering cloud services, a verified carbon offset is purchased which guarantees that an equivalent amount of greenhouse gas emissions is reduced from the atmosphere through a renewable energy or clean technology project.


Price £0.04 per virtual machine per hour
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑