STRATA SECURITY SOLUTIONS LIMITED

Strata Insight

Strata Insight provides a single view of the cyber security and compliance of your ICT estate across both on-premises and cloud environments. It presents this view against your chosen risk or control framework, giving you a view of your business risks and the technical issues they stem from.

Features

  • Asset reports, see the state of all your assets
  • Security monitoring reporting, consolidate your alerts and event data
  • Control frameworks, select your chosen security control frameworks
  • Metric reporting, understand how compliant you are
  • Risk modelling, understand risks in addition to compliance
  • Reporting engine, schedule and run complex reports
  • Dashboarding, provides an at-a-glance summary of your compliance and risk
  • IaaS-based, supplier managed and resilient to failure
  • Secure connectivity, to on-premises tools and users
  • Collector framework, combine data from different tools in one place

Benefits

  • Custom control frameworks, develop frameworks to suit your requirements
  • Get started quickly with pre-built control frameworks and content
  • Understand current or developing compliance issues within your environment(s)
  • Understand the risks to your specific environment(s)
  • Save costs by planning activities against identified risks and metrics
  • Improve processes by integrating tasking with monitoring
  • Eliminate error-prone, manual security reporting
  • Track performance of security operations teams or outsourced providers

Pricing

£30000 per unit per year

Service documents

G-Cloud 11

301614905890902

STRATA SECURITY SOLUTIONS LIMITED

GCloud Team

020 3095 1001

gcloud@stratasecurity.co.uk

Service scope

Software add-on or extension: No
Cloud deployment model:
  • Private cloud
  • Hybrid cloud
Service constraints: No
System requirements:
  • User access via supported browser
  • Data collection via deployed collector or agreed alternative
  • Access to data from the buyer's deployed toolsets

User support

Email or online ticketing support: Email or online ticketing
Support response times: Contractual response times vary depending on priority.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Strata provide a single level of support to all customers, based on the criticality of the incident and the extent to which it affects the solution's ability to deliver its services. We proactively monitor the solution and report to your teams any issues we have detected in obtaining up-to-date monitoring information.
You will be provided with a technical account manager who can assist in resolving any issues and provide guidance and support on how to resolve any risks detected by the solution.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We provide users with an onboarding guide outlining how the solution functions, its data requirements and the quick start process. This is followed by an on-site quick start engagement to integrate the user's agreed data sources and customise content to the customer's requirements.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Users request a data extract via our support team; we then provide exports of recent audit reports and the control framework configuration as data file exports.
End-of-contract process: At the end of the contract the solution is terminated, user access is revoked and the user's instance is decommissioned. Recent input data and configuration are retained for 30 days to support re-commissioning of the service, unless earlier deletion is requested. In every case, we work with the customer to ensure that they are satisfied the data has been securely erased after the service ends.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: Yes
Compatible operating systems:
  • Linux or Unix
  • Windows
Designed for use on mobile devices: No
API: Yes
What users can and can't do using the API: The API can be used to provide updated input data to the solution, including the definition of new assets.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The solution can include custom risk and supporting control frameworks as well as custom reporting and dashboarding views. This allows users to ensure the data is presented to them in the most effective form and format.
Customisations are developed by our team of deployment consultants and then deployed into customer instances.

Scaling

Independence of resources: Each customer is deployed in a separate cloud instance (or cell) that has its own dedicated set of IaaS resources, independent from and logically separated from all other customer cells.

Analytics

Service usage metrics: Yes
Metrics types: We provide metrics on the consistency of input data availability, the performance of the service itself, user access to the service and any data processing errors.
Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users can request a complex data export via a support ticket, or can use controls within the system to export data for common use-cases.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • PDF
  • PPT
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network: Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.

ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security.

Availability and resilience

Guaranteed availability: AWS currently provides SLAs for several services. Due to the rapidly evolving nature of AWS's product offerings, SLAs are best reviewed directly on the AWS website via the links below:

• Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
• Amazon S3 SLA: http://aws.amazon.com/s3-sla

Well-architected solutions on AWS that leverage AWS service SLAs and unique AWS capabilities, such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
Approach to resilience: The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximising the effectiveness of the recovery and reconstitution efforts and minimising system outage time due to errors and omissions. AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an N+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilisation of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Outage reporting: In the event of a service outage, we will provide email-based updates to our customers with details of the outage and the actions we are taking.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels: Support requests are only responded to when received from an agreed and approved contact point that has been onboarded as a support contact.

Management interfaces are only available to supplier staff, based on an RBAC model within the solution. Access to infrastructure and infrastructure management interfaces uses an agreed multi-factor authentication mechanism.

User authentication is required to access the solution, and changes to the solution configuration can only be made by authorised users.
Access restriction testing frequency: At least once a year
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Our approach is aligned to ISO 27001, but we are not currently certified or implementing all of the technical controls.
Information security policies and processes: We have an incident response process for handling any issues with our solution, which contains specific steps for resolving security-related incidents in our environments.
Our data classification and handling policy provides guidance and details to all staff on how to handle both client and internal data, including its storage and retention.
All issues are summarised and reported to the board, with a named board member then taking responsibility to investigate the issues and develop improvements to our processes and systems.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All components of our service are tracked through configuration management processes, based on our deployment approach using software-defined infrastructure. Environments are built and changed using automated scripts drawing on versioned artefacts and configuration files that are stored in a repository. When in service, components are tracked to ensure their health and patching status.
Changes to the solution's architecture and dependencies are reviewed internally prior to their deployment and then monitored while in service. All code undergoes a review against our coding standards.
Vulnerability management type: Undisclosed
Vulnerability management approach: Potential threats are assessed based on which elements of the solution are vulnerable to them and the other mitigating controls that are in place on that element. Our solution design is based on a defence-in-depth approach, layering infrastructure and application controls together with protective monitoring.
Patches are deployed monthly, with the exception of security patches that reduce the vulnerability of the solution, which can be deployed weekly.
Strata are in the process of applying to the Cyber Security Information Sharing Partnership run by the NCSC.
Protective monitoring type: Undisclosed
Protective monitoring approach: Our solution is hosted within AWS and combines the CloudTrail and CloudWatch capabilities with monitoring of instance and application logs. Events and data from these sources are presented to our support team to alert them to unusual behaviour and potential compromises.
When a potential issue is found it is reported and handled via our incident handling approach. Incidents are then handled in line with our support SLAs.
Incident management type: Undisclosed
Incident management approach: All incidents are handled via our incident handling process, which includes pre-defined responses to DoS and other forms of generalised attack on the availability of the service.
Users can report incidents via our email support channels.
We provide summary reports of all incidents that have affected a client's IaaS cell alongside our standard monthly service reports. These are delivered by email to the client's named contact.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Pricing

Price: £30000 per unit per year
Discount for educational organisations: No
Free trial available: No

Service documents

  • Pricing document (PDF)
  • Terms and conditions (PDF)