Unisys Limited

Unisys Cloud IaaS

The Unisys Cloud service is an Infrastructure as a Service (IaaS, PaaS or SaaS) offering designed to provide a private secure VMware hosting capability for customer applications and services.

Features

  • Automated provisioning of virtual computing and storage capacity
  • The automatic approval of requests for standard images
  • Request a new VM from a list of pre-defined templates
  • Change a service tier (processor, memory or storage)
  • Delete/Decommission a VM
  • Run pre-defined reports
  • Re-build a VM
  • Console access to VMs
  • Network Load balancing service enabling highly available web services.
  • Monitoring and backup of the environment to agreed SLAs

Benefits

  • Scalable and flexible service
  • Direct user access via Self-service portal
  • Multiple Data Centres located in the UK
  • Shared Resource pool
  • Enterprise ready
  • aaS model
  • Utility based pricing
  • Private and secure Cloud
  • Network access over VPN or via secure p2p WAN link
  • ISO 27001 certified service

Pricing

£160 per virtual machine per month

Service documents

G-Cloud 9

312804822472324

Unisys Limited

Simon Corscaden

020 3530 0769

cloudstore@unisys.com

Service scope

Service constraints Hosted out of two Unisys DCs in Milton Keynes

WAN connectivity is tenant responsibility

Additional perimeter security, such as WAF, HSM and DDoS, is available as optional services

VM Standard sizes provide the optimal cost/benefits

Tenant specific Governance and legislative compliance is an optional service
System requirements
  • An authorised desktop (with Stealth installed if required)
  • Connectivity to the network (default: via the Internet)
  • A valid login to the service

User support

Email or online ticketing support Email or online ticketing
Support response times Restore service within: 4 hours for Severity 1 outage; 24 hours for Severity 2; and 72 hours for Severity 3
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels Level 1 24x7 operations monitoring
Level 2 OS, storage & backup support with out of hours on-call support
Individual VM monitoring and alerting
Individual VM backup
Support available to third parties Yes

Onboarding and offboarding

Getting started Work with new customers to build an on-boarding plan.

This will include:
• Capturing the details of the administrators for initial account creation;
• Initial Network design. Look at how the customer will connect, and what VLANs (if any), Load Balanced addresses and firewall rules are required;
• How any existing machines will be migrated into the new environment;
• Key contacts and points of escalation;
• Billing information.
With this information, Unisys will set up the initial environment ready to use, and produce a detailed plan for implementing any additional services required.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At service commencement, Unisys will work with the Tenant to build an off-boarding plan. This will include:
• Migration Plan – what Storage and/or VMs need to be moved and to where? What technical and personal security measures will be followed to transition or transport the data?
• Data Extraction: Tenants may simply decide to copy their data over a temporary secure VPN link, or even dump it to encrypted removable media and securely relay it via a secure courier or transport the device themselves. Whatever the chosen option, Unisys will work with the tenant, following the agreed process, to extract and securely transfer data at contract exit.
• Accreditation plan – what needs to be done to ensure accreditation requirements are maintained
• Return of any Tenant specific documentation and certification
• Secure Information Destruction plan. Removal of Virtual Machine images and backups; Secure disposal of Tenant data
• Termination and decommissioning of any VPN or dedicated network lines.
End-of-contract process When leaving the service, Unisys will work with the Tenant to review, update and execute the off-boarding plan that was created at contract start.

Unisys will appoint a Service Transition Lead (STL) who will be responsible for seamless and secure transition of service. Parallel work streams will be commenced, including:

Technical Migration Stream – covering seamless migration of tenant data, storage and server estate. This includes the creation of an Operational Working Agreement with the tenant's new supplier.

Security & Audit Stream – what needs to be done to ensure accreditation and security requirements are maintained during service transition. This stream will document the agreed process for secure destruction of tenant environment as well as how removable media and current archived backups are to be managed and transitioned.

Commercial and Contractual Stream – contract termination and decommissioning of the service, including secure removal of dedicated tenant networks and VPN links that may have been set up during the contract term. The cost of the STL is included in the contract; however, any tenant-specific secure destruction and data and VM transition activity is subject to Change Control.

Using the service

Web browser interface No
API No
Command line interface No

Scaling

Scaling available Yes
Scaling type Manual
Independence of resources Tenant Architecture is delivered via an N+1 design whereby each tenant's environment is hosted on their own dedicated blades. This strategy eliminates the noisy neighbor situation while guaranteeing resource availability to tenant VMs.

At the Storage layer LUNs provide the tenants storage needs on a tiered SAN that automatically repurposes workloads depending on I/O demand and utilization.

The whole UKCC offering is monitored by Nagios, which integrates with Unisys global ITSM auto-ticketing to alert on critical alerts, as well as raising alerts on the Ops monitors.
Usage notifications Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics Yes
Metrics types Network
Reporting types Real-time dashboards

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery Yes
What’s backed up
  • CommVault Simpana 11 technology provides backups to ISILON VTL
  • The Virtual Server iDataAgent delivers protection/recovery
  • iDataAgent provides granular backup/restore options
  • Tenant manages Application or Database specific backups
  • Daily full or incremental backup is optional
  • Option to perform Ad hoc backups is available
  • Optional service to back up to Tape for offsiting
  • Restores requested via a service request VM target instance
  • Tenant specific backups - copying files to target VM
  • Standard backup service is daily full backup of VMs
Backup controls Daily backups of the infrastructure elements are written onto ISILON VTL disk and are replicated to a secondary site to provide additional protection.

The following optional services are also available and managed by the Unisys support team:
• Tape based backups ready to be shipped to external 3rd party secure location
• Backup-as-a-service for additional protection of non-standard payloads.
• A high availability option capable of running in Active/Active configuration.
• An architecture to deliver the required RTO & RPO that meets the Tenant's DR and BCP obligations.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability • To provide availability of 99.9%.
• Measure availability based on system/VM uptime
• Process requests for the automated provisioning of authorised requests within 1 hour
• Process requests to change the tier of service for an existing VM within 1 day
• Process requests to restore a VM from a previous backup within 1 day
• Restore service within 4 hours for a Severity 1 outage, within 24 hours for Severity 2 outage, and within 72 hours for a Severity 3 outage.
Approach to resilience At the external network layer Unisys would request that tenants utilize resilient and diversely routed Internet links, or deliver similar dedicated links from the Tenant network into each of the Unisys DCs providing UKCC services.

Within the DCs all perimeter switches, NLBs and firewalls are paired in active/passive mode.

The remainder of the infrastructure also has redundancy and resiliency built into the design.

Detailed design can be made available on request.
Outage reporting Nagios and SCOM tools provide Service Management via dashboards that are operated by the DC Ops team for UKCC environment and optionally for the tenant as requested.

Critical alerts and threshold warnings are displayed using RAG status as well as relayed to service desk as email alerts.

Tenants have the option of utilizing this setup or developing their own monitoring services for their PaaS and SaaS implementations.

Identity and authentication

User authentication Username or password
Access restrictions in management interfaces and support channels Cloud Management Environment (CME) separation is achieved at Management, Network, Hypervisor and Storage Layers.

The CME does not have access to the tenant’s environment within the platform.

CME is responsible for monitoring and managing the cloud platform, but does not monitor guest OSs.

At network layer, data is separated by VLANs from virtual machines to the physical network switching infrastructure.

Inter VLAN traffic flow is protected by a firewall.

Management of Hypervisor Layer hosts and of the VMs is separated; traffic to the hypervisor host is physically separated by using different network adaptors and switches from those serving tenant VM traffic.
Access restriction testing frequency At least once a year
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 British Standards Institute
ISO/IEC 27001 accreditation date 28/05/2015
What the ISO/IEC 27001 doesn’t cover Tenant owned and hosted environments.

Tenant Desktop or client build and the tenant UI used to access the Cloud environment.

Tenant administration, management and support of their PS Cloud hosted environments, at the PaaS or SaaS level is also out of scope of Unisys CME service offering.

Tenant owned MPLS, PSN or dedicated WAN link terminating in Unisys DCs is also out of scope of Unisys ISO certification.

Tenant User management and administration process is also excluded.

Tenants are also responsible for designing their architecture to include a DR instance capable of delivering their RPO & RTO that is backed-up with annual failover/fallback tests.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations Police Assured Secure Facility

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Unisys UKCC Cloud Information Security (IS) incorporates Unisys Corporate IS policy; adherence and compliance to both of these policies, for delegates engaged in providing UKCC Cloud services, is a mandatory requirement for joining the team.

All delegates are security vetted and are provided annual Security briefings.

Compliance and joiners & leavers registers are reviewed, monitored and reported on a quarterly basis.

Ad-hoc unannounced spot checks are also carried out by the Security Authority who is responsible for managing and reporting on all UKCC Cloud related Information Security incidents.

Further, delegates are also presented with the PS Cloud SyOps as well as the individual tenants’ SyOps, which detail how the system meets and delivers the Cyber Security Principles.

Delegates' roles and responsibilities are defined by the processes and procedures outlined in the accompanying SOPS documentation.

UKCC Cloud Service Catalogue details the Security Risk Incident and Emergency Security Incident management procedures.

The UKCC Cloud Security Authority has a dotted line into the Unisys UK CIO and has a seat on the Corporate Security Governance board.

Unisys operates an anonymous incident and dispute reporting scheme.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Dedicated Cloud SDM role owns and manages the governance and ITIL based BAU Service Management function.

The Change Management process is governed by the Change Advisory Board (CAB), which convenes once a week to review and authorise all changes and problems reported.

The SDM also provides a monthly report on all aspects of the service, including high priority faults, security incidents and changes implemented.

They also develop and present the Capacity Management report that details growth and projection of any future (6 month view) capacity issues to the cloud as well as on any tenant systems.
Vulnerability management type Supplier-defined controls
Vulnerability management approach All UKPSC VMs are protected by perimeter security provided by a combination of Physical and Virtual Firewalls;

Intrusion Detection System (IDS) SNORT provides perimeter security.

SIEM – provided by LogRhythm – available to Tenants as an optional service

Quarterly Vulnerability Scans are performed on all UKPSC hosted Tenants
Protective monitoring type Supplier-defined controls
Protective monitoring approach Utilises a network intrusion detection system to monitor network traffic and analyse it for malicious activity. Protective Monitoring is performed by security information and event management software which collates and analyses the log files of all servers, machines and network equipment. These tools have been fully configured to analyse and alert on all 12 Protective Monitoring Controls described in the UK Government's Good Practice Guide 13 document.
Monitored 24 x 7 with the Unisys BAU Ops team providing monitoring outside of normal working hours. Monitoring by the BAU Ops team uses a System Centre Operations Manager (SCOM).
Incident management type Supplier-defined controls
Incident management approach UKCC Cloud SDM owns and manages the Cloud Incident Management (IM) process.

During the on-boarding stage, tenants are introduced to the Unisys IM process, which details how incidents are logged with the service desk, how priority is allocated and how an incident flows from being received by the appropriate resolver groups through to its resolution.

The incident severity levels are defined by the incident characteristics set out in the Cloud Service Manual, which also details the process flow between Incident and Problem records and how Incident and Problem Management tracking and reporting is performed.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate Separation between tenants is achieved at all layers of the CME, which does not have access to the tenant’s environments or guest OSs.
Data is separated by VLANs from virtual machines to the physical network switching infrastructure.
Inter VLAN traffic flow is protected by firewalls.
Traffic to the hypervisor host is physically separated using different network adaptors and switches.
All storage is hosted on a Fibre Channel SAN, with each tenant being allocated separate cluster shared volumes for their virtual machines and data.
Backup is performed at the platform level and does not have direct access to the tenants’ internal environments.

Energy efficiency

Energy-efficient datacentres Yes

Pricing

Price £160 per virtual machine per month
Discount for educational organisations No
Free trial available No

Documents

Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document