Vysiion Ltd

Cloud Gateway

A secure transit broker, hybrid cloud connectivity Platform-as-a-Service (PaaS) and alternative to Azure ExpressRoute. Provides fully managed security suites and secure traffic management across your network, multiple cloud service providers, PSN, HSCN and internet. Available options: Remote Access Service, Web Application Firewall (WAF), Enhanced Security Options, and Consultancy Services.


  • Managed Service: PSN and HSCN accredited connectivity
  • Enhanced encryption management and consultancy services
  • Remote Access Service (RAS) optional enhancement
  • Web Application Firewall (WAF) optional enhancement
  • VeriSM-aligned service model, with up to 24/7/365 support
  • Cloud Connect: Rapid, secure connectivity to any cloud service provider
  • SD-VPN: Intelligent software-defined network provision
  • Firewall-as-a-Service: All traffic is sanitised, monitored and logged
  • Secure Web Gateway: Secure connectivity to the internet
  • Portal: Customisable dashboard for complete visibility, analytics, incident management


  • Digital Transformation: Enables blended on-prem/cloud, continuous change
  • Accredited to connect PSN and HSCN environments
  • Enhanced Visibility: A single, timely and accurate source of truth
  • Central Ingress Point: Eliminates shadow IT and duplicate connectivity
  • Responsive Platform: Promotes choice and expedites pace of change
  • Centralised Security Model: Full policy enforcement and visibility
  • Technology Agnostic: Connect via any means (MPLS, internet, 4G/5G, broadband)
  • Vendor Agnostic: Connect to any/many cloud service providers
  • Scalable and Elastic: No physical hardware constraints


£8333 per instance per month

  • Education pricing available
  • Free trial available


G-Cloud 11


Vysiion Ltd

Caroline Andrewes

01249 446500


Service scope

Service constraints No constraints. The service operates on a 'bring your own' basis.
System requirements Any end-user device capable of IP-based connectivity

User support

Email or online ticketing support Email or online ticketing
Support response times Bespoke SLAs depending on customer requirement.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard support and technical account management under SLAs (Mon-Fri 09:00-17:30 excl bank holidays) is included in the annual fee for the PaaS. Up to 20 small changes per month are included in the standard charge. Additional or complex changes are priced on application, and are charged at the prevailing daily rate.
Enhanced 24/7/365 support is charged at 25% of the Annual Recurring Charge. Ad-hoc consultancy and technical architecture services are charged at the prevailing daily rate.
Support available to third parties Yes

Onboarding and offboarding

Getting started Having engaged with the customer early in the process to fully understand their requirements, we implement a VeriSM-based transition process to produce and provision the service quickly and efficiently. After completing UAT, we can provide training to the customer via a number of methods, depending on what best suits their needs. This could be on-site workshop sessions, conference calls, or written documentation. A period of Early Life Support is agreed with the customer, so that we can help the users gain experience in using the service, backed up by an ITIL-based support organisation that can continue to provide advice and assistance once go-live has passed.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Log information, analytics and anything else that is customer-specific can be copied to a repository of the customer’s choice; the source data will then be deleted upon confirmation of successful copy/transmission.
End-of-contract process The customer has the opportunity to renew the service or cease the contract. If the desire is to cease, the customer has two options:

1 – Turn the service off with immediate effect, with billing ceasing inside the agreed billing cycle (end of month, for example).

2 – Continue operating the service, working with the customer and new provider to an agreed plan to migrate the service. This will be charged at consultative rates as required until such time as Cloud Gateway can be safely turned off.

Using the service

Web browser interface Yes
Using the web interface When live service commences, the client receives a dedicated URL to access their own instance of the Cloud Gateway Portal. The Portal delivers reporting and analytics of all network and security events, accessible via a web interface. It allows network administrators and users to control and keep track of real-time network performance as well as being alerted to live incidents on the network. The Portal also provides a ticketing function where helpdesk incidents can be raised, feeding directly to our support team for resolution. Users cannot see or change the rules which govern firewall and security policy, nor can they see logs via the Portal. New functionality and features are added to the Portal regularly to improve user experience.
Web interface accessibility standard None or don’t know
How the web interface is accessible N/A
Web interface accessibility testing None
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources We enforce customer segregation by using dedicated tenancies. This ensures that each customer's Cloud Gateway service is not affected by or shared with other users.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • HTTP request and response status
  • Network
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra support
Organisation whose services are being resold 6point6

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up Log files and system configurations
Backup controls Users do not control backups. All backup and recovery administration is handled by Cloud Gateway as part of our fully managed service.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability 99.95% service availability. Where any service availability issues arise for connectivity from a user site, service credits will only be applicable to that site. Where any service availability issues arise for connectivity to the internet or cloud hosted providers, service credits will be applicable to all user sites.
Approach to resilience Our service is built using overlays inside a resilient cloud architecture. Consequently, each component, each set of components, each stack and each full tenancy is designed to be resilient at multiple points. This is achieved in its simplest form by having more than one of each component part available (akin to traditional High Availability), but also by leveraging cloud resilient functions such as Multiple Availability Zones, Multiple Regions, or both.
Outage reporting Our service sends alerts to our monitoring and engineering teams to inform them of any potential outages. The issues are sanitised to see if they require manual intervention by our team, or whether automatic recovery has occurred. If manual intervention is required then a proactive alert ticket is raised within our service desk portal. Our service desk portal shows tickets that are being worked on and these can be viewed by the client at any time. In addition, e-mail alerts can be created against any incidents relating to an outage, which will then be sent to approved recipients.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels Our service has a robust set of multi-layered security functions at its core. Access to and from any service is managed, maintained and enforced in line with customer approved policy.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ACM
ISO/IEC 27001 accreditation date 10/07/2016
What the ISO/IEC 27001 doesn’t cover Nothing
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Vysiion is ISO27001 and Cyber Essentials Plus accredited and has a full suite of associated accredited information security policies that are managed and maintained by our Head of Business Services. We design and implement solutions which meet stringent security requirements and meet current industry standards as well as aligning with customers’ information policies and procedures to ensure we protect our customers’ systems and data from security breaches and cyber attacks. We continually monitor and review our security practices, working closely with officially appointed security advisors and accreditation bodies, and as such are very familiar with current legislation and standards, best-practice guidelines and the approaches required to protect UK government assets. Our employees are security cleared to enable them to deliver services to the highest information security requirements.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow ITIL 3 aligned Change and Configuration processes for all changes.
All changes to infrastructure and systems are managed through these processes, ensuring that standardised methods and procedures are followed for all. The process ensures that all changes are formally assessed, authorised and controlled to minimise any adverse service impact.
Our Change Advisory Board assesses and validates all Changes from a business, technical, security and delivery perspective, drawing on subject matter experts when required.
A Forward Schedule of Change is maintained.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Potential threats are assessed through live monitoring and alerting within our platform. This is backed up with vulnerability scans every 2 weeks across the whole platform to test, track and confirm patches have been deployed while also testing security configurations. We also obtain information from our security vendors directly (subscription and notification emails) and RSS feeds. We deploy patches manually or via auto updates into our cloud infrastructure.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We identify potential compromises through live monitoring and alerting on our platform. Our monitoring and alerting rules are based on the AWS CIS Foundations benchmarks with additional controls and alerts for any non-AWS infrastructure. These events are sent to our SIEM, where alarms are triggered based on a set of configured rules. Depending on severity, the incident will be addressed immediately or in line with customer-agreed change control.
Incident management type Supplier-defined controls
Incident management approach We operate under the VeriSM framework, utilising the best of ITIL v4 and DevOps methodologies.

Secure development

Approach to secure software development best practice Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon, Microsoft, Fortinet
How shared infrastructure is kept separate Our service is built on a variety of cloud platforms. It is separated by customer, and each customer has their own dedicated hosting environment, such that no two customers will ever share the same service components.

Energy efficiency

Energy-efficient datacentres Yes
Description of energy efficient datacentres Cloud Gateway provides on-net connectivity by means of a point of presence in ARK and Equinix data centres, based in the UK.
Equinix data centres meet ISO 50001 Energy Management and ISO 14001 Environmental Management Standards.


Price £8333 per instance per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Yes: We will provide a free fully dedicated platform with access to one cloud provider of the client's choice, for up to 4 weeks, to test connectivity. If technical consultancy is required, this is chargeable at the prevailing daily rate.

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Terms and conditions (PDF)