GoPivotal (UK) Limited

Pivotal Cloud Foundry

PCF is a unified, multi-cloud platform for running your enterprise applications and microservices. PCF PAS allows developers to quickly push applications without having to manually create their own containers; the platform does this for them. PCF PKS provides an evergreen Kubernetes runtime to run any containers you do have.


  • Container creation from application code
  • Container deployment
  • Container runtime management
  • Application high availability management
  • Application lifecycle management
  • Application and systems monitoring
  • Software Defined Networking
  • Kubernetes service
  • Platform as a Service (PaaS)
  • Container as a Service (CaaS)


  • Quickly create application containers using an automated process
  • Securely manage containers centrally, and scan for vulnerabilities
  • Hands off management of container instances and health
  • Automatically scale instances up or down depending on demand
  • Securely manage application and service bindings centrally
  • Quickly collate logs and metrics and report on system health
  • Quickly make application or service instances available on the network
  • Quickly provide a managed Kubernetes environment to developers
  • Free developers to spend time writing applications, not container scripts
  • Ensure your applications are all secure by using curated open source


£262 to £1542 per instance per year

Service documents


G-Cloud 11

Service ID

399552675622863


GoPivotal (UK) Limited

Imran Razzaq


Service scope

Service constraints
The platform runs on Amazon AWS, Google Cloud Platform (GCP), Microsoft Azure and VMWare vSphere based infrastructure.
System requirements
  • Must have capacity for at least 34 Virtual Machines
  • Must have subnets configured for applications, services, and management
  • Must have a hardware or elastic load balancer configured
  • Must have a wildcard DNS entry configured for the platform
  • Should have an existing log management or cyber incident system

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is available 24 hours a day, 7 days a week, 365 days a year. Target response times:
  • Critical (Severity 1): 30 minutes or less (24 hours/7 days a week)
  • Major (Severity 2): 2 business hours
  • Minor (Severity 3): 8 business hours
  • Cosmetic (Severity 4): 1 business day
Business hours are 7am to 7pm, Monday to Friday.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
We provide Support for all Enterprise users. The cost is included in the Annual subscription for our software (see above). We provide an additional level of support called Business Critical Support services which are delivered remotely by a Designated Support Engineer (DSE). The DSE serves as your single point of contact for Pivotal Software support and is an extension of your team. In personally overseeing your Pivotal support experience, the DSE drives faster resolution and engages Pivotal subject-matter experts when needed. The DSE engages your team in discussing open service requests and product-related issues, driving toward more efficient resolution and enabling discussion of future plans, projects, or enhancements. Should there be a critical event, your DSE will conduct a full Root Cause Analysis, including incident review with detailed outline of the impacting event, additional detail around the debug analysis, recovery, and the resolution steps taken. Your DSE can facilitate the feature request process with your team, advocate with Pivotal product management on your behalf, and lay out timelines and delivery dates of new features. The cost of this service for 12 months is £70,000 and £35,000 for 6 months, which provides 10 hours/week support for the duration of the agreement.
Support available to third parties

Onboarding and offboarding

Getting started
Pivotal Cloud Foundry Dojo Services are designed to accelerate your success with Pivotal Cloud Foundry by pairing our experts with your people to plan, implement, customize, use, and scale the platform to meet your needs. By working together we improve project outcomes and maximize on-the-job skills enablement. An expert team from Pivotal will work with designated people from your organization on a prioritized backlog over a period of 4 or 6 weeks. Typically the Pivotal Cloud Foundry Dojo service is focused on deployment and testing concerns. Actual work is tailored against your objectives and actively prioritized by your Product Owner to ensure investments align to what’s most important.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data created by the system or its applications would still be stored in a customer's IaaS-provisioned storage in its native format. Customers can therefore simply continue to use the data connected to the database product that created it. PCF is generally installed to use Postgres or MySQL database products, both of which are open source. Redis is also used for some caching functions. Container builds are generally stored in an S3 compatible store, such as AWS S3. Customers therefore always have their own data under their own control, and are not locked in to the platform.
End-of-contract process
In the event of expiration of a Subscription License or any termination of the Agreement, Customer must remove and destroy all copies of Software, including all backup copies, from the server, virtual machine, and all computers and terminals on which Software (including copies) is installed or used and certify destruction of the Software. All support services cease. If the customer has created applications and services, they are free to move or migrate these applications to other instances of Cloud Foundry or other platforms. The costs associated with doing this are borne by the user. Pivotal can provide consulting services to assist in this process. The costs associated with this are dependent on the number, density and complexity of the applications. The Service Description and prices for Pivotal Consulting Services are available in the section on Cloud Support.

Using the service

Web browser interface
Using the web interface
There is a browser-native HTML5 graphical console for PCF Ops Manager that allows users to use the service. The software uses a graphically rich user interface that has a number of pre-configured tiles that allow users to select the services that they require and then deploy them as required with a single click. These tiles can also be configured by the user to deliver additional functionality if required through the same web interface. Limitations and controls on who and how changes can be made through the web interface can be implemented if required. There is a browser-native HTML5 graphical console for developers called PCF Apps Manager that allows developers to use the service. Users can see their application as a tile and they can manage the application as they wish from the tile.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
The web interface is accessible through a browser. We support all major browser types. The end user is able to access some but not all of the accessibility features. Currently, users can use the High contrast visibility features within these browsers. We are working on making our software more accessible by delivering additional functionality that will allow us to be WCAG 2.1 AA compliant by the end of the year.
Web interface accessibility testing
We have been undertaking a significant amount of testing with assistive technology users. All our support services and applications are WCAG 2.1 AA compliant. We are working on a roadmap to ensure that all our end-user applications are WCAG 2.1 AA compliant by the end of this year.
What users can and can't do using the API
PCF web interfaces and command line interfaces are built on the same RESTful API layer. All functions of the platform can be accessed via an API. This is an HTTPS and JSON based API. Many customers integrate their own scripts and CI/CD pipelines with the PCF REST API.
API automation tools
  • Ansible
  • Chef
  • Terraform
  • Puppet
  • Other
Other API automation tools
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
All functionality of the platform is available via either a web-based user interface or a command line interface. An API layer underpins and is common to these two access mechanisms. Many customers use this interface to integrate their CI/CD platforms. It is a RESTful HTTPS and JSON based set of services. All APIs are documented publicly on our website.


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
PCF resources can be segmented into Organisations and Spaces with quotas assigned for the total compute or RAM used. This limits how many resources individual users or groups can use from the total provisioned compute available. Furthermore, if physical separation is required between compute instances, Isolation Segments can be configured to ensure that some workloads do not run on the same physical hardware. This is useful where, for example, two CPU intensive applications should not be run on the same hardware.
Usage notifications
Usage reporting
  • API
  • Email


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
The method used will depend upon the underlying Infrastructure as a Service (IaaS) used. Many customers will use vSphere in their own infrastructure, in which case the controls are customer defined.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Container Images
  • Uploaded applications
  • Platform configuration
Backup controls
Scheduling of different backup actions can be accomplished individually. Data can be backed up separately using tools specific to the data store.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups
Users schedule backups through a web interface
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The level of availability on the PCF Platform as a Service (PaaS) depends upon the infrastructure it is deployed upon. Amazon AWS, for example, has a particular SLA it guarantees and so the PCF platform could not be guaranteed to be any further available than that. Pivotal Labs provide a platform Dojo whereby our labs team pairs with a customer's platform management team to install and configure the platform on their infrastructure to meet any SLAs they may have. PCF is configurable in a variety of ways to meet scalability and availability requirements as necessary.
Approach to resilience
Pivotal Cloud Foundry is fully compliant with the NCSC Cloud Security principles. A full document describing how we enable these is available on request. This includes resilience of the PCF platform and applications installed within it. In summary, PCF provides resilience in that the entire platform can be scaled across multiple availability zones. PCF also places deployed applications across availability zones to ensure resilience. PCF actively monitors and manages applications and services to ensure a specified number of instances are available at any one time. PCF can be configured to auto scale application instances up and down depending upon the workload on each application at the time, saving departments money.
Outage reporting
There is a PCF Apps Manager dashboard that allows the current state of an application and its instances to be viewed and reviewed visually. A log stream is available from the PCF Loggregator subsystem to a customer's preferred log management platform. PCF actively monitors all applications, services, and its own components. PCF will kill and restart any instances that fail in order to ensure there will not be any outages. This is done by the platform without any need of human intervention by an operator. PCF Healthwatch provides a live Web UI graph/charting application to view current status of the system and applications. Alerts can also be configured if required.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
Other user authentication
The exact network interconnects available will depend upon the customer's own preferred infrastructure as a service (IaaS), be they AWS, GCP, Microsoft Azure, or their own private infrastructure using VMWare vSphere.
Access restrictions in management interfaces and support channels
Pivotal restricts access to named user accounts working on behalf of customers or ourselves. Separate administration roles are available for all administration tasks. A separate security service (called CredHub) can be used for administration of the platform and access to applications and roles within them, further segmenting access to manage the platform.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • NIST 800-53(r4) controls are documented for Pivotal Cloud Foundry
  • Pivotal Cloud Foundry is undergoing a UK Government accreditation process

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
A mapping of NCSC cloud security guidance on to PCF features is available on request. A Pivotal reference architecture for PCF at Official (including OS) is available on request. A NIST 800-53 (r4) controls mapping is available on our website. We are submitting our application for ISO 27001 imminently.
Information security policies and processes
Pivotal’s Information Security Policies are based on ISO/IEC 27001:2013. The policies have been published on the company’s internal portal and are reviewed periodically and approved by the Chief Security Officer. All users are provided with appropriate security awareness training to ensure policies are followed. The Information Security Team is led by the Chief Security Officer. The security organization is comprised of 3 distinct yet collaborative teams - (1) Governance, Risk and Compliance (2) Information Security and (3) Physical Security.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Every Pivotal software upgrade is pre-tested against our own security pipeline and alongside other components in the platform before it is shipped to customers via the Pivotal Network (PivNet). We perform additional vulnerability scanning of our software and dependencies using third party scanning software. Every code change to a component is linked to a requirement, and has tests written for it, before it is accepted into the next release. This provides tracking of every change back to the specific user need that it was required for, alongside the output of the tests.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Regular testing is done against all our software. In addition, when a CVE is disclosed in a third party component or dependency, we take the latest fix, test it, and ship it as soon as possible after the upstream project releases a fix. We also routinely harden software components to minimise the attack surface.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All service and application component logs are aggregated into a log stream allowing centralised analysis of all activity within an installation (called a Foundation). There are also components to spot when an unauthorised process modifies any binaries of built containers, or works around the immutable nature of a running container. How quickly a response occurs depends on the customer's own incident management processes and policies.
Incident management type
Supplier-defined controls
Incident management approach
How quickly a response occurs depends on the customer's own incident management processes and policies. Should a problem be discovered in the underlying Pivotal platform, Pivotal's support staff will respond within the SLA agreed timings.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Other virtualisation technology used
Depends upon the customer's chosen Infrastructure as a Service (IaaS) provider. On a customer's own network this would be VMWare vSphere. On AWS, Google Cloud Platform (GCP), or Microsoft Azure it is determined by those providers.
Pivotal Application Service (PAS) and Pivotal Container Service (PKS) themselves also have the ability to separate individual containers on the underlying VMs using Isolation Segments (PAS) and multiple Kubernetes Clusters (PKS).
How shared infrastructure is kept separate
Again this depends on the customer's own infrastructure provider and policies. Pivotal Application Service (PAS) can separate workloads logically using Organisations and Spaces. This is particularly useful to enforce quotas on different applications or teams. Isolation Segments within PAS will physically separate containers across physical hardware, and ensure software defined network and storage separation if desired.

Energy efficiency

Energy-efficient datacentres


£262 to £1542 per instance per year
Discount for educational organisations
Free trial available
Description of free trial
There is a free 90 day time limited and usage limited version that can be used for testing and evaluation purposes.
Link to free trial and
