On Direct Business Services Limited

Cloud Direct Enterprise Mobility and Security (EMS)

Empower your employees to work on their favourite devices and apps, while you maintain control over who has access to your business resources and over which devices – with peace of mind that your business data is protected at all times.


  • Protects at the user, device, application and data level
  • Access thousands of applications using the same credentials
  • Role based access control
  • Device and application management including remote wipe
  • Proactive monitoring of devices; keeps business and personal data separate
  • Protect files from unauthorised access; online and offline
  • Alerts unusual behaviour and actions to highlight areas of weakness
  • Can be used with on-premise Active Directory
  • Multi-factor authentication for greater security
  • Understand what applications are used and their risk


  • Peace of mind due to complete protection
  • Much easier for employees to remember login details
  • Less chance of unintentional or malicious tampering of data/systems
  • Much easier to centrally manage security and identify risks
  • Less intrusive as only controlling the business data/apps
  • Resolve problems before they become major issues
  • Supports mobility and productivity while staying secure
  • Keeps you compliant; Data Protection Act and industry standards
  • One product to protect lots of different devices
  • Cost savings with a bundle purchase


£0.20 to £11.20 per user per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


On Direct Business Services Limited

Liam Ryan

0800 0789 437


Service scope

Service scope
Software add-on or extension Yes
What software services is the service an extension to Integration with Office 365 and the rest of the Microsoft Cloud products. Can be used with an on-premise Active Directory.
Cloud deployment model Public cloud
Service constraints Azure Active Directory:
• For Synchronised deployments you will need an on-premise Active Directory and Azure Active Directory Connect (formerly DirSync).
• For Federated deployments you will need an on-premise Active Directory, Azure Active Directory Connect (formerly DirSync) and Active Directory Federated Services or third-party identity provider.

Intune supports - Windows, Mac, iOS, Android and Windows Phone.

Information Protection - Windows, Mac, iOS, Android and Windows Phone and tablets.
System requirements
  • Azure Active Directory deployments - see service description
  • Intune - Windows and Mac desktops and laptops
  • Intune - iOS, Android and Windows phones and tablets
  • Information Protection - Needs Azure AD
  • Information Protection - Windows and Mac
  • Information Protection - iOS, Android and Windows phones and tablets
  • See the service description for more details

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Core Customer Support working hours; 8am-6pm Monday to Friday, excluding Bank holidays. Support issues classified as critical are supported 24x7x365. Dependant on issue classification - see our Service Definition. Initial Response times are between one hour and one working day.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Unknown.
Web chat accessibility testing We haven't directly performed any testing.
Onsite support Yes, at extra cost
Support levels We provide break/fix support as standard, 24/7 with critical case support out of hours.

For each case you'll be given a named contact.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We have a knowledge base where customers can access help articles. If we were to deploy the service (a Scope of Work would be agreed) which may offer some training.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction The customer can either migrate their account to another provider at which point we would lose all access. If the customer left and cancelled the service the data would be securely destroyed.
End-of-contract process No cancellation fees to cancel the service. Service will remain in place until the agreed cancellation date.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service offers device management.
Accessibility standards None or don’t know
Description of accessibility Unknown.
Accessibility testing We haven't completed any testing directly
Customisation available Yes
Description of customisation Customers can configure the service to perform single or same sign-on, can setup device management settings, can setup information protection settings and setup Cloud App Security.


Independence of resources Microsoft monitor the EMS service to ensure there are enough resources available to provide a good service to all users.


Service usage metrics Yes
Metrics types The service provides some analysis of usage, devices, information access, applications used within the business and potential threats.
Reporting types Real-time dashboards


Supplier type Reseller providing extra support
Organisation whose services are being resold Microsoft

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users can export data as CSV files.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The service is guaranteed to be available at least 99.9% within a month apart from in certain scenarios as described in the Service Description. Based on the level of downtime, a customer can get a maximum of 30% back across all affected licences.
Approach to resilience The data and service is based out of two data centres to provide fail over should one become unavailable.
Outage reporting Service health is displayed in the Office 365 Admin portal.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels The customer decides what users have which permissions; in many instances this relates to whether they're a user or have admin privileges. For support purposes, any one from a customer can raise a support issue but only account details are discussed with nominated contacts. For our employees we operate a strict access control policy where only necessary employees have access to customer systems. This is reviewed periodically and we monitor usage to make sure it isn't abused.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date Active
What the ISO/IEC 27001 doesn’t cover Not applicable
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date Active
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover Not applicable
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 22301 - Intune, Cloud App Security and Azure
  • ISO 27018 - Intune, Cloud App Security and Azure

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Cloud Direct have several policies around information security including vendor management, problem management, risk management, access control and information control. Every policy and process has an owner who is responsible to ensure it's followed as well as line-managers within the business. We have also built processes into our systems to help with adherence. Any time a process isn't followed a non-conformance is raised and investigated.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Cloud Direct hold ISO 27001 (Security) certification and follow annually audited processes for the management of change within the service. Changes to the service are classified as either pre-defined change , i.e. changes that are documented as a standard procedure for example, adding in a new replication instance or authorisation change which must be approved. All authorisation changes are reviewed by our change board before being allowed to proceed. Full documentation of these changes are retained within our service management system.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Vulnerability management is covered under our ISO 27001 certification in conjunction with our Tier 1 Cloud Solutions Partnership with Microsoft. Microsoft are responsible for the management of vulnerabilities and service patching.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Microsoft provides an extensive monitoring and protective service for the Cloud platform. This includes an extensive defence system against Distributed Denial-of-Service (DDoS) attacks. It uses industry standard detection and mitigation techniques. Microsoft Cloud meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS.
Incident management type Supplier-defined controls
Incident management approach Cloud Direct holds a ISO20000 certification for service management. This is an independent audit of a business’ ability to delivery consistently high-quality IT services. Cloud Direct bases its processes on ITIL® - a comprehensive set of best practices for IT Service Management. The ethos behind ITIL is the recognition that organisations are increasingly dependent on IT in order to meet business needs. This leads to an increased requirement for high quality IT services. All incident management processes are documented and audited in line with this certification.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.20 to £11.20 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Trials are available for 30 days.Depending on your trial aims, trialling the service may not be the most practical way to experience Office 365 so we can provide demonstrations to meet your needs.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑