BSI Cybersecurity and Information Resilience (UK) Ltd

McAfee MVision Cloud CASB

MVision Cloud the leading cloud access security broker trusted by over 1,000 enterprises to securely enable over 25,000 cloud services, including shadow IT and sanctioned IT. Clients leverage a single cross-cloud platform to gain visibility into cloud usage and risks, meet compliance requirements, enforce security policies, and respond to threats.

Features

  • Summarises cloud usage from a business perspective
  • Encrypts data in transit and at rest in cloud services
  • Delivers comprehensive registry of SaaS, IaaS, and PaaS services
  • Automatically generates scripts for popular firewalls/web proxies
  • Sensitive log data can be tokenised on premises for security
  • Collects and analyses firewall logs
  • Usage Dashboard: easy-to-understand visual summary of key usage statistics
  • Identifies High Risk Cloud Services
  • Provides a detailed audit trail for forensic investigations
  • Detect and respond to potential data exfiltration attempts

Benefits

  • Highlights Shadow IT accross the organisation
  • Capability to self-audit the organisation’s usage of cloud services
  • Policy enforcement prevents unauthorised data leakage
  • Underpins information privacy, security, and compliance in the organisation
  • Helps protect public sector organisations from reputational damage from cyber-attack
  • Encryption and other features facilitate the adoption of cloud services
  • Identifies collaboration with third-party business partners
  • Identify sensitive data subject to compliance requirements or security policies
  • Guides users from unapproved services to sanctioned alternatives
  • Highlights gaps in cloud policy enforcement

Pricing

£6.42 to £32.50 per user per year

  • Education pricing available

Service documents

Framework

G-Cloud 11

Service ID

5 6 9 4 9 7 0 2 8 7 9 3 6 7 6

Contact

BSI Cybersecurity and Information Resilience (UK) Ltd

Neil Ryan

+353 (1) 210 1711

gcloud@bsigroup.com

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Operating System: Windows (32/64 bits), *nix, or Mac
  • CPU: 4 Cores min
  • RAM: 8+ GB recommended
  • NIC: 1GB with access to the internet

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response times are the same 24x7 and do not vary
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 A
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Support and Maintenance
Support Requests
Phone, Email & Web 24/7
Technical Support
Office hours (critical and non-critical issues) M-F 6am-6pm PST (excluding US holidays)
Availability for critical issues 24/7
Response time (See below)
Service Support
Upgrade notifications Yes
Remote diagnostics Yes
Online Resources
Documentation Yes
FAQ Yes
Based on 4 service criticality levels 1 to 4

Support is included in the annual subscription for the McAfee Services
A Technical account manager is allocated to a group of accounts and a customer success manager provides regular quarterly services reviews
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Detailed training offered both on site and by remote Webex during deplyement phase. Support is provided 24x7 to cover operation and technical aspects. User documentation is available on line.
A Customer Success manager from McAfee is allocated to the process from day 1 to ensure all operational criteria are met
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction McAfee will provide this service as part of their user agreement
End-of-contract process Unless by prior agreement all data logs or otherwise will be securely erased by McAfee .

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Linux or Unix
  • Windows
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The dashboard will operate on mobile devices restricted by the rendering of the device itself and will not allow detokenisation of users unless the device is on the same corporate network as the Enteprise connector application
Service interface Yes
Description of service interface A fully interactive user portal with user privilage access is made available allowing view reporting and configuration on all aspects of the service.
Accessibility standards WCAG 2.1 A
Accessibility testing N/a
API Yes
What users can and can't do using the API The API is not available to the users but is used to control services around the McAfee service. ie a functional API not a management API
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation There are levels of customisation in both the technical fucntionality and user experience of MVision. Technically customisation and control is available in Shadow and Sanctioned IT Functionality allowing various features and control functions to be applied. The User interface can be customised and whitelabelled for the Enterprise with detailed customisation available on the screen rendered dashboard and output reports.

Scaling

Scaling
Independence of resources The MVision service is a true multi tenant cloud environment an as such scales elastically to deal with user load in real time

Analytics

Analytics
Service usage metrics Yes
Metrics types Detailed reporting is available around
Cloud Services visited
Activity on the service
Size of uploads/downloads
Risk Scoring detail of each cloud service
Anomolous activity of users versus services
Fully customisable user reports around variable parameters
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

Resellers
Supplier type Reseller providing extra features and support
Organisation whose services are being resold McAfee, Z Scaler, Okta, Druva, Alert logic,Qualys, Cyligant, Proofpoint, Bitsight

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach This is not a function that users can perform
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability 99.5% is the target availability defined in client contractual documentation.

Refunds for service discrepancies are also defined in the contract and can vary per client dependant on criticality of deployment within the organisation ie Shadow deployments are less business critical than a full reverse proxy office 365 deployment for example.
Approach to resilience The MVision solution is delivered as a highly available Software as a Service (SaaS). Each MVision data center consists of redundant hardware components and ISPs. High availability between data centers is provided through Verisign Hosted DNS (Domain Name System)

Verisign Hosted DNS (Domain Name System) provides 100% SLA for DNS resolution, globally-distributed, highly redundant design, extremely rapid propagation updates, and DNS failover as a core feature.

If a MVision data center fails, Verisign detects the failure and updates their DNS automatically to supply services from another MVision Datacenter. The MVision incident response team would then the follow Incident Response Procedure to bring the data center back online.
Outage reporting API services exist where customers can run health check . Any major outages to the API would be advised to the client by e mail with resolution activity

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Based on user permissions hierarchy and authentication
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ANAB
ISO/IEC 27001 accreditation date 21st March 2016
What the ISO/IEC 27001 doesn’t cover Subject to scope of the accreditation
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date Feb 28th 2013
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover Anything outside of scope of accreditation
PCI certification No
Other security certifications Yes
Any other security certifications ISO27018

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards ISO27018
Information security policies and processes MVision has documented change control policies and procedures, as outlined by ISO 27001 and 27018
This is managed through the operations team QMS

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach MVision's Change Management (CM) process provides a framework for the thorough documentation, testing, and evaluation of all proposed changes to the production environment. The CM process mitigates risks to MVision Cloud's production applications.

process is as follows:

Weekly meetings are held to review pending patches to production systems.
Critical patches including security patches are prioritized and scheduled for implementation as soon as possible
Non-critical patches will be analyzed to determine the logical window to schedule the upgrades

In cases where downtime is required, system maintenance is during off hours.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Routine vulnerability scanning tests are performed by external companies like Qualys and others and work is created to identify and mitigate vulnerabilities.
For security reason we do not provide vulnerability scan to tenants. We can provide the scan schedule and the remediation plan and result.

Patches applied as soon as vulnerabilities are disclosed. There are multiple sources of threat intelligence.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Combination of edge protection provided by Inbound/Outbound next generation firewalls and use of IPS intrusion protection
Real-time alerting via SIEM security incident and event monitoring using Skyhigh resources
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach MVision's incident response procedure ISMS Incident Response Procedure undergoes continuous improvement as a part of our ISMS for ISO 27001.
The standard process is to open case is via email or phone. All cases are documented . Once the case is opened , the case is assigned to the technical support engineer, who will triage the case based on the information provided by the customer. If they cannot resolve the case within the first 2 hours, the case is escalated to the Senior Escalation Engineer.
Based on the severity and business impact, engineering will resolve issues as appropriate.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £6.42 to £32.50 per user per year
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑