CA Limited

CA Identity Service (IDaaS)

CA Identity Service facilitates rapid and secure adoption of cloud applications by providing SaaS-based identity lifecycle management, user provisioning and SSO for cloud applications. Its integration capabilities reduce the risk of over-privileged, rogue and orphan accounts that could be used, inadvertently or maliciously, to gain access to critical resources.

Features

  • User Provisioning
  • Single Sign-On
  • Account Discovery & Management
  • Two-Factor Authentication
  • Application Management

Benefits

  • Improves business agility with fast secure rollout of cloud applications
  • Reduces administrative costs with automated entitlement management
  • Boosts employee productivity with secure SSO for hybrid environments
  • Minimizes the cloud attack surface with accurate user provisioning

Pricing

£2.00 per unit per month

  • Education pricing available
  • Free trial available

G-Cloud 10

579835711578533

CA Limited

Grant Williams

+44 7795857658

grant.williams@ca.com

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: NA
System requirements: NA

User support

Email or online ticketing support: Email or online ticketing
Support response times: Severity 1 - 1 business hour; Severity 2 - 2 business hours; Severity 3 - 4 business hours; Severity 4 - 1 business day
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: Web chat
Web chat support availability: 24 hours, 7 days a week
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: NA
Web chat accessibility testing: NA
Onsite support: No
Support levels: NA
Support available to third parties: Yes

Onboarding and offboarding

Getting started: CA provides a range of solution documentation, onsite and online training, and implementation services for customers.
Service documentation: Yes
Documentation formats:
  • HTML
  • ODF
  • PDF
End-of-contract data extraction: Terminating clients have the following options to receive their data:
  • API data extractions via HTTPS producing XML-formatted flat files. The XOG Developer Guide user guide contains the related technical details.
  • An Oracle Data Pump generated file containing all tables with client data.
  • An Oracle Data Pump generated file of the client’s entire CA PPM database schema. This option requires a valid, perpetual CA PPM license.
End-of-contract process: Upon termination or expiration of the subscription, customer data is subject to the following conditions:
  • If requested by the customer, the data is exported to an industry-standard format and shared with the customer.
  • The portion of the data or metadata that is required for billing and audit purposes is retained; all other data is securely deleted from the primary and backup locations.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: No
Accessibility standards: None or don’t know
Description of accessibility:
  • Screen Reader Optimized UI - determines whether the user interface is optimized so that a screen reader can better recognize its features.
  • High Contrast Color Mode - determines whether a specific UI theme to assist color-deficient users is used. If selected, the user sees the High Contrast UI theme.
  • Display - change font style, color and size, screen resolution, cursor width and blink rate, icon size, high-contrast schemes.
  • Sound - volume, text-to-speech, visual warnings, notices, schemes, captions.
  • Keyboard - repeat rate, tones associated with keys, sticky keys, keyboard shortcuts.
  • Mouse - click speed, click lock, reverse action, blink rate, pointer options.
Accessibility testing: CA generally provides a VPAT (Voluntary Product Accessibility Template) for its SaaS solutions. The VPAT documents the results of testing procedures updated for the Section 508 refresh/WCAG 2.0 harmonisation criteria. Specific tests are carried out against Section 1194. The VPAT or a similar document will be made available on request when available.
API: No
Customisation available: No

Scaling

Independence of resources: Scalability is maintained by eliminating single points of failure and using load balancers to fail over to servers that are still operational. The CA IDaaS application is stateless, allowing servers to hand users over to each other with no downtime for end users. Vertical and horizontal scaling allows multiple servers and multiple instances to be installed. Any hardware load balancer or switch that supports stateless and sticky sessions can be used.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: Other locations
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Ongoing client data retrieval is provided via a web-based user interface (including reports and dashboards) or WSDL-based APIs.
Data export formats:
  • CSV
  • ODF
  • Other
Other data export formats:
  • PDF
  • EXCEL
  • EXCEL (PAGINATED)
  • RTF
  • DOCX
  • ODT, ODS
  • XLSX (PAGINATED), XLSX
Data import formats:
  • CSV
  • Other
Other data import formats: Upload Excel/CSV using the CA PPM APIs.

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks: All web traffic is protected by TLS 1.0, 1.1 or 1.2 encryption using SHA-256 and 2048-bit RSA public keys. The CA IDaaS SaaS application encrypts user session data. CA IDaaS SaaS email services support TLS encryption.
Data is not exchanged with third parties, with the exception of AWS, where encrypted database backups are electronically transferred via a secure tunnel. No third party is given access to client data.
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: An industry-leading service availability SLA of 99.8% service availability over a one-month (30-day) period is provided as standard.
Please consult the document "SaaS Listing for CA IDaaS" for more information.
Approach to resilience: The CA Technologies Business Continuity Management (BCM) program consists of crisis management, business continuity planning and disaster recovery. BCM ensures that the organization is prepared to respond to unplanned business interruptions that affect the availability of critical business processes and the IT services that support those processes.
CA Technologies establishes and maintains policies and procedures relevant to contingency planning, recovery planning and proper risk controls to help ensure the continued performance of CA Technologies SaaS solutions in the event of any business disruption worldwide. These plans provide for off-site backup of critical data files, program information, software, documentation, forms and supplies, as well as alternative means of transmitting and processing program information at an alternate site, and resource support.
The recovery strategy provides for recovery after both short-term and long-term disruptions in facilities, environmental support and data processing equipment. Testing is performed on a routine basis following industry-standard best practices.
Outage reporting: Continuous monitoring of all service components (infrastructure and application) is deployed to proactively identify any component or service trending towards failure or approaching capacity. CA’s best-of-breed monitoring solutions are deployed, supplemented with vendor-specific diagnostic tools where appropriate.
We utilize CA Unified Infrastructure Management for real-time system monitoring and alerting, which facilitates both proactive and rapidly reactive remediation. The tool alerts on actual outages, as well as on trends that are likely to lead to a potential service outage.
Additionally, application health is continually monitored, which includes the following features:
  • Browser-based “real clicks” against CA IDaaS
  • Tracks page-load timing, total transaction time, and success and failure rates
  • Transaction robot utilizes cloud technology
  • Runs a synthetic transaction every 10 minutes against the customer environment
  • Validates Portal health
  • Monitoring System alerts and Monitoring Portal to the Network Operations Center (NOC)
  • Alerts are validated by human NOC staff
  • Validated issues become cases at support.ca.com
  • Automated call routing to CA IDaaS Operations
  • Customer call-tree document (conditions for contact, who and when to contact)

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: The measures implemented in order to manage and restrict access can be divided into six sub-categories: 1) Physical Access Control; 2) Logical Access Control; 3) Access Administration; 4) Authentication and Authorization; 5) Data Access Control; 6) Data Transfer. Please consult the document "Information Security Practices" for more information.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: You control when users can access audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: SAI Global (Certificate ISM20129)
ISO/IEC 27001 accreditation date: 03/03/16
What the ISO/IEC 27001 doesn’t cover: NA
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: Yes
Who accredited the PCI DSS certification: PCI Security Standards Council (PCI SSC)
PCI DSS accreditation date: 01/05/16
What the PCI DSS doesn’t cover: Available upon request
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards:
  • ISO/IEC 27001
  • Other
Other security governance standards: CA SaaS solutions undergo an SSAE-16 Type I audit and can also include:
  • Payment Card Industry (PCI-DSS)
  • Visa ACS: applicable to SaaS solutions that hold card-issuer-specific cryptographic keys
  • SSAE-16 Type II SOC 1 (SOC 2 tba)
Please refer to www.ca.com/saas and click on the TRUST button.
Information security policies and processes: CA SaaS offerings are subject to third-party audits in accordance with the auditing standards and frequency noted in the applicable SaaS Listings. These may include PCI DSS for payment card industry offerings but are more commonly conducted under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (“SSAE 16”), published by the American Institute of CPAs (AICPA). SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on controls within service organizations. For audits under SSAE 16, the resulting Service Organization Controls (SOC) Report includes the auditor's opinion on the fairness of the presentation of the CA Technologies description of controls that have been placed in operation, the suitability of the design of the controls to achieve the specified control objectives, and the auditor's opinion on whether the specific controls were operating effectively during the period under review.
Details of CA's full Information Security Practices are available on request.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: The Change Management process includes a formal review and approval of all changes via the Change Advisory Board (CAB), which includes representatives from the different teams within the SaaS Hosting organization. All changes submitted to the CAB have to be prepared in a Request for Change (RFC) template that includes (but is not limited to) items such as: issue statement, components to be changed, environment, test procedure, back-out plans and escalation process. The RFC has to be reviewed and approved by a manager before it is presented to the CAB.
Controls are attested via third-party SSAE 16 audits.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: CA Technologies contracts with an independent, third-party vendor to evaluate and validate the security of the service on an ongoing basis. High risks are identified, validated and remediated before production systems are made available. Medium risks are evaluated and resolved on a priority basis. Ongoing scans are performed to ensure that no new risks have been introduced.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: CA Technologies maintains a comprehensive set of information security Policies and Procedures that are approved by senior management and are reviewed and updated to remain compliant with the law and current industry practices. These Policies and Procedures include:
  • Organizational security
  • Physical and environmental security
  • Communications and connectivity
  • Change control
  • Data integrity
  • Incident response
  • Privacy
  • Backup and offsite storage
  • Vulnerability monitoring
  • Information classification
  • Data handling
  • Security configuration standards for networks, operating systems, applications and desktops
Full details of CA's Information Security Practices are available on request.
Incident management type: Conforms to a recognised standard, for example CSA CCM v3.0, ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: CA Technologies maintains a comprehensive set of information security Policies and Procedures that are approved by senior management and are reviewed and updated to remain compliant with the law and current industry practices. These Policies and Procedures include:
  • Organizational security
  • Physical and environmental security
  • Communications and connectivity
  • Change control
  • Data integrity
  • Incident response
  • Privacy
  • Backup and offsite storage
  • Vulnerability monitoring
  • Information classification
  • Data handling
  • Security configuration standards for networks, operating systems, applications and desktops
Full details of CA's Information Security Practices are available on request.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Pricing

Price: £2.00 per unit per month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial:
  • User Provisioning - in-depth provisioning and de-provisioning enables accurate access with permission assignment and orphan account detection.
  • Single Sign-On - single sign-on and secure login with two-factor authentication improve productivity while enabling secure access to apps.
  • Identity Management - identity lifecycle management that accurately reflects business controls and dynamically addresses rapidly changing environments.

Documents

  • Pricing document
  • Skills Framework for the Information Age rate card
  • Service definition document
  • Terms and conditions document