Pirean

Access: One - Citizen Identity as a Service (IDaaS)

Access: One's Citizen IDaaS offering provides an easy-to-configure and easy-to-consume platform for Identity and Access Management services, giving Citizens secure access to Digital Services.

The service delivers GDS compliant capabilities for Registration, Authentication, Single Sign-On, Provisioning, Password Self-Service, Access Request, Delegated Administration, Strong Authentication and Reporting.

Features

  • Citizen Registration and Self-Service
  • Citizen Authentication and Single Sign-On (including SAML, OpenID Connect, OAuth)
  • Secure Access for Cloud and On-Premise Applications
  • Strong Authentication
  • Access Request, Approval and Certification
  • User Provisioning, Fulfilment and Lifecycle Workflow
  • Password Self-Service and Preferences Management
  • Delegated Administration
  • Mobile App Security and Single Sign-On
  • Real-time Reporting and Dashboarding

Benefits

  • Ease of deployment
  • Built, hosted and supported within the UK
  • A single identity (logon) for accessing digital services
  • Ease of onboarding (and offboarding) users
  • Cloud and on-premise single sign-on and user provisioning
  • End-user self-service password and preferences management
  • Centralised audit and tracking of cloud-application usage
  • Publish tailored (on brand) user-experiences specific to your organisation
  • Protect sensitive resources using Strong Authentication and remove passwords
  • Delegate everyday administration tasks to application or organisation administrators

Pricing

£1.20 per user per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 9

581367208479583

Pirean

Sales

08452260542

inquiries@pirean.com

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: None.
System requirements: Browser based access

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response times are based on ticket priority.

The service's standard response times are outlined below:
Priority 1 (High) - 30 minutes;
Priority 2 (Medium) - 1 hour;
Priority 3 (Low) - 2 hours; and
Priority 4 (Request for Information) - 1 day.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 AA or EN 301 549
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: The service is offered with Standard and Premium support. Every customer is allocated a UK-based Technical Account Manager and Service Architect (for integration questions and assistance during service on-boarding).

Standard support is operational from Monday-Friday (08:00 - 18:00), excluding UK public holidays.

Premium support extends the Standard support entitlement to provide 24x7x365 support.

The cost of Standard support is included in the subscription fee.

The cost of Premium support is an additional £4,500 per month.

Notes
- Standard support includes 24x7 support for Priority 1 incidents as standard;
- Premium support can be purchased on an ad hoc (month by month) basis; and
- Premium support can be extended to provide dedicated (named) UK-based support staff to support a service on a full-time (or headcount based) basis.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Online documentation is provided as well as phone and web based support via the Pirean Service Desk.
Customers can also purchase a fixed-fee on-boarding support service, whereby Pirean's UK Consulting and Support staff will design and implement the service on an organisation's behalf.
Additional, on-site, administrator training is available on request.
Service documentation: Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction: Pirean commit to provide a simple and quick exit process to enable organisations to move to a different supplier for each of their G-Cloud services and/or retrieve their data.

Key items to note:
Data that will be in use within the service will be held in open or the following proprietary formats:
- Industry standard LDAP; and
- SQL structured.

All data is encrypted.

Pirean commit to returning all customer specific data (e.g. content, metadata, structure, configuration etc.) and, as an output of the on-boarding process, to provide a list of the data that will be available for extraction.

The extraction of consumer generated data (or the migration to another service provider’s service) will be carried out at no additional cost to the standard annual subscription.

Pirean commit to purge and destroy (as defined in security accreditation for different ILs) organisation data from any computers, storage devices and storage media that are to be retained after the end of the subscription period and the subsequent extraction of organisation data (if requested).
End-of-contract process: Organisations are contacted at 6 and 3-month intervals prior to the end of the contract to confirm their intent to continue or terminate their access to the service.
Should an organisation choose not to renew their subscription, Pirean commit to provide a simple and quick exit process to enable organisations to move to a different supplier for each of their G-Cloud services and/or retrieve their data.
On exiting the service, support for the extraction of consumer generated data (or assistance in the migration to another service provider’s service) will be carried out at no additional cost to the standard annual subscription (assuming the migration is performed within the period of the subscription term).
Pirean commit to purge and destroy (as defined in security accreditation for different ILs) an organisation's data from any computers, storage devices and storage media that are to be retained after the end of the subscription period and the subsequent extraction of consumer data.

Using the service

Web browser interface: Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The service is fully accessible via mobile web (with a responsive user experience).

The service also provides a number of native mobile apps for ease of access, optimised user experience and enhanced security (for example, authentication using Apple TouchID).
Accessibility standards: WCAG 2.0 AA or EN 301 549
Accessibility testing: The service has been designed with accessibility guidelines in mind. On each customer go-live, the platform's user acceptance testing includes WCAG-specific test cases, for example integration with screen readers and checks that all functionality is available from the keyboard.
API: Yes
What users can and can't do using the API: The service offers a REST API which supports creating, reading, updating and deleting user accounts, permissions and attributes.

The service is configured via an admin console, with access restricted to privileged users.
API documentation: Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The service can be customised by customer-appointed service administrators.

Supported customisations include (but are not limited to):
• Look and feel of the service (for example, user portal image, organisation logos and appearance of applications);
• Add and remove target applications for single sign-on and provisioning;
• Create user groups and roles for the automated provisioning of applications;
• Configure how applications and groups are displayed (for requesting applications);
• Configure password policies and strong authentication options;
• Configure password self-service processes;
• Configure access request and approval workflows;
• Configure organisation hierarchies;
• Configure applications which require stronger authentication (step-up authentication);
• Configure custom email templates and notifications;
• Configure custom reports;
• Configure integration with identity sources (for example MDM services, HR feeds such as Workday, SAP and SuccessFactors);
• Configure integration with target services and directories (including Microsoft Active Directory and Azure AD for user authentication and single sign-on);
• Configure integration with third party SIEM and Business Intelligence tools;
• Configure integration with an organisation’s service desk; and
• Configure integration with an organisation’s MDM platform (for example, IBM MaaS360).

Scaling

Independence of resources: Pirean operate dedicated teams across Software Development, Support and Delivery / Consulting services. This ensures there are no conflicts for resources and responsibilities.
All services are provided by UK resources, operating a 24x7 capability sized to support multiple simultaneous engagements and deployments.
Our operation services operate a ratio-based staff model which ensures a minimum number of available staff per client. This ensures an appropriate number of heads to support each engagement and operational environment.
Should a client require, a headcount based Premium support model is also available, which ensures dedicated support and consulting staff aligned to specific deployment(s).

Analytics

Service usage metrics: Yes
Metrics types: A variety of service metrics are available including service up-time and performance metrics, active user statistics, active application statistics, user authentication statistics, user access requests etc.
Additional service usage metrics / reports can be configured via the service's reporting interface.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Audit, configuration and user data exports are supported in a number of ways.
The platform supports the export of system configuration via the Administrative GUI as well as the export of data via database extract, LDAP Data Interchange Format (LDIF), REST API, CSV file or an organisation specific Extract, Transform and Load (ETL) process.
Data export formats
  • CSV
  • Other
Other data export formats
  • LDIF
  • Database Extract
Data import formats
  • CSV
  • Other
Other data import formats
  • LDIF Import
  • JDBC Connection
  • Real-time HR data sync
  • Real-time Active Directory sync
  • Real-time migration of user accounts (during logon and registration)

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: The Access: One platform is designed to be available and meet service levels of 99.9% availability.

Should an issue occur, the standard service priorities and service level performance targets are:

Priority 1 (High) - Service Outage
Response SLA: 15 minutes
Operational fix, workaround or an agreed plan of action to resolve provided within 2 hours.

Priority 2 (Medium) - Service Corrosion
Response SLA: 1 hour
Operational fix, workaround or an agreed plan of action to resolve provided within 8 hours.

Priority 3 (Low) - Minor problem
Response SLA: 1 business day
Operational fix, workaround or an agreed plan of action to resolve provided within 3 business days.

Priority 4 - Service Request, or Request for Information.
Response SLA: 1 business day
Provision of required information within 5 business days of notification.

Credits
Should the above performance targets not be met, the following rebates apply:

Priority 1 (over 2 hours of down time within a 24 hour period)
Five percent (5%) of the service fee for the calendar month, for each failure.

Priority 2 (over 4 hours of impacted time within a 24 hour period)
Five percent (5%) of the service fee for the calendar month, for each failure.
Approach to resilience: Pirean’s Access: One platform is designed on IBM’s SoftLayer Data Centres, which are inherently secure and resilient. Pirean utilise SoftLayer services for backup and restore of VM images and databases, at each location serving an organisation.

Each client infrastructure is based on dedicated physical servers that can be located in any one or more of multiple data centres located around the globe. For UK customers, the implementations are, by default, based only in the UK. Additional geographies are added on approval by a client.

Our platform provides redundancy by employing multiple datacentres to host the client services. Our Data Centres are SOC 3 (SAS-70 Type II) compliant and use advanced measures for redundancy, availability, physical security and continuity.

The platform is monitored by the Pirean service desk, who operate an automated monitoring platform which captures system events, performance, health and response metrics. Output from the monitoring platform is provided on a regular basis (monthly) to each client to report on system utilisation, health and adherence to SLAs. Pirean’s service desk function also provide separate reports which detail incident and service request response and resolution times.

For further details, please see the associated G-Cloud Service Definition document.
Outage reporting: Systems monitoring and reporting is supported through:
- Provision of a client-specific reporting dashboard interface for monitoring the service;
- Real time notification via email.

The platform is monitored by the Pirean service desk, who operate an automated monitoring platform which captures system events, performance, health and response metrics.

Output from the monitoring platform is provided on a regular basis (monthly) to each client to report on system utilisation, health and adherence to SLAs.

Pirean’s service desk function also provide separate reports which detail incident and service request response and resolution times.

For further details, please see the associated G-Cloud Service Definition document.

Identity and authentication

User authentication needed: Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels: All access to infrastructure, application, and data is controlled based on business and security requirements.

Administrative and management interfaces are only accessible over secure VPN, with authentication techniques such as multi-factor authentication used to verify the identity of the user.

Service operations and maintenance are split between multiple teams. The operations team is responsible for maintaining the production environment, including code deployments, while the platform and development teams release features and code in development and test environments only.

Administrative access is restricted, with users limited to the privileges needed to perform their required functions.

Further details are available on request.
Access restriction testing frequency: At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 10/04/2017
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover: Not Applicable.
PCI certification: No
Other security accreditations: No

Security governance

Named board-level person responsible for service security: Yes
Security governance accreditation: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: The platform has been designed and is supported / maintained in accordance with ISO 27001.

Key items of note are:
- The Information Security Management System (ISMS) is compliant with ISO 27001 (undergoing recertification in April 2017);
- Pirean's Information Security Steering Committee (ISSC) oversees the security of the platform and associated processes / staff;
- Our ISMS provides details of our Governance Framework (including the ISMS Policy and Information Security Handbook); this is then supported by General User Documentation (for example, Information Classification, Communications, Clear Desk and Security Awareness policies) as well as Audience Specific Documentation (Security Software Development, User Access, Security Risk Management, Change Management policies etc.); and
- Supporting documents are produced and regularly reviewed by the Information Security Steering Group (in support of the ISMS). These documents include employee handbooks as well as the organisation's business continuity, disaster recovery, incident and security management processes.

Further details of Pirean's security policies and controls are available on request.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: Pirean operate a change and configuration management process in accordance with best practice as defined in ISO 27001 and ISO 20000.

A change's lifecycle follows a structured process through:
- Needs identification/documentation;
- Identification of all affected parties, systems and risks;
- Risk, communication and test plans;
- Change Board approval;
- Implement the communications plan;
- Undertake pre-deployment testing;
- Implement the change;
- Complete post-implementation testing;
- Change Board approval / closure.

Customers are notified ahead of any changes to their applicable environments, and reserve the right to approve a change.

Further details are available on request.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Pirean follow a structured vulnerability management process which is documented as part of the organisation's ISO 27001 accredited Information Security Management System.

In summary, scans of the service infrastructure are performed on a periodic basis in order to provide a report of any identified vulnerabilities across assets.

The Information Security and Operations teams are responsible for reviewing vulnerability reports, implementing remediations, implementing mitigating measures, informing any affected customers and documenting any exceptions.

Resolution targets are:
Critical - 2 days;
High - 30 days;
Medium - 60 days; and
Low - 90 days.

Further details are available on request.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: The Pirean infrastructure is proactively monitored for machine health and security.

These metrics include standard items such as system events, connectivity events and performance metrics such as CPU, memory and storage utilisation.

The service is also monitored against:
- Distributed Denial of Service (DDoS) attacks;
- Man in the Middle (MITM) attacks;
- IP Spoofing; and
- Port Scanning.

The platform infrastructure includes automated capabilities to block the Open Web Application Security Project's (OWASP) top 10 list of web vulnerabilities.

The management of security incidents is documented within Pirean's ISO 27001 security accreditation.

Further details are available on request.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Pirean operate a structured incident and problem management process in accordance with best practice defined in ISO 27001 and ISO 20000.

The procedures for the identification, management and resolution of incidents and problems include:
- Management of security incidents or weaknesses;
- Management of corrective actions arising from a problem or weakness that has occurred within the service infrastructure;
- Preventive actions to avoid, and arising from, weaknesses or inefficiencies identified within the service infrastructure; and
- Improvements to the service infrastructure that have been identified during normal operations of the system.

Further details are available on request.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Pricing

Price: £1.20 per user per year
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Pirean provide free-to-use access to the platform for evaluation and participation in ALPHA / BETA processes.

The free-to-use environment provides the same functionality as the production service, for an agreed number of users and timeframe.

Further details are available on request.

Documents

  • Pricing document
  • Skills Framework for the Information Age rate card
  • Service definition document
  • Terms and conditions document