Ideesec Ltd

Cloud security and Cyber security services

The provision of security services for the design, implementation and securing of cloud services. We provide pre-deployment expertise that ensures that all threat modeling, vulnerabilities and security maintenance services are in place and tested. Ongoing Penetration testing of solutions through change and operational deployment.

Features

  • Threat modeling define security epics and stories clearly
  • Security by design influencing the code base to ensure security
  • Vulnerability scanning preparing and performing testing
  • Secure Devops tools CICD deployment DAST and SAST tools
  • Penetration Testing and Healthchecks, red team engagements
  • Compliance and accreditation testing
  • Risk Management understanding the risk of data (GDPR)
  • Experienced ethical hackers: CREST, CEH, OSCP, OSWP, CISSP & CISM
  • Managed detection and response Secure Operating Centres
  • Implementation of cloud specific security tools

Benefits

  • Early detection of code vulnerabilities
  • Provide best in class open source and mainstream security tools
  • Access to highly skilled ethical hackers and pen testing resources
  • Enhance efficiency of delivering secure products to market earlier
  • Understand, manage and mitigate risks early in the product lifecyle
  • Understand if products have vulnerabilities early in their development
  • Understand gaps in compliance early and put strategies in place.
  • Detect and extinguish breaches early
  • Implement leading edge security to prevent being hacked
  • Bring together the best of breed technologies for SOC deployment

Pricing

£400 per person

Service documents

G-Cloud 10

659065619519780

Ideesec Ltd

M Franklin

07721655007

mikef@ideesec.com

Service scope

Service scope
Service constraints The service will require access to all code in development
System requirements
  • Systems must be running on mainstream Operating Systems
  • All products must be fully licensed to enable patching

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Response times are the same however we operate on a double rate for weekend work
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels 1st and 2nd line support is provided directly to end clients, with a documented escalation point to a senior account manager if required. Support is included within SFIA rate card day rates.
Email support: Response times are within 24 hours, 9 to 5 weekdays.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We are happy to provide guidance and advice as to how to use our services. Our service generally commences with a review of the scope and an agreement of the full detail of what service is most appropriate and the effort likely to be required.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We do not hold any user's data during the contract
End-of-contract process We will hold a close of the contract meeting to review the delivery of the items in the original scope. This may include a lessons learned session to assist both parties in understanding the good and bad bits (if applicable).

Using the service

Using the service
Web browser interface No
API No
Command line interface No

Scaling

Scaling
Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources We allow for expansion and contraction of usage of tools deployed on the cloud. These are designed to allow for elasticity and the ebbs and flows of normal usage within specified upper limits (to be defined)
Usage notifications Yes
Usage reporting
  • API
  • Email

Analytics

Analytics
Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Regular reports
  • Reports on request

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery No

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability This is wholly dependent on the solution required. We are able to design a security solution that is extremely high availability in cloud, on prem or a hybrid.
Approach to resilience We adopt the best in breed services and maintain to the highest standards to ensure our solution is robust, resilient and secure to ensure compliance to regulatory and statutory legislation.
Outage reporting This will be dependent on the level of service required. The SOC or security reporting solution will be able to provide all 3 of the options listed, dashboard, API and email alert.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels We employ the best in breed Identity and Access Management solutions. This allows a coarse grained and fine grained entitlement and management of access to some or all features of the system. We maintain a strong management protocol that only allows people to see and access features and data/assets that they are entitled to.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications We employ highly experienced consultants and associates with security certifications

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards WE are currently working toward ISO 27001
Information security policies and processes We are currently working toward ISO 27002 compliance and follow the guidelines for our internal processes.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We adhere to the ITIL change and management control processes.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We adhere to a strict process of releasing code only once it has been scanned for vulnerabilities and peer reviewed. All systems and OS will be fully patched and any known/inherent vulnerabilities are listed and managed in a risk based approach. New vulnerabilities in code will be remedied where possible and risk managed if not possible. All systems undergo rigorous penetration testing before release into operation.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We employ a strength in depth approach to protective monitoring. All information and data is handled under a strict access policy and need to know. We ensure that perimeter controls prevent intrusion and leakage of data and we monitor behaviour within the network. Any potential compromise is alerted and dealt with as swiftly as it can be.
Incident management type Supplier-defined controls
Incident management approach We operate to the standard ISO/IEC 27035-3. While we are not certified as a business to this stadnard our personnel operate and assist in implementing this standard. We use Zendesk for incident management and this tied together with a SOC allows us to build context and meaningful reports.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes

Pricing

Pricing
Price £400 per person
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Terms and conditions
Service documents
Return to top ↑