Sopra Steria Cloud Container Services (DevOps Platform as a Service)
This PaaS builds on OpenShift (Docker and Kubernetes) to provide integrated DevSecOps securely as a managed service. The preconfigured DevOps environment contains source control management, CI/CD pipelines and deployment within a secure cloud environment to provide the basis for rapid development and operation of Microservice and containerised applications.
- Open-Source container based application PaaS under a subscription model
- Automated DevOps CI/CD pipelines with secure source control management
- Managed runtime supporting rapid Microservice development and operation
- Supported OpenShift platform based on Docker and Kubernetes architecture
- Extensible runtime to support legacy application inclusion and migration
- UK Sovereign cloud platform delivered from two UK data centres
- Polyglot languages: Java, Spring, .NET Core, Node, Angular, NoSQL, Python
- Configurable controls for integrated access control and user profiles
- Service level, high availability and fault tolerant production platform
- Hybrid cloud using secure and dedicated connectivity options
- DevOps-as-a-service to increase application delivery speed and quality
- Supports agile development at scale through automated tooling
- Rapid deployment, start/stop aligned to digital service project lifecycle
- Flexible subscription model with service levels
- OpenShift with Sopra Steria’s expertise to manage cloud containerisation
- Reduced cost of application ownership and budget certainty
- Love that legacy through migration/integration of existing applications
- Elastic platform, integrate cloud services and additional middleware options
- Accreditable solution with add-on accreditation and security monitoring options
- Managed data access with high availability and disaster recovery
£31400 per unit per month
6 6 1 0 4 1 9 6 5 5 3 7 3 5 2
Sopra Steria Ltd
07954 834 818
|Service constraints||The service is constrained to a supported level of running application runtime nodes as specified in the Red Hat OpenShift documentation. Additional runtime nodes can be added to the service on request in an elastic manner and will incur additional costs.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||From 15 minutes of a ticket being logged onto the system depending on priority/severity of incident/request during agreed support hours. Outside of these hours then this will be from the start of the next support period.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||Text based web chat accessible via a desktop window (can be client based or browser based).|
|Web chat accessibility testing||None.|
Our Standard support service, included in the cost of this service, includes access to the Service Desk and a Service Delivery Manager. We have an integrated knowledgebase enabling an instant self-service solution for customer questions. Our knowledgebase is available 24 x 7. If the knowledgebase does not provide the answer then the call is transferred to our service desk (9am to 5pm Monday to Friday) via Webchat or email. Our target email response SLA for questions is 95% within 2 working hours, and we aim to have resolved all queries within 2 working days (p3) or 10 working days (p4).
DevOps and application support is available through Sopra Steria’s additional G-Cloud services.
|Support available to third parties||Yes|
Onboarding and offboarding
Sopra Steria would work with the customer to configure the platform as per the customer’s specific needs. Basic set up of the standard environment is included, for example VPN connectivity and default DevOps tool configuration. Additional requirements would be addressed through Sopra Steria consultancy services.
User documentation is provided.
Onsite training is available on request at an additional cost.
|Other documentation formats||
|End-of-contract data extraction||
The DevOps Platform as a Service provides the pre-integrated tooling and environment required to develop digital applications using a source to build philosophy. We provide access to the tooling in order for the customer to manage the extraction of the data:
• Source code can be cloned out of the environment using standard Git based functionality.
• Customer specific Images can be cloned from the Docker Registry.
• Data can be extracted by the customer while access to the environment is available
• Sopra Steria could provide the data as an export activity as a costed off boarding option.
• Logs can be extracted by the customer while access to the environment is available
• Sopra Steria could provide available logs as an export activity as a costed off boarding option.
We offer a rolling month by month contract and will not penalise exit provided the notice period is honoured.
All customer information will be available to the customer to remove until termination of the contract.
Upon termination of the contract the environment will be decommissioned including the application runtime environment and all associated data.
Using the service
|Web browser interface||Yes|
|Using the web interface||We provide access to the Red Hat OpenShift management console in order to allow management of the container deployments within the platform. Users can manage the container deployments within the environment undertaking tasks such as deploying containers, stopping containers and scaling containers. User access is restricted to the management of containers to allow Sopra Steria to manage the underlying platform configuration in order to guarantee the service. Jenkins is integrated and provides the web interface to manage the continuous integration, continuous delivery pipelines within a project. The GitLab web interface is provided to allow the delivery team to manage source control and the project delivery.|
|Web interface accessibility standard||None or don’t know|
|How the web interface is accessible||The Red Hat OpenShift management web console has not been assessed against EN 301 549 9.|
|Web interface accessibility testing||None.|
|What users can and can't do using the API||We provide native access to the underlying APIs of Red Hat OpenShift and GitLab. The OpenShift API provides the same features as the web user interface allowing the creation of projects, management of projects, creation of containers, deployment and runtime configuration. The GitLab API allows developers to integrate the source control management system into their standard development IDE and lifecycle.|
|API automation tools||
|Other API automation tools||Jenkins, GitLab CI & OpenShift S2I builders|
|API documentation formats||
|Command line interface||Yes|
|Command line interface compatibility||
|Using the command line interface||
Customers can access Red Hat OpenShift using the CLI tool. The tool allows the user to perform the same actions on the OpenShift environment through the CLI as through the web console.
The user's access is limited to the privileges provided to them under their authentication model.
|Independence of resources||Dedicated resource is used as part of the service to the customer in order to ensure the service is not affected by demands from other users or customers.|
|Infrastructure or application metrics||Yes|
|Other metrics||Container availability, health and resource allocation|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Other|
|Other data at rest protection approach||Data at rest is encrypted using services provided through the 3rd party cloud provider (AWS). The keys used for this encryption are stored within the 3rd party cloud provider’s Key Management System.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Backup and recovery
|Backup and recovery||Yes|
|What’s backed up||
|Backup controls||Backups will be performed to a defined schedule|
|Datacentre setup||Multiple datacentres with disaster recovery|
|Scheduling backups||Users contact the support team to schedule backups|
|Backup recovery||Users contact the support team|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||Other|
|Other protection within supplier network||Within the AWS network client specific data is held within a segregated VPC and Account. AWS is responsible for ensuring segregation of customer data. Within the VPC and account dedicated storage is provided to the client. Access to the OpenShift environment management is secured using user RBAC. Application access can be secured by the client using the single sign on capability present within the environment. OpenID / OAuth tokens are typically used to secure application access to specific users with specific roles.|
Availability and resilience
The DevOps platform is offered as a Highly Available platform utilising HA configurations for key services. This should provide a 99.95% availability target. Our target response SLA for questions is 95% within 2 working hours, and we aim to have resolved all queries within 2 working days (p3) or 10 working days (p4).
These availability and response targets are offered without penalty to Sopra Steria. If different targets and a service credit regime are required we are happy to discuss your requirements and these can be provided at additional cost.
|Approach to resilience||The service is deployed in a High Availability architecture as recommended by Red Hat with nodes split across two three AWS Availability Zones (logical Data Centres). Additional detail is available on request.|
|Outage reporting||As part of our standard monitoring service we provide an adequate level of system health monitoring of our solution to ensure it is stable and has enough resource to operate effectively. Our standard checks include testing devices for connectivity, verifying log feeds and infrastructure resources (e.g. CPU, memory, storage capacity, etc.). In our standard implementation this service is integrated with our service management toolset which allows IT related alerts to be automatically directed to the relevant team for prompt resolution. In addition, depending on the client requirements, we can implement additional features to provide an enhanced monitoring and management service with metrics on application availability and business processes. We can also include more mature capabilities such as High Availability/Disaster recovery components in our solution, extended log retention, service desk support, and a 24 x 7 protective monitoring service. Moreover, we can also include our Remote Operations Centre (ROC) which can monitor the health of our client IT systems in a bid to prevent any outage from happening.|
Identity and authentication
|Other user authentication||Token-based authentication to access the RESTful API provided within the service.|
|Access restrictions in management interfaces and support channels||
Management interfaces are generally restricted to Sopra Steria staff using role based access controls.
Customers accessing the Red Hat OpenShift management interface will be authenticated, and access is restricted to specific users with privileged access. Federated integration with the customer's identity source can be configured on request.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
|Devices users manage the service through||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||DNV GL – Business Assurance|
|ISO/IEC 27001 accreditation date||18/12/2017|
|What the ISO/IEC 27001 doesn’t cover||N/A|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Plus|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Sopra Steria has established an Information Security Management System (ISMS) and a comprehensive set of security policies as part of our ISO27001 certification, with an overarching ‘UK Corporate Security Policy’ issued by Sopra Steria’s UK Head of Corporate Security and approved by the UK CEO. We have a robust set of security processes and controls to ensure security is effectively embedded in our organisation and these are all subject to both internal and external audit as part of our certification requirements. These controls and processes are systematically applied to our client operations which thus comply with ISO27001.
Sopra Steria also adheres to HMG Information Security and Information Assurance Standards, the Cabinet Office’s Security Policy Framework (SPF) and HMG Good Practice Guides, and is also certified under NCSC’s Cyber Essentials Plus scheme.
Sopra Steria has a Corporate Information Security team led by the Head of Corporate Security who has the delegated responsibility from the Board for operating our ISMS. As part of our security governance, we have established a Corporate Information Security Forum (CISF) that meets quarterly and ensures that the ISMS is being maintained at an operational level. The CISF sits below, and reports into, the Information Security Steering Board (ISSB).
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Our configuration and change management process is aligned with ITIL and ISO20000 best practice and includes:
• maintaining a Service Asset and Configuration Management Database (CMDB) to enable Incidents, Changes and Problems to be tracked against the affected Configuration Items;
• recording, tracking, reporting and auditing Configuration Items (CIs) in relation to the Solution, both physical and virtual;
• detailing the relationship between Configuration Items, aiding in Change impact assessment and Incident / Problem Resolution;
• supporting a change advisory board (CAB) approach, with a gatekeeper function for the Services to ensure that changes are fully ready before deployment.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Sopra Steria use a number of threat sources and feeds to provide contextualisation of its alerts and triggers. The threat sources that Sopra Steria use are a combination of feeds from central government (e.g. NCSC, CiSP) and vendors (e.g. IBM XForce, LogRhythm’s threat intelligence services, AlienVault Open Threat Exchange and Splunk Threat Intelligence, etc.). Depending on the type of service we provide to our clients, we typically correlate the threat intelligence with the client assets, their classification and any asset vulnerabilities fed into our SIEM from vulnerability scanners. This provides a holistic view and helps us prioritise remediation and patching.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||The standard service includes provision for the delivery of logs (across VPN) to the buyer’s Protective Monitoring Solution. At additional cost alternative Protective Monitoring approaches can be implemented including: • Our multi-tenanted Protective Monitoring solution • A dedicated Protective Monitoring Solution for this platform based on our expertise in providing Protective Monitoring for a range of clients. The processes within these optional Protective Monitoring approaches are aligned with HMG standards and NCSC guidelines, particularly GPG13, and we also operate within the ISO27001:2013 framework.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Our standard approach to incident management is aligned to ISO20000 and ITIL best practice.
• Incidents logged and monitored throughout their lifecycle
• Incidents graded P1 to P4 with relevant resolution prioritisation and target closure time
• Root cause analysis is undertaken and uncorrected errors transferred to Problem Management
• Prompt communication of service failures to manage the expectation of users
• Lessons learnt from each incident are captured as part of our continuous improvement
• Exceptional major incidents are assigned an accountable manager who will drive appropriate stakeholder engagement
• Reporting and analysis is reflected in service reporting to the customer.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Third-party|
|Third-party virtualisation provider||Amazon Web Services (AWS).|
|How shared infrastructure is kept separate||AWS provides segregation of client data and activity through their platform. Details are available on AWS website. Each organisation has a dedicated DevOps as a Service middleware environment built up on the dedicated cloud.|
|Description of energy efficient datacentres||UKCloud’s services are CarbonNeutral® cloud services. UKCloud achieved this certification by working with Natural Capital Partners to measure and reduce CO2 emissions across all sources used to deliver cloud services. These include direct emissions from all owned or leased stationary sources that use fossil fuels and/or emit fugitive emissions, and emissions from the generation of purchased electricity and steam (including transmission and distribution losses) to power their servers. For UKCloud’s cloud services to achieve CarbonNeutral® status, an independent assessment of the CO2 emissions produced from direct and indirect sources required to deliver them was carried out, followed by an offset-inclusive emissions reduction programme. This means that for every tonne of greenhouse gas emissions produced in delivering cloud services, a verified carbon offset is purchased which guarantees that an equivalent amount of greenhouse gas emissions is reduced from the atmosphere through a renewable energy or clean technology project.|
|Price||£31400 per unit per month|
|Discount for educational organisations||No|
|Free trial available||No|