Sopra Steria Ltd

Sopra Steria Cloud Container Services (DevOps Platform as a Service)

This PaaS builds on OpenShift (Docker and Kubernetes) to provide integrated DevSecOps securely as a managed service. The preconfigured DevOps environment contains source control management, CI/CD pipelines and deployment within a secure cloud environment to provide the basis for rapid development and operation of Microservice and containerised applications.


  • Open-Source container based application PaaS under a subscription model
  • Automated DevOps CI/CD, pipelines with secure source control management
  • Managed runtime supporting rapid Microservice development and operation
  • Supported OpenShift platform based on Docker and Kubernetes architecture
  • Extensible runtime to support legacy application inclusion and migration
  • UK Sovereign cloud platform delivered from two UK data centres
  • Polyglot languages :Java, Spring, .NET Core, Node, Angular, NoSQL, Python
  • Configurable controls for integrated access control and user profiles
  • Service level, high availability and fault tolerant production platform
  • Hybrid cloud using secure and dedicated connectivity options


  • DevOps-as-a-service to increase application delivery speed and quality
  • Supports agile development at scale through automated tooling
  • Rapid deployment, start/stop aligned to digital service project lifecycle
  • Flexible subscription model with service levels
  • OpenShift with Sopra Steria’s expertise to manage cloud containerisation
  • Reduced cost of application ownership and budget certainty
  • Love that legacy through migration/integration of existing applications
  • Elastic platform, integrate cloud services and additional middleware options
  • Accreditable solution with add-on accreditation and security monitoring options
  • Managed data access with high availability and disaster recovery


£31400 per unit per month

Service documents


G-Cloud 11

Service ID

6 6 1 0 4 1 9 6 5 5 3 7 3 5 2


Sopra Steria Ltd

Chris Horne

07954 834 818

Service scope

Service scope
Service constraints The service is constrained to a supported level of running application runtime nodes as specified in the Red Hat OpenShift documentation. Additional runtime nodes can be added to the service on request in an elastic manner and will incur additional costs.
System requirements
  • Buyers will configure a VPN to the cloud hosted environment
  • Additional middleware products would be licensed by the buyer

User support

User support
Email or online ticketing support Email or online ticketing
Support response times From 15 minutes of a ticket being logged onto the system depending on priority/severity of incident/request during agreed support hours. Outside of these hours then this will be from the start of the next support period.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Text based web chat accessible via a desktop window (can be client based or browser based).
Web chat accessibility testing None.
Onsite support No
Support levels Our Standard support service included in the cost of this service includes access to Service Desk and a Service Delivery Manager. We have an integrated knowledgebase enabling an instant self-service solution for customer questions. Our knowledgebase is available 24 x 7. If the knowledgebase does not provide the answer then the call is transferred to our service desk (9am to 5pm Monday to Friday) via Webchat or email. Our target email response SLA for questions is 95% within 2 working hours, and we aim to have resolved all queries 2 working days (p3) or 10 working days (p4).
DevOps and application support is available through Sopra Steria’s additional G-Cloud services.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Sopra Steria would work with the customer to configure the platform as per the customer’s specific needs. Basic set up of the standard environment is included, for example VPN connectivity and default DevOps tool configuration. Additional requirements would be addressed through Sopra Steria consultancy services.
User documentation is provided.
Onsite training is available on request at an additional cost.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
  • Video
  • Audio
  • Webinars/Webex
  • Presentations
End-of-contract data extraction The DevOps Platform as a Service provides the pre-integrated tooling and environment required to develop digital applications using a source to build philosophy. We provide access to the tooling in order for the customer to manage the extraction of the data:
• Source code can be cloned out of the environment using standard Git based functionality.
• Customer specific Images can be cloned from the Docker Registry
• Data can be extracted by the customer while access to the environment is available
• Sopra Steria could provide the data as an export activity as a costed off boarding option.
• Logs can be extracted by the customer while access to the environment is available
• Sopra Steria could provide available logs as an export activity as a costed off boarding option.
End-of-contract process We offer a rolling month by month contract and will not penalise exit provided the notice period is honoured.
All customer information will be available to the customer to remove until termination of the contract
Upon termination of the contract the environment will be decommissioned including the application runtime environment and all associated data.

Using the service

Using the service
Web browser interface Yes
Using the web interface We provide access to the Red Hat OpenShift management console in order to allow management of the container deployments within the platform. Users can manage the container deployments within the environment undertaking tasks such as deploying containers, stopping containers and scaling containers. User access is restricted to the management of containers to allow Sopra Steria to manage the underlying platform configuration in order to guarantee the service. Jenkins is integrated and provides the web interface to manage the continuous integration, continuous delivery pipelines within a project. The GitLab web interface is provided to allow the delivery team to manage source control and the project delivery.
Web interface accessibility standard None or don’t know
How the web interface is accessible The Red Hat OpenShift management web console has not been assessed against EN 301 549 9.
Web interface accessibility testing None.
What users can and can't do using the API We provide native access to the underlying APIs of Red Hat OpenShift and GitLab. The OpenShift API provides the same features as the web user interface allowing the creation of projects, management of projects, creation of containers, deployment and runtime configuration. The GitLab API allows developers to integrate the source control management system into their standard development IDE and lifecycle.
API automation tools
  • Ansible
  • Chef
  • SaltStack
  • Terraform
  • Puppet
  • Other
Other API automation tools Jenkins, GitLab CI & OpenShift S2I builders
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
  • Other
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface Customers can access Red Hat OpenShift using CLI tool. The tool will allow the user to perform the same actions through the CLI on the OpenShift environment as the web console.
The users access is limited to the privileges provided to them under their authentication model.


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources Dedicated resource is used as part of the service to the customer in order to ensure the service is not affected by other users demands customers.
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics Container availability, health and resource allocation
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Other
Other data at rest protection approach Data at rest is encrypted using services provided through the 3rd party cloud provider (AWS). The keys used for this encryption are stored within the 3rd party cloud provider’s Key Management System.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • OpenShift environment and supporting Virtual Machines
  • Volumes attached to Virtual Machines
  • Databases with persisted volumes
Backup controls Backups will be performed to a defined schedule
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network Other
Other protection within supplier network Within the AWS network client specific data is held within a segregated VPC and Account. AWS is responsible for ensuring segregation of customer data. Within the VPC and account dedicated storage is provided to the client. Access to the OpenShift environment management is secured using user RBAC. Application access can be secured by the client using the single sign on capability present within the environment. OpenID / OAuth tokens are typically used to secure application access to specific users with specific roles.

Availability and resilience

Availability and resilience
Guaranteed availability The DevOps platform is offered as a Highly Available platform utilising HA configurations for key services. This should provide a 99.95% availability target. Our target response SLA for questions is 95% within 2 working hours, and we aim to have resolved all queries 2 working days (p3) or 10 working days (p4).
These availability and response targets are offered without penalty to Sopra Steria. If different targets and a service credit regime are required we are happy to discuss your requirements and these can be provided at additional cost.
Approach to resilience The service is deployed in a High Availability architecture as recommended by Red Hat with nodes split across two three AWS Availability Zones (logical Data Centres). Additional detail is available on request.
Outage reporting As part of our standard monitoring service we provide an adequate level of system health monitoring of our solution to ensure it is stable and has enough resource to operate effectively. Our standard checks include testing devices for connectivity, verifying log feeds and infrastructure resources (e.g. CPU, memory, storage capacity, etc.). In our standard implementation this service is integrated with our service management toolset which allows IT related alerts to be automatically directed to the relevant team for prompt resolution. In addition, depending on the client requirements, we can implement additional features to provide an enhanced monitoring and management service with metrics on application availability and business processes. We can also include more mature capabilities such as High Availability/Disaster recovery components in our solution, extended log retention, service desk support, and a 24 x 7 protective monitoring service. Moreover, we can also include our Remote Operations Centre (ROC) which can monitor the health of our client IT systems in a bid to prevent any outage from happening.

Identity and authentication

Identity and authentication
User authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication Token based authentication to access restful API provided within the service.
Access restrictions in management interfaces and support channels Management interfaces are generally restricted to Sopra Steria staff using role based access controls.
Customers accessing the Red Hat OpenShift management interface will be authenticated and access restricted to specific user with privileged access. Federated integration to the customers identify source can be configured on request.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL – Business Assurance
ISO/IEC 27001 accreditation date 18/12/2017
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Plus

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Sopra Steria has established an Information Security Management System (ISMS) and comprehensive set of security policies has part of our ISO27001 certification with an overarching ‘UK Corporate Security Policy’ is issued by Sopra Steria’s UK Head of Corporate Security and approved by the UK CEO. We have a robust set of security processes and controls to ensure security is effectively embedded in our organisation and these are all subject to both internal and external audit as part of our certification requirements. These controls and processes are systematically applied to our client operations which thus comply with ISO27001.
Sopra Steria also adheres to HMG Information Security and Information Assurance Standards, the Cabinet Office’s Security Policy Framework (SPF) and HMG Good Practice Guides, and is also certified under NCSC’s Cyber Essentials Plus scheme.
Sopra Steria has a Corporate Information Security team led by the Head of Corporate Security who has the delegated responsibility from the Board for operating our ISMS. As part of our security governance, we have established a Corporate Information Security Forum (CISF) that meets quarterly sits below, and ensures that the ISMS is being maintained at an operational level. The CISF reports into the Information Security Steering Board (ISSB).

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our configuration and change management process is aligned with ITIL and ISO20000 best practice and includes:
• maintaining a Service Asset and Configuration Management Database (CMDB) to enable Incident, Changes and Problems to be tracked against the affected Configuration Items;
• record, track, report and audit Configuration Items (CIs) in relation to the Solution both physical and virtual
• detail the relationship between Configuration Items aiding in Change impact assessment and Incident / Problem Resolution;
• support a change advisory board (CAB) approach, supporting a gatekeeper function for the Services to ensure that changes are fully ready before deployment.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Sopra Steria use a number of threat sources and feeds to provide contextualisation of its alerts and triggers. The threat sources that Sopra Steria use are a combination of feeds from central government (e.g. NCSC, CiSP) and vendors (e.g. IBM XForce, LogRhythm’s threat intelligence services, AlienVault Open Threat Exchange and Splunk Threat Intelligence, etc.). Depending on the type of service we provide to our clients, we typically correlate the threat intelligence with the client assets, their classification and any asset vulnerabilities fed into our SIEM from vulnerability scanners. This provides a holistic view and helps us prioritise remediation and patching.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The standard service includes provision for the delivery of logs (across VPN) to the buyer’s Protective Monitoring Solution. At additional cost alternative Protective Monitoring approaches can be implemented including: • Our multi-tenanted Protective Monitoring solution • A dedicated Protective Monitoring Solution for this platform based on our expertise in providing Protective Monitoring for a range of clients. The processes within these optional Protective Monitoring approaches are aligned with HMG standards and NCSC guidelines, particularly GPG13, and we also operate within the ISO27001: 2013 framework.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our standard approach to incident management is aligned to ISO20000 and ITIL best practice.
• Incidents logged and monitored throughout their lifecycle
• Incidents graded P1 to P4 with relevant resolution prioritisation and target closure time
• Root cause analysis is undertaken and uncorrected errors transferred to Problem Management
• Prompt communication of service failures to manage the expectation of users
• Perform lessons learnt from incident as part of our continuous improvement
• Exceptional major incidents are assigned an accountable manager who will drive appropriate stakeholder engagement
• Reporting and analysis is reflected in service reporting to the customer.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon Web Services (AWS).
How shared infrastructure is kept separate AWS provides segregation of client data and activity through their platform. Details are available on AWS website. Each organisation has a dedicated DevOps as a Service middleware environment built up on the dedicated cloud.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes
Description of energy efficient datacentres UKCloud’s services are CarbonNeutral® cloud services. UKCloud achieved this certification by working with Natural Capital Partners to measure and reduce CO2 emissions across all sources used to deliver cloud services. These include direct emissions from all owned or leased stationary sources that use fossil fuels and/or emit fugitive emissions, and emissions from the generation of purchased electricity and steam (including transmission and distribution losses) to power their servers. For UKCloud’s cloud services to achieve CarbonNeutral® status, an independent assessment of the CO2 emissions produced from direct and indirect sources required to deliver them was carried out, followed by an offset-inclusive emissions reduction programme. This means that for every tonne of greenhouse gas emissions produced in delivering cloud services, a verified carbon offset is purchased which guarantees that an equivalent amount of greenhouse gas emissions is reduced from the atmosphere through a renewable energy or clean technology project.


Price £31400 per unit per month
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑