Innovate Ltd

Infrastructure as a Service - VMware

Cloud9's flexible services, provisioning and pricing ensuring the perfect cloud solution delivered for Most Economically Advantageous Tender (MEAT), enabling your organisation's ICT/Cloud Vision and move to Zero IT.

Cloud9 owns and operates it's own national cloud platform; a highly optimized fully featured portfolio of scalable service. Also available on Janet.


  • Dedicated V-LANS & SDN over multiple DC's
  • Built on HPE Blades & 3Par Solid state Storage
  • Managed, unmanaged or blended
  • Dedicated instance of System Centre or Azure Pack
  • IDS, IPS, AV, Firewall, Load-balancers with Cisco FirePower
  • Block & Object storage; S3 & Blob equivalent, Veeam CloudConnect
  • Directly connected to Joint Academic Network (JANET)
  • Private Cloud - Dedicated, Onsite Dedicated, Shared or Hybrid
  • Back-up, Disaster Recover & Business Continuity as a Service
  • UK Only Data Centre's IL3 or higher with ISO27001


  • Environment designed with you to your performance criteria
  • Access to Cloud Architects for support with optimisation
  • Consistent user performance
  • Supports move to Zero IT ownership model
  • Lower cost, higher performance & more secure than Public Cloud
  • Service Performance you test & sign-off on before you commit
  • Full cloud stack available in addition, including PaaS & VDI
  • Available on Janet; interconnected with PSN, N3 & HSCN
  • Used by ISV's to deliver SaaS or IoT services
  • Fixed pricing-model; know exactly what you are paying - MEAT


£9 to £10 per unit per month

Service documents

G-Cloud 10


Innovate Ltd

Michael Owen

0330 999 1000

Service scope

Service scope
Service constraints No major service constraints.

Cloud9 is designed to support organisations and users rather than constraining them.

Planned maintenance windows are discussed with customers to minimize any impact.

Janet users can connect directly to Cloud9, they can also access Cloud9 through open Internet or Point to Point.

All our Data Centre's are already ISO27001 certified, Cloud9 already adheres to best practice around security and governance.

Cloud9 are actively working towards ISO27001 certification and expect to have this when G-Cloud9 is awarded or very soon after

We can obtain higher security clearance if required where sponsored and with costs covered.
System requirements
  • Customers need to have a way of accessing the platform
  • Janet customers need available bandwidth on the Janet network
  • PSN users can access Cloud9 through a Janet Interconnect
  • N3 & HSCN can access Cloud9 through a Janet Interconnect
  • Customer needs 1st Line Support Desk

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 2 working hours or as agreed in an SLA
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels Commercial Support includes a named Account Manager, monthly Service Review documentation and Quarterly service improvement / strategic planning discussions.

Service reviews provide a transparent way of summarising service performance, billing, change requests, risk register, agreed actions and P1-P3 incidents and details of all SLA reports and helpdesk calls.

Cloud9 Infrastructure & Platform Support levels:
1. Cloud9 supports and patches the hypervisor level, the customer patches their Platforms, any additional support required is done so on a Time & Material basis
2. Access to Cloud Architects and system experts
3. Architects help scope & design where needed
4. Support per VM instance as either (Charged per VM):
4a. Monitoring only
4b. Patched & Supported OS
4c. UK Working hours, Extended hours or 24x7x365
5. Named contacts for Commercial and Technical escalations are provided (inc)
6. Monthly or quarter service reviews cover full SLA breakdown, Service Improvement Plans, billing & scheduled maintenance (inc)
7. Customer provided named contact to Support desk (inc)
8. Can incorporate bespoke maintenance patching windows (inc)
9. Can incorporate customer Major Incident Policy (inc)

Support charges are detailed in our price book.

A primary Cloud9 Architect / Support Engineer is assigned to each customer.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Full training is provided (online or onsite) to run through all aspects of the service based on an agreed SoW which details the level of support, migration, testing and training required.

The main focus is to train system administrators in how to best utilise the platform, how to monitor, report and implement changes and how to invoke back-up or DR.

Training is provided by qualified internal Cloud9 personal who themselves are responsible for day to day activities associated to management and administration of Cloud9 systems.

Importantly we also focus on understanding non-technical and procedural changes. We can also sub-contract cultural and business process management re engineering to a specialist 3rd party such as Stable Logic (see price book & service description document).

Cloud9 also provide documentation for training, support purposes, auditing and compliance. Documentation covers the design of the Cloud9 environment, the security documentation which includes supported protocols and network ports any back-up and retention policies including the portal to manage back-up locations, destinations, retention and restorations.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction Cloud9 offer a managed transition or Exit that covers:

1 - Managed transition to an alternative provider; process detailed in the Agreement and a SoW will be produced to cover all aspects of contract exit, charged on time & material basis.

2 - User or nominated 3rd party, migrates data to new platform, typically using standard software to do so with limited support from Cloud9 (charged on Time & Material basis)

Cloud9 will then securely remove all user data for the platform in accordance to an Exit Plan. Customers need to ensure they have copies of any data including back-ups and event logs.

In some instances it is possible for the customer to buy dedicated Cloud9 infrastructure or assets at an agreed market rate. Onsite assets (such as VDI zero clients) can be detailed in an assets register for customers to purchase at the end of a service Term.

Cloud9 can (upon request) provide a certification confirming full data removal and system cleaning, which includes the method used and date of completion. Cloud9 ask that the customers administrator removes and destroys all customer data within the Cloud9 environment prior to a full system cleanse.
End-of-contract process The contract and Sales Order will detail all the pricing elements for the delivery and running of the services
as and when the agreement ends. The customer may wish to extend for an additional or shorter term, these commercial terms can be accommodated under G-Cloud9 guidelines / restrictions.

Should the customer wish to exit at the end of the contracted term, then the Exit Plan will be invoked. This document looks at an exit plan including migrating services to another provider, to internal platforms or whatever other options have been detailed. This will also include likely costs.

At this time a formal SoW will be produced to detail the level of involvement required from Cloud9 to transition services to another provider. This is charged on a Time & Materials basis, the rates of which are details at the start of the Agreement (see price book - Cloud9 professional services).

A Customer may wish to request the new provider assists with the transition and therefore limiting assistance and costs from Cloud9 .

Cloud9 will always look to provide professional support and assistance to reduce risk and maintain service during any major transition.

Using the service

Using the service
Web browser interface Yes
Using the web interface Cloud9 supports a number of interfaces for specific set-up's, such as System Centre 2016, Azure Pack, Jelastic, Eucalyptus (for AWS look at feel UI on KVM).

The web portal / UI is set-up for each customer by Cloud9. Each customer will be given an administrator account and expected to manage users accounts and security. The initial set-up will be based on agreed requirements, training on how to use the web interface and manage changes, including understanding best practice and support for change control, compliance and documentation.

Services are accessed through standard UI's or web-browsers. The UI's are designed to provide the feature sets required to support the needs of the administrator. Changes are logged and Cloud9 can provide time & material support (per day or per hour).
Web interface accessibility standard None or don’t know
How the web interface is accessible Interface available as Web UI via web broswer or CLI through access controls
Web interface accessibility testing We use standard Web technologies and security methods to reduce risk, such as HTTPS, SSL and support various access control methods.
Vendor specific UI's have been tested and are supported by them, the Cloud9 in-house UI has a dedicated development team who have controlled releases and a QA process.
What users can and can't do using the API Cloud9 API's provide access to all types and operations, available as REST API, customers can gain better integration into the Cloud Services platform. Operational and performance motioning can provide insight and control, delivering automation and business intelligence. The REST API covers:

User Operations
User Elements
User Types
Extension Operations
Extension Elements
Extension Types
Admin Types
Admin Elements
Admin Operations

The requirements for integration can be discussed at an early stage to capture the requirement and ensure the right technology is deployed to support the stated outcomes. Cloud9 do not offer API coding however do provide supporting documentation to customers for the platforms API's.
API automation tools
  • Chef
  • Terraform
  • Puppet
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface Full API functionality is available from the CLI


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources The Cloud9 environment is logically segregated with resource allocated to each environment ensuring consistent performance of all users on each customer environment.

This approach ensures no one customer can act as a resource thief against another and that complete independence exists. When customers approach resource limits, scale can be applied to a predefined upper agreed limit. This is monitored closely by the Cloud9 Infrastructure team who continually assess platform capacity, density and utilisation as part of infrastructure planning to ensure we maintain between 60-80% capacity to ensure we have a competitive price point, balanced with the ability to scale.
Usage notifications Yes
Usage reporting
  • API
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Service availability
  • Windows event logs
  • Resource history (changes)
  • Memory performance
  • Machine utilisation
  • Network performance
  • IDS/IPS & Network Security
  • Helpdesk performance - Support
  • Proactive alerts - optimisation / performance
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Hypervisor
  • Baremetal
  • Virtual Machine
  • Operating System
  • IOS, MAC OSX, Windows, Android, Linux
  • Utilise Veeam Cloud Connect or Infrascale
  • Back-up to and restore from Cloud9 environment
  • Support for Hot-Standby or full replication
Backup controls Each user has a dedicated UI to manage back-up routines, set retention policies and periods and invoke restoration to an existing restoration device; which can be a Cloud9 server on a pre-allocated vLAN.

Many organisations will already be using Veeam Cloud Connected which is fully supported and heavily used by Cloud9. Infrascale is also used in some instances.

Users have full control over setting schedules for data sets.

All data is encrypted locally on the source device, encrypted in transit and at rest at the Cloud9 destination.

Alerts based on failed back-ups can be sent
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users schedule backups through a web interface
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Cloud9 deals with SLA's in a couple of ways. Firstly by paying our service credits where an outage has occurred. Services come with a 99.99% SLA as standard, however some designs my be highly available and therefore have a higher SLA:

Cloud9 Services Availability 99.99% or Higher - None
Cloud9 Services Availability 99.5% - 99.89% = 5%
Cloud9 Services Availability 99.49% - 99.00% = 10%
Cloud9 Services Availability 98.99% - 97.00% = 15%
Cloud9 Services Availability 96.90% - 96.00% = 20%
Cloud9 Services of less than 96.00% = 25%

Cloud9 associate SLA performance with Material Breach so customers can exit an Agreement due to continual poor performance.

Cloud9 allow customers to go through User Acceptance Testing & Sign-off pre-billing to reduce risk of performance related issues and minimising commercial risk or exposure; this also ensure customer know how the platform performs.

Cloud9 also looks at the platform performance, not just it's On/Off availability, performance is what users notice and so our focus is on consistent, high performance and service continuity. A significant amount of focus is around performance of the environment, including platform latency and capacity to ensure user-experience.

Cloud9 also has a Support response time and severity SLA.
Approach to resilience Resiliency comes down to requirements and budget. If a customer doesn't require a resilient service (or application) then they are not forced to pay for it, however a number of options exist to support various levels of resiliency based on SLA, performance and budgetary requirements:

- Local back-up's of Hyperviser or VM's are taken periodically, encrypted and stored either location or locall and on 2nd location for restoration
- High Availability design - this allows users to have hot standard by environments in a secondary location
- Load-balanced architecture - an environment whereby 50% of the users go to 1 location and 50% to a second location, each location capable of supporting 100% of users
- SDN created over multiple DC's with resource (CPU, RAM, Storage) or VM's available on that network

Cloud9 operate from multiple UK data centres (from a number of providers) each location having a minimum of two network connections from different operators.

Cloud9 is built on C7000 HP Blades in a grid design, meaning every single machine uses resource from multiple blades, further reducing single points of failure.
Outage reporting Email alerts to named customer support contacts or generic email address.
Phone call to customer support contact or helpdesk.
API with platform or service management application.

Our Support desk pro-actively contact customers to highlight any high priority (P1-P3) incidents. We discuss impact and resolution or any preventative action already taken by our Infrastructure team.

P4 or lower issues are generally dealt with over email.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels All management interfaces are only accessible by named and security vetted individuals via a two factor authenticated session on an IPSEC v2 VPN tunnel.

All connections are logged and audited.

Multiple failed attempts automatically lock the individual user account with automated notification sent.

All passwords are timed and must be unique and can't be recycled.

Cloud9 also support Software Defined Networking (SDN) virtualisation technologies, including Network Virtualization using Generic Routing Encapsulation (NVGRE) and Virtual Extensible LAN (VXLAN). These technologies are designed to supported better connectivity, access and scalability specifically for cloud computing environments.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Centre for Assessment Ltd
ISO/IEC 27001 accreditation date 07/12/2017
What the ISO/IEC 27001 doesn’t cover None
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Data Centre environments are PCI DSS certified
  • Data Centre environments are ISO27001 certified
  • Data Centre environments are HIPAA certified
  • Data Centre environments are Cyber Essentials certified
  • We expect to be fully ISO27001 certified by May 2017
  • We expect to have Cyber Essentials certification by June 2017

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes Cloud9 have an internal CISO (Chief Information Security Officer) who is ultimately responsible for the security and integrity of the Cloud9 platform and services; including customer environments, all of which are approved (either as blue-print or bespoke designs).

The CISO reports directly to the Cloud9 CTO and the Board covering strategy, risk management, planning, systems, processes, compliance, governance and continual improvement.

The Cloud9 CISO is also responsible for internal processes and procedures, ensuring they are followed inline with internal and ISO standards. The InfoSecurity team are also responsible for following, monitoring and improving systems and process as well as keeping up to date with a number of key elements, including:
- Physical security to Data Centres; Co-location Racks and Cloud9 office locations
- Environmental Controls within Data Centres
- Secure Access Management to Cloud9 platforms and Customer networks on Cloud9 platforms
- Network Infrastructure and Integrity; this also cover DDOS protection, Disaster Recovery, customer SLA's and single points of failure
- Human Resources to cover background checks and screening of employees who must also undertake security awareness and training on procedures and documentation
- Operational Security which covers incident management, patching and updates, documentation, training, accreditation, certification and continual improvement

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Changes made by the Customer to their Private Cloud environment which they support themselves, is done so at the Customers risk.
Where Cloud9 provide Support of the Customers environment, all change requests must be formally submitted and approved by Cloud9, they are fully audited and assessed against risk. The request has to include:
1. Reason
a. Improving security
b. Improving performance or functionality
c. Reduce operational overhead or cost
2. Request to be approved by Cloud9’s:
a. Service Manager
b. System Architect
c. InfoSecurity
3. Change request must include:
a. Expected outcome
b. Test plan
c. Roll-back plan
d. SoW
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach All systems are scanned for vulnerabilities every month. Cloud9 uses the Common Vulnerability Scoring System (CVSS) for all Common Vulnerabilities and Exposures (CVE) provided by the National Vulnerability Database.

Scoring for non-CVE vulnerabilities is provided by UB’s vulnerability scanning tool. A priority is placed on patching or mitigating the vulnerability based on these scores and the logical location of the vulnerability within Cloud9's network infrastructure. Remediation occurs within 10 business days for critical vulnerabilities.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Our service management processes are ITIL V3 aligned and have particular focus upon Security Incident Management and Continuous Service Improvement. Some of the components of this system have been provided below:
- Network and Host based IDS/IPS
- Traffic monitoring and intelligent traffic analysis
- Packet capture and analysis to enable investigations into alerts
- DNS monitoring to detect DNS lookups to known or suspected malware
- Botnet monitoring – hunts for and alerts on any type of connection
- Web and email threat monitoring
- Geographic analysis of all attacks and traffic

Automated systems ensure ultimate continual protection.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Prevention: The understanding of and application of insight gained from the intelligence

Detection: The interpretation of any events of interest occurring to discriminate between legitimate and abnormal events to identify anomalous activity

Investigation: The analysis of anomalies to determine whether they are emerging threats that may lead to a security incident

Reaction: Our analysts use tailored, predefined and configured Playbooks to efficiently inform their reaction to an identified threat

Response: The planning of effective mitigations in response to the cyber-attack, the communication of these plans to all relevant stakeholders, and the collaboration with all relevant parties to carry out mitigations.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate An organisation is the container for a tenant and forms logical boundaries between tenants. Each organisation gets units of resources defined by the Org vDCs it has. The resources that get defined at the Org vDC are compute, storage and network.
When a Org vDC is created, a Provider vDC is used to allocate resources to the Org vDC. The Provider vDC maps these resources into different containers, which isolates the units of compute.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £9 to £10 per unit per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial A customised trial can be arranged in a limited form for a 30-day period.

Customer go through User Acceptance Testing to ensure the Cloud9 solution is fit for purpose.

Trails may be limited in functionality and integration.

All Terms & Conditions apply to trail users
Link to free trial

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑