Omada A/S

Omada: Identity Management, Access Governance and Administration Solution

A fully featured identity governance suite for efficient and compliant core identity management and access governance functionalities that enables business efficiency, improves IT Security and ensures compliance control. The flexibility of the solution allows a high degree of configuration, enabling enterprises to meet business requirements and manage identities across IT-systems.

Features

  • Identity Lifecycle Management: Automated provisioning of users' access rights
  • Entitlements Management: User access management automation and maintenance
  • Access Request: Request additional access rights via approval workflows
  • Fulfilment: Automated provisioning and deprovisioning of accounts on target applications
  • Access Certification: Controls to review what users have access to
  • Role and Policy Management: Processes for defining and managing policies
  • Automated Workflows: Built-in process ensuring assignments are carried out
  • Reporting Analytics: Comprehensive data overview across systems to answer questions
  • Audits: Audit-ready reports enable easy compliance with auditors' requirements
  • Password Management: Policy-driven password reset via self-service

Benefits

  • Automated joiner, mover and leaver process manages access permissions
  • Automated management of user rights and resources within target applications
  • Improves the efficiency of self-service and delegated access management
  • Reduced workload and IT costs
  • Improves identity governance so that relevant users have the right access
  • Enables business-level control of access rights
  • Improves business efficiency by expediting the approval process and controlling violations
  • Reduces time and cost involved in compliance reporting for IAM
  • Meets ongoing compliance requirements and significantly reduces the cost of audits
  • Helps implement and enforce password management business rules

Pricing

£4.40 per user per month

  • Education pricing available

G-Cloud 11

704501072455295

Omada A/S

Donna Lightfoot

+44 2039607639

info@omada.net

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: The Omada IGA solution can extend identity governance capabilities to several software systems and applications, such as Microsoft (including Active Directory), SAP (including HR systems), AWS, IBM, Oracle, Salesforce, ServiceNow and other ITSM tools, Workday, web services, Unix, SCIM-enabled solutions, LDAP directories such as Siemens DirX, Sun and Netscape, Novell etc.
Cloud deployment model: Public cloud
Service constraints: The solution is deployed in Azure. Connectivity between customer on-premises site(s) and the Azure cloud infrastructure requires a VPN, either Azure ExpressRoute or an IPsec site-to-site VPN. Authentication is done with an identity provider of the customer, which needs to support the SAML or OpenID Connect protocol.
System requirements:
  • Customers need IPsec or ExpressRoute for governance of on-premises systems
  • MS Edge, IE 11+, Chrome 53+, Safari for iPad
  • Identity Provider (IdP) supporting SAML / OpenID Connect

User support

Email or online ticketing support: Email or online ticketing
Support response times: Omada will respond to the Customer with confirmation of registration within two (2) hours of receiving incidents and service requests, during available support hours, via the Omada ITSM tool within the defined Business Hours. Omada will handle all service requests and incidents in accordance with the following (time is measured relative to defined Business Hours):
Service Requests - 95% scheduled within 5 Business days
Incidents - 95% resolved within 5 Business days

Please note: We do not offer end-user support, i.e. the customer's point of contact with Omada will be their named IT administrators, who have taken a prerequisite training course.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels:

Critical: High impact upon business operations. Critical business functions/systems are unavailable or seriously affected.
Response Time: Within 2 hours, reported by telephone and email. The case is logged into the ITSM
Time for Interim Response: 8 hours
Permanent Solution: Omada shall undertake to work continuously until a Permanent Solution has been delivered, within a maximum of 1 calendar day

High: Significant impact upon business operations, resulting in reduced ability to work and making day-to-day operations difficult to complete
Response Time: 3 hours, reported by telephone and email.
Time for Interim Response: 2 Business days
Permanent Solution: 30 Business days

Medium: Some impact upon business operations. The user can complete the majority of tasks or is able to perform normal work, but it may be more difficult due to the incident.
Response Time: 48 hours, reported to the ITSM
Time for Interim Response: 3 Business days
Permanent Solution: Next version of the Service release, but no later than 2 calendar months

Low: No adverse effect upon business operations. The user can work, and the effect is such that it does not require immediate attention
Response Time: 5 Business days
Time for Interim Response: To be agreed case by case
Permanent Solution: To be agreed case by case

Support available to third parties: Yes

Onboarding and offboarding

Getting started: After the contract has been signed by both parties, we will allocate a dedicated project lead from within Omada or from a Systems Integrator (if applicable) who will finalise the implementation Scope of Work. We will also allocate support staff and provide all relevant prerequisite training to the named IT administrators who will contact Omada. All documentation is part of onboarding. Training has a price list associated with it, which is detailed in the pricing document. Omada provides extensive training to customers. All trainings are classroom-based with hands-on training exercises. Trainings can be held on Omada premises or at a customer site. We also offer online courses.
Omada provides the following learning paths - IGA Sponsor (4 days), OIS Implementation Consultant & OIS Project Manager (18 days), OIS Solution Architect (21 days), OIS Custom Developer (22 days), OIS Administrator (4 days).
We also offer the following courses - OIS Foundation (2 days), IGA Sponsor Training (1 day), OIS Basic Installation (1 day), OIS Processes & Surveys (2 days), OIS Training Camp (15 days), OIS Omada Data Warehouse (3 days), OIS Custom Development (4 days), OIS Operations (2 days)

All training courses are charged as per the prices defined in the pricing document.
Service documentation: Yes
Documentation formats:
  • PDF
  • Other
Other documentation formats: Compressed HTML
End-of-contract data extraction: All identity data is collected from the customer's identity store and authoritative store (HR), and as such the customer would already have this data when the contract ends. At this stage, we securely erase customer data. Our ISMS has a standard operating procedure that manages secure erasure of data. We can provide logs from that SOP as evidence
End-of-contract process: The off-boarding procedure is as follows:
1. Customer terminates the contract
2. On due date: copy DB and encrypt it
3. Purge of STG and INT
4. Handover of encrypted DB to customer
5. After 14 days: Purge PROD
6. Delete Azure subscription
7. Close all tickets and delete users in Helpdesk

Prerequisites: The following prerequisites must be met before the procedure can be executed: Legal has confirmed that the contract is terminated as of a certain date
Timing and Scheduling
The execution of the procedure is linked to an incident created by, or on behalf of, the customer stating the issue. Based on the severity, it must be resolved within the agreed SLA

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: All users (System Administrators, Managers and end users) access OIS via a web browser. The difference, however, is that the UI is not responsive on phones. Omada recommends not going smaller than a tablet.
Accessibility standards: None or don’t know
Description of accessibility: Omada complies with most requirements in WCAG 2.1 AAA, for instance Keyboard Accessible, Enough Time, Understandable etc. However, we do not comply with these standards as such. Additionally, OIS is EN ISO 9241 compliant and satisfies suitability of tasks, ability to self-describe, controllability, conformity of expectations, fault tolerance and customizing capability.
OIS meets various criteria of BITV 2.0, such as facilitated perception of contents, usable without reference to sensory properties, enough time for reading contents, dispensation of flickering, help to orientate and navigate, readable and understandable texts, predictable structure and usage, supporting functions for avoiding mistakes, and compatibility with user agents
Accessibility testing: None
API: Yes
What users can and can't do using the API: OIS has the following interfaces (in addition to the integration with source and target systems via connectors):

1) REST API: Data of all data object types can be retrieved and maintained. Menu structures, data model information and other information can be retrieved and partly updated as well.
2) Web Service interface (SOAP): This interface allows the creation and change of any data object (identities, roles, permissions, organizational units…) and the start of workflow processes.
3) Access to third-party systems is possible via web services (e.g. to read data or to send a ticket to a help desk system).
API documentation: Yes
API documentation formats:
  • PDF
  • Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: OIS can be configured and customised flexibly. The options are as follows:
- The data model of the OIS Enterprise Server can be extended and adapted via the web UI (objects, attributes)
- The workflows and recertification templates are configured in a graphical workflow designer / wizard
- The web forms are designed in a graphical UI designer
- It is possible to add JavaScript to the presentation layer for more flexibility
- We offer limited capability for custom CSS style sheets, and JavaScript can be used to customize the Web UI

Scaling

Independence of resources: OISaaS is highly scalable. Our service is built to constantly monitor defined performance KPIs and perform automated mitigation actions if required

Analytics

Service usage metrics: Yes
Metrics types: OISaaS metrics are as follows:
1) Statistics for all processes
2) Import status
3) Calculated identities
4) Provisioning jobs
5) Availability
Reporting types: Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: In-house
Protecting data at rest:
  • Encryption of all physical media
  • Other
Other data at rest protection approach: We secure all encryption keys by storing them in Azure Key Vault, access to which is protected by Azure authentication/authorization. Key usage is logged and audited; the vault uses industry-standard algorithms and key lengths as well as HSMs (FIPS 140-2) to protect keys; no unapproved access is allowed; and each vault is set up specifically for each customer and not shared.

Access to customer information by service staff is approved & logged according to ISMS-DOC-A05-4, ISMS-DOC-A09-1, ISMS-DOC-A09

We have policies and procedures for labelling & handling customer data & access control matrix are stored in OIS. Operational access is controlled by Azure AD
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: All user data is usually stored in the identity store (for example AD) and HR systems. OIS simply uses the data for identity governance purposes. All data imported into OIS is available in various reports, which can be exported to the following formats:
- CSV
- MSFT Excel
- MSFT Word
- HTML
- PDF
- TIFF
- XML
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network:
1) Data in transit (access to the customer Portal via the public internet) is secured by TLS (HTTPS)
2) Communication to the customer's on-premises systems is secured by an IPsec VPN using a PSK
3) Communication to the customer's mail gateway (SMTP) is secured by TLS
4) Communication between the Azure Application Gateway and the Portal is not encrypted, as the network zone is considered to be a secure network
5) Communication between the OISaaS components (Portal, OPS, RoPE, ODW) is not encrypted, as the network zone is considered to be a secure network

Availability and resilience

Guaranteed availability: 99.5% - 24/7/365 (excluding service windows)
Regarding refunds, we work on a service level credit concept. Further details can be provided on request.
Approach to resilience: Omada’s as-a-service offering runs on Microsoft Azure. Microsoft Azure is available in 54 Regions in 140 countries of the world (e.g. UK, US, DE, …). Each region provides full redundancy of its infrastructure. Omada utilizes two Azure Regions, where one is the primary (e.g. UK West) and the other is the secondary (e.g. UK South) region, to provide fully automated failover and advanced backup as well as recovery measures, ensuring that the provided services are available even in case of a disaster affecting an entire Azure Region. The guaranteed RPO is 15 minutes and the RTO is 90 minutes. More information is available on request.
Outage reporting: Omada Identity Suite as a Service offers the following:
1) Operations monitoring capabilities via both dashboard and email alerts
2) Dashboard provides application monitoring and very detailed log analytics, including server and network performance and DB health check
3) Monitors the state of the infrastructure as well as the state of the application
4) Provides status / KPIs
5) Gathers environment logs
6) Gets priority alerts and actions
7) Alerts on availability issues
8) In future, we will offer a lot more monitoring due to the new feature “Application Insights” (in progress)

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Access control is implemented via:
1) Access is controlled by two different entities
  • Azure Active Directory (for all Azure Platform related topics, i.e. VMs, NSGs, VPNs)
  • SAASOPS Active Directory domain hosting the computer accounts, service accounts and administrative accounts for the OISaaS infrastructure components
2) Environments are only accessed with personal administrative accounts
3) Every access to the environment is tracked and audited
4) Access is only granted for a specific role and for a specific time
5) Regular access reviews are performed every three months
Access restriction testing frequency: At least once a year
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: DNV GL
ISO/IEC 27001 accreditation date: 29/11/2018
What the ISO/IEC 27001 doesn’t cover: No exceptions according to the Statement of Applicability v1.1
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Omada implements the following information security policies:

1) The password policy is described in ISMS documents ISMS-DOC-A05-2 Omada Information Security Policy, ISMS-DOC-A09-1 Omada Access Control Policy and ISMS-DOC-A09-2 Omada User Access Management Process. Password issuing and reset will be done only via the Omada HelpDesk

2) The information security incident reporting and management process is described in ISMS document ISMS-DOC-A16-2 Information Security Incident Response and Data Breach Management Procedure

3) Access to customer information by Omada service staff is approved/monitored according to the controls implemented under ISMS-DOC-A05-4 Omada Cloud Service Specifications, ISMS-DOC-A09-1 Omada Access Control Policy and ISMS-DOC-A09-2 Omada User Access Management Process. Access in the SaaS environment is protected by Azure Authentication/Authorization

4) Regarding anti-malware, programs are installed on all systems which support customer cloud service offerings, and controls are implemented according to Omada's ISMS policy ISMS-DOC-A12-4 Omada Anti-Malware Policy

5) Penetration tests: Security Risk Classification is described as part of the R&D QMS, and a reference can be found in section 2.3.3 Development Procedures in document ISMS-DOC-A14-4 Omada Secure Development Environment Guidelines. In practice we have yearly external testing of our product; the last one was finished in 2018

6) Background checks are undertaken according to Omada's ISMS policy ISMS-DOC-A07-1 Omada Employee Screening Procedure

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Omada Identity Suite as a Service implements change management as follows:
1) Every modification to a customer environment must be covered by a change
2) All changes must be presented to and approved by the “OISaaS Change Advisory Board” (an exception to that is an emergency change)
3) Emergency changes can only be changes that restore the functionality of a production customer environment based on a priority 1 incident
4) SOP OISaaS.03.03.01.ApplicationConfigurationDeployment describes a standard change
5) Several Change Boards are established
  • ITSM Change Board (every Thursday)
  • Customer Change Board (every Friday)
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Our vulnerability management consists of scans of the network layer, application layer and system layer, which is covered by ISO documents ISMS-DOC-A12-8 Omada Software Vulnerability and Patch Management Policy and ISMS-DOC-A05-4 Omada Cloud Service Specifications, Section 2.8 Operations security. This section states in addition: "...The customer cloud environment is subject to regular vulnerability scanning using industry-standard tools. Critical security patches are applied in accordance with software manufacturers’ recommendations."
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: The OISaaS protective monitoring process is:
1) Based on technology “Azure Security Centre”
2) Monitoring of the security state of resources
3) Management of vulnerabilities
4) Security policies for subscriptions and resource groups
5) Central view of the security posture
6) Prioritized security alerts
7) Will be connected to the OISaaS ITSM system

The dashboard offers a detailed view of policy and compliance, resource security hygiene and threat protection
Incident management type: Supplier-defined controls
Incident management approach: Our incident management approach includes:
1) Every issue in a customer environment is tracked as an incident
2) Every incident is triaged by the Service Delivery Managers and the OISaaS Operations Team
3) The primary goal is to find a workaround; if the root cause cannot be fixed, a problem is defined and the Problem Manager (Service Delivery Manager) takes over
4) Four major categories of incidents are differentiated: Application, Infrastructure, Data, Security
5) Customer Incident Review (every other day: Mon, Wed, Fri)
6) Incident escalation levels:
  • 1st Level: Customer Helpdesk
  • 2nd Level: OISaaS Operations
  • 3rd Level: Professional Services
  • 4th Level: R&D

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Pricing

Price: £4.40 per user per month
Discount for educational organisations: Yes
Free trial available: No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)