Cloud Gateway

Our service provides a fully managed security suite and secure transit broker for all traffic between your Offices, Data Centres, Cloud Services and Remote Users. Our SD-WAN connects your new and existing infrastructure as an MPLS alternative, both as a complementary product to Cloud Gateway and as a standalone offering.


  • SD-WAN and Cloud-based Secure Enterprise Network
  • Single Enforcement: One security policy for your entire organisation
  • Secure Web Gateway: Control and stipulate rules for all traffic
  • Advanced Threat Protection: Protection against phishing and malware sites
  • Network Forensics: Analytics and trending reporting capabilities
  • Cloud Connect: Private Connection to any cloud provider of choice
  • Portal: Cloud-based management, logging and reporting
  • Secure mobile access for remote users
  • Scalable and Elastic: No physical hardware constraints
  • Up to 24/7/365, monitoring, alerting, SLA backed and service targets


  • Agile Network allowing constant evolution of supply chain and technology
  • One global security enforcement point
  • End-to-end encryption
  • Delivers operational efficiencies by reducing hardware costs and management complexities
  • Delivers reliability and scalability
  • Accredited to connect PSN environments
  • Integrates into your existing network without disruption
  • Fully managed network and security Service
  • Compliant with HMG architectural patterns
  • Agile & Open Standards: Speeds up project delivery times


£8333 per instance per month

  • Education pricing available

Service documents

G-Cloud 10



Sholto Vaughan

020 3102 4616


Service scope

Service constraints: Customers will require their own connectivity medium (e.g. MPLS or Internet). This can be provided by Cloud Gateway, but more often is not. A terminating device capable of BGP/IPSec/Static Public IP or Cloud Gateway Stratus is also required.
System requirements: Any end user device capable of IP based connectivity

User support

Email or online ticketing support: Email or online ticketing
Support response times: 1 Hour response time
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: There is one support level which encompasses the service as a whole and is included within the monthly service fee. There are a number of Cloud support engineers that are provided to each client depending on the size of the requirement. A Technical Account Manager is provided as standard for each client. This is a fully managed service and all changes to the platform are made via a support ticket request.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: User documentation is provided with clear instructions on how to complete both initial set up and configuration.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Log information, analytics and anything else that is customer specific can be copied to a repository of the customer’s choice at which point the source data will then be deleted upon confirmation of successful copy / transmission.
End-of-contract process: The customer has the opportunity to renew the service or cease the contract. If the desire is to cease then the customer has two options:

1 – Turn the service off with immediate effect and billing ceases inside the agreed billing cycle (end of month, for example).

2 – Continue operating the service with an agreed plan to migrate the functionality. This will be charged at consultative rates as required until such time as Cloud Gateway can be turned off.

Using the service

Web browser interface: Yes
Using the web interface: Users can access operational performance metrics against their Cloud Gateway Service.

Users cannot see protocols, ports or the make-up of rules. Users cannot update their firewall rules or security requests via the control panel, nor can they see logs.
Web interface accessibility standard: None or don’t know
How the web interface is accessible: N/A
Web interface accessibility testing: None
Command line interface: No


Scaling available: Yes
Scaling type: Automatic
Independence of resources: We enforce customer segregation by using dedicated tenancies. This ensures that their Cloud Gateway service is not affected or shared by other users.
Usage notifications: Yes
Usage reporting:
  • Email
  • SMS


Infrastructure or application metrics: No


Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Backup and recovery

Backup and recovery: Yes
What’s backed up:
  • Log files and system configurations are backed up daily
  • A daily incremental backup is retained for 7 days
  • Backups of Log files are retained for sixty days
Backup controls: Your users have no control over backups. All backup and recovery administration is managed for you by our service team.
Datacentre setup: Multiple datacentres with disaster recovery
Scheduling backups: Supplier controls the whole backup schedule
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks: IPsec or TLS VPN gateway
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: 99.95% service availability. Where any service availability issues arise for connectivity from a user site, service credits will only be applicable to that site. Where any service availability issues arise for connectivity to the internet or cloud hosted providers, service credits will be applicable to all user sites.
Approach to resilience: Our service is built using overlays inside a resilient cloud architecture. Consequently, each component, each set of components, each stack and each full tenancy is designed to be resilient at multiple points. This is achieved in its simplest form by having more than one of each component part available (akin to traditional High Availability), but also by leveraging Cloud resilient functions such as Multiple Availability Zones, Multiple Regions or both.
Outage reporting: Our service sends alerts to our monitoring and engineering teams to inform them of any potential outages. The issues are sanitised to see if they require manual intervention by our team or whether automatic recovery has occurred. If manual intervention is required then a proactive alert ticket is raised into our service desk portal. Our service desk portal will show tickets that are being worked on and these can be viewed by you at any time. In addition, SMS and/or e-mail alerts can be created against any incidents relating to an outage, which will then be sent to approved phones or inboxes.

Identity and authentication

User authentication:
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels: Our service has a robust set of multi-layered security functions at its core. Access to and from any service is managed, maintained and enforced in line with Customer approved policy.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through:
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: The British Assessment Bureau
ISO/IEC 27001 accreditation date: 12/4/2018
What the ISO/IEC 27001 doesn’t cover: The Service is covered in full
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Our service is built to adhere to the HMG UK Official guidelines, which in turn adhere to the National Cyber Security Centre (NCSC) cloud security principles and the Center for Internet Security (CIS) critical security controls.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All changes are assessed and implemented in line with the agreed customer change process. We have a CMDB where all configurations, files and changes are stored for a stipulated period of time.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Potential threats are assessed through live monitoring and alerting within our platform. We obtain information from our security vendors directly (subscription and notification emails) and RSS feeds. We deploy patches manually or via auto updates into our cloud infrastructure.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We identify potential compromises through live monitoring and alerting on our platform. Depending on severity, the incident will be addressed immediately or in line with customer agreed change control.
Incident management type: Supplier-defined controls
Incident management approach: We operate under the VeriSM framework, utilising the best of ITIL v3 and DevOps methodologies.

Secure development

Approach to secure software development best practice: Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Third-party
Third-party virtualisation provider: Amazon, Microsoft and Fortinet
How shared infrastructure is kept separate: Our service is built on a variety of Cloud platforms. It is separated by customer and each customer has their own dedicated hosting environment, such that no two customers will ever share the same service components.

Energy efficiency

Energy-efficient datacentres: Yes


Price: £8333 per instance per month
Discount for educational organisations: Yes
Free trial available: No

