Fujitsu Secure Cloud
The Fujitsu Secure Cloud platform is used to deliver our next generation digital business capabilities, drawing on extensive global experience of delivering technology at all security classifications. Fujitsu Secure Cloud provides a dedicated private/community cloud solution capable of running workloads with a Government Security Classification of OFFICIAL, SECRET and TOP SECRET.
Features
- OFFICIAL, SECRET and TOP SECRET Managed Private Cloud
- Virtual Server, Virtual Network, Storage and Backup
- Infrastructure as a Service (IaaS)
- Platform as a service (PaaS)
- Flexible User Portal and API Access
- Blueprinting and templating service
- UK based Security cleared Service Management Team
- Customer configurable workloads including web, database and application servers
- Linux and Windows based
Benefits
- Low volume minimum commitment
- Various charging methods including pay-as-you-use
- Flexible User Portal and API access with object level security
- Compliant with NCSC Cloud Security Principles 1-14
- Single or Dual Data centres – UK or Crown Premises
- Data centres with existing government network connections (RLI, SLI, PSN)
- Cyber Essentials Plus accredited Supplier
- Phased Transition
Pricing
£135.10 a virtual machine a month
Framework
G-Cloud 12
Service ID
707514663435528
Contact
Fujitsu Services Limited
Government Frameworks Desk
Telephone: 07867829234
Email: government.frameworks@uk.fujitsu.com
Service scope
- Service constraints
- None
- System requirements
- Customers are responsible for third party application licenses.
- Management of Customer’s payload (Operating System and above) not included
- Customer's payload management is not included as standard; it can be purchased separately.
- Customers are responsible for applications deployed to Fujitsu Secure Cloud.
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- As per Service Definition Document
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Please see Service Definition for details of the service levels. This standard offering provides a virtual server availability of 99.9%. Support is provided during standard working hours Monday to Friday 08:00Hrs – 17:00Hrs (excluding Public and Bank Holidays). The option for additional support hours can be requested and shall be subject to an additional charge. A named Service Delivery Manager will be aligned to this service.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- As part of the standard service, no specific on-boarding activities have been included. The customer will receive an operational cloud environment, user portal and API interface which they can start consuming. If required, Fujitsu is able to provide a service to migrate existing cloud and physical services to the cloud and provide a set of additional blueprint templates. The exact requirements for this service should be discussed with Fujitsu and will incur an additional charge.
- Service documentation
- Yes
- Documentation formats
- HTML
- End-of-contract data extraction
- Users are free to extract data prior to the end of the contract. If required, Fujitsu can support this process, but this will attract an additional charge.
- End-of-contract process
- As part of the standard service, no specific off-boarding activities have been included. The customer should ensure all services have been migrated off the cloud service prior to the end of the contract. Fujitsu is able to provide additional services to support the customer with these migration activities and should confirm the price for these services prior to termination.
Using the service
- Web browser interface
- Yes
- Using the web interface
- Please see the details in the Service Definition document.
- Web interface accessibility standard
- None or don’t know
- How the web interface is accessible
- To be confirmed.
- Web interface accessibility testing
- To be confirmed.
- API
- Yes
- What users can and can't do using the API
- Please see the Service Definition document.
- API automation tools
- Other
- Other API automation tools
- TBC
- API documentation
- Yes
- API documentation formats
- Other
- Command line interface
- No
Scaling
- Scaling available
- Yes
- Scaling type
- Manual
- Independence of resources
- This is a dedicated private cloud service and therefore not impacted by other customers.
- Usage notifications
- Yes
- Usage reporting
- API
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
- CPU
- Disk
- Memory
- Network
- Number of active instances
- Reporting types
- API access
- Regular reports
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2012
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- Less than once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Other
- Other data at rest protection approach
- Details can be provided on request.
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Hardware containing data is completely destroyed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
- Service enables customer to perform backups – additional charges apply
- Backup controls
- The service provides mechanisms to allow the authorised customer users to perform backups of data within their tenant. Backup services shall be charged on a per usage basis.
By default, Fujitsu has no access to customer data and does not perform backup or recovery actions for a customer. Fujitsu can provide services specific to customer needs for backup, recovery and business continuity at additional charge.
The cloud service can be hosted at customer datacentre/s, Crown Hosting datacentre/s and Fujitsu datacentre/s as required by the customer and as such the backup, recovery and business continuity services are bespoke for each customer.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Multiple datacentres
- Single datacentre with multiple copies
- Single datacentre
- Scheduling backups
- Users schedule backups through a web interface
- Backup recovery
- Users can recover backups themselves, for example through a web interface
Data-in-transit protection
- Data protection between buyer and supplier networks
- Private network or public sector network
- Data protection within supplier network
- Other
- Other protection within supplier network
- Details can be provided on request.
Availability and resilience
- Guaranteed availability
- The standard service provides a service availability of 99.9% for each Virtual Server measured on a 24 x 7 basis and calculated monthly.
There is a Service Credit (please contact Fujitsu for detail) of the usage fee due for that virtual server for that month, if the performance commitment is not met.
- Approach to resilience
- Fujitsu will deliver Fujitsu hosted services from its UK data centres. Details can be provided on request including options for customer/Crown Premises.
- Outage reporting
- Email alerts are provided.
Identity and authentication
- User authentication
- Dedicated link (for example VPN)
- Access restrictions in management interfaces and support channels
- This can be supplied on request.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
- 2-factor authentication
- Devices users manage the service through
- Dedicated device over multiple services or networks
Audit information for users
- Access to user activity audit information
- Users receive audit information on a regular basis
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Bureau Veritas
- ISO/IEC 27001 accreditation date
- 30/11/2018
- What the ISO/IEC 27001 doesn’t cover
- The service is covered.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- Fujitsu delivers the Services using a secure ISO27001:2013 compliant support environment. This element of the service comprises - Definition, maintenance and implementation of the Fujitsu standard Information Security Management System (ISMS); Physical protection of the defined infrastructure within Fujitsu’s ISO27001:2013 accredited Data Centres; Undertaking appropriate audits and assessments to ensure ongoing compliance; Implementation and enforcement of Fujitsu’s security policies and supporting processes and procedures; Prevention of unauthorized physical or logical access to the Services; Identification of threats to relevant assets and implementation of proactive controls to diminish risk probability and/or impacts; Visibility and involvement in the maintenance of the Fujitsu standard ISMS at all levels of Fujitsu management.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- For Customer-initiated operational Change Requests, Fujitsu will:
a) impact assess any Customer-initiated Change Requests;
b) where Fujitsu is willing and able to perform the Change Request, provide a quote for the additional Charges associated with implementing the Change Request; and
c) action and implement approved Change Requests.
For Fujitsu-initiated Change Requests (such as system upgrades), Fujitsu will follow their change management procedure to include raising, classifying, assessing, planning and implementing the change.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Fujitsu shall monitor the service for potential threats and vulnerabilities. When new security patches are made available from a vendor, these shall be applied following the vendor-described deployment approach. Patches are deployed based on the threat level and existing mitigation approaches that are in place. All appropriate security patches will be applied within 30 days of release from the vendor.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Fujitsu delivers the Services using a secure ISO27001:2013 compliant support environment. This element of the service comprises - Definition, maintenance and implementation of the Fujitsu standard Information Security Management System (ISMS); Physical protection of the defined infrastructure within Fujitsu’s ISO27001:2013 accredited Data Centres; Undertaking appropriate audits and assessments to ensure ongoing compliance; Implementation and enforcement of Fujitsu’s security policies and supporting processes and procedures; Prevention of unauthorized physical or logical access to the Services; Identification of threats to relevant assets and implementation of proactive controls to diminish risk probability and/or impacts; Visibility and involvement at all levels of Fujitsu.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Fujitsu will follow its Security Incident Management process should a security incident be recognised or reported. Users can report security incidents by contacting Fujitsu's support team. The appointed Service Delivery Manager will provide details of Security Incidents and appropriate reporting during regular review meetings.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- VMware
- How shared infrastructure is kept separate
- Each organisation may require its own dedicated cloud instantiation, in which case there is no sharing.
Where organisations are able to share a cloud service, multi-tenancy is deployed using a combination of physical separation (servers and network devices) and virtual technologies available in the VMware suite of tools based on the NIST aligned VMware Validated Design underpinning the service.
The mechanisms to implement separation of organisations are appropriate to the security classification of the service and adhere to the relevant Security Policies.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
- The Strategic Fujitsu Datacentres are registered “participants” in the EU Code of Conduct for datacentres, complying with their energy efficiency guidelines conforming to ISO50001 Energy Management. The Supplier’s infrastructure planners have used optimal layouts, as determined by the EU Code of Conduct to build the service within these datacentres.
Pricing
- Price
- £135.10 a virtual machine a month
- Discount for educational organisations
- No
- Free trial available
- No