Fujitsu Services Limited

Fujitsu Secure Cloud

The Fujitsu Secure Cloud platform is used to deliver our next generation digital business capabilities, drawing on extensive global experience of delivering technology at all security classifications. Fujitsu Secure Cloud provides a dedicated private/community cloud solution capable of running workloads with Government Security Classification of OFFICIAL, SECRET and TOP SECRET.

Features

  • OFFICIAL, SECRET and TOP SECRET Managed Private Cloud
  • Virtual Server, Virtual Network, Storage and Backup
  • Infrastructure as a Service (IaaS)
  • Platform as a service (PaaS)
  • Flexible User Portal and API Access
  • Blueprinting and templating service
  • UK based Security cleared Service Management Team
  • Customer configurable workloads including web, database and application servers
  • Linux and Windows based

Benefits

  • Low volume minimum commitment
  • Various charging methods including pay-as-you-use
  • Flexible User Portal and API access with object level security
  • Compliant with NCSC Cloud Security Principles 1-14
  • Single or Dual Data centres – UK or Crown Premises
  • Data centres with existing government network connections (RLI, SLI, PSN)
  • Cyber Essentials Plus accredited Supplier
  • Phased Transition

Pricing

£135.10 a virtual machine a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at government.frameworks@uk.fujitsu.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

707514663435528

Contact

Fujitsu Services Limited Government Frameworks Desk
Telephone: 07867829234
Email: government.frameworks@uk.fujitsu.com

Service scope

Service constraints
None
System requirements
  • Customers are responsible for third party application licenses.
  • Management of Customer’s payload (Operating System and above) not included
  • Customer's payload management is not included as standard; it can be purchased separately.
  • Customers are responsible for applications deployed to Fujitsu Secure Cloud.

User support

Email or online ticketing support
Email or online ticketing
Support response times
As per Service Definition Document
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Please see the Service Definition for details of the service levels. This standard offering provides a virtual server availability of 99.9%. Support is provided during standard working hours Monday to Friday 08:00Hrs – 17:00Hrs (excluding Public and Bank Holidays). The option for additional support hours can be requested and shall be subject to an additional charge. A named Service Delivery Manager will be aligned to this service.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
As part of the standard service, no specific on-boarding activities have been included. The customer will receive an operational cloud environment, user portal and API interface which they can start consuming. If required, Fujitsu is able to provide a service to migrate existing cloud and physical services to the cloud and provide a set of additional blueprint templates. The exact requirements for this service should be discussed with Fujitsu and will incur an additional charge.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users are free to extract data prior to the end of the contract. If required, Fujitsu can support this process, but this will attract an additional charge.
End-of-contract process
As part of the standard service, no specific off-boarding activities have been included. The customer should ensure all services have been migrated off the cloud service prior to the end of the contract. Fujitsu is able to provide additional services to support the customer with these migration activities and should confirm the price for these services prior to termination.

Using the service

Web browser interface
Yes
Using the web interface
Please see the details in the Service Definition document.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
To be confirmed.
Web interface accessibility testing
To be confirmed.
API
Yes
What users can and can't do using the API
Please see the Service Definition document.
API automation tools
Other
Other API automation tools
TBC
API documentation
Yes
API documentation formats
Other
Command line interface
No

Scaling

Scaling available
Yes
Scaling type
Manual
Independence of resources
This is a dedicated private cloud service and therefore not impacted by other customers.
Usage notifications
Yes
Usage reporting
  • API
  • Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
Less than once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Other
Other data at rest protection approach
Details can be provided on request.
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
Service enables customer to perform backups – additional charges apply
Backup controls
The service provides mechanisms to allow the authorised customer users to perform backups of data within their tenant. Backup services shall be charged on a per usage basis.

By default, Fujitsu has no access to customer data and does not perform backup or recovery actions for a customer. Fujitsu can provide services specific to customer needs for backup, recovery and business continuity at additional charge.

The cloud service can be hosted at customer datacentre/s, Crown Hosting datacentre/s and Fujitsu datacentre/s as required by the customer and as such the backup, recovery and business continuity services are bespoke for each customer.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
Other
Other protection within supplier network
Details can be provided on request.

Availability and resilience

Guaranteed availability
The standard service provides a service availability of 99.9% for each Virtual Server measured on a 24 x 7 basis and calculated monthly.
If the performance commitment is not met, a Service Credit (please contact Fujitsu for detail) applies against the usage fee due for that virtual server for that month.
Approach to resilience
Fujitsu will deliver Fujitsu hosted services from its UK data centres. Details can be provided on request including options for customer/Crown Premises.
Outage reporting
Email alerts are provided.

Identity and authentication

User authentication
Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels
This can be supplied on request.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication
Devices users manage the service through
Dedicated device over multiple services or networks

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
User-defined
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Bureau Veritas
ISO/IEC 27001 accreditation date
30/11/2018
What the ISO/IEC 27001 doesn’t cover
The service is covered.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Fujitsu delivers the Services using a secure ISO27001:2013 compliant support environment. This element of the service comprises - Definition, maintenance and implementation of the Fujitsu standard Information Security Management System (ISMS); Physical protection of the defined infrastructure within Fujitsu’s ISO27001:2013 accredited Data Centres; Undertaking appropriate audits and assessments to ensure ongoing compliance; Implementation and enforcement of Fujitsu’s security policies and supporting processes and procedures; Prevention of unauthorized physical or logical access to the Services; Identification of threats to relevant assets and implementation of proactive controls to diminish risk probability and/or impacts; Visibility and involvement in the maintenance of the Fujitsu standard ISMS at all levels of Fujitsu management.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
For Customer-initiated operational Change Requests, Fujitsu will:
a) impact assess any Customer initiated Change Requests
b) where Fujitsu is willing and able to perform the Change Request, provide a quote for the additional Charges associated with implementing the Change Request; and
c) action and implement approved Change Requests.

For Fujitsu-initiated Change Requests (such as system upgrades), Fujitsu will follow their change management procedure to include raising, classifying, assessing, planning and implementing the change.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Fujitsu shall monitor the service for potential threats and vulnerabilities. When new security patches are made available by a vendor, these shall be applied following the vendor-described deployment approach. Patches are deployed based on the threat level and the existing mitigations that are in place. All appropriate security patches will be applied within 30 days of release from the vendor.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Fujitsu delivers the Services using a secure ISO27001:2013 compliant support environment. This element of the service comprises - Definition, maintenance and implementation of the Fujitsu standard Information Security Management System (ISMS); Physical protection of the defined infrastructure within Fujitsu’s ISO27001:2013 accredited Data Centres; Undertaking appropriate audits and assessments to ensure ongoing compliance; Implementation and enforcement of Fujitsu’s security policies and supporting processes and procedures; Prevention of unauthorized physical or logical access to the Services; Identification of threats to relevant assets and implementation of proactive controls to diminish risk probability and/or impacts; Visibility and involvement at all levels of Fujitsu.
Incident management type
Supplier-defined controls
Incident management approach
Fujitsu will follow its Security Incident Management process should a security incident be recognised or reported. Users can report security incidents by contacting Fujitsu's support team. The appointed Service Delivery Manager will provide details of Security Incidents and appropriate reporting during regular review meetings.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
VMware
How shared infrastructure is kept separate
Each organisation may require its own dedicated cloud instantiation in which case there is no sharing.

Where organisations are able to share a cloud service, multi-tenancy is deployed using a combination of physical separation (servers and network devices) and virtual technologies available in the VMware suite of tools based on the NIST aligned VMware Validated Design underpinning the service.

The mechanisms used to implement separation of organisations are appropriate to the security classification of the service and adhere to the relevant Security Policies.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
The Strategic Fujitsu Datacentres are registered “participants” in the EU Code of Conduct for datacentres, complying with their energy efficiency guidelines conforming to ISO50001 Energy Management. The Supplier’s infrastructure planners have used optimal layouts, as determined by the EU Code of Conduct to build the service within these datacentres.

Pricing

Price
£135.10 a virtual machine a month
Discount for educational organisations
No
Free trial available
No
