Cirro

Secure Multi Cloud Connectivity

A secure, fully managed, multi-cloud connectivity service. Any site, any network, any cloud: AWS, Azure, IBM, Oracle, Google.
Connect via SD-WAN, point-to-point, MPLS or VPN. Directly connected to PSN and HSCN (Janet due in Q3 2019).
Available options: Remote Access Service, Web Application Firewall, Enhanced Security Options, and Consultancy Services.

Features

  • Connect any site or remote users to any cloud
  • Managed security gateway between sites and cloud environment
  • Intra-Cloud security
  • Multi-Cloud security with back-up, replication & storage for DR
  • Secure, web-based Firewall (WAF) with advanced security options
  • Full reporting, monitoring and dashboard

Benefits

  • Simplest way to secure multi-cloud environments
  • Seamless security between networks from different locations
  • Centralised, managed security
  • Quick and efficient way to securely connect to any Cloud

Pricing

£8333 per instance per month

  • Education pricing available
  • Free trial available

G-Cloud 11

758628476072691

Cirro

Michael Owen

020 3418 0412

michaelo@cirro-solutions.co.uk

Service scope

Service constraints No constraints. The service requires a terminating device capable of BGP/IPsec
System requirements User's device capable of IP-based connectivity

User support

Email or online ticketing support Email or online ticketing
Support response times Dependent on severity/priority. From 30 minutes to 2 hours as a guide.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard support and technical account management under SLAs
(Mon-Fri 09:00-17:30 excl bank holidays) is included in the annual
fee. Up to 20 small changes per month are included in
the standard charge. Additional or complex changes are priced on
application and are charged at the prevailing daily rate.
Enhanced 24/7/365 support is charged at 25% of the Annual
Recurring Charge. Ad-hoc consultancy and technical architecture
services are charged at the prevailing daily rate.
Support available to third parties Yes

Onboarding and offboarding

Getting started Having engaged with the customer early in the process to fully
understand their requirements, we implement a VeriSM-based transition
process to produce and provide the service quickly and
efficiently. After completing UAT, we can provide training to the
customer via a number of methods, depending on what best suits
their needs. This could be on-site workshop sessions, conference
calls, or written documentation. A period of Early Life Support is
agreed with the customer, so that we can help the users gain
experience in using the service, backed up by an ITIL-based
support organisation that can continue to provide advice and
assistance once go-live has passed.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Word
  • Excel
End-of-contract data extraction This is completed against a Statement of Works under Exit Management.
Log information, analytics and anything else that is customer-specific
can be copied to a repository of the customer’s choice, at
which point the source data will be deleted upon confirmation
of successful copy/transmission.
End-of-contract process The exit management plan is implemented, a Statement of Works is created or the service is terminated. All settings will be removed and wiped from the system and all documents relating to the customer environment will be securely erased or shredded.

Using the service

Web browser interface Yes
Using the web interface A client receives a dedicated URL to access their own instance of the dashboard. The dashboard delivers reporting and analytics of all network and security events.
The dashboard allows network administrators and users to control and keep track of real-time network performance as well as being alerted to live incidents. The dashboard also provides ticketing functionality. Users cannot see or change the rules which govern firewall and security policy, nor can they see logs via the dashboard. New functionality and features are added to the dashboard regularly to improve user experience.
Web interface accessibility standard None or don’t know
How the web interface is accessible Via a standard web-browser using SSL/TLS with user credentials
Web interface accessibility testing None
API No
Command line interface No

Scaling

Scaling available Yes
Scaling type Automatic
Independence of resources We enforce customer segregation by using dedicated tenancies.
This ensures that their Cloud Gateway service is not affected or
shared by other users.
Usage notifications Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics Yes
Metrics types
  • HTTP request and response status
  • Network
Reporting types Real-time dashboards

Resellers

Supplier type Reseller providing extra features and support
Organisation whose services are being resold Cloud Gateway, Cloud9, Veeam

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Back-up and recovery of any Cloud environment
  • Back-up using Veeam or similar agent
  • Back-up virtual machines & instances
  • Back-up and restore files, folders or VMs
  • Back-up and restore Office365 / Azure
Backup controls Via a back-up agent portal, users control back-up and retention policies and restore locations.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users schedule backups through a web interface
Backup recovery Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability 99.95% service availability. Where any service availability issues
arise for connectivity from a user site, service credits will only be
applicable to that site. Where any service availability issues arise
for connectivity to the internet or cloud hosting providers, service
credits will be applicable to all user sites.
Approach to resilience Our service is built using overlays inside a resilient cloud
architecture. Consequently, each component, each set of
components, each stack and each full tenancy is designed to be
resilient at multiple points. This is achieved in its simplest form by
having more than one of each component part available (akin to
traditional High Availability), but also by leveraging cloud resilient
functions such as Multiple Availability Zones, Multiple Regions, or
both.
Outage reporting Our service sends alerts to our monitoring and engineering teams
to inform them of any potential outages. The issues are sanitised to
see if they require manual intervention by our team, or whether
automatic recovery has occurred. If manual intervention is required
then a proactive alert ticket is raised within our service desk portal.
Our service desk portal shows tickets that are being worked on and
these can be viewed by the client at any time. In addition, e-mail
alerts can be created against any incidents relating to an outage,
which will then be sent to approved recipients.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels Our service has a robust set of multi-layered security functions at
its core. Access to and from any service is managed, maintained
and enforced in line with customer approved policy.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 IQS Standards Audits Division
ISO/IEC 27001 accreditation date 16/07/2018
What the ISO/IEC 27001 doesn’t cover The certification covers all relevant elements of the solution
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our service is built to adhere to the HMG UK Official guidelines,
which in turn adhere to the National Cyber Security Centre (NCSC)
cloud security principles and the Center for Internet Security (CIS)
critical security controls. We adhere to ISO 27001 certification,
Cyber Essentials, and Cyber Essentials PLUS.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes are assessed and implemented in line with the agreed
customer change process. We have a CMDB where all
configurations, files and changes are stored for a stipulated period
of time.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Potential threats are assessed through live monitoring and alerting
within our platform. This is backed up with vulnerability scans
every 2 weeks across the whole platform to test, track and confirm
patches have been deployed while also testing security
configurations. We also obtain information from our security
vendors directly (subscription and notification emails) and RSS feeds.
We deploy patches manually or via auto updates into our cloud
infrastructure.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We identify potential compromises through live monitoring and
alerting on our platform. Our monitoring and alerting rules are
based on the AWS CIS Foundations benchmarks with additional
controls and alerts for any non-AWS infrastructure. These events
are sent to our SIEM where alarms are triggered based on a set of
configured rules. Depending on the severity the incident will be
addressed immediately or in line with customer agreed change
control.
Incident management type Supplier-defined controls
Incident management approach We operate under the VeriSM framework, utilising the best of ITIL
v4 and DevOps methodologies.

Secure development

Approach to secure software development best practice Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon, Microsoft and Fortinet
How shared infrastructure is kept separate Each tenant has a dedicated virtual instance and it is logically segregated

Energy efficiency

Energy-efficient datacentres Yes
Description of energy efficient datacentres Data centres adhere to ISO 50001 Energy Management and ISO 14001 Environmental Management (which we also hold).

Pricing

Price £8333 per instance per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We will provide a free fully dedicated platform with access to
one cloud provider of the client's choice, for up to 4 weeks, to test
connectivity. If technical consultancy is required, this is chargeable
at the prevailing daily rate.

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)