Cirro

Secure Multi Cloud Connectivity

A secure, fully managed, multi-cloud connectivity service. Any site, any network, any cloud; AWS, Azure, IBM, Oracle, Google.
Connect via SD-WAN, point-to-point, MPLS or VPN. Directly connected to PSN and HSCN (Janet due in Q3 2019).
Available options: Remote Access Service, Web Application Firewall, Enhanced Security Options, and Consultancy Services.

Features

  • Connect any site or remote users to any cloud
  • Managed security gateway between sites and cloud environment
  • Intra-Cloud security
  • Multi-Cloud security with back-up, replication & storage for DR
  • Secure, web-based Firewall (WAF) with advanced security options
  • Full reporting, monitoring and dashboard

Benefits

  • Simplest way to secure multi-cloud environments
  • Seamless security between networks from different locations
  • Centralised, managed security
  • Quick and efficient way to securely connect to any Cloud

Pricing

£8333 per instance per month

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

758628476072691

Contact

Cirro

Michael Owen

020 3418 0412

michaelo@cirro-solutions.co.uk

Service scope

Service constraints
No constraints. The service requires a terminating device capable of BGP/IPSec
System requirements
User device capable of IP-based connectivity

User support

Email or online ticketing support
Email or online ticketing
Support response times
Dependent on severity/priority. From 30 mins to 2 hours as a guide.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Standard support and technical account management under SLAs
(Mon-Fri 09:00-17:30 excl bank holidays) is included in the annual
fee. Up to 20 small changes per month are included in
the standard charge. Additional or complex changes are priced on
application and are charged at the prevailing daily rate.
Enhanced 24/7/365 support is charged at 25% of the Annual
Recurring Charge. Ad-hoc consultancy and technical architecture
services are charged at the prevailing daily rate.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Having engaged with the customer early in the process to fully
understand their requirements, we implement a VeriSM based transition process to produce and provide the service quickly and
efficiently. After completing UAT, we can provide training to the
customer via a number of methods, depending on what best suits
their needs. This could be on-site workshop sessions, conference
calls, or written documentation. A period of Early Life Support is
agreed with the customer, so that we can help the users gain
experience in using the service backed up by an ITIL based
support organisation that can continue to provide advice and
assistance once go live has passed.
Service documentation
Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Word
  • Excel
End-of-contract data extraction
This is completed against a Statement of Works under Exit Management and can include:
Log information, analytics and anything else that is customer
specific can be copied to a repository of the customer’s choice at
which point the source data will then be deleted upon confirmation
of successful copy/transmission.
End-of-contract process
The exit management plan is implemented, a Statement of Works is created or the service is terminated. All settings will be removed and wiped from the system and all documents relating to the customer environment will be securely erased or shredded.

Using the service

Web browser interface
Yes
Using the web interface
A client receives a dedicated URL to access their own instance of the dashboard. The dashboard delivers reporting and analytics of all network and security events.
The dashboard allows network administrators and users to control and keep track of real-time network performance as well as being alerted to live incidents. The dashboard also provides ticketing functionality. Users cannot see or change the rules which govern firewall and security policy, nor can they see logs via the dashboard. New functionality and features are added to the dashboard regularly to improve user experience.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Via a standard web-browser using SSL/TLS with user credentials
Web interface accessibility testing
None
API
No
Command line interface
No

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
We enforce customer segregation by using dedicated tenancies.
This ensures that their Cloud Gateway service is not affected or
shared by other users.
Usage notifications
Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • HTTP request and response status
  • Network
Reporting types
Real-time dashboards

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Cloud Gateway, Cloud9, Veeam

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Back-up and recovery of any Cloud environment
  • Back-up using Veeam or similar agent
  • Back-up virtual machines & instances
  • Back-up and restore files, folders or VMs
  • Back-up and restore Office365 / Azure
Backup controls
Via a back-up agent portal, users control back-up and retention policies and restore locations.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
99.95% service availability. Where any service availability issues
arise for connectivity from a user site, service credits will only be
applicable to that site. Where any service availability issues arise
for connectivity to the internet or cloud hosting providers, service
credits will be applicable to all user sites.
Approach to resilience
Our service is built using overlays inside a resilient cloud
architecture. Consequently, each component, each set of
components, each stack and each full tenancy is designed to be
resilient at multiple points. This is achieved in its simplest form by
having more than one of each component part available (akin to
traditional High Availability), but also by leveraging cloud resilient
functions such as Multiple Availability Zones, Multiple Regions, or
both.
Outage reporting
Our service sends alerts to our monitoring and engineering teams
to inform them of any potential outages. The issues are sanitised to
see if they require manual intervention by our team, or whether
automatic recovery has occurred. If manual intervention is required
then a proactive alert ticket is raised within our service desk portal.
Our service desk portal shows tickets that are being worked on and
these can be viewed by the client at any time. In addition, e-mail
alerts can be created against any incidents relating to an outage,
which will then be sent to approved recipients.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels
Our service has a robust set of multi-layered security functions at
its core. Access to and from any service is managed, maintained
and enforced in line with customer approved policy.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
IQS Standards Audits Division
ISO/IEC 27001 accreditation date
16/07/2018
What the ISO/IEC 27001 doesn’t cover
The certification covers all relevant elements of the solution
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our service is built to adhere to the HMG UK Official guidelines,
which in turn adhere to the National Cyber Security Centre (NCSC)
cloud security principles and the Center for Internet Security (CIS)
critical security controls. We adhere to ISO 27001 certification,
Cyber Essentials, and Cyber Essentials PLUS.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are assessed and implemented in line with the agreed
customer change process. We have a CMDB where all
configurations, files and changes are stored for a stipulated period
of time.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Potential threats are assessed through live monitoring and alerting
within our platform. This is backed up with vulnerability scans
every 2 weeks across the whole platform to test, track and confirm
patches have been deployed while also testing security
configurations. We also obtain information from our security
vendors directly (subscription and notification emails) and RSS feeds.
We deploy patches manually or via auto updates into our cloud
infrastructure.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We identify potential compromises through live monitoring and
alerting on our platform. Our monitoring and alerting rules are
based on the AWS CIS Foundations benchmarks with additional
controls and alerts for any non-AWS infrastructure. These events
are sent to our SIEM where alarms are triggered based on a set of
configured rules. Depending on the severity the incident will be
addressed immediately or in line with customer agreed change
control.
Incident management type
Supplier-defined controls
Incident management approach
We operate under the VeriSM framework, utilising the best of ITIL
v4 and DevOps methodologies.

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
Amazon, Microsoft and Fortinet
How shared infrastructure is kept separate
Each tenant has a dedicated virtual instance and it is logically segregated

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
Data centres adhere to ISO 50001 Energy Management and 14001 Environment Management (which we also hold).

Pricing

Price
£8333 per instance per month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
We will provide a free fully dedicated platform with access to
one cloud provider of the client's choice, for up to 4 weeks, to test
connectivity. If technical consultancy is required, this is chargeable
at the prevailing daily rate.
