Fifosys Limited

Secure Managed Microsoft Azure Cloud Services

As a 15-year Microsoft Partner, Fifosys deliver managed services for Microsoft Azure platforms.
Azure is a highly resilient and ever-expanding set of cloud services helping organisations meet business challenges. It provides the ability to build, manage and deploy applications on a large, global network using familiar tools and frameworks.

Features

  • Azure services with Fifosys managed support and service wrapper
  • Scale your systems automatically as required by demand
  • Highly secure managed public cloud environments customised to your requirements
  • Detect and investigate attacks on-premises and in the cloud
  • Create highly available, infinitely scalable cloud applications
  • Expert migration services including design, engineering, provisioning and management
  • Allow teams to share code, track work and ship software
  • Managed, relational SQL Database as a service
  • Unify security management and enable advanced threat protection
  • Better protect your sensitive information – whenever, wherever

Benefits

  • Can scale to meet the needs of the organisation
  • Rapidly deploy new infrastructure and servers
  • Removes the need for large investment in on-premise infrastructure
  • Fully managed and maintained environment
  • Durable, highly available and massively scalable cloud storage
  • Simplify on-premises database migration to the cloud
  • Quickly create environments using reusable templates and artefacts
  • Connect, monitor and manage billions of IoT assets
  • Simplify cloud management with process automation

Pricing

£0.01 a virtual machine an hour

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at m.patel@fifosys.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

763812255837921

Contact

Fifosys Limited Mitesh Patel
Telephone: 02076442610
Email: m.patel@fifosys.com

Service scope

Service constraints
Updates are periodically performed to improve the reliability, performance, and security of the infrastructure. If maintenance requires downtime, you get a notice of when the maintenance is planned. In these cases, you'll also be given a time window where you can start the maintenance yourself, at a time that's convenient. Each region is paired with another region within the same geography; together they make a regional pair. During planned maintenance, Azure will only update a single region at a time.

Management access to the hypervisor is not available.
System requirements
  • Volume licence with software assurance required for licence mobility
  • Standard connectivity via site-to-site IPSec VPN or the internet
  • See https://docs.microsoft.com/en-gb/azure/

User support

Email or online ticketing support
Email or online ticketing
Support response times
The Fifosys service desk is available 24/7, 365 days of the year. This service provides a fully manned operation with engineers sitting in front of screens, taking calls, responding to emails and monitoring systems. Fifosys respond to incidents much faster than our SLA. We maintain a response and resolution time of 20 minutes for 86% of incidents to our desk. Our SLA is 1 hour for a priority 2 & 3 and 20 minutes for a priority 1. However, we average 8-minute response times to email support requests. These response times do not vary at weekends.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Fifosys provide 1st, 2nd and 3rd line support 24/7/365. Our Network Operations Centre (NOC) proactively monitor, maintain and remediate clients' systems. This is all standard service as part of our pricing model. We provide a team which includes an IT Manager who manages the Service team (NOC & Support), an Account Manager who is responsible for day-to-day management of the account from a sales perspective, and Technical architects who are responsible for discussing and identifying the right technical solutions for our clients.

We encourage clients to make use of tools we provide giving full visibility of what we do, including access to a service portal to view Service Desk activity. Our incident reports and status reports give clients the information needed; if anything does not meet expectations, we will be open in our resolution. This forms the basis of agreed KPIs to help gain trust and sustain long professional relationships.

This data is a central focus of Service Reviews and is invaluable in identifying training needs, potential problems or areas where systems aren’t delivering what the organisation needs. This detail has been noted in external quality audits and by vendors specialising in managed service applications and CRM systems.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide a tailored training program for the cloud service dependent on the requirements. This can include on-site training, workshops or on-line training. These can even be combined if required. We have a large repository of user documentation that we share on how to use the various elements of the service.

Fifosys has years of experience performing cloud migrations and we will work with you to identify all the considerations and risks. If necessary, our team of technical architects and engineers will perform a cloud assessment and planning audit to determine what technical elements need to be considered and determine your "cloud readiness" state.

We will ensure that any solution chosen balances risk, cost impact and timescales in the right way for your organisation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data can be extracted manually by the users across a VPN or dedicated ExpressRoute connection. Alternatively, Fifosys can be instructed to provide all of this data on removable media. The user must supply or agree to the costs of Fifosys supplying the media. This data is then removed from our systems and backup.

In the event you require a live migration of virtual machines or database data, replication services may be configured; however, this may incur additional costs.

Any service documentation held by Fifosys in relation to the service will be exported from our IT documentation platform, IT Glue, and provided to the user.
End-of-contract process
Extracting the user's live data is included in the price of the contract, as are all termination fees. Any media required to export data is not included and this must be purchased by the user or the user must agree to the costs of Fifosys purchasing this on their behalf. The export of historic backups is not included as this can be a time-consuming process and the cost is dependent on how many generations of data need to be exported. All licensing within the cloud is also provided on an SPLA basis and therefore remains the property of Fifosys.

Using the service

Web browser interface
Yes
Using the web interface
The web portal allows you to view and manage all of your applications in one unified hub, including web apps, databases, virtual machines, virtual networks, storage and Visual Studio team projects. The initial service is set up via the web interface, and initial build and configuration can only be performed via the web interface. Once servers and services are brought online, these can be accessed through normal methods such as API, remote desktop, CLI or web browser. Services that can be managed through the interface include:

  • API Management
  • App Service API apps
  • App Service Environment
  • App Service Mobile apps
  • App Service Web apps
  • Application Insights
  • Automation
  • Azure Active Directory
  • Azure Batch
  • Azure Cosmos DB
  • Azure DevTest Labs
  • Azure DNS
  • Azure Kubernetes Service
  • Azure Lab Services
  • Azure Search
  • Azure SQL Database
  • Backup
  • BizTalk Services
  • Cloud Services
  • Cognitive Services
  • Content Delivery Network
  • Data Catalog
  • Data Factory
  • Data Lake Analytics
  • Dynamics Lifecycle Services projects
  • Event Hubs
  • ExpressRoute
  • IoT Hub
  • Log Analytics
  • Machine learning services
  • Microsoft Intune
  • Mobile Services
  • Multi-Factor Authentication
  • Notification Hubs
  • Recovery Services
  • Security Center
  • Service Bus
  • Site Recovery
  • SQL Data Warehouse
  • Storage
  • StorSimple
  • Stream Analytics
  • Traffic Manager
  • Virtual Machines
  • Virtual Network
  • Visual Studio Team
Web interface accessibility standard
WCAG 2.1 AA or EN 301 549
Web interface accessibility testing
Microsoft is committed to ensuring that our products and services are designed for everyone, including the approximately 1.2 billion people with disabilities in the world.
We endeavor to integrate accessibility into every stage of product development, including planning, design, research, development, and testing.
Microsoft is a signatory to the Global Initiative for Inclusive Information and Communications Technology (G3ict) Charter, which encourages governments to increase digital inclusion for citizens by incorporating accessibility criteria into their procurement policies.

Azure and Azure Government are in scope for EN 301 549.
API
Yes
What users can and can't do using the API
Azure provides a full set of tools for the creation and use of APIs. The API management feature helps organisations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. It provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. You can use Azure API Management to take any backend and launch a full-fledged API program based on it.

To use API Management, administrators create APIs. Each API consists of one or more operations, and each API can be added to one or more products. To use an API, developers subscribe to a product that contains that API, and then they can call the API's operation.

The Azure portal is the administrative interface where you set up your API program. It is used to:

  • Define or import API schema.
  • Package APIs into products.
  • Set up policies like quotas or transformations on the APIs.
  • Get insights from analytics.
  • Manage users.

Products that contain an API may be subject to their own usage policies and users must be granted the appropriate administrative rights with the Azure portal to make changes.
API automation tools
  • Ansible
  • Chef
  • SaltStack
  • Terraform
  • Puppet
API documentation
Yes
API documentation formats
HTML
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Azure CLI 2.0 is optimized for managing and administering Azure resources from the command line, and for building automation scripts that work against the Azure Resource Manager.

The Azure CLI 2.0 program needs to be installed on the user's computer and then a connection to the subscription must be established. Once established, users can then manage the environment via command line. Common tasks that can be performed include: create virtual machines, manage virtual machine state, get virtual machine state, add, remove or resize disks, manage account information, view active directory objects, manage availability sets, manage resource groups, create clusters, view logs and monitoring insights, manage network resources, manage load balancers, manage public IP addresses, manage user permissions and roles.

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
The cloud environment is highly and easily scalable. Load across the environment is constantly monitored for performance issues and additional resources can be quickly brought on-line to cope with any peaks in demand. Access to services is load-balanced across multiple databases, network links and servers to ensure users are not affected by the demand placed on the systems by others.

Bandwidth limits are in place for any activity that could saturate network connections and have a negative impact on other users such as large file transfers or mass mailbox migrations.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Performance
  • Database connections
  • Standard Service monitoring
  • Custom infrastructure metrics
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Microsoft

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Files
  • Virtual and physical servers
  • Network Attached Storage (NAS)
  • Storage Area Network (SAN)
  • Database Applications
  • Software Applications
  • VM disk snapshots
  • Workstations
Backup controls
Depending on the backup method chosen, users can control what backups are performed directly from the Azure portal, via Azure PowerShell, via the Azure CLI, or via the Azure Backup agent.

Backup and replication can also be controlled directly via VMware vCenter, Hyper-V manager or via systems centre manager.

Backup schedules are agreed with the customer at the beginning of the contract. Fifosys will proactively monitor the health of the backups and report any failures to the customer. Backup failures will also be highlighted as part of the scheduled service reviews and monthly service reports.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • Other
Other protection between networks
Azure service network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Azure provides customers ownership and control over their content by design.

Azure enables customers to open a secure, encrypted channel to Azure services using TLS/SSL, and/or IPsec or TLS VPN (if applicable), or other means of protection the customer wishes to use.

Availability and resilience

Guaranteed availability
Due to the rapidly evolving nature of Azure product offerings, SLAs are best reviewed directly via Microsoft's Online Service Terms at http://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=11745
Approach to resilience
Our datacentre environment is highly resilient. All hardware has a minimum of N+1 for redundancy. The entire environment is replicated to a 2nd site to protect against a complete data centre outage and there are multiple connection paths in and out of the data centre. The cloud environment is also proactively monitored 24/7/365 to ensure that any failures or predicted failures can be dealt with as soon as possible. Further details of the resilience are available on request.
Outage reporting
Any service outages would be reported via email alerts. Any outages would be classed as a priority 1 - High impact incident and follow our high impact incident process. Users would be continuously updated on progress of the issue until resolved.

Identity and authentication

User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Only authorised individuals from our organisation can manage the system and strong authentication is in place. The management layer is segregated from the service networks to prevent any issues affecting service. All access to the systems is through N-able and an audit trail is in place.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication
Devices users manage the service through
Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
11/09/2017
What the ISO/IEC 27001 doesn’t cover
Don't know
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Information data security is an essential part of the Fifosys business. The directors recognise the need for its clients' and end users' information data to remain secure and confidential at all times. Clients and Fifosys internal departments collaborate to ensure that data stays secure. Information data security systems are reviewed at regular intervals and outcomes are made available to other relevant organisations. Current policies exist for the following, which are audited each year as part of our ISO 27001 accreditation:
  • Information Security Organisation
  • Classifying Information and Data
  • Controlling Access to Information and Systems
  • Processing Information and Document
  • Purchasing and Maintaining Commercial Software
  • Securing Hardware, Peripherals and Other Equipment
  • Fifosys Personnel
  • Detecting and Responding to Incidents
  • Business Continuity

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We follow the ITIL framework for change and configuration management. All changes are logged in our ERP system (Connectwise) and changes must include a reason, the technical steps, the risk assessment, the service impact, a rollback plan, a test plan and a schedule of communications. All changes, once submitted, are reviewed by the change management board. All configurations are also tracked in Connectwise with installation date, service/warranty expiry, any 3rd party details and any associated configuration. Automatic updates of configuration items are also performed from our RMM tool (N-able) to Connectwise.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We are continually assessing threats to our service. We use automated cyber security tools such as CyberScore from XQ Cyber (a CHECK service provider) to continuously poll our environment for new threats and suggest remediation plans. We patch our own and our clients' servers every week using our automated patch management service. We also deploy next generation firewall products from Cisco with anti-malware protection, constantly upgraded, and we employ automated ransomware protection across all our servers. We get our sources of threats from our multiple partners including Microsoft, Cisco, VMware, XQ Cyber and N-able.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use our proactive monitoring tool (N-able) to identify threats. This monitors all aspects of the environment from servers to networking to anti-virus. Data is also proactively monitored for ransomware attacks through our backup solution. When a threat or compromise is detected, a ticket is automatically logged in our ERP system (Connectwise) and handled as a priority 1 ticket. We respond to these incidents within 15 minutes.
Incident management type
Supplier-defined controls
Incident management approach
Our incident management process is based on the ITIL framework for service management. Incidents are categorised into service issues, where IT has failed, and support issues, where IT hasn't failed, i.e. a new user request. We have pre-defined processes for common events such as new users, subject access requests, permission changes, mobile device setup, upgrade and client-specific common tasks. Users can report incidents via phone, email or online portal. Incident reports are provided to predetermined stakeholders in PDF format for high impact incidents, and users can check directly in the online portal for normal or low impact incidents.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
Hyper-V
How shared infrastructure is kept separate
Organisations are provided with their own dedicated virtual machines. Although multiple organisations may have virtual machines on the same physical hardware, customer environments are logically segregated, preventing users and customers from accessing unassigned resources. Customers maintain full control over their data access. Services which provide virtualised operational environments to customers ensure that each customer is segregated and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation.

For further information please refer to https://www.microsoft.com/en-us/TrustCenter/Security/default.aspx

Energy efficiency

Energy-efficient datacentres
No

Pricing

Price
£0.01 a virtual machine an hour
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Fifosys will work with the customer to develop a proof of concept with clearly defined success criteria.

Normally this would be limited to 30 days and would not include services such as dedicated ExpressRoute connections, large data migrations, full resilience or production workloads.
