Daemon Directory Services Ltd

Active Directory Unification Service

The DDS Active Directory Unification Service (ADUS) consolidates multiple staff directory sources (Active Directory, HR system, Intranet, etc.) giving a 'single truth' on staff to support identity and authentication services typically needed for cloud migration. ADUS services can be consumed either from the cloud or from an on-premises implementation.

Features

  • Consolidates internal and external staff directory data
  • Seamless unattended operation in the background
  • Unified staff data critical for cloud services using SSO authentication
  • Provides application access control and attribute personalisation
  • Service includes full RESTful APIs for directory access
  • Service supports bulk import and export via batch files
  • Provides a 'difference engine' listing changes between batches
  • Service includes management web interface for administrators
  • Secure design, developed for government using NCSC patterns and principles
  • Development and customisation package to meet additional customer needs

Benefits

  • Supports a department's adoption of cloud services
  • Provides a 'single truth' about personnel in an organisation
  • Reduces management overhead using tools such as automated on-boarding
  • Easy integration through the support for identity protocols and standards
  • Improved management, using automated proactive monitoring tools
  • Immediate availability as a cloud service
  • Available as an on-premises application for close coupling to AD
  • Support for the on-premises application is available to maintain capability
  • Ability to extend the service to fit customer requirements exactly

Pricing

£0.15 to £1.25 per user per month

  • Free trial available

G-Cloud 10

767645195513816

Daemon Directory Services Ltd

Max Northwood

01206 298525

max.northwood@dds-labs.com

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to The ADUS service consolidates multiple staff directory sources to provide aggregated staff information to any identity federation service providing single-sign-on authentication to the cloud.
Cloud deployment model Hybrid cloud
Service constraints ADUS depends upon being able to export directory information from the customer's Active Directory and any other customer staff data sources (HR etc.). Export tools are included in the service package which support either a direct API or a batch connection to the source data systems. The connected systems need to either present those APIs or be able to export batch data to ADUS. ADUS supports batch data transfer through FTP, FTPS, shared folders or HTTP download.
System requirements If installed locally, requires a Windows Server VM per service

User support

Email or online ticketing support Email or online ticketing
Support response times All incidents are graded by priority, then: Priority 1 - Response in 2 hours, Fix guaranteed within 1 day; Priority 2 - Response in 4 hours, Fix within 2 days; Priority 3 - Response in 1 day, Fix within 3 days; Priority 4 - Response within 4 days, Fix within 4 days
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels A service help desk is included in the service package. All incidents reported to the help desk are recorded in the CRM system and graded by priority 1-4. A Technical Account Manager is assigned to a customer on commencement of the service. A Technical Engineer is assigned to any reported incident. A full service report, describing the nature of the fault and its fix, is available to the customer on resolution of the incident.
Support available to third parties Yes

Onboarding and offboarding

Getting started The ADUS service is a background B2B service and is not directly exposed to users. It has an administrator user interface which presents a system dashboard and supporting interfaces (reporting, configuration etc.). DDS will configure the system for the customer and provides an "Implementation Questionnaire" for the purpose. DDS also provides an Administrator Training Guide and provides training for the administration staff to manage their own system.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The ADUS consolidation service persists staff data and holds historical information on directory imports, which is held subject to retention rules agreed with the customer when the service is on-boarded. This data can be made available to the customer as an MS SQL database export supplied on either DVD or USB memory stick, dependent on size. The size of the export will depend on the size and number of the imports; as a guideline, 6 months of daily imports of 3 directory sub-systems with approximately 35k staff records = 12GB. If different formats of database output are required, they can be provided at extra charge.
End-of-contract process At the point that the customer disengages from the service, the service connections are closed for the customer's users. Any persisted customer data (i.e. directory content) is retained for a period of 3 months and then deleted permanently. This allows the customer to reconnect to the service within that period with their last used settings intact. If required, the customer can request a backup copy of the directory data.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The web browser interface has been developed using HTML5 and the "Bootstrap" library which supports different form factor devices out-of-the-box. All browser interfaces are rigorously tested on representative devices from Apple, Android and Windows mobile to ensure compatibility for different form factors.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing A third party company specialising in web site accessibility was engaged to independently validate the key web application interfaces in the DDS suite.
API Yes
What users can and can't do using the API The service has a set of Business-to-Business (B2B) APIs for third party applications to access the staff profile and directory data within the system. The APIs support SOAP, REST and (for the directory work) LDAP protocols. The APIs are read only, with functions for searching the data (against a search string) and retrieving specific data objects (against a key). Access to the APIs is controlled by validating the calling application's credentials.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The web interface can be customised at an organisation level by applying a 'branding' (or 'theme') for the pages. Users cannot individually customise the pages.

Scaling

Independence of resources All DDS services are designed for scalability and resilience by using clustering. DDS will scale the compute power of the service by adding additional VMs and VM resources (CPU cores, RAM and Disk) as needed.

Analytics

Service usage metrics Yes
Metrics types All DDS software records usage within the application logs. This information includes the total number of user requests and the duration of the response to each request, with rolling averages of usage totals and response times.
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach DDS makes staff directory and related metadata available to customers' administrators on request through the application management portal. Data can be sliced in different ways (e.g. by data set, by field, by period etc.) and can be downloaded as a file in a selected format.
Data export formats
  • CSV
  • Other
Other data export formats LDIF, XML, XLS(X)
Data import formats
  • CSV
  • Other
Other data import formats
  • LDIF, XML
  • XLS, ZIP

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Service availability is offered at a guaranteed 99.5%. Availability of the service is measured by the ability to deliver the web application service to the Internet, not end user accessibility (which may be affected by an agency’s local network supplier). The maximum unplanned service downtime is 3.6 hours per calendar month. Periods of scheduled maintenance are excluded from the calculation of availability.
Approach to resilience Available on request
Outage reporting The DDS Help Desk is the source of information for calculating availability. Availability is measured as a percentage of the total actual available time against the total planned available time during a Payment Period. Email alerts defining scheduled maintenance times and unscheduled downtime will be sent to registered customer administrators.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels The application suite has web browser interfaces for administration. These are secured (a) at user level by access control and single sign-on, and (b) by optional white-listing of IP addresses for management access.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information You control when users can access audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Accreditation inherited from AWS
ISO/IEC 27001 accreditation date Unknown
What the ISO/IEC 27001 doesn’t cover Accreditation covers the environment the applications are operating in. The application code was accredited earlier in a different operating environment (at the Home Office) in 2015 by AmethystRisk for operation at the then IL3 level.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Inherited from AWS accreditation
PCI DSS accreditation date Unknown
What the PCI DSS doesn’t cover The accreditation applies to the operating environment. The application was accredited by AmazonRisk in 2015
Other security certifications Yes
Any other security certifications
  • Application was CHECK (tested) in 2015 by Digital Assurance
  • Application accredited to IL3 for use with Home-Office and DWP

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes DDS employs third party organisations to advise and assure its security procedures. This has resulted in a formal documented security policy which staff are required to abide by. This is aligned with ISO27001 principles and has been validated by our security advisers.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach DDS manages all application changes using its change control system. This records each component changed, the date, and related change details such as the reason for the change, the change team, the tester and the testing undergone. Each component and any changes applied to it are unit and system tested during development and subjected to OWASP security testing. Each component of the application carries a version and revision level which are tracked in the application package.
Vulnerability management type Supplier-defined controls
Vulnerability management approach DDS software is regularly run through two vulnerability scanners: OWASP and the 'BURP Scanner'. These test kits are regularly updated to ensure the latest threats are being tested for. Vulnerabilities regarded as critical are patched within a week of detection. Less serious vulnerabilities are patched on a 1-month cycle.
Protective monitoring type Supplier-defined controls
Protective monitoring approach DDS aligns its protective monitoring against CESG/NCSC's GPG13 guidelines. All critical actions and events within the application software are recorded in multiple log files held on virtual WORM drives. The resulting log files are scanned for exceptional situations through LogicMonitor.
Incident management type Supplier-defined controls
Incident management approach Incidents are logged at the DDS Help Desk, either by phone or email. The DDS Help Desk accepts responsibility for the call and progresses it towards resolution. The call remains open until the customer agrees that the incident can be closed. The DDS Help Desk may impose a ‘STOP CLOCK’ if the customer is unable to provide sufficient information and the DDS Help Desk is unable to proceed with the incident resolution. Incidents are reported back to the customer in monthly reports.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks Yes
Connected networks Public Services Network (PSN)

Pricing

Price £0.15 to £1.25 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A free trial can be ordered for a period of one month. The free trial will require the customer to provide a one-off data set in a compatible format for DDS to load into the system. The data specification for this upload is available on request.

Documents

  • Pricing document
  • Skills Framework for the Information Age rate card
  • Service definition document
  • Terms and conditions document