Software Box Limited (SBL)

SBL Freja ID: Identity & Secure Access Management

Freja eID provides a strong identity solution to allow secure access to systems for customers and users. Multi Factor Authentication (MFA) and 2 Factor Authentication (2FA) improve user experience and remove fixed passwords. The service enables compliance with GDPR and CoCo, amongst other cyber security requirements, and supports tokens and soft tokens.

Features

  • Cloud based security solution
  • Open APIs to link with single and multiple applications
  • OATH and OCRA compliant solutions
  • Licence covers internal and external users
  • Accredited European e-Identity
  • Compatible with Android and iOS apps
  • 24 hour support
  • Enables use of corporate credentials for cloud applications
  • PSD2 compliant MFA service
  • Validated cloud identity service

Benefits

  • Simple sign on for end users
  • Reduces cost of service desk support
  • Unlimited user licence available
  • Supports Know Your Customer and GDPR compliance
  • One solution can be used across multiple applications and services
  • Integrates with all major applications
  • Identity managed by the end user supporting GDPR
  • Simple application install and registration
  • Use can be shared across organisations
  • Enhances cyber security

Pricing

£0.10 per user per month

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

861895994053511

Contact

Software Box Limited (SBL)

Danielle Connor

01347 812100

tenders@softbox.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
There are no foreseeable constraints to this service.
System requirements
None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 4 hours, 24x7
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
As the web chat functionality is currently in design, the features are yet to be finalised.
Web chat accessibility testing
As the web chat functionality is currently in design, the features are yet to be finalised.
Onsite support
Yes, at extra cost
Support levels
Two services are currently offered:
1. Standard office hours support Monday to Friday 9-5.
2. Premium 24/7. Support calls are prioritised according to ITIL standards and actioned appropriately.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We can provide on-site and remote support as well as training for administrators and installers.
Service documentation
Yes
Documentation formats
  • HTML
  • Other
Other documentation formats
In application instructions
End-of-contract data extraction
The Freja solution does not store any data to extract.
End-of-contract process
Any configuration no longer required is deleted and the service stops working. This is included within the price.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The secure nature of the product is that the end user installs it on a mobile device or hard token. The desktop management platform can be accessed on a mobile device with the same experience.
Service interface
No
API
Yes
What users can and can't do using the API
One API is available for authentication integration and another is available for the token provisioning service, Freja Self Service Portal. The Authentication API allows developers to authenticate users according to currently configured mechanisms and to query when Freja eID last authenticated a user.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Users can decide on the level of security required and appropriate for each service request

Scaling

Independence of resources
The standard Freja service, with 10 million tokens in a single server's database, has been tested to produce 1000 authentications per second. We are confident our solution has the ability to scale should a user's environment require it.

Analytics

Service usage metrics
Yes
Metrics types
SBL provide detailed analytics relating to the:
- system uptime
- availability
- consumption
- support requests
- service maintenance

SBL will work with the customer to agree on the necessary format, content and schedule of these reports.
Reporting types
Regular reports

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Verisec Limited

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data cannot be exported as it is not stored within the solution
Data export formats
Other
Other data export formats
N/A
Data import formats
Other
Other data import formats
N/A

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
PSN assured and protected service, assured by CESG assured components. All communications with connections infrastructure can be configured to be secure; the requirements dictate the level of security applied.
Data protection within supplier network
Other
Other protection within supplier network
The token database is encrypted using AES-256. Each Freja component has a built-in firewall. Each Freja component is only built with the services it needs to function. Further perimeter firewalls and IPS are also utilised.

Availability and resilience

Guaranteed availability
The service availability is 99.5%; guaranteed by contractual commitment
Approach to resilience
We run multiple secure data centres with the capacity to serve 100m users worldwide 24x7.
Outage reporting
Yes, email alerts can be configured and, combined with appropriate SNMP monitoring, allow the system to be suitably monitored.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Dedicated devices on a segregated network
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
SGS
ISO/IEC 27001 accreditation date
November 2016
What the ISO/IEC 27001 doesn’t cover
N/A; full scope is covered
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • ISO9001
  • RLi & SLi connected datacentre

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
The system's security governance is managed in a way that is analogous to ISO27001:2015; the organisation is looking to be accredited to this in the medium term
Information security policies and processes
The organisation operates in a manner that is analogous to ISO27001:2015; due to the sensitive nature of these processes, further details cannot be provided but will be upon request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Once a vulnerability is identified, affected customers are contacted to discuss it. If a workaround is required, it is applied whilst the vulnerability fix is written and tested before being applied to affected customers. Workarounds are available as soon as possible. Hot fixes are generally applied in 3-month cycles.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Once a vulnerability is identified, affected customers are contacted to discuss it. If a workaround is required, it is applied whilst the vulnerability fix is written and tested before being applied to affected customers. Workarounds are available as soon as possible. Hot fixes are generally applied in 3-month cycles.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Incident management processes follow the industry standard ITIL model, ISO27001 and industry best practice. SBL deploy a number of tools and processes to identify potential compromises, utilising market leading technologies and solutions.

Upon discovery of a potential compromise, mitigation steps are immediately taken to isolate the incident, minimise any risk and return to normal status as soon as practicable. Due to the security-sensitive nature of these processes and procedures, further information cannot be given at this time. Further details will be provided upon request.
Incident management type
Supplier-defined controls
Incident management approach
Reported compromises are monitored; any compromises found are assessed and, if considered severe enough, a fix is typically made available within 24-48 hours.

Further details cannot be provided at this stage due to the security-sensitive nature of these processes; however, SBL will provide necessary details upon request.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£0.10 per user per month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
SBL can provide a proof of concept trial for 30 for evaluation purposes
