NETbuilder Ltd

AWS Managed Infrastructure

NETbuilder provides Amazon Web Services (AWS) professional services from strategy through platform design, implementation, maintenance and support to live service deployment on AWS infrastructure. Our experts help advise, manage, design and deliver integrated AWS work packages or end-to-end solutions.

Features

  • Support the design of cloud architecture and infrastructures on AWS
  • Provide fully redundant and resilient cloud infrastructures built on AWS
  • Support flexible and scalable storage, network, monitoring and backup services
  • Provide industry expert cloud implementation support for your AWS initiatives
  • Automate code testing, deployment processes and CI / CD infrastructure
  • Support AWS VPC, EC2, S3, RDS, Route 53, IAM services
  • Support AWS CloudWatch, CloudTrail, SNS, SES services
  • Apply best practice cyber security solutions, processes and procedures

Benefits

  • Deliver operational cloud stacks at speed
  • Facilitate platform maturity enhancement and speed up your cloud transformation
  • Best-in-class implementation for cloud platform hosting applications
  • Reduce time to market and overall costs, and focus on engaging customers
  • Relieve IT staff of day-to-day operational and management activities
  • Flexible system configurations based on needs with automated cloud infrastructure
  • Add flexibility to your AWS cloud initiatives
  • Improve security posture and minimise cyber security risks

Pricing

£350 to £999 a person a day

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@netbuilder.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

870474741041451

Contact

NETbuilder Ltd
Thomas Hooson
Telephone: 0845 680 2083
Email: gcloud@netbuilder.com

Service scope

Service constraints
The customer is responsible for, and remains liable for, ensuring that their licensing is compliant with deployment in a virtualised cloud environment.

The customer is responsible for agreeing to and complying with the AWS client agreement and acceptable usage rights. This can be found at https://aws.amazon.com/agreement/
System requirements
  • Operating systems must be x86 based.
  • Operating systems must not be end of support
  • Legacy environments will require an audit prior to acceptance

User support

Email or online ticketing support
Yes, at extra cost
Support response times
NETbuilder provide prioritised support services for the Managed Services, to be accessed by the Customer’s Technical Support Contacts 24 hours a day, 7 days a week (each such request a “Service Request” or an “Incident” or a “Change Request”) according to an agreed set of Response Times for each service request type and priority level.

Indicative response times:

• P1 Highest Severity Incident - 15 minute response
• P2 High Severity Incident - 1 hour
• P3 Medium Severity Incident - 2 hours
• P4 Low Severity Incident - 4 hours
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Our Production Support offering ensures that the customer’s technology estate is operational whilst providing them with significant autonomy in daily application and business operations. Production customers are assisted with a self-service portal that makes it easy to request help, search knowledgeable content and track progress on issues, and by the NETbuilder Technical Support team composed of service desk agents and a named Service Delivery Manager (SDM) primarily tasked with system maintenance, security, health reporting and monitoring on a 24x7 basis.

Our Enterprise Support offering builds on Production Support and is a premium full-service package developed with the goal of empowering customer teams to focus on their core business and deliver effectively at scale. This offering entitles the customer to a single point of contact with NETbuilder; the Technical Account Manager (TAM), a highly skilled professional proactively supporting the customer during deployment time and production related activities, while ensuring the ongoing maintenance and management of the technology stack. The TAM meets regularly with the customer and can assist with activities such as performance tuning, configuration and planning.

Pricing of the Managed Service is determined on a case by case basis dependent upon the service offering, service level agreements and customer requirements.
Support available to third parties
No

Onboarding and offboarding

Getting started
NETbuilder's service setup and onboarding process consists of several steps:

Introduction

• Visit the customer to meet the team and perform initial introductions
• Provide an overview of the Managed Service
• Formulate a plan for the next steps

Discovery

• Run an initial discovery phase in which we review and validate the scope of the service with the business and technical stakeholders
• Create an inventory of the resources to support
• Review existing security controls and processes
• Perform any necessary knowledge transfer
• Define a service catalogue with associated SLAs
• Review of resources and costs required for the managed service

On-Boarding

• Provision the support, networking and monitoring services
• Implement quality controls
• Check integration points
• Integrate to the customer business process
• Trial run end-to-end key use cases and live incidents
• Start preparing initial knowledge base and relevant run books
• Implement relevant security controls and processes

Transition

• Switch to the new support service
• Check hands for an official start
• Provide/receive frequent feedback and reporting for a defined period

Maintenance and Support

• Proactively support and maintain managed service resources
• Provide service level reports with KPIs
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Customer instances and data can be transferred to the customer and source instance/data deleted upon completion. This transfer is included within the managed service cost.
End-of-contract process
A high level exit plan is contained within the Managed Service documentation. The exit plan contains off-boarding instructions as to whether the service is to be ceased or migrated to another third party.

Using the service

Web browser interface
Yes
Using the web interface
The AWS management console interface lets you access and manage AWS through a simple and intuitive web-based user interface. Access rights and levels of access are determined depending upon the specific AWS managed service that will be procured.

The Console facilitates cloud management for all aspects of your AWS account, including monitoring your monthly spending by service, managing security credentials, or even setting up new IAM Users.

All IaaS AWS administration, management, and access functions in the AWS Console are available in the AWS API and CLI. New AWS IaaS features and services provide full AWS Console functionality through the API and CLI at launch or within 180 days of launch.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
The AWS management console interface lets you access and manage AWS through a simple and intuitive web-based user interface. Access rights and levels of access are determined depending upon the specific AWS managed service that will be procured.

The Console facilitates cloud management for all aspects of your AWS account, including monitoring your monthly spending by service, managing security credentials, or even setting up new IAM Users.

All IaaS AWS administration, management, and access functions in the AWS Console are available in the AWS API and CLI. New AWS IaaS features and services provide full AWS Console functionality through the API and CLI at launch or within 180 days of launch.
Web interface accessibility testing
None
API
Yes
What users can and can't do using the API
AWS provides extensive API support. Please visit https://docs.aws.amazon.com/ for detailed information.
API automation tools
  • Ansible
  • Chef
  • Terraform
  • Puppet
API documentation
Yes
API documentation formats
  • HTML
  • ODF
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
All AWS functionality is available via the CLI

Scaling

Scaling available
Yes
Scaling type
Manual
Independence of resources
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them.

Services which provide virtualised operational environments such as EC2 ensure that customers are segregated via security management processes/controls at the network and hypervisor level.

AWS continuously monitors service usage to project infrastructure needs to support availability commitments/requirements. AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently.

In addition, NETbuilder can proactively monitor service and resource performance and review performance metrics with the customer.
Usage notifications
Yes
Usage reporting
  • API
  • Email
  • SMS

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Backup
  • Patching
  • Anti Virus
  • Security controls and posture
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Amazon Web Services (AWS)

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other
Other data at rest protection approach
AWS adheres to independently validated privacy, data protection, security protections and control processes. AWS is responsible for the security of the cloud; customers are responsible for security in the cloud. AWS enables customers to control their content.
Wherever appropriate, AWS offers customers options to add additional security layers to data at rest, via scalable and efficient encryption features. AWS offers flexible key management options and dedicated hardware-based cryptographic key storage. The data at rest protection sub-principle and related processes within AWS services are subject to audit at least annually under ISO 27001:2013, AICPA SOC 1, SOC 2, SOC 3 and PCI-DSS certification.
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • All applicable data including system configurations.
  • Log files, databases, instances and application data.
Backup controls
Backups are controlled by the Service Desk according to a backup schedule and retention period agreed with the customer
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. AWS gives customers ownership and control over their content by design through simple, but powerful tools that allow customers to determine how their content will be secured in transit.

AWS enables customers to open a secure, encrypted channel to AWS services using TLS/SSL, and/or IPsec or TLS VPN (if applicable), or other means of protection the customer wishes to use.

API calls can be encrypted with TLS/SSL to maintain confidentiality; the AWS Console connection is encrypted with TLS.

Availability and resilience

Guaranteed availability
NETbuilder will use commercially reasonable efforts to make the Included Services available for each AWS region with a Monthly Uptime Percentage of at least 99.99%, in each case during any monthly billing cycle. In the event any of the Included Services do not meet the Service Commitment, you will be eligible to receive a Service Credit as described below.

Less than 99.99% but equal to or greater than 99.0%: 10%
Less than 99.0% but equal to or greater than 95.0%: 30%
Less than 95.0%: 100%

AWS currently provides SLAs for several services. Due to the rapidly evolving nature of AWS’s product offerings, SLAs are best reviewed directly on the AWS website via the links below:

• Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
• Amazon S3 SLA: http://aws.amazon.com/s3-sla
• Amazon CloudFront SLA: http://aws.amazon.com/cloudfront/sla/
• Amazon Route 53 SLA: http://aws.amazon.com/route53/sla/
• Amazon RDS SLA: http://aws.amazon.com/rds-sla/
• AWS Shield Advanced SLA: https://aws.amazon.com/shield/sla/

Well-architected solutions on AWS that leverage AWS Service SLAs and unique AWS capabilities, such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
Approach to resilience
The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.

AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Outage reporting
Alerts generated by our monitoring platform are received by our 24x7 Service Desk. SMS text alerts, phone calls and/or email notifications are generated and dispatched to user stakeholders for the affected services.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Management access utilises role based access controls and is granted only to those team members who need it. Two factor authentication is also used to further secure and control access.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
ISOQAR
ISO/IEC 27001 accreditation date
November 2018
What the ISO/IEC 27001 doesn’t cover
All aspects of our Managed Services are included within the scope of our ISO27001:2013 Accreditation.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
• ISO27001:2013
• Cyber Essentials

AWS:

ISO 27001:2013, Cyber Essentials Plus; ISO 27017; ISO 27018; SOC 1/2/3
Information security policies and processes
Our ISO 27001 Management System identifies significant information security aspects and the associated impacts of our operations. These are managed at all times in a way that minimises risk to all our stakeholders. Training and continual risk assessment ensures this is undertaken in a controlled manner.

Specifically, we:

• Include information security considerations in existing management systems and initiatives with the aim of improving our management processes and information security performance, whilst committing, at a minimum, to compliance with relevant legislation, contractual security obligations and other requirements to which the company subscribes, including ISO 27001.
• Work in partnership with our contractors and suppliers to influence and/or improve the integrity of their information security.
• Provide and maintain information security.
• Identify and seek to prevent information security incidents which may arise from our processes, operations and work activities.
• Make adequate provision for dealing with all emergency situations in our business.
• Ensure available access to information security training for our staff, encouraging them to apply good practice at all times.
• Discuss information security issues regularly at the highest levels of the company and consult with our staff on all related matters.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change requests can range from supporting AWS infrastructure design work through to provisioning new instances and services.

We use a well-defined change management process to ensure that changes are implemented in a controlled manner. Changes are risk assessed, include roll back/recovery procedures and are reviewed by our Change Advisory Board (CAB) prior to implementation.

Our change management process follows ITIL standards and is included in our ISO 27001 scope.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
NETbuilder has an ISO 27001 aligned vulnerability management process. This process is audited several times per year both internally and by a UKAS accredited ISO certification body.

All relevant systems are anti-malware protected. Updates are tested prior to deployment and are applied according to a schedule. Mailing list subscriptions and security alert briefings are used to keep abreast of the latest vulnerabilities.

Vulnerability assessments are also performed on a regular basis using industry standard tools and remediated in a timely manner.

AWS Security performs vulnerability scans on the host operating system, web applications, and databases in the AWS environment.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
NETbuilder has an ISO 27001 aligned protective monitoring process. These processes are audited several times per year internally, externally and by the ISO governing body.

Protection is provided in a number of ways, including SIEM, IPS, host sensors and next generation firewalls.

AWS deploys (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth-usage. Devices monitor:

• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag potential compromise incidents, based on thresholds set by the AWS Service/Security Team.
Incident management type
Supplier-defined controls
Incident management approach
NETbuilder's Incident Management process follows the ITIL standard and is included in our ISO 27001 scope. As such, it is audited and approved by our external auditors. Incidents are raised by customers (via the service desk portal, email or phone), monitoring systems or service desk technicians. Root cause analysis is performed for any incident.

AWS has its own comprehensive Incident Management plan, details of which can be provided upon request.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
Amazon Web Services (AWS)
How shared infrastructure is kept separate
Customer environments are logically segregated, preventing users and customers from accessing unassigned resources. Customers maintain full control over their data access. Services which provide virtualized operational environments to customers ensure that customers are segregated, and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation.

Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. The Amazon EC2 firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets pass through this layer. The physical random-access memory (RAM) is separated using similar mechanisms.

Energy efficiency

Energy-efficient datacentres
No

Pricing

Price
£350 to £999 a person a day
Discount for educational organisations
Yes
Free trial available
No
