AltoStack

Managed Cloud Services - AWS

AltoStack Managed Cloud - AWS provides access to Amazon Web Services resources and products on a utility basis, with a commoditised management service based on ITIL and ISO27001 management processes. Designed for the UK public sector, the managed service ensures compliance and efficient use of resources.

Features

  • AWS Advanced Partner
  • AWS Solution Provider
  • AWS resources charged at the prevailing AWS list price
  • Access to full range of Amazon Web Services products/services
  • Managed by UK based Security Check (SC) cleared staff
  • Cloud Cost Optimisation
  • Cloud Governance
  • Cloud Strategy
  • Access to certified AWS experts

Benefits

  • Clear, straightforward monthly cloud billing and management information
  • Ongoing optimisation, consolidation and right-sizing reduce cloud spend
  • Rapid scalability and deployment enables leverage of innovative cloud services
  • Provides cloud skills to supplement your internal skills and capability
  • ISO27001 and GDPR Compliant
  • Compliant with Official and Official Sensitive requirements

Pricing

£0.2 per virtual machine per minute

  • Free trial available


G-Cloud 11

910558163223084

AltoStack

Mohammed Abubakar

07427356289

mohammed.abubakar@altostack.io

Service scope

Service constraints Planned maintenance may take place between the hours of 22:00 and 06:00. Where maintenance is identified as potentially service impacting, 14 days' notice will be provided to the customer.
The customer is responsible for, and remains liable for, ensuring that their licensing is compliant with deployment in a virtualised cloud environment.
The customer is responsible for agreeing to and complying with the AWS client agreement and acceptable usage rights. This can be found at https://aws.amazon.com/agreement/
System requirements
  • Operating systems must be x86 based
  • Operating systems are current and receiving critical and security updates

User support

Email or online ticketing support Email or online ticketing
Support response times Response times within service hours as per selected management service are:
P1 15 minutes, P2 30 minutes, P3 2 hours, P4 4 hours
Gold - 24x365 Service desk and P1 Incident resolution in addition to silver
Silver - 24x365 Service desk in addition to Bronze
Bronze - 08:00-18:00 M-F Excl Holidays for all calls
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support No
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing N/A
Onsite support Yes, at extra cost
Support levels AltoStack operates a Service Desk to provide a single contact point for all service related Incidents, Requests and Changes. Our service desk agents are available as detailed within the Management Service option selected.

Our management options are selected on a server by server basis, including management of storage, backup and underlying network and security. The basic management layer is included within the cost of each infrastructure element and provides service desk, subscription support, billing and reporting. Each layer builds on the service provided by the layer below, giving support options that range from basic incident management with working hours’ support to proactive management with 24x7 support, enhanced service levels and a named technical lead for your service.

These management options can be selected on a server by server basis, to ensure that your tailored solution exactly meets your requirements. Charges apply per server, per month.

Gold - As Silver, plus enhanced Service Levels, including 24x7 incident management, named technical lead and architectural review.
Silver - As Bronze, plus managed Antivirus, patching, proactive and capacity management and 24x7 Service desk.
Bronze - 08:00-18:00 Monday to Friday (excluding holidays) support, account management and no predefined support per server time limit.
Support available to third parties Yes

Onboarding and offboarding

Getting started We support:
• new build of VMs;
• tool driven physical or virtual to virtual migration;
• professional services managed migrations.

New build is typically best for new projects or new implementations where a clean build will provide a useful break from previous environments. This is a process led by the customer unless AltoStack are also engaged to provide professional services via Lot-3.
Tool driven migration takes advantage of vendor supplied utilities that package existing deployments for migration. In this case, the customer is responsible for deploying the tool, providing the data to AltoStack then commissioning and testing once the images have been uploaded.
AltoStack offers broad migration planning and implementation capabilities via Lot-3. Our tailored approach enables us to rationalise and transform your systems, migrating them onto our own UK based cloud services, Azure or AWS platforms. Options include:
• Cloud Readiness, Cloud Due Diligence and Cloud Design
• Transformation, consolidation and optimisation
• Operating System upgrade
• Cloud migration tooling
• Legacy system remediation
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The Customer should contact their Account Manager to cancel the service.

Our process extracts customer virtual machines from our service and transfers them securely via network connectivity or via portable media, allowing you to import services onto another infrastructure.
Preparing and extracting images and data into a staging area at termination is included within the managed service price. The price of media and shipment of media to transfer data will be charged in addition to the managed service.

Further services are available to support offboarding from the service and are accessible at the rates detailed within the accompanying SFIA rate card.
End-of-contract process The customer initiates the off-boarding process via a service request.

Buyer may terminate the relationship with Supplier for any reason by (i) providing Supplier with notice and (ii) closing Buyer's account for all services for which Supplier provides an account closing mechanism.

Buyers pay for the services they use to the point of account termination.

Supplier customers retain control and ownership of their data. Supplier will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Supplier services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.

Using the service

Web browser interface Yes
Using the web interface The portal provides access to:
• Power up/down and reboot, including console access onto virtual machines
• Self-provision virtual machines
• Manage allocated resources
• Access inventory and compliance information
• Access billing information
• Access right-sizing recommendations
Web interface accessibility standard WCAG 2.1 AA or EN 301 549
Web interface accessibility testing N/A
API Yes
What users can and can't do using the API Standard AWS API services are supported
API automation tools
  • Ansible
  • Chef
  • Terraform
  • Puppet
  • Other
Other API automation tools Helm
API documentation Yes
API documentation formats
  • HTML
  • PDF
  • Other
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface All AWS functionality is available via the CLI

Scaling

Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources Our service is capacity managed to ensure that users are not adversely affected by other users. In addition, we provide uncontended memory and, for larger customers, dedicated compute resources. We also validate designs for each client through a TDA approval process for their service, which would include performance requirements. Once in service, we proactively monitor and alert on service performance and share performance metrics with our customers.
Usage notifications Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type Reseller providing extra features and support
Organisation whose services are being resold Amazon Web Services (AWS)

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach AWS adheres to independently validated privacy, data protection, security protections and control processes. (Listed under “certifications”).

AWS is responsible for the security of the cloud; customers are responsible for security in the cloud. AWS enables customers to control their content (where it will be stored, how it will be secured in transit or at rest, how access to their AWS environment will be managed).

Wherever appropriate, AWS offers customers options to add additional security layers to data at rest, via scalable and efficient encryption features. AWS offers flexible key management options and dedicated hardware-based cryptographic key storage.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach In-house destruction process

Backup and recovery

Backup and recovery Yes
Backup controls Application and version aware, our backup service also offers client defined backup policies. Defined on a per system basis, these include customised:
• Recovery Point Objectives;
• Version retention based on number of versions and/or retention period; and,
• Retention periods
Backups are stored locally on dedicated backup disks, independent of production storage, to ensure recovery performance and replicated to an offsite tape library for Disaster Recovery purposes. Using an incremental forever approach, we provide an effective method of rolling back services to a specific point in time, without the need to maintain multiple full backups of your systems.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
Scheduling backups Supplier controls the whole backup schedule
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability AWS currently provides SLAs for several services. Due to the rapidly evolving nature of AWS’s product offerings, SLAs are best reviewed directly on our website via the links below:

• Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
• Amazon S3 SLA: http://aws.amazon.com/s3-sla
• Amazon CloudFront SLA: http://aws.amazon.com/cloudfront/sla/
• Amazon Route 53 SLA: http://aws.amazon.com/route53/sla/
• Amazon RDS SLA: http://aws.amazon.com/rds-sla/
• AWS Shield Advanced SLA: https://aws.amazon.com/shield/sla/

Well-architected solutions on AWS that leverage AWS Service SLAs and unique AWS capabilities, such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
Approach to resilience The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.

AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Outage reporting Alerts generated by our monitoring platform are received by our 24x7 Operations Centre. SMS text alerts and email notifications are generated and dispatched to user stakeholders for affected services. For AWS, the following are supported: Public dashboard; personalised dashboard with API and events; configurable alerting (email / SMS / messaging)

Identity and authentication

User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Management access is granted only to UK based engineers that hold current Security Check (SC) Clearances. Two factor authentication, and strict segregation of administrative privileges is used to further control access.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach AltoStack has a comprehensive set of policies and standards covering our services. These are supplemented with “How To” documents, which cover the range of services and provide practical method statements for common procedures when implementing platform and client services.
Information security policies and processes We operate an Information Security Management System (ISMS), incorporating best practice guidance from SANS Top 20 CIS Critical Security Controls and Good Practice Guides. Our architecture and ISMS are certified to ISO27001:2013, and we are a certificated PSN Service Provider, following the PSN Code of Connection for our own infrastructure services. AltoStack complies with the CESG 14 Cloud Security Principles and is certified against the Cyber Essentials Plus Scheme.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our CMDB contains details of all the IT services delivered to our customers, together with relationships to the supporting services, shared services, components and Configuration Items (CIs) necessary to support the provision of the service.
AltoStack ensures the smooth running of operations using well-defined change management processes. Our Change Advisory Board (CAB) is managed to ITIL standards (assessed within the scope of ISO27001), with 98.5% of changes completing successfully.
Many of our processes are documented as standard changes; however, service impacting or non-standard changes require a full change submission that may require communication with end customers via our Service desk.
Vulnerability management type Supplier-defined controls
Vulnerability management approach AltoStack engages accredited third parties to regularly conduct IT Health Checks and conduct other testing of the IaaS and client environments. Timescales for implementing fixes and patches to address known and reported vulnerabilities are detailed in AltoStack's Patching Policy.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach AltoStack has comprehensive Incident Management Processes and Security Operating Procedures in place.

A GPG 13 compliant Security Information and Event Management (SIEM) service has been deployed in addition to log capture on the IaaS Platform, which monitors up to, but not within, tenant environments, with logs filtered and supplied to our operations centre. The SIEM is configured in accordance with our SIEM & GPG13 Protective Monitoring Audit Policy.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our Incident Management process is aligned to the ITIL Standard and has been audited and approved by external auditors as part of our ISO27001 certification.
AltoStack's Service desk function provides the single contact point for all Incidents, Requests and Changes. Operating 24x7, the service desk agents provide core services, including help and advice, and Major Incident Management. Accessible by telephone and email, once an incident call ticket has been raised, the desk retains control of the call. Escalations and communications including updates are accessible via the Service desk.
Major Incident reports are provided for all P1 incidents within 5 working days.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used Other
Other virtualisation technology used Proprietary AWS Hypervisor
How shared infrastructure is kept separate Customer environments are logically segregated, preventing users and customers from accessing unassigned resources. Customers maintain full control over their data access. Services which provide virtualized operational environments to customers, ensure that customers are segregated and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation.

Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. The Amazon EC2 firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets pass through this layer. The physical random-access memory (RAM) is separated using similar mechanisms.

Energy efficiency

Energy-efficient datacentres No

Pricing

Price £0.2 per virtual machine per minute
Discount for educational organisations No
Free trial available Yes
Description of free trial Trial options are available, please contact us to discuss your requirements.

Service documents

  • Pricing document (PDF)
  • Terms and conditions (PDF)