Transact Technology Solutions

Transact Cloud Management Platform (TCMP)

A simplified and streamlined reporting function for multi-cloud platforms. Reports include FinOps, cost analysis, security and governance, utilisation, and detailed analysis of consumption and billing processes across multiple accounts.

Features

  • Real-time reporting
  • Spend Analysis
  • Cost Optimisation
  • Inventory reporting
  • Usage reporting
  • Trend Analysis
  • Security
  • Governance

Benefits

  • No billing overhead
  • Clear and concise billing
  • Breakdown of billing
  • Security environment overview
  • Governance overview
  • FinOps
  • Cloud best practices
  • Multi-cloud inventory and utilisation overview

Pricing

£5 to £500000 per instance per month

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

935712578678975

Contact

Transact Technology Solutions

Stuart Whitman

07725 367728

stuart.whitman@transactts.co.uk

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
AWS, Azure
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
No constraints in the listed environments
System requirements
Read access to environment

User support

Email or online ticketing support
Yes, at extra cost
Support response times
SLA dependent.
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Transact offers 3 support levels: Gold, Silver and Bronze. All costs are dependent on cloud usage. Every customer will get access to a Technical Account Manager.
Support available to third parties
No

Onboarding and offboarding

Getting started
Transact provide a Demo, Proof of Concept, on-site training and user documentation.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Transact does not collect any customer data. Customers' billing data will remain accessible for a 30-day grace period after contract end before deletion, unless otherwise specified.
End-of-contract process
At the end of the contract the functionality is stopped. There are no additional costs unless the customer wants Terms and Conditions specific to their environment.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
No
Service interface
Yes
Description of service interface
Customers have access to their own portal which gives them a single pane of glass overview of their environment
Accessibility standards
None or don’t know
Description of accessibility
Customers access the portal through a secure web URL. Features and constraints are reviewed on a case-by-case basis.
Accessibility testing
We provide on-going demos of regular updates with a customer user group. We will also work with customers on specific requirements
API
No
Customisation available
Yes
Description of customisation
The dashboard and access can be customised for individual customers as can the reports produced.

Scaling

Independence of resources
Back end infrastructure is highly scalable and built to be fault tolerant

Analytics

Service usage metrics
Yes
Metrics types
Utilisation of cloud services.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
CloudCheckr

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
Other
Other data at rest protection approach
Not applicable, as we are only collating their usage data in a view-only format
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Not applicable, as we are only collating their usage data in a view-only format
Data export formats
Other
Other data export formats
PDF
Data import formats
Other
Other data import formats
Via Application

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
Not applicable, as we are only collating their usage data in a view-only format
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The offering is highly available across multiple data centres
Approach to resilience
Available on request
Outage reporting
https://status.aws.amazon.com/
https://azure.microsoft.com/en-gb/status/

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
IAM provides user access control to Transact services, APIs and specific resources. Other controls include time, originating IP address, SSL use, and whether users authenticated via MFA devices.

API calls can be encrypted with TLS/SSL for confidentiality and customers can use TLS/SSL-protected API endpoints.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
EY CertifyPoint
ISO/IEC 27001 accreditation date
03/12/2018
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
03/12/2018
CSA STAR certification level
Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover
N/A
PCI certification
Yes
Who accredited the PCI DSS certification
Coalfire Systems Inc
PCI DSS accreditation date
27/03/2019
What the PCI DSS doesn’t cover
N/A
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials Plus
  • Infosec
  • SOC 1/2/3

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Transact implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Cloud Provider Security Assurance is responsible for familiarizing employees with the security policies.

Transact has established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives.

The output of Transact Leadership reviews includes any decisions or actions related to:

• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and treatment plan.
• Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
• Resource needs.
• Improvement in how the effectiveness of controls is measured.

Policies are approved by Transact leadership at least annually or following a significant change to the environment.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes to services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation.

Teams set bespoke change management standards per service, underpinned by standard guidelines.

All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.

Emergency changes follow incident response procedures. Exceptions to change management processes are documented and escalated to Transact management.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Transact performs vulnerability scans on the host operating system, web applications, and databases in the environment. Approved 3rd party vendors conduct external assessments (minimum frequency: quarterly). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities.

Customers are responsible for all scanning, penetration testing, file integrity monitoring and intrusion detection for their EC2 and ECS instances/applications. Scans should include customer IP addresses (not endpoints). Endpoint testing is part of compliance vulnerability scans.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Transact uses monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:

• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag incidents, based on thresholds set by the Service/Security Team.

Requests to KMS are logged and visible via the account’s Services. Logs provide request information, including the CMK under which the request was made, and identify the resource protected through use of the CMK. Log events are visible to customers after turning on services in their account.
Incident management type
Supplier-defined controls
Incident management approach
Transact adopts a three-phased approach to manage incidents:

1. Activation and Notification Phase
2. Recovery Phase
3. Reconstitution Phase

To ensure the effectiveness of the Incident Management plan, Transact conducts incident response testing, providing excellent coverage for the discovery of defects and failure modes as well as testing the systems for potential customer impact.

The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. It includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination and varying reporting/detection avenues.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5 to £500000 per instance per month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Proof of Concept - a 1 month free trial for the TCMP

Access to services such as Cost Management, Security & Governance, and Compliance.
