Jisc Services Ltd

Govroam

A federated roaming service for the wider public sector, providing seamless connectivity to the end user. Govroam makes offering offsite connectivity easy, delivering savings and efficiencies while enhancing the control employers have over staff roaming behaviours. Operated by Jisc, govroam brings regional roaming initiatives together under a standardised national-scale service.

Features

  • Provides a national standard for federated roaming design.
  • Guaranteed minimum service capability allows effective remote working.
  • Service design built on a fabric of trust between participants.
  • Uses your existing staff authentication mechanisms to grant access.
  • Transfer of authentication data secured by end-to-end encrypted protocols.
  • Support offered by end users' home organisation.
  • Free at point of service to end users.
  • Device and infrastructure agnostic, enabling BYOD.
  • Geolocation companion app supports easy venue discovery.
  • Explicitly national in scope, with potential international integration.

Benefits

  • Supports your mobile workforce, improving productivity by simplifying off-site connectivity.
  • User-friendly roaming, with a “zero-touch” automated process after initial configuration.
  • Secure authentication incorporating a real-time “member in good standing” check.
  • Standardises your guest WLAN provision to an industry best-practice standard.
  • Reduces/eliminates the need for customer-facing visitor support.
  • Reduces/eliminates the use of temporary credentials, improving network security.
  • Reduces/eliminates the need for costly SIM-based data provision.
  • Exert real-time control over staff access to roaming connectivity.
  • Reuses existing network infrastructure.

Pricing

£310 to £3,080 a unit a month

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 12

Service ID

961951715503044

Contact

Jisc Services Ltd Jisc helpdesk
Telephone: 03003002212
Email: help@jisc.ac.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Community cloud
Service constraints
Scheduled maintenance is under the control of Jisc, and will be announced at least 7 days in advance and will be scheduled into the next available maintenance window.

Unscheduled maintenance, which is only undertaken in an emergency, of the govroam central service, as well as the other servers and services under control of Jisc, will be announced as early as possible.
System requirements
  • Standards based RADIUS Server
  • Compliant Enterprise WiFi Deployment
  • Compliant access control
  • Compliant support process
  • iOS or Android (for use with govroam App)

User support

Email or online ticketing support
Email or online ticketing
Support response times
For general enquiries or technical questions Members should contact the govroam team at govroam@jisc.ac.uk. The team will acknowledge receipt within 4 hours during a working day, and provide a solution or initiate further investigation to all enquiries as soon as possible, but no later than 5 working days.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Technical boarding, B2B troubleshooting and security incident management are included as standard. Enhanced RADIUS federation design consultancy is available at SFIA rates (see service definition for SLA).
Support available to third parties
Yes

Onboarding and offboarding

Getting started
There is a defined technical boarding process supported by both deployment and operations training, an extensive documentation package and unlimited telephone/email support.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Service operations do not require holding end user data. Any business contacts etc will be deleted in accordance with our data protection policy.
End-of-contract process
Trust relationships between the customer and the central RADIUS servers are removed. All public references to the customer as a participant are removed.

Using the service

Web browser interface
No
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
As a connectivity service, the only differences between mobile and desktop are the OS elements required for initial configuration. The service has no interface for the end user.
Service interface
No
API
No
Customisation available
No

Scaling

Independence of resources
Resilience and redundancy in depth across all service elements. Normative use of the service by customers creates minimal load as authentication services are light touch.

Analytics

Service usage metrics
Yes
Metrics types
A govroam service report is presented at stakeholder meetings approximately every six months. The report includes information on the number of member organisations and the number of successful roaming sessions.
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Other
Other data at rest protection approach
Physical access control, very little data to protect. Both datacentres are ISO/IEC 27001:2013 certified.
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
No data to export
Data export formats
Other
Other data export formats
N/A
Data import formats
Other
Other data import formats
N/A

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
Combination of end to end 802.11i AES encryption, RADIUS shared secrets, customer operated EAP methods and use of a private network (Janet)
Data protection within supplier network
Other
Other protection within supplier network
Combination of end to end 802.11i AES encryption, RADIUS shared secrets, customer operated EAP methods and use of a private network (Janet)

Availability and resilience

Guaranteed availability
The availability of the central service is targeted as 99.9%.
Approach to resilience
There are multiple load-balanced instances to handle load in the event of an outage. These are hosted in geographically redundant tier 3 facilities, with redundant backups of infrastructure.
Outage reporting
Email alerts are generated against central service as part of the major incident handling process. Major outages are also reported via the service webpage and Twitter account.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
The member organisation determines who can access roaming provision, and controls credential issue and revocation according to their own policies. Govroam receives a connectivity request from a visiting user’s device and securely conveys it to their home organisation, where their identity is confirmed and the home organisation decides, based on its policies, whether the user is allowed to connect. Govroam conveys that back to the visited organisation which then grants or blocks access accordingly, confident that the visitor’s home organisation is aware of the transaction and has just checked that the visitor in question is a member in good standing.
Access restrictions in management interfaces and support channels
Access credentials are only issued to required staff, as specified by the RFO.
Note that the govroam app is managed by a third-party consultant.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication
Credentials are issued individually to verified contacts at the request of an RFO.
Two-factor authentication for VPN login provides network access via a secure hosting facility.
Username and password used to access the service.

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
LRQA
ISO/IEC 27001 accreditation date
23/06/2016
What the ISO/IEC 27001 doesn’t cover
Please contact us for more information
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Please contact us for more information
PCI DSS accreditation date
Please contact us for more information
What the PCI DSS doesn’t cover
Please contact us for more information
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO 9000:2015. Also aligned with ITILv4. The responsibility for secure provision is split between Jisc, the end-user's home organisation, and the organisation they are visiting. For incidents with actual or potential information security or service integrity implications, we may delegate incident investigation and management to the Janet network CSIRT.
Information security policies and processes
ISO/IEC 27001:2013.
Member organisations are required to comply with the Janet Acceptable Use Policy and the Janet Security Policy.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change management controls are applied to industry best practice. In particular, we are aware of the change management principles in ITILv4 and align our processes with these.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have a long-established vulnerability management process which is managed through our ISO27001 certified ISMS.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We deploy a variety of effective systems and processes, including firewalling, IDS, inline DDoS prevention, regular internal and external vulnerability scanning, penetration testing, flow logging, and centralised logging and authentication. Our incident response process is modelled on NIST/SANS principles. It is managed via a dedicated incident response lead and backup roles. This process mandates engagement with the CSIRT, SIRO and Infosec security manager. Jisc CSIRT works to a 2-hour response SLA on incidents.
Incident management type
Supplier-defined controls
Incident management approach
We have a long-established vulnerability management process which is managed through our ISO27001 certified ISMS.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)
  • Other
Other public sector networks
Potentially, all public sector networks can connect guests through govroam.

Pricing

Price
£310 to £3,080 a unit a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Limited functionality.
Trial available for the technical onboarding process, not the roaming function.
