e2e Secure Cloud Connect Service - Service Definition Document

Transcription

1 e2e Secure Cloud Connect Service - Service Definition Document Overview A cloud connectivity service that connects users, devices, offices and clouds together over the Internet. Organisations can choose a service that suits their security and connectivity requirements. Includes VPN clients that support Windows, Mac, Linux and most tablets and phones to provide secure anywhere access to cloud resources. This is a cloud independent service as it covers cloud connectivity to e2e or any other suitable cloud provider. Service Overview Cloud services offer outstanding value for money but the connectivity to and from the services is often overlooked. e2e s secure cloud connect service takes away all the hassle of implementing and managing the secure connectivity required to consume the services securely. The service is designed to the highest security standards and follows CESG best practice and architectural guidelines. This can provide all the security and service advantages of commissioning dedicated private links but is much quicker, cost effective and scalable. The service reduces an organisation s exposure to threats by consolidating all cloud connectivity to a security gateway that cleanses and monitors traffic. This gateway provides security services such as in-line antivirus scanning, intrusion prevention and optional protective monitoring as well as other advanced security monitoring services. The service provides a complete VPN and security hub that provides strong encryption with certificate based, always-on full tunnel client/mobile VPNs as well as on demand, two-factor based thin client style connectivity from appropriately secured devices. Mobile devices are supported and can be managed as part of the service. Allows your organisation to connect to and manage cloud resources using CESG approved technologies Allows your organisation to connect to and manage cloud resources using a wide range of Windows, Linux, MAC and even Android and IOS devices Allows your organisation to connect to and manage cloud resources using a wide range of tablets, phones, and other similar devices running Windows, Linux, MAC, Android and IOS Mobile Device Management as an option we can provide a fully managed MDM solution with integrated device security, secure app containers, secure , etc. Assured service design the service is designed by a Senior CESG IA Architect in line with CESG guidelines and to a proven, tested design 1

2 Security assurance the service has a Protective Monitoring service aligned with your risk posture and threat model Cloud service model only pay for what you use Cloud procurement model no CAPEX, no setup charges, just a monthly fee for the services you use Flexibility to run whatever applications and services you choose within the service Scale-up on demand service flexes with your business to ensure the resources are available when you need them most Securely enables your business by allowing you to pursue the best value services and maximise opportunities whilst maintaining your security posture Agile, adaptive cloud aware service secures your journey to the cloud by supporting connectivity to hybrid or existing customer solutions and other cloud services Three service levels available to ensure you have a level of service that fits your needs Highly available and DDOS resistant - designed to provide 99.99% monthly availability Provides a single, resilient cloud access method secures your cloud by reducing the entry points to one resilient, multi-site secure connect gateway thereby dramatically reducing your exposure and providing auditable, secure access Optional proxy service provided so that organisations can send all their Internet bound traffic through the security services thereby increasing threat detection and infected host detection All Private Clouds used for this service are located in the UK, all data resides in the UK and the service is managed by a UK company using SC cleared staff All access to the service can be secured with two or even three factor authentication Optional Protective Monitoring and Alerting service for potential and verified threats Expert Incident Response available before a cyber-event becomes a major security incident Standards compliance - built to work with existing organisations security frameworks and facilitate compliance with ISO27001, IASME and Cyber Essentials Plus Simply put these cloud connect services enable you to consume the benefits of the cloud without compromising security and affordability. 2

3 The Cloud Connect Service The service is designed to offer a level of security that fits your organisations risk appetite and business goals. Every service is designed to a set pattern with levels differentiated on service/support levels and security features. The diagram below illustrates how the service works. 3

4 e2e Secure Cloud Connect Service Connectivity options and responsibilities The diagram above shows the managed cloud on the right. Items in blue are the customer s responsibility and items in orange and green are e2e s responsibility. The service is designed to be consumed over the Internet using IPSec VPNs or TLS encryption. e2e can provide an optional dedicated VPN device at any of the customers locations in order to provide a managed site to site VPN service. The customer can also choose to provide their own fixed VPN endpoint. Remote access VPNs follow the same pattern; e2e can provide a VPN client or the customer can use their existing VPN client (so long as it is a CESG CPA foundation approved product). How do I know which service is appropriate? There is a level of service appropriate for all organisations. If you do not currently know what the right level of service is we offer a simple process: 1. e2e provide a free, one day on site cloud workshop led by a CESG Senior IA Architect where we work with your organisation to establish your requirements and cover aspects such as your organisations risk profile and security assurance requirements, connectivity requirements as well as your platform and application requirements. 2. The workshop report includes expert advice from e2e and includes generating your heat map similar to the below and this gives us a score: 3. This score then maps to our recommended services: 4

5 4. If you need more help we can provide follow up workshops with no commitment from you to purchase a cloud service. We will walk you through a risk based approach that starts with your business requirements and allows you to decide which service aligns best. 5

6 e2e Secure Cloud Connect Service levels of service Baseline Target SLA/Month (during service hours) 99.50% Service Hours 8am to 6pm Mon-Fri Service Hours Response Time 1 hour Emergency/out of hours 24/7 response time 8 hours Optional (Baseline Protective Monitoring Service recommended) DOS and DDOS Protection Baseline Mobile VPN, fixed VPN, Security features triple-tier firewalls, twofactor authentication Enhanced Target SLA/Month during service hours 99.99% Service Hours 8am to 6pm Mon-Fri Service Hours Response Time 1 hour Emergency/out of hours 24/7 response time 8 hours DOS and DDOS Protection Enhanced Optional (Enhanced Protective Monitoring Service recommended) Mobile VPN, fixed VPN, triple-tier firewalls, twofactor authentication, Security features network anti-virus, network IPS, network IDS Premium Target SLA/Month during service hours 99.99% Service Hours 8am to 8pm Mon-Fri Service Hours Response Time 1 hour Emergency/out of hours 24/7 response time 4 hours DOS and DDOS Protection Premium Optional (Premium Protective Monitoring Service recommended) Mobile VPN, fixed VPN, triple-tier firewalls, twofactor authentication, Security features network anti-virus, network IPS, network IDS, Botnet detection, DLP, triple-factor authentication 6

7 Roles and responsibilities This is a fully managed service that covers the creation of the fixed VPNs, provision of the mobile VPN devices and cloud connect security services. Each customer solution has dedicated VPN devices at the e2e datacentre and customers can either use existing VPN devices or e2e provided devices at their managed VPN end points. The customer (or the customers 3 rd party supplier) is responsible for installing and configuring the mobile VPN clients and supporting the end users. The customer is responsible for managing any of their own VPN devices used in the service or delegating management of these devices to e2e. e2e are responsible for managing all the VPN devices they provide as part of the service. The customer is responsible for providing details of all users and informing e2e of users leaving the service. Pricing There is an on-boarding charge for this service. This is to enable your organisation to be able to consume the service and includes training and guided build workshops to streamline the on-boarding. The on-boarding charges are one off charges that are incurred at service commencement. There is a second one off charge that is incurred when scaling up. This is due to the increase in license, underlying private compute, bandwidth and other service costs that are required to provide the new level of service. There are three parts to the pricing; the number of mobile VPN users, MDM users and the number of fixed VPNs. Mobile VPNs Baseline Enhanced Premium On-boarding Scale-up One off at service commencement Number of users Monthly price per user Monthly price per user Monthly price per user Incurred when scaling up (one off, not per month) , , , , , , , ,

8 , , , , Fixed VPNs Baseline Enhanced Premium On-boarding Scale-up One off at service commencement Number of fixed VPNS Monthly price per VPN Monthly price per VPN Monthly price per VPN Incurred when scaling up (one off, not per month) , , , , , , , , , , , , Mobile Devices (MDM) Baseline Enhanced Premium On-boarding Scale-up One off at service commencement Monthly price per device Monthly price per device Monthly price per device Incurred when scaling up (one off, not per month) Number of devices , , , , , , , , , , , , , ,

9 Cloud Connect Security Monitoring/ Protective Monitoring Service The Cloud Connect service can be purchased without a protective monitoring service if an organisation determines that they do not require it. This would result in the service logging data but no actions being taken to investigate or inform the customer of the alerts. Organisations can also choose one of three levels of protective monitoring i.e. they can choose a premium cloud connect service and a baseline protective monitoring service or any other such combination that best aligns with their risk posture. The protective monitoring service provides a complete security monitoring system, designed and built by e2e experts who have spent over 15 years designing and building security systems for major banks, telco s, payment providers and the military. e2e have taken the best of open source and commercial systems and blended them together to provide a formidable arsenal of security services. Some of the components of this system have been provided below: Log collection, storage and monitoring of all data flowing through the secure cloud connect Network based IDS using open source tools and network based IPS using commercial tools Traffic monitoring and intelligent traffic analysis (i.e. detects and classifies traffic based on its type not it s port number e.g. detects data tunnelling and applications using nonstandard ports, exfiltration and other data leakages) Packet capture and analysis to enable investigations into alerts and to support incident response DNS monitoring to detect DNS lookups to known or suspected malware or other suspicious domain names Botnet monitoring hunts for and alerts on any type of connection known to be used by botnets Web and threat monitoring monitors access to the Internet and s and hunts for known threats and signs of potential threats in web site browsing, URLs and s Threat indicator monitoring and latest threat intelligence monitoring Geographic analysis of all attacks and traffic Cloud-focused service design that provides monitoring of the latest cloud based threats and intelligence Fully managed cloud service that can be provided with varying levels of customer involvement as appropriate In depth reporting on all aspects of the service Threat detection across a wide range of traffic web, smtp, http and https inspection as an option 9

10 There are three levels of service available: Baseline Protective Monitoring and Alerting Service Log Collection Log Storage Log Reporting Log Alerting alerts to customer Monthly statistical report Retention periods of 3-12 months Log collection limited to 10 logs per second per device averaged over month Any log source capable of generating collectable logs Includes one virtual network IDS per 128 IP addresses Includes one instance of packet capture, DNS monitoring, botnet, web and monitoring Customer responsible for investigating events, or purchasing e2e incident response days to be used for this purpose Enhanced Protective Monitoring and Alerting Service As baseline plus: Monthly event and threat summary Retention periods of months for logs and one week for full packet captures Alerts triaged by e2e vsoc and escalated to customer when appropriate Includes host based IDS agent (optional if network based IDS can be deployed effectively) Includes one on-premises security monitoring device provide by e2e as part of the service Threat indicator detection (detects typical signs of threats by their indicators) 10 Premium Protective Monitoring and Alerting Service As enhanced plus: Fully managed service that includes e2e triage prior to raising alerts with customer Includes e2e incident response engagement (first 5 days) for any incident e2e escalate to customer as a Priority 1 Includes event triage and investigation services (provides customer with evidence and advice and options to mitigate, contain or manage threat). Includes full event reporting, security processes management, monthly review meeting and continuous service improvement Removes the requirement for customer to provide any security resources Includes external vulnerability scanning and alerting services

11 The protective monitoring service is priced per device or IP address that passes through the cloud connect service. This should be the real number of customer IP addresses protected by the service. There are no on-boarding or scale up charges. Cloud Connect Baseline Protective Monitoring and Alerting Service Number of IP addresses monitored Per Month , , , , , Cloud Connect Enhanced Protective Monitoring and Alerting Service Number of IP addresses monitored Per Month , , , , , , Cloud Connect Premium Protective Monitoring and Alerting Service Number of IP addresses monitored Per Month ,

12 , , , , , , VPN devices Where e2e are required to provide a VPN device there is fixed charge per device that covers the device and installation. CPA VPN Device Installation of an e2e provided CPA VPN device Per device 2, Proxy Services Web, DNS, NTP and SMTP proxy services can be provided to further secure your organisation s cloud. You will need to configure all your services to point to a cluster of proxy services at e2e and close down all other outbound internet access from your other services other than the VPNs. This dramatically increases your security and simplifies your cloud landscape. The same can be done for SMTP traffic. If required we can also provide SSL inspection of all outgoing HTTPS traffic to look for threats buried in encrypted traffic. This method of cloud security is highly effective at bringing your cloud under control and allows us to identify anomalous traffic by its characteristics as well as by matching against known threats. These services are only available at Enhanced and Premium. Organisations will only ever need one of each of the items below unless they chose a dual site service which then requires two. Web proxy service (1 to 250 users/ IP addresses) Web proxy/https proxy/dns/ntp cluster at one location Per month SMTP proxy service (1 to 250 users/ IP addresses) SMTP proxy cluster at one location Per month Web proxy service ( IP addresses) Web proxy/https proxy/dns/ntp cluster at one location Per month SMTP proxy service ( users/ip addresses) SMTP proxy cluster at one location Per month Web proxy service ( users/ip addresses)) 12

13 Web proxy/https proxy/dns/ntp cluster at one location Per month SMTP proxy service ( users/ip addresses) SMTP proxy cluster at one location Per month It is also possible for web browsing and to be directed through other cloud web SMTP security services that they customer may already have or wish to procure. In those cases the services above would not be required and we would route the traffic to the requested cloud provider. Priced examples A customer requires 25 mobile vpn users to connect two offices, one cloud service and the baseline service best fits their needs. The monthly cost would be: 25X Mobile VPN users at baseline = X Fixed VPN at baseline = 1,200 Total: 2, per month They choose the baseline protective monitoring service. There are 25 mobile VPN users and they connect to two servers in the office and one in the cloud. The protective monitoring service needs to cover 28 IP addresses: Protective Monitoring: per month The on-boarding charges are: Mobile: 2, Fixed: 2,

14 A customer requires connectivity for 110 users and one cloud service. The monthly cost for an enhanced service would be: 110X Mobile VPN users at enhanced= 2, x Fixed VPN at enhanced = Total: 3, per month They choose the enhanced protective monitoring service. There are 110 mobile VPN users and they connect to two web servers in the cloud and one server in the cloud. The protective monitoring service needs to cover 113 IP addresses: Protective Monitoring: 1, per month The on-boarding charges are: Mobile: 2, Fixed: 2, A customer with 500 users and 10 VPNs with a Premium service would be: 500X Mobile VPN users premium = 10, X Fixed VPN premium = 4, Total: 14, per month The on-boarding charges are: Mobile: 5, Fixed: 2, They choose the premium protective monitoring service. There are 500 mobile VPN users and they connect to two web servers in the cloud and one server in the cloud. The protective monitoring service needs to cover 600 IP addresses as they direct all cloud traffic through the service as well as opting for the full Web proxy service: Protective monitoring: 9, per month Web proxy: 1, per month 14

15 A customer requires an MDM solution for 50 devices. These devices need to connect to their on premise system. The enhanced service best fits their needs: 1X Fixed VPN enhanced = X MDM devices = 1, The customer scales up to 100X MDM devices: The scale up charge is: 1, Total = 3, per month (after scale up) The on-boarding charges are: Fixed: 2,500.00, MDM: 2, They decide that the baseline protective monitoring service best suits their needs and there are 55 IP addresses to be protected before the scale up and 165 after: Protective monitoring: per month Protective monitoring: 1, per month (after scale up) A customer requires connectivity for 2 offices, 2 cloud services, 50 mobile vpn users and 50 mobile devices at enhanced. They opt for no protective monitoring service. 4X Fixed VPN enhanced = X Mobile VPN users = 1, X MDM devices = 1, Total: 5, per month The on-boarding charges are: Fixed: 2,500.00, Mobile: 2,500.00, MDM: 2,

16 Service scale up/scale down options Secure Cloud Connect Service It is possible to scale up and scale down the service levels of from Baseline to Enhanced and from Enhanced to Premium or from Baseline to Premium. There is no charge for scaling up or down service levels. Scale up example: A customer requires 25 mobile vpn users to connect two offices and one cloud service. The baseline service best fits their needs. The monthly cost would be: 25X Mobile VPN users at baseline = X Fixed VPN at baseline = 1,200 Total: 2, per month The customer decides to scale up the service level to enhanced for a critical period of 2 months. During those two months the customer pays: The monthly cost would be: 25X Mobile VPN users at enhanced = 1, X Fixed VPN at enhanced = 1, Total: 2, per month Service scale up /scale down options Secure Cloud Connect Protective Monitoring Service It is also possible to scale up or scale down the service levels of the protective monitoring element of the service on a month by month basis. There is no charge for scaling up or down service levels. Scale up support options The service includes the BAU activities relating to managing the services and providing support but it is possible that the customer requires the reassurance of having dedicated e2e resource on hand to support their IT team during critical times. The following scale up option allowing customers to purchase cost effective support and scale it up at times of emergency or heightened importance: Private Cloud Management and Support Ad hoc items Extended support add on 24/7 response uplifts support level to a one hour response 24/7 for any day or number of days Per Day

17 Dual site options The service can be distributed across two e2e datacentres. This provides availability levels above 99.99%. This increases the quantity of fixed VPNs required. The dual site costs are double the single site cost. e2e provide connectivity between sites as part of the dual site service. Either site on its own is capable of handling all traffic. Other Services A range of other services are available that can be used to perform tasks such as assisting you with the roll out of VPN clients, connecting the mobile VPN to active directory or certificate services for user authentication or to assist with design aspects of the service. These are priced per day as per e2e s SFIA rate card. Other Services Design effort per day Service training per day Ad hoc support per day User authentication integration (e.g. mobile VPN to customers active directory per day) Advice and consultancy per day 1,

18 Service Specific Terms and Conditions On-boarding is included with the following scope: e2e will support the customer in connecting/enrolling the requested fixed VPNs, mobile VPNS and mobile devices into the service. Optionally we can also migrate data into the service on a time and material basis. Examples of this would be connecting to an existing customer active directory service which would be On-boarding charged on a time and material basis. Off-boarding is included with the following scope: all user access will be revoked and any e2e cloud connect components containing customer data will be wiped and factory reset. All customer data will be removed. The customer is expected to migrate their own data out of the service prior to the end of the service. Optionally we can also migrate the data out of the Off-boarding service (such as historical access logs) on a time and material basis. Backups Disaster recovery Service lead time Minimum term Early exit charge Termination charge Consumer responsibilities Technical requirements Ordering and Invoicing Data restoration/service migration All e2e managed devices are backed up as part of the service. The service can be split across two UK datacentres if required. Typically working days from acceptance of order. The service has a minimum term of 6 months. One month of service cost. Termination before initial 6 months incurs early exit charge The control and management of end users of the service and any VPN components installed or provisioned on customer equipment including end user devices To manage the service the user is required to enrol with our two-factor authentication service and connect to the service using one of the following: Windows, Linux, MAC, IOS, Android. To create a fixed VPN the customer is required to either provide a CESG CPA foundation level approved device (IPsec Security Gateway) or allow e2e to supply and provision one. To create a mobile VPN the customer us required to either provide and support a CESG CPA foundation level approved device (IPSec VPN for remote working) or allow e2e to supply one. Monthly in arrears by Purchase Order or Direct Debit. Data can be migrated into and out of the service using the VPN access methods provided. e2e can assist with this process on a time and materials basis if required. 18

19 Financial recompense model Training Trial Service If the service level falls below the stated availability (excluding planned or emergency maintenance and excluding any fault that is not the responsibility of e2e or e2e components), consumers will be eligible for a service credit. Service credits are provided as professional service credits that can be used for any support, design or security activities and are calculated at a value of 10% of service spend on the particular service. The customer can choose to purchase training days. There is no trial service available. More information and contact details For more details on this service and to see the other services we offer visit Enquiries, and more information is available on request, info@e2e-agile.com with any queries. 19