G-CLOUD FRAMEWORK SERVICE DEFINITION Envault Data Protection Service Suite - Cloud Data Storage Protection ISSUE 1 23 rd August 2013
Table of Contents 1 SERVICE OVERVIEW & SOLUTION... 4 1.1 Envault Data Protection Suite... 4 1.2 Benefits of EnDaPS to Your Business... 5 1.3 Key differentiators of Envault solutions... 5 1.4 Envault Cloud Storage Protection... 5 1.5 Features and Benefits of Envault Internal Media Protection... 6 1.6 Envault Internal Media Protection Service Delivery... 6 2 INFORMATION ASSURANCE... 7 3 BACKUP/RESTORE AND DISASTER RECOVERY PROVISION... 7 4 ON-BOARDING AND OFF-BOARDING PROCESSES... 8 4.1 On-Boarding... 8 4.2 Off-Boarding... 8 5 EnVault SECURITY... 8 5.1 Secure Encrypted Connection from the Client to the Application... 9 6 SERVICE MANAGEMENT DETAILS... 9 6.1 Technical Boundary... 9 6.2 Support Boundary... 10 6.3 User Authorization and Roles... 10 6.4 General Support details... 11 7 SERVICE CONSTRAINTS... 11 7.1 Planned Maintenance... 11 7.2 Emergency Maintenance... 11 8 SERVICE LEVELS... 11 8.1 Award of Service Credits:... 12 8.2 Payment of Service Credits:... 12 9 Financial recompense... 12 10 TRAINING... 12 11 INVOICING PROCESS... 13 12 TERMINATION TERMS... 13 13 DATA EXTRACTION /REMOVAL CRITERIA... 13 13.1 Data standards in use... 13 13.2 Consumer generated data... 13 13.3 Data extraction... 14 13.4 Price of extraction... 14 13.5 Purge & destroy... 14 14 DATA PROCESSING AND STORAGE LOCATION(S)... 14 15 DATA RESTORATION / SERVICE MIGRATION... 14
16 CUSTOMER RESPONSIBILITIES... 14 17 TECHNICAL REQUIREMENTS... 14 18 BROWSERS... 14 19 DETAILS OF ANY TRIAL SERVICE AVAILABLE... 15
1 SERVICE OVERVIEW & SOLUTION 1.1 Envault Data Protection Suite Envault Data Protection Suite (EnDaPS) set of services offer Military grade data protection for Businesses & Government organizations. These services minimise the risks of data leaks due to human error and attempted theft across and between business operations and communications. EnDaPS offers protection for different data storages including: o Internal Media, o removable mass storage media o Cloud storage across and between organisations. o Emails and Mail attachments including protection against data leaks and theft. Fig1. Envault s Data Protection Suite (EnDaPs) With its powerful and non-intrusive approach, developed on patented technology (Core technology Patent# EP2165284), EnDaPS enables roll out of data protection easily whilst maintaining control, and without compromising or impacting the effectiveness of existing business operations In addition to data protection, EnDaPS empowers administrators and managers with audit data on how data and documents are being handled across entities, without intruding on the user privacy. This enables organisations to take proactive actions to mitigate data threats. Envault services are complementary to existing infrastructure and threat management systems such as Anti-virus & Anti-malware services that may already exist on your IT network.
1.2 Benefits of EnDaPS to Your Business Ensure the security of your own data as well as your customers and partners data. Eliminate the costs and related consequences of potential loss or theft of sensitive data Increase the confidence and speed in your business operations and partner collaboration. Enables more employees to work-from-home Enables secure mobile working. Keeps you informed on the patterns of file usage relating to sensitive data. 1.3 Key differentiators of Envault solutions Unbreakable protection through innovative-patented technology. We take a tiny fragment away from your file and store it at a different location during encrypting. Active protection and control. EnDaPs services not only encrypt but also maintain an audit trail for every operation on protected documents. Roll out protection at different levels such as Internal disks, External removable media, Emails and importantly Cloud storage. Highly transparent to your employees. They don t need to remember passwords. Offered as software as a service (SaaS). No additional IT infrastructure to manage at your end. Complements the existing anti-virus and anti-malware solutions as well as services such as bit-locker. 1.4 Envault Cloud Storage Protection Envault s Cloud Storage Protection is one of the core services that form part of Envault Data Protection Suite (EnDaPS). This service helps you to protect the data that your employees store on your company s private cloud or the popular public clouds. All the data transferred to the cloud storage space, from the protected computers is encrypted. Your employees can create shared workspaces on the cloud and share the stored data with external persons using a passphrase. Unauthorised persons would not be able to make use of the data, even if they can break into the cloud storage. This is due to our patented technology that removes a tiny fragment of the stored document and stores it elsewhere, in EnDAPS servers. In addition, Your IT department can centrally track and maintain an audit trail on data transferred to and accessed from the cloud storage. Using centralized policies, IT teams can control who can copy files to cloud storage and who cannot. Roll out Cloud storage protection automatically, across all the corporate machines. It works silently in the background and your employees continue to work as before. They do not need to remember any passwords, except of course when sharing the documents with external partners.
1.5 Features and Benefits of Envault Cloud Protection Fig. 2. Envault Cloud Protection Protection for public cloud storages such as Amazon, Dropbox, Skydrive, icloud as well as Private enterprise clouds. Built for collaboration with internal and external partners. Workspaces allow you to securely share the data you re your partners. Powerful insights into the usage of cloud storage across the company Use Audit trail reports to provide confidence to your customers & partners, on the security of their data. Freedom from worry and consequences of compromised cloud security and resulting loss and theft of data. You can deny access to any previously shared data with a single click. Take advantage of Envault s patented technology that provides multiple layers of unbreakable protection for the data, without any hassles to your employees. No mandatory passwords Employees can use passphrase while sharing with external partners / Customers. For intra-company usage, this is not required. No new systems to manage - Easily roll out and use the service through our Software as a Service (SaaS) model of service delivery. Very little user training required while rolling out this powerful protection. 1.6 Envault Cloud Protection Service Delivery All EnDaPS Services are offered as Hosted SaaS services. We host EnDaPS services in Tier3 class Data centres in UK and deliver the service to you in typical Software as a Service (SaaS) model.
We partner with UKFast as our Datacentre partner in UK. The service is hosted in UK datacentres and managed jointly by Envault and UKFast. The service is purchased as an SaaS l subscription. Licencing is by volume of identifiable devices and/or users. 2 INFORMATION ASSURANCE Envault complies with relevant information security legislations including but not limited to Data Protection Act 1998, Computer Misuse Act 1990, and Electronic Communications Act 2000. As described in section 1.3, Envault Internal Media protection service is delivered to you from Envault s partner data centres. Our contracted service arrangement with UKFast benefits from the following security certifications: ISO 27001:2005 certification for Information Security Management System as well as ISO 9001:2008 certifications for Quality Management System, PCI Data Security Standard (DSS), ISO 14001:2004 (Environmental Management), PAS 2060:2010 (The Publically Available Sepcification for carbon Neutrality). For a full description of these certifications our service is contracted to deliver please refer to the following link: http://www.ukfast.co.uk/accreditations.html This allows Envault to provide the following infrastructure security: Critical exterior perimeter is constructed of materials that provide UL Standard #752, Level V Ballistic Protection Monitored/Recorded 24x7 CCTV surveillance, with physical access strictly limited to authorised personnel Integrated Card Access and Biometric control systems to restricted areas N+1 Network Resilience and Access Performance N+1 Redundant heating, ventilation and air conditioning systems N+1 Dedicated UPS and Stand-by Emergency Power (Generator) VESDA smoke detection with Hi-fog zoned fire suppression systems In addition, the network connections to our data centre from your IT network is secured with two-way authentication with SSLv3 certificates and TLSv1 protocol encryption. Envault Client software has been designed such that, it does not interact /interfere with other software on the computers. Also, the computer users cannot bypass the service or tamper with it. Accessed via the internet the target accreditation for this service is IL2. 3 BACKUP/RESTORE AND DISASTER RECOVERY PROVISION Our service through our contracted hosting partner s data centres, offer robust disaster recovery infrastructure to ensure back up and restoration of critical data. Our SLA s with the data centre providers ensure 99.95% availability and security of the EnDaPS services delivered from these data centres. Our service is designed to be fault tolerant assuring integrity of data and mitigation of data loss through any service interruptions. The innovative protection technology used by EnDaPs, stores tiny fragments of every protected document, in an encrypted form, anonymously on EnDaPs servers. Our servers
have the capability to carry out automatic back up at regular intervals, to ensure the availability and integrity of this fragment data. In addition, EnDaPs services also store management and historical data such as the usage statistics. This data is automatically backed up by our service and restored in the event of a service outage that impacts the integrity of this data set. Audit data is maintained on a rolling two year basis. 4 ON-BOARDING AND OFF-BOARDING PROCESSES 4.1 On-Boarding Our services can be provisioned within 1 week of procuring our services, including rolling out the protection to all the computers registered on your corporate network. Our agile approach to on-boarding enables us to quickly: Consult: confirm existing technical infrastructure, and service connections to data centre. Deploy: configure clients for envault service. (Client software installation is carried out as a background task for each of the protected devices using the MSI installer packages which can be configured to roll out approved upgrades to client machines.) Evaluate: review/test operational deployment and confirm service integrity. (As best practice, an agile approach to installation is recommended with an initial set of machines updated on a pilot basis. After an initial observation period, the rest of the landscape should be upgraded). Maintain: Continuous monitoring and review of operational stability of deployed service including training and support services. (Envault helps you in creating the required communication and training material for the employees. This material is in the form of PDF documents and Screencast video files. We also provide the required documentation and training to your IT administration team). 4.2 Off-Boarding When you decide to stop using this service, it can be rolled back easily without leaving any traces on the PCs/Laptops. The client software can be uninstalled from a centralized location using the uninstall scripts that are included. No other traces such as registry entries, preferences etc. are left after the service is uninstalled. The uninstallation process is transparent to the end users and does not affect any of their data or activities. All previously protected documents and storage devices can be unencrypted using Envault provided software tools 5 EnVault SECURITY Envault is cognoscente of and seeks to comply with relevant information security legislations including but not limited to Data Protection Act 1998, Computer Misuse Act 1990, and Electronic Communications Act 2000. Finnish Communication Regulatory authority is in last phase of granting NCSA (National Communication Security Authority) certificate for EnDaPs solutions. National Approval of the information encryption products to be used for protecting international level classified information. EnDaPS services store a tiny fragment of each of protected document on the server side. The original file is first encrypted using AES-256 encryption alchorithm. The fragment is then
extracted and stored in EnDaPS servers. This fragment is mandatory for opening original file.. This fragment consists of random bits from the original document and cannot be used for any meaningful interpretation. All the usage data collected by the EnDaPS services, for the purpose of audit trail, are, in general, anonymised for normal users. Only the users with special authorizations can see the info on identification of the user or the names of the files being protected. All others see only the statistical information. EnDaPS services do not back up the original documents being protected. For secure User Authentication, Windows AD login/password combination and Kerberos authentication is used. Authentication in transport (SSL) is based on industry-standard PKI mechanisms. 5.1 Secure Encrypted Connection from the Client to the Application All the connections from EnDaPS servers in the Datacentres and the user machines are secured with two-way authentication with SSLv3 certificates and TLSv1 protocol, mitigating unauthorised access or Man-in-Middle attacks. 6 SERVICE MANAGEMENT DETAILS 6.1 Technical Boundary This service comprises of the EnDaPS server application, tiny encrypted fragments of the protected documents, document operations data. In addition, the service also consists of the client software installed on the protected computers. These clients do not interact with any local or remote software, other than the EnDaPs server.
Fig. 3. High level Technical Architecture of EnDaPS The technical boundary of the service All aspects of it that are running are within our datacenter, The Disaster Recovery datacentre, which contains a full copy of the environment and the secure copying procedure between the two datacentres. The client software that is installed and runs on the protected computers of your company. In addition, designated people from within your corporate network can access the usage reports using any HTTP browser. Functioning of EnDaPS services requires a secure network connection between the client software and EnDaPS servers. The client software stores usage and fragment data locally on the protected machines, until they get access to the EnDaPs server. 6.2 Support Boundary Envault Support includes issues resulting from any faults within the technical boundary of the systems, in addition to help and support to IT admins and end users on the usage of service and troubleshooting. However, some specific aspects such as the network connection between the client and Server may have to be handled by your IT administration team. These are typically the issues relating to firewall configurations, connectivity issues. Envault takes care of Roll out, Roll back and Operations of the service. Our support services are available to IT Admin teams as required. Our Level 1 (L1), Level 2 (L2) support is provided in the UK. Level 3 (L3) support is offered from our RnD offices in Espoo, Finland. More details on the Support please refer to our SLA provided as supporting documentation. 6.3 User Authorization and Roles EnDaPS services provide three different types of Admin roles and one End User role. The main roles being: 1. User Admin: Access to all user data. In this case, the data relating to documents and users is not anonymised. User Admins can see the details of the users and the operations that they are carrying out. User Admins do not have rights to modify the service configuration or enterprise protection policies.
2. End users: End users mainly use the service. The service usage is transparent to the end users, except is use-cases such as where users can share an encrypted document to other users. Other roles and configurations are possible and subject to further discussion with Envault at time of configuration. Company Active Directory s Windows passwords are used as passwords for this service. 6.4 General Support details Envault offers L1, L2 and L3 service on 8x5 basis, in UK time zone. Envault would request for a Single Point of Contact from your side for coordinating support activities. Envault will nominate a designated contact from our end, along with an escalation chain. While L1 and L2 support is offered from UK, L3 support is offered from our facilities in Espoo. Envault releases service updates from time to time. Such updates are provided free of charge to customers with active license and support plans.. 7 SERVICE CONSTRAINTS 7.1 Planned Maintenance EnDaPS services may require a planned maintenance. This may be OS level patches, security upgrades or application updates. Such maintenance would be planned at least seven calendar days in advance. It will be scheduled at the lowest traffic such as holidays / non-working hours. 7.2 Emergency Maintenance Where Emergency Maintenance is necessary and is likely to affect the Service, we would inform your team as soon as possible and with the intent of a minimum of one hour s notice prior to the start of the Emergency Maintenance unless such an issue requires immediate attention. 8 SERVICE LEVELS Envault provides a 99.95% availability assurance service to Customers, excluding Planned maintenances. The service performance is measured quarterly. Error & Failure Classifications Envault commits to respond to the error reports / notifications according to the following data: A Critical Errors and situations which have severe impact on the functions and operability of the Envault s Data Protection System and require immediate solving/repairing. Such as acute missing / drop down of the protection (e.g. driver does not protect data saved to external memory device without notifying this to the end-user) or saved data is corrupted and become un-repairable. B Important Errors and situations which have severe impact on the functions and operability of the Envault s Data Protection System affecting to single end-user. Such as un-able to use protected device, folder etc due missing network connection or problems caused by the operating system, or drop-down of the system s capability to serve the end-user etc. C Minor
Other conditions and error situations which do not have significant effect on the fucntions of the system. Response times for the reported Errors Table below defines the response times for the above mentioned error classes. Calssification Acknowledged Fix or work-around Final solution ready and delivered A Critical max 60 minutes max 1 working days max 10 working days B Major max 60 minutes max 2 working days max 20 working days C Minor max 60 minutes max 10 working days max 40 working days For any interruptions, beyond the agreed SLA s Envault would offer service credits to the customers. 8.1 Award of Service Credits: At Envault s discretion the maximum amount of compensation for agreed service disruption 125% of Envault's support fee for the affected licenses during the three months preceding the Service performance period. Service Availability Service Credits e.g. 99.49% to 99% 75% e.g.98.99% to 98% 100% e.g.97.99% or less 125% 8.2 Payment of Service Credits: The compensation will be paid to the Customer's service account in the form of subscription fee credits and shall not be exchanged for cash or other forms of payment. 9 Financial recompense There are no further financial recompense. Any and all recompense is subject to service credits as defined above and as included in Envault s T s & C s associated with this service. 10 TRAINING Before service set up, we conduct a planning cum training session for configuring the network accesses etc. In addition, usage training along user manuals are provided to the IT Admins and Key users. Also, Screencast video tutorials are available for easier understanding of the procedures, for the broader teams. Specific training requirements are to be discussed at the time of engagement and will be subject to the SFIA rate card.
11 INVOICING PROCESS Envault invoices you on a quarterly basis, at the beginning of every quarter. All support costs are included in this price. Alternative involicing periods may be considered and subject to further discussion at engagement. Envault invoices the customer directly; all sums invoiced are due within 14 days of the date of Envault s invoice. 12 TERMINATION TERMS The following are highlights from the specific terms & Conditions associated with this service. Please refer to the Terms & Conditions for the full set of details.. The customer acknowledges that it has purchased the Services for the Minimum Period and any Renewal Term(s)), as defined in the Certificate or Order Summary. Customers are expected to commit to the service for a period of 12 months. Envault is happy to discuss other arrangements. Please refer to the documents titled Envault Terms & Conditions for a complete description of terms applicable to this service. An extract from the related T&C is included here for convenience as follows: Either party may terminate this Agreement in its entirety, or in part with respect to an Order for Services, at any time upon thirty (30) days prior written notice, if the other party materially fails to comply with any of the terms and conditions of this Agreement and such failure is not cured by the end of such thirty (30)-day period. Licensor may terminate this Agreement immediately if Customer materially fails to comply with Sections 2, 3, 4, 5 or 6 of this Agreement. (b) Unless otherwise specified by the parties in writing, either party may terminate this Agreement in part with respect to the delivery by Licensor of any of the Services upon thirty (30) days advance written notice. Upon any such partial termination, Licensor shall advise Customer of the extent to which performance of a terminated Service has been completed through such date. Licensor shall be paid for all work performed and expenses with respect to such Service through the date of termination. 13 DATA EXTRACTION /REMOVAL CRITERIA 13.1 Data standards in use Envault as a principle uses OpenStandards whenever and wherever possible such as use of ASCII, XML, HTML4.0, CSV and SQL compatible database, data formats. We also use certain message formats ( using ASCII data type) for handling the data within our software. Envault defines specific data standards for commissioning of data, reporting of data, publication of data, transference/migration. Consistency in defining these standards allows quicker, validated and efficient importing & processing of data in a structured form. Where no standards currently exist Envault is able to propose standards based on those it has already defined and is using to facilitate data collection by working with it s customers to define appropriate data standards. 13.2 Consumer generated data We commit to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Where there is a
risk of confusion, data that will not be available for later extraction will also be published. 13.3 Data extraction The formats/standards into which data will be able to be extracted include but are not limited to CSV and Text. Other common services/technologies to which an export/import mechanism could be developed Web Services, BI tools (e.g. Crystal Reports). 13.4 Price of extraction All the data generated while using this service is owned by you. Envault does not use it for any other purpose. However, A price for the extraction of the data or the migration to another service provider s service will be the subject of further discussion depending upon delivery mechanism, volume of data, and any specific requirement to provide an extraction format not in the list above. 13.5 Purge & destroy Envault commits that it will purge and destroy (as defined in security accreditation for different ILs) any consumer data from any computers, storage devices and storage media that are to be retained by us or our partners after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer). 14 DATA PROCESSING AND STORAGE LOCATION(S) Access to services is restricted by configuration of services during the enrolment process; processing of all data takes place in England, with storage facilities maintained in England. 15 DATA RESTORATION / SERVICE MIGRATION Should Envault be advised or discover a material degradation in the data supporting the service it will follow planned/emergency procedures as defined in the Planned/Emergency maintenance section in the Service Constraints section in this document. Service migration requirements will be handled through the process described in the On-Boarding section of this document. 16 CUSTOMER RESPONSIBILITIES Customer responsibilities will be agreed at the initiation phase of the project and included in a Project Initiation Document. Typically these will include providing a main point of contact, provision of working facilities, making staff available for interviews and workshops and project meetings, and timely approval and acceptance of all key deliverables. 17 TECHNICAL REQUIREMENTS The EnDaPs clients can be installed on Windows family Operating systems. (Windows Vista and Windows 7 & Windows 8). The EnDaPS servers can be installed on Linux family of operating systems as well as Windows servers. 18 BROWSERS Admin users use browser to view the reports on usage of removable media. These reports can be accessed from all the popular Internet browsers. The service has been tested accessed using the following browsers: -Internet Explorer 6 or higher [including IE9] - Firefox 3.6 or higher [including FF4}
- Safari 5.0.1 or higher - Chrome 8 or higher 19 DETAILS OF ANY TRIAL SERVICE AVAILABLE Limited trials may be available subject to negotiation. Any trial will be limited in functionality and serviceability. Such trials will be at the discretion of Envault. Please note no service credits are offered during any free/trial periods.