Secure Remote Access – Service Description 6.0

easy to adopt, easy to use, easy to leave
Service description: Secure Remote Access (IaaS), version 6.0

Contents
- Highlights (page 3)
- Overview (page 3)
- Example use cases (page 4)
- Information assurance (page 4)
- Product features (page 4)
- Technical features (page 5)
- Backup / Recovery & Disaster Recovery (page 6)
- Service levels (page 6)
- Roles & Responsibilities (page 7)
- Pricing (page 8)
- Trial service (page 9)
- Appendix (page 10)
Service description SC-SVC-06, version 6.0
© Skyscape Cloud Services Limited, 2014
Open
Secure Remote Access Service
Page 2 of 13
Open
Highlights
- A Secure Remote Access solution leveraging CESG Assured VPN technologies and the secure ‘Walled Garden’ architectural pattern
- Enables flexible connectivity for remote administrators and mobile workers to the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform
- Optimised for OFFICIAL – hosted in the UK & operated by SC cleared staff, the service benefits from extensive independent validation (including CESG Design Review) that it is properly aligned with CESG Cloud Security Principles, making it the ideal service for remote access to systems classified at OFFICIAL (including OFFICIAL-SENSITIVE)
- Provided as a cloud service – no requirement to purchase and manage CESG approved VPN hardware
Overview
Skyscape Secure Remote Access Service enables consumers to securely connect to the
Skyscape Elevated OFFICIAL (PGA IL3) cloud platform using CESG approved Internet VPN
technologies and the ‘walled garden’ architectural pattern.
The Secure Remote Access Service is designed to enable system administrators and mobile
workers to securely access workloads running on the Skyscape Elevated OFFICIAL (PGA
IL3) cloud platform from locations which do not have alternative secure network connections
such as PSN, N3, etc.
The service leverages the proven Skyscape Assured Cloud platform which provides the following benefits:
- UK Sovereign cloud platform delivered from two secure UK data centres by a UK company with SC cleared UK staff
- Extensive assurance through independent validation and alignment with the CESG Cloud Security Principles
- Accredited PSN Service enabling secure, compliant access via government community networks including N3, PSN Assured & PSN Protected networks
- Comprehensive automation and orchestration enabling true consumption of the infrastructure as a cloud service (e.g. via the Portal and API)
Skyscape Secure Remote Access Service provides robust levels of assurance appropriate
for data classified as OFFICIAL or OFFICIAL-SENSITIVE.
Skyscape’s service has been designed specifically for the UK public sector and is available only to the UK public sector. The service supports and complies with all relevant areas of the Government ICT Strategy and Information Principles for the UK Public Sector.
Skyscape’s datacentres are some of the most energy efficient in the world and as such
support the Green Government ICT Strategy in full.
Example use cases
Simpler: Organisations which have system administrators and remote workers who need secure connectivity into the Skyscape Elevated OFFICIAL cloud platform can simply establish a secure virtual private network over the Internet using CESG approved technologies.
Better: Organisations no longer need to be constrained by end-user devices which are so locked down that they are not usable for power-users like developers and system administrators. Organisations can now use any end-user device which is managed within the terms of PSN compliance.
Cheaper: The Secure Remote Access Service enables organisations to avoid the cost and complexity of buying & maintaining CESG approved VPN hardware, configuring the solution in line with CESG standards and implementing an appropriate two-factor authentication solution. Organisations can instead buy this service on a ‘per-user-per-month’ basis.
Information assurance
The Skyscape assured cloud platform is designed and optimised to meet the unique information assurance needs of UK public sector organisations.
- UK Sovereign cloud platform delivered from two secure UK data centres by a UK company with SC cleared UK staff
- Suitable for all data classified at OFFICIAL, including OFFICIAL-SENSITIVE data under the Government Security Classification Policy (GSCP)
- Suitable for legacy IL2, IL3 and IL4 (by aggregation) systems under the Government Protective Marking Scheme (GPMS)
- Extensive independent validation of alignment with the CESG Cloud Security Principles
- Enables access to IaaS services which are CESG Pan Government Accredited at both IL2 & IL3 and our accredited PSN Services which have secure, compliant access via both PSN Assured & PSN Protected networks
- Independently certified against ISO27001 and Cyber Essentials Plus, and a member of the Cloud Security Alliance (CSA)
- Secure (List X) and resilient (Tier 3) UK data centre facilities capable of hosting data classified at SECRET
- Protective Monitoring (aligned with GPG13) across all Skyscape platforms
Product features
The Skyscape Secure Remote Access Service provides a secure and cost-effective method of connecting to your workloads hosted on the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform. The service provides the following features:
- Assured – hosted in the UK & operated by SC cleared staff, the service benefits from extensive independent validation (including CESG design reviews) that it is properly
aligned with CESG Cloud Security Principles, making it the ideal service for all data classified at OFFICIAL (including OFFICIAL-SENSITIVE)
- Flexible – enables choice over end-user devices (managed & assured by the consuming organisation) rather than mandating the use of inflexible, locked-down devices managed by the provider
- Cross-platform – compatible with a variety of end-user platforms including Android, Apple, Linux and Microsoft Windows
- Cost-effective – the Secure Remote Access Service is delivered as a cloud service which provides secure access via a shared multi-tenant CESG approved Internet VPN solution
- Green – the Skyscape service is based in UK data centres which offer market leading efficiency around power and cooling. A Skyscape solution will generate less carbon than many other solutions
Technical features
The Skyscape Secure Remote Access Service provides the following technical features:
- Based on CESG approved CPA technology including Cisco AnyConnect and Cisco VPN gateways
- A highly available and disaster tolerant solution spanning two UK data centres separated by over 100km
- Secure authentication using two-factor authentication based on Skyscape issued device certificates
- Implementation of a ‘walled garden’ architecture enabling consumers to deploy and manage appropriate systems in a DMZ, allowing secure and controlled onward access to workloads hosted on the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform
- Compatible with a variety of customer managed end-user devices which meet the following conditions:
  o Mandatory use of Cisco AnyConnect VPN Client or an embedded IPsec client which is assured under the CESG CPA scheme against the IPsec VPN for Remote Working Software Client security characteristic
  o Recommended use of a CPA approved data at rest encryption solution
  o Mandatory user-to-device authentication ensuring only authorised users can access the end-user device
  o Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
  o Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
  o Recommended use of Secure Boot where available
  o Mandatory use of a platform which supports Platform Integrity & Application sandboxing to reduce the risk of the end-user device becoming compromised
  o Mandatory use of Application Whitelisting to reduce risk of malicious code execution on the end-user device
  o Mandatory use of anti-malware software (regularly updated) to reduce risk of malicious code execution on the end-user device
  o Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security critical features
  o Mandatory use of external interface protection such as host-based firewalls to limit the exposure of the end-user device to untrusted networks
  o Mandatory use of a Device Update policy to ensure the end-device is regularly updated with security patches
  o Recommended use of an enterprise audit and monitoring service by the consuming organisation to ensure security events are centrally logged and reviewed
  o Mandatory implementation of an Incident Response plan by the consuming organisation to respond to security incidents such as loss of the end-user device
  o Configuration and management of end-user devices assured by the consuming organisation to be in line with CESG End User Device guidance and compliant with PSN IA conditions
- Available for remote access only within the UK and safe harbour countries
- Available for use only by users who have been appropriately vetted and security cleared as assured by the consuming organisation in line with PSN IA conditions
- Integrated with the Skyscape Protective Monitoring solution (aligned with GPG13)
- Connectivity into the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform only – no onward connectivity to government community networks such as PSN Assured, PSN Protected, Legacy GCF networks (e.g. GSI, GSE, PNN, etc.) or N3
Backup / Recovery & Disaster Recovery
The Skyscape Secure Remote Access Service is hosted across two UK data centres (separated by over 100km), giving the consuming organisation a highly available and disaster tolerant solution.
Service levels
Skyscape provide both an Availability SLA and Response Time SLA for the Secure Remote Access Service as per the following table.

STANDARD
- Availability (monthly*): 99.90%
- Incident response: P1 – within 15 minutes; P2 – within 4 hours; P3 – within 24 hours; P4 – within 72 hours
- Service credits: 10% of monthly spend on the Secure Remote Access Service

* Availability indication based on an average 730hrs per month. Excludes planned & emergency maintenance. Unavailability applies to the Secure Remote Access VPN endpoints due to a fault recognised at the IaaS layer or lower, for example:
- Fault is not caused by the consumer (OS, Applications, user networks).
- Fault is within Skyscape controlled components such as the virtual infrastructure, storage, power and physical firewalls & routers etc.
- External connectivity providers (e.g. internet) are also not included in the availability calculation.

In addition, Skyscape also provide an Availability Service Level Target on the Skyscape Portal, i.e. the ability to log into the portal to create support tickets and use other functions.

Target Availability (monthly*)
- Client Portal Availability (monthly): 99.90%
Roles & Responsibilities
Responsibility
- Provision of End-User Device: Consumer
- Configuration and Management of End-User Device: Consumer
- Vetting of Users of the Secure Remote Access Service: Consumer
- Assurance/Accreditation of Users and End-User Devices: Consumer
- Provision of CESG approved Internet Gateway service: Skyscape
- Provision of two-factor authentication solution for device-to-service: Skyscape
- Provision of two-factor authentication solution for user-to-service: Skyscape or Consumer
- Provision of ‘Walled Garden’ environment for consumer systems: Skyscape
- Configuration and Management of application services in ‘Walled Garden’: Consumer
Pricing
The Skyscape Secure Remote Access Service is priced as follows:

Remote Access Pack             Monthly Price   Effective Monthly Price
10 named users & devices       £500            £50 per user per month
25 named users & devices       £1,000          £40 per user per month
100 named users & devices      £2,500          £25 per user per month
1000 named users & devices     £5,000          £5 per user per month
* Prices are per calendar month or part thereof.
The prices above include:
- Access to managed CESG approved VPN gateways
- Cisco AnyConnect license for the end-user device
- Two-factor authentication using device certificates
- A ‘walled garden’ VDC where consumers can deploy their application services (additional costs apply as per the following table)
VM size                 vCPU (2GHz)   RAM (GB)   STANDARD (per month)
Tiny                    1             2          £150.00
Small                   2             4          £250.00
Medium                  4             8          £350.00
Medium High Memory      4             16         £500.00
Large                   8             16         £750.00
Large High Memory       8             32         £1,000.00
Tier 1 Apps Small       8             48         £1,500.00
Tier 1 Apps Medium      8             64         £2,000.00
Tier 1 Apps Large       8             96         £3,000.00
Worked Example:
Consumer requires a Secure Remote Access Service for 105 named users and devices. The consumer will run 2 x Medium sized VMs in the ‘walled garden’ as bastion hosts.
Consumer buys:
- 1 x 100 named users & devices @ £2,500 per month
- 1 x 10 named users & devices @ £500 per month
- 2 x Medium VMs @ £350 each per month = £700 per month
- Total = £3,700 per month
Ancillary Options
The Skyscape Pricing Guide provides a comprehensive catalogue of pricing, including all ancillary service options available to consumers when used in conjunction with the Skyscape Secure Remote Access Service. Ancillary options include:
- Connectivity options including HybridConnect, PSN, N3, Internet, data centre interconnect, etc.
- SFIA rate card for ad-hoc services.
Other ancillary options are available and can be found in the Skyscape Pricing Guide.
Trial service
Due to complex assurance requirements related to this service, a trial service is not
available.
Appendix

On-boarding and off-boarding

On-boarding
Due to the nature of this service, on acceptance of an order, Skyscape will work with the consumer to create an Assurance Plan for the Secure Remote Access Service to include the consumer’s end-users and associated devices. The assurance plan will include:
- Validation of requirement by the HMG customer (e.g. Department SIRO)
- Evidence from HMG customer that end-user devices are configured and managed in line with minimum requirements (e.g. scope of PSN compliance with IA requirements)
- Evidence from HMG customer that users of the Secure Remote Access Service are vetted and security cleared in line with minimum requirements (e.g. scope of PSN compliance with IA requirements)
- Confirmation by HMG customer that an appropriate Security Incident Management process applies to this solution
- Confirmation by HMG customer that the service will only be accessed from the UK and safe harbour countries
- Confirmation by HMG customer and each individual user of agreement to Skyscape Acceptable Use Policy (AUP)
- Identification of data flows required between the ‘Walled Garden’ and the consumer’s solution (e.g. Firewall Access Control List)
Skyscape will create the consumer’s Primary Administrator account and send the consumer a Welcome Pack which includes the URL for the Skyscape Portal for access to the knowledge centre and service management function.
The consumer’s Primary Administrator can then provide details of each Named User and associated end-user device to be enrolled into the Secure Remote Access Service.

Off-boarding
On termination of the Secure Remote Access Service, Skyscape will:
- Revoke all user and device certificates associated with the solution
- Disable all user accounts
- Remove Access Control Lists from ‘Walled Garden’ firewalls
- Delete the ‘Walled Garden’ virtual data centre

Service constraints
The Skyscape Secure Remote Access service can only be used for connectivity to Skyscape services such as Compute-as-a-Service, Hadoop-in-the-Cloud, etc.
The service is designed to operate only when the following constraints are met:
- Configuration and management of end-user devices assured by the consuming organisation to be in line with CESG End User Device guidance, compliant with PSN IA conditions and compliant with the ‘Technical Requirements’ section below
- Available for use only by users who have been appropriately vetted and security cleared as assured by the consuming organisation in line with PSN IA conditions

Skyscape will adhere to the following in terms of maintenance windows:
“Planned Maintenance” means any pre-planned maintenance of any infrastructure relating to the Services. Skyscape shall provide the Client with at least twenty four (24) hours’ advance notice of any such planned maintenance:
- Planned maintenance of Skyscape’s infrastructure relating to the Services shall happen between the hours of 00:00 and 06:00 (UK local time) Monday to Sunday and/or between the hours of 08:00 and 12:00 (UK local time) on a Saturday and/or Sunday. No planned maintenance will take place on a Saturday unless agreed in advance by both parties;
- Planned Maintenance shall be excluded from any availability calculation in regard to service credits but shall be included in the monthly service reporting;
“Emergency Maintenance” means any emergency maintenance of any of the infrastructure relating to the Services. Whenever possible, Skyscape shall provide the Client with at least six (6) hours’ advance notice:
- Whenever possible Emergency Maintenance of Skyscape’s infrastructure will happen between the hours of 00:00 and 06:00 (UK local time) Monday to Sunday and/or between the hours of 08:00 and 12:00 (UK local time) on Saturday and/or Sunday unless there is an identified and demonstrable immediate risk to a Client’s environment;
- Emergency Maintenance shall be excluded from any availability calculation in regard to service credits but shall be included in the monthly service reporting.
Training
Skyscape have created a number of videos, help guides, manuals and FAQs to help train and instruct users so that they are up and running quickly and easily.
Skyscape also have a number of Partners who are able to deliver additional services such as training, support and managed services. Skyscape would be pleased to introduce you to such partners where appropriate.

Ordering and invoicing
Billing for the service is monthly in arrears based on the maximum number of Remote Access packs configured at any time during the month.
Payment can be via Purchase Order and Direct Debit. Skyscape are preparing to be able to accept Debit/Credit Card payments (e.g. Government Procurement Card) – please enquire at time of order to check whether this is available.

Consumer responsibilities
The control and management of access and responsibilities for end users including appropriate connectivity, security and assurance/accreditation if required. Where access is required over Government Secure Networks such as N3, legacy GCF networks or PSN, the consumer is responsible for adhering to the Code of Connection.
Providing details of all devices to be enrolled into the service. Management and administration of end-user devices including ensuring that security policies remain in effect, security patches are regularly applied and anti-malware software is up-to-date. Please refer to the ‘Service Constraints’ section for additional information.
Providing details of all users to be enrolled into the service. Ensuring all users of the service are vetted and security cleared as appropriate. Ensuring all users receive regular information security training.
Ensuring the service is only used from within the UK and safe harbour countries.
Providing a suitable Internet connection to enable end-user devices to connect to the Skyscape Secure Remote Access Service.
Providing access requirements between the ‘Walled Garden’ and consumer solutions (e.g. firewall ports).
Managing security incidents related to the use of this service (e.g. lost end-user devices).
The consumer is also responsible for ensuring only appropriate data (e.g. OFFICIAL or OFFICIAL-SENSITIVE) is stored and processed by applications on this environment and that they comply with the Skyscape Security Operating Procedures (SyOps) and other information assurance requirements as specified in the Skyscape System Interconnect and Security Policy (SISP) and associated accreditation documentation sets.

Costs
An Early Exit charge will be payable if the contract is terminated within the minimum term. The Early Exit charge will be equal to the cost of 3 months’ service less payments already made.
Consumers are responsible for extracting their own data from the platform if required.
Skyscape may make an additional charge for transferring data out of the service.

Service lead time
Setting up a new consumer within the Skyscape Portal will typically be completed within 4 hours from acceptance of order.
Resources to validate the Assurance Plan activity will be assigned within 10 days from acceptance of order.
Due to the variable nature of this service, full on-boarding of the consuming organisation including enrolment of all users and end-user devices will take an indeterminate amount of time.

Termination
Terms
The service is subject to a minimum term of three months. Termination within this initial term will incur an Early Exit charge.
Consumers are required to provide notice of termination of not less than 10 working days.
At the point of termination, consumers must ensure that they have extracted any required data from the ‘Walled Garden’ virtual data centre, as Skyscape will ensure all consumer data, accounts and access are permanently deleted and cannot be subsequently recovered or restored.
Data restoration / service migration
For service migration, Skyscape allows existing data to be migrated to and from the ‘Walled Garden’ virtual data centre.
In many circumstances, Skyscape can help facilitate a bulk migration to the platform using offline data ingest and extraction – please ask Skyscape for details.

Financial recompense model
If the service level falls below the stated availability percentage (excluding Planned and Emergency maintenance periods), consumers will be eligible for service credits on affected storage only. Service credits will be calculated as a percentage of the fees for the affected services for the monthly billing period during which the failure occurred (to be applied at the end of the billing cycle).

Service Credit
- Secure Remote Access Service: 10% of monthly spend on this service
- Client Portal: 1% of monthly spend per 1% below service level target or part thereof

Technical requirements
Consumers must provide end-user devices which meet the requirements of this service:
- Mandatory use of Cisco AnyConnect VPN Client or an embedded IPsec client which is assured under the CESG CPA scheme against the IPsec VPN for Remote Working Software Client security characteristic.
- Recommended use of a CPA approved data at rest encryption solution
- Mandatory user-to-device authentication ensuring only authorised users can access the end-user device
- Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
- Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
- Recommended use of Secure Boot where available
- Mandatory use of a platform which supports Platform Integrity & Application sandboxing to reduce the risk of the end-user device becoming compromised
- Mandatory use of Application Whitelisting to reduce risk of malicious code execution on the end-user device
- Mandatory use of anti-malware software (regularly updated) to reduce risk of malicious code execution on the end-user device
- Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security critical features
- Mandatory use of external interface protection such as host-based firewalls to limit the exposure of the end-user device to untrusted networks
- Mandatory use of a Device Update policy to ensure the end-device is regularly updated with security patches
- Recommended use of an enterprise audit and monitoring service by the consuming organisation to ensure security events are centrally logged and reviewed.
- Mandatory implementation of an Incident Response plan by the consuming organisation to respond to security incidents such as loss of the end-user device
Skyscape Cloud Services Limited
A8 Cody Technology Park
Ively Road
Farnborough
Hampshire
GU14 0LX
+44 (0)1252 303300
info@skyscapecloud.com
www.skyscapecloud.com
@skyscapecloud
© Skyscape Cloud Services Limited.
All Rights Reserved.
SC-SVC-06