easy to adopt, easy to use, easy to leave

Service description
Secure Remote Access IaaS, version 6.0

Open

Contents
Highlights
Overview
Example use cases
Information assurance
Product features
Technical features
Backup / Recovery & Disaster Recovery
Service levels
Roles & Responsibilities
Pricing
Trial service
Appendix
Service description SC-SVC-06, version 6.0
© Skyscape Cloud Services Limited, 2014

Highlights

- A Secure Remote Access solution leveraging CESG Assured VPN technologies and the secure ‘Walled Garden’ architectural pattern
- Enables flexible connectivity for remote administrators and mobile workers to the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform
- Optimised for OFFICIAL: hosted in the UK and operated by SC cleared staff, the service benefits from extensive independent validation (including CESG Design Review) that it is properly aligned with the CESG Cloud Security Principles, making it the ideal service for remote access to systems classified at OFFICIAL (including OFFICIAL-SENSITIVE)
- Provided as a cloud service: no requirement to purchase and manage CESG approved VPN hardware

Overview

Skyscape Secure Remote Access Service enables consumers to securely connect to the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform using CESG approved Internet VPN technologies and the ‘walled garden’ architectural pattern. The Secure Remote Access Service is designed to enable system administrators and mobile workers to securely access workloads running on the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform from locations which do not have alternative secure network connections such as PSN, N3, etc.

The service leverages the proven Skyscape Assured Cloud platform, which provides the following benefits:

- UK Sovereign cloud platform delivered from two secure UK data centres by a UK company with SC cleared UK staff
- Extensive assurance through independent validation and alignment with the CESG Cloud Security Principles
- Accredited PSN Service enabling secure, compliant access via government community networks including N3, PSN Assured and PSN Protected networks
- Comprehensive automation and orchestration enabling true consumption of the infrastructure as a cloud service (e.g. via the Portal and API)

Skyscape Secure Remote Access Service provides robust levels of assurance appropriate for data classified as OFFICIAL or OFFICIAL-SENSITIVE. Skyscape’s service has been designed specifically for the UK public sector and is available only to the UK public sector. The service supports and complies with all relevant areas of the Government ICT Strategy and Information Principles for the UK Public Sector. Skyscape’s data centres are some of the most energy efficient in the world and as such support the Green Government ICT Strategy in full.

Example use cases

Simpler: Organisations which have system administrators and remote workers who need secure connectivity into the Skyscape Elevated OFFICIAL cloud platform can simply establish a secure virtual private network over the Internet using CESG approved technologies.

Better: Organisations no longer need to be constrained by end-user devices which are so locked down that they are not usable for power users such as developers and system administrators. Organisations can now use any end-user device which is managed within the terms of PSN compliance.

Cheaper: The Secure Remote Access Service enables organisations to avoid the cost and complexity of buying and maintaining CESG approved VPN hardware, configuring the solution in line with CESG standards, and implementing an appropriate two-factor authentication solution. Organisations can instead buy this service on a ‘per-user-per-month’ basis.

Information assurance

The Skyscape assured cloud platform is designed and optimised to meet the unique information assurance needs of UK public sector organisations.
- UK Sovereign cloud platform delivered from two secure UK data centres by a UK company with SC cleared UK staff
- Suitable for all data classified at OFFICIAL, including OFFICIAL-SENSITIVE data, under the Government Security Classification Policy (GSCP)
- Suitable for legacy IL2, IL3 and IL4 (by aggregation) systems under the Government Protective Marking Scheme (GPMS)
- Extensive independent validation of alignment with the CESG Cloud Security Principles
- Enables access to IaaS services which are CESG Pan Government Accredited at both IL2 and IL3, and to our accredited PSN Services which have secure, compliant access via both PSN Assured and PSN Protected networks
- Independently certified against ISO 27001 and Cyber Essentials Plus; member of the Cloud Security Alliance (CSA)
- Secure (List X) and resilient (Tier 3) UK data centre facilities capable of hosting data classified at SECRET
- Protective Monitoring (aligned with GPG13) across all Skyscape platforms

Product features

The Skyscape Secure Remote Access Service provides a secure and cost-effective method of connecting to your workloads hosted on the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform. The service provides the following features:

- Assured: hosted in the UK and operated by SC cleared staff, the service benefits from extensive independent validation (including CESG design reviews) that it is properly aligned with the CESG Cloud Security Principles, making it the ideal service for all data classified at OFFICIAL (including OFFICIAL-SENSITIVE)
- Flexible: enables choice over end-user devices (managed and assured by the consuming organisation) rather than mandating the use of inflexible, locked-down devices managed by the provider
- Cross-platform: compatible with a variety of end-user platforms including Android, Apple, Linux and Microsoft Windows
- Cost-effective: the Secure Remote Access Service is delivered as a cloud service which provides secure access via a shared multi-tenant CESG approved Internet VPN solution
- Green: the Skyscape service is based in UK data centres which offer market leading efficiency around power and cooling.
A Skyscape solution will generate less carbon than many other solutions.

Technical features

The Skyscape Secure Remote Access Service provides the following technical features:

- Based on CESG approved CPA technology including Cisco AnyConnect and Cisco VPN gateways
- A highly available and disaster tolerant solution spanning two UK data centres separated by over 100 km
- Secure authentication using two-factor authentication based on Skyscape issued device certificates
- Implementation of a ‘walled garden’ architecture enabling consumers to deploy and manage appropriate systems in a DMZ, allowing secure and controlled onward access to workloads hosted on the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform
- Compatible with a variety of customer managed end-user devices which meet the following conditions:
  o Mandatory use of Cisco AnyConnect VPN Client or an embedded IPsec client which is assured under the CESG CPA scheme against the IPsec VPN for Remote Working Software Client security characteristic
  o Recommended use of a CPA approved data at rest encryption solution
  o Mandatory user-to-device authentication ensuring only authorised users can access the end-user device
  o Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
  o Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
  o Recommended use of Secure Boot where available
  o Mandatory use of a platform which supports Platform Integrity and Application Sandboxing to reduce the risk of the end-user device becoming compromised
  o Mandatory use of Application Whitelisting to reduce the risk of malicious code execution on the end-user device
  o Mandatory use of anti-malware software (regularly updated) to reduce the risk of malicious code execution on the end-user device
  o Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security critical features
  o Mandatory use of external interface protection such as host-based firewalls to limit the exposure of the end-user device to untrusted networks
  o Mandatory use of a Device Update policy to ensure the end-user device is regularly updated with security patches
  o Recommended use of an enterprise audit and monitoring service by the consuming organisation to ensure security events are centrally logged and reviewed
  o Mandatory implementation of an Incident Response plan by the consuming organisation to respond to security incidents such as loss of the end-user device
  o Configuration and management of end-user devices assured by the consuming organisation to be in line with CESG End User Device guidance and compliant with PSN IA conditions
- Available for remote access only from within the UK and safe harbour countries
- Available for use only by users who have been appropriately vetted and security cleared, as assured by the consuming organisation in line with PSN IA conditions
- Integrated with the Skyscape Protective Monitoring solution (aligned with GPG13)
- Connectivity into the Skyscape Elevated OFFICIAL (PGA IL3) cloud platform only: no onward connectivity to government community networks such as PSN Assured, PSN Protected, legacy GCF networks (e.g. GSI, GSE, PNN, etc.) or N3

Backup / Recovery & Disaster Recovery

The Skyscape Secure Remote Access Service is hosted across two UK data centres (separated by over 100 km) and offers the consuming organisation a highly available and disaster tolerant solution.

Service levels

Skyscape provide both an Availability SLA and a Response Time SLA for the Secure Remote Access Service as per the following table.
STANDARD service level

  Availability (monthly*): 99.90%
  Incident response:
    P1 – within 15 minutes
    P2 – within 4 hours
    P3 – within 24 hours
    P4 – within 72 hours
  Service credits: 10% of monthly spend on the Secure Remote Access Service

* Availability indication based on an average of 730 hours per month. Excludes planned and emergency maintenance. Unavailability applies to the Secure Remote Access VPN endpoints due to a fault recognised at the IaaS layer or lower, for example:

- The fault is not caused by the consumer (OS, applications, user networks).
- The fault is within Skyscape controlled components such as the virtual infrastructure, storage, power and physical firewalls and routers.

External connectivity providers (e.g. Internet) are also not included in the availability calculation.

In addition, Skyscape also provide an Availability Service Level Target on the Skyscape Portal, i.e. the ability to log into the Portal to create support tickets and use other functions.

  Client Portal target availability (monthly): 99.90%

Roles & Responsibilities

  Provision of End-User Device: Consumer
  Configuration and Management of End-User Device: Consumer
  Vetting of Users of the Secure Remote Access Service: Consumer
  Assurance/Accreditation of Users and End-User Devices: Consumer
  Provision of CESG approved Internet Gateway service: Skyscape
  Provision of two-factor authentication solution for device-to-service: Skyscape
  Provision of two-factor authentication solution for user-to-service: Skyscape or Consumer
  Provision of ‘Walled Garden’ environment for consumer systems: Skyscape
  Configuration and Management of application services in the ‘Walled Garden’: Consumer

Pricing

The Skyscape Secure Remote Access Service is priced as follows:

  Remote Access Pack             Monthly Price   Effective Monthly Price
  10 named users & devices       £500            £50 per user per month
  25 named users & devices       £1,000          £40 per user per month
  100 named users & devices      £2,500          £25 per user per month
  1000 named users & devices     £5,000          £5 per user per month

* Prices are per calendar month or part thereof.

The prices above include:

- Access to managed CESG approved VPN gateways
- Cisco AnyConnect licence for the end-user device
- Two-factor authentication using device certificates
- A ‘walled garden’ VDC where consumers can deploy their application services (additional costs apply as per the following table)

  VM size                vCPU (2GHz)   RAM (GB)   STANDARD (per month)
  Tiny                   1             2          £150.00
  Small                  2             4          £250.00
  Medium                 4             8          £350.00
  Medium High Memory     4             16         £500.00
  Large                  8             16         £750.00
  Large High Memory      8             32         £1,000.00
  Tier 1 Apps Small      8             48         £1,500.00
  Tier 1 Apps Medium     8             64         £2,000.00
  Tier 1 Apps Large      8             96         £3,000.00

Worked example: a consumer requires a Secure Remote Access Service for 105 named users and devices.
The consumer will run 2 x Medium sized VMs in the ‘walled garden’ as bastion hosts.

Consumer buys:
  1 x 100 named users & devices @ £2,500 per month
  1 x 10 named users & devices @ £500 per month
  2 x Medium VMs @ £350 each per month = £700 per month
  Total = £3,700 per month

Ancillary Options

The Skyscape Pricing Guide provides a comprehensive catalogue of pricing, including all ancillary service options available to consumers when used in conjunction with the Skyscape Secure Remote Access Service. Ancillary options include:

- Connectivity options including HybridConnect, PSN, N3, Internet, data centre interconnect, etc.
- SFIA rate card for ad-hoc services.

Other ancillary options are available and can be found in the Skyscape Pricing Guide.

Trial service

Due to the complex assurance requirements related to this service, a trial service is not available.

Appendix

On-boarding and off-boarding

On-boarding

Due to the nature of this service, on acceptance of an order Skyscape will work with the consumer to create an Assurance Plan for the Secure Remote Access Service covering the consumer’s end-users and associated devices. The Assurance Plan will include:

- Validation of the requirement by the HMG customer (e.g. Department SIRO)
- Evidence from the HMG customer that end-user devices are configured and managed in line with minimum requirements (e.g. scope of PSN compliance with IA requirements)
- Evidence from the HMG customer that users of the Secure Remote Access Service are vetted and security cleared in line with minimum requirements (e.g. scope of PSN compliance with IA requirements)
- Confirmation by the HMG customer that an appropriate Security Incident Management process applies to this solution
- Confirmation by the HMG customer that the service will only be accessed from the UK and safe harbour countries
- Confirmation by the HMG customer and each individual user of agreement to the Skyscape Acceptable Use Policy (AUP)
- Identification of the data flows required between the ‘Walled Garden’ and the consumer’s solution (e.g. Firewall Access Control List)

Skyscape will create the consumer’s Primary Administrator account and send the consumer a Welcome Pack which includes the URL for the Skyscape Portal for access to the knowledge centre and service management function. The consumer’s Primary Administrator can then provide details of each Named User and associated end-user device to be enrolled into the Secure Remote Access Service.

Off-boarding

On termination of the Secure Remote Access Service, Skyscape will:

- Revoke all user and device certificates associated with the solution
- Disable all user accounts
- Remove Access Control Lists from the ‘Walled Garden’ firewalls
- Delete the ‘Walled Garden’ virtual data centre

Service constraints

The Skyscape Secure Remote Access Service can only be used for connectivity to Skyscape services such as Compute-as-a-Service, Hadoop-in-the-Cloud, etc.

The service is designed to operate only when the following constraints are met:

- Configuration and management of end-user devices assured by the consuming organisation to be in line with CESG End User Device guidance, compliant with PSN IA conditions and compliant with the ‘Technical requirements’ section below
- Available for use only by users who have been appropriately vetted and security cleared, as assured by the consuming organisation in line with PSN IA conditions

Skyscape will adhere to the following in terms of maintenance windows:

“Planned Maintenance” means any pre-planned maintenance of any infrastructure relating to the Services. Skyscape shall provide the Client with at least twenty four (24) hours’ advance notice of any such planned maintenance:

- Planned maintenance of Skyscape’s infrastructure relating to the Services shall happen between the hours of 00:00 and 06:00 (UK local time) Monday to Sunday and/or between the hours of 08:00 and 12:00 (UK local time) on a Saturday and/or Sunday. No planned maintenance will take place on a Saturday unless agreed in advance by both parties;
- Planned Maintenance shall be excluded from any availability calculation in regard to service credits but shall be included in the monthly service reporting.

“Emergency Maintenance” means any emergency maintenance of any of the infrastructure relating to the Services. Whenever possible, Skyscape shall provide the Client with at least six (6) hours’ advance notice:

- Whenever possible, Emergency Maintenance of Skyscape’s infrastructure will happen between the hours of 00:00 and 06:00 (UK local time) Monday to Sunday and/or between the hours of 08:00 and 12:00 (UK local time) on a Saturday and/or Sunday, unless there is an identified and demonstrable immediate risk to a Client’s environment;
- Emergency Maintenance shall be excluded from any availability calculation in regard to service credits but shall be included in the monthly service reporting.
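The Assurance Plan asks the consumer to identify the data flows between the ‘Walled Garden’ and its own solution as a firewall Access Control List, and the service constraint is that the walled garden gives no onward connectivity to PSN, N3 or other government community networks. The script below is an added example, not Skyscape tooling and not part of the original service description: a small Python review a consumer could run over a proposed ACL before submitting it, checking that every rule originates in the walled garden, lands inside the consumer’s own VDC, does not overlap a community-network prefix, and names a protocol and port rather than permitting everything. The walled garden, VDC and community-network address ranges are constructed placeholders from RFC 1918 and RFC 5737 space, as are the Rule layout and the sample ACL; substitute the real allocations from the Assurance Plan.

```python
"""Lint a proposed walled-garden firewall ACL before it goes into the Assurance Plan.

Added example, not Skyscape's tooling. Every address below is a constructed
placeholder from RFC 1918 / RFC 5737 test space, not real service addressing.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder ranges (assumption: the consumer knows its own allocations).
WALLED_GARDEN = ipaddress.ip_network("10.200.0.0/24")  # DMZ holding the bastion hosts
CONSUMER_VDC = ipaddress.ip_network("10.10.0.0/16")    # workloads on the Elevated OFFICIAL platform
# The service gives no onward connectivity to government community networks.
# Placeholder prefixes stand in for those networks; the check is on overlap, not exact match.
FORBIDDEN_ONWARD = {
    "PSN (placeholder prefix)": ipaddress.ip_network("192.0.2.0/24"),
    "N3 (placeholder prefix)": ipaddress.ip_network("198.51.100.0/24"),
}
ALLOWED_PROTOS = {"tcp", "udp"}
MAX_DST_HOSTS = 256  # destinations wider than a /24 are flagged as over-broad


@dataclass(frozen=True)
class Rule:
    """One permit entry: traffic from src to dst on proto/port. port None means any."""
    src: str
    dst: str
    proto: str
    port: Optional[int]


def review_rule(rule: Rule) -> List[str]:
    """Return the review findings for one rule; an empty list means it passes."""
    findings: List[str] = []
    src = ipaddress.ip_network(rule.src, strict=False)
    dst = ipaddress.ip_network(rule.dst, strict=False)
    if src.version != 4 or dst.version != 4:
        return ["IPv4 only in this review; check IPv6 rules by hand"]

    # Onward flows must originate in the DMZ; anything else needs separate justification.
    if not src.subnet_of(WALLED_GARDEN):
        findings.append("source is outside the walled garden")

    # A default destination defeats the point of the pattern, so it is reported on its own.
    if dst.prefixlen == 0:
        findings.append("destination is any; enumerate the real targets")
    else:
        for name, net in FORBIDDEN_ONWARD.items():
            if dst.overlaps(net):
                findings.append(f"destination overlaps {name}; no onward connectivity permitted")
        if not dst.subnet_of(CONSUMER_VDC):
            findings.append("destination is not inside the consumer VDC")
        elif dst.num_addresses > MAX_DST_HOSTS:
            findings.append("destination wider than a /24; narrow to the workloads actually accessed")

    if rule.proto.lower() not in ALLOWED_PROTOS:
        findings.append(f"protocol {rule.proto!r} is not tcp/udp; 'ip' or 'any' permits everything")
    if rule.port is None:
        findings.append("port is any; state the service port")
    elif not 1 <= rule.port <= 65535:
        findings.append(f"port {rule.port} is out of range")
    return findings


def review_acl(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each offending rule (as 'src -> dst proto/port') to its findings."""
    report: Dict[str, List[str]] = {}
    for r in rules:
        found = review_rule(r)
        if found:
            port = r.port if r.port is not None else "any"
            report[f"{r.src} -> {r.dst} {r.proto}/{port}"] = found
    return report


def acl_is_acceptable(rules: List[Rule]) -> bool:
    """True only when no rule produced a finding."""
    return not review_acl(rules)


# Constructed sample ACL: the sort of list a consumer might submit with the Assurance Plan.
SAMPLE_ACL = [
    Rule("10.200.0.0/24", "10.10.5.10/32", "tcp", 22),    # bastion -> one Linux host, SSH
    Rule("10.200.0.0/24", "10.10.5.11/32", "tcp", 3389),  # bastion -> one Windows host, RDP
    Rule("10.200.0.0/24", "10.10.0.0/16", "tcp", None),   # whole VDC, any port: over-broad
    Rule("10.200.0.0/24", "192.0.2.0/24", "tcp", 443),    # reaches the placeholder PSN prefix
    Rule("10.200.0.0/24", "0.0.0.0/0", "ip", None),       # default permit
    Rule("10.10.5.10/32", "10.200.0.5/32", "tcp", 443),   # workload initiating into the DMZ
]

if __name__ == "__main__":
    for label, findings in review_acl(SAMPLE_ACL).items():
        print(label)
        for finding in findings:
            print("   -", finding)
```

Run as a script it prints the four offending sample rules with their findings; the two narrow bastion-to-host rules pass. The overlap check (rather than equality) is deliberate: a destination such as a /8 that merely contains a community-network prefix would still be rejected.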
Training

Skyscape have created a number of videos, help guides, manuals and FAQs to help train and instruct users so that they are up and running quickly and easily. Skyscape also have a number of Partners who are able to deliver additional services such as training, support and managed services. Skyscape would be pleased to introduce you to such partners where appropriate.

Costs

An Early Exit charge will be payable if the contract is terminated within the minimum term. The Early Exit charge will be equal to the cost of 3 months’ service less payments already made. Consumers are responsible for extracting their own data from the platform if required. Skyscape may make an additional charge for transferring data out of the service.

Ordering and invoicing

Billing for the service is monthly in arrears, based on the maximum number of Remote Access packs configured at any time during the month. Payment can be via Purchase Order and Direct Debit. Skyscape are preparing to be able to accept Debit/Credit Card payments (e.g. Government Procurement Card); please enquire at time of order to check whether this is available.

Service lead time

Setting up a new consumer within the Skyscape Portal will typically be completed within 4 hours from acceptance of order. Resources to validate the Assurance Plan activity will be assigned within 10 days from acceptance of order. Due to the variable nature of this service, full on-boarding of the consuming organisation, including enrolment of all users and end-user devices, will take an indeterminate amount of time.

Consumer responsibilities

- The control and management of access and responsibilities for end users, including appropriate connectivity, security and assurance/accreditation if required.
- Where access is required over Government Secure Networks such as N3, legacy GCF networks or PSN, the consumer is responsible for adhering to the Code of Connection.
- Providing details of all devices to be enrolled into the service.
- Management and administration of end-user devices, including ensuring that security policies remain in effect, security patches are regularly applied and anti-malware software is up to date. Please refer to the ‘Service constraints’ section for additional information.
- Providing details of all users to be enrolled into the service.
- Ensuring all users of the service are vetted and security cleared as appropriate.
- Ensuring all users receive regular information security training.
- Ensuring the service is only used from within the UK and safe harbour countries.
- Providing a suitable Internet connection to enable end-user devices to connect to the Skyscape Secure Remote Access Service.
- Providing access requirements between the ‘Walled Garden’ and consumer solutions (e.g. firewall ports).
- Managing security incidents related to the use of this service (e.g. lost end-user devices).
- Ensuring only appropriate data (e.g. OFFICIAL or OFFICIAL-SENSITIVE) is stored and processed by applications on this environment, and complying with the Skyscape Security Operating Procedures (SyOps) and other information assurance requirements as specified in the Skyscape System Interconnect and Security Policy (SISP) and associated accreditation documentation sets.

Terms

The service is subject to a minimum term of three months. Termination within this initial term will incur an Early Exit charge.

Termination

Consumers are required to provide notice of termination of not less than 10 working days. At the point of termination, consumers must ensure that they have extracted any required data from the ‘Walled Garden’ virtual data centre, as Skyscape will ensure all consumer data, accounts and access are permanently deleted and cannot subsequently be recovered or restored.

Data restoration / service migration

For service migration, Skyscape allows existing data to be migrated to and from the ‘Walled Garden’ virtual data centre. In many circumstances, Skyscape can help facilitate a bulk migration to the platform using offline data ingest and extraction; please ask Skyscape for details.

Technical requirements

Consumers must provide end-user devices which meet the requirements of this service. The mandatory and recommended conditions are those listed under ‘Technical features’ above, from the mandatory use of the Cisco AnyConnect VPN Client (or a CPA assured embedded IPsec client) through to the mandatory implementation of an Incident Response plan by the consuming organisation.

Financial recompense model

If the service level falls below the stated availability percentage (excluding Planned and Emergency Maintenance periods), consumers will be eligible for service credits on the affected service only. Service credits will be calculated as a percentage of the fees for the affected services for the monthly billing period during which the failure occurred (to be applied at the end of the billing cycle).

  Service                         Service Credit
  Secure Remote Access Service    10% of monthly spend on this service
  Client Portal                   1% of monthly spend per 1% below service level target or part thereof

Skyscape Cloud Services Limited
A8 Cody Technology Park
Ively Road
Farnborough
Hampshire GU14 0LX
+44 (0)1252 303300
info@skyscapecloud.com
www.skyscapecloud.com
@skyscapecloud

© Skyscape Cloud Services Limited. All Rights Reserved. SC-SVC-06