Sopra Steria Ltd

Sopra Steria Container Application Platform as a Service (aPaaS)

This PaaS builds on Red Hat's OpenShift Container Platform (open container standard and Kubernetes) to provide integrated DevSecOps securely as a managed service. The preconfigured DevOps environment contains CI/CD pipelines and deployment within a secure cloud environment providing the basis for rapid development and operation of microservice and containerised applications.

Features

  • Open-Source container based application PaaS under a subscription model
  • Automated DevSecOps CI/CD, pipelines using customer source control management
  • Managed runtime supporting rapid Microservice development and operation
  • Supported OpenShift platform based on container and Kubernetes architectures
  • Extensible runtime to support legacy application inclusion and migration
  • Resilient, fault tolerant platform using multiple UK AWS data centres
  • Polyglot of languages (Java, Spring, .NET, Node, Angular, NoSQL, Python)
  • Hybrid cloud options using secure and dedicated connectivity
  • UK Service desk, aPaaS support and environment management
  • Cloud native security components which automatically protect containers as standard

Benefits

  • DevSecOps-as-a-service to increase application delivery speed and quality
  • Supports agile development at scale through automated tooling
  • Rapid deployment, start/stop aligned to digital service project lifecycle
  • Flexible subscription model with service levels
  • OpenShift with our expertise to manage and secure cloud containerisation
  • Reduced cost of application ownership and budget certainty
  • Legacy enablement through migration/integration of existing applications
  • Elastic platform, integrate cloud services and additional middleware options
  • Accreditable solution with add-on accreditation and security monitoring options
  • Managed data access with high availability and resilience

Pricing

£465 to £1,980 a unit a day

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at soprasteria-gcloud@soprasteria.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

127388956566342

Contact

Sopra Steria Ltd
Sopra Steria G-Cloud Team
Telephone: 0370 600 4466
Email: soprasteria-gcloud@soprasteria.com

Service scope

Service constraints
The service is constrained to a supported level of 4 running application runtime nodes, as specified in the Red Hat OpenShift Container Platform documentation. Additional runtime nodes can be added to the service on request in an elastic manner and will incur additional costs.
• Buyers will configure a VPN to the cloud hosted environment
• Additional middleware products would be licensed by the Buyer
System requirements
  • Buyers will configure a VPN to the cloud hosted environment
  • Additional middleware products would be licensed by the Buyer

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our target response time for questions is 95% within 2 working hours, and we aim to have resolved all queries within 2 working days (p3) or 10 working days (p4).
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
No
Support levels
Our Standard support service included in the cost of this service includes access to Service Desk and a Service Delivery Manager. Access is available to the Red Hat knowledge base and is available 24 x 7. Our target response time for questions is 95% within 2 working hours, and we aim to have resolved all queries within 2 working days (p3) or 10 working days (p4). Red Hat support is included through the subscriptions.
DevSecOps and application support is available through Sopra Steria’s additional G-Cloud services.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Sopra Steria will work with the customer to configure the platform as per the customer’s specific needs. Basic set up of the standard environment is included, for example DevOps tool integration. Additional requirements would be addressed through Sopra Steria consultancy services. User documentation is provided. Training is available on request at an additional cost.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The extraction of any data will depend on the solution:
• Source code will already reside with the customer
• Customer specific images can be cloned from the Container Registry
• Data can be extracted by the customer while access to the environment is available
• Application logs can be extracted by the customer while access to the environment is available
• On termination, Sopra Steria could provide the data as an export activity as a costed off boarding option
• On termination, Sopra Steria could provide available logs as an export activity as a costed off boarding option.
End-of-contract process
We offer a rolling month by month contract and will not penalise exit provided the notice period is honoured. All customer information will be available to the customer to remove until termination of the contract. Upon termination of the contract the environment will be decommissioned including the application runtime environment and all associated data.

Using the service

Web browser interface
Yes
Using the web interface
We provide access to the Red Hat OpenShift Container Platform management console in order to allow management of the container deployments within the platform. Users can manage the container deployments within the environment undertaking tasks such as deploying containers, stopping containers and scaling containers. User access is restricted to the management of containers to allow Sopra Steria to manage the underlying platform configuration in order to guarantee the service. Jenkins is integrated and provides the web interface to manage the continuous integration, continuous delivery pipelines within a project.
Web interface accessibility standard
WCAG 2.1 AA or EN 301 549
Web interface accessibility testing
The Red Hat OpenShift Container Platform management web console has been assessed against WCAG 2.1 AA and further information can be found at https://access.redhat.com/sites/default/files/attachments/openshift-4-vpat.pdf.
API
Yes
What users can and can't do using the API
We provide native access to the underlying APIs of Red Hat OpenShift Container Platform. The OpenShift API provides the same features as the web user interface allowing the creation of projects, management of projects, creation of containers, deployment and runtime configuration.
API automation tools
  • Ansible
  • Other
Other API automation tools
  • Jenkins
  • Tectonic CI
  • OpenShift S2I builders
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Customers can access Red Hat OpenShift Container Platform using the CLI tool. The tool allows the user to perform the same actions on the OpenShift Container Platform environment through the CLI as through the web console. The user's access is limited to the privileges provided to them under their authentication model.

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
Dedicated resource is used as part of the service to the customer in order to ensure the service is not affected by the demands of other users or customers.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
Container availability, health and resource allocation
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
In-house
Protecting data at rest
Other
Other data at rest protection approach
Data at rest is encrypted using services provided through the 3rd party cloud provider (AWS). The keys used for this encryption are stored within the AWS Key Management System.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • OpenShift environment and supporting Containers
  • Volumes attached to Containers
Backup controls
Backups will be performed to a defined schedule.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
Other
Other protection within supplier network
Within the AWS network client specific data is held within a segregated VPC and Account. AWS is responsible for ensuring segregation of customer data. Within the VPC and account dedicated storage is provided to the client. Access to the OpenShift Container Platform environment management is secured using user RBAC. Application access can be secured by the client using the single sign on capability present within the environment. OpenID / OAuth tokens are typically used to secure application access to specific users with specific roles.

Availability and resilience

Guaranteed availability
The Container aPaaS platform is offered as a Highly Available platform utilising HA configurations for key services. This is designed to provide a 99.95% availability target. These availability targets are offered without penalty to Sopra Steria. If different targets and a service credit regime are required we are happy to discuss your requirements and these can be provided at additional cost.
Approach to resilience
The service is deployed in a High Availability architecture as recommended by Red Hat with nodes split across the UK AWS Availability Zones (logical Data Centres). Additional detail is available on request.
Outage reporting
As part of our standard monitoring service we provide an adequate level of system health monitoring of our solution to ensure it is stable and has enough resource to operate effectively. Our standard checks include testing devices for connectivity, verifying log feeds and infrastructure resources (e.g. CPU, memory, storage capacity, etc.). In our standard implementation this service is integrated with our service management toolset which allows IT related alerts to be automatically directed to the relevant team for prompt resolution. In addition, depending on the client requirements, we can implement additional features to provide an enhanced monitoring and management service with metrics on application availability and business processes. We can also include more mature capabilities such as extended log retention, enhanced service desk support, and protective monitoring service. Moreover, we provide our Remote Operations Centre (ROC) which monitors the health of our client IT systems 24 x 7 in a bid to prevent any outage from happening.

Identity and authentication

User authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
OAuth token-based authentication to access the RESTful API and web console, as per the Red Hat OpenShift Container Platform documentation found at https://docs.openshift.com/container-platform/4.10/authentication/index.html.
Access restrictions in management interfaces and support channels
Management interfaces are restricted to Sopra Steria staff using role-based access controls. Customers accessing the Red Hat OpenShift Container Platform management interface must be authenticated, and access is restricted to specific named individuals. Federated integration with the customer's identity source can be configured on request.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Management interfaces are restricted to Sopra Steria staff using role-based access controls. Customers accessing the Red Hat OpenShift Container Platform management interface must be authenticated, and access is restricted to specific named individuals. Federated integration with the customer's identity source can be configured on request.
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
DNV Business Assurance London, SE1 9LQ, United Kingdom
ISO/IEC 27001 accreditation date
13/10/2021
What the ISO/IEC 27001 doesn’t cover
Not Applicable
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Sopra Steria has established an Information Security Management System (ISMS) and comprehensive set of security policies as part of its ISO27001 certification with an overarching ‘UK Corporate Security Policy’ issued by Sopra Steria’s UK Head of Corporate Security and approved by the UK CEO. We have a robust set of security processes and controls to ensure security is effectively embedded in our organisation and these are all subject to both internal and external audit as part of our certification requirements. These controls and processes are systematically applied to our client operations which thus comply with ISO27001. Sopra Steria also adheres to HMG Information Security and Information Assurance Standards, the Cabinet Office’s Security Policy Framework (SPF) and HMG Good Practice Guides, and is also certified under NCSC’s Cyber Essentials Plus scheme.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our configuration and change management process is aligned with ITIL and ISO20000 best practice and includes:
• maintaining a Service Asset and Configuration Management Database (CMDB) to enable Incident, Changes and Problems to be tracked against the affected Configuration Items
• record, track, report and audit Configuration Items (CIs) in relation to the Solution both physical and virtual
• detail the relationship between Configuration Items aiding in Change impact assessment and Incident / Problem Resolution.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Sopra Steria applies appropriate security practices to the underlying platform. Vulnerability scanning can be automated during the image build phase. Auditing and container compliance is supported with automated CIS security benchmark testing and vulnerability scanning of all production systems and containers. Network controls and firewall capabilities with container Data Loss Prevention (DLP) help to meet container compliance requirements for segmentation and isolation of critical systems. Risk reporting and scores help assess and reduce the risk of attack.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Sopra Steria is able to provide Security Operations Centre services for protective monitoring as an additional optional service.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our standard approach to incident management is aligned to ISO20000 and ITIL best practice.
• Incidents logged and monitored throughout their lifecycle
• Incidents are categorised with relevant resolution prioritisation and target closure time
• Root cause analysis is undertaken and uncorrected errors transferred to Problem Management
• Prompt communication of service failures to manage the expectation of users
• Perform lessons learnt from incident as part of our continuous improvement
• Exceptional major incidents are assigned an accountable manager who will drive appropriate stakeholder engagement
• Reporting and analysis is reflected in service reporting to the customer.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
Amazon Web Services (AWS)
How shared infrastructure is kept separate
AWS provides segregation of client data and activity through their platform. Details are available on the AWS website. Each organisation has a dedicated Container aPaaS middleware environment built upon the dedicated cloud.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
AWS has always focused on energy efficiency and continuous innovation in its datacentres in order to reduce energy usage and increase operational excellence. Its scale also allows AWS to achieve higher resource utilization and energy efficiency than the typical on-premises datacentre. In fact, 451 Research found that AWS’s infrastructure was 3.6 times more energy efficient than the median of surveyed enterprise datacentres, with more than two thirds of this advantage due to a more energy efficient server population and higher server utilization.
Amazon has become the largest corporate buyer of renewable energy in the U.S. after announcing 14 new projects in North America and Europe. The projects bring Amazon’s total renewable energy investments to 10 gigawatts of electricity production capacity—enough to power 2.5 million U.S. homes.
Already the largest corporate buyer of renewable energy in Europe and globally, Amazon continues to advance its ambitious goal to power 100% of its activities with renewable energy by 2025—five years ahead of its original target.
The latest announcement means Amazon now has 232 renewable energy projects around the world, including 85 utility-scale wind and solar projects and 147 solar rooftops on facilities and stores worldwide.
For more information, visit https://sustainability.aboutamazon.com/

Social Value

Fighting climate change


Sopra Steria (SSL) has committed to becoming Net Zero by 2028 and has been ranked in the top 1% of companies globally by CDP, placing on the A-list for our work tackling climate change 5 years running.

Our work has a direct positive impact on client services, for example through lower emissions, reduced waste, more sustainable supply chains.

Additional environmental benefits: We also provide contract-specific sustainability programmes for clients, designed and led by our Sustainability Consultants. During procurement these experts will develop a sustainability programme based on client objectives, the material impacts, and opportunities within the service.

We have experience:

• Undertaking service environmental impact assessments
• Measuring energy consumption and emissions for all elements of a service (e.g., office use, business travel, use of technology and supply chain)
• Evaluating the sustainability of technology products (e.g., GGICT, Energy Star, as well as product and service footprinting)
• Making business case-backed recommendations and implementation roadmaps for improvements
• Delivering improvement programmes
• Reporting performance, using recognised reporting standards and accounting methods

Influencing staff, suppliers, customers and communities:

Staff: we feature sustainability in our employee communications, invite people to contribute to our programme’s continual improvement, and offer all employees paid volunteering time which can be used to support sustainability activities such as beach cleans and climate hackathons
Suppliers: our Supplier Code of Conduct mandates high standards of environmental sustainability; SSL made CDP’s 2021 Supplier Engagement Leaderboard for taking action to measure and reduce environmental risks with our supply chains.
Customers: as described above, SSL makes sustainability and social value a part of its contracts with clients, designing and managing environmental improvements throughout the contract lifetime.
Communities: in addition to employee volunteering, we participate in community sustainability initiatives, e.g., through membership in industry sustainability groups such as techUK and IEMA, and support for COP26 in Glasgow.
Covid-19 recovery


Employment, re-training and other opportunities:
In the high-growth Digital sector, Sopra Steria is continually developing the skills of our workforce, including via upskilling and reskilling initiatives, e.g. via a new Career Coach, and by extending our apprenticeship programme. Through our Tech for Good programme, and the Social Value programmes we design and deliver for customers, we focus on jobs and skills for disadvantaged and under-represented groups, including those disproportionately affected by Covid.
People and communities:
Our Tech for Good programme is designed to provide people, small businesses and VCSEs with skills they need to thrive and is focused on those from disadvantaged or under-represented communities. Since the beginning of the pandemic, we have transitioned to a hybrid-virtual programme to ensure continued accessibility. For example, we worked with ELATT, a digital skills charity, to create hybrid learning, ensuring those who were shielding or otherwise unable to access classroom learning, as well as those who most needed to be in a classroom to support their learning, could still participate.
Organisations and businesses:
In the first year of the pandemic, we ran free training courses for charities and SMEs – offering Microsoft Teams training and modules on cyber security and resilience. We continue to offer pro-bono consulting for charities to help them use technology to better serve their communities.
Physical and mental health needs:
Since the start of the pandemic, we have put in place measures to prevent and manage risks to employee wellbeing – including the wellbeing of contracted staff – together with appropriate training and individual support, and initiatives to raise awareness of mental health issues at work. We have also trained ca. 60 Mental Health First Aiders.
Workplace conditions:
All our office locations have strict Covid safety protocols, with considerations for cleaning, ventilation, and occupancy.
Tackling economic inequality


New businesses, jobs, and skills
Entrepreneurship and SMEs:
Sopra Steria (SSL) adheres to the Prompt Payment Code. SMEs provide us with innovative and agile solutions and deliver 50% of our work.
Barriers to employment:
SSL provides education, skills training and employment opportunities, such as mentoring, for those facing barriers to employment.
Skills shortages:
We address the digital skills gap in our business and outside it through in-work and community learning opportunities.
Educational attainment:
We offer a number of skills development programmes, including apprenticeships.
Influence:

Staff are encouraged to use paid volunteer time to support our community innovation, entrepreneurship and employability initiatives.

Suppliers must comply with our Supplier Code of Conduct, which requires workforce skills development.

Our customer social value programmes include business competitions and work experience placements.

We work with community organisations such as Villiers Park and Career Ready to deliver business, jobs, and skills programmes.

Supply chain resilience and capacity
Diverse supply chain:
We work to improve supplier diversity by:
• Making it easier to do business with us
• Measuring current supply chain diversity
• Creating new VCSE partnerships
Innovation & new methods:
Through horizon-scanning, and supplier and industry collaboration, we support development of new technologies that improve public services, like our ethical data-driven approaches to serving vulnerable citizens.
Collaboration:
SSL has obtained the ISO44001 Collaborative Business certification.
Cyber security:
SSL is certified to Cyber Essentials Plus and ISO27001 standards. We require suppliers to have resilient information security processes, and flow down necessary cyber standards.
Influence:
Staff undertake cyber security training and participate in our innovation processes, e.g., competitions.

Suppliers are engaged through our Collaborative Business approach and must adhere to strict security requirements.

We share knowledge with customers via our social value programmes, continual service improvement and industry engagements.

We participate in community resilience and innovation forums such as techUK.
Equal opportunity


Sopra Steria’s vision is to create an inclusive culture that embraces difference as a source of creativity, innovation, and competitive advantage. Our Equality, Diversity & Inclusion (EDI) strategy, overseen by a dedicated EDI Manager, applies to contract workforces.
Disability employment gap
Representation:
We are a Disability Confident Committed Employer. Our partnership with Vercida helps us improve diversity through recruitment.
Skills development:
All employees are given access to on-and-off-the-job development, and initiatives such as our Disability Network and our partnership with Business Disability Forum support disabled employee skills development.
Staff, suppliers, customers and communities:
Staff: all employees can join our Disability Network. Our Disability Steering Group has employee representation and executive-level sponsorship.

Suppliers: our Supplier Code of Conduct requires all suppliers to maintain high standards of EDI in their workforces.

Customers: we regularly work with clients to improve accessibility in digital services. For example, we are providing insight to a client on the effects of digital transformation on accessibility.

Communities: we work with community representatives in the design and delivery of our disability work (e.g. membership in Business Disability Forum).

Workforce inequality
Identify and tackle inequality:
We have a range of initiatives to identify and tackle inequality in our workforce, e.g.:
• Diversity data dashboards help us understand EDI indicators and inform our programmes.
• Employee inclusion networks give employees in under-represented groups a voice in our EDI strategy.
• We are working to recruit more people from under-represented groups.
In-work progression:
We offer opportunities for people from under-represented groups, such as our Female and Black and Ethnic Minority Employee mentoring programmes.
Modern Slavery:
Signatories to the UN Global Compact, we actively work to prevent human trafficking through pre-employment checks and transparent recruitment practices. We are a Real Living Wage Employer.
Our Supplier Code of Conduct includes requirements for demonstrably preventing modern slavery.
Wellbeing


Sopra Steria is fostering a workplace where our people are actively supported to be healthy and well and can talk openly about their mental health.
Improve health and wellbeing:
Our company-wide health and wellbeing programme for all employees including contracted staff includes:
• Work-life balance policy providing flexible and remote working options
• Extensive employee assistance programme
• Range of healthcare benefits
• Employee Trust, providing financial support in times of hardship
• Mental Health First Aiders, now with 60 trained staff
• Calendar of virtual classes, including fitness, meditation, stress management, nutrition, and resilience

Improve community integration:

Our outcomes-focused and user-centred approach to Social Value means that in creating programmes for clients, we engage community representatives, conducting user research and needs analyses. For example, we worked with a local authority to understand community employment concerns and create a work experience programme targeted at the individuals with the most need.

Health, wellbeing & community integration: influence staff, suppliers, customers, and communities:

We engage all stakeholders in our Social Value work on Wellbeing, for example:

Staff: in addition to the staff support described, we also equip our people to support others’ wellbeing, for example by ensuring people managers have additional wellbeing training and objectives.

Suppliers: our Supplier Code of Conduct requires all suppliers to support the health and wellbeing of their workforce.

Customers: our Social Value consulting team designs Social Value programmes tailored to clients’ Social Value priorities, including Health & Wellbeing. For example, we are providing pro-bono consulting to a national mental health charity to help them identify how to use technology to improve outcomes for service users.

Communities: To play a positive role in all our communities, all employees are given 3 days paid volunteering annually, and we offer matched funding to support charitable fundraising.

Pricing

Price
£465 to £1,980 a unit a day
Discount for educational organisations
No
Free trial available
No
