ProofID Ltd

SailPoint Identity Security Cloud

Cloud-based Identity Governance solution from leading identity vendor, SailPoint. Identity Security Cloud enables business friendly identity governance via access request, access certification and effective provisioning and deprovisioning of joiners, movers and leavers, along with improved productivity and Password Management capabilities. Patented Zero Knowledge Encryption security model.

Features

  • Access Review covering cloud and on premise applications
  • Automated provisioning and user life cycle management as a service
  • Business application integration
  • Access Certification Campaigns verify user access permissions by line management
  • Password Management for on and off network password resets
  • Access Request delivered as a service
  • Identity warehouse showing all accounts and access a user has
  • Governance of roles and role policy management
  • Securely deliver IGA with patented Zero Knowledge Encryption algorithm
  • Visibility, reporting and querying for identities, entitlement, accounts and policies

Benefits

  • Enables resource owners and business managers to manage access
  • Automate joiner/mover/leaver scenarios, create custom HR states driving user access
  • Connector library supporting leading enterprise systems and custom connectors
  • Reduced helpdesk calls for password management, improving security and efficiency
  • Secure self-service password management reduces IT load, enhancing user productivity
  • Mobile apps for password management/reset, access requests and approvals
  • Single source of truth for all questions concerning user access
  • Govern business and IT roles for automation and security
  • Communicates with existing infrastructure securely without forcing any changes
  • Instantly answers "who has what level access to what resource"

Pricing

£125,000 an instance

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@proofid.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

128485392981261

Contact

ProofID Ltd Andy Rutter
Telephone: 0753 912 7901
Email: sales@proofid.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Identity Security Cloud (ISC) enables business friendly identity governance via access request, access certification and effective provisioning and deprovisioning of joiners, movers and leavers. This is achieved by connecting to your organisation's applications.
Cloud deployment model
Public cloud
Service constraints
Identity Security Cloud is deployed in Amazon Web Services (AWS). Hosted data resides in one of several AWS regions, the location of which is determined by the customer. Customers may elect to have their data hosted in the UK, the EU in Frankfurt, Germany or in the US in Oregon or Virginia.
System requirements
  • Web Browsers: Firefox, Internet Explorer, Microsoft Edge, Chrome or Safari
  • Hypervisor for Virtual Appliances housing our connectivity layer
  • SaaS solution. Other components are managed in AWS by SailPoint

User support

Email or online ticketing support
Email or online ticketing
Support response times
“Business Hours” 8am-6pm local time, Monday to Friday, except local public holidays for non-severity 1 cases. For all severity 1 cases: 7 days a week at 24 hours a day coverage. Severity 1 - Response time one hour; Severity 2 - Response time two hours; Severity 3 - Response time eight hours; Severity 4 - Response time 12 hours.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
SailPoint offers Premium support for our ISC platform. Premium support provides 24x7 support for severity 1 issues.

Support and maintenance includes:
(a) Telephone or electronic support to help Customer locate and correct problems with the SaaS Services.
(b) Bug fixes and code corrections to correct malfunctions in order to bring such SaaS Services into substantial conformity with the operating specifications contained in the Documentation.
(c) All extensions, enhancements and other changes that SailPoint, at its sole discretion, makes or adds to the SaaS Services and which SailPoint furnishes, without charge, to all other subscribers of the SaaS Services.
(d) Up to five (5) dedicated contacts designated by Customer in writing that will have access to support services.
(e) Access to Compass, SailPoint’s customer and partner portal, which includes discussion forums, technical information, latest company and product information, webinars, and product downloads. It also provides collaborative forums, which allow interaction between customers and SailPoint subject matter experts.
(f) Appointment of a Customer Success Manager to serve as your primary point of contact and advocate within SailPoint.

SailPoint also offers professional services that can be provided onsite or remotely. Professional services are not included, but are available at an additional cost.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
ProofID provides professional services during the initial phase of deployment.

Comprehensive documentation is provided by SailPoint to cover all aspects of Identity Security Cloud (ISC) functionality. All ISC documentation is provided online via the Compass web portal and includes technical white papers, implementation guidance, ISC wiki, and other documentation. Compass also includes a User Forum where clients can ask specific questions and get answers from our technical support staff and other clients.

SailPoint offers instructor-led Administrator and Implementation training sessions that are tailored to each customer’s deployment and cover topics such as:
  • Introduction to ISC
  • Setup
  • Data Aggregation and Correlation
  • Implementation Guidelines
  • Access Certification
  • Password Management
  • Troubleshooting
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Identity Security Cloud has APIs and reports which users can use to export their data as needed. If the user wants ProofID's assistance in the export process, they can purchase service hours to have ProofID Professional Services assist in the process.
End-of-contract process
Upon termination of the SaaS Agreement or expiration of the Subscription Term, SailPoint shall immediately cease providing the SaaS Services and all usage rights granted under this SaaS Agreement shall terminate.

The contract (SaaS subscription) includes access to the service and customer support for the service. All professional services are additional costs and this would include any transitional professional services required at the end of the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Yes
Compatible operating systems
Linux or Unix
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
No difference
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Publicly available view of platform metrics to check current and previous 90 day performance
Accessibility standards
None or don’t know
Description of accessibility
The status of the SailPoint Identity Security Cloud services can be checked here: https://status.sailpoint.com/
Accessibility testing
The SailPoint Engineering QA process also involves the use of screen readers such as JAWS to verify that the business user interfaces correctly function with technologies used by visually impaired users.
API
Yes
What users can and can't do using the API
SailPoint offers a fully functioning, versioned API.

The Identity Security Cloud (ISC) Platform APIs allow you to build your own applications, web sites, and tools that take advantage of ISC's data, features, and flows. The APIs follow a familiar RESTful standard, using query and path parameters, request/response headers, and JSON request/response bodies.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Common configuration changes can be made directly in your web-based admin interface. The platform is designed to be extensible using our no code/low code workflow engine and/or APIs.

Scaling

Independence of resources
As a true SaaS solution, Identity Security Cloud is able to dynamically scale immediately, as needed, to meet customer needs.

Analytics

Service usage metrics
No

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Managed Services

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
Identity Security Cloud utilizes its patented zero knowledge encryption to provide multiple layers of encryption on all critical data stored in the IdentityNow cloud database.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
On top of providing report and audit data in CSV or PDF format, as well as through available RESTful APIs, SailPoint Identity Security Cloud allows data to be extracted in CSV/PDF format from many widgets and pages throughout the interface, allowing easy data export.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
  • CSV
  • Other
Other data import formats
PDF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network
AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. Network scanning is performed and any unnecessary ports or protocols in use are corrected.

Access to the ISC data within the AWS environment is restricted to the SailPoint DevOps team. Customer data at rest is encrypted with the AES256 algorithm. ISC provides encryption of all customer data, where the most sensitive customer data is dual-encrypted, using keys that are only ever controlled by the customer or end user's device. No key is persisted or made available to SailPoint.

Availability and resilience

Guaranteed availability
The SaaS Services will achieve System Availability of at least 99.9% during each calendar month of the Subscription Term. “System Availability” means the number of minutes in a month that the key components of the SaaS Services in a Customer production environment are operational as a percentage of the total number of minutes in such month, excluding downtime resulting from (a) scheduled maintenance, (b) events of Force Majeure, (c) malicious attacks on the system, (d) issues associated with the Customer’s computing devices, local area networks or internet service provider connections, or (e) inability to deliver services because of acts or omissions of Customer or any Identity Cube user.

If SailPoint fails to meet System Availability in an individual month, upon written request by Customer within 30 days after the end of the month, SailPoint will issue a credit in Customer’s next invoice in an amount equal to ten percent (10%) of the monthly fee for the affected SaaS Services for each 1% loss of System Availability below stated SLA per SaaS Service, up to a maximum of fifty percent (50%) of the Customer’s monthly fee for the affected SaaS Services.
Approach to resilience
SailPoint’s Identity Security Cloud solution is provided utilizing Amazon Web Services with each primary hosting location providing full redundancy of hardware, software, and network infrastructure across three AWS Availability Zones. SailPoint provides fully automated failover and advanced backup and recovery measures to ensure that IAM services are available for operation and use. Additionally, controls are in place to provide quick restoration capabilities from backup, in the event that a site or overall service experiences a critical failure.
Outage reporting
Identity Security Cloud is a pure SaaS solution and Identity Security Cloud service components are monitored by SailPoint DevOps personnel. There is a public status dashboard, http://status.identitynow.com/.

For issues broadly impacting all customers, notice and updates would be posted to the Compass portal. You can elect to receive email notification when such notices are posted to Compass. For serious issues, your customer success manager will reach out to you via email and/or phone. SailPoint assigns a Customer Success Manager to every client. The Customer Success Manager serves as your primary point of contact and your advocate within SailPoint.

Identity and authentication

User authentication needed
Yes
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
SailPoint applies the principle of least privileged access. Employees are granted access based on pre-approved roles and job descriptions, which are reviewed and re-certified at least annually.

In ISC, administrative access is restricted to DevOps. We utilize a support account, which is separate from customer access accounts. Access to the production environment by SailPoint DevOps personnel requires remote access into the EC2 environment, which is restricted through the use of an SSH connection from the SailPoint corporate IP address and two-factor authentication.

In ISC, access is role-based, allowing staff for example to receive elevated rights for their specific function.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus
ISO/IEC 27001 accreditation date
19/12/2022
What the ISO/IEC 27001 doesn’t cover
N/A. ProofID's ISO27001:2013 certification covers the entire business, staff, processes and assets in the provision of Identity and Access Management facilities at ProofID's Old Trafford office, remote staff and 3rd Party Hosted cloud provision in accordance with statement of applicability v13.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
ProofID operate a comprehensive Information Security Manual which is aligned and certified as ISO27001:2013 as part of our ISO certification. This certification covers all areas of the business and services provided to customers. ProofID have an information security committee which meets quarterly to review the organisation's ISMS and associated policies. This committee is comprised of individuals from across the business and chaired by the Technical Director, who is part of the ProofID board of directors. Information Security status, updates and events are reported as part of the regular management meetings and also covered as part of the board meetings (every 2 months). All line managers within the business are responsible for ensuring adherence to the organisation's information security policies within their area of the business and, where relevant, for drafting and owning policies relevant to their business areas under the supervision of the Technical Director. Information Security is a key part of ProofID and is included in employees' induction, where they are briefed on the policies, event reporting etc. Breaching of the information security policies is covered as part of the organisation's employment and disciplinary procedures.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
As part of ProofID's ISMS and ISO27001:2013 certification, a change and configuration management procedure is followed. All components of the service are covered by the procedure, including servers, network links, applications, security components etc. When a change is required, a change request is created detailing the assets impacted, the change, the backout plan and details of relevant testing; any security implications are flagged by the requestor. The change board then reviews the requested change to ensure sufficient detail and compliance with the organisation's information security policies and associated risks. As required, a risk assessment will be performed if a security risk is identified.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerabilities are assessed using the following criteria, which drive the patching approach:
  • Is the vulnerability exploitable outside of the network?
  • How complex must an attack be to exploit the vulnerability?
  • Is authentication required to attack?
  • Does the vulnerability expose confidential data?

The Organization has established the following timeline requirements for reacting to notifications of relevant vulnerabilities:
  • Remote, unauthenticated, non-complex attacks: < 1 day
  • Remote, authenticated, non-complex attacks: 1 day
  • Remote, complex attacks exposing confidential information: 1 day
  • All others: 1 week

Notifications are received through subscribing to the applications' vulnerability notification systems (emails, RSS feeds etc).
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are identified through system monitoring and log file analysis, looking for unusual patterns of activity and configuration changes. Should a security breach (physical and systems) be identified or suspected which directly or indirectly involves customer data, then the Information Security Manager is responsible for immediately notifying the relevant customer(s). Incidents involving high-value or business critical systems (as identified under section 8.1 of the Manual) are immediately reported to the Information Security Manager.
Incident management type
Supplier-defined controls
Incident management approach
All information security events and weaknesses are, immediately upon receipt, recorded by the Support team in WebTrack, then assessed and categorized by the Information Security Manager (who automatically receives confirmation by email of a new recorded incident/event or update). ProofID have a standard process for handling events, vulnerabilities, incidents and unknown events, with associated process and priorities. Root cause analysis and corrective actions are recorded and, where relevant, fed back to the affected individuals; these are reviewed at the quarterly information security committee meetings.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Equal opportunity
  • Wellbeing

Equal opportunity

ProofID is committed to valuing diversity and seeks to provide all staff with the opportunity for employment, career and personal development on the basis of ability, qualifications and suitability for the work as well as their potential to be developed into the job.
We believe people from different backgrounds can bring fresh ideas, thinking and approaches which make the way work is undertaken more effective and efficient.
The company will not tolerate direct or indirect discrimination against any person on grounds of age, disability, gender / gender reassignment, marriage / civil partnership, pregnancy / maternity, race, religion or belief, sex, or sexual orientation, whether in the field of recruitment, terms and conditions of employment, career progression, training, transfer or dismissal.
It is also the responsibility of all staff in their daily actions, decisions and behaviour to promote these concepts, to comply with all relevant legislation and to ensure that they do not discriminate against colleagues, customers, suppliers or any other person associated with the Company.

Wellbeing

ProofID has a wellbeing policy in place for members of staff.
The company recognises that a mental wellbeing impact for one person can be very different to another person, and this policy has been developed with this in mind, taking those individual needs and requirements into account. This case-by-case approach does mean that the company may respond differently to each unique set of circumstances.

Pricing

Price
£125,000 an instance
Discount for educational organisations
Yes
Free trial available
No
