Cloud 21 Limited

NHS Identity Management (BDS Directory Manager)

Cloud21 provides BDS Directory Manager that enables JML (joiner, mover and leaver) processes to be automated. The software integrates directly with ESR, Active Directory, NHSmail and Office 365 to allow organisations to establish electronic workflows that streamline staff induction and perform ongoing account management throughout the user lifecycle.

Features

• Integration with ESR for automated staff data collection
• Supports multiple additional identity data sources and manual entry
• Account management in Active Directory, Entra and NHSmail
• Rule-based security group management to implement PBAC
• User folder creation and security assignment
• Management of change, user rename and expiration
• User-defined email notifications in response to key events
• Transactional processing with control over approval
• Detail auditing of all data changes and transaction results
• Optional self-service (SpecOps) and delegated password reset facilities

Benefits

• Deployed and supported by dedicated identity management team
• Reduced cost of technical administration
• Improvements in accuracy of staff data within Active Directory
• Better staff experience during induction and assignment change
• Reduction in retention of historic user permissions
• Audit evidence to support DSPT submissions
• Assignation and monitoring of licence usage on Office 365
• Accessible database of ESR data and user’s system accounts
• Facility to delegate entry and approval to non-technical staff
• The most widely adopted NHS identity management solution

£5.24 to £65 a user a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid-management@cloud21.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

180607750003137

Contact

Steve Gray
0845 838 8694
bid-management@cloud21.net

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: The delivery of the Directory Manager core service is for the creation of joiner, mover and leaver processes to integrate ESR, Active Directory and an elected messaging platform (Exchange, Exchange Online or NHSmail)
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: The delivery of the Directory Manager core service is for the creation of joiner, mover and leaver processes to integrate ESR, Active Directory and an elected messaging platform (Exchange, Exchange Online or NHSmail). Although the software can accommodate many data sources, the initial scope is ESR, CSV and manual entry. The email notifications configured as part of the core service will relate solely to the processing joiner, movers and leavers. Once the core service is established, additional time to extend the configuration and scope of the Directory Manager platform can be procured through the support contract.
• System requirements:
  • ESR Integration with supplier
  • Virtual machines to install solution
  • AD/EntraID Service accounts
  • SQL server instance
  • Windows Server and SQL server licensing

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Directory Manager is fully supported by Cloud21 with the service desk operating 08:00 – 18:00 Monday to Friday. Support incidents can be reported by phone or email. There is an SLA associated with the support service that provides response and remediation times based on the severity of the support incident. The support and maintenance service attracts and annual subscription which is approximately 10% of the initial deployment cost.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Directory Manager is fully supported by Cloud21 with the service desk operating 08:00 – 18:00 Monday to Friday. Support incidents can be reported by phone or email. There is an SLA associated with the support service that provides response and remediation times based on the severity of the support incident. The support and maintenance service attracts and annual subscription which is approximately 10% of the initial deployment cost.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: The BDS Directory Manager deployment procedures are well established and governed by the ‘Statement of Approach’ document that accompanies the delivery of the service. This includes the following key sign-off waypoints in the service delivery: ; ; Matching of ESR, Active Directory, Office 365 and/or NHSmail sign-off (data matching) ; ; Account creation and management sign-off (end-to-end testing) ; ; Notification testing and sign-off (joiner, change and leaver emails) ; ; Go-live monitoring and sign-off (system performance and operation) ; ; These sign-offs engage the appropriate HR, technical administration, communications and operational teams. The information and procedures are manifested within a ‘Site Handbook’ which details the configuration and routine operating procedures and represents the final handover and sign-off of the deployment project.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The data is in SQL server and can be exported to CSV if required
• End-of-contract process: The client data remains on Private Cloud or Hybrid infrastructure and would not be accessible by the supplier

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
• Application to install: Yes
• Compatible operating systems: Windows
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: There is a back end .NET application that is accessible for system asset owners and IT.
• Accessibility standards: None or don’t know
• Description of accessibility: There is a back end .NET application that is accessible for system asset owners and IT. This has to be accessed on the Virtual server interface.
• Accessibility testing: Not applicable
• API: No
• Customisation available: Yes
• Description of customisation: Buyers can interface with many systems to gain further benefits from the product including various Microsoft Cloud services.; Various rules can be set up to allow Joiners movers and leavers to add to AD groups etc depending on other AD criteria such as Job description.; There is a large amount of configurable parameters for workflows.

Scaling

• Independence of resources: The solution can be hosted on-premise or private cloud, so resources can be configured to ensure availability/capacity.; Other design considerations on hybrid architecture are considered as part of the onboarding

Analytics

• Service usage metrics: Yes
• Metrics types: Service operations are visible and can be monitored through the web client.; Historic processing information is extracted through regular reports for support purposes.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Other
• Other data at rest protection approach: Buyers are responsible for providing private cloud infrastructure or on-premise hybrid data centre resources
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported from SQL server as CSV
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Buyers are responsible for providing private cloud infrastructure or on-premise hybrid data centre resources.; The availability will vary depending on the hosting solution opted for
• Approach to resilience: Buyers are responsible for providing private cloud infrastructure or on-premise hybrid data centre resources.; The resilience levels are based on the number of Domain controllers and varying HA configuration options
• Outage reporting: Direct communication to the client.; Metrics are collected for support purposes. There are notifications that can be configured to send site information if there are any issues.; ; Customer Cloud/Hybrid infrastructure is not monitored by the support service, so this would be the client's responsibility to raise a support ticket.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: Windows authentication can be used as an option to the client
• Access restrictions in management interfaces and support channels: This uses AD integrated RBAC and permissions.
• Access restriction testing frequency: Never
• Management access authentication:
  • Username or password
  • Other
• Description of management access authentication: Windows Authnetication can be used as an option too

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 09/01/2024
• What the ISO/IEC 27001 doesn’t cover: We are covered for the following activities. The provision of professional IT services and IT support providing Consultancy, Product Development and Managed services including IT Service Desk, Cyber Security and SOC within the Healthcare, Local Authorities, Education and Professional Service Sectors Anything outside of this would not be covered.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: ISO 9001:2015

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Cloud21 has a Head of Cyber Security which reports to the VP of Digital Technical Services who reports to the President of Cloud21.; ; Cloud21 has well defined information security measures and security policies as part of our ISO27001 accreditation.; ; Our development and release process is part of our QMS operating procedures audited under ISO9001:2015.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our Configuration and Change Management approach adheres to ISO standards, ensuring systematic implementation and consistent quality outcomes. We utilise a structured change control process with a bespoke database, establishing and maintaining configuration baselines for assessing change impact and facilitating rollback if needed. Comprehensive documentation and post-implementation reviews ensure transparency and quality within NHS organisations.; Customers are responsible change control for all private / hybrid / on premise elements.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Directory Manager leverages Microsoft Technologies at its core. Our vulnerability management approach focuses on ensuring compatibility with the latest security patches from Microsoft. This proactive measure guarantees that our solution remains resilient against emerging threats, aligning with industry standards and safeguarding NHS data integrity. Encouraging customers to apply these patches reinforces our commitment to continuous security enhancements.; Customers are responsible vulnerability management for all private / hybrid / on premise elements.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Our Protective Monitoring Approach entails local monitoring of Directory Manager, leveraging customer solutions. BDS maintains basic configuration reporting for active version monitoring, ensuring compliance with supported standards. The Directory Manager provides robust audit tracking for user actions, masking sensitive data, and generating weekly error log reports. Log data transmission is encrypted, prioritising collaboration with NHS organisations to mitigate vulnerabilities and ensure personal data security.; ; Customers are responsible for all private / hybrid / on premise infrastructure / cloud elements.
• Incident management type: Undisclosed
• Incident management approach: Our incident management process involves logging support calls via phone or email, categorising incidents by severity and impact, and actively reaching out to customers upon identifying vulnerabilities or issues affecting the product. We prioritise these issues based on severity and impact for timely resolution, guided by SLAs. The product team analyses incidents, ensuring effective incident resolution aligned with ITIL principles. This proactive approach, coupled with customer engagement, enhances our incident management process and fosters customer satisfaction.; Customers are responsible for incident management for their private / hybrid / on premise environments.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Wellbeing

  Fighting climate change

  Cloud21’s quality and compliance team have been extremely busy over the last 24 months and have recently become ISO14001 certified demonstrating our commitment to reducing its environmental impact.; Ambitions for 2024/25; For this service we will: ; ; • Implement a reduce, reuse and recycle scheme (coffee pods, pens and batteries); • Eliminate single use plastic bottles from our office headquarters; • Promote rail travel over air travel for practical journeys; • Promote the ‘green leaf hotel’ scheme where practical to do so; • Accurately measure commutable mileage ; • Reduce paper use and printing at the our headquarters ; • Reduce emissions by 7.14% (19.23 tCO2e) from baseline ; ; We believe it is all about making small changes in order to make a big impact and promoting environmental sustainability. ; ; Cloud21 has implemented a carbon reduction plan in line with the NHS’s carbon reduction roadmap.

  Wellbeing

  We have a company-wide approach called VIBE (Valuing Inclusion, Belonging and Equity), which includes the provision of resources and support to improve physical, emotional and mental health and wellbeing which complements our company values. ; ; Our VIBE team promote social inclusion and wellbeing by running events that supporting charities, such as Samaritans and MIND.; ; We understand stress can impact a person’s mental health, this can result in absences and even resignations, but more importantly, it can impact people's lives fundamentally. Making sure that work is a safe place to discuss wellbeing and mental health by creating an inclusive and supportive environment will provide employees with the tools needed to manage mental health.; ; We look to reduce the pressure and stress involved in modernising systems and technology leveraging our past experience and sharing this with all stakeholders involved. ; ; Initiatives we are looking to run within the next 18 months:; • Run Health and wellbeing webinars and sharing resources to support our teams such as ‘NHS Every mind matters’ and the ‘6 ways to wellbeing’. ; • Continue to raise mental health awareness through running company lead events such as ‘fun-runs’ or ‘Movember’ to promote mental health awareness.; • Offer mentoring support from trained mental health first aiders to support our staff.; • Ensuring we continue to develop our Wellbeing policy.

Pricing

• Price: £5.24 to £65 a user a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid-management@cloud21.net. Tell them what format you need. It will help if you say what assistive technology you use.