Nine23

Symmetric Key Agreement Service

QuantumCloud™ is a Platform-as-a-Service(PaaS) for Symmetric Key Agreement. Secure by design, it hardens cyber security across the network and its data communications by generating symmetric encryption keys between end points. Able to manage individual and group key sessions with policy enforcement. Supports existing encryption algorithms to layer into existing network.

Features

• Authentication services for data-in-transit and data-at-rest using symmetric keys
• Point-to-Point Symmetric Key Agreement for all endpoints and connected devices
• Replaces PKI security risks between end points with symmetric keys
• Individual and Group Key Agreement for management of endpoint communications
• GUI-based Administration Console, APIs and Software Development Kits for integration
• Provides synergistic services to utilise existing encryption standards e.g. AES256
• Integrates with third party firewalls, routers, switches and application-comms infrastructures
• Integrates with data-at-encryption solutions IOT, 5G and other next-generation systems
• Provides authentication services for physical and virtual infrastructure
• Option to be installed as private instance within client network

Benefits

• Reduces eavesdropping decryption threat risk for critical data in transit
• Hardens cybersecurity and reduces decryption threat risk for critical data-at-rest
• Layers into existing architecture minimising and rip and replace
• Enables granular user defined dynamic security group encryption policy
• Secures data-in-transit across untrusted infrastructure using symmetric keys
• Secures data-at-rest use where symmetric keys need remote vaulting
• Enhances strengthened authentication services enabling for physical and virtual endpoints
• Removes manual symmetric key refresh and management processes
• Removes intensive administration and cost burden of PKI certificate management
• Provides secure by design framework for IOT and 5G infrastructure

£40 a device a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@nine23.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

193274518152552

Contact

Stuart McKean
+44 (0) 23 8202 0300
gcloud@nine23.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Can be used as an add on to: networking and security services such as firewalls, routers, switches, SASE services, AAA and Identity Management systems, software management systems, private and public cloud storage services, mobile applications, ITAR and EAR file exchange services, IOT control systems.
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Some use cases will require professional integration services to external systems that have not yet been integrated into pre-packaged solution offerings. External systems that require strengthened encryption will need to support the use of symmetric keys as part of the encryption libraries and services that are incorporated into the software layers of the communications and data storage stack. The support of RFC8784 and RFC8446 are preferred for data in transit use cases.
• System requirements:
  • Java, C++, Python, JavaScript development environments for SDKs
  • Customer endpoint hardware is required but excluded from the service
  • ETSI 014 agent requires virtual machine infrastructure seated on hardware
  • Software applications that are seated on Linux, windows, iOS, Android
  • Private instance deployments require server hardware, HSMs and networking equipment
  • Private instance deployments require virtualisation and container management licenses

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within one hour
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: SM
• Web chat accessibility testing: SM
• Onsite support: Yes, at extra cost
• Support levels: As an ISO 20000 certified service management organisation we provide a standardised SLA for clients to ensure the service is understood by you, and is sufficiently supported by our engineers. You will be able to interact directly with engineers who know your account and can deal with issues directly without having to first negotiate an unskilled Helpdesk. Our UK based helpdesk staff are all SC & NPPV3 cleared.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Clients can follow documentation on how to initiate and start receiving our services. This can be augmented with training onsite, or delivered remotely. We deliver a standardised service, honed during deliveries to existing public sector clients, meaning a low risk and swift deployment without unexpected consultancy costs.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Client will provide secure physical media to Nine23, which will then be populated with the specified client data and returned to the client.
• End-of-contract process: The client will have extracted the data they need to keep for archive or transition purposes. Any managed devices are taken off management which will wipe enterprise and managed data from the devices. The client is then free to undertake any disposal requirements that may be stipulated under IS5. Hosted areas are then made inaccessible to the internet and deleted. This is all provided without cost to the client. Any additional services will be charged based on the day rates on our SFIA rate card.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • Windows
  • Other
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The service interface is either the GUI Security Console or enabled with the use of the APIs for automation. Both the console and APIs require security authentication for access their capability.
• Accessibility standards: None or don’t know
• Description of accessibility: The symmetric key services offered are driven via access to the system APIs, but there is a GUI-based security administration console which is used for building policy rules which determine what endpoints are able to gain symmetric key agreement with each other. The majority of business-as-usual features are operated by the use of the APIs but GUI is also used for system health monitoring, usage and audit reporting.
• Accessibility testing: Security proofing testing has been undertaken with the use of Tamarin modelling tools.
• API: Yes
• What users can and can't do using the API: The API is used to register and de-register endpoints on the system, to provision devices and continuously authenticate endpoints registered to the system. The API is also used to construct symmetric key agreement and rotate authentication and session keys.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users can integrate the services with applications and endpoint systems as required. The rules associated with security groups and what endpoints can construct symmetric key agreements are fully definable by the tenant system administrator.

Scaling

• Independence of resources: The service is built on cloud infrastructure that can be scaled depending on user consumption. The managed service offering is monitored and scaled-out as and when needed.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Arqit

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The system does not require any significant or regular need to export file data. Most audit data is available using the console screen but there are mechanisms to record details into a file.
• Data export formats: Other
• Other data export formats: Not applicable
• Data import formats: Other
• Other data import formats: Not applicable

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Where appropriate any network interconnection is achieved with the use of encrypted tunnels e.g. TLS and IPsec.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: The service itself can be used to strengthen the protection within any network. Symmetric keys can be used to establish IPsec and TLS tunnels which are considered quantum safe.

Availability and resilience

• Guaranteed availability: We provide SLAs to each client outlining the expected availability of each service. Unplanned outages that lead to decreased availability from the levels set out in the SLAs lead to credits on those services during the next period.
• Approach to resilience: Architectural resiliency is designed into the hosted environment and is backed by the Tier 3+ UK Data Centre. Details can be given to clients upon request.
• Outage reporting: Email alerts to nominated client representatives, with quantitative and qualitative detail.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: The service uses Keycloak for the identity and access management solution.
• Access restrictions in management interfaces and support channels: We restrict the management interface access to known personnel who are registered on the system via the Keycloak authentication service. Devices can only be enrolled into the system if attempted by users that have a valid authentication token. User access is controlled with the use of RBAC.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: UKAS
• ISO/IEC 27001 accreditation date: 01/07/2022
• What the ISO/IEC 27001 doesn’t cover: 14.1.1 Information security requirements analysis and specification ; 14.1.2 Securing applications services on public networks ; 14.1.3 Protecting application services transactions ; 14.2.1 Secure development policy ; 14.2.6 Secure development environment ; 14.2.7 Outsourced development ; 14.3.1 Protection of Test Data; 16.1.7 Collection of evidence
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Government Ministries' accreditations at OFFICIAL-SENSITIVE (available on request)
  • CPA (up to OFFICIAL SENSITIVE) for key service components
  • Cyber Essentials Plus for company-wide IT security
  • CPA Build Standard assessment of development mechanisms
  • NPPV3 Vetting
  • 14 Cloud Security Principles

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Independently tested and accredited by existing government clients. References available on request.; ; Cyber Essentials plus
• Information security policies and processes: We apply NCSC and industry best practice to ensure 14 Cloud Security Principles are applied during design, deployment, operation, and decommission. We provide IS1&2 compliant RMADS and maintain our own Security Management Plan which is integral to our ISO9001, 27001, 20000 accreditation, which is independently audited every year.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Services are configured and documented for reference. Changes are initiated with internal or external requests that start a Change Acceptance Process, during which the business imperative, security risks, user impact, and costs are considered. A lightweight process is adopted for agility of service, but If necessary, a full security impact assessment is undertaken and when the requisite authorisations are received, the change is effected and documentation updated.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to a number of vulnerability and threat monitoring agencies including the NCSC threat newsletter. A baseline patching process is maintained monthly for all services, and emergency responses to critical threats are evaluated and actioned appropriately.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Our protective monitoring tools examine SIEM data from our platform and client areas, including GPG13 compliant reporting. Incidents are responded to based on the severity of the event and can be immediate notification to clients to allow fixes to be effected straight away.
• Incident management type: Supplier-defined controls
• Incident management approach: Our SyOPs and Security Management Plan outline procedures for incident management and reporting. Our SMP is certified ISO27k controls and verified by a CCP qualified IA lead.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • Health and Social Care Network (HSCN)
  • Other
• Other public sector networks: PND

Social Value

• Fighting climate change:

  Fighting climate change

  One of our key objectives for 2022 is to complete certification of ISO 14001:2015 – Environmental Management. This internationally agreed standard sets out the requirement for businesses to review all areas of their organisation and improve their environmental performance through more efficient use of resources and waste reduction. Nine23 are anticipating certification by the end of May 2022. We welcome queries as to the status of this; ; For an SME it is harder to make a larger strides in reducing the causes of Climate Change; therefore we have joined forces with a number of other global hi-tech companies to set collective goals . The first is with the Trust X Alliance; which brings a number of SME’s together to look at the United Nations Sustainable Development Goals. There are a total of 17 Goals aimed at transforming our world, with Good Health and Wellbeing, Gender Equality, Decent Work and Economic Growth and Climate Action being our main focus.; ; In addition, Nine23 are part of a pilot group of technology companies working with Net Zero to create a consensus across the Tech industry as to what Net Zero means for businesses in the sector and to provide an industry standard against which business claiming to be Net Zero can be assessed. The goal is to create a pragmatic, effective and publicly available guide for Tech firms to achieve Net Zero. This “protocol” will be practical and easy to use, whilst remaining comprehensive in its scope and ambitious in its scientific robustness - offering businesses a realistic method of achieving credible sustainability goals, in line with the global climate goals required by the Paris Agreement.
• Covid-19 recovery:

  Covid-19 recovery

  Nine23 are working hard to help build a stronger economy by supporting Local businesses and creating jobs, apprenticeships and training opportunities within the local community where employees reside. We work closely with a number of local businesses to supply key areas of support. Accounting, telephony, and the University of Southampton Park - in addition, all hands-on trades are locally based. Where possible we also prefer to use SMEs for hardware or software procurement. We are also members of the living wage foundation and aim to raise living standards of our staff, in addition to paying our taxes.; ; Nine23 are a firm supporter of the apprenticeship scheme and graduate work placements and have provided numerous opportunities for developing roles through the service desk and marketing departments, into more senior positions. We are proud our business has a part to play in the wider health of the UK economy
• Tackling economic inequality:

  Tackling economic inequality

  Nine23 Ltd are passionate about tackling economic inequality. We are members of the Living Wage foundation and have moved from being office based, to hybrid working. This has enabled us to recruit further afield, broadening our reach of potential employees and giving us more diverse candidates. We now have staff based in various locations around the UK.; ; We strongly believe in the 5 foundational principles of quality work as outlined in the Governments Good Work Plan and closely align our culture, processes, and values in support of these. A continual focus on job satisfaction, safety wellbeing & security, fair pay, participation & progression, and voice & autonomy help to attract and retain staff from all backgrounds, minimise staff turnover, increase capability and maximise efficiency. Targeted plans are implemented to ensure continuous improvement in these key areas.; ; Continued focus alongside ongoing skill development, enables our workforce to reach their potential. Removing their (real or perceived) barriers to success, providing support for educational attainment, including providing training schemes to access professional qualifications ensures that their unique and valuable perspectives and skills are nurtured. Active engagement with the recruitment and development of existing staff and apprentices and offer posts specifically to those seeking to re-train into Digital and Cyber Security related roles. Our most recent apprentice joined Nine23 with a clear path for personal growth whilst learning on the job skills in the highly technical sector of IT support. We will be recruiting more individuals into our Cyber Security apprentice scheme.; ; We provide support for the existing workforce by providing careers advice, mentoring, coaching, training and development, mock interviews, and CV advice. We give them support for in-house progression and development into high growth areas or known skills shortages.
• Equal opportunity:

  Equal opportunity

  Even as a SME we aim to ensure opportunities are available to all. We are actively working to monitor, influence and improve our workforce diversity and social mobilisation efforts.; Nine23 are working hard to help build a stronger economy by supporting Local businesses and creating jobs, apprenticeships and training opportunities within the local community where employees reside. We work closely with a number of local businesses to supply key areas of support. Accounting, telephony, and the University of Southampton Park - in addition, all hands-on trades are locally based. Where possible we also prefer to use SMEs for hardware or software procurement. We are also members of the living wage foundation and aim to raise living standards of our staff, in addition to paying our taxes.; ; Nine23 are a firm supporter of the apprenticeship scheme and graduate work placements and have provided numerous opportunities for developing roles through the service desk and marketing departments, into more senior positions. We are proud our business has a part to play in the wider health of the UK economy.
• Wellbeing:

  Wellbeing

  Employee wellbeing has always been a priority - especially during the 2020 – 2022 Pandemic. Whilst all staff have been working from home we have increased our daily check-in calls and staff one2ones to ensure any issues are picked up and support provided as soon as possible.; We have provided free counselling sessions for any member of staff that needs it and supported those that have taken time off work due to sickness.; Nine23 have adapted working hours to fit with the real life situations people have to deal with – from child to caring or the elderly.

Pricing

• Price: £40 a device a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Use of a non-commercial demonstration can be requested.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@nine23.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.