Communication-STEM Ltd

Silverfort Unified Protection Platform

Allows organisations to protect their Active Directory Environment and Users, by the use of user behaviour analysis, MFA, Service Account Protection and ITDR.

Features

• User Behaviour Analysis: Monitor user behaviour to detect cyber attacks
• Automate the discovery of service accounts
• Control service account options to stop lateral movement
• Extend MFA to onsite critical assets
• Use MFA for activities such as RDP, Powershell, PSExec, Fileshares
• Restrict access of users to critical assets, to deliver PAM
• Detect and report malicious user activity and export to SIEM
• Identity Attack Response: Restrict user and machine activity when threatened
• Privileged Access Management: Restrict and Monitor Privileged User Access
• Log Management: Enhance Active Directory Logs

Benefits

• Apply Zero Trust to Users and Machines
• Stop users and machines moving laterally in your network
• Protect AD and AD users from cyber attacks
• Stop ransomware being distributed through your environment
• Detect changes in user activity and restrict their access
• Restrict 3rd parties and contractors access on your network
• Automate Service Account discovery and classification
• Automate the management of Active Directory
• Extend cloud based conditional access to onsite users
• Provide additional Active Directory authentication detail to SIEM platforms

£636 a user a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrea.le.velle@c-stem.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

214387406638758

Contact

Andrea le Velle
0345 241 0000
andrea.le.velle@c-stem.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: We extend. Microsoft Entra MFA, DUO MFA, PING MFA, OKTA MFA, FIDO Tokens, Microsoft Entra Conditional Access, Microsoft for Defender and Identity,
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements:
  • System is flexible and can integrate into most environments
  • Full requirements will be discovered pre-project communicated in project pre-requisites

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Standard support response time in one hour Monday to Friday 09:00 to 17:00 excluding English and Welsh bank holidays. Support can be extended to 24x7 if required.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support response time in one hour Monday to Friday 09:00 to 17:00 excluding English and Welsh bank holidays. Support can be extended to 24x7 if required.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: On-line deployment and training
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Their data is not held outside their own environment
• End-of-contract process: Software stops functioning

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The Silverfort Dashboard is designed to assist you in formulating effective identity protection strategies, the Dashboard provides a comprehensive overview of our Unified Identity Protection Platform.
• Accessibility standards: None or don’t know
• Description of accessibility: The service is a web interface however it has not been designed with users of assistive technologies in mind.
• Accessibility testing: No testing has been performed.
• API: Yes
• What users can and can't do using the API: Ingest data feeds into behavioural analytics engine. Export date into 3rd party product.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Authenticator can be changed to show customer logo and text

Scaling

• Independence of resources: N/A

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Silverfort

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Other
• Other data at rest protection approach: Data at Rest: AES (256 bit)
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Their data is not held outside their own environment
• Data export formats: Other
• Other data export formats: Their data is not held outside their own environment
• Data import formats: Other
• Other data import formats: Their data is not held outside their own environment

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: N/A
• Data protection within supplier network: Other
• Other protection within supplier network: The only movement of data and the only personal data which is transmitted between client and services is done via TLS / HTTPS.

Availability and resilience

• Guaranteed availability: 10% of underlying hosting costs will be refunded where availability is < 99.99%. 25% of underlying hosting costs will be refunded where availability is < 99% and a full refund will be given on underlying hosting costs where the availability is less than 95%. Availability when hosted in a customer's environment is their responsibility.
• Approach to resilience: Information available on request.
• Outage reporting: Via email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: The Silverfort Admin Console WebUI supports granular RBAC with the ability to create different 'Roles/Personas' within it to cater for the needs of Help/Support Desk, Auditors, Read-Only, Operators, Administrators, etc., using several different settings that can be individually set to be Not Accessible/View/Edit.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: IQNET
• ISO/IEC 27001 accreditation date: 06/12/2022
• What the ISO/IEC 27001 doesn’t cover: Customer hosted deployments
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC2 Type2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SOC 2
• Information security policies and processes: Software development processes are independently audited to comply with the requirements of ISO 27001.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All change requests must be documented and significant changes communicated to impacted users.; ; Any changes to the security architecture or customer data handling of a system must be approved in advance by the CISO. All other changes require the approval of the VP R&D, or their delegates.; ; An appropriate Change Approval Board oversees the change, at both the infrastructure and application level. This CAB includes representatives, who are subject matter experts and capable of reviewing and approving changes that occur. ; ; All changes are documented clearly in a JIRA ticket.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Silverfort identify all their proprietary code, third-party applications, sensitive data, open-source components and other digital assets, and then identify their weaknesses. Assessment tools and scanners can be used to assist with this process. ; ; All the vulnerabilities discovered are evaluated and prioritized. Next, Silverfort will patch or otherwise address the weaknesses according to their priority. Remediation is often managed through a combination of automatic updates from vendors, patch management solutions and manual techniques. For vulnerabilities that are identified, the results of the evaluation, and progress toward remediation, along with any costs involved will be documented.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The codebase is audited to identify potential weaknesses which are resolved through regular updated. The tool itself identifies and alerts on compromises. Silverfort will respond immediately to any security incident.
• Incident management type: Supplier-defined controls
• Incident management approach: Silverfort have a predefined process for responding to common events. Users report incidents to the CISO or user contact dependent on the type of event. Incidents are reported via the office of the CISO.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Our employees are our most valuable resource and are a key factor in the delivery of services to our clients. We recognise that it is the caliber of the people that make up our teams that differentiates us from our competitors. As such, we work hard to recruit, develop and retain the best talent in the industry. As part of their personal development, each of our employees is given a clear route for progression, including technical and professional training. Further to this, it is crucial that all employees maintain a high level of safety and technical expertise, therefore regular training and advice is made available. We provide our employees with training to ensure they are aware of the company's legal obligations, policies and internal procedures relating to the provision of Equality and Diversity. This understanding of their obligations allows them to interact with their colleagues fairly and equally in all areas of their employment. Annual appraisals are conducted with all employees, allowing quality one-to-one time with their manager to discuss their performance, establish new objectives and determine the employee's individual training and development needs that are required to assist in achieving their goals.

Pricing

• Price: £636 a user a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Full features of the product available for 14 days.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrea.le.velle@c-stem.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.