NQM API Gateway
NQM Secure API Gateway platform provides you with the tools to turn existing data and compute assets into secure externally accessible API. A fully secure platform implementing zero trust principles.
Features
- Build APIs rapidly with full lifecycle management
- Quickly surface data assets through APIs
- Quickly surface compute capability through APIs
- Fine grained routing and tunnelling
- Edge based capability for routing to local resources
- Auditing, metering and building
- Analytics for insight and performance
- Builds on identity credential and authorisation capability (zerotrust)
- Supports REST, websockets, gRPC, streaming and more
- Highly secure
Benefits
- Monetise existing data and compute assets
- Highly secure, reduces risk of API abuse
- Real time integration with partners and stakeholders
- Rapidly develop and eternalise value added services
- Integrate services across organisation securely
- Increase productivity
Pricing
£2,000 an instance a month
- Education pricing available
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
2 8 9 7 6 1 7 5 6 2 3 4 0 7 8
Contact
NquiringMinds Ltd
Nicholas Allott
Telephone: 07714145711
Email: nick@nqminds.com
Service scope
- Service constraints
- N/A
- System requirements
- Linux based OS for platform install
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- 2 hours - Mon-Fri 8-6 5 hours all other times
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 A
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 A
- Web chat accessibility testing
- User testing
- Onsite support
- Yes, at extra cost
- Support levels
- Basic support provided in the original package Enhanced support (on site/one to one tutorials etc) provided at £100/hour
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- System is fully documented with examples, videos and walk through. Training can be provided either online of physically.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- Data can be downloaded from the system at any time. By default CSV and JSON formats are supported, New formats can be provided on request. In addition to built in export functions, the APIs provides the ability to create customised export and synchronisation functions
- End-of-contract process
- Customer is reminded at 3 month and 1 month before contract termination. If customer does not want to renew they are advised to take the necessary data exports. API is provide and support can be requested for customer specific data extraction. At 2 week before contract termination, we provide a shut down check list to customer for approval. On contract termination, we initiate the service shutdown, which includes data removal, data deletion and full wipe of dependent hardware.
Using the service
- Web browser interface
- Yes
- Using the web interface
- Service interface provides a user interface for back end administration functions as well as full programmatic API access
- Web interface accessibility standard
- WCAG 2.1 A
- Web interface accessibility testing
- The service has been tested by users of assistive technology across its customer base to ensure ease of use.
- API
- Yes
- What users can and can't do using the API
- We provide a full API that provides secure, permission access to everty aspect of the platform function. Multiple APIs exist : Open API, native language APIs (JavaScript, C, Python etc), streaming and GRPC APIs
- API automation tools
-
- Chef
- OpenStack
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- Command line interface
- Yes
- Command line interface compatibility
- Linux or Unix
- Using the command line interface
-
We provide a full API that provides secure, permission access to every
All capabilities are mediated through strong authentication and authorisation controls
Scaling
- Scaling available
- Yes
- Scaling type
- Manual
- Independence of resources
- Each user has dedicated machine
- Usage notifications
- Yes
- Usage reporting
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- CPU
- Disk
- HTTP request and response status
- Memory
- Network
- Number of active instances
- Other
- Other metrics
-
- Data access
- Analytical processes
- Security events
- User behaviours
- Additional can be added easily
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Full VM images
- Database exports
- Event logs (from which database can be rebuilt)
- Files
- Backup controls
- Fully configurable form UI or from API
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Users schedule backups through a web interface
- Backup recovery
-
- Users can recover backups themselves, for example through a web interface
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- We aim to provide 99.9% availability across our application portfolio and historically have achieved this figure. If we fail to meet this objective within any calendar month the customer can apply for a commensurate refund.
- Approach to resilience
- Underlying physical availability is provided with appropriately configured commercial cloud based provider (typically Azure or AWS). At a software level we can provide clustering, replication and round robin allocation of resource requests. Precise resilience requirements can be negotiated with the end customer. Full details in request.
- Outage reporting
- We provide all of - data dashboard - API - email alerts System availability is measured both through the end application availability and health checks on all dependent underlying processes
Identity and authentication
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google apps)
- Access restrictions in management interfaces and support channels
- Every user is authenticated by known and trusted authentication provider and is provided with an appropriate authorisation level. This authorisation level determine what service they have access to. This authorisation fine grained allowing access to micro service definitions. The authorisation levels can be grouped to common authorisation roles. Any user requesting support/management out of band (e.g. phone) will have to provide appropriate authentication credentials to access service
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Devices users manage the service through
-
- Dedicated device on a segregated network (providers own provision)
- Dedicated device on a government network (for example PSN)
- Dedicated device over multiple services or networks
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- Between 6 months and 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
-
- Cyber Essentials Plus
- Working towards 27001
- We inherit standard security certification of AWS https://aws.amazon.com/security/
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
- We are Cyber Essentials Plus certified and are seeking to secure ISO/IEC 27001. We are putting in place the necessary governance to achieve this standard.
- Information security policies and processes
- Reporting flow - internal /external report - Chief Security Officer - Chief Executive Officer We are currently Cyber Essentials Plus certified and initiating ISO 27001 certification. We have in place the following policies - Vulnerability disclosure - Data breach - Business continuity - Data retention - Incident handing - Device on boarding/life cycle - Employee on boarding/life cycle - Firewall and systems access - Secure development
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- All changes to configuration/change management are singed off by two appropriately qualified personnel. All changes and processes are required monthly by our chief security officer. Vulnerability checks are run against our underlying software components continuously using online tools Full security policy documents can be provided on request.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Our vulnerability threat analysis comes from four primary dimensions - underlying compute platform - dependent software components - employee - external software attack Systems exist for real time behavioural analysis for the underlying platform and employee behaviour, with appropriate alerting and escalation. Continuous threat analysis is performed on underlying software components. We monitor the relevant CERTS for vulnerability reports additionally Full security policy documents can be provided on request.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- The platform supports an integrated system log that aggregate relevant logs across component behaviour, network behaviour and user behaviour. Alerting system is defined that includes both explicit rule based alerts and statistical/ML backed anomaly detection. Alerts are evaluated by the internal security team escalating to our CSO as required Full security policy documents can be provided on request.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Incident can be reported internally, externally or by paying users. Incidents can be reported by email, phone or web interface. Standard forms and triaging processes exist to streamling reporting and level one handling. Incident reports can be exacted in multiple formats using built in tools Full security policy documents can be provided on request.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- No
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
-
Our standard installation comes on AWS
https://aws.amazon.com/about-aws/sustainability/
Social Value
- Social Value
-
Social Value
Equal opportunityEqual opportunity
Support in-work progression to help people, including those from disadvantaged or minority groups, to move into higher paid work by developing new skills relevant to the contract.
Pricing
- Price
- £2,000 an instance a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
-
Free access to the TDX can be provided to prospective clients for a 4 week trial.
A 4 week fully supported trial is also available for £10k
This will include access to all features of the TDX and all APIs
TDX application are negotiated separately. - Link to free trial
- Demos can be found on https://nquiringminds.com