Barrier Networks

Barrier Networks Menlo Cloud Secure Browser Platform and Remote Browser Isolation (RBI)

The Menlo Cloud Secure Browser Platform eliminates the possibility of malware reaching user devices via compromised or malicious websites or documents, or via phishing and credential harvesting attacks with a 100% effectiveness warranty.

Features

  • Browser Isolation prevents browser-based attacks
  • Document Isolation prevents attacks from weaponized documents
  • Email Isolation - prevent attacks from weaponized links / attachments
  • Global Cloud Proxy - URL Database, SSL Decryption
  • Advanced Traffic Visibility - DLP, CASB, Analytics
  • Phishing Awareness Training - customisable content served to users
  • Advanced Reporting and Analytics of both Web and Email traffic
  • Automatically scaled Cloud environments based on traffic volumes
  • Advanced Reporting and Analytics of all associated logs
  • Secure Application Access

Benefits

  • Reduce Web-Based Malware Containment Cost
  • Prevent Zero-hour phishing attacks and credential harvesting
  • Reduce Security Operations Engineer Workforce Cost
  • Reduce Patching Cost
  • Replace legacy VPN with secure application access
  • Mitigate Brand / PR Damage Risk
  • Provide URL filtering and appropriate use controls
  • Prevent Data Leakage and Insider Threat
  • Reduce cost by replacement of legacy Virtual Desktop Infrastructure (VDI)
  • Reduce risks of Generative AI usage

Pricing

£49.60 a user a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

2 9 7 5 6 5 2 2 8 2 6 9 7 6 9

Contact

Barrier Networks Iain Slater
Telephone: 0141 356 0101
Email: info@barriernetworks.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The Menlo Secure Cloud Enterprise Browser Platform can be integrated with existing security systems and architecture for traffic routing, authentication and traffic visibility. Typical integrations include Proxy (Symantec (BlueCoat), McAfee, Zscaler, Forcepoint), Firewalls (Palo Alto Networks, Check Point, Fortinet, Cisco), SAMLv2 IDaaS Providers and SIEM (Sentinel, Splunk, Qradar, LogRhythm, AlienVault)
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
No cloud-based constraints, as the cloud environment is managed, maintained and patched by Menlo (SLA 99.9% availability).
Constraints for on-premise environments: hardware, software, updates, configuration and patching would need to be maintained by the customer.
System requirements
HTML 5 enabled Web Browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Menlo Security Customer Success provides three levels of Support with differing SLAs for responses based on the priority/urgency level. The Support levels are Basic, Premium and Platinum.

Basic Support Response Times:
P1 (Urgent) – 1 Hr
P2 (High) – 4 Hr
P3 (Normal) – 4 Hr
P4 (Low) – 4 Hr

Premium Support:
P1 (Urgent) – 30 Min
P2 (High) – 1 Hr
P3 (Normal) – 3 Hr
P4 (Low) – 4 Hr

Platinum Support:
P1 (Urgent) – 15 Min
P2 (High) – 30 Min
P3 (Normal) – 2 Hr
P4 (Low) – 4 Hr
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Zendesk uses the Voluntary Product Accessibility Template (VPAT), to publish an Accessibility Conformance Report (ACR), which documents an audit of our systems relative to WCAG 2.1 AA performed by a third party accessibility vendor.

More information can be found online: https://www.zendesk.co.uk/company/agreements-and-terms/accessibility/
Onsite support
Yes, at extra cost
Support levels
Menlo Security Customer Success provides three levels of Support - Basic, Premium and Platinum. All three levels provide the following functions:

- Technical support access
- Support case analytics
- Online learning and training
- Technical onboarding, including configuration guidance

Basic Support operates Mon-Fri for 12 hours per day. Premium Support operating hours increase to a 24x7 model. Platinum Support also operates 24x7 and additionally includes a Designated Technical Account Engagement (TAM).

Additionally, there is the Menlo Security Resident Support Engineer Service Program, whereby an Engineer is provided on-site for all support and expertise.

The Platinum Support offering provides access to a designated Technical Account Manager (TAM) drawn from Menlo Security's senior support staff for additional support continuity. The TAM can provide onsite support where necessary; however, support is typically done remotely. Ongoing Professional Services is typically carried out as part of the Menlo Security Resident Support Engineer Service Program. A Menlo Security resident support engineer offers on-site support expertise and help. This is provided as an additional cost option.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
System Admins can take advantage of the Technical onboarding, including configuration guidance, that is included in all Customer Support packages. Typically, the Platform is set up, configured and tested on a small subset of users before being rolled out to the larger user base. Deployment to the wider user community is usually automated using the likes of Active Directory Group Policy to deploy any required components or settings to the users. Any required integrations are completed and tested prior to user deployment phase.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Only System Admins have access to the Web Access and Audit logs. These are maintained in the Menlo Cloud Secure Enterprise Browser (MCSEB) for the duration of the subscribed retention period: either 30 days or 3, 6 or 12 months. Any data that is older than the subscribed retention period is automatically purged. Tenants and the associated log data can also be decommissioned and purged at the end of the contract on request. The Logging API can also be used to download all log data and to purge all or specific log data.
End-of-contract process
If customers choose not to renew their contracts with Menlo Security they can request that their Tenant be disabled. This would then be removed from our Global Cloud along with all related data and logs.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
The Menlo Cloud Secure Enterprise Browser is managed and configured centrally using the online Admin User Interface. This is accessible via a supported web browser and provides System Admins a centralised interface to configure policies across all users subscribed to Menlo Security Platforms. The Admin UI includes a SAML integration for authentication as well as the ability to enable Multi-Factor Authentication. Role-Based Access Controls allow for assigning granular access rights to other System Admins for both policy and reporting related tasks.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Carried out during the Software Development Lifecycle
API
Yes
What users can and can't do using the API
There are 3 APIs that can be used by System Administrators:
1. Logging API – to download the Access and Audit logs in various formats for SIEM integration.
2. File Extraction API – to send extracted files to a third party for analysis e.g. Sandbox or a Content Disarm and Reconstruction (CDR) service
3. Policy API – for Policy Automation and Orchestration
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
MCSEB is fully customisable not only from a Policy and Reporting perspective, but also in relation to banners, block pages and other messages presented to the user. All policies can be configured per Active Directory Users and Groups, and a granular Exceptions Editor is provided to change the Policy Enforcement action for all request types. Role-Based Access Controls (RBAC) allow granular access rights to be assigned to individual Admins, and a full audit trail is provided for details of any changes. Admins can be assigned either Read-Write or Read-Only access to portions of the Admin UI.

Scaling

Independence of resources
Menlo’s Global Elastic Cloud was built from the ground up for unlimited elastic scalability. Menlo monitors crucial components of the architecture, automatically adding or subtracting resources as load dictates across redundant data centers. All clusters scale elastically, ensuring immediate and transparent failover between regional data centers with independent power and redundant connectivity.

Analytics

Service usage metrics
Yes
Metrics types
MCSEB provides multiple Reporting tools - from high-level Dashboards to our detailed and fully customisable forensics and analytics tool called Insights. A detailed Log search facility is provided for all Logs – Web Access, Email Logs, DLP Logs and Audit Logs. Customers can create and schedule reports from any of the associated data – reports typically incorporate Productivity, Security and Bandwidth. Data Leakage Protection (DLP), Cloud Access Security Broker (CASB) and Secure Application Access reports are also included with these additional optional modules.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Menlo

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
All Data at Rest is stored encrypted using AES 256-bit encryption. The MCSEB SaaS offering is hosted in fully secure Amazon data centres. Amazon provide numerous security policies and controls around security practices in general, as well as the physical security of their associated data centres:
Security Processes: https://aws.amazon.com/whitepapers/overview-of-security-processes
Data Center Security: https://aws.amazon.com/compliance/data-center/controls/

Amongst numerous other controls, there is:

Physical Access Controls
- Tightly Controlled and Restricted Physical Access
- Based on Least Privilege

Surveillance and Monitoring Controls
- Physical access points to server rooms are recorded by CCTV
- Professional Security Staff man the Data Center Entry Points
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Only Web Access Logs and Audit Logs are actually stored in the Menlo Security Global Cloud and only the System Admins who have the necessary rights have visibility of these.
Data export formats
Other
Other data export formats
  • LEEF
  • Key Value Pair (KVP)
  • CEF
  • JSON
Data import formats
Other
Other data import formats
  • User cannot upload any data to the MSIP.
  • There is no other requirement for users to upload data.

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Menlo Security regularly implements and reviews the embedded controls to ensure the MSIP is secure, any compromise is contained, and most importantly, does not enable the attacker to have a path to the users’ endpoint. Specifically for communication between MCSEB and the Endpoint:
- Uses TLS 1.2 AES 256 bit encryption
- A purpose-built firewall enforces unidirectional content between the MCSEB and the endpoint.
- From the MCSEB to the endpoint, only presentation (DOM) updates can be communicated
- From the endpoint to the MCSEB, only user inputs (mouse or keyboard) can be communicated
- All other communications are dropped
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
The Menlo Security Operations team manages and controls the Cloud SaaS service from a specific, highly controlled and protected network. Menlo Security employs internal security audits and third-party audits every 6 months. These audits include network and service penetration testing and Amazon AWS audits. We have restricted AWS Operational Access by using least privilege principles and role-based access applied for all accounts. In addition, multi-factor authentication is required for all services including webmail (Google Apps), source control and cloud operations access. All data stored at rest and in transit is encrypted using AES 256 bit encryption.

Availability and resilience

Guaranteed availability
Service Availability is guaranteed by SLA for 99.9% of the time
Approach to resilience
Resilience is achieved through complete redundancy in every deployment region across multiple data centers and transparent in-region failover to the nearest deployment region. A stateless design delivers seamless session continuity for users traveling between service regions. Geo- and latency-based routing logic ensures that users are guaranteed to always access the best region based on their location. A dynamic session management model allows new updates to be rolled out to customers without any service interruption or downtime. The service is closely monitored for any issues and has automatic recovery implemented wherever possible. The service is automatically scaled to provide further performance based on traffic thresholds.
Outage reporting
Menlo Security follows the framework defined in the Incident Management Policy that specifies that customers are notified for all categories of incidents. Customer Admins are notified for an availability incident affecting a given deployment region or for any service incident resulting in a disruption to end users in that region via the Menlo Status page and other channels listed below. Notification is as soon as possible during the availability incident or following the incident when the service disruption is short lived.
Menlo Security uses Zendesk software to power our Helpdesk operations. Authorised Customers can be notified via this tool (tickets, notification emails, announcements, etc.)

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication
Various authentication options are provided and supported by MCSEB:

1. Directory Based Authentication using SAMLv2 e.g. Local such as Active Directory Federation Services (ADFS) or a Cloud provider such as AzureAD, Okta, Ping, OneLogin, Centrify, SiteMinder CA, etc.
2. Anonymous Mode – users would be identified by a known Public IP Address that they connect to the Service from. This would need to be defined in the Admin UI.
3. Local Database Accounts – accounts created either by the user self-registering with their corporate email address or created by Menlo Security. Users would manage their own passwords.
Access restrictions in management interfaces and support channels
When a web request reaches Menlo Security, a secure connection is established and a check is made for an authentication token contained in a cookie in the user’s browser. If present, this indicates the user has previously authenticated against the system and the correct policy can be applied. If not present, the system will first try to identify the user based on the IP address they are connecting from. If known, the user will be authenticated using one of the mechanisms described above. If not known, the user will be presented with a login prompt via the browser.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication
Menlo follows the principle of least privilege: by default, least-privilege access is given, and any request for additional access must be approved from there.

Most commonly the SAML identity provider is used to authenticate Admin Users. Here a Group is also most commonly used in the IdP to limit access to the correct set of Admins. All the security functionality provided by the IdP is thus extended to the Admin logins.

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
A-lign
ISO/IEC 27001 accreditation date
8/3/2018
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • ISO27001
  • ISO27017
  • ISO27018
  • AWS SOC2
  • FedRAMP
  • TX-RAMP
  • TISAX

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
As the MSGC is fully hosted in AWS, we also inherit all the SOC 2 certification from AWS that refer to data center and physical security.

AWS Security Controls:
https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

AWS DC Security:
https://aws.amazon.com/compliance/data-center/controls/

Menlo Security Compliance:
https://www.menlosecurity.com/compliance
Information security policies and processes
Menlo Security has an Information Security Management System (ISMS) in place as part of our ISO 27001 certification. Our series of Information Security Management System policies includes (i) Employee Handbook, (ii) Acceptable Use Policy, (iii) Access Control Policy, (iv) Change Management Policy, (v) Data Classification Policy, (vi) Disaster Recovery Policy, (vii) Incident Management Policy, (viii) Logging and Backup Policy, (ix) Mobile Devices and Teleworking, (x) Password Policy, (xi) Vendor Management Policy, (xii) Onboarding Procedure, (xiii) Offboarding Procedure, (xiv) Change Management, (xv) Document and Record Control, and (xvi) Asset Inventory.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Menlo Security leverages a formal change management process and internal ticketing system to track all requirements, changes, associated designs and testing requirements. This covers all production and non-production changes, including service software updates as well as both functional and security patches.
The Menlo Security Global Cloud is updated regularly with scheduled updates that include all latest security patches. Critical security patches are applied on-demand as/when Menlo Security is notified of newly identified vulnerabilities. All service updates and patches are applied with zero downtime or impact to customers.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
According to the Change Management Policy, any identified critical security patches are applied on-demand as/when Menlo Security is notified of newly identified vulnerabilities. Alternatively during the internal or third-party audit there are daily updates with partial readouts. A final report is produced and a readout is done. Based on the report, Jira tickets are created, labelled and prioritized. Critical and High-Priority issues are addressed during the engagement. Remaining issues are addressed as resources allow. Issues that are addressed or previously addressed during the engagement are re-tested. All service updates and patches are applied with zero downtime or impact to customers.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All email is processed through the Menlo service which includes protections, DLP and encryption. Email configuration is centrally managed by IT. This is part of the Acceptable Use and Data Classification policies as part of the ISMS.
Endpoint management solutions are in place to ensure that endpoints are properly configured and secured. All laptops and devices must have encryption enabled.
Employees use the Menlo Security Isolation Platform for malware protection on endpoints. In addition, there is policy, as part of the ISMS, for Acceptable Use, Data Classification and Cryptography and Mobile Devices and Teleworking.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
1. Establish an incident management policy and form an Incident Response Team
2. Detection and reporting: Identify and report events and alerts that may or may not be an incident.
3. Assessment and decision: Assess the situation to determine whether it is in fact an incident and proceed accordingly
4. Response: Contain, eliminate, recover from and analyze the incident, where appropriate.
5. Lessons learned and Improvements: Improvements are made to the organization’s management of information and operational risks as a result of incidents experienced.
6. Incident notification/disclosure: Notification/disclosure is made in the most expedient time possible and without unreasonable delay.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Equal opportunity
  • Wellbeing

Equal opportunity

• To create an environment in which individual differences and the contributions of all our staff are recognised and valued.
• Every employee is entitled to a working environment that promotes dignity and respect to all. No form of intimidation, bullying or harassment will be tolerated.
• Training, development and progression opportunities are available to all staff.
• To promote equality in the workplace which we believe is good management practice and makes sound business sense.
• We will review all our employment practices and procedures to ensure fairness.
• Breaches of our Equality Policy will be regarded as misconduct and could lead to disciplinary proceedings.
• This policy is fully supported by Senior Management.
• The policy will be monitored and reviewed regularly.

Wellbeing

• We promote an open, supportive company culture where employees look out for one another and feel comfortable discussing any difficulties. Mental health is valued equally to physical health.
• Employees have access to confidential counselling, therapy, and other mental health resources through our employee assistance program.
• We encourage taking time off when needed for mental health days in addition to sick days. Employees are trusted to manage their time off responsibly.
• Training is provided to managers on recognizing signs of burnout, work overload, and other mental health concerns. Managers work to proactively address issues and reduce employee stress.
• Employee workloads and schedules are designed to be reasonable and sustainable.
• Wellness initiatives like meditation breaks, stress management workshops, mindfulness programs, and social events are offered throughout the year.

Pricing

Price
£49.60 a user a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Menlo Security can provide access to a fully functioning production tenant that is created and dedicated specifically to the prospect. This is commonly used during an Evaluation or Proof of Value (PoV), where use cases and business benefits can be demonstrated and fulfilled through the use of the Platform.
Link to free trial
Try.menlosecurity.com
