CipherToken, Smart Card/Token Management & Secure Gateways
CipherToken is a CPNI compliant smartcard standard using MIFARE DESFire EV2/EV3. OCMS is a fully integrated enterprise platform for producing, and managing the life cycle of smartcard/GovPass credentials, including on-premise encoding using diversified encryption keys. Upload, validate and transform user photos for card production. All costs are excluding VAT.
Features
- Smartcard token encoding and production (MIFARE DESFire EV1/2/3)
- Real-time reporting and whole-life management of smartcards and user activity
- Enterprise Infrastructure Integrations including SAML 2.0
- User Self-Service Module
- Access Manager Module for Physical Access Control System integration
- Visitor Management Module for visitor booking and management
- Key diversification and rollover for smartcard tokens
- Photo Capture, AI Validation & Transformation Tool
- Secure Gateways by Forcepoint (Deep Secure)
Benefits
- Reduce risk with a high security access control token
- Centrally manage and provision all access control tokens
- Save money capturing photos and confirming user data
- Increase efficiency by automating access provision
- Use occupancy monitoring to understand population levels in buildings
- Schema validation & cross domain security
Pricing
£0.14 to £0.98 a user a month
- Education pricing available
Service documents
Request an accessible format
Framework
G-Cloud 13
Service ID
3 5 8 6 4 8 4 3 8 9 1 2 0 8 4
Contact
Cipher10 Ltd
Business Development
Telephone: 02080502648
Email: enquiries@cipher10.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
-
- Public cloud
- Private cloud
- Hybrid cloud
- Service constraints
- The CipherTokens produced using CTMS are MIFARE DESFire EV2 Tokens. Hardware which supports individual token key diversification must be used. For the enhanced security option (dual AES-128 read), this requires bespoke firmware.
- System requirements
-
- Windows 10 (or later) for Card Production Workstation Client
- Windows Server 2019 (or later)
- Microsoft SQL Server 2016 (or later)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- 24 hour response SLA, Monday - Friday.
- User can manage status and priority of support tickets
- No
- Phone support
- No
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Support packages are bespoke for the complexity of the solution. For example, a simple 'off-the-shelf' configuration will not incur additional charges, however a custom configured capability with access control system integrations would require a custom support contract.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
The deployment of OCMS is a managed process with each deployment varying dependent on the organisation's business requirement. Training is delivered either on premise or remotely with user guidance and documentation created in line with the outcome.
An initial kick off meeting is held where the requirements gathering period is set at which point the initial configuration will be created in a Test/Acceptance environment. Following acceptance testing, this will be deployed in the Production environment.
This software is highly technical and complex require subject matter experts to configure and support. - Service documentation
- No
- End-of-contract data extraction
- Upon request at the end of the contract, an export of the customer data within the SQL database will be conducted and made available.
- End-of-contract process
- Under the SaaS model, all services cease upon the end of the contract. No residual capability is accepted. All customers will be provided with a journal of the encryption keys used for their smartcard encoding.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Chrome
- Application to install
- Yes
- Compatible operating systems
- Windows
- Designed for use on mobile devices
- No
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
-
The CTMS API capability is designed to integrate building Automated Access Control Systems for either centralised management or authentication dependent on the use case.
The APIs can be called by any user with a valid API key. The service itself cannot be set up via the APIs and users cannot make material changes to the configuration of the service using the API. - API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- API sandbox or test environment
- No
- Customisation available
- Yes
- Description of customisation
- CTMS requires customisation for users to fully meet their business need. Branding, workflows, token architecture and authorisation roles are just a few examples of what can be customised. Some features are customisable by users, others require in depth support and consultation.
Scaling
- Independence of resources
-
Under the SaaS model, each customer has their environment deployed within a separate AWS environment with resources scaled as per the requirement.
Under the customer-hosted model, this is the customer's responsibility.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Service metrics are configured as per the customer requirement. A combination of dashboards, APIs or reports delivered via email can be facilitated.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Reseller providing extra features and support
- Organisation whose services are being resold
- ID-ware
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- Never
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users with the required permissions can export data in CSV format using the Export Configuration function.
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- SLAs are agreed on a per customer basis and is dependent on configuration.
- Approach to resilience
-
Under the MSaaS model, environments are hosted in the AWS London Region and customer can select a high availability option providing additional resilience. As a minimum, web servers have failover and load-balancing to over instances in 2 availability zones.
Under the self-hosted model, this is the customer's responsibility. - Outage reporting
- Email and SMS alerts to nominated customer contacts.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
-
Access to management interfaces is restricted to users who have been appropriately trained and from specific endpoints via either a VPN or a Virtual Desktop Infrastructure (Amazon WorkSpaces) using an restricted allow list of IP address.
Access to the AWS account is restricted to specific user with two factor authentication being mandatory. The root account is secured in line with AWS best practice. - Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- NSCS Cloud Security Principles are followed when deploying environments. ID-ware and AWS are both ISO/IEC 27001 certified and these principles are also followed by Cipher10.
- Information security policies and processes
- Cipher10 follows NCSC Cloud Security Principles for the design of systems. For the handling of sensitive cryptographic assets including DESFire key material this HMG Information Assurance Standard No. 4 is followed. Cipher10's internal policy on handling information broadly aligns with HMG Information Assurance Standards. All staff and sub-contractors are trained accordingly and this is reviewed quarterly. Any issues are reported to the Company Director.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
All configuration, patches and infrastructure changes are first deployed in a reference environment with software supply chain assurance conduct.
This also applies to the underlying AWS serverless components where new versions or features are released. - Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- The software vendor conduct software supply chain assurance for the software platform itself and release regular patches and security fixes. For the underlying infrastructure under the SaaS model, the NCSC Cloud Security Principles are followed.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Monitoring is in place on all environments using AWS CloudWatch with notifications configured in the event of incidents. In the event of potential compromise, customers will be notified and appropriate remediation will be made as soon practically possible.
- Incident management type
- Supplier-defined controls
- Incident management approach
-
The environments used are designed for high availability and failover within the London AWS Region. In the event of a region outage, users will be notified where possible with the estimated fix.
In the event of a service outage, notifications will be sent nominated users via email where possible with details of the incident and estimated time to fix.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
Fighting climate change
Where possible, Cipher10 will explore and support the deployment of environmentally friendly smartcards will be used to reduce the use of plastics within the industry. We partner with a number of vendors who use innovative technologies to recycle, reuse or replace plastic cards with more environmentally friendly alternatives. - Tackling economic inequality
-
Tackling economic inequality
Cipher10 is committed to ensuring that customers can choose from a wide array of vendors for their requirements. By using cloud first and industry standard integrations customers have the ability to choose the best product for their requirement. We work with a number of other SMEs from across the UK and will always seek to ensure a diverse supply chain is maintained to support both growth for the industry but also to protect the public purse.
Pricing
- Price
- £0.14 to £0.98 a user a month
- Discount for educational organisations
- Yes
- Free trial available
- No