MTI Technology Ltd

MTI Delinea Secret Server Cloud Privilege Access Management & Privilege Manager

Delinea Secret Server Cloud is an online password manager hosted in Azure, a highly secure and available platform. Secret Server has layers of built-in security with easy access management for IT admins, robust segregation of role based duties, AES 256 bit encryption, 60+ out-of-the box reports to demonstrate compliance.

Features

• Discover unknown or unmanaged privileged accounts.
• Lock down and protect sensitive accounts.
• Integrate with Active Directory and Azure AD
• Report to demonstrate compliance with policies and mandates
• Automate Privileged account rotation policy
• Monitor credentials for tampering evidence outside of Secret Server
• Authorise and control Password usage with 2-Factor Authenication

Benefits

• Understand the unknown unknowns. What you don't know CAN hurt
• Enforce least privilege and reduce your attack surface, avoid ransomware
• Simple to set-up using existing system credentials and information
• Simple, effective means to prove compliance and share audit information
• Save operational and manual processes to improve efficiencies.
• Ability to report on all password changes and provide forensics
• Utilise existing multifactor authentication to grant access, simple & secure

£995 a user

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid@mti.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

378513999106445

Contact

Darren Moyes
01483520200
bid@mti.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No
• System requirements:
  • Microsoft Server 2016 or newer
  • Windows 11 or newer
  • .NET Framework: 4.8 or newer
  • RAM: 16 GB or higher
  • Processor: 4 CPU Cores
  • Disk Space: 150MB
  • SQL Server 2016 or newer

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Any requests for technical support received by email will receive a response within 24 hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support is included within the subscription fee. This is email or phone support accessible during UK Office hours. 24x7 call packs can be purchased for an additional fee.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide an extensive E-Learning library for clients' Administrators, E-Learning for end users, a Support Portal with all documentation, Knowledge Base Articles, and Forums. We also offer in-person training as a Professional Service if needed.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Clients would instigate Unlimited Admin Mode (4-Eyes process recommended) and export all Secrets into a CSV file.
• End-of-contract process: Client would export relevant details and web instance will become inactive.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Desktop is preferred and more feature rich.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The Interface is a WEB Gui
• Accessibility standards: None or don’t know
• Description of accessibility: The Web Gui is accessed via supported web browsers (Chrome, Edge and Firefox).
• Accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: Delinea Secret Server API lets authorised users manage secrets securely. Users can:; ; Retrieve, create, and edit passwords for privileged accounts.; Search for secrets based on criteria.; Control access to secrets with folder permissions.; However, users cannot:; ; See actual passwords in plain text (they remain encrypted).; Perform actions beyond secret management (like installing software).; Access the API without proper authentication.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Your logo can be uploaded, and colour scheme can be amended to match corporate colours. Views, dashboards and position of reports can be ammended as per client preference too. Solution allows for creation of Custom SQL Reports and custom, multi-tiered workflows. Custom connection components can be created for password rotation and session launching. Custom Alerts can also be created.

Scaling

• Independence of resources: Secret Server supports high availability (active-active-plus) web server (front-end) clustering. There is no physical limit to the number of active web servers that can run simultaneously.

Analytics

• Service usage metrics: Yes
• Metrics types: Realtime metrics can be viewed at status.thycotic.com Available stats are DNS Time, Connection Time, First/Last Byte Time
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Delinea

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: AES 256 Encryption
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Data export function on a following basis - Per Item, Per Vault, Per Selection. Password data must be available for export by specific users. This may also be used to export data for a user leaving the service
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: SSL, SSH
• Data protection within supplier network: Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Availability means that your data is accessible through Secret Server Cloud to authorized personnel when needed. Secret Server Cloud leverages the Azure platform for its High Availability: All services for Secret Server Cloud within Azure are auto-scaling so that during heavy usage, computing resources are automatically increased to ensure uninterrupted service even during the most heavily used times. Customer databases are continuously backed up with a differential backup every hour and a transaction log every 5 minutes. All data on the Azure platform is geo-redundant in the event of an outage or interruption to facilitate immediate disaster failover and recovery. In addition, Secret Server Cloud is protected by a Web Application Firewall (WAF) as an extra layer of protection against malicious scripts and potential Distributed Denial of Service (DDoS) attacks. Secret Server Cloud also takes advantage of Azure’s built in redundancy which generates three copies of each customer’s database that are maintained across fault tolerant nodes to ensure continuous availability
• Approach to resilience: Availability means that your data is accessible through Secret Server Cloud to authorized personnel when needed. Secret Server Cloud leverages the Azure platform for its High Availability: All services for Secret Server Cloud within Azure are auto-scaling so that during heavy usage, computing resources are automatically increased to ensure uninterrupted service even during the most heavily used times. Customer databases are continuously backed up with a differential backup every hour and a transaction log every 5 minutes. All data on the Azure platform is geo-redundant in the event of an outage or interruption to facilitate immediate disaster failover and recovery. In addition, Secret Server Cloud is protected by a Web Application Firewall (WAF) as an extra layer of protection against malicious scripts and potential Distributed Denial of Service (DDoS) attacks. Secret Server Cloud also takes advantage of Azure’s built in redundancy which generates three copies of each customer’s database that are maintained across fault tolerant nodes to ensure continuous availability
• Outage reporting: Alert to clients along with public dashboard https://status.delinea.com/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Secret Server permissions can be configured to prevent administrators access to privileged account information. Access is granted based on Role Based Access Control (RBAC) model. Access is restricted to authenticated users passing Username and Password and MFA. Service can also be integrated with Single Sign On (SSO) providers and IdPs.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Coalfire
• ISO/IEC 27001 accreditation date: 19/09/2019
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: Azure and Intune awarded CSA STAR Attestation
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: Azure and Intune were awarded Cloud Security Alliance STAR Attestation based on an independent audit.
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Any applicable to Azure
  • SOC2

Security governance

• Named board-level person responsible for service security: No
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SAS AICPA Controls
• Information security policies and processes: SOC 2 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which the audit is performed, and is the basis of the SOC 2 report.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow an AGILE/SCRUM approach to development methodology with some small variations where needed. We use Visual Studio for development, Microsoft VSO (Git) for Source Code Control, and YouTrack for user story/Scrum management.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We are subscribed to threat newsletters and vulnerability lists for Microsoft, Amazon AWS, SANS, and US-CERT. When these feeds are updated we review them and take necessary action if there are any findings. We also subscribe to direct vulnerability feeds for software vendors we use if they provide them.​
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: N/A
• Incident management type: Supplier-defined controls
• Incident management approach: As per Azure SLA. In line with AICPA

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  MTI publishes an annual Quality & Environmental (Q&E) Policy statement, which is aligned to its ISO 9001 & ISO 14001 accreditations and the annual EcoVadis CSR review and accreditation. MTI’s Corporate & Social Responsibility policies integrate our business values and operations to meet our strategic objectives and the expectations of our customers, employees, investors, suppliers, the community and the environment. By putting our CSR into practice, we are committed to conducting ourselves responsibly and in an ethical manner, creating a positive and supportive working environment, supporting local communities, improving service levels to customers, acting fairly and collaboratively with suppliers and other third parties, to deliver solutions that support our environmental objectives. Our Environmental Management System, recognised by independent ISO 14001 Environmental Management certification, incorporates our Environmental Policies and Procedures.Demonstrating our commitment to protecting the environment and sustainability. We undergo regular independent audits to demonstrate our commitment to improvement. Our management review programme and CSR and Environmental Reporting, evaluate and demonstrate our environmental achievements, through measurement of impacts as a result of all business activities, monitoring of reduction targets, achievements against objectives & results from our activities, initiatives and environmental commitments. Our FY2022 focus includes; Zero-Carbon Society: we will strive to achieve zero emissions from our own business activities and encourage carbon neutrality within our supply chain. Through comprehensive energy conservation activities and the use of renewable energy, we aim to reducing our carbon footprint and impact on the environment through reduction of contributions to greenhouse gases (GHGs) and annual CO2 emissions, and support supplier commitments; •Partnering with Tier-1 suppliers who are committed to carbon neutrality, evidenced through annual environmental and sustainability assessment •Commitment form partners/product vendors to commit to supplying packaging with a minimum of 50% recycled content (80% Cardboard) or be entirely derived from sustainable sources.

  Covid-19 recovery

  In response to the COVID-19 pandemic, MTI has implemented thorough in-house technology solutions allowing over 90% of our staff to be based at home, including the majority of our service delivery staff. This approach provides greater job opportunities across the region without the potential for geographically disadvantage, and ensures we have skilled staff locally across the UK to deliver our core services. Where MTI are delivering longer-term services to Buyers, MTI is committed to sourcing and utilising local suppliers to provide relevant elements of the service and would support running local supplier days to publicise the delivery and give opportunities for local company involvement. MTI recognises that the COVID-19 pandemic presents challenges for graduate employment and is offering employment opportunities for graduates in order to support local students to progress from higher education into jobs utilising their skills and knowledge.

  Tackling economic inequality

  MTI has invested significantly in developing in house skills and capabilities in order to provide high-class services across a wide range of technologies and disciplines, with emphasis on providing a wide range of professional and managed services. Our Internal Development Programmes and individual development plans ensure that all employees are offered opportunities for learning and development and provides skills training for new employees and existing employees to prepare them for promotions, transfers or new responsibilities. Our development programmes help our employees stretch their capabilities and those of the organisation, upskilling employees through investments in a wide range of skills and product training and development for staff and managers to broaden opportunities. Building a diverse and inclusive workplace has become an imperative part for the all-round growth and development of MTI. Therefore, our HR team takes tangible steps to create a workplace that is committed to diversity and inclusion, including providing career opportunities to support disadvantaged people into the workplace. MTI are registered to the Disability Confident scheme and have agreed to the Disability Confident commitments to provide interventions to increase employment opportunities and retention for people with a long- term health condition or disability to support these people into employment.

  Equal opportunity

  We recognise our obligations under the Equality Act 2010, Article 119 of the Treaty of Rome, The Race Relations Act, The Employment Equality (Sexual Orientation) Regulations 2003 and The Employment Equality (Religion or Beliefs) Regulations 2003, and The Codes of Practice published by the Equal Opportunities Commission, the Commission for Racial Equality and the European Commission; We are committed to the principle of equal opportunities in employment. We are opposed to any form of less favourable treatment or financial reward through direct or indirect discrimination, harassment, victimisation to our staff members or job applicants on the grounds of race, religious beliefs, political opinions, creed, colour, ethnic origin, nationality, marital/parental status, sex, sexual orientation, offending past, disability, age, caring responsibilities or social class. We extend protection under this Policy to our suppliers, customers, contractors, and others who are on our premises and in return expect all suppliers, customers, contractors and others to behave in the same way towards our members of staff. This policy is intended to assist the organisation to put this commitment into practice. Compliance with this policy should also ensure that employees do not commit unlawful acts of discrimination. Communicating this policy will be supported by appropriate training, and the effectiveness of this Policy will be monitored on an on-going basis. No form of intimidation, bullying or harassment will be tolerated. Implementation of this policy will be carried out where necessary by invoking the Disciplinary Procedure. Every employee is required to assist the organisation to meet its commitment to provide equal opportunities in employment and avoid unlawful discrimination.

  Wellbeing

  The organisation has developed an employee wellbeing policy to manage its obligations to maintain the mental health and wellbeing of all staff. It covers the organisation's commitment to employee health, the responsibilities of managers and others for maintaining psychological health, health promotion initiatives, communicating and training on health issues, the range of support available for the maintenance of mental health, and organisational commitment to handling individual issues.

Pricing

• Price: £995 a user
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Password Vault and Limited Discovery/Automation
• Link to free trial: https://thycotic.com/products/secret-server/

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid@mti.com. Tell them what format you need. It will help if you say what assistive technology you use.