Skip to main content

Help us improve the Digital Marketplace - send your feedback

Charterhouse Voice & Data

Rapid 7 Insight CloudSec

InsightCloudSec secures your public cloud environments from development to production with a modern, integrated, and automated approach.

Features

  • Continuous security and compliance with real-time analysis and automated remediation.
  • Enforce security rules throughout CI/CD build process preventing misconfigurations.
  • Ensure runtime protection for cloud workloads
  • Identify vulnerabilities and misconfigurations, and surface threats with anomaly detection.
  • Identify vulnerabilities and misconfigurations, and surface threats with network analysis.
  • Reduce risk by maintaining least-privilege access for cloud workloads.
  • Reduce risk by maintaining least-privilege access for data.
  • Reduce risk by maintaining least-privilege access for applications.

Benefits

  • Unified visibility and monitoring across multi-cloud environments
  • Achieve continuous security and compliance across multi-cloud environments
  • Prevent misconfigurations across multi-cloud enviorments
  • Real-time automated remediation
  • Secure configurations through automated cloud security and vulnerability management
  • Secure workloads through automated cloud securityand vulnerability management.
  • Manage identity and effective access across ephemeral resources, at scale.

Pricing

£16.22 a unit a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector@cvdgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

4 0 1 3 5 7 6 2 7 5 1 4 1 5 7

Contact

Charterhouse Voice & Data Liz Holmes
Telephone: 02076137441
Email: publicsector@cvdgroup.com

Service scope

Service constraints
InsighCloudSec is a platform that requires software updates to maintain feature sets and to introduce enhancements. This can be managed by the customer or managed by Rapid7
System requirements
  • Domain whitelisting
  • Proxy validation (if applicable)
  • Cloud provider account permissions

User support

Email or online ticketing support
Email or online ticketing
Support response times
"RESPONSE TIME TARGET AND UPDATE CADENCE
Severity-1 “Critical” < 2 Hours 4 Business Hours
Severity-2 “High” < 4 Business Hours 3 Business Days
Severity-3 “Medium” < 12 Business Hours 5 Business Days"
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
"RESPONSE TIME TARGET AND UPDATE CADENCE
Severity-1 “Critical” < 2 Hours 4 Business Hours
Severity-2 “High” < 4 Business Hours 3 Business Days
Severity-3 “Medium” < 12 Business Hours 5 Business Days"
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Rapid7 products are easy to install and use, and our team can provide expert guidance to take your usage of the product much further. The Deployment Services for InsightCloudSec help you through deployment and ensure that you get the most value out of your investment and are included in your purchase.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
If you opt to end your engagement with Rapid7, you have the opportunity to collect and transfer any data that is possible to export.
End-of-contract process
At the end of a contract, you will have the opportunity to collect and transfer any data possible to export. If you request that Rapid7 delete all of your data, the request will be processed within 14 days. No additional fees apply.

Using the service

Web browser interface
Yes
Using the web interface
Users can perform all actions through the web interface, including administration, reporting, and more. Further details available on request.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Users can perform all actions through the web interface, including administration, reporting, and more. Further details available on request
Web interface accessibility testing
Details available on request
API
Yes
What users can and can't do using the API
Insight Cloud Sec provides a wide range of APIs that allow the user to set-up, configure & operate cloud security, as well as pass alerts & norifications to other applicaitons. Full details are at: https://docs.divvycloud.com/reference/reference-getting-started
API automation tools
  • Terraform
  • Other
Other API automation tools
  • AWS Cloud Formation
  • Further IaC (Infrastructure as Code) provisioning tools are roadmapped
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Users do not need to use a command line interface for initial setup, maintenance, or searching across data. Command line is used to support IaC analysis for DevSecOps validation.

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
Cloud components are hosted in AWS. Rapid increases in CPU, memory, storage, and networking capacity are performed on demand to meet the scaling and performance needs of enterprise customers.
Usage notifications
Yes
Usage reporting
  • API
  • Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • Network
  • Number of active instances
  • Other
Other metrics
Platform availability
Reporting types
Real-time dashboards

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Rapid7

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other
Other data at rest protection approach
All of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Where possible, Rapid7 utilizes AWS’s services to manage encryption at rest (e.g. S3, EBS, RDS, etc.). When not possible, Rapid7 utilizes block level encryption provided by LUKS.

Block level encryption is used for ElasticSearch (only used to index some asset metadata). For all other persistence technologies/layers, AWS KMS is used.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
No

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Data sent to and from the Insight platform, including data collected by collectors, agents, and engines; data ingested via APIs and plugins; and interaction with the user interface is encrypted with TLS (HTTPS). Collectors, agents, engines, and plugins are configured to verify and require a valid TLS certificate issued by a trusted certificate authority.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Data sent to and from the Insight platform, including data collected by collectors, agents, and engines; data ingested via APIs and plugins; and interaction with the user interface is encrypted with TLS (HTTPS). Collectors, agents, engines, and plugins are configured to verify and require a valid TLS certificate issued by a trusted certificate authority.

Availability and resilience

Guaranteed availability
During the term of Customer’s subscription, the Service will perform in accordance with and subject to this Service Level Agreement (“SLA”). Rapid7’s target is 100% System Availability. If the System Availability during a given month is less than 99.95%, Customer may be eligible for a credit (“Service Credit”), which is the sole and exclusive remedy for any failure to meet the SLA.
Approach to resilience
Rapid7 maintains a Business Continuity Plan for the Insight platform. The primary goal of this plan is to ensure organizational stability, as well as coordinate recovery of critical business functions in managing and supporting business recovery in the event of disruption or disaster.

Thus, the plan accomplishes the following:
• Ensures critical functions can continue during and after a disaster with minimal interruption;
• Identifies and decreases potential threats and exposures; and
• Promotes awareness of critical interdependencies.

We can share a high-level overview of our Business Continuity Plan for the Insight platform upon request.
Outage reporting
Service status is available at status.rapid7.com. Users may elect to subscribe to notifications from this site.

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication
The Rapid7 Insight cloud comes with role-based access control and support for multi-factor authentication.

Members of the team using InsightIDR can be made Administrator (full access), Investigator (Incident-only access), or Read Only. These roles will limit the functional access of the user, but will not restrict the data that is accessible in InsightIDR. Creating this three-level structure allows interested members outside of the security team to gain insight into the network and view incident alerts without disrupting the workflow of others.
Access restrictions in management interfaces and support channels
Data is compressed and encrypted then forwarded to the Insight Platform. Raw log data is encrypted in transit and at rest. Data is transmitted over SSL TLS 1.2 with modern ciphers. InsightIDR employs public key cryptography and challenge-response handshakes to ensure
data security and integrity. Encryption and security controls are also applied within AWS S3.

Data is encrypted at rest using file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Rapid7 utilizes AWS’s services to manage encryption at rest or block level encryption provided by LUKS.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through
Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
06/11/2023
What the ISO/IEC 27001 doesn’t cover
The 27001 Certification covers us to deliver services throughout the UK.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
SOC 2 Type II

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
SOC 2 Type II
Information security policies and processes
"The Information Security and Information Technology groups are responsible for monitoring compliance with data security policies and procedures. Users found in violation of information security policies may be subject to disciplinary action, up to and including 1) removal from any access to company or customer assets, data, or systems, 2) termination of employment, and/or 3) legal action. When required, Information Security will work with Legal and People Strategy to address any instance of non-compliance.

We use a SaaS product to manage and control relevant Information Security policies, which includes version control editors and full audit history. Rapid7 employment policies are documented in an internal employee handbook."

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Rapid7 applies a systematic approach to managing change so that changes to services impacting Rapid7 and our customers are reviewed, tested, approved, and well communicated. Separate change management processes are in place for corporate IT systems and Insight platform systems to ensure changes are tailored to the specifics of each environment. The goal of Rapid7’s change management process is to prevent unintended service disruptions and to maintain the integrity of services provided to customers. All changes deployed to production undergo a review, testing, and approval process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The Information Security team is continuously monitoring the Rapid7 network and our product environments in accordance with formally documented vulnerability management processes and procedures. Information Security conducts vulnerability scans on a continuous basis, at least weekly. Rapid7 begins immediate action following the identification of critical vulnerabilities and generally completes the process in well under 48 hours.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The Information Security team is continuously monitoring the Rapid7 network and our product environments in accordance with formally documented vulnerability management processes and procedures. Information Security conducts vulnerability scans on a continuous basis, at least weekly. Rapid7 begins immediate action following the identification of critical vulnerabilities and generally completes the process in well under 48 hours.
Incident management type
Supplier-defined controls
Incident management approach
"There is a formal Incident Management process in place and we can provide our Incident Response policy. Incidents are handled by the Information Security team and are escalated to Rapid7's in-house Incident Response team when necessary.

Rapid7 uses InsightIDR to monitor on-premises and cloud environments for security incidents. Information Security partners with the MDR and Incident Response services teams to supplement Rapid7’s incident response program. InsightIDR alerts are regularly reviewed by analysts and escalated via a paging system when indications of potentially malicious activity are detected."

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
Other
Other virtualisation technology used
Virtualization is not used in the separation between users. The Insight cloud is designed as a secure multi-tenant application and is hosted on Amazon Web Services.
How shared infrastructure is kept separate
InsightIDR is designed as a secure multi-tenant application. Each customer's user data is isolated in its own individual database in AWS, preventing other customers from accessing your user data. As an additional safeguard, each customer's log data is tokenized using a unique UUID that walls the data off from other customers, isolating your company's data.

For additional information on our cloud security, please refer to: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-platform-cloud-security-overview.pdf/.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
,

Social Value

Social Value

Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Rapid7s purpose is simple: secure the foundations of our technologically-dependent society.

At its heart, cybersecurity health is tied to our ability to successfully manage our massive and increasingly-complex technology ecosystem.

We believe Cybersecurity works best when individuals, companies and government work together.

Our environmental strategy gives an overview of Rapid7s efforts as a global participant in the fight against climate change.

• Our Sustainability Committee regularly explore ways to improve our approach and ensure we exceed all applicable environmental laws and regulations.

Rapid7:

• Identify and measure the material environmental impacts of our operations.

• Establish targets to reduce our environmental impact and strive for continuous improvement. As a technology company with no physical manufacturing, we still minimize our greenhouse gas (GHG) emissions. We regularly calculate our GHG emissions to review where we can make an impact.

• Reuse, recycle, and responsibly dispose of electronic waste. Rapid7 is committed to using third party vendors that allow us to recycle our outdated electronics according to international guidelines.

• Minimize waste sent to landfill through recycling in all locations and composting of food waste in select Rapid7 offices.

• Conduct waste audits in larger Rapid7 offices to measure waste reduction.

• Switched from single use dishware and cutlery to reusable products, reducing landfill waste.

• Measure major greenhouse gas emissions with the aim of continuous reduction of carbon-intensive activities, improved energy efficiencies, and the procurement of renewable energy.

• Develop goals, practices, and metrics to measure and create more sustainable workplaces at Rapid7.

• Rely on conferencing technology to eliminate non-essential business travel.

• Locate offices near transportation hubs to maximize use of public transportation.

• Locate offices in areas with easy, walkable access to amenities.

• Use sustainable materials and systems when completing new offices builds, retrofitting where appropriate.

Tackling economic inequality

• Offices designed to be inclusive to all Moose, with gender-neutral restrooms and showers and mother’s suites

• Competitive maternity and paternity leave for expectant parents

• Pay equity regardless of gender or race, confirmed by routine surveys and external specialist review

• Curated and gamified courses on diversity, inclusion, and belonging through Linkedin Learning

• Expand the cybersecurity workforce by developing new talent sources and fostering STEM programs which reach underrepresented and under-resourced communities.

When we create more opportunities for all people we further equality while expanding the workforce, solving one of cybersecurity’s biggest challenges.

• Support free and open security solutions, which provide tools to those without resources to protect their organizations, and support organizations who lack resources to effectively implement the cybersecurity measures they need.

• Strengthen cybersecurity outcomes and awareness for all through advocacy and research, particularly within under-resourced and vulnerable communities.

We are compelled to create better policy outcomes and drive community collaboration, support those without significant security resources, and provide greater education on the realities of the threat landscape.

The Rapid7 Cybersecurity Foundation invests in organizations who work in the following areas in pursuit of creating a secure and prosperous digital future for all:

• STEM education, Diversity, Equity & Inclusion in technology, and efforts by organizations to make careers in cybersecurity welcoming to all;

• Open source tools and volunteering to help make effective cybersecurity solutions available to under-resourced organizations, including non-profits and municipalities;

and

• Research and policy advocacy to strengthen cybersecurity for vulnerable communities, improve cybersecurity awareness, and make effective security outcomes available to all.

Equal opportunity

"At Rapid7, we fundamentally believe that every person deserves an equal opportunity to build an exceptional career and that diversity of mindset is integral to the growth and success of our company."

Corey Thomas, Chairman & CEO

At Rapid7, we celebrate people bringing diverse perspectives to the table as we work together to help create a secure digital future for everyone.

Diversity of backgrounds and mindsets help us close gaps in experience and spark innovation. A deep commitment to Diversity, Equity & Inclusion is core to the strength and success of our business.

It empowers our communities, makes our company healthier, and makes our customers more secure. It’s also, quite simply, the right thing to do. Not just for us, but for the advancement of our industry and our world. This is why we are building a place where everyone feels welcome to be their authentic selves.

We’re committed to bringing together people from different backgrounds and investing in programs that nurture pathways for the future talent of our tech community.

This commitment is fueled by two of our core values: Be an Advocate and Bring You. We advocate for customers, underrepresented groups, and one another, to create a more connected and collaborative experience for all; and we want every person to feel empowered to embrace their own uniqueness and feel comfortable bringing their true self to work.

Wellbeing

We refer to our people at Rapid7 as Moose, a word that remains unchanged in both its singular and plural forms.

It’s one of the many ways we work to build an internal sense of camaraderie and community.

We’re one Moose and proud of the diverse perspectives that strengthen our herd.

Here are some notable initiatives helping to make Rapid7 a more diverse, equitable, and inclusive home for every Moose.

At Rapid7, we believe that everyone has a role to play in creating an inclusive environment.

We regularly create intentional moments for our people to educate themselves on the lived experience of others and grow on their personal journey of inclusion.

Our goal is that anyone, no matter their background can come to Rapid7, be proud of who they are and do their best work ever.

Community and Culture are a big deal here, our Rapid Impact Groups (RIGs) are supported by the business, but entirely driven by employees.

The only requirement is that our groups foster connection across the business, offer opportunities for professional development, aid in the elevation of the communities they were created to support and find meaningful ways to support fellow RIGs.

• Offices designed to be inclusive to all Moose, with gender-neutral restrooms and showers and mother’s suites

• Competitive maternity and paternity leave for expectant parents

• Pay equity regardless of gender or race, confirmed by routine surveys and external specialist review

• Curated and gamified courses on diversity, inclusion, and belonging through Linkedin Learning

Pricing

Price
£16.22 a unit a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
InsightIDR is available as a full-featured 30-day free trial. Users can:

• Add in security data across their network, cloud services & infrastructure, and endpoints
• Detect common and targeted threats, or simulate attacks to validate pre-built detections
• Investigate incidents & try automation and containment integrations

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector@cvdgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.