Charterhouse Voice & Data

Rapid 7 Insight CloudSec

InsightCloudSec secures your public cloud environments from development to production with a modern, integrated, and automated approach.

Features

• Continuous security and compliance with real-time analysis and automated remediation.
• Enforce security rules throughout CI/CD build process preventing misconfigurations.
• Ensure runtime protection for cloud workloads
• Identify vulnerabilities and misconfigurations, and surface threats with anomaly detection.
• Identify vulnerabilities and misconfigurations, and surface threats with network analysis.
• Reduce risk by maintaining least-privilege access for cloud workloads.
• Reduce risk by maintaining least-privilege access for data.
• Reduce risk by maintaining least-privilege access for applications.

Benefits

• Unified visibility and monitoring across multi-cloud environments
• Achieve continuous security and compliance across multi-cloud environments
• Prevent misconfigurations across multi-cloud enviorments
• Real-time automated remediation
• Secure configurations through automated cloud security and vulnerability management
• Secure workloads through automated cloud securityand vulnerability management.
• Manage identity and effective access across ephemeral resources, at scale.

£16.22 a unit a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector@cvdgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

401357627514157

Contact

Liz Holmes
02076137441
publicsector@cvdgroup.com

Service scope

• Service constraints: InsighCloudSec is a platform that requires software updates to maintain feature sets and to introduce enhancements. This can be managed by the customer or managed by Rapid7
• System requirements:
  • Domain whitelisting
  • Proxy validation (if applicable)
  • Cloud provider account permissions

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: "RESPONSE TIME TARGET AND UPDATE CADENCE; Severity-1 “Critical” < 2 Hours 4 Business Hours; Severity-2 “High” < 4 Business Hours 3 Business Days; Severity-3 “Medium” < 12 Business Hours 5 Business Days"
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: "RESPONSE TIME TARGET AND UPDATE CADENCE; Severity-1 “Critical” < 2 Hours 4 Business Hours; Severity-2 “High” < 4 Business Hours 3 Business Days; Severity-3 “Medium” < 12 Business Hours 5 Business Days"
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Rapid7 products are easy to install and use, and our team can provide expert guidance to take your usage of the product much further. The Deployment Services for InsightCloudSec help you through deployment and ensure that you get the most value out of your investment and are included in your purchase.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: If you opt to end your engagement with Rapid7, you have the opportunity to collect and transfer any data that is possible to export.
• End-of-contract process: At the end of a contract, you will have the opportunity to collect and transfer any data possible to export. If you request that Rapid7 delete all of your data, the request will be processed within 14 days. No additional fees apply.

Using the service

• Web browser interface: Yes
• Using the web interface: Users can perform all actions through the web interface, including administration, reporting, and more. Further details available on request.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Users can perform all actions through the web interface, including administration, reporting, and more. Further details available on request
• Web interface accessibility testing: Details available on request
• API: Yes
• What users can and can't do using the API: Insight Cloud Sec provides a wide range of APIs that allow the user to set-up, configure & operate cloud security, as well as pass alerts & norifications to other applicaitons. Full details are at: https://docs.divvycloud.com/reference/reference-getting-started
• API automation tools:
  • Terraform
  • Other
• Other API automation tools:
  • AWS Cloud Formation
  • Further IaC (Infrastructure as Code) provisioning tools are roadmapped
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: Users do not need to use a command line interface for initial setup, maintenance, or searching across data. Command line is used to support IaC analysis for DevSecOps validation.

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Cloud components are hosted in AWS. Rapid increases in CPU, memory, storage, and networking capacity are performed on demand to meet the scaling and performance needs of enterprise customers.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • Network
  • Number of active instances
  • Other
• Other metrics: Platform availability
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Rapid7

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: All of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Where possible, Rapid7 utilizes AWS’s services to manage encryption at rest (e.g. S3, EBS, RDS, etc.). When not possible, Rapid7 utilizes block level encryption provided by LUKS.; ; Block level encryption is used for ElasticSearch (only used to index some asset metadata). For all other persistence technologies/layers, AWS KMS is used.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: No

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Data sent to and from the Insight platform, including data collected by collectors, agents, and engines; data ingested via APIs and plugins; and interaction with the user interface is encrypted with TLS (HTTPS). Collectors, agents, engines, and plugins are configured to verify and require a valid TLS certificate issued by a trusted certificate authority.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Data sent to and from the Insight platform, including data collected by collectors, agents, and engines; data ingested via APIs and plugins; and interaction with the user interface is encrypted with TLS (HTTPS). Collectors, agents, engines, and plugins are configured to verify and require a valid TLS certificate issued by a trusted certificate authority.

Availability and resilience

• Guaranteed availability: During the term of Customer’s subscription, the Service will perform in accordance with and subject to this Service Level Agreement (“SLA”). Rapid7’s target is 100% System Availability. If the System Availability during a given month is less than 99.95%, Customer may be eligible for a credit (“Service Credit”), which is the sole and exclusive remedy for any failure to meet the SLA.
• Approach to resilience: Rapid7 maintains a Business Continuity Plan for the Insight platform. The primary goal of this plan is to ensure organizational stability, as well as coordinate recovery of critical business functions in managing and supporting business recovery in the event of disruption or disaster. ; ; Thus, the plan accomplishes the following:; • Ensures critical functions can continue during and after a disaster with minimal interruption;; • Identifies and decreases potential threats and exposures; and; • Promotes awareness of critical interdependencies.; ; We can share a high-level overview of our Business Continuity Plan for the Insight platform upon request.
• Outage reporting: Service status is available at status.rapid7.com. Users may elect to subscribe to notifications from this site.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: The Rapid7 Insight cloud comes with role-based access control and support for multi-factor authentication.; ; Members of the team using InsightIDR can be made Administrator (full access), Investigator (Incident-only access), or Read Only. These roles will limit the functional access of the user, but will not restrict the data that is accessible in InsightIDR. Creating this three-level structure allows interested members outside of the security team to gain insight into the network and view incident alerts without disrupting the workflow of others.
• Access restrictions in management interfaces and support channels: Data is compressed and encrypted then forwarded to the Insight Platform. Raw log data is encrypted in transit and at rest. Data is transmitted over SSL TLS 1.2 with modern ciphers. InsightIDR employs public key cryptography and challenge-response handshakes to ensure ; data security and integrity. Encryption and security controls are also applied within AWS S3.; ; Data is encrypted at rest using file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Rapid7 utilizes AWS’s services to manage encryption at rest or block level encryption provided by LUKS.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 06/11/2023
• What the ISO/IEC 27001 doesn’t cover: The 27001 Certification covers us to deliver services throughout the UK.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: SOC 2 Type II

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SOC 2 Type II
• Information security policies and processes: "The Information Security and Information Technology groups are responsible for monitoring compliance with data security policies and procedures. Users found in violation of information security policies may be subject to disciplinary action, up to and including 1) removal from any access to company or customer assets, data, or systems, 2) termination of employment, and/or 3) legal action. When required, Information Security will work with Legal and People Strategy to address any instance of non-compliance.; ; We use a SaaS product to manage and control relevant Information Security policies, which includes version control editors and full audit history. Rapid7 employment policies are documented in an internal employee handbook."

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Rapid7 applies a systematic approach to managing change so that changes to services impacting Rapid7 and our customers are reviewed, tested, approved, and well communicated. Separate change management processes are in place for corporate IT systems and Insight platform systems to ensure changes are tailored to the specifics of each environment. The goal of Rapid7’s change management process is to prevent unintended service disruptions and to maintain the integrity of services provided to customers. All changes deployed to production undergo a review, testing, and approval process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The Information Security team is continuously monitoring the Rapid7 network and our product environments in accordance with formally documented vulnerability management processes and procedures. Information Security conducts vulnerability scans on a continuous basis, at least weekly. Rapid7 begins immediate action following the identification of critical vulnerabilities and generally completes the process in well under 48 hours.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The Information Security team is continuously monitoring the Rapid7 network and our product environments in accordance with formally documented vulnerability management processes and procedures. Information Security conducts vulnerability scans on a continuous basis, at least weekly. Rapid7 begins immediate action following the identification of critical vulnerabilities and generally completes the process in well under 48 hours.
• Incident management type: Supplier-defined controls
• Incident management approach: "There is a formal Incident Management process in place and we can provide our Incident Response policy. Incidents are handled by the Information Security team and are escalated to Rapid7's in-house Incident Response team when necessary.; ; Rapid7 uses InsightIDR to monitor on-premises and cloud environments for security incidents. Information Security partners with the MDR and Incident Response services teams to supplement Rapid7’s incident response program. InsightIDR alerts are regularly reviewed by analysts and escalated via a paging system when indications of potentially malicious activity are detected."

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: Virtualization is not used in the separation between users. The Insight cloud is designed as a secure multi-tenant application and is hosted on Amazon Web Services.
• How shared infrastructure is kept separate: InsightIDR is designed as a secure multi-tenant application. Each customer's user data is isolated in its own individual database in AWS, preventing other customers from accessing your user data. As an additional safeguard, each customer's log data is tokenized using a unique UUID that walls the data off from other customers, isolating your company's data.; ; For additional information on our cloud security, please refer to: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-platform-cloud-security-overview.pdf/.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: ,

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Rapid7s purpose is simple: secure the foundations of our technologically-dependent society. ; ; At its heart, cybersecurity health is tied to our ability to successfully manage our massive and increasingly-complex technology ecosystem. ; ; We believe Cybersecurity works best when individuals, companies and government work together. ; ; Our environmental strategy gives an overview of Rapid7s efforts as a global participant in the fight against climate change. ; ; • Our Sustainability Committee regularly explore ways to improve our approach and ensure we exceed all applicable environmental laws and regulations. ; ; Rapid7:; ; • Identify and measure the material environmental impacts of our operations. ; ; • Establish targets to reduce our environmental impact and strive for continuous improvement. As a technology company with no physical manufacturing, we still minimize our greenhouse gas (GHG) emissions. We regularly calculate our GHG emissions to review where we can make an impact. ; ; • Reuse, recycle, and responsibly dispose of electronic waste. Rapid7 is committed to using third party vendors that allow us to recycle our outdated electronics according to international guidelines.; ; • Minimize waste sent to landfill through recycling in all locations and composting of food waste in select Rapid7 offices.; ; • Conduct waste audits in larger Rapid7 offices to measure waste reduction.; ; • Switched from single use dishware and cutlery to reusable products, reducing landfill waste.; ; • Measure major greenhouse gas emissions with the aim of continuous reduction of carbon-intensive activities, improved energy efficiencies, and the procurement of renewable energy.; ; • Develop goals, practices, and metrics to measure and create more sustainable workplaces at Rapid7.; ; • Rely on conferencing technology to eliminate non-essential business travel.; ; • Locate offices near transportation hubs to maximize use of public transportation.; ; • Locate offices in areas with easy, walkable access to amenities.; ; • Use sustainable materials and systems when completing new offices builds, retrofitting where appropriate.

  Tackling economic inequality

  • Offices designed to be inclusive to all Moose, with gender-neutral restrooms and showers and mother’s suites; ; • Competitive maternity and paternity leave for expectant parents; ; • Pay equity regardless of gender or race, confirmed by routine surveys and external specialist review; ; • Curated and gamified courses on diversity, inclusion, and belonging through Linkedin Learning; ; • Expand the cybersecurity workforce by developing new talent sources and fostering STEM programs which reach underrepresented and under-resourced communities. ; ; When we create more opportunities for all people we further equality while expanding the workforce, solving one of cybersecurity’s biggest challenges.; ; • Support free and open security solutions, which provide tools to those without resources to protect their organizations, and support organizations who lack resources to effectively implement the cybersecurity measures they need.; ; • Strengthen cybersecurity outcomes and awareness for all through advocacy and research, particularly within under-resourced and vulnerable communities. ; ; We are compelled to create better policy outcomes and drive community collaboration, support those without significant security resources, and provide greater education on the realities of the threat landscape. ; ; The Rapid7 Cybersecurity Foundation invests in organizations who work in the following areas in pursuit of creating a secure and prosperous digital future for all:; ; • STEM education, Diversity, Equity & Inclusion in technology, and efforts by organizations to make careers in cybersecurity welcoming to all;; ; • Open source tools and volunteering to help make effective cybersecurity solutions available to under-resourced organizations, including non-profits and municipalities;; ; and; ; • Research and policy advocacy to strengthen cybersecurity for vulnerable communities, improve cybersecurity awareness, and make effective security outcomes available to all.

  Equal opportunity

  "At Rapid7, we fundamentally believe that every person deserves an equal opportunity to build an exceptional career and that diversity of mindset is integral to the growth and success of our company." ; ; Corey Thomas, Chairman & CEO ; ; At Rapid7, we celebrate people bringing diverse perspectives to the table as we work together to help create a secure digital future for everyone.; ; Diversity of backgrounds and mindsets help us close gaps in experience and spark innovation. A deep commitment to Diversity, Equity & Inclusion is core to the strength and success of our business. ; ; It empowers our communities, makes our company healthier, and makes our customers more secure. It’s also, quite simply, the right thing to do. Not just for us, but for the advancement of our industry and our world. This is why we are building a place where everyone feels welcome to be their authentic selves. ; ; We’re committed to bringing together people from different backgrounds and investing in programs that nurture pathways for the future talent of our tech community. ; ; This commitment is fueled by two of our core values: Be an Advocate and Bring You. We advocate for customers, underrepresented groups, and one another, to create a more connected and collaborative experience for all; and we want every person to feel empowered to embrace their own uniqueness and feel comfortable bringing their true self to work.

  Wellbeing

  We refer to our people at Rapid7 as Moose, a word that remains unchanged in both its singular and plural forms. ; ; It’s one of the many ways we work to build an internal sense of camaraderie and community. ; ; We’re one Moose and proud of the diverse perspectives that strengthen our herd.; ; Here are some notable initiatives helping to make Rapid7 a more diverse, equitable, and inclusive home for every Moose. ; ; At Rapid7, we believe that everyone has a role to play in creating an inclusive environment. ; ; We regularly create intentional moments for our people to educate themselves on the lived experience of others and grow on their personal journey of inclusion. ; ; Our goal is that anyone, no matter their background can come to Rapid7, be proud of who they are and do their best work ever.; ; Community and Culture are a big deal here, our Rapid Impact Groups (RIGs) are supported by the business, but entirely driven by employees. ; ; The only requirement is that our groups foster connection across the business, offer opportunities for professional development, aid in the elevation of the communities they were created to support and find meaningful ways to support fellow RIGs. ; ; • Offices designed to be inclusive to all Moose, with gender-neutral restrooms and showers and mother’s suites; ; • Competitive maternity and paternity leave for expectant parents; ; • Pay equity regardless of gender or race, confirmed by routine surveys and external specialist review; ; • Curated and gamified courses on diversity, inclusion, and belonging through Linkedin Learning

Pricing

• Price: £16.22 a unit a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: InsightIDR is available as a full-featured 30-day free trial. Users can:; ; • Add in security data across their network, cloud services & infrastructure, and endpoints; • Detect common and targeted threats, or simulate attacks to validate pre-built detections; • Investigate incidents & try automation and containment integrations

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector@cvdgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.