Azure Virtual Desktop Remote Access and Working Solution

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: This service will require Microsoft licenses for the software used that is owned by Microsoft.
System requirements: Windows Server or Desktops to run user software

Windows RDS CALs

Or Windows 10 Multi user - licensed via M365

User support

Email or online ticketing support: Email or online ticketing
Support response times: Normal initial response time to a ticket is under 1 hour during service hours.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), 7 days a week
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Oyr web chat is delivered using a Microsoft Teams based solution, therefore anything that can be delivered with Teams can be delivered here.
Web chat accessibility testing: We rely on Microsoft for the testing of their product. To that end, as described at https://support.microsoft.com/en-gb/office/accessibility-overview-of-microsoft-teams-2d4009e7-1300-4766-87e8-7a217496c3d5 we can offer the following:
Compatible with assistive technologies, like
Screen readers
Dictation software
Eye control (on Windows 10)
Voice control (on iOS and Android)
Screen magnifiers
Switch access (on iOS and Android)
Onsite support: Yes, at extra cost
Support levels: Our service level offerings are:
Bronze: 9am-5:30pm, non-bank holiday weekdays
Silver: 8am-8pm, Monday - Friday
Gold: 8am-8pm, 7 days a week
Platinum: 24x7
Support available to third parties: No

Onboarding and offboarding

Getting started: Our onboarding information process consists of the following steps:
1) Application identification and provision for remote access
2) Testing via UAT
3) Release to production portal

We provide on-site and remote training, end user videos and getting started guide and a customised Wiki for the users
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: When the contract ends, we terminate the service. We can export meta data, such as the usage logs, however we do not keep customer data on the service. The configuration information is not part of the data that can be provided to the customer.
End-of-contract process: At the end of the contract the service is either terminated, or extended. As no data resides within the service, there is nothing to hand back to an organisation.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Azure Virtal Desktop is delivered via a browser or a native application, so works on any mobile device. While it is possible to use on a phone we recommend a tablet, laptop or desktop.
Service interface: Yes
User support accessibility: None or don’t know
Description of service interface: The service interface is not designed to be used by end users, however on select occasions it can be made available.
Accessibility standards: None or don’t know
Description of accessibility: The service interface is plain html and as such can be interacted with via screen readers and other assistive technologies.

The application can also be delivered via native applications
Accessibility testing: No testing done by DO Business Services Limited.
API: Yes
What users can and can't do using the API: All aspects of the system can be controlled with the API
API documentation: Yes
API documentation formats: HTML

PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The user interface can be customised and the applications delivered to each user can be customised.

Scaling

Independence of resources: We size appropriately and can scale as needed

Analytics

Service usage metrics: Yes
Metrics types: We can provide regular reports that show:
- Number of users (concurrent and used)
- Number of sessions
- Application usage (qty of sessions, duration)
- Feature usage
Reporting types: Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Physical access control, complying with another standard

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: The only data that can be exported is audit data and this is provided through a service request.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Bonded fibre optic connections
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: We offer three levels of reliable architecture than enable different levels of SLA.
We start at 99% and can provide solutions that move to 99.9% of the solution we control and provide.
In the event of failing the SLA in a month we will offer a service credit of 1 month
Approach to resilience: This information is available on request
Outage reporting: We report outages, by default, via e-mail and if the customer has an API we can call, we will also report via that api.

There is a dashboard that we can provide access to, however this has some admin capabilities, so it is limited to a select few at the customer rather than all users.

We can make an API call available for the customer to access status information of the service too.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password
Access restrictions in management interfaces and support channels: Access to admin and support functions is limited by security group, login username and password, that must exist in the customer AD group as well as MFA to ensure stolen credentials by themselves cannot compromise the system.

Access to AVD does not in itself provide the ability to access the customer servers or software with any admin or management capability
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials
Information security policies and processes: When we control the datacentre, we apply the following principles:
- All data is encrypted, whether in transit or at rest
In all circumstances:
- All data from AVD to the client is encrypted
- All data from AVD to client servers is encrypted
- All access, including Admin access is audited and by default has MFA enabled
- Suspicious activity is reported to the client and investigated in-house
- No customer data is held in/on the AVD system, so always remains with the customer.
- We read and follow NSCS, Microsoft and others security recommendations and patch systems as soon as possible.

Our staff must follow our security procedures at all time. If they fail to do so, they will face disciplinary action. Any concerns about security must be raised to a director to ensure follow-up and visibility

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All changes have to be approved by Change Management. This requires approval by the customer as well as our technical and security teams.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Our systems have a very small footprint exposed to the outside world to minimise security risks. All systems are kept fully patched and admin access is monitored for unusual or unexpected behaviours.

Any potential threats identified are checked with our suppliers to understand if they are a risk to the service. If they are, we immediately take remedial action. We may take remedial action in any event before we get confirmation.

We get threat information from NHS Digital, NCSC, Microsoft Security Response Centre, our suppliers and our in house team.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We run constant monitoring systems looking for suspicious activity. All suspicious activity is checked and if necessary actions will be taken to remove the issue. We may be reliant on customer solutions in terms of account management.
We respond 24x7 to security issues often within minutes of becoming aware of an issue.
Incident management type: Supplier-defined controls
Incident management approach: We have a number of pre-defined incident responses that range from user information through to full processes executed by ourselves. Where we integrate with customer systems our response may be to log a call with the customer IT teams for them to implement a change.

Where possible, we will follow standard CRB processes, however if security or service provision require an immediate response, this will be taken in conjunction with the customer in agreed scenarios.

All major incidents go through a root cause analysis and a document is produced.

Users can log incidents via e-mail or Web chat

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

Working remotely has a positive impact on reducing travel requirements and therefore our CO2 footprint. Azure Vitual Desktop enables users to travel less every day and be more productive, getting more done as a result.
Covid-19 recovery: Covid-19 recovery

Due to Covid-19 more people want to have a flexible work-style, while some need to be able to work from more remote locations. The remote access provide a secure way to enable these users to work from where they are safe and comfortable. Rather than having to travel or be furloughed, staff can continue to be productive.
Wellbeing: Wellbeing

Due to Covid-19 more people want to have a flexible work-style, while some need to be able to work from more remote locations. The remote access provide a secure way to enable these users to work from where they are safe and comfortable. Rather than having to travel or feeling insecure in a work environment, staff can continue to be productive without these stresses.

Pricing

Price: £40 to £100 a user a month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: We can provide access to a trial solution for 2 weeks. We will install and configure the solution in this time and provide limited licenses to enable access during this time.

Azure Virtual Desktop Remote Access and Working Solution

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Azure Virtual Desktop Remote Access and Working Solution

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents