nShield as a Service (nSaaS)
nSaaS is a subscription-based solution for generating, accessing and protecting cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2 nShield Connect HSMs. This cloud-hosted model gives organisations the option to either supplement or replace HSMs in their data centers while retaining the same benefits as owning the appliances.
Features
- FIPS 140-2(Level 3) validated & EAL4+ certified HSM
- Supports all the major algorithms and cryptographic APIs
- HSMs located in secure UK Data Centers
- Fully Managed or Self Managed Service available
- All operational staff BS7858 cleared
- ISO/IEC 27001: 2013 compliant policies & procedures
- Cloud Security Alliance Security Trust Assurance and Risk - L1
Benefits
- Customers own their Security World resources and keys
- On-demand control to migrate/expand secure code execution
- FIPS 140-2 Level 3 and eIDAS certified security of keys
- Continue using the same applications within cloud-based nShield HSMs
- Can be used with multiple cloud service providers
- Supports hybrid cloud deployments and offers easy key migration
- Full control of cryptographic keys and full separation of duties
Pricing
£1,590 an instance a month
- Education pricing available
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
4 7 6 5 6 5 8 6 0 5 1 6 8 6 3
Contact
Entrust Datacard (Europe) Limited
Robert Hann
Telephone: 07818 552411
Email: robert.hann@entrust.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
-
PKI as a Service;
Key Management Solutions;
Privileged Access and Secrets Management;
Containers/Micro Services;
ADCs, Firewalls, TLS/SSL Inspection;
Encryption, Database Security, Tokenisation;
Payment Security;
Identity, User Authentication;
IOT, Certificate Management;
BlockChain;
Digital Signing, Code Signing. - Cloud deployment model
- Private cloud
- Service constraints
- None
- System requirements
- No specified requirements
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Our support service is a 24x7x365
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- No
- Support levels
- 24/7 access to our expert technical support via web portal, phone and email • Initial response within 4 hours • Critical incident management process, to handle mission critical technical issues • Hot fixes for software and firmware issues • Access to the help center and knowledgebase • Software, firmware and documentation updates • Priority escalation handling Our support package provides our highest level of 24x7 technical support. It is designed for organizations who cannot allow their business to be impacted by extended outages within their critical live environment. Support includes access to our highly skilled team of technical support engineers, 24 hours a day, 365 days a year.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Entrust agrees the preferred interface to the HSM, sets up the VPN between the Customer Site and Entrust data Centres, assists with connection between the HSM and customer's application, assists/trains the customer to install and configure the HSM client and tests the system. Training is largely unnecessary except for installing and configuring the HSM client process.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- Entrust will provide the administrative tokens that allow the customer to restore their Security World to an alternate nShield HSM. Entrust consulting services can be engaged for any other required migration, or to support rotation or extraction planning and execution.
- End-of-contract process
- If the customer exits the contract and requires their key material, on a T&M basis Entrust can assist the customer in backing up their key material
Using the service
- Web browser interface
- No
- Application to install
- Yes
- Compatible operating systems
-
- Linux or Unix
- MacOS
- Windows
- Designed for use on mobile devices
- No
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
-
PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI/CNG, Web Services (requires Web Services Option Pack), nCore.
The APIs/protocols are defined in the Service Description.
Users select the most appropriate interface method to the HSMs for their applications at service setup.
Once setup there is no means (or need) to change the interface without service interruption. - API documentation
- Yes
- API documentation formats
-
- HTML
- API sandbox or test environment
- No
- Customisation available
- No
Scaling
- Independence of resources
- Customer are provided with their own dedicated HSM(s) as part of this service
Analytics
- Service usage metrics
- No
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Other
- Other data at rest protection approach
- We don't hold customer data within the service.
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- In-house destruction process
Data importing and exporting
- Data export approach
- This service does not hold any user data
- Data export formats
- Other
- Other data export formats
- No customer data is held in this service
- Data import formats
- Other
- Other data import formats
- No customer data is held in this service
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- Service availabilities are published in the Service Description, for nSaaS availability is 99.9%.
- Approach to resilience
- HSMs are set up in an HA cluster across our UK datacenters.
- Outage reporting
- Individual HSMs and service components can report errors and outages through various means (including API, Email, Web Interface, SNMP). In the event of an error to fetch an update, the local system will report this failure via the above methods. Service Status of the datacentre is also available.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Dedicated link (for example VPN)
- Access restrictions in management interfaces and support channels
- The customer doesn't have access to management interfaces but they do have access to the support team to facilitate actions.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- LRQA
- ISO/IEC 27001 accreditation date
- 06/10/2023
- What the ISO/IEC 27001 doesn’t cover
- Nothing
- ISO 28000:2007 certification
- No
- CSA STAR certification
- Yes
- CSA STAR accreditation date
- 28/09/2021
- CSA STAR certification level
- Level 1: CSA STAR Self-Assessment
- What the CSA STAR doesn’t cover
- Nothing
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
- Data Centres are SOC 2 Type II compliant.
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- We are ISO27001 certified for our entire operations. We have an array of Policies and Procedures to cover every aspect of our Operations. External and internal auditing ensures compliance with these.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- We have strict change control on all our customer systems and configurations and the process is audited for our ISO27001 certification. Once a change is approved after operational, functional and security assessment, only authorised personel who are vetted can action changes and two person control is mandatory.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- We monitor on a regular basis any releases from all vendors and other publicly released exploits. Patching these vulnerabilities are performed in a timely manner ensuring that our clients are not put at risk.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
Comprehensive monitoring of nSaaS is designed to identify a potential attack early and to react accordingly; through the technology deployed at the boundary and by initiating additional protection.
SIEM solutions will alert the SOC of any potential or suspected attack. The response is multi-faceted; in the first instance the Entrust hosting partner will initiate their on demand DoS/DDoS mechanisms which will blackhole traffic to any specific /32 network.
Where a DoS or DDoS event is suspected, Entrust’s response will be initiated through:
• SIEM logs to SOC
• Syslog / SNMP logs to Operation teams for Availability and Load monitor - Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- Our Incident Management policy and procedures follows best practice as required by ISO27001:2013. Examples of incidents and events are defined and subsequent actions are designed into security incident responses. Users report incidents either by telephone, email or directly to managers or the Security Manager. All incidents are recorded in the Service Desk system and coordinated through to closure by the investigating body. Incident reports are generated upon completed investigation and these are shared with interested parties under NDA, as required contractually, legally, regulatory. All incidents are reported to the Security Management Forum and subsequently to the Board of Directors.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Our goal is to manage our manufacturing, warehousing, distribution, and office facilities to minimize ecological impact. Entrust maintains an ISO 14001 certification at its headquarters and principal manufacturing facility and is working to set organizational carbon reduction goals to achieve net zero carbon emissions by 2050. We also comply with important environmental measures such as REACH, RoHS, and Proposition 65 where applicable to our business.Tackling economic inequality
Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.Equal opportunity
Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.Wellbeing
Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.
Pricing
- Price
- £1,590 an instance a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- We provide a test HSM environment in our lab to assist with integration.