INTEGRITY360 LIMITED

Thales Data Protection on Demand (DPoD)

Thales DPOD is a cloud-based platform providing a wide range of cloud HSM and key management services. Security is now simpler, cost effective and easier to manage because there is no hardware to buy, deploy and maintain. Just click and deploy the services you need, provision users, add devices.

Features

• DPoD Cloud-based HSM enables customers to protect critical cryptographic keys
• SOC2 certification proving compliance with the defined five trust service-principles
• Preconfigured APIs, easier to Integrate: Key-Management, HSM on Demand Services
• Location neutrality-Secure Sensitive Data in-any Cloud, Virtual or On-Premise environment
• Simple web-based configuration wizard that enables rapid deployment
• 99.95% availability - full SLA to meet customer requirements
• FIPS-140-2 Level-3 certified, supports standard crypto-keys: RSA, ECC and AES
• On-demand growth, service with infinite scalability and elasticity
• BYOK support, for AWS, Azure, Google and other cloud-providers
• Fully managed by Thales – unrivalled experience in security services

Benefits

• Click and deploy any number of HSM services in minutes
• Simple GUI-based web wizard that anyone can use
• Automated deployment, scalability, backups, and failover
• ISO27001 for DPOD Service
• Hardware, software and infrastructure managed with automated-functions and key-backups
• Large number of integrations including, PKI, Databases, Cyber-Ark, IoT, Hashicorp
• Simple usage-based billing for cloud-based OpEx model
• Centralised management and control of all cryptographic material
• Supports multi-cloud, hybrid and on-premise deployment models
• Strong separation of duties for administrators and application owners

£1,632.00 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

499251939584898

Contact

Paul Momirovski
+44 20 3397 3414
bidreviewboard@integrity360.com

Service scope

• Service constraints: Each HSM on Demand service offers; - 100 keys per service,; - 5 clients machines per service; - 100 transactions per second per service tile.; ; Each Key Broker Service offers; - unlimited key storage; - key management functions
• System requirements:
  • Supported client operating-systems: Windows, Linux, Ubuntu, AIX, etc.
  • SafeNet Luna HSM-Client-10.1 requires the advanced version of Oracle Java-7/8
  • Supported Cryptographic API’s: PKCS#11-2.20, JCA within Oracle Java 8, 9
  • Supported Cryptographic API’s: JCA within OpenJDK-7, 8, 9, OpenSSL
  • Supported Cryptographic API’s: Microsoft CAPI, Microsoft CNG
  • Web based portal means zero administrator software is required
  • Service use requires access to internet over SSL/TLS connection

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: The Thales Standard Support Package provides your organization with the technical support services you may need for a non-critical, development or test environment. It allows you access to our team of Technical Support Engineers, who will endeavour to answer any questions you may have about installing, configuring and maintaining your Thales products. Initial response within 8 business hours and access to Thales Support Portal and knowledge base.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: Standard Account Management support hours are 9.00am to 5.00pm Monday to Friday. We provide an Account Management function for all Public Sector clients. Our Account Managers endeavour to respond to requests as quickly as possible and are supported by a team of System Engineers to offer technical advice and scoping before and during purchase. After purchase, technical support is as per price list. Hands-on assistance & professional services by engineers is available outside of break-fix on paid time and materials basis defined by a Scope of Work.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The DPOD service offers the following start up tools; Documentation – online or PDF; Onsite or remote training; Free online resources such as YouTube videos
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Hardware Security Module Services; Customers have limited options to extract materials from the environment by design, due to the nature of the service functions being offered. Hardware security modules are one way devices preventing extraction of key material. However customer clone their cryptographic material to compatible on premise Thales HSMs maintaining a security of that material.; ; Key Management services; Thales offer options to export keys from the environment, subject to attributes being set by the customer at creation, to enabling customers to extract encryption keys securely.
• End-of-contract process: The Tenant initial service selection results in a Minimum Billable usage (=MBU) of a fixed quantity over a fixed term on a fixed service. Tenants can use services outside the scope of the MBU:; 1) usage beyond MBU–usage of the same service outside the timely scope of the MBU; 2) usage outside MBU–usage of a different service outside the service-type scope of the MBU; 3) usage above MBU–usage of an additional quantity of the same service outside the quantitative scope of the MBU; After the MBU term (1) the tenant can continue to use the service without disruption. The tenant can always use services outside (2) and above (3) the MBU commitment. For each monthly period the tenant gets billed the MBU or the actually used quantity of a service, whichever is greater. When the MBU term has ended, the MBU is zero, and the actual usage is the billable usage. All billing is monthly in arrears. Billing can be directly to the Tenant, or via a tierd model to the tenant’s parent or grandparent. The MBU is a commitment at each tenant’s level. The monthly comparison MBU vs actual usage is at the tenant level.

Using the service

• Web browser interface: Yes
• Using the web interface: DPoD interface allows you to securely generate, store and manage cryptographic keys used for securing your infrastructure or for encryption in your applications. From the interface you can insert and make changes across the following areas:; • Log in; • Creating an Account; • Adding a Subscriber Tenant Account; • Account Information Required; • Adding a Service Provider Admin Account; • Managing an Account; • Editing Account Credentials; • Resetting Account Passwords; • Resetting an MFA Token; • Deleting an Account; • Configuring Service Availability; • Generating Reports; • Report Format; • Generating Summary Reports; • Generating Monthly Reports
• Web interface accessibility standard: WCAG 2.1 A
• Web interface accessibility testing: As part of our standard User Experience testing across the whole Data Protection on Demand service we undertake basic usability testing using certain processes and tools. We would be happy to discuss and investigate the feasibility of any specific requirements that may be required.
• API: Yes
• What users can and can't do using the API: DPOD support a REST API for all management functions. This can be used alongside many automation tools:; - Creating services; - Generating Service Clients; - Deleting Services; - Listing usage; More details can be found in the documentation available here :; https://thales.na.market.dpondemand.io/docs/dpod/api/
• API automation tools:
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
• Other API automation tools: Any automation-tool which supports interaction with a REST based-API
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • Other
• Using the command line interface: The CLI provides users will all the same functionality as what is made available through the UI. Using the CLI, customers can perform administrative functions on DPoD such as managing users and creating subscription groups. In addition there is a CLI interface that allows application owners to manage HSMoD services. Using this CLI, they can create and delete services and create and download client packages to target machines to grant access to the HSMoD service.The CLI command are scriptable so that customers can automate the provisioning and de-provisioning of services according to their own internal workflows and procedures. CLI is for administration of DPoD users and services. The CLI does not allow any access to the keys, nor does it allow users to perform any cryptographic operations.

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Data Protection on Demand dynamically manages customer demand, moving customer workloads between HSM resources as required. Capacities are constantly managed to maintain capacities required to support current and future customer needs.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: No

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Thales Data Protection on Demand

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Data Protection on Demand offers FIPS 140-2 Level 3 Hardware security Modules, as such key material benefits from additional protection measures as outlined within this framework and independently verified by NIST approved Labs and certified.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • HSM on-Demand services may-be backup by customers at any-time
  • Backed up-to a compatible Thales-Luna-HSM or Backup-HSM purchased separately
  • Thales maintain operational service backups to maintain availability and resilience
  • Thales cannot restore or backup customers key material
  • Customer information is completely opaque to Thales
• Backup controls: Customers initialise backup manually via a Universal HSM Client package (required to use HSM devices from Thales) and initialise a secure backup between Data Protection on Demands cloud HSM services and compatible on-premise Luna HSM devices.; Key material replication is replicated and highly available across the environment replicating at time of creation / change to material. A explanation can be found on our YouTube channel; Operational service backup is automated and transparent to customers.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Hardware Security Module Services; Due to the complex nature of the security involved, please see supporting documentation available here. https://thales.na.market.dpondemand.io/docs/dpod/services/hsmod_services/hsmod_client_connection/; ; Key Management services; Key Management service tiles operate between the secured application and the Data Protection on Demand Service using appropriate protocols for that use case. Typically this is API driven over TLS secured connections with key material being secured in transit by methods specified by that use case such as wrapped keys.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Data Protection on Demand offers a 99.95% SLA; ; The SLA can be viewed at the link below for further details - https://supportportal.gemalto.com/csm?id=kb_article_view&sys_kb_id=7cf99d59db695344d298728dae9619f3&sysparm_article=KB0017430
• Approach to resilience: Data Protection on Demand is built to be highly available and resilient, running in separate, geographically separated, data centre environments and designed to be delivered as a scalable cloud service, leveraging many newer deployment and automation technologies in addition to all those expected for a traditional service like UPS, generators and redundant connectivity etc.; ; Data Protection on Demand is designed using numerous microservices rather than one monolithic block of software, which alongside the use of hardware agnostic platforms and containerising components minimise risk, remove dependencies and enable dynamically deploying components via automated. This gives significant advantage should Data Protection on Demand face an unexpected incident by allowing the service to react quickly and autonomously to rectify issues as transparently as possible to our customers.; Real-time replication between production and DR sites, alongside regular online and offline backups provide additional resilience should large scale disruptions and natural disasters.
• Outage reporting: Service reporting is available via a public dashboard, with service alerts available via SMS, EMAIL and RSS Feeds.; ; This can be viewed here:; ; https://status.dpondemand.io/

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is managed by customer Admins, including the creation of employee accounts and identifiers. DPoD does not create any default accounts for users when services are provisioned.; Crypto operations are controlled by the partition officer and crypo users identities within a service tile. Each tile has its own set of identities and credentials. Portal based users who manage the environment or deploy applications are fully isolated from these tile based user identities; ; Thales underlying infrastructure requires employees to use unique identifiers for operations within production environments, with privileged credentials being controlled via a duel custody system.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Certification Body of Schellman & Company, LLC 1541862-3
• ISO/IEC 27001 accreditation date: 15th April 2019
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: August 29, 2019
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: N/A
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: FIPS 140-2 Level 3 certificate number 3519 & 3520

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Data Protection On-Demand-operations, and operations-related IT is fully compliant with the ISO27001:2013 standard, having achieved independent certification to ISO27001 for its Information Security Management System and processes. In addition, Data Protection On-Demand holds the following certifications FIPS-140-2, SOC -2, PCI-DSS for its Data Centres with service certification planned during 2020.
• Information security policies and processes: Thales ISMS for DPoD is based upon the ISO 27001 standard and corporate policies. Supporting documentation can be provided as part of contractual discussions.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Thales implement a robust change management process with Technical and change approval boards for its product lines. Supporting policy documents can be made available as part of contractual discussions.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Thales Security and DPoD Security operations team monitor infrastructure tools to maintain compliance with polices, updates and detect threats. Thales maintains support with all vendors of its infrastructure, including security advisories. A formal patch management process is implemented within Thales, where ever possible patches are deployed in a timely manner, being validated in dev, staging environments before being pushed into production. However due to the nature of some of our service offerings such as FIPS 140-2 Certified HSMs, some updates release to production for some use cases may be dependent on third party review and audit by NIST.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: As part of the information deployment, monitoring tools are deployed across the environment to detect deviations from standard configurations. This includes WAF, IPS, IDS, proxies and other inspections technologies. If an issue is detected that system can automatically be segregated for further inspection and new baseline deployments brought into production transparently to customers.
• Incident management type: Supplier-defined controls
• Incident management approach: The Thales CSIRT team operate across all product lines within Thales, Thales complies with RFC2350; ; Our Cert for RFC2350 and more information on our CSIRT team can be found here; https://www.gemalto.com/csirt; Thales has and will maintain a security incident response plan that includes procedures to be followed in the event of any actual, suspected, or threatened security breach of the personal information. Upon request, Thales shall provide documentation regarding such analysis and remediation.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality

  Fighting climate change

  DPoD being a service minimizes the need of dedicated Hardware being manufactured and shipped around the world.; The service nature of DPoD also means that for the customers there are no need for running their own Data centres and having to physically visit the data centres to perform maintenance tasks.

  Covid-19 recovery

  As DPoD is a service it enabled fluent use of its capabilities throughout Covid as people could stay at the safety of their homes without needing to travel. Same applies for Covid recovery as well along with the fact that DPoD being very cost-effective it supports business with their potential financial challenges as well while ramping up again after Covid.

  Tackling economic inequality

  The DPoD as a service model and OpEx based business model enables smaller businesses / organisations who do not have the technical expertise and large amount of money to spend in a CapEx investment to also come on board the service and enhance their security in these times of increasing cyberattacks.

Pricing

• Price: £1,632.00 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Fully functional Data Protection on Demand service for 30 days .
• Link to free trial: https://thales.eu.market.dpondemand.io/signup/

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.