THRIVE OPERATIONS LIMITED

Thrive Managed Firewall Service

The Thrive Managed Firewall Service provides fully managed edge security, utilising Thrive’s cloud based management platform to govern the service. The service includes fully monitored physical or virtual firewalls, in addition to comprehensive management of the firewall configuration, policies and rules.

Features

• Physical or virtual Fortinet FortiGate cloud managed firewall appliance(s)
• Stateful packet filtering
• Network Address and Port Address Translation
• 10 configuration changes (per month, per device)
• 1 DMZ, 3 VLAN’s
• Web Filtering
• Regularly scheduled review of Firewall Firmware and base configuration
• Intrusion Prevention Service
• Gateway Anti-Virus/Anti-Spyware
• VPN Service (including various configurations, secured by MFA)

Benefits

• Utilise vast technical expertise to manage your security infrastructure
• Reduce costs by outsourcing specialist skills or repetitive manual tasks
• Improve IT budget planning through predictable costs
• Avoid critical ICT assets being exposed by mismanagement
• Decrease downtime with strictly managed SLAs and efficient resource allocation
• Enhance IT strategy and planning by leveraging Thrive’s prolific experience
• Develop scalable security infrastructure which adapts to changing organisational needs

£150 a device a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pcotterill@thrivenetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

505447613847866

Contact

Phil Cotterill
01582 429999
pcotterill@thrivenetworks.com

Service scope

• Service constraints: For support reasons the service must comply with Thrive’s design guides.
• System requirements:
  • The virtual environment sizing is contingent on the vFW model
  • Sufficient connectivity provision at the client premises
  • Sufficient power provision at the client premises

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: The response is dependent upon the severity of the incident which is determined by the Cybersecurity Analyst. P1 Incidents are responded to within 15 minutes.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Each incident raised is classified in accordance with the impact it has on the customer; P1 - Major Incident 15 minutes response. P2 - Critical Incident 30 minutes response. P3 – Urgent Incident 60 minutes response. P4 - Normal Incident 4 hour response. Thrive Engineers resolve issues through telephone support, diagnostics tools and vendor support. All resolution activities are documented within the client portal and the incident is closed upon the customer’s approval.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: No training is provided as standard as this is a security managed service; the only exception is guidance to understand and review the security management platform reports and the Thrive Client Portal if this is the first Thrive service being subscribed to.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Thrive will provide consultancy during the offboarding process to determine the relevant aspects of data the client wishes to extract. All residual data will be wiped/erased from Thrive systems upon completion of service termination.
• End-of-contract process: The service can be renewed, uplifted, or terminated depending upon the client's requirement.

Using the service

• Web browser interface: Yes
• Using the web interface: Users will be able to generate and view reports, and view the health status of appliances within a Thrive Managed, secure client-dedicated tenant, within Thrive's Security Management platform. Co-management is a possibility but would require clarification during the consultation phase of the engagement.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: The vendor tests and provides conformance against WCAG 2.0 AA in a report dated October 2020.
• Web interface accessibility testing: This is provided by the vendor as above
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: Thrive regularly reviews the infrastructure is performing as required, and adds additional resources when the requirement grows (i.e., due to onboarding new clients). This is performed as part of Thrive's standard management and maintenance lifecycle(s) for the varying offerings we provide.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other
• Other usage reporting: Thrive will consult with the Client to select the appropriate firewall platform based on information provided during the initial consultation to review security requirements. Security services that are activated at the request of the Client after the initial consultation or firewall configuration that negatively impact the performance of the hardware and software are the responsibility of the Client. Thrive will work with the Client to select another firewall platform that may result in additional monthly fees.

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Other
• Other metrics: Firewall health metrics
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: Firewall configuration backed-up regularly
• Backup controls: This is fully managed by Thrive.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The management platforms for this service are hosted within Thrive's Data Centre environment which has a 100% uptime guarantee.
• Approach to resilience: Thrive's Data Centre environment is built on Cisco FlexPod with a fully redundant design containing no single points of failure. The networking at every layer is redundant. The internet service uses three separate ISPs diversely delivered into two Data Centres.
• Outage reporting: The systems are monitored 24/7 and use e-mail alerting into the Thrive24/7 support team. Outages are monitored for all hardware and networking and virtual infrastructure

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Management Interfaces are tenant orientated, with customer access restricted to their organisation tenant only.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: SGS UK Limited
• ISO/IEC 27001 accreditation date: 30/06/2021
• What the ISO/IEC 27001 doesn’t cover: All items not defined by our scope of certification and statement of applicability version 3.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials ISO9001 BS10012:2017
• Information security policies and processes: The information security policies and processes followed by Thrive are in line with the ISO27001 specification.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Thrive using best practice as outlined in the ITIL framework
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerabilities are managed within Thrives in house service management system. Vulnerabilities are identified through vendor notification, onsite tools and systems. Each vulnerability is assessed to ensure high priority items are actioned immediately in accordance with Thrives change processes. All vendor security patching and vulnerabilities are actioned immediately. Other vulnerabilities are reviewed at Operations Meetings and scheduled for assessment and rectification appropriate to the issue. Thrives cloud design is highly resilient with multiple layers of security to ensure vulnerabilities are minimised or removed. The mature platform has been operational for many years with no client outages or client affecting security impacts.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Thrive staff are located on site at Thrives datacentre premises to continuously monitor all aspects of Thrive's Managed Services. Thrive use multiple monitoring applications across all aspects of the service from the environment, security, VMware, OS and infrastructure. All monitoring platforms alarm on triggered events but also threshold breaches. By monitoring in this way Thrive mitigate all impacts before they become client effecting. All elements up to and including Microsoft or Linux Operating Systems are monitored and alerts are sent to the service team 24x7. Security patching and vulnerabilities addressing critical platform vulnerabilities are actioned immediately.
• Incident management type: Supplier-defined controls
• Incident management approach: Incidents are captured from customers, Thrives engineers and monitoring platforms, and adhere to the nine ITIL Incident Management activities. Each incident Event is logged on Thrive's client portal and categorised in agreement with the customer according to the business impact; P1 - Major Incident 15 minutes response. P2 - Critical Incident 30 minutes response. P3 – Urgent Incident 60 minutes response. P4 - Normal Incident 4 hour response. Thrive Engineers resolve issues through telephone support, diagnostics tools and vendor support. All resolution activities are documented within the client portal and the incident is closed upon the customer’s approval.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Infrastructure is set-up in dedicated instance/tenant; clients do not have global administrative access to these environments, only to their particular tenant.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: The Thrive Datacentre has an energy power usage efficiency (PUE) rating of 1.3 and achieves this through the use of Fresh Air Cooling Systems (using outside ambient fresh air rather than chillers whenever possible) in addition to utilising hot isle containment and efficient UPS systems. Thrive has a policy of continual energy efficiency, heat reclamation system, and hot and cold air segregation.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity

  Fighting climate change

  Thrive are providing additional environmental benefits in the performance of the contract such as flexible working, car share programs for office based staff and are actively working towards net zero greenhouse gas emissions as well as ISO14001 certification.

  Covid-19 recovery

  Thrive are a high growth business operating in a high growth sector and have created new employment opportunities, offer re-training via our Rising Tide program and other return to work opportunities for those left unemployed by COVID-19.

  Tackling economic inequality

  With our cloud and cloud managed cyber security offerings Thrive are creating a number of new roles across our organisation. In the last year the team has grown by over 300 people as we create employment and training opportunities. The current skills shortage in the UK for cyber security staff currently stands at 11,200.; Thrive has also been supporting educational attainment relevant to our G-Cloud offerings, including training to address skills gaps and result in recognised qualifications.

  Equal opportunity

  Through our "Rising Tide" program, that has been in place since 2020, Thrive are fully supporting in-work progression to help people, including those from disadvantaged or minority groups, to develop their careers and move into higher paid work by developing new skills many that are relevant to the services we are offering through the G-Cloud program.

Pricing

• Price: £150 a device a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pcotterill@thrivenetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.