Thales UK Ltd

Thales HSM - Luna

Thales Luna Cloud HSM is a cloud-based platform that provides a range of Cloud HSM and key management services through a simple online marketplace. With Cloud HSM security is made simpler, more cost-effective and easier to manage because there is no hardware to buy, deploy and maintain.

Features

• Cloud-based HSM - enables customers to protect cryptographic key
• SOC 2 certification - compliance defined five trust service principles
• Preconfigured APIs - Easier Integration: Key Management, HSM on Demand
• HSM Location neutrality- Secure Sensitive Data multi cloud, Virtual/On-Premise environment
• Supports 100s of uses cases including, PKI, TDE, and others
• 99.95% availability - Full SLA to meet customer requirements
• HSM FIPS140-2 Level 3 certified, Supports all standard crypto keys
• On-Demand growth - service with infinite scalability and elasticity
• Automated backups and failover included
• Fully managed by Thales - unrivalled experience in security services

Benefits

• Click and deploy any number of HSM services in minutes
• Simple GUI-based web wizard that anyone can use
• Preconfigured APIs - Easier Integration: Key Management, HSM on Demand
• ISO27001 for the Cloud HSM Service not just DC/processes
• SOC 2 certification - compliance defined five trust service principles
• Low TCO - Thales manages all hardware, software, and infrastructure
• Simple usage-based billing for cloud-based OpEx model
• Centralised management and control of all cryptographic material
• Supports multi cloud, hybrid and on premise deployment models
• Strong separation of duties for administrators and application owners

£1,413 an instance a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at fcmo@uk.thalesgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

518790468007402

Contact

Phaedra Warnes
07974 011385
fcmo@uk.thalesgroup.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Each HSM on Demand service offers; - 100 secrets stored per service,; - 5 clients machines per service ; - 100 transactions per second per service tile. ; Technical support is 24/7 remote; ; Each Key Broker Service offers ; - unlimited key storage; - key management functions
• System requirements:
  • Supported client operating system including Windows, Linux, Ubuntu, AIX
  • Requires the advanced version of Oracle Java 7/8
  • Supported Cryptographic API’s include: PKCS#11 2.20, JCA within Oracle Java
  • Web based portal means zero administrator software is required
  • Service use requires access to internet over SSL/TLS connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 24 x 7 x 365 coverage; ; The Thales Standard Support Package provides your organization with the technical support services you may need for a non-critical, development or test environment. It allows you access to our team of Technical Support Engineers, who will endeavour to answer any questions you may have about installing, configuring and maintaining your Thales products. Initial response within 8 business hours and access to Thales Support Portal and knowledge base; ; • 1 Hour for Critical issues • 4 hours for High issues • 8 hours for Medium and Low cases
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: 24/7 support as described is included by default into our service at no extra cost
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Via the DPOD portal it’s a simple click and download option to select each tile.; This service offers the following start up tools; Documentation – online or PDF; Onsite or remote training ; Free online resources such as YouTube videos
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Hardware Security Module Services; Customers have limited options to extract materials from the environment by design, due to the nature of the service functions being offered. Hardware security modules are one way devices preventing extraction of key material. However customer clone their cryptographic material to compatible on premise Thales HSMs maintaining a security of that material.; ; Key Management services; Thales offer options to export keys from the environment, subject to attributes being set by the customer at creation, to enabling customers to extract encryption keys securely.
• End-of-contract process: The Tenant initial service selection results in a Minimum Billable usage (=MBU) of a fixed quantity over a fixed term on a fixed service. Tenants can use services outside the scope of the MBU:; 1) usage beyond MBU– usage of the same service outside the timely scope of the MBU; 2) usage outside MBU– usage of a different service outside the service-type scope of the MBU; 3) usage above MBU– usage of an additional quantity of the same service outside the quantitative scope of the MBU; After the MBU term (1) the tenant can continue to use the service without disruption. The tenant can always use services outside (2) and above (3) the MBU commitment. For each monthly period the tenant gets billed the MBU or the actually used quantity of a service, whichever is greater. When the MBU term has ended, the MBU is zero, and the actual usage is the billable usage. All billing is monthly in arrears. Billing can be directly to the Tenant, or via a tiered model to the tenant’s parent or grandparent. The MBU is a commitment at each tenant’s level. The monthly comparison MBU vs actual usage is at the tenant level.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Cloud HSM interface allows you to securely generate, store and manage cryptographic keys used for securing your infrastructure or for encryption in your applications. From the interface you can insert and make changes across the following areas; ; • Log in ; • Creating an Account ; • Adding a Subscriber Tenant Account ; • Account Information Required ; • Adding a Service Provider Admin Account ; • Managing an Account ; • Editing Account Credentials ; • Resetting Account Passwords ; • Resetting an MFA Token ; • Deleting an Account ; • Configuring Service Availability ; • Generating Reports ; • Report Format ; • Generating Summary Reports ; • Generating Monthly Reports
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: N/a
• API: Yes
• What users can and can't do using the API: CLOUD HSM support a REST API for all management functions. This can be used alongside many automation tools:; ; -Creating services; -Generating Service Clients; - Deleting Services; - Listing usage; More details can be found in the documentation available here :; https://thales.na.market.dpondemand.io/docs/Cloud HSM/api/
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: Cloud HSM dynamically manages customer demand, moving customer workloads between HSM resources as required. Capacities are constantly managed to maintain capacities required to support current and future customer needs.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Cloud HSM offers FIPS 140-2 Level 3 Hardware security Modules, as such key material benefits from additional protection measures as outlined within this framework and independently verified by NIST approved Labs and certified
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: The Luna Cloud HSM service allows data import and export through the PKCS#11 API.
• Data export formats: Other
• Other data export formats: PKCS #11
• Data import formats: Other
• Other data import formats: PKCS #7

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Cloud HSM offers a 99.95% SLA; ; The SLA can be viewed at the link below for further details - https://supportportal.gemalto.com/csm?id=kb_article_view&sys_kb_id=7cf99d59db695344d298728dae9619f3&sysparm_article=KB0017430
• Approach to resilience: Cloud HSM is built to be highly available and resilient, running in separate, geographically separated, data centre environments and designed to be delivered as a scalable cloud service, leveraging many newer deployment and automation technologies in addition to all those expected for a traditional service like UPS, generators and redundant connectivity etc.; ; Cloud HSM is designed using numerous microservices rather than one monolithic block of software, which alongside the use of hardware agnostic platforms and containerising components minimise risk, remove dependencies and enable dynamically deploying components via automated. This gives significant advantage should Cloud HSM face an unexpected incident by allowing the service to react quickly and autonomously to rectify issues as transparently as possible to our customers.; Real-time replication between production and DR sites, alongside regular online and offline backups provide additional resilience should large scale disruptions and natural disasters.
• Outage reporting: Service reporting is available via a public dashboard, with service alerts available via SMS, EMAIL and RSS Feeds.; ; This can be viewed here:; ; https://status.dpondemand.io/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is managed by customer Admins, including the creation of employee accounts and identifiers. Cloud HSM does not create any default accounts for users when services are provisioned.; Crypto operations are controlled by the partition officer and crypo users identities within a service tile. Each tile has its own set of identities and credentials. Portal based users who manage the environment or deploy applications are fully isolated from these tile based user identities; ; Thales underlying infrastructure requires employees to use unique identifiers for operations within production environments, with privileged credentials being controlled via a duel custody system.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman & Company, LLC 1541862-10
• ISO/IEC 27001 accreditation date: 5th Jan 2024
• What the ISO/IEC 27001 doesn’t cover: The scope of the ISO/IEC 27001:2022 certification covers the information security management system (ISMS) supporting SafeNet ; Trust Access (STA), Data Protection on Demand (DPoD), and IdCloud operations and aligned with ISO/IEC 27018:2019 (Code of ; Practice for PII in public clouds acting as PII processors), and ISO/IEC 27017:2015 (Code of Practice for information security controls ; based on ISO/IEC 27002 for cloud services), in accordance with the Statement of Applicability, version 10.0, dated October 23, 202
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 18/1/2024
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: N/a
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • FIPS 140-2 Level 3 certificate number 3519 & 3520
  • SOC2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cloud HSM operations, and operations-related IT is fully compliant with the ISO 27001:2013 standard, having achieved independent certification to ISO27001 for its Information Security Management System and processes. In addition, Cloud HSM holds the following certifications FIPS 140-2
• Information security policies and processes: Thales ISMS for Cloud HSM is based upon the ISO 27001 standard and corporate policies. Supporting documentation can be provided as part of contractual discussions

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Thales implement a robust change management process with Technical and change approval boards for its product lines. Supporting policy documents can be made available as part of contractual discussions
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Thales Security and Cloud HSM Security operations team monitor infrastructure tools to maintain compliance with polices, updates and detect threats. Thales maintains support with all vendors of its infrastructure, including security advisories. A formal patch management process is implemented within Thales, where ever possible patches are deployed in a timely manner, being validated in dev, staging environments before being pushed into production. However due to the nature of some of our service offerings such as FIPS 140-2 Certified HSMs, some updates release to production for some use cases may be dependent on third party review and audit by NIST.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: As part of the information deployment, monitoring tools are deployed across the environment to detect deviations from standard configurations. This includes WAF, IPS, IDS, proxies and other inspections technologies. If an issue is detected that system can automatically be segregated for further inspection and new baseline deployments brought into production transparently to customers.
• Incident management type: Supplier-defined controls
• Incident management approach: The Thales CSIRT team operate across all product lines within Thales, Thales complies with RFC2350; ; Our Cert for RFC2350 and more information on our CSIRT team can be found here; https://www.gemalto.com/csirt; Thales has and will maintain a security incident response plan that includes procedures to be followed in the event of any actual, suspected, or threatened security breach of the personal information. Upon request, Thales shall provide documentation regarding such analysis and remediation.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  Fighting climate change; Thales UK has a clear focus on fighting climate change. Thales has set itself a target of becoming a Carbon Net Zero company by 2030, powered by cleaner energy used more efficiently at our sites and for our business, with renewable energy supplies.; ; There are several strategies that Thales and our Cyber offerings implement to fight climate change, including:; ; 1) Sustainable future. Thales has put fighting climate change at the centre of its strategy, highlighted by the fact that tackling climate change is one of the 4 Thales strategic pillars. Thales Cyber security and consultancy offerings have enabled companies to develop secure and sustainable products, prevent product recalls, learn digital lessons and reduce rework that go towards meeting their strategic sustainability objectives and tackle climate change.; ; 2) Travel reduction. Thales has introduced a Smart Working model to reduce the travelling required by the workforce. One pillar of this is arranging virtual meetings with Customers, Stakeholders and interested parties. Thales has also deployed numerous tools to enable Thales UK to effectively operate via remote / smart working. It is expected that meetings under G-Cloud could implement this methodology to offer the same benefits to the customer. Running on managed services means efficient use of shared and common infrastructure, allowing sustainable collaboration from existing infrastructure, where organisations or teams may once have had dedicated infrastructure are now allowed to work remotely, securely.; ; 3) Carbon reduction. Thales strives to implement carbon reduction, through a series of targets to reduce carbon emissions annually. Smart working, championed by our Cyber Security Consultants and offerings has been a key enabler of this strategy. Additionally, services enabling secure collaboration mean that businesses do not need to procure additional new hardware, thereby having a positive environmental impact.

  Tackling economic inequality

  For the theme of “Tackling Economic Inequality” Thales’s methodology centres on a number of Sub themes these included: Levelling up, Increasing productivity and Education & Training.; Levelling up - Geographical Challenges; ; Thales is committed to the UK prosperity as a whole and drives economic activity in all parts of the country. In 2020, Thales supported over 25,400 jobs in the economy, driving growth in all four nations of the UK.; Thales works with local government and institutions to provide opportunities for local people and to support redevelopment of deprived parts of the UK. A recent example includes:; Investing in Wales - In partnership with Blaenau Gwent Council, the Welsh Assembly and the University of South Wales, Thales established a £20m National Digital Exploitation Centre in EbbwVale. It’s generating new jobs in high-demand and high-skill areas for a region that has suffered from economic inequality. ; Education and Training; ; Thales is committed to the professional development of the contract workforce and provides access to learning opportunities to ensure employees have knowledge and skills to keep up with the pace of technological change. ; Thales has an established early careers programme that attracts both apprentices and graduates (A&G) from a diverse background. In 2023 we hired 154 A&G colleagues, with a 2025 objective of at least 10% of all new hires to be graduates/apprentices.; Where appropriate due to Security Aspects, Thales will enable A&Gs to work alongside projects teams to learn ‘on the job’ and gain valuable insights beyond academic lessons. ; School STEM Workshops. Careers Fairs & Volunteering; ; Thales has an established partnership with the Smallpeice Trust to deliver STEM and careers workshops to members of underrepresented groups in schools/colleges serving disadvantaged communities. ; All employees benefit from 24 hours yearly allowance for volunteering.

  Wellbeing

  Thales considers the health and wellbeing of our people to be fundamental to our success as a business. We have a well-established health and wellbeing (H&W) support provision, which has enabled us to rapidly provide critical support to our employees where and when it is needed most. ; In 2017, Thales signed the Time to Change pledge, publically stating our commitment to changing the way we think and talk about mental health in the workplace. We have trained 200+ of our people in Mental Health First Aid, a network of supporters who can recognise the early signs of mental ill health, listen whilst assessing for crisis, and provide information. ; Help @ Hand; Thales provides every employee & their families access to an Employee Assistance Programme - A 24/7 helpline for in the moment emotional and practical support, or signposting onward resources, such as healthcare or local assistance. ; In 2021 Thales developed a ways of working model to support and equip teams, individuals & people managers with resources and frameworks to promote our hybrid ways of working following the pandemic, the framework promotes a culture of wellbeing and psychological safety for teams to work effectively within the new working culture.; Sustained & continued support; Thales also has a dedicated Employee Relations team to provide specific and tailored interventions. Thales will work alongside Occupational Health, H&W providers and rehab services to establish adjustments and tailored programmes to enable employees to return to work in the manner that is safest for them.; Thales will track and monitor working patterns to ensure that all hours worked are booked in the ERP Systems to actively monitor loading on individuals so that individuals maintain a healthy work/life balance. Any significant deviations from the norm will be raised in sprint planning reviews to inform resource balancing actions.

Pricing

• Price: £1,413 an instance a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Fully functional Cloud HSM service for 30 days

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at fcmo@uk.thalesgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.