Axians Networks Limited

Radware Cloud Web Application Service

The Service offers protection from application-level web attacks. It automatically detects application domains, analyzes potential vulnerabilities and assigns optimal protection. The Service uses DNS to divert traffic towards the supplier’s Cloud and also includes DDoS Protection to 1Gbps in all packages, extended DDoS Protection is available as an option.

Features

• Full coverage of OWASP top-10 attacks
• Provides protection from 0-day web attacks
• Negative and postive security model
• Load balances and provides failover between multiple customer
• Automatically generates policies for new applications
• Single 'pane of glass' portal managed by Emergency Response Team
• Fully integrated DDoS attack protection option

Benefits

• Most comprehensive protection against simple and advanced online cyber threats
• Single pane of glass protection across Cloud and traditional DCs
• Immediate protection that is extremely fast to deploy during crisis
• Low ongoing management overhead into any environment, DevOps aligned
• Low false positive rate
• Fully managed ERT service to deal with attacks 24x7x365

£327.04 to £25,228.13 a unit a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at neil.polson@axians.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

596088032765746

Contact

Neil Polson
07788317802
neil.polson@axians.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Hybrid cloud
• Service constraints: None
• System requirements:
  • Provision of valid SSL certificates if relevant to customers service
  • Managed DNS records able to refer service to Radware platform

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Routine Questions are dealt with Next Business Day
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Through web service portal
• Web chat accessibility testing: None
• Onsite support: Yes, at extra cost
• Support levels: There are SLAs in place for Time-To-Mitigation (5 to 15 Minutes depending on attack type) plus Consistency-Of-Mitigation for DDoS Attacks. The overall platform uptime commitment is 99.999%. There are 24x7 Support response SLAs for general systems issues across a number of categories: Business Critical (30 minutes); Minor and Major (24 hours); and routine configuration changes (Next Business Day). In additional to general 24x7 support, the overall managed service includes: automatic policy generation, log review, system monitoring, periodical reports, emergency response attack mitigation and access to security experts
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The security administrators of the platforms to come under Radware protection work through an automated onboarding process which Radware provide a team to oversee
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The system holds no customer 'data' it does however contain metadata that they would normally extract via Radware's management API
• End-of-contract process: The customer would re-designate their DNS records to point at a new preferred location, the Cloud WAF instance is closed down at the contract finalization date

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Web portal
• Accessibility standards: None or don’t know
• Description of accessibility: Clients under Radware's Cloud WAF protection service designate their Application's Domain names to point at Radware's Cloud infrastructure
• Accessibility testing: N/A. This question has no relevance to a Cloud WAF service that does not modify legitimate user experience. Malicious users are blocked from attacking online services
• API: Yes
• What users can and can't do using the API: They can integrate Radware's stateful API with SIEM platforms and other logging and alerting aparatus
• API documentation: Yes
• API documentation formats:
  • PDF
  • Other
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: They can configure the management dashboard by shifting widgets to suit their operational preferrences

Scaling

• Independence of resources: Each user has their own separate Cloud WAF instance

Analytics

• Service usage metrics: Yes
• Metrics types: Details of throughput of legitmate traffic, malicioius traffic and attack types
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Radware

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
• Other data at rest protection approach: The system holds no customer 'data', however Metadata is protected using our adherence to SSAE-16
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The system holds no customer 'data' it does however contain metadata that they would normally extract via the Radware management API
• Data export formats: Other
• Other data export formats: Other, to SIEM standard
• Data import formats: Other
• Other data import formats: Other, to SIEM standard

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Radware's platform passes the data received from internet users onto the customers web applications via regular public internet service by default. The customer could however purchase private line connectivity for the forwarding of data instead of using the internet. Private line connectivity would typically be leveraged for performance reasons as there would not be any security value as the traffic is already coming from internet locations
• Data protection within supplier network: Other
• Other protection within supplier network: Radware's platform passes the data received from internet users onto the customers web applications via regular public internet service by default. The customer could however purchase private line connectivity for the forwarding of data instead of using the internet. Private line connectivity would typically be leveraged for performance reasons as there would not be any security value as the traffic is already coming from internet locations

Availability and resilience

• Guaranteed availability: 99.999% uptime
• Approach to resilience: Radware's Cloud WAF services operates from +30 POPs globally, each with full redundancy and the ability to failover to another location
• Outage reporting: Email notification from the Operations team

Identity and authentication

• User authentication needed: Yes
• User authentication: Other
• Other user authentication: N/A User traffic towards the customers protected servers is not subject to authentication, Radware protecting public web services
• Access restrictions in management interfaces and support channels: The Management Interface enables various levels of priviledge for administrators and suppor reprsentatives in client's ICT organisations
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QCD Certified Radware
• ISO/IEC 27001 accreditation date: 26/06/2014
• What the ISO/IEC 27001 doesn’t cover: As per the publically available certificate, Radware's ISO27001 certification is for Operations of information security, MIS, IT. Its cloud services are certified under ISO 27017
• ISO 28000:2007 certification: Yes
• Who accredited the ISO 28000:2007: Radware's Certificate details not publically available
• ISO 28000:2007 accreditation date: Certificate details not publically available
• What the ISO 28000:2007 doesn’t cover: Radware's Certificate details not publically available
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Radware's Certificate details not publically available
• PCI DSS accreditation date: Certificate details not publically available
• What the PCI DSS doesn’t cover: Radware's Certificate details not publically available
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO27002 IT — Security techniques, Code of practice, security controls
  • ISO27032 Security Techniques -- Guidelines for Cybersecurity
  • ISO27017 Information Security for Cloud Services
  • ISO27018 Information Security Protection of (PII) in public clouds
  • US SSAE16 SOC-1 TypeII, SOC-2 TypeII

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001 Information Security Management Systems; ; ISO 27002 Information technology — Security techniques — Code of practice for security controls;; ISO 27032 Security Techniques -- Guidelines for Cybersecurity;; ISO 27017 Information Security for Cloud Services;; ISO 27018 Information Security Protection of Personally identifiable information (PII) in public clouds;; ISO 28000 Specification for Security Management Systems for the Supply Chain;; EU GDPR EU General Data Protection Regulation;; PCI-DSS v3.1 Payment Card Industry Data Security Standard;; HIPPA Health Insurance Portability and Accountability Act;; US SSAE16 SOC-1 Type II, SOC-2 Type II

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Aligned to ISO, SOC-1, SOC-2 and SSAE-16
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Periodic vulnerability scanning and patching through Radware's Cloud Services DevOps team. Additional vulnerability scanning is performed after any significant change implementation
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Fully monitored 24x7 using a specialist DevOps team
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Defined in Radware's Security Policy and other internal documentation

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  Axians is the ICT brand of VINCI Energies. VINCI Energies carries out numerous projects that contribute to improving everyday life and to shaping the world of tomorrow. The Axians approach has aligned with the Group, based on a Green IT audit and leading to an operational action plan. The solutions deployed by Axians are at the heart of the operational activities of the clients, and they are part of their journey towards sustainability. Thanks to our understanding of customers’ needs and our different expertise areas (including IoT and Business Applications), Axians can help our customers save water in cities, reduce their fuel consumption and optimize the energy efficiency of their sites and buildings.

  Tackling economic inequality

  Enhancing the regional economy, staying competitive and increasing quality of public service. We help the Public Sector to improve citizen well-being with proven expertise in deploying, scaling, operating and maintaining any digital infrastructure at a large, city-scale

  Wellbeing

  Citizens are expecting more from the places they live in, and the relationship with government and local authorities to deliver efficient, quality digital services. As well as needing fast, reliable and scalable technology infrastructure to ensure public sector teams can serve citizens effectively, these authorities also need to adopt solutions to support and respond to sustainable and inclusivity

Pricing

• Price: £327.04 to £25,228.13 a unit a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: No Free Version, only a time limited trial

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at neil.polson@axians.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.