ZUHLKE ENGINEERING LTD.

Azure Managed Cloud Service

We provide a flexible service to allow offload operational management to a managed service. We manage the end-to-end digital services including, networking, operating systems and applications. We manage Azure, Amazon Web Services (AWS) others and hybrid. Our service is UK government compliant and provides on-demand, scalable cloud resources.

Features

• 24x7 monitoring/response IaaS, SaaS, Serverless and Kubernetees platforms
• Cloud hosting, cost management, cost optimisation
• Cloud design, deployment, operation and continuous improvement
• ISO9001 and ISO27001 certified with ITIL service management
• Managed end-to-end service, including networking, operating systems and applications
• NCSC aligned, with support by SC cleared staff available
• AWS and Azure certified partner
• Application migration/development and management. Service management with incident/change management
• Easy to use commercial models tailored to your needs
• Award winning and proven for UK government

Benefits

• Proactive cloud cost optimisation to ease cost management
• Secure to NCSC standards
• Scalable with consumption based commercial models available
• Easily scale support up/down with cloud platform consumption
• Tailored SLAs to meet your service requirements
• Up to 24 x 7 support available
• Securely managed cloud platform monitored 24 x 7
• Rapid, repeatable deployment and operation driven by automation tooling
• Ability to draw on deep and wide skills as needed
• Enhanced access to cloud providers through our extensive international relationships

£0.01 a virtual machine an hour

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Jonathan.Cook@Zuhlke.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

657864637401707

Contact

Jonathan Cook
+44 207 033 8000
Jonathan.Cook@Zuhlke.com

Service scope

• Service constraints: Please refer to https://docs.microsoft.com/en-gb/azure/ to determine those constraints which are applicable to your service needs
• System requirements: Service system requirements are maintained here https://docs.microsoft.com/en-gb/azure/

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide response based on priority. For highest priority needs we provide up to 24 x 7 service with 30 minute response. For lower priority needs we provide reduced SLAs to keep the cost of the overall service lower.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: We provide private instant messaging groups to allow our supported clients to chat directly to support engineers. This allows text chat, and sharing of documents, voice and video content, within the boundaries of the security protocols our client requires us to operate.
• Web chat accessibility testing: We have validated the suitability of the chat tools we use with every client to confirm that our solution meets their needs.; ; To date we have not tested our web chat approach with people who are assistive technology users.
• Onsite support: Yes, at extra cost
• Support levels: Please see Microsoft provided support plans here https://azure.microsoft.com/en-gb/support/plans/; ; Our service is provided in accordance with different priority definitions (P1, P2, P3, P4), where the service level varies in accordance priority and with targets defined for Response (up to 30 minutes), Recovery (up to 2 hours), Resolution (up to 2 working days) and Update (up to hourly).; ; Support costs are bespoke to each service and the specific SLAs our client's require. Cloud support engineers and technical account managers can be provided and included within these costs.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We provide a bespoke service tailored to the needs of each client.; ; Training can be provided on-site, remotely, to many people or on 1:1 basis, we provide training by doing (pairing with our experts) and also documentation. ; ; Most commonly a combination of training options are provided.; ; See https://azure.microsoft.com/en-us/resources/ plus comprehensive online documentation for various solutions available across the platform. See https://docs.microsoft.com/en-us/azure/. ; ; We offer remote best practice guidance from our Azure Engineers called FastTrack for Azure. https://azure.microsoft.com/en-us/programs/azure-fasttrack/#overview
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
  • Other
• Other documentation formats:
  • Video e.g. MP4 and MOV
  • Audio e.g. MP3 and WAV
  • Collaboration documentation (Confluence, Sharepoint, Notion.io)
  • Lightweight Markup (Markdown.md)
  • Microsoft (.Doc and .PPT)
  • Jupyter Notebook (.pynb)
• End-of-contract data extraction: Customers are able to remove their data at any time through the same means they uploaded. Either over their network (internet or express route) or via the Azure Import/Export services. Also, see https://www.microsoft.com/en-us/trustcenter/privacy
• End-of-contract process: Microsoft is governed by strict standards and removes cloud customer data from systems under their control, overwriting storage resources before reuse, and purging or destroying decommissioned hardware. https://www.microsoft.com/en-gb/trust-center/privacy/data-management?rtc=1

Using the service

• Web browser interface: Yes
• Using the web interface: https://azure.microsoft.com/en-gb/features/azure-portal/
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Microsoft Accessibility Conformance Reports show commitment to accessibility. For enterprise, education, and government professionals, these reports help with procurement decisions and product integration within an organisation. Search Reports https://cloudblogs.microsoft.com/industry-blog/government/2018/09/11/accessibility-conformance-reports/
• Web interface accessibility testing: https://www.microsoft.com/en-us/accessibility/
• API: Yes
• What users can and can't do using the API: Please see https://msdn.microsoft.com/en-us/library/azure/ee460799.aspx
• API automation tools:
  • Ansible
  • Chef
  • SaltStack
  • Terraform
  • Puppet
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
  • Other
• Using the command line interface: The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation. https://docs.microsoft.com/en-us/cli/azure/?msclkid=2b50e70aa91311ec9b84e2bb2e192699

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Each customer environment is logically separated. This prevents users from accessing resources that are not assigned to them.; ; Where services provide virtual environments, we ensure that customers are segregated by security management processes and controls at both the network and hypervisor level.; ; Azure employs a combination of isolation, resource management, auto-scaling, capacity planning, and SLAs to guarantee that users' reserved capacity remains unaffected by demand from other users.; ; User have access to On-Demand Capacity Reservation https://learn.microsoft.com/en-us/azure/virtual-machines/capacity-reservation-overview
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email
  • SMS
  • Other
• Other usage reporting: We can configure alerts via Azure Portal to receive console alerts. ; ; Users can set up alerts on criteria, including resource utilisation, performance metrics and service limits. Azure can send notifications via email, SMS, webhook and other communications channels. See here https://azure.microsoft.com/en-gb/get-started/azure-portal

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • A comprehensive list such as AD, Server, Service, Configuration Stores
  • Spring, Automation, Private Cloud, Batch, Workspaces, Accounts, Blockchain Members
  • Bot Services, Redis, App Firewall policies, Profiles, Roles, VMs
  • Storage accounts, blob services, file services, queue services, table services
  • All metrics can be found here:
  • https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Microsoft

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Less than once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Azure Blobs
  • Backups, for up to 10 years
  • PostgreSQL servers, backup databases and retain
  • Backup SAP HANA databases running on Azure VMs
  • Backup SQL Server databases running on VMs
  • Backup Azure files to a storage account
  • Backup Azure managed disks
  • Backup entire Windows/Linux VMs
  • System state with Microsoft Azure Recovery Services
  • On-premises, backup files, folders
• Backup controls: We provide users with fine grained control over what backups are performed and configure different backup schedules for resources. This is enabled by assigning Azure Policies in Backup Center https://learn.microsoft.com/en-us/azure/backup/backup-center-overview
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Transit encryption using Transport Layer Security (TLS) 1.2. All traffic leaving a data centre is encrypted in transit. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.; An additional layer of encryption is provided at the infrastructure layer. Whenever Azure customer traffic moves between datacentres-- outside physical boundaries not controlled by Microsoft or on behalf of Microsoft-- a data-link layer encryption method using the IEEE 802.1AE MAC Security Standards (also known as MACsec) is applied from point-to-point across the underlying network hardware.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection within supplier network: We follow a pattern of continuous security assessment and work in accordance with best practice guidance from NCSC. We consider and review our own network to ensure we identify and mitigate risks.; ; Customer environments are logically separated to prevent users accessing resources not allocated to them. Azure enables customers to use an open, secure, encrypted channel to Azure using TLS/SSL and VPN (IPsec/TLS). API calls can be encrypted (TLS/SSL), plus the Azure Portal console is TLS encrypted.

Availability and resilience

• Guaranteed availability: See SLA's for each service here https://azure.microsoft.com/en-gb/support/legal/sla/summary/?msclkid=0132c6f0a91b11ec927496d95a52a9a9
• Approach to resilience: Network reliability through intelligent software; Safe Deployment with AIOps; Resiliency threat modelling for large distributed systems; Low and no impact maintenance; For more detail please see https://azure.microsoft.com/en-us/features/reliability/#features
• Outage reporting: Through Azure Service Health which gives personalised alerts and guidance for Azure service issues.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
• Other user authentication: Azure Active Directory is Microsoft’s multi-tenant cloud-based directory and identity management service. Azure-AD includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, and privileged account management.; ; https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods?msclkid=b2a138a1a92d11ec918375623c320dc1
• Access restrictions in management interfaces and support channels: Azure-AD can designate separate administrators to serve different functions. These administrators will have access to features in the Azure portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user-licenses, and manage domains, among other things. A user who is assigned an admin role will have the same permissions across all of the cloud services that your organization has subscribed to, regardless of whether you assign the role in the Office365 portal, in the Azure classic portal, or by using the Azure-AD module for Windows PowerShell.
• Access restriction testing frequency: Never
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Swiss Association for Quality and Management Systems (SQS)
• ISO/IEC 27001 accreditation date: 19/01/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The Group CEO is responsible and accountable for security policies and processes and who places the Chief Security Officer (CSO) in day-to-day charge of security. The CSO together with our Security Office facilitate ISMS processes and maintain the policy framework.; ; We employ a pyramid approach with regard to our policies. Our main goal is to reduce the number of policies that have to be read and understood by all staff. More specific topics are covered target group specific policies (e.g. physical security, or security in human resources). Levels in the pyramid: 1) ISP & Strategy, 2) Corporate Security Policy, 3) User Group Specific Policies & Guidelines, 4) Security Specific Procedures, 5) Plans & Checklists

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Azure has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1 / SOC 2, NIST 800-53, and others.; ; Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.; Please see https://www.microsoft.com/en-us/SDL/OperationalSecurityAssurance and https://www.microsoft.com/en-us/sdl
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability management recommendations focus on addressing issues related to continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities as well as minimizing the window of opportunity for attackers.; 1: Run automated vulnerability scanning tools; 2: Deploy automated operating system patch management solution; 3: Deploy automated patch management solution for third-party software titles; 4: Compare back-to-back vulnerability scans; 5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities; For more information https://docs.microsoft.com/en-us/security/benchmark/azure/security-control-vulnerability-management
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Defender for Cloud gives you increased visibility into, and control over, the security of your Azure resources as well as those in your hybrid cloud environment.; ; Defender for Cloud performs continuous security assessments of your connected resources and compares their configuration and deployment against the Azure Security Benchmark to provide detailed security recommendations tailored for your environment.; ; In addition Intelligent Security Graph provides real-time threat protection in Microsoft products and services. It uses advanced analytics that link a massive amount of threat intelligence and security data to provide insights that can strengthen organisational security
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Microsoft has robust processes to facilitate a coordinated response to incidents.; • Identification: System and security alerts may be harvested, correlated, and analysed.; • Containment: The escalation team evaluates the scope and impact of an incident.; • Eradication: The escalation team eradicates any damage caused by the security breach, identifies root cause for why the security issue occurred.; • Recovery: During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.; • Lessons Learned: Each security incident is analysed to protect against future reoccurrence.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: VMware, Hyper-V, Red Hat Virtualisation
• How shared infrastructure is kept separate: In cloud-enabled workplace, a tenant can be defined as a client or organisation that owns/manages a specific instance of that cloud service. With the identity platform provided by Microsoft Azure, a tenant is a dedicated instance of Azure Entra ID that your organisation receives/owns when it signs up for Microsoft cloud service. Each Azure Entry ID directory is distinct/separate from other Azure Entra ID directories. The Azure Entry ID architecture isolates customer data and identity information from co-mingling. This means users and administrators of one Azure Entra ID directory cannot accidentally or maliciously access data in another directory. See: https://docs.microsoft.com/en-us/azure/security/fundamentals/isolation-choices

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are leading the way to show how open data accelerates decarbonisation of the UK national energy system.

  Covid-19 recovery

  Nature journal reported that our NHS Covid-19 app averted 1 million infections and saved thousands of lives.

  Tackling economic inequality

  We bring small & local businesses, startups, not-for-profit and academics into our ways of working.

  Equal opportunity

  We provide equal opportunity employment. We invest in helping disadvantaged communities grow digital skills.

  Wellbeing

  Our mental health first aiders are trained to look out for our customers, our partners, as well as our own people.

Pricing

• Price: £0.01 a virtual machine an hour
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Please see https://azure.microsoft.com/en-gb/free
• Link to free trial: https://azure.microsoft.com/en-gb/free/

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Jonathan.Cook@Zuhlke.com. Tell them what format you need. It will help if you say what assistive technology you use.