Managed Enterprise Technologies Ltd

Cybersecure Hybrid Cloud Services

Hybrid cloud hosting solution offering Platform as a Service (PaaS), high availability, enterprise class compute and storage. METCLOUD's managed services include: Next Generation Firewalls (NGFW), Security Information and Event Management (SIEM), Endpoint Protection, Network Access Control, Automated Patch Management & Backup, Disaster Recovery and Proactive Monitoring & Surveillance 24/7.

Features

• Next Generation Firewalls
• Enterprise Class Compute and Storage
• Managed Vulnerability Scanning and Remediation
• Advanced Reporting
• Security Information & Event Management
• Endpoint Protection
• Network Access Control
• Monitoring & Surveillance
• Secure Remote Management
• Ongoing account management

Benefits

• Consumption Billing Model
• Rapid onboarding
• Flexible and Scalable Compute and Storage
• Accredited to ISO 27001 and Cyber Essentials
• Assists compliance with, ISO, NIS, GDPR, SOX, PCI & HIPPA
• High Availability
• Reduces management costs with hybrid cloud solutions
• Uses real time threat intelligence to protect systems and information
• Secure your Cloud Adoption projects and strategies
• Pay as you Grow Service Delivery

£0.02 to £0.27 a gigabyte a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ian.vickers@metcloud.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

791002685302718

Contact

Ian Vickers
0121 227 0730
ian.vickers@metcloud.com

Service scope

• Service constraints: Legacy systems that do not support virtualisation are unsupported.
• System requirements:
  • Buyer must provide access to systems for migration
  • Secure VPN link
  • Access to the Internet to make use of the service
  • MPLS Circuit optional

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: P1/Urgent 20min response ; P2/High 90min response ; P3/Medium 5hrs response ; P4/Low 10hrs response
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Using Google Accessibility Tool Kit
• Onsite support: No
• Support levels: P1/Urgent 20min response ; P2/High 90min response ; P3/Medium 5hrs response ; P4/Low 10hrs response ; ; Cloud support engineers are provided for fault resolution and pre-sales technical review.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: User Training; End-user training (online) for the platform and full documentation provided. Additional training (including onsite) is available with pricing made available upon request.; ; Migrations; We support the following scenarios for both private cloud and Microsoft Azure:; • New environments, including building, testing and commissioning of VM’s; • Tool driven physical to virtual or virtual to virtual migrations; • Managed migrations; ; New Environments ; We are able to design, specify and build VM’s to individual customer requirements. Instances are fully tested before handover with full documentation provided.; ; Tool Driven Migrations; Typically customer led, this option provides flexibility for a buyer to choose how existing systems are migrated. Vendor supplied tools are used to make the data available to us via either physical media or secure data transfer.; ; Managed Migrations; Our fully managed service can seamlessly migrate your services into our platform using our bespoke methodology. There is no need for downtime as live systems can be migrated with minimal impact. ; ; Additional Services ; We are also able to assist buyers with:; • Cloud design; • Cloud readiness assessments; • Technology optimisation; • Operating system upgrades; • Networking & infrastructure support; • Security assessments & compliance reviews.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: MS Office including Visio Drawings
• End-of-contract data extraction: Customers are able to extract data from the service using their preferred tools and methods. We are able to provide support for customers to extract data from the service which is chargeable. Our charges are listed in the accompanying pricing document and follow our standard consultancy rate.; For support with data extraction we require 60 days notice before the end of the contract. Notice should be in writing to ian.vickers@metcloud.com.; ; Customer Data is retained for a maximum of 90 days following the end of a contract. After this time all data is deleted.
• End-of-contract process: This a chargeable service, as detailed in the pricing document.

Using the service

• Web browser interface: Yes
• Using the web interface: Users can manage the services provided via a web portal secured by a username and password. 2FA is also used for authentication to portal. ; ; Users are able to start and stop VM's, view statistics and usage such as CPU, RAM & Disk Space.; ; Users are unable to provision new server instances or allocate resources to existing instances such as additional vCPU's or Memory through the web interface - this process is fully managed by our cloud engineers.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Our web interface is accessible to users of assistive technologies, such as screen readers by providing clear text descriptions for user input fields.
• Web interface accessibility testing: None
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Our platform is designed with enough overhead for customers to run their systems @ 100% utilisation without affecting others. When designing/building a solution on the platform, consideration is given to this overhead and any expansion through normal operation of the hosted systems.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • SMS

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • Application Performance
  • Uptime
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Microsoft CSP, Microsoft SPLA, Webroot, Securenvoy MFA, Barracuda, SonicWall, Veeam

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type:
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Files & Folders
  • Virtual Machines
  • Whole Disks & Volumes
  • SQL Databases
  • Application Servers (MS Exchange, Sharepoint etc)
• Backup controls: Access to a management portal can be setup to allow users to setup and control their own backups. Multiple schedules can be setup as required.
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection within supplier network: Customer networks and systems are segmented from each other using VLAN and PBR (Policy Based Routing).

Availability and resilience

• Guaranteed availability: Network SLA: 100% availability in a 30-day period. Should availability be less than 97.5% during any 30-day period the Customer may terminate the Agreement giving 60 days written notice.; ; METCloud Platform SLA: 99.9% uptime. Only a systems failure of the hardware and hypervisor layers delivering the service will constitute a failure and be covered by this SLA.; ; Service Credits are offered for breaching SLA's.; ; >99.5% <99.9% 1 Day ; Between 99% & <99.5% 7 Days; Between 97.5% <99% 12 Days; Less than 97.5% 30 days.
• Approach to resilience: Available upon request.
• Outage reporting: Email Alerts are generated immediately. These are configurable to individual customer requirement.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Named user accounts are supplied with appropriate rights and permissions. Administrator access is restricted to authenticated users providing a valid set of credentials including username and password. Two Factor Authentication (2FA) is utilised wherever possible.; ; Our support is provided to customers only. Third parties may engage with our support under prior arrangement and agreement with us. ; Access to support can be restricted to named users if necessary with requests validated by a senior manager or other named contact.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ACM Limited
• ISO/IEC 27001 accreditation date: 01/07/2019
• What the ISO/IEC 27001 doesn’t cover: Software Development
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISMS in place with defined roles for SIRO, TISO, ISO and IRO's. Documented incident response and recovery plans reviewed annually. ISMS accredited to ISO 27001 by UKAS approved auditors. Overarching Policy Statement with supporting policies for:; ; BYOD, Acceptable Use Policy (Internet, Email & Equipment), Incident Handling & Reporting, Passwords, Physical & Environmental Security, Anti-Virus/Malware, Information Classification, Protective Marking, Asset Handling, Clean Desk/Screen, Application Source Code.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our change management process follows best practice as detailed in the ITIL framework. ; ; Specifically changes are discussed and approved by a Change Advisory Board (CAB) at weekly operational meetings. ; ; Emergency changes are handled in accordance with ISO 27001, with risk assessments and impact analysis considered before changes can be approved.; ; Change logs are maintained and processes are externally audited in accordance with ISO 27001.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: Threats are measured using the industry standard CVSS with ratings of Critical, High, Medium and Low. Patches are deployed within thirty days of release.; ; Our threat feeds include publicly available feeds such as IBM Threat X-Force Exchange, CiSP and Dshield. Commercial threat data is accessed through our SIEM platform (BlackStratus).
• Protective monitoring type: Undisclosed
• Protective monitoring approach: The environment is monitored 24/7 by our GPG13 compliant SIEM solution. The output of the SIEM solution is in turn monitored by a dedicated Security Operations Centre (SOC) with analysts providing alerts and remediation for identified threats. ; ; Cases rated as high or above are investigated and processed within 60 minutes.
• Incident management type: Undisclosed
• Incident management approach: Our process of handling incidents is aligned with ISO 27001 standards include pre-existing processes for common incidents. ; ; Incidents are investigated and classified according to their severity, either High, Medium or Low. All incidents are logged and reviewed for satisfactory outcome in accordance with our Information Security Management System (ISMS).; ; Incidents reports are provided via email with full case details (the who, what, where and when), supporting technical information and steps taken/needed for remediation.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Hyper-V
• How shared infrastructure is kept separate: Each customer is allocated a portion of the service for it’s own use. This includes dedicated vCPU’s, Memory and networking. MET uses best practice to secure and deploy enterprise class vendor’s solutions within the environment.; ; Customers are logically separated at both network and hypervisor levels to prevent any cross-contamination.; ; Storage is also logically separated so customers can only see data that is intended for them.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Our datacentres comply with the EU Code of Conduct for Energy Efficient datacentres. The controls and measures in place are managed by a third party supplier (Six Degrees) and are verified by external consultants. See https://www.6dg.co.uk/committed-to-data-centre-efficiency/

Social Value

• Fighting climate change:

  Fighting climate change

  In delivery of its services, METCLOUD is committed to;; ; · Minimising the impact of its activities on the environment.; ; · Continual improvement in its environmental performance.; ; · Compliance with all appropriate environmental legislation, regulations and codes of practice relevant to the industry sector in which it operates.; ; METCLOUD will review its Environmental Policy policy on an annual basis, taking account of any changes within legislation and our organisation, and other factors.
• Equal opportunity:

  Equal opportunity

  METCLOUD is committed to equal opportunities for all staff and applicants. It is our policy that all employment decisions are based on merit and the legitimate business needs of the organisation. METCLOUD does not discriminate on the basis of race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, marital or civil partner status, pregnancy or maternity, disability, religion or belief, age, or any other ground on which it is or becomes unlawful to discriminate under the laws of England and Wales (referred to as Protected Characteristics). Our intention is to enable all our staff to work in an environment which allows them to fulfill their potential without fear of discrimination, harassment, or victimisation. Our commitment to equal opportunities extends to all aspects of the working relationship including: · recruitment and selection procedures; · terms of employment, including pay, conditions, and benefits; · training, appraisals, career development and promotion; · work practices, conduct issues, allocation of tasks, discipline, and grievances; · work-related social events; and · termination of employment and matters after termination, including references.
• Wellbeing:

  Wellbeing

  METCLOUD is committed to PROMOTING MENTAL WELLBEING (including menopause) AT WORK. Mental wellbeing at work is determined by the interaction between the working environment, the nature of the work and the individual. Work has an important role in promoting mental wellbeing. It is an important determinant of self-esteem and identity. It can provide a sense of fulfilment and opportunities for social interaction. For most people, work provides their main source of income. Work can also have negative effects on mental health, particularly in the form of stress. Work-related stress is defined as the adverse reaction people have to excessive pressure or other types of demand placed upon them. Although pressure can motivate members of staff and encourage enhanced performance, when pressure exceeds the ability of an individual to cope, it becomes a negative force in the form of stress. Working environments that pose risks for mental wellbeing put high demands on a person without giving them sufficient control and support to manage those demands. METCLOUD has a strategic approach to promoting mental wellbeing, this is achieved as follows: · By adopting a company-wide approach to promoting the mental wellbeing of all members of staff. · Ensure that the approach takes account of the nature of the work, the workforce and the characteristics of METCLOUD. · Promoting a culture of participation, equality and fairness that is based on open communication and inclusion. · Creating an awareness and understanding of mental wellbeing and having a zero tolerance towards discrimination

Pricing

• Price: £0.02 to £0.27 a gigabyte a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ian.vickers@metcloud.com. Tell them what format you need. It will help if you say what assistive technology you use.