Rapid7 Cloud Risk Complete: Hybrid Security and Risk Management
Rapid7 Cloud Risk Complete is an integrated security platform that manages risks across cloud, on-premises infrastructure, and web applications. It provides comprehensive vulnerability management, dynamic application security testing, and automated workflows to enhance security postures efficiently.
Features
- Centralised risk management across diverse environments.
- Automated security assessment tools for quick risk identification.
- Real-time visibility into cloud assets and their vulnerabilities.
- Integration with existing systems to streamline workflows.
- Customisable reporting for tailored security insights.
- Enhanced detection capabilities for web application vulnerabilities.
- Proactive threat intelligence to anticipate security risks.
- Efficient incident response with automated workflows.
- Compliance support to meet regulatory requirements.
- Cloud Security Posture Management CSPM
Benefits
- Automate compliance checks to streamline security and regulatory workflows.
- Prioritise risks intelligently for efficient resource allocation.
- Centralise security management to simplify oversight across environments.
- Enhance visibility into assets for better control and decision-making.
- Deploy scalable security solutions to adapt to changing business needs.
- Integrate seamlessly with existing tools to maintain productivity.
- Accelerate incident response with automated processes.
- Continuously monitor threats to minimise potential disruptions.
- Facilitate proactive security planning with predictive analytics.
- Support remote management to safeguard assets from anywhere.
Pricing
£150 an instance
- Education pricing available
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
7 9 4 3 8 0 7 9 5 5 2 5 3 6 6
Contact
ITHQ LTD
Dale Nursten
Telephone: 02039977979
Email: bidteam@ithq.pro
Service scope
- Software add-on or extension
- No
- Cloud deployment model
-
- Public cloud
- Hybrid cloud
- Service constraints
- N/A
- System requirements
-
- Windows desktop 10 v1507 to Windows 11 23H2
- MacOS Big Sur 11 to macOS Sonoma 14
- Ubuntu Linux versions 18.04 LTS to 22.04 LTS
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Oracle Cloud
- Alibaba Cloud
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Vendor response times are dependent on support contracts.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Full details of Rapid7 support levels can be found at: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-customer-support-guidebook.pdf
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- ITHQ will support the on-boarding of the solution with an agreed Scope of Works document customised to meet the customers' requirements.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- Data export tools within the platform.
- End-of-contract process
- At the end of the contract the customer will be offered the option of extending their subscription or ceasing to use the platform.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- No
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
-
Rapid7 Cloud Risk Complete offers an API. The Insight Platform provides a unified API that facilitates interaction with various Rapid7 Insight products, including Cloud Risk Complete. This API uses RESTful principles and supports common operations across different product APIs within the platform. It requires the use of an API key for authentication and supports features like pagination, rate limiting, and versioning to manage API interactions effectively.
More details can be found at https://docs.rapid7.com/insight/api-overview/ - API documentation
- Yes
- API documentation formats
-
- HTML
- API sandbox or test environment
- No
- Customisation available
- Yes
- Description of customisation
-
What: Security Policies and Configurations: Users can tailor security policies and rules to fit specific operational needs and threat models.
Dashboards and Reports: Customisable dashboards allow users to focus on metrics that matter most to their security posture.
Alerts and Notifications: Alerts can be configured to ensure the right personnel are notified about critical issues in real-time.
Integrations: The service integrates with other tools like SIEMs, compliance systems, or other IT management tools, enhancing existing workflows.
How:
User Interface (UI): Through the UI, users can easily adjust settings, configure policies, and manage alerts without technical expertise.
API Usage: For deeper integration and automation, technical users can use the provided API to develop custom scripts or applications that interact with the service.
Who:
Security Administrators and IT Teams: These users typically have the access rights to modify security settings and configurations.
Developers: They can utilize the API for creating custom integrations and automations.
Scaling
- Independence of resources
- The infrastructure supporting Rapid7's services is designed to be highly scalable. This allows the system to handle increases in demand without a degradation in performance. Rapid7 guarantees that user demands do not affect each other's service by implementing scalable cloud infrastructure, resource isolation, and load balancing. These systems automatically adjust to user loads and isolate processes, ensuring consistent service levels. Additionally, continuous performance monitoring and predictive resource allocation help manage and mitigate potential impacts from surges in demand, maintaining service reliability and speed for every user.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Rapid7 Cloud Risk Complete does provide service usage metrics. These metrics can help organisations monitor their security posture, track service usage, and analyse trends over time to improve their overall security strategy. The platform includes dashboards and reporting features that allow users to view detailed analytics related to asset vulnerabilities, threat detections, and compliance status. These tools are designed to provide actionable insights that help users prioritise security tasks and manage their resources effectively. For more specific information on accessing and utilising these metrics, you can refer to the official Rapid7 documentation or support services
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Reseller providing extra features and support
- Organisation whose services are being resold
- Rapid7
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- Less than once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
-
For offboarding or regular data management purposes, users have the option to export data such as asset details, account information, and mobile device data. Rapid7 supports exporting data in formats like CSV or PDF, allowing for flexibility in how data is saved or further processed outside of the platform. This feature is accessible through the dashboard settings, where users can select specific datasets for export.
These import export capabilities ensure that users can efficiently manage their security data, aligning with organisational changes or compliance needs. For more detailed guidance on using these features, you can refer to Rapid7's official documentation. - Data export formats
-
- CSV
- Other
- Other data export formats
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
Rapid7 guarantees a high level of availability for its Cloud Risk Complete service, typically outlined in their Service Level Agreements (SLAs). These SLAs usually specify the percentage of uptime guaranteed, often aiming for 99.9% availability. This level of service ensures that users experience minimal disruptions and consistent access to the service.
In cases where Rapid7 does not meet the guaranteed levels of availability, the SLA would typically include details on how users are compensated. This compensation might involve service credits that users can apply against future payments, providing a financial adjustment for the downtime experienced.
For exact details on the availability guarantees, SLA specifics, and compensation methods, users should refer to the specific SLA provided by Rapid7 upon subscribing to their services. This document will include all necessary details regarding uptime commitments and the procedures for claiming compensations if those commitments are not met. - Approach to resilience
-
Rapid7's Cloud Risk Complete service is designed for resilience to ensure continuous operation and availability. The service's resilience strategy includes multiple elements:
Data Center Redundancy: Rapid7 utilizes data centers that employ redundant power supplies, HVAC systems, and network connections, enhancing their ability to maintain service continuity amidst various failures.
Geographical Diversity: Services are hosted in multiple geographic locations to mitigate the impact of regional disruptions, natural disasters, or other localized problems. This geographical spread ensures that even if one location is affected, the service can still operate from other locations.
Failover Mechanisms: Automatic failover mechanisms are in place, allowing for quick switching to backup systems and data centers without service interruption in the event of a hardware or software failure.
Scalable Architecture: The infrastructure is built on a scalable cloud platform, designed to handle increases in load seamlessly. This scalability ensures that the system can adjust to spikes in demand without impacting user performance.
Continuous Monitoring: Rapid7 employs continuous monitoring of their systems to detect and respond to issues proactively. This includes performance monitoring and security monitoring to address potential security threats swiftly. - Outage reporting
-
Rapid7 reports service outages through a combination of methods to ensure users are promptly and effectively informed:
Public Dashboard: Rapid7 maintains a publicly accessible status dashboard that displays real-time information regarding system performance and any ongoing incidents or outages. This dashboard is regularly updated to reflect the current status of all services, including any active issues and expected resolution times.
API: For users integrating Rapid7 services into their own monitoring systems, an API is available that can provide real-time status updates. This allows users to programmatically check the operational status of different service components and automate their own alerting and response processes.
Email Alerts: Rapid7 also provides email alerts to notify users of significant incidents or outages. These alerts include details about the nature of the issue, the services affected, and any steps being taken to address the problem. Users can subscribe to these alerts to receive updates directly in their inbox.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Username or password
- Access restrictions in management interfaces and support channels
- Only authorised users or groups are able to access the management and support portals.
- Access restriction testing frequency
- Less than once a year
- Management access authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- QMS International Ltd
- ISO/IEC 27001 accreditation date
- 15/03/2022
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- We are ISO27001 accredited and able to supply our Information Security Policies subject to a non-disclosure agreement being put in place with the receiving party.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Will be provided by ITHQ upon request.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Will be provided by ITHQ upon request.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Will be provided by ITHQ upon request.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Will be provided by ITHQ upon request.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
- Tackling economic inequality
- Equal opportunity
Tackling economic inequality
ITHQ runs a corporate social responsibility programme, Life In IT, in South East England. This initiative focuses on reconditioning tech devices, which are donated by businesses as they upgrade their infrastructure. By redistributing these devices to local non-profit organisations and schools, we prevent valuable technology from being wasted and facilitate access to digital education resources for underserved communities. This program not only extends the lifecycle of technology but also significantly reduces economic barriers to accessing necessary educational tools.Equal opportunity
To specifically address equal opportunity, our Life In IT programme prioritises collaboration with schools that support students from diverse backgrounds, including low-income families, minorities, and those with disabilities. We provide customised technology solutions that cater to a wide range of learning needs and styles, thereby ensuring all students have the opportunity to succeed. By doing so, ITHQ is committed to creating a more inclusive educational environment where every student, regardless of their socioeconomic status or background, can benefit from equal access to high-quality digital education.
Pricing
- Price
- £150 an instance
- Discount for educational organisations
- Yes
- Free trial available
- No