Secure Remote Access
Dispel's secure remote access product is worth considering if your team needs to standardize, harden, monitor, or efficiently manage access into industrial control systems (for example, SCADA), legacy environments, or critical networks.
Features
- Secure Remote Access
- Moving Target Defence
- Role Based Access Control
- Enforced Multi-Factor Authentication (2FA & MFA)
- Screen Recording and Live Streaming
- Full Traffic Logs & SIEM integrations
- Form-Based Access Control
- End-to-End AES-256 Encryption
- Active Directory, Okta, and Microsoft SSO integrations for IAM
- Data Streaming and Exfiltration
Benefits
- Standardize how operational technology is accessed.
- Standardize how access to operational technology is managed.
- Streamline your access and approval processes with forms.
- Enforce user, device, port, protocol, and timeframe controls on access.
- Keep the governance model inherently current by using time-based approvals.
- Provide data streams to contractors in minutes.
- Segment your IT, OT, and Project networks in hours.
- Shift your networks to a Moving Target Defense posture.
- Get coherent, auditable insight into your access processes.
Pricing
£25,000 a unit a year
- Free trial available
Framework
G-Cloud 13
Service ID
822852371293510
Contact
Dispel, LLC
Llyr Garner
Telephone: +1 917 268 5190
Email: llyr.garner@dispel.com
Service scope
- Service constraints
-
- Remote access is brokered to local networks via a hardware or virtual appliance. You will need to set a planned schedule to update this appliance.
- The orchestration engine responsible for providing the service is typically managed by Dispel. Customers have the ability to purchase single-tenant licenses for orchestration engines.
- Customers may supply their own cloud accounts.
- Virtual desktop and other virtual asset customizations need to be performed by Dispel.
- System requirements
-
- Virtual Gateway Appliance - on-premises VM size requirements
- BYO Hardware appliance - size requirements
- VDI (Custom Applications) - BYO licenses
- Cloud accounts - optional BYO subscription
- SSO Integrations - optional OAuth2.0, AD, SAML
- MFA - optional ToTP & Hardware Tokens
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Within 24hrs
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- Web chat
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web chat accessibility testing
-
https://www.intercom.com/help/en/articles/2530813-is-the-intercom-messenger-accessible
Tested against WCAG 2.0 Level AA
- Onsite support
- Yes, at extra cost
- Support levels
-
Dispel provides all customers with customer support. Dispel differentiates support from incidents: support is defined as helping users use the services, while an incident is an outage or error in the services. Dispel monitors for outages and errors 24/7 and provides SLAs for response plans and uptime guarantees. Dispel actively monitors support submissions from 9 AM EST to 6 PM EST, Monday through Friday, excluding nationally recognized holidays in the United States.
Dispel provides Priority 1, 2, and 3 support for customers. The target response times are 2 hours, 1 day, and 3 days respectively.
For customers that require support with implementation and custom applications, Dispel can provide packages scoped based on the type of work. Because each customer's needs may be different, we tailor pricing based on outcome measures.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- By default, we provide training and documentation to the Admin, who in turn train and onboard their users. Upon request, we provide custom online training. For additional cost, we also provide onsite training.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- All Dispel deployments are single-tenant, so when a customer's contract ends, their infrastructure is entirely destroyed and wiped. We also remove all information from that customer from the database. If they would like, we can send them a copy to store before ensuring all data relating to the customer is destroyed from Dispel systems.
- End-of-contract process
- All Dispel deployments are single-tenant, so when a customer's contract ends, their infrastructure is entirely destroyed and wiped. We also remove all information from that customer from the database. If they would like, we can send them a copy to store before ensuring all data relating to the customer is destroyed from Dispel systems.
Using the service
- Web browser interface
- Yes
- Using the web interface
-
Users log into their account, request access, and receive credentials for their remote access session through the web interface.
Admins use the web interface to manage user accounts, approve access requests, and configure access rules for devices.
- Web interface accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web interface accessibility testing
- For UK Article 3(1) of Commission Implementing Decision (EU) 2018/1523, Dispel's accessibility statement was prepared using Version 2.4 of the ITI Voluntary Product Accessibility Template® (VPAT®) INT edition. The evaluation methods used were based on general product knowledge and testing with assistive technologies.
- API
- Yes
- What users can and can't do using the API
- Dispel's API is a closed access API which users cannot directly access. User actions are brokered through the front-end web console.
- API automation tools
- Ansible
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- Command line interface
- No
Scaling
- Scaling available
- Yes
- Scaling type
- Automatic
- Independence of resources
- Each user has a dedicated (single-tenant) virtual desktop. Each regional cloud SD-WAN is independent of other customer networks and other regional networks within a single customer.
- Usage notifications
- Yes
- Usage reporting
-
- Other
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- Memory
- Network
- Number of active instances
- Reporting types
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Wicket VM instances.
- Customized routing nodes.
- Deployed VMs that are networked into an Enclave.
- Recorded virtual desktop sessions.
- All databases behind admin console.
- Traffic Logs - often sent to customer SIEM.
- Backup controls
-
(1) Wicket virtual appliances may be backed up manually dependent upon the virtualization platform they are deployed on.
(2+3) Cloud VMs may be "snapshot" at the cloud provider level on a schedule or ad-hoc.
(4) Specific recordings may be exported for backup purposes on an ad-hoc basis.
(5) Databases are automatically backed up, and may be backed up on an ad-hoc basis as well.
(6) Traffic logs are often backed up by being sent to a local SIEM for storage.
- Datacentre setup
-
- Multiple datacentres with disaster recovery
- Single datacentre with multiple copies
- Scheduling backups
- Supplier controls the whole backup schedule
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
Dispel will maintain at least 99.9% Uptime for Online Service hosted by Dispel and at least 99% Uptime for Network Service hosted by Dispel (“Service Levels”). The Uptime calculation for each Service Feature that may be included with the applicable Services is described below (“Uptime Calculation”). If Dispel does not meet a Service Level in any calendar quarter during the applicable Order Term, Customer will be entitled to receive service credit to Customer’s account (“Service Credits”) based on a pre-specified policy (“Service Credits Calculation”).
If Dispel does not meet a Service Level, Customer may redeem any applicable Service Credits only upon written request to Dispel within thirty (30) days of the end of the calendar quarter in which Dispel failed to meet the Service Level. Written requests for Service Credits redemption must be sent to Dispel Support. Service Credits may take the form of a credit to Customer's account, cannot be exchanged into a cash amount, are limited to a maximum of ninety (90) days of paid service per calendar quarter, require Customer to have paid all outstanding invoices, and expire upon expiration or termination of Customer's agreement with Dispel.
- Approach to resilience
- Resilience is built into our Moving Target Defense posture. Further information is available on request, but at a high level, our infrastructure is (1) cloud agnostic, (2) data centre agnostic, (3) disposable, and (4) rebuilds in approximately 10-30 minutes depending on configuration. These capabilities allow for single-tenant deployments that are fully segmented from one another and can be resilient to geographic or even cloud provider-level outages.
- Outage reporting
- Dispel's team actively monitors customer deployments. If we identify any outages, including those isolated to a single network, our team provides email alerts to all relevant stakeholders.
Identity and authentication
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google apps)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
-
MFA on all administrative console logins.
Backend infrastructure is limited to an isolated network, with access brokered by individual, certificate-based encrypted connections.
Support communication channels are protected with MFA logins, and remote support tunnels to deployed wickets are initiated from the wicket in an outbound-only fashion.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Username or password
- Devices users manage the service through
- Directly from any device which may also be used for normal business (for example web browsing or viewing external email)
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- A-LIGN Assurance
- ISO/IEC 27001 accreditation date
- (Pending Audit)
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
- SOC 2 (Pending Audit)
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- Dispel aligns its security governance standards to IEC/ISO 27001 and SOC 2. Dispel is currently undergoing its audit for certification.
- Information security policies and processes
-
Dispel maintains an information security policy aligned to SOC 2 2017, ISO 27001 v2013, and HIPAA security controls. Dispel partnered with Drata to perform an independent review of Dispel's conformance to applicable security controls. Drata continuously monitors the company's policies, procedures, and IT infrastructure to ensure adherence.
To do this, Drata connects directly to the company's infrastructure accounts, version control and developer tools, task trackers, endpoints, hosts, HR tools, and internal policies. Drata then continuously monitors these resources to determine if the company meets defined framework standards.
Dispel controls include: Acceptable Use Policy, Annual Penetration Tests, Annual Risk Assessment, Background Checks, Backup Policy, BCP/DR Tests Conducted Annually, Code of Conduct, Code Review Process, Contractor Requirements, Cryptography Policies, Customer Data Policies, Data Protection Policy, Disaster Recovery Plan, Disclosure Process for Customers, Disposal of Sensitive Data on Hardware, Encryption Policy, Firewalls, Incident Response Plan, Information Security Policy, Least-Privileged Policy for Customer Data Access, Logging/Monitoring, Login Password, MFA on Accounts, Multiple Availability Zones, Password Policy, Physical Security, Remediation Plan, Risk Assessment Policy, Security Policies, Security Team/Steering Committee, Security Training, SLA for Security Bugs, Software Development Life Cycle Policy, System Access Control Policy, Unique Accounts Used, Version Control System, and Web Application Firewall.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
Dispel's Software Development Life Cycle (SDLC) Policy governs change management at the Company. This policy establishes and maintains processes to ensure that its computer applications and systems follow an SDLC process that is consistent and repeatable and maintains information security at every stage.
Information security implications are addressed and reviewed regularly, and responsibilities for information security are defined and allocated to the roles defined in the project management methods. Secure system principles fall within four categories: Business, Data, Application, and Technology.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Dispel's Vulnerability Management Policy requires that all product systems be scanned for vulnerabilities at least annually; that all vulnerability findings be reported, tagged, and tracked to resolution in accordance with the SLAs defined in the Policy; and that records of findings be retained for at least 5 years. The Policy dictates how we assess potential threats to the Company's services, how quickly patches are deployed, and the sources from which we receive threat information.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Dispel uses a shared security responsibility model for monitoring. Dispel uses public cloud providers such as Amazon Web Services, who monitor their infrastructure. We also use Heroku, who provide security monitoring of their platform. We provide tools to our customers which allow for logging and monitoring of activity within the system.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- Dispel uses an Incident Response Plan conformant with SOC 2 Criteria: CC2.2, CC2.3, CC4.2, CC5.1, CC7.3, CC7.5, CC9.1; and ISO 27001 Annex A: A.16. Dispel's security incident response policy is intended to establish controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. This policy requires that all users report any perceived or actual information security vulnerability or incident as soon as possible.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- Other
- Other virtualisation technology used
- Cloud providers (Azure or AWS for example). For local virtual appliances, the hypervisor is customer dependent.
- How shared infrastructure is kept separate
- Dispel networks are single-tenant for any given customer and are built in the cloud provider/datacentre defined by the customer. Each user is given a single-tenant virtual desktop for their remote access connection.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
-
They meet guidelines for the European Code of Conduct for Energy Efficiency in Data Centres.
(AZURE) https://blogs.microsoft.com/eupolicy/2021/05/20/microsoft-azure-adheres-to-the-eu-cloud-code-of-conduct/
(GCP) https://cloud.google.com/security/compliance/eu-cloud-code-of-conduct
(AWS) https://sustainability.aboutamazon.com/environment/the-cloud
Social Value
- Fighting climate change
-
To learn more about Dispel's Environment & Sustainability Statement, please visit: https://legal.dispel.io/social/environment-and-sustainability
Dispel understands that its operations have an environmental impact. From our travel to meet with clients, to running cloud data centers, our daily activities create GHG. The continued robust increase in GHGs in the atmosphere is currently the primary force in climate change (IPCC, 2014). Our climate change mission is therefore to measure our impact on GHG, reduce where we can, and offset through carbon capture an equivalent or greater amount of GHG to those we cannot eliminate. As a tech company our climate impact is relatively minimal compared to other industries. Clients use our products as an environmental alternative to older business practices. It is, after all, better for the earth to log on rather than drive to a site. Nevertheless, the individual contributions toward and prioritization of the environment at all companies helps society grapple with climate change.
Dispel has a five-step climate strategy: 1) Define, 2) Measure, 3) Target, 4) Reduce, and 5) Communicate. In addition to our own climate goals and practices, Dispel's products help companies achieve carbon neutrality by reducing their need for travel, hardware, and shipping. Remote access to industrial control systems obviates the need for plant managers and third-party vendors to fly or drive to sites. Dispel virtual desktops eliminate the need for buying, shipping, and disposing of laptops for plant commissioning events and "for SCADA use only" cybersecurity framework compliance.
- Covid-19 recovery
-
Dispel's remote access allows operational environments and critical infrastructure to continue functioning during remote work. By allowing secure remote access, we are helping slow COVID spread, allowing users to stay home but still do their job.
- Tackling economic inequality
-
For a complete overview of Dispel's Diversity, Equity & Inclusion practices, please visit https://legal.dispel.io/social/diversity-equity-and-inclusion
Dispel is committed to complying with all federal, state, and local equal employment laws. To that end, the company is dedicated to maintaining a work environment that is free from harassment and discrimination on the basis of age, race, creed, color, national origin (including ancestry), religion, gender or sex, sexual orientation (including transgender status, gender identity or expression), pregnancy (including childbirth, lactation, and related medical conditions), alienage or citizenship status (unless required by law), disability, reproductive health decision making (including, but not limited to, the decision to use or access a particular drug, device, or medical service), marital status, partnership status, caregiver status, domestic violence victim status, familial status, military status, unemployment status, genetic information (including genetic characteristics), or any other protected status under federal, state, or local laws. The company is dedicated to the fulfillment of this policy with respect to all aspects of employment, including, but not limited to, recruiting, hiring, placement, transfer, training, promotion, compensation, termination, and all other terms, conditions, and privileges of employment.
Building a company community requires people, which means hiring them. We pride ourselves on a highly motivated, competitive culture solving complex and challenging problems. Our products and technology help defend against sophisticated and well-funded adversaries. Dispel maintains programs supporting underrepresented communities (URC), women, Indigenous Americans, and the LGBTQ+ community.
- Equal opportunity
-
Dispel is committed to complying with all federal, state, and local equal employment laws. To that end, the Company is dedicated to maintaining a work environment that is free from harassment and discrimination on the basis of age, race, creed, color, national origin (including ancestry), religion, gender or sex, sexual orientation (including transgender status, gender identity or expression), pregnancy (including childbirth, lactation, and related medical conditions), alienage or citizenship status (unless required by law), disability, reproductive health decision making (including, but not limited to, the decision to use or access a particular drug, device, or medical service), marital status, partnership status, caregiver status, domestic violence victim status, familial status, military status, unemployment status, genetic information (including genetic characteristics), or any other protected status under federal, state, or local laws. The Company is dedicated to the fulfillment of this policy with respect to all aspects of employment, including, but not limited to, recruiting, hiring, placement, transfer, training, promotion, compensation, termination, and all other terms, conditions, and privileges of employment.
The Company will conduct a prompt and thorough investigation of all allegations of discrimination, harassment, or retaliation, or any violation of the Equal Employment Opportunity Policy in a confidential manner. The Company will take appropriate corrective action, if and where warranted. The Company prohibits retaliation against employees who provide information about, complain about, or assist in the investigation of any complaint of discrimination or violation of the Equal Employment Opportunity Policy.
The Company encourages employees to report incidents of discrimination and harassment internally. Employees who believe they have been subjected to discrimination or harassment in the workplace, consistent with N.Y. Lab. Law § 203-E, also may seek relief by filing a complaint with the New York Division of Human Rights and the U.S. Equal Employment Opportunity Commission (EEOC).
- Wellbeing
-
Dispel maintains a robust and competitive wellness and benefits program for all its employees. The Company provides comprehensive medical, dental, and vision coverage; life, long-term disability, and short-term disability insurance; a company-matching 401(k) retirement plan; generous unlimited PTO for vacation; education support for professional improvement supporting company goals; wellness time for physical fitness; and an option pool to give employees a stake in the company's long-term vision.
You can see reviews from Dispel's employees on Glassdoor: https://www.glassdoor.com/Reviews/Dispel-Reviews-E7142963.htm
Pricing
- Price
- £25,000 a unit a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- Dispel offers full-featured 6-week pilot deployments at a single site. After the pilot period, the deployment rolls over into the contracted production deployment.