Gradian Systems Ltd

Broadcom/Symantec Validation & Identification Protection (VIP)

In the world of BYO devices and remote access, organizations need a
security-solution that can address the growing attack surface.

Symantec-VIP is a user-friendly, cloud-based, strong-authentication service that provides secure access to sensitive data and applications anytime, anywhere, from any device enabling a critical piece of your Zero-Trust security strategy.

Features

• Delivers authentication without requiring dedicated in-premise server hardware
• One-time password credentials in a variety of hardware, software
• Authenticate users via SMS messages or voice-enabled phone calls
• Transparent risk-based authentication Leveraging device and behavior profiling intrusions
• Self-service credential provisioning
• Enterprise Infrastructure Support Integrates with popular VPNs and corporate directories
• Web-based application integration

Benefits

• Augment password-based logons with an additional authentication factor
• Reduces costs, VIP cloud-based approach allows strong authentication
• Select the right authentication approach to deliver protection
• The VIP infrastructure enable you to support millions of users
• Scalability and reliability enabling support of millions of users
• Future-proof

£1 a user

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at stuart.case@gradian.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

864868598952117

Contact

Stuart Case
07770 377936
stuart.case@gradian.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The SLA guarantees a 99.95% uptime which means that Symantec is responsible for the High Availability
• System requirements: LDAP directory synchronisation, if groupings will be used

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Please see Gradian's Support Guide
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Please see Gradian's Support Guide attached.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Documentation is made available from within the portal. Training can be provided at an additional cost
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: When the contract ends the service is suspended. The organisation at any time can delete information that is within the service
• End-of-contract process: When the contract ends the service is suspended. The organisation at any time can delete information that is within the service

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • MacOS
  • Windows
  • Windows Phone
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Broad range of authenticator options, including hardware authenticators, and FREE; software authenticators for desktop and mobile, plus out-of-band support via SMS text; messages or voice phone calls. Mobile authenticators support push notification with optional; local device authentication such as biometric or device PIN
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: VIP Manager Portal - An administrator/operator web portal capable of configuring service settings, enabling integrations, managing credentials and users, and providing a complete reporting solution.; Self Service Portal - An end-user web portal designed to assist in the management of strong authentication token.; Enterprise Gateway - A multi-purpose on-premises component to support strong authentication with remote access solutions (RADIUS), to synchronize AD/LDAP user and groups if desired, and to provide direct sign-on to the VIP Manager and Self-Service Portal using local directory authentication.
• Accessibility standards: None or don’t know
• Description of accessibility: The VIP Service is an authentication services hosted in a multi-tenant cloud solution comprised of credential databases, user databases and a fully documented set of web service (SOAP) APIs
• Accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: Custom API's are available for integrating with support for open standards such as SAML; and RADIUS. You can add two-factor authentication to your web and mobile apps while; retaining your look and feel with our easily integrated APIs and Credential Development Kit
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Any user facing components such as self service portal and authentication dialogues may; be customised with the customer's logo, configured via the customer administrator via the; management console. For deeper integration using the service API and credential developer; kit, the authentication process may be completely customised by the customer, using; custom authenticators and custom workflows

Scaling

• Independence of resources: Symantec Service Level Agreements guarantee 99.95 percent availability.; https://www.symantec.com/content/dam/symantec/docs/data-sheets/identity-andauthentication-; solutions-infrastructure-security-en.pdf

Analytics

• Service usage metrics: Yes
• Metrics types: Credential validations, successful and unsuccessful
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Broadcom/Symantec

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Administrators configure options to synchronize information from a compliant LDAP directory.; Reports can be exported from the service in CSV format
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: There is no requirement to upload data

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Symantec Service Level Agreements guarantee 99.95 percent availability.; https://www.symantec.com/content/dam/symantec/docs/data-sheets/identity-andauthentication-; solutions-infrastructure-security-en.pdf
• Approach to resilience: Resilience information is available on request
• Outage reporting: Available on request

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: To access the MSS portal the client contact or user must be a registered authorized contact with a valid Secure ID token. Symantec SOC staff needs to access the MSS Web Portal from the internal SOC Network to be able to conduct administration tasks and their authentication is also 2-factor.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: KPMG
• ISO/IEC 27001 accreditation date: 10/2016
• What the ISO/IEC 27001 doesn’t cover: KPMG Audit accredited the service in October 2016 until October 2019 for ISO27001:2013. The Information Security Management Certificate applies to all offerings, activities, locations, and supporting components where customer data is located and used to deliver Symantec's MSS in accordance with Statement of Applicability v2016.09.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SSAE 16 SOC 1 Type II

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Symantec MSS is an ISO27001 certified organization, a PCI-DSS compliant service provider, and provides a SSAE16/SOC1 Type II report.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Symantec MSS is an ISO27001 certified organization, a PCI-DSS compliant service provider, and provides a SSAE16/SOC1 Type II report. These security assurance engagements are conducted by accredited third party audit firms.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Symantec MSS is an ISO27001 certified organization, a PCI-DSS compliant service provider, and provides a SSAE16/SOC1 Type II report. These security assurance engagements are conducted by accredited third party audit firms.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Symantec's Global Security Office, in combination with Symantec's Managed Security Services, provides the proactive monitoring of the service. Please see https://www.symantec.com/about/customerone for more information
• Incident management type: Supplier-defined controls
• Incident management approach: Symantec's incident management process is available from our customer trust portal, https://www.symantec.com/about/customer-trust-portal. It is listed under the Security Program Summaries section.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Gradian are very proud to be an equal opportunity employer.

Pricing

• Price: £1 a user
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at stuart.case@gradian.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.