Boundary Security Protection (BSP)
Security boundary protection that mitigates the risks of DoS, data exfiltration, enumeration and exploitation. Security protections can be customised for your environment. Technology based on NCSC principles (ROSA). Ability to integrate with SIEM products such as Splunk and Elastic.
Features
- Accurate real time monitoring and reporting
- Generation of custom threat intelligence data
- Ability to detect DoS, DDoS and sophisticated APT level attacks
- Developed using NCSC architectural principles from ROSA
- Data enrichment enables quick investigation and action
- Multiple SIEM integration
- NCSC certified training
Benefits
- Reduces need for in-house expertise
- Provides a high level of assurance to detect malicious activity
- Provides deep visibility into attacks
- Identifies exfiltration
- Reduces risks due to misconfiguration or design errors
- Security monitoring methodology based on ROSA
- Minimal ongoing maintenance (configure once)
- Non-intrusive architecture ensures no loss of service
- Minimal capital outlay, instant benefits realisation
Pricing
£2,257 to £2,786 a unit a month
Framework
G-Cloud 13
Service ID
882101486252679
Contact
UBDS IT Consulting Ltd
Ann Gaskell
Telephone: 03301110066
Email: frameworks@ubds.com
Service scope
- Service constraints
-
Supported on Amazon Web Services
Physical edge deployments required
- System requirements
-
- AWS VPC
- The EC2 instance being monitored must be an AWS Nitro System instance type
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Dependent on SLA requirements. We will reply to generic questions within the next business day. Service response times are based on incident priority. Incident management is based on 24x7x365 coverage.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AAA
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- Web chat
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- WCAG 2.1 AAA
- Web chat accessibility testing
- We have ensured our helpdesk system has been tested as part of service onboarding
- Onsite support
- Yes, at extra cost
- Support levels
-
All service support levels are supported by specialist service management support and cloud engineering.
Severity P1: Key site or multi-site outage, or loss of service for an application. An issue that significantly affects all staff not able to perform their role. An issue that significantly affects the activities of the business. The impact on the reputation of the business is high. An issue that poses a significant risk to the customer’s applications and data security. 30 mins / 2 Hours / Next Business Day. Availability: 24x7x365.
Severity P2: Standard site outage or loss. Critical functionality or network access interrupted or degraded. An issue that significantly affects a moderate number of staff, with an impact on performing their role. An issue that will moderately affect activities of the business. The impact on the reputation of the business is moderate. Poses some risk to the customer’s data security. 60 mins / 4 Hours / Next Business Day. Availability: 24x7x365.
Severity P3: Causes no significant impact on business activities. Affects a minimal number of staff, minimal impact. An issue that will minimally affect business activity. 4 hours / 8 Hours / Next Business Day. Availability: 24x7x365.
Severity P4: 12 hours / 2 Days / 5 Business Days.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Training can be delivered onsite or offsite. Training is 1 day in duration. Further training can be provided at additional cost. User documentation can be provided if required, and can be customised specifically for the customer's services being protected. Engineers can be deployed to assist with configuration and resolution of onboarding issues.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Word
- End-of-contract data extraction
- A copy of packets and metadata is received and stored to inspect non-legitimate data. This stored data can be exported at the end of the contract. The data is in JSON and RAW formats.
- End-of-contract process
-
Service is disabled / decommissioned.
All data is destroyed.
Data can be returned to the customer.
Using the service
- Web browser interface
- Yes
- Using the web interface
- We will provide a web interface to the solution dashboard in read-only mode. This will allow customers to gain full visibility of the service and help to plan for any additional requirements. No changes will be possible through the solution dashboard. Any change management requests will be handled through our ITSM system.
- Web interface accessibility standard
- WCAG 2.1 AAA
- Web interface accessibility testing
- We have carried out testing with accessible users for our solution and service management dashboards
- API
- No
- Command line interface
- No
Scaling
- Scaling available
- Yes
- Scaling type
- Manual
- Independence of resources
- Each instance is independent of the others. Therefore one customer's service does not impact another customer.
- Usage notifications
- Yes
- Usage reporting
-
- API
- SMS
- Other
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- CPU
- Disk
- Memory
- Network
- Number of active instances
- Reporting types
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with another standard
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- A third-party destruction service
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Data from non-legitimate traffic
- Configuration data
- Configured ruleset
- Backup controls
-
The only components of the solution that are unique to the customer are:
1. The configuration of the service (network IP address, default gateway, syslog server address).
2. The ruleset required to detect non-legitimate traffic. This is a single file that can be backed up by the customer.
3. Data of identified non-legitimate traffic. This is in JSON and RAW formats. Each can be backed up on separate schedules.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Users schedule backups through a web interface
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
The service is using AWS infrastructure, which provides as a minimum 99.99% uptime.
For every 1% below this SLA, the customer will be refunded the corresponding % of the monthly billing.
- Approach to resilience
-
The service is using AWS infrastructure using a single instance.
For an additional fee, multiple availability zones can be used to provide a level of assurance with regards to resilience.
- Outage reporting
-
Email alerts
Phone calls
Identity and authentication
- User authentication
- 2-factor authentication
- Access restrictions in management interfaces and support channels
- Management access is only possible using mutual TLS authentication, which requires a valid certificate on the client. The client can be configured for certificate pinning to mitigate man-in-the-middle attacks.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Devices users manage the service through
-
- Dedicated device on a segregated network (provider's own provision)
- Dedicated device on a government network (for example PSN)
- Dedicated device over multiple services or networks
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- QMS
- ISO/IEC 27001 accreditation date
- 06/06/2021
- What the ISO/IEC 27001 doesn’t cover
- No exceptions
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
-
- FIPS 140-2 Level 1
- Common Criteria
- Security Technical Implementation Guides (DISA for DoD)
- ISO9001
- ISO22301
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
- Cyber Essentials Plus, ISO9001, ISO22301
- Information security policies and processes
-
Instances are created using a repeatable automated build process which follows the defined secure build standard.
All management of the solution requires mutual authentication using digital signatures (certificates) with TLS. This ensures only validated users can access the service, as defined in the security policy for managing the service.
The reporting structure is via the DPO and then CISO.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
The change management process for software changes follows a strict process to determine the risk and potential impact. Any releases are signed off by appropriate parties.
To minimise the risk of corruption due to changes and the accidental removal of security controls, a formal change control procedure is followed when making changes to any production system.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
The service is hardened and has a well-defined attack surface.
Any vulnerabilities are assessed against the attack surface to determine whether they impact the confidentiality, integrity or availability of the service.
If a vulnerability cannot be mitigated with other security controls, software patches are tested and deployed. From testing to deployment we aim for 48 hours as a maximum.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
Vulnerabilities are identified and tracked. Vulnerabilities are identified by:
receiving vendor and security researcher vulnerability announcements, monitoring vendor reporting distribution lists and reporting forums, and monitoring public reporting forums (CERT and NCSC).
Incidents are responded to depending on the severity. For a potential compromise this would be within an hour.
- Incident management type
- Supplier-defined controls
- Incident management approach
- We have a complete service reporting and management reporting process that augments and works with our clients' operating model
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Third-party
- Third-party virtualisation provider
- AWS
- How shared infrastructure is kept separate
- Native AWS separation
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
- AWS Hosted datacentres
Social Value
- Fighting climate change
-
UBDS recognises that we can make a difference through implementing environmental performance that protects and improves the communities we operate in. We are ISO14001 accredited, have an Environmental Management Scheme and we have created and published a Carbon Reduction Plan.
We track the environmental impact of our operations, ensuring that we reduce emissions in line with our carbon reduction plan during all activities, including operational delivery. We see carbon reduction as an exercise in continuous improvement and it is a key part of our work.
Our GCloud contracts enable us to fight climate change in a number of ways:
• We engage with buyers before the contract start to discuss initiatives such as remote working to minimise emissions.
• We engage with the supply chain to see evidence of commitments to net zero and discuss initiatives to reduce a contract’s environmental impact.
• We support and promote local environmental projects to promote positive stewardship and sustainable practices in the communities in which we work.
• We support and promote environmental initiatives and projects that our customers have developed or are part of.
• We work proactively with clients throughout the contract to deliver environmental benefits, e.g.:
- Facilitating the implementation of a Cloud first approach, which can reduce a service’s energy consumption by c. 88% due to public cloud economies of scale.
- Implementing “Green by Design” services that self-optimise energy consumption, e.g. auto-scaling cloud infrastructure on demand, automatic powering-down of infrastructure not in use.
- Partnering with technology providers with carbon emission goals e.g. AWS and Azure have commitments to achieve zero or negative carbon emissions.
- Covid-19 recovery
-
UBDS recognises the impact of Covid-19 on communities across the country and we have made efforts through our work to support local areas and help them recover. We will continue to do this through GCloud contracts, with initiatives such as:
• Providing Digital Skills Training
UBDS can provide digital skills training for disadvantaged people within the communities we work in, meaning that they have enhanced employment opportunities, something that is particularly important in areas where jobs have been lost through Covid-19. We also support digital enablement programmes and make donations of equipment to groups/charities (such as wiped equipment that we are replacing).
• Developing partnerships with local schools and colleges
We work with schools and colleges near our contracts to provide careers advice, curriculum and literacy support, with team members acting as Enterprise Advisors to local schools. We also develop retraining, mentoring and work placement programmes with colleges
• Supporting local SMEs/VCSEs
We do this by providing advice to SMEs and VCSEs, as well as through inclusion in our supply chain.
Where practical, UBDS commit to recruiting and deploying locally sourced skills and services. This is something which is important in supporting local economies affected by Covid-19, as well as the environmental benefits of minimising people's daily commute.
This is particularly evident in our sourcing activities, particularly with regards to customer engagements. We look to make use of local suppliers whenever there is a requirement outside of our own immediate expertise.
This approach boosts innovation, brings new perspectives and unlocks potential savings through the agility and value for money SMEs offer as well as helping local economies to rebuild post-Covid-19.
• Charity work
We encourage our staff to participate in, and contribute to, charity events and community schemes in their local area, including projects to support those affected by Covid-19.
- Tackling economic inequality
-
We will seek to address economic inequality within communities we work with on GCloud contracts through activities that drive investment, stimulate the local economy, create employment and increase job security:
• Our apprenticeship scheme
UBDS’ apprenticeship scheme is designed to offer opportunities to young people and/or those facing barriers to employment. Our Digital Academy in London and Salford hires local apprentices and graduates, including from deprived areas. We are committed to hiring new apprentices over the next year from the areas we have contracts in. Our apprentices are provided with training and mentoring to develop skills and we work closely with customers to facilitate practical work experience.
• Creating employment opportunities through our work
UBDS has experienced significant growth through the contracts that we have won and this has enabled us to create employment contracts in London and Salford, as well as in other areas across the UK. We believe that GCloud will lead to further opportunities and contracts.
• Payment of at least the living wage at all times
• Supporting local companies, including SMEs and VCSEs, through the course of our contracts by bringing them into our supply chain and through the provision of advice on developing their business.
- Equal opportunity
-
We are fully committed to equal opportunity as an organisation and will seek to use GCloud contracts to help us to embed equality and diversity throughout our work and our partnerships. We recognise that diverse teams bring unique value to our work and we celebrate the depth, breadth and diversity of experiences and backgrounds that drive our innovation and delivery of well-rounded solutions for the public. We feed this through our supply chain, including recruitment processes and work with customers to promote inclusive working environments. We:
• Build diversity into our company policies, for example flexible working and benefits that are fair to all.
• Recognise unconscious bias may occur and encourage staff to suggest ways to improve promotion of diversity.
• Use hiring methods to remove bias from the process, for example evaluation without viewing information that could disclose race, gender or age.
• Ensure equality and accessibility in recruitment to attract diverse candidates, giving opportunities to those who do not fit a typical profile.
• Develop genuinely diverse teams across our business and mentor new staff.
• Report on diversity within our organisation and work with partners who commit to doing so. We can use this information when working with customers to develop KPIs around diversity and reporting on these.
- Wellbeing
-
UBDS recognises the importance of the wellbeing of our staff and our suppliers and we have built a supportive, inclusive environment to support that. This supports and champions diversity as well as being sensitive to mental health related issues and mirrors our commitment to equal opportunities. Our approach is fed through all of our GCloud contracts and includes:
• Building diversity into our company policies, for example flexible working and benefits that are fair to all.
• Recognising unconscious bias may occur and encouraging staff to suggest ways to improve promotion of diversity.
• Using hiring methods to remove bias from the process, for example evaluation without viewing information that could disclose race, gender or age.
• Ensuring equality and accessibility in recruitment to attract diverse candidates, giving opportunities to those who do not fit a typical profile; e.g. we recently recruited a team member on an asylum seeker visa.
• Developing genuinely diverse teams across our business and mentoring new staff.
• Providing mental health “first aiders” within our organisation
• Ensuring that all of our buildings are fully accessible and assessing any needs new starters have in terms of equipment etc.
• Encouraging staff to take time out to volunteer within the local community and for charities, with paid time off to support this.
• Encouraging healthy routes to work (e.g. cycling, walking) and participation in schemes to support this.
Pricing
- Price
- £2,257 to £2,786 a unit a month
- Discount for educational organisations
- No
- Free trial available
- No