Thales UK Ltd

Key Management Service

Key Management Service - Controlling Cloud Encryption Keys
The Thales Key Management Service solution provides an independent whole lifecycle service for the management of encryption keys to fulfil requirements for safe, compliant and comprehensive key management across multiple clouds, including: Microsoft Azure, AWS, Azure Stack, Microsoft Office365, and Salesforce.com

Features

• Key management centralised from a single pane of glass/browser window
• Key storage in secure High Security Module, certified to FIPS140-2
• Integrates with a wide range of off-the-shelf cloud provider solutions
• Federated login using cloud service credentials
• Automated key rotation
• Cloud provider key provisioning
• Existing keys can be synchronised with Thales KMS
• Fully redundant component architectures – delivered, managed and monitored 24x7x365
• Carry out site surveys and develop transition plans/strategies

Benefits

• Centralised Key Management, implementable across all cloud providers
• No need to architect/deploy/maintain a high availability cloud KMS on-premises
• Whole Life Management through the entire cryptographic lifecycle
• Cloud provider agnostic - migrate easily between cloud providers
• Easy transition. Migrate, synchronising with existing cloud provider keys
• Allows customers to take full control of their key material
• Services offered can be scaled flexibly to support business needs
• Secure, resilient operations. Using specially trained, security cleared personnel
• Pro-active customer support detects issues before they happen

£59,635.04 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at fcmo@uk.thalesgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

916507393315784

Contact

Phaedra Warnes
07974 011385
fcmo@uk.thalesgroup.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Hybrid cloud
• Service constraints: Ciphertrust provides many deployment models that can adapt to public/private/hybrid cloud. It is possible to deploy as a physical or virtual appliance and to connect to a FIPS 140-3 L3 HSM for increased security. Using clustered deployments for production high availability and fault tolerance is recommended
• System requirements:
  • Virtual Ciphertrust must be deployed in supported clouds or hypervisor
  • Physical Ciphertrust can be racked in standard 1RU datacentre racks
  • Specific licences may be needed to connect 3rd/1st party software
  • Appropriate connectivity between Ciphertrust and client machines must be considered

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 24 x 7 x 365 coverage; ; The Thales Standard Support Package provides your organization with the technical support services you may need for a non-critical, development or test environment. It allows you access to our team of Technical Support Engineers, who will endeavour to answer any questions you may have about installing, configuring and maintaining your Thales products. Initial response within 8 business hours and access to Thales Support Portal and knowledge base; ; • 1 Hour for Critical issues • 4 hours for High issues • 8 hours for Medium and Low cases
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Premier Support Plan Coverage: includes unique SLA of up to 30-minute for First Technical Response. Additional features above Enhanced Support include: > Regular Support Account reporting and management. > Two certification training credits, allowing two of your engineers to attend Thales certification courses. This plan provides named technical contact and advanced services such as upgrades and migrations guidance, monthly updates, cases status calls and roadmap presentations. Enhanced Support Plan Coverage: Thales offers a comprehensive and responsive coverage option with its Enhanced Support Plan. The Enhanced coverage applies to Enterprise hardware products and stand-alone software products which often have to work together as a total solution. Features included above the Standard Support Plan include: > 24x7x365 online and phone support coverage with First Technical Response of one hour for critical issues and 4-hour response time for high issues. > 24x7 access to the Thales Knowledge Base and Support Portal. > Free advance exchange option, with priority shipment on the next business day. The exchanged hardware product is shipped from an authorized Thales location. > Free electronic access to all update releases of firmware or software originally provided with the hardware product and of Thales stand-alone software-based security products.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Thales – We help customer in various ways….; • Presales team help understand the product via POC, Demos etc.; • Customers can procure Professional Services to help in the deployment in different environments and integrating with other third party products (if required); • Thales also provides detailed documentation which can be accessed via …; ; https://thalesdocs.com/ctp/ctaas/admin/cm_admin/index.html
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: As Ciphertrust is a physical or virtual appliance, the customer is in full control and ownership of their data. The ability to migrate or extract data is general well supported, but varies depending on the use case being executed.
• End-of-contract process: The service is terminated

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Most administration is done via web UI or REST API, but it varies according to the use cases being performed with the key manager
• Accessibility standards: None or don’t know
• Description of accessibility: Thales - CipherTrust Data Security Platform Services (CDSPaaS) is offered through the Data Protection on Demand (DPoD) marketplace. To provision CipherTrust Service….; • Register a DPoD subscriber tenant through either of the following URLs, ; • https://ciphertrust.dpondemand.io/?tenant=<generated_tenant_name; • ; • A DPoD subscriber tenant is a DPoD instance, with its own unique URL subdomain.; • Log in to your DPoD subscriber as the Tenant Administrator.; • Provision the CipherTrust Service on DPoD to make a CDSPaaS tenant with an automatically generated tenant name. ; • Click the service name in DPoD to launch CDSPaaS web console UI in a separate browser tab.
• Accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: Ciphertrust providest a REST API that facilitates deployment of use cases or integration with 3rd party tools such as SIEMs, logging/monitoring APIs and orchestration frameworks such as terraform. Permissions are granular and customizable via a policy system that facilitates webUI or REST API users to perform actions with minimal permission necessary. Advanced features such as RBAC and ability to use quorum and multifactor authentication are available
• API documentation: Yes
• API documentation formats:
  • HTML
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Ciphertrust can integrate with a large number of 1st party and 3rd party software, encryption, key management and cloud key management interfaces, and also provides a REST, NAE-TLS and KMIP interfaces for customized integrations and APIs.; ; Users in Ciphertrust are subjected to policies and RBAC providing granular control on permissions, access control and objects.

Scaling

• Independence of resources: Ciphertrust must be properly sized and designed in terms of architecture to handle the load. Load comes mostly from 3rd party software using key management services, not users. Load varies depending on the use cases being executed, some are intensive but most are of low load.

Analytics

• Service usage metrics: Yes
• Metrics types: Ciphertrust uses Prometheus metrics, remote syslog and snmp to export logs and metric information. Interfaces such as rsyslog, Grafana, splunk, cloud logging APIs and many others can be used to collect them.
• Reporting types: API access

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Interaction with key management data is typically specific for each use case, but broadly can be done via main protocols/APIs: NAE-TLS, KMIP, REST/JSON
• Data export formats: Other
• Other data export formats:
  • NAE-TLS
  • KMIP
  • REST/JSON
• Data import formats: Other
• Other data import formats:
  • NAE-TLS
  • KMIP
  • REST/JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Ciphertrust is a key management appliance and Thales recommends the deployment in cluster for high availability and fault tolerance.
• Approach to resilience: Ciphertrust is not a service, but a key management appliance. Achieving resilience is done via clustered deployments
• Outage reporting: Appliance can be monitored via SNMP, syslog and other logging APIs that can feed alarming/monitoring interfaces

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is managed by customer Admins, including the creation of employee accounts and identifiers. Cloud HSM does not create any default accounts for users when services are provisioned.; Crypto operations are controlled by the partition officer and crypo users identities within a service tile. Each tile has its own set of identities and credentials. Portal based users who manage the environment or deploy applications are fully isolated from these tile based user identities
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman & Company
• ISO/IEC 27001 accreditation date: Jan 5 2024
• What the ISO/IEC 27001 doesn’t cover: N/a
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 18/1/2024
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: None
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • FIPS 140-2 Level 3 certificate number 3519 & 3520
  • SOC2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: https://thalesdocs.com/dpod/resources/white_papers/platform_white_paper/index.html#marketplace-and-service-security-model

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Thales implement a robust change management process with Technical and change approval boards for its product lines. Supporting policy documents can be made available as part of contractual discussions
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: https://thalesdocs.com/dpod/resources/white_papers/platform_white_paper/index.html#threat-monitoring-at-thales
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: https://thalesdocs.com/dpod/resources/white_papers/platform_white_paper/index.html#thales-internal-controls-and-procedures-for-dpod-marketplace-and-cloud-services
• Incident management type: Supplier-defined controls
• Incident management approach: The Thales CSIRT team operate across all product lines within Thales, Thales complies with RFC2350; Our Cert for RFC2350 and more information on our CSIRT team can be found here; https://www.gemalto.com/csirt; Thales has and will maintain a security incident response plan that includes procedures to be followed in the event of any actual, suspected, or threatened security breach of the personal information. Upon request, Thales shall provide documentation regarding such analysis and remediation.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  Fighting climate change; Thales UK has a clear focus on fighting climate change. Thales has set itself a target of becoming a Carbon Net Zero company by 2030, powered by cleaner energy used more efficiently at our sites and for our business, with renewable energy supplies.; ; There are several strategies that Thales and our Cyber offerings implement to fight climate change, including:; ; 1) Sustainable future. Thales has put fighting climate change at the centre of its strategy, highlighted by the fact that tackling climate change is one of the 4 Thales strategic pillars. Thales Cyber security and consultancy offerings have enabled companies to develop secure and sustainable products, prevent product recalls, learn digital lessons and reduce rework that go towards meeting their strategic sustainability objectives and tackle climate change.; ; 2) Travel reduction. Thales has introduced a Smart Working model to reduce the travelling required by the workforce. One pillar of this is arranging virtual meetings with Customers, Stakeholders and interested parties. Thales has also deployed numerous tools to enable Thales UK to effectively operate via remote / smart working. It is expected that meetings under G-Cloud could implement this methodology to offer the same benefits to the customer. Running on managed services means efficient use of shared and common infrastructure, allowing sustainable collaboration from existing infrastructure, where organisations or teams may once have had dedicated infrastructure are now allowed to work remotely, securely.; ; 3) Carbon reduction. Thales strives to implement carbon reduction, through a series of targets to reduce carbon emissions annually. Smart working, championed by our Cyber Security Consultants and offerings has been a key enabler of this strategy. Additionally, services enabling secure collaboration mean that businesses do not need to procure additional new hardware, thereby having a positive environmental impact.

  Tackling economic inequality

  For the theme of “Tackling Economic Inequality” Thales’s methodology centres on a number of Sub themes these included: Levelling up, Increasing productivity and Education & Training.; Levelling up - Geographical Challenges; ; Thales is committed to the UK prosperity as a whole and drives economic activity in all parts of the country. In 2020, Thales supported over 25,400 jobs in the economy, driving growth in all four nations of the UK.; Thales works with local government and institutions to provide opportunities for local people and to support redevelopment of deprived parts of the UK. A recent example includes:; Investing in Wales - In partnership with Blaenau Gwent Council, the Welsh Assembly and the University of South Wales, Thales established a £20m National Digital Exploitation Centre in EbbwVale. It’s generating new jobs in high-demand and high-skill areas for a region that has suffered from economic inequality. ; Education and Training; ; Thales is committed to the professional development of the contract workforce and provides access to learning opportunities to ensure employees have knowledge and skills to keep up with the pace of technological change. ; Thales has an established early careers programme that attracts both apprentices and graduates (A&G) from a diverse background. In 2023 we hired 154 A&G colleagues, with a 2025 objective of at least 10% of all new hires to be graduates/apprentices.; Where appropriate due to Security Aspects, Thales will enable A&Gs to work alongside projects teams to learn ‘on the job’ and gain valuable insights beyond academic lessons. ; School STEM Workshops. Careers Fairs & Volunteering; ; Thales has an established partnership with the Smallpeice Trust to deliver STEM and careers workshops to members of underrepresented groups in schools/colleges serving disadvantaged communities. ; All employees benefit from 24 hours yearly allowance for volunteering.

  Wellbeing

  Thales considers the health and wellbeing of our people to be fundamental to our success as a business. We have a well-established health and wellbeing (H&W) support provision, which has enabled us to rapidly provide critical support to our employees where and when it is needed most. ; In 2017, Thales signed the Time to Change pledge, publically stating our commitment to changing the way we think and talk about mental health in the workplace. We have trained 200+ of our people in Mental Health First Aid, a network of supporters who can recognise the early signs of mental ill health, listen whilst assessing for crisis, and provide information. ; Help @ Hand; Thales provides every employee & their families access to an Employee Assistance Programme - A 24/7 helpline for in the moment emotional and practical support, or signposting onward resources, such as healthcare or local assistance. ; In 2021 Thales developed a ways of working model to support and equip teams, individuals & people managers with resources and frameworks to promote our hybrid ways of working following the pandemic, the framework promotes a culture of wellbeing and psychological safety for teams to work effectively within the new working culture.; Sustained & continued support; Thales also has a dedicated Employee Relations team to provide specific and tailored interventions. Thales will work alongside Occupational Health, H&W providers and rehab services to establish adjustments and tailored programmes to enable employees to return to work in the manner that is safest for them.; Thales will track and monitor working patterns to ensure that all hours worked are booked in the ERP Systems to actively monitor loading on individuals so that individuals maintain a healthy work/life balance. Any significant deviations from the norm will be raised in sprint planning reviews to inform resource balancing actions.

Pricing

• Price: £59,635.04 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at fcmo@uk.thalesgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.