Softcat Limited

Illumio Zero Trust Segmentation Platform

Illumio offers a comprehensive platform for micro-segmentation and security. It provides real-time visibility into application traffic, enabling precise control over communication pathways. This enhances security by minimizing attack surfaces and ensuring compliance across hybrid cloud environments.

Features

• Automated security enforcement

Benefits

• Eliminate blind spots inside data centers and the cloud

£270 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at psitq@softcat.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

975129260043476

Contact

Charles Harrison
01628 403403
psitq@softcat.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: N/A
• System requirements:
  • Minimum Disk Space: 500MB
  • Recommended Disk Space: 1.5GB to 2.0GB
  • Operating System: Windows or Linux

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: P1 - 30mins; P2 - 2Hrs; P3 4-hrs; P4 1 Business day
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Illumio Technical Support provides enterprise level 24/7, follow the sun coverage, for your Illumio solution. This includes identifying issues, providing resolutions to those issues and making software releases & fixes available.; Illumio offers a Technical Account Manager separately.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online recorded training material available for consumption free of charge via support portal or paid training subscription for 12 months access to online live learning modules with labs.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Customers may export data contained on the PCE at any time in JSON or CSV format.; Illumio Core SaaS is hosted on AWS, which adheres to NIST 800-88 guidelines for data destruction. Policies and procedures are in place for ensuring secure disposal of customer production data. Data is removed from the application at customer request or at subscription termination. Backups are retained for 90 days, however would not be customer accessible in the event of termination.; Please refer to your Illumio agreement for more information.
• End-of-contract process: Illumio Core SaaS is hosted on AWS, which adheres to NIST 800-88 guidelines for data destruction. Policies and procedures are in place for ensuring secure disposal of customer production data. Data is removed upon subscription termination or at customer request. Data remains in backups until expiration after 90 days.; ; Certification of data destruction can be provided upon request. ; ; Data shared by customers in the course of doing business, e.g., emails and support information, may be deleted upon customer request, except for data held reasonably for backup and archival purposes. Please see Illumio's Privacy Policy for more information. https://www.illumio.com/privacy-policy/

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • Windows
  • Other
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: The Illumio API is a RESTful API and uses JSON over HTTPS, which helps automate configuration. JSON is used to encode all data transfer in both directions, so that everything sent to and everything received from the API gets encoded in JSON. To work with Illumio API, you need to be authorized by an Illumio administrator and to have the appropriate credentials for authentication
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Illumio has three core products which helps an organisation customise the solution to their requirements; Illumio Core (Workload Security), Illumio Cloud Secure (Cloud Security) and Illumio Endpoint (Endpoint Security)

Scaling

• Independence of resources: Data from multiple tenants is stored in one table space (single-schema) and logical segregation is handled by the data access layer. Other necessary logical segregation controls are built into the system, including as per tenant capacity controls to limit the usage of storage (size limit), CPU/application stack (API limits) to prevent one tenant from interfering with the security, confidentiality and availability of other tenants, while sharing the same physical infrastructure. Every software module - existing and new - uses these common logical segregation controls.

Analytics

• Service usage metrics: Yes
• Metrics types: Illumio monitors the uptime metrics, utilizing an external product to look into metrics for availability.; ; Illumio can share SaaS platform uptime reports during monthly Customer Success calls
• Reporting types: Reports on request

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Illumio

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: Illumio Core implements a wide range of security controls, including encryption of data-in-transit (and encryption of data-at-rest for SaaS deployments), strong authentication using SAML IdPs, brute-force login attempt mitigations, VEN tamper protection, session expiration, and other measures.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Using the Export feature, you can download PCE objects in JSON and CSV formats. These reports are very useful when you want to share the data with application owners, managers, executives, or auditors who do not have access to the Illumio PCE
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Illumio is hosted on Amazon Web Services (AWS) and provides an uptime Service Level Agreement (SLA) of 99.8% for Illumio Core SaaS. For information about the SLA, please refer to the Illumio Master Subscription Agreement (https://www.illumio.com/legal/eula).
• Approach to resilience: The Illumio Core SaaS platform is hosted on AWS, which maintains multiple layers of infrastructure redundancy. The Core PCE is configured for high availability (HA), with multiple redundant nodes to provide failover capabilities in the event of outages, corruption or system failures.; ; Illumio also has an established BCP and DR Plan that includes processes, procedures, and contact information to be used in the event of an incident or disaster. This process is validated annually by independent assessors as part of the Core Type 2 SOC 2 examination. Please refer to the Core Type 2 SOC 2 report for more information.
• Outage reporting: Illumio will notify SaaS customers of any BCP and DR events that impact their services using email and/or web notifications. Additionally, information on outages and other relevant items can be found on the Illumio support portal.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: All users are uniquely identified by unique user IDs assigned to them during employment.; ; Access requests are logged in a ticket tracking system, reviewed and approved based on a need-to-know basis, and restricted to the least privilege necessary.; ; User access reviews are performed on a regular basis to ensure that access to data is properly restricted and authorized.; ; Access to corporate network, production systems and customer support services is removed immediately following termination of an internal user.
• Access restriction testing frequency: At least once a year
• Management access authentication: Identity federation with existing provider (for example Google Apps)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: A copy of documentation can be shared under NDA
• PCI DSS accreditation date: A copy of documentation can be shared under NDA
• What the PCI DSS doesn’t cover: A copy of documentation can be shared under NDA. For a list of all current certifications, please refer to Illumio's certifications page: https://www.illumio.com/certifications
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • https://www.illumio.com/certifications
  • Type 2 SOC 2
  • NIAP Common Criteria
  • SSAE-18
  • FIPS 140-2
  • Section 508

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: The Security team maintains a set of written Information Security policies, standards, and processes. Policies are reviewed by executive management at least annually or when a major change occurs. All employees are required to acknowledge and sign the Employee Handbook, which includes Illumio's security policies, at hire and annually thereafter.; ; The Illumio Information Security GRC team provides independent oversight regarding compliance with Information Security policies. The Governance, Risk & Compliance Senior Program Manager reports to the VP, Information Security.; ; These policies and procedures are validated and tested by independent auditors as part of the SOC 2 Type 2 examination.
• Information security policies and processes: Illumio's maintains a dedicated security team, overseen by the VP of Information Security.; ; The Security team maintains a set of written Information Security policies, standards, and processes. Policies are reviewed by executive management at least annually or when a major change occurs. All employees are required to acknowledge and sign the Employee Handbook, which includes Illumio's security policies, at hire and annually thereafter.; ; The Illumio Information Security GRC team provides independent oversight regarding compliance with Information Security policies. The Governance, Risk & Compliance Senior Program Manager reports to the VP, Information Security.; ; Illumio does not share security policies externally. These policies and procedures are validated and tested by independent auditors as part of the SOC 2 Type 2 examination. Please refer to the SOC 2 Type 2 report for evidence.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Product: Security is integrated into the Illumio product development lifecycle. Illumio performs secure architecture design reviews and threat modeling for each feature. Static analysis is performed for key parts of the codebase, and open-source components are scanned for vulnerabilities. Illumio also engages independent assessment firms to perform offensive testing (pentests) and targeted code reviews for major releases. Each release validated and signed-off by the security team.; ; IT systems: Illumio IT maintains a formal change management process, which includes Security team input. A weekly Change Advisory Board is used a forum to socialize the planned changes and surface any potential objections.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Illumio maintains a comprehensive program to identify and address vulnerabilities in the product. Security defects identified via reporting or during testing are remediated based on risk severity and in accordance with internal SLAs. Critical patches (application, system, security) happen as needed.; ; Threat intel feeds are implemented programmatically. Vulnerability feeds are currently monitored on an ad hoc basis.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Security alerts for the Illumio environment are monitored on a 24x7 basis, through a combination of dedicated SOC Analysts and on-call rotations. Security monitoring protocols are defined through both policies and procedures, in alignment with other policies such as for Incident Response.
• Incident management type: Supplier-defined controls
• Incident management approach: Illumio has a formal Incident Response Program which includes a documented Incident Response Policy, Plan and relevant procedures. The Incident Response Program is tested at least on an annual basis.; ; This process and documentation is validated and tested by independent third-party auditors as part of the Type 2 SOC 2 examination. Please refer to the Type 2 SOC 2 report for evidence.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Softcat are dedicated to reducing our environmental impact and actively promoting sustainability. Our commitment to sustainability is a core aspect of our business strategy, driving us to innovate and lead in the creation of a more sustainable future for our company and the communities we serve. This commitment is embedded in our policies, operating procedures, and training programs.; ; We are proud to be the first FTSE 250 company to be awarded 5-star status in relation to the United Nations Sustainable Development Goals. ; ; We aim to achieve a Carbon Net-Zero Value Circle by 2040 by prioritising renewable energy, reducing natural resource use, minimising waste, and safeguarding biodiversity in compliance with environmental legislation.; ; At Softcat, we have taken significant steps towards securing renewable energy across our organisation, reducing our scope 1 & 2 emissions. We had the target of using 100% Renewable Energy across all our locations by 2024. We successfully delivered against this target ~2 years early.; ; In May 2023 we took delivery of 15 electric vehicles, replacing all existing fossil-fuelled company cars used by employees for business means. The implementation of the EV pool fleet will see a saving of over 80 tons of CO2e per year. A huge impact on our Net Zero targets.

  Tackling economic inequality

  As a value-add reseller, Softcat outsources the products, services, and solutions through our extensive network of partners, to best suit the needs of our broad client base. We always consider and promote SMEs and local providers where appropriate, particularly for the products and services we offer via the G Cloud framework.; ; We remain dedicated to improving employability and educational awareness across schools, colleges, and universities to help break down the barriers to joining technology organisations.; ; We work collaboratively with many schools that are close in proximity to our offices, to ensure we are actively supporting the community as well as schools from lower socio-economic backgrounds. ; ; We visit the schools to talk about the IT sector and the roles in our organisation, as well as promoting work-experience opportunities during the summer. In particular, we actively encourage students from diverse backgrounds to engage in work experience to appreciate the roles available in our sector.; ; For ambitious school and college leavers, a Softcat Apprenticeship is a great first step into the world of work, with 94% of our apprentices offered a permanent position at Softcat post apprenticeships, which goes to show the amazing opportunity available with us.; ; We were ranked 1st in IT & Consultancy, and 10th overall in by RateMyApprenticeship.com - Best 100 Apprenticeship Employers 2023-2024 list.; ; Softcat now also offer 12 month paid internships to University students looking to complete a year in industry as part of their undergraduate studies.

  Equal opportunity

  Our approach to diversity and inclusion is introduced first during our induction training, as part of our Softcat values, outlining responsibility to uphold our principles. This message is reinforced by our process and policies, networks, Allyship Training and Inclusion Awareness campaigns.; ; Softcat supports diversity and inclusion through various networks including:; - Supporting Women in Business (SWIB); - The Ethnic and Cultural Network; - The Pride Network; - The Family Network; - The Empowering Disability and Neurodiversity Network (EDN); - The Faith at Work Network; - Armed Forces & Veterans Network; These networks aim to create a supportive and inclusive work environment for all employees, regardless of gender, ethnicity, sexual orientation, disability, or family commitments.; ; Our allyship programme, Stronger Together, is a mixture of event and workshop-based training available to all staff. Programme topics include, bias, power, privilege, and being a greater ally. ; ; Inclusion Awareness campaigns include race, disability, sexual orientation, gender, faith, and caring responsibilities. These sessions highlight and celebrate minority groups, through panel sessions, Q&A sessions and training, providing an opportunity to discuss and understand ways to be more inclusive. ; ; Our efforts to improve diversity and inclusion have been incredibly successful. Since 2020, the number of female employees below management level has increased to 35%, and the number of ethnic minority employees rose to 17%.

  Wellbeing

  At Softcat, all employees are provided with access to our multidimensional wellbeing programme which includes flexible work arrangements, free nutritious breakfast, mental health support, employee benefits scheme, health and wellbeing week activities, and online workshops.; ; Giving back to the community is an innate part of who we are as a company. All Softcat employees are therefore given two volunteer days per year to support a charitable or community cause. ; ; Each of our 10 regional offices also support local charities through fundraising, donations and events. For example, our Manchester office has raised over £30,000 for the WeLoveMCR charity. This funding has supported young, disadvantaged Manchester citizens in gaining qualifications to broaden their work opportunities and supporting local groups in delivering indispensable services that enable community cohesion.

Pricing

• Price: £270 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: For any customer wishing to try Illumio a Proof of Concept service can be supplied, or a virtual test environment can be accessed to see the solution in practice.; ; This is available on request

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at psitq@softcat.com. Tell them what format you need. It will help if you say what assistive technology you use.