
e2e Secure Cloud Connect Service - Service Definition Document


Academic year: 2021


e2e Secure Cloud Connect Service– Service Definition Document v1.6

1 OPEN

e2e Secure Cloud Connect Service - Service Definition Document

Overview

A cloud connectivity service that connects users, devices, offices and clouds together over the Internet. Organisations can choose a service that suits their security and connectivity requirements. Includes VPN clients that support Windows, Mac, Linux and most tablets and phones to provide secure anywhere access to cloud resources. This is a cloud independent service as it covers cloud connectivity to e2e or any other suitable cloud provider.

Service Overview

Cloud services offer outstanding value for money but the connectivity to and from the services is often overlooked. e2e’s secure cloud connect service takes away all the hassle of implementing and managing the secure connectivity required to consume the services securely. The service is designed to the highest security standards and follows CESG best practice and architectural guidelines. This can provide all the security and service advantages of commissioning dedicated private links but is much quicker, cost effective and scalable.

The service reduces an organisation’s exposure to threats by consolidating all cloud connectivity to a security gateway that cleanses and monitors traffic. This gateway provides security services such as in-line antivirus scanning, intrusion prevention and optional protective monitoring as well as other advanced security monitoring services. The service provides a complete VPN and security hub that provides strong encryption with certificate based, always-on full tunnel client/mobile VPNs as well as on demand, two-factor based thin client style connectivity from appropriately secured devices. Mobile devices are supported and can be managed as part of the service.

• Allows your organisation to connect to and manage cloud resources using CESG approved technologies

• Allows your organisation to connect to and manage cloud resources using a wide range of Windows, Linux, MAC and even Android and IOS devices

• Allows your organisation to connect to and manage cloud resources using a wide range of tablets, phones, and other similar devices running Windows, Linux, MAC, Android and IOS

• Mobile Device Management – as an option we can provide a fully managed MDM solution with integrated device security, secure app containers, secure email, etc.

• Assured service design – the service is designed by a Senior CESG IA Architect


• Security assurance – the service has a Protective Monitoring service aligned with your risk posture and threat model

• Cloud service model – only pay for what you use

• Cloud procurement model – no CAPEX, no setup charges, just a monthly fee for the services you use

• Flexibility to run whatever applications and services you choose within the service

• Scale-up on demand service flexes with your business to ensure the resources are available when you need them most

• Securely enables your business by allowing you to pursue the best value services and maximise opportunities whilst maintaining your security posture

• Agile, adaptive cloud aware service secures your journey to the cloud by supporting connectivity to hybrid or existing customer solutions and other cloud services

• Three service levels available to ensure you have a level of service that fits your needs

• Highly available and DDOS resistant - designed to provide 99.99% monthly availability

• Provides a single, resilient cloud access method – secures your cloud by reducing the entry points to one resilient, multi-site secure connect gateway thereby dramatically reducing your exposure and providing auditable, secure access

• Optional proxy service provided so that organisations can send all their Internet bound traffic through the security services – thereby increasing threat detection and infected host detection

• All Private Clouds used for this service are located in the UK, all data resides in the UK and the service is managed by a UK company using SC cleared staff

• All access to the service can be secured with two or even three factor authentication

• Optional Protective Monitoring and Alerting service for potential and verified threats

• Expert Incident Response available before a cyber-event becomes a major security incident

• Standards compliance - built to work with existing organisations security frameworks and facilitate compliance with ISO27001, IASME and Cyber Essentials Plus


The Cloud Connect Service


e2e Secure Cloud Connect Service – Connectivity options and responsibilities

The diagram above shows the managed cloud on the right. Items in blue are the customer’s responsibility and items in orange and green are e2e’s responsibility. The service is designed to be consumed over the Internet using IPSec VPNs or TLS encryption. e2e can provide an optional dedicated VPN device at any of the customers’ locations in order to provide a managed site to site VPN service. The customer can also choose to provide their own fixed VPN endpoint. Remote access VPNs follow the same pattern; e2e can provide a VPN client or the customer can use their existing VPN client (so long as it is a CESG CPA foundation approved product).

How do I know which service is appropriate?

There is a level of service appropriate for all organisations. If you do not currently know what the right level of service is we offer a simple process:

1. e2e provide a free, one day on site cloud workshop led by a CESG Senior IA Architect where we work with your organisation to establish your requirements and cover aspects such as your organisation’s risk profile and security assurance requirements, connectivity requirements as well as your platform and application requirements.

2. The workshop report includes expert advice from e2e and a heat map similar to the one below, which gives us a score:


e2e Secure Cloud Connect Service levels of service

Baseline
Target SLA/Month (during service hours): 99.50%
Service Hours: 8am to 6pm Mon-Fri
Service Hours Response Time: 1 hour
Emergency/out of hours 24/7 response time: 8 hours
Protective Monitoring Service: Optional (Baseline recommended)
DOS and DDOS Protection: Baseline
Security features: Mobile VPN, fixed VPN, triple-tier firewalls, two-factor authentication

Enhanced
Target SLA/Month during service hours: 99.99%
Service Hours: 8am to 6pm Mon-Fri
Service Hours Response Time: 1 hour
Emergency/out of hours 24/7 response time: 8 hours
DOS and DDOS Protection: Enhanced
Protective Monitoring Service: Optional (Enhanced recommended)
Security features: Mobile VPN, fixed VPN, triple-tier firewalls, two-factor authentication, network anti-virus, network IPS, network IDS

Premium
Target SLA/Month during service hours: 99.99%
Service Hours: 8am to 8pm Mon-Fri
Service Hours Response Time: 1 hour
Emergency/out of hours 24/7 response time: 4 hours
DOS and DDOS Protection: Premium
Protective Monitoring Service: Optional (Premium recommended)
Security features: Mobile VPN, fixed VPN, triple-tier firewalls, two-factor authentication, network anti-virus, network IPS, network IDS, Botnet detection, DLP, triple-factor


Roles and responsibilities

This is a fully managed service that covers the creation of the fixed VPNs, provision of the mobile VPN devices and cloud connect security services. Each customer solution has dedicated VPN devices at the e2e datacentre and customers can either use existing VPN devices or e2e provided devices at their managed VPN end points. The customer (or the customer’s 3rd party supplier) is responsible for installing and configuring the mobile VPN clients and supporting the end users.

The customer is responsible for managing any of their own VPN devices used in the service or delegating management of these devices to e2e.

e2e are responsible for managing all the VPN devices they provide as part of the service.

The customer is responsible for providing details of all users and informing e2e of users leaving the service.

Pricing

There is an on-boarding charge for this service. This is to enable your organisation to be able to consume the service and includes training and guided build workshops to streamline the on-boarding. The on-boarding charges are one off charges that are incurred at service commencement. There is a second one off charge that is incurred when scaling up. This is due to the increase in license, underlying private compute, bandwidth and other service costs that are required to provide the new level of service.

There are three parts to the pricing; the number of mobile VPN users, MDM users and the number of fixed VPNs.

| Mobile VPNs | Baseline | Enhanced | Premium | On-boarding | Scale-up |
|---|---|---|---|---|---|
| 500-1000 | £11.00 | £13.00 | £17.50 | £5,000.00 | £1,500.00 |
| 1001-2000 | £10.00 | £11.00 | £15.00 | £5,000.00 | £1,500.00 |

Fixed VPNs

| Number of fixed VPNs | Baseline (monthly price per VPN) | Enhanced (monthly price per VPN) | Premium (monthly price per VPN) | On-boarding (one off at service commencement) | Scale-up (incurred when scaling up; one off, not per month) |
|---|---|---|---|---|---|
| 1-5 | £400.00 | £450.00 | £475.00 | £2,500.00 | £900.00 |
| 6-10 | £375.00 | £425.00 | £450.00 | £2,500.00 | £900.00 |
| 11-20 | £350.00 | £400.00 | £425.00 | £2,500.00 | £900.00 |
| 21-50 | £325.00 | £375.00 | £400.00 | £2,500.00 | £900.00 |
| 51-100 | £300.00 | £350.00 | £375.00 | £5,000.00 | £1,500.00 |
| 101-250 | £275.00 | £325.00 | £350.00 | £5,000.00 | £1,500.00 |
| 250-500 | £95.00 | £105.00 | £125.00 | £5,000.00 | £2,500.00 |
| 501-1000 | £90.00 | £100.00 | £115.00 | £5,000.00 | £2,500.00 |

Mobile Devices (MDM) Baseline Enhanced Premium On-boarding Scale-up


Cloud Connect Security Monitoring/ Protective Monitoring Service

The Cloud Connect service can be purchased without a protective monitoring service if an organisation determines that they do not require it. This would result in the service logging data but no actions being taken to investigate or inform the customer of the alerts. Organisations can also choose one of three levels of protective monitoring – i.e. they can choose a premium cloud connect service and a baseline protective monitoring service or any other such combination that best aligns with their risk posture.

The protective monitoring service provides a complete security monitoring system, designed and built by e2e experts who have spent over 15 years designing and building security systems for major banks, telcos, payment providers and the military. e2e have taken the best of open source and commercial systems and blended them together to provide a formidable arsenal of security services.

Some of the components of this system are listed below:

• Log collection, storage and monitoring of all data flowing through the secure cloud connect

• Network based IDS using open source tools and network based IPS using commercial tools

• Traffic monitoring and intelligent traffic analysis (i.e. detects and classifies traffic based on its type not its port number – e.g. detects data tunnelling and applications using nonstandard ports, exfiltration and other data leakages)

• Packet capture and analysis to enable investigations into alerts and to support incident response

• DNS monitoring to detect DNS lookups to known or suspected malware or other suspicious domain names

• Botnet monitoring – hunts for and alerts on any type of connection known to be used by botnets

• Web and email threat monitoring – monitors access to the Internet and emails and hunts for known threats and signs of potential threats in web site browsing, URLs and emails

• Threat indicator monitoring and latest threat intelligence monitoring

• Geographic analysis of all attacks and traffic

• Cloud-focused service design that provides monitoring of the latest cloud based threats and intelligence

• Fully managed cloud service that can be provided with varying levels of customer involvement as appropriate

• In depth reporting on all aspects of the service

There are three levels of service available:

Baseline Protective Monitoring and Alerting Service

Enhanced Protective Monitoring and Alerting Service

Premium Protective Monitoring and Alerting Service

Log Collection

As baseline plus:

As enhanced plus:

Log Storage

Log Reporting

Monthly event and threat summary

Fully managed service that includes e2e triage prior to raising alerts with customer

Log Alerting

Retention periods of 12-36 months for logs and one week for full packet captures

Includes e2e incident response engagement (first 5 days) for any incident e2e escalate to customer as a Priority 1

Email alerts to customer

Alerts triaged by e2e vSOC and escalated to customer when appropriate

Includes event triage and investigation services (provides customer with evidence and advice and options to mitigate, contain or manage threat).

Monthly statistical report

Includes host based IDS agent (optional if network based IDS can be deployed effectively)

Includes full event reporting, security processes management, monthly review meeting and continuous service improvement

Retention periods of 3-12 months

Includes one on-premises security monitoring device provided by e2e as part of the service

Removes the requirement for customer to provide any security resources

Log collection limited to 10 logs per second per device averaged over month

Threat indicator detection (detects typical signs of threats by their indicators)

Includes external vulnerability scanning and alerting services

Any log source capable of generating collectable logs

Includes one virtual network IDS per 128 IP addresses

Includes one instance of packet capture, DNS monitoring, botnet, web and email monitoring

Customer responsible for investigating events, or purchasing e2e incident response days to be used for this purpose


The protective monitoring service is priced per device or IP address that passes through the cloud connect service. This should be the real number of customer IP addresses protected by the service. There are no on-boarding or scale up charges.

Cloud Connect Baseline Protective Monitoring and Alerting Service

| Number of IP addresses monitored | Per Month |
|---|---|
| 10-25 | £445.00 |
| 26-50 | £645.00 |
| 51-100 | £815.00 |
| 101-150 | £1,100.00 |
| 151-250 | £1,650.00 |
| 251-500 | £2,050.00 |
| 500-1000 | £3,995.00 |
| 1001-2000 | £5,995.00 |

Cloud Connect Enhanced Protective Monitoring and Alerting Service

| Number of IP addresses monitored | Per Month |
|---|---|
| 10-25 | £615.00 |
| 26-50 | £855.00 |
| 51-100 | £1,195.00 |
| 101-150 | £1,450.00 |
| 151-250 | £2,250.00 |
| 251-500 | £3,550.00 |
| 500-1000 | £5,750.00 |
| 1001-2000 | £8,995.00 |

Cloud Connect Premium Protective Monitoring and Alerting Service

| Number of IP addresses monitored | Per Month |
|---|---|
| 10-25 | £1295.00 |
| 51-100 | £2,750.00 |
| 101-150 | £4,750.00 |
| 151-250 | £6,750.00 |
| 251-500 | £7,250.00 |
| 500-1000 | £9,550.00 |
| 1001-2000 | £16,995.00 |

VPN devices

Where e2e are required to provide a VPN device there is a fixed charge per device that covers the device and installation.

CPA VPN Device: Installation of an e2e provided CPA VPN device. Per device: £2,850.00

Proxy Services

Web, DNS, NTP and SMTP proxy services can be provided to further secure your organisation’s cloud. You will need to configure all your services to point to a cluster of proxy services at e2e and close down all other outbound internet access from your other services other than the VPNs. This dramatically increases your security and simplifies your cloud landscape. The same can be done for SMTP traffic. If required we can also provide SSL inspection of all outgoing HTTPS traffic to look for threats buried in encrypted traffic. This method of cloud security is highly effective at bringing your cloud under control and allows us to identify anomalous traffic by its characteristics as well as by matching against known threats.

These services are only available at Enhanced and Premium. Organisations will only ever need one of each of the items below unless they choose a dual site service, which then requires two.

| Service | Description | Charge | Price |
|---|---|---|---|
| Web proxy service (1 to 250 users/ IP addresses) | Web proxy/HTTPS proxy/DNS/NTP cluster at one location | Per month | £550.00 |
| SMTP proxy service (1 to 250 users/ IP addresses) | SMTP proxy cluster at one location | Per month | £550.00 |
| Web proxy service (250-500 IP addresses) | Web proxy/HTTPS proxy/DNS/NTP cluster at one location | Per month | £850.00 |
| SMTP proxy service (250-500 users/IP addresses) | | | |
| | Web proxy/HTTPS proxy/DNS/NTP cluster at one location | Per month | £1150.00 |
| SMTP proxy service (500-2000 users/IP addresses) | SMTP proxy cluster at one location | Per month | £1150.00 |

It is also possible for web browsing and email to be directed through other cloud web SMTP security services that the customer may already have or wish to procure. In those cases the services above would not be required and we would route the traffic to the requested cloud provider.

Priced examples

A customer requires 25 mobile VPN users to connect two offices, one cloud service and the baseline service best fits their needs. The monthly cost would be:

25X Mobile VPN users at baseline = £875.00

3X Fixed VPN at baseline = £1,200

Total: £2,075.00 per month

They choose the baseline protective monitoring service. There are 25 mobile VPN users and they connect to two servers in the office and one in the cloud. The protective monitoring service needs to cover 28 IP addresses:

Protective Monitoring: £855.00 per month


A customer requires connectivity for 110 users and one cloud service. The monthly cost for an enhanced service would be:

110X Mobile VPN users at enhanced = £2,750.00

1X Fixed VPN at enhanced = £450.00

Total: £3,200.00 per month

They choose the enhanced protective monitoring service. There are 110 mobile VPN users and they connect to two web servers in the cloud and one email server in the cloud. The protective monitoring service needs to cover 113 IP addresses:

Protective Monitoring: £1,450.00 per month

The on-boarding charges are: Mobile: £2,500.00 Fixed: £2,500.00

A customer with 500 users and 10 VPNs with a Premium service would be:

500X Mobile VPN users premium = £10,000.00

10X Fixed VPN premium = £4,500.00

Total: £14,500.00 per month

The on-boarding charges are: Mobile: £5,000.00 Fixed: £2,500.00

They choose the premium protective monitoring service. There are 500 mobile VPN users and they connect to two web servers in the cloud and one email server in the cloud. The protective monitoring service needs to cover 600 IP addresses as they direct all cloud traffic through the service as well as opting for the full Web proxy service:


A customer requires an MDM solution for 50 devices. These devices need to connect to their on premise email system. The enhanced service best fits their needs:

1X Fixed VPN enhanced = £450.00

50X MDM devices = £1,750.00

The customer scales up to 100X MDM devices: The scale up charge is: £1,500.00.

Total =£3,450.00 per month (after scale up)

The on-boarding charges are: Fixed: £2,500.00, MDM: £2,500.00

They decide that the baseline protective monitoring service best suits their needs and there are 55 IP addresses to be protected before the scale up and 165 after:

Protective monitoring: £815.00 per month

Protective monitoring: £1,100.00 per month (after scale up)

A customer requires connectivity for 2 offices, 2 cloud services, 50 mobile VPN users and 50 mobile devices at enhanced. They opt for no protective monitoring service.

4X Fixed VPN enhanced = £1800.00

50X Mobile VPN users = £1,750.00

50X MDM devices = £1,750.00

Total: £5,300.00 per month


Service scale up/scale down options – Secure Cloud Connect Service

It is possible to scale up and scale down the service levels from Baseline to Enhanced and from Enhanced to Premium or from Baseline to Premium. There is no charge for scaling up or down service levels.

Scale up example:

A customer requires 25 mobile VPN users to connect two offices and one cloud service. The baseline service best fits their needs. The monthly cost would be:

25X Mobile VPN users at baseline = £875.00

3X Fixed VPN at baseline = £1,200

Total: £2,075.00 per month

The customer decides to scale up the service level to enhanced for a critical period of 2 months. During those two months the customer pays:

The monthly cost would be:

25X Mobile VPN users at enhanced = £1,000.00

3X Fixed VPN at enhanced = £1,350.00

Total: £2,350.00 per month

Service scale up/scale down options – Secure Cloud Connect Protective Monitoring Service

It is also possible to scale up or scale down the service levels of the protective monitoring element of the service on a month by month basis. There is no charge for scaling up or down service levels.

Scale up support options

The service includes the BAU activities relating to managing the services and providing support but it is possible that the customer requires the reassurance of having dedicated e2e resource on hand to support their IT team during critical times.

The following scale up option allows customers to purchase cost effective support and scale it up at times of emergency or heightened importance:

Private Cloud Management and Support Ad hoc items

Extended support add on 24/7 response – uplifts support level


Dual site options

The service can be distributed across two e2e datacentres. This provides availability levels above 99.99%. This increases the quantity of fixed VPNs required. The dual site costs are double the single site cost. e2e provide connectivity between sites as part of the dual site service. Either site on its own is capable of handling all traffic.

Other Services

A range of other services are available that can be used to perform tasks such as assisting you with the roll out of VPN clients, connecting the mobile VPN to active directory or certificate services for user authentication or to assist with design aspects of the service. These are priced per day as per e2e’s SFIA rate card.

Other Services

Design effort per day: £900.00

Service training per day: £900.00

Ad hoc support per day: £850.00

User authentication integration (e.g. mobile VPN to customers’ active directory per day): £850.00


Service Specific Terms and Conditions

On-boarding

On-boarding is included with the following scope: e2e will support the customer in connecting/enrolling the requested fixed VPNs, mobile VPNs and mobile devices into the service. Optionally we can also migrate data into the service on a time and material basis. Examples of this would be connecting to an existing customer active directory service which would be charged on a time and material basis.

Off-boarding

Off-boarding is included with the following scope: all user access will be revoked and any e2e cloud connect components containing customer data will be wiped and factory reset. All customer data will be removed. The customer is expected to migrate their own data out of the service prior to the end of the service. Optionally we can also migrate the data out of the service (such as historical access logs) on a time and material basis.

Backups

All e2e managed devices are backed up as part of the service.

Disaster recovery

The service can be split across two UK datacentres if required.

Service lead time

Typically 10-30 working days from acceptance of order.

Minimum term

The service has a minimum term of 6 months.

Early exit charge

One month of service cost.

Termination charge

Termination before initial 6 months incurs early exit charge

Consumer responsibilities

The control and management of end users of the service and any VPN components installed or provisioned on customer equipment including end user devices

Technical requirements

To manage the service the user is required to enrol with our two-factor authentication service and connect to the service using one of the following: Windows, Linux, MAC, IOS, Android.

To create a fixed VPN the customer is required to either provide a CESG CPA foundation level approved device (IPsec Security Gateway) or allow e2e to supply and provision one.

To create a mobile VPN the customer is required to either provide and support a CESG CPA foundation level approved device (IPSec VPN for remote working) or allow e2e to supply one.

Ordering and Invoicing

Monthly in arrears by Purchase Order or Direct Debit.

Data restoration/service migration


Financial recompense model

If the service level falls below the stated availability (excluding planned or emergency maintenance and excluding any fault that is not the responsibility of e2e or e2e components), consumers will be eligible for a service credit. Service credits are provided as professional service credits that can be used for any support, design or security activities and are calculated at a value of 10% of service spend on the particular service.

Training

The customer can choose to purchase training days.

Trial Service

There is no trial service available.

More information and contact details

For more details on this service and to see the other services we offer visit www.e2e-assure.com
