Thales Service Definition for
PSN Secure Web Gateway Service
for Cloud Services
April 2014
CONTENTS

Introduction ..... 3
Overview of Service ..... 3
Key Features ..... 4
The Thales SaaS Cloud Model ..... 4
Protective Monitoring ..... 5
Information Assurance (IA) ..... 5
Statements of accreditation ..... 5
Baseline / Bundled Gateway Services ..... 6
Unbundled Gateway Services ..... 6
Capabilities and Technical Performance Specification ..... 7
Service Levels ..... 7
Recompense model for not meeting service levels ..... 8
Training ..... 8
Ordering ..... 8
On boarding and Off Boarding ..... 8
On Boarding ..... 8
Off Boarding ..... 8
Customer Responsibilities ..... 9
Thales Commitment to Open Standards ..... 9
Thales support for UK Government Information Principles ..... 9
Principle 2 - Information is Managed ..... 9
Principle 5 - Information is Re-used ..... 9
Government ICT Strategy and Greening ICT Strategies ..... 10
Contact Details ..... 11
Introduction

Overview of Service

As the efficient exchange of data and information between Government departments is enabled through initiatives such as G-Cloud and PSN, with web applications increasingly becoming available to support 'joined up government', the demand for boundary protection and Secure Web Gateways has grown rapidly. Unlike the previous GSI model, PSN and G-Cloud services are based upon a 'network of networks' approach. This multi-vendor approach drives the need to manage and control the information flows across security domain boundaries through the use of Secure Gateway technology.

Thales Secure Gateway Services are a suite of fully managed services that deliver Web Gateway, Email Gateway and a range of File Transfer and other inter-domain Gateway capabilities. This Service Description relates to the Thales Secure Web Gateway Service.

The Thales Secure Web Gateway Service securely manages the boundary between the Customer's own security domain(s), the Internet and other Web Services. The Web Gateway Service is configured and managed to enforce the Customer's own web access and Internet security policies. The policies define the permitted types of web site, content rules, URL restrictions and black / white list rules. The Gateway Service then inspects information attempting to transit the boundary, checking for prohibited words, URLs and protocols, and for malware, including attack code and executable content embedded within files and text.

Thales Web Gateway Services provide security risk mitigations that contribute to lowering the SIRO's security risk profile, mitigating risks identified in the Customer's RMADS. The Service enables safe, controlled and secure access to the Internet and Web Services, helping to facilitate 'joined up government' whilst protecting the Customer's information held at IL2, IL3, OFFICIAL and OFFICIAL-SENSITIVE.

The service is delivered as SaaS running on VMware platforms that can be scaled by our operations centre staff in Doncaster; the application software runs on virtual servers that can be created on any compatible infrastructure platform. The on-line customer portal makes available usage data, incident status and security reports, whilst allowing the customer to report incidents and raise service requests and IMACs (Install, Move, Add, Change requests). Protective Monitoring services provided by the Thales CSOC (Cyber Security Operations Centre) and the ITIL service provided by the NOC (Network Operations Centre) deliver the 24 hour, 365 day per year assurance that the service is operational and secure.

Thales has registered its Gateway Services solution with the Public Services Network Authority under the registration number SRV 0166. This service is being progressed with the Pan Government Accreditor (PGA).
Key Features
The Thales SaaS Cloud Model
Figure 1 shows the Thales model of the Secure Gateway Service and its key attributes. The
Gateway policy, element management, control and filtering applications are accessible to the
Thales Operations Centre, largely through web browsers, which enable re-configuration and
management of the various Gateway elements. The web based customer portal provides a
channel for customer IMAC service requests and for on-line access to incident and reporting
information.
[Figure 1: Thales Secure Gateway Service Model. Labels recoverable from the figure: Service
Level Agreement; Accreditation (Official, Official Sensitive, Secret); Operational Service
Security Boundary enclosing Protective Monitoring, ITIL Services and Sub CA Service; Baseline
Services of Design (Functional Specification), Integration (Functional Specification / Matrix)
and Transition (Transition Specification / Application software Matrix); gateway elements of
Firewalls (HA Pair), IDS/IPS (HA Pair), IL3 and IL4 Network Switches (HA Pair), IL3-3-3 and
IL4-4-4 domains and File Repository Servers; Optional Services of Consulting and Change.]
Figure 1 Thales Secure Gateway Service Model.
The service is delivered on a virtualised infrastructure based on VMware and has been
developed to be operational from Thales Data Centres, Customer Data Centres or third
party IaaS Cloud providers such as Skyscape. The architecture as priced provides 99%
availability; for High Availability applications, additional load-balanced and active-passive
architectures are available. The SOC and NOC functions already have DR capability, based
on the Thales Doncaster and Basingstoke sites connected by a high capacity PSN network
triangulated through Bristol.
The application software and architecture graphic shown at the centre of Figure 1 represents
just one of a wide range of Gateway variants that provide the Information Assurance and
protection necessary to mitigate the customer's security risk profile. The Web Gateway
configuration priced in this G-Cloud entry is a typical basic but effective service that
includes Gateway policy enforcement, firewall, virus checking and intrusion detection and
prevention capability. More complex standard arrangements add load balancing for
scalability, authentication capability, deeper packet inspection techniques and further
resilience options to protect the customer's secure networks and information.
The Capabilities and Technical Performance Specification section describes the configuration of the Gateway and determines the level of control, filtering and inspection to be performed.

Protective Monitoring

The Customer's RMADS (Risk Management and Accreditation Document Set), as approved by the Customer's accreditor, will include the risk mitigations that must be carried out to secure the accreditation. The accreditation and evaluation status of the Secure Web Gateway Service is likely to form part of the mitigation of those risks. Protective Monitoring of the Secure Gateway Service aligns to CESG Good Practice Guide 13 (GPG13), following the best practice and policies set out in the HMG Risk Management standards, IA Standard No. 1 and 2 (IS1 & 2). The Protective Monitoring provided by the Thales SOC demonstrates the necessary operational independence from the Network Operations Centre. The SOC provides risk mitigation through Accounting, Audit, Monitoring and Management Reporting.

Information Assurance (IA)

The protective monitoring provided by the Thales CSOC, the ITIL framework implemented by the NOC (Network Operations Centre) and the necessary PKI services provided by the PSN Sub Certificate Authority are shown in Figure 1 within the black border that indicates the operational service boundary. These are all key components of the service that provide the necessary Information Assurance.

Statements of accreditation:

The security components that comprise the Gateway software suite are considered by Thales to be best in class and include both Cisco IronPort and Deep-Secure gateway software, so that the compliant solution does not depend on a single vendor. Thales can provide confirmation, through the appropriate channels, of the security evaluations undertaken as part of the process for the accreditation of services at BIL 33x and above.

Many of the service components are already in use on Customer networks and on the Thales Restricted networks that have achieved accreditation by the Public Services Network Authority (PSNA) and the Ministry of Defence (accredited by DSAS). The Pan Government Accreditor (PGA) has accredited both the Thales PSN IL3 connectivity and PKI services; these services are registered as PSNSP 002 and SRV0111. Thales has registered its Gateway Services solution with the Public Services Network Authority under the registration number SRV 0166. This service is being progressed with the Pan Government Accreditor (PGA).

The protective monitoring and ITIL service management for both the accredited PSN Connectivity Services and the PSN Secure Gateway Services are hosted within our Tier 3 (TIA) List X certified Doncaster Data Centre operation. In addition to the physical protection of the service, Thales, as a CESG Assured Service (Telecommunications) (CAS(T)) and ISO 27001:2005 certified supplier, has a mature and regularly maintained ISO 27001 ISMS. All of the documentation required is in accordance with, and compliant against, HM Government IS No 1 & 2 and the PSNA documentation sets.
Baseline / Bundled Gateway Services
The baseline services shown in Figure 1 include Design, Integration and Transition. The final
implementation of the service provided by Thales will depend upon customer agreement of
the roles and responsibilities for each of the providers, third parties and of the customer
themselves. Thales baseline services are designed with the need for this level of flexibility in
mind. Simple definitions are shown below:
Design: Ensures that the Thales preferred Web Gateway Service architectures
are configured to meet specific customer performance and IA requirements.
Integration: Based upon a common understanding of how the services will be
integrated into the existing or 'to be' infrastructure, agreed prior to order
acceptance. Often delivered as part of a larger WAN or LAN refresh or
deployment.
Transition: Whilst the integration baseline services define how the Gateways
will fit within the LAN / WAN architecture, within this price they are bounded
to activities relating directly to the operation of the Thales service. Transition
services may also be provided to help the customer manage the journey from
their 'As Is' environment to the final 'To Be' environment.
Gateways by definition are located at network and security domain boundaries. Thales will
validate the Secure Gateway Service design against the existing infrastructure and work with
the customer and third parties to ensure a smooth integration and transition. Typically this
may include the incumbent LAN provider or data centre / hosting provider.
A detailed integration and transition plan, including identification of roles and responsibilities,
the necessary joint assurance planning and cutover procedures, will be agreed with the
customer during the early project planning phase as part of the on boarding process. Thales
has extensive experience of systems integration and can operate as the prime contractor or
work with the organisation appointed by the customer.
The price shown against this Service Description includes all baseline activities that relate
directly to the successful assurance and operational readiness of the Thales service. Thales
will be pleased to provide additional services to extend the scope beyond the standard
service.
Unbundled Gateway Services
Targeted at those Customers who wish to procure the same functionality as the Fully-Managed
Web Gateway Services but who also wish to retain elements of the service either
‘in-house’ or as part of a wider network operational environment. For example, this
‘unbundled’ approach allows efficiencies to be realised through sharing existing customer
NOC and SOC capabilities.
This approach may be favoured by Customers who for security reasons are unable to disclose
details of their operations or allow third parties to have access to equipment after installation.
It is anticipated that this will also appeal to specialist Vendors, Systems Integrators,
Outsourcers and to SMEs who can provide high quality elements of the service but are not
able to offer the full set of managed services.
Capabilities and Technical Performance
Specification
TABLE 1 CAPABILITIES AND TECHNICAL PERFORMANCE

Gateway: Web Gateway
Target Security Domains: HIGH, MED

Filtering Capabilities / Functions:
  Standard Filtering/Functional Capabilities:
    - URL Filtering (Black-list / White-list)
    - Protocol Filtering
    - Malware Detection (Signature Based)
    - IDS/IPS
  Additional/Optional Functional/Filtering Capabilities:
    - URL Filtering (External Source for Reputation)
    - HTTP Protocol Specific Filtering: GET, POST

Actions on Policy Infringement:
  Standard Actions:
    - Block Web Traffic: if there is a policy infringement, the Gateway prevents the URL from being accessed
    - Allow Web Traffic
    - Logging (syslog)
  Standard Alerts:
    - Alert NOC / SOC Operator of Policy Infringement
  Optional Alerts:
    - Alert User of Policy Infringement
    - Alert Specified User of Policy Infringement
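The following is an added illustration of how the Table 1 controls combine into a single policy decision; it is example code written for this page, not Thales's gateway software. It shows URL black/white-list filtering, protocol and HTTP-method filtering, signature-based malware detection on the transiting content, the block/allow action, the operator alert and a syslog-style audit record. The policy values, the domain names, the second malware signature and the sample requests are constructed; the EICAR string is the industry's standard harmless anti-virus test pattern.

```python
"""Toy web-gateway policy engine (added example, not Thales code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed customer policy; a real gateway loads the agreed configuration.
POLICY = {
    "allowed_schemes": {"http", "https"},
    "allowed_methods": {"GET", "POST"},
    "whitelist": {"gov.uk"},                       # suffix match: any host under gov.uk
    "blacklist": {"malware.example", "phish.example"},
    "prohibited_words": {"confidential-project-x"},
    "alert_user": False,                           # optional alert from Table 1
}

# Signature-based detection. EICAR is the standard harmless AV test string;
# the second signature is made up for this example.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example-Dropper": b"MZ\x90\x00EXAMPLE-DROPPER",
}


@dataclass
class Decision:
    action: str                                    # "ALLOW" or "BLOCK"
    reasons: list = field(default_factory=list)    # why the request was blocked
    alerts: list = field(default_factory=list)     # who is told about it


def host_matches(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_for_malware(payload: bytes) -> list:
    """Return the names of every signature found in the payload."""
    return [name for name, sig in SIGNATURES.items() if sig in payload]


def evaluate(method: str, url: str, payload: bytes = b"", policy: dict = POLICY) -> Decision:
    """Apply the gateway policy to one request/response and decide an action."""
    d = Decision("ALLOW")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Protocol filtering: only the listed schemes may cross the boundary.
    if parts.scheme.lower() not in policy["allowed_schemes"]:
        d.reasons.append(f"protocol {parts.scheme!r} not permitted")
    # HTTP protocol-specific filtering (optional capability in Table 1).
    if method.upper() not in policy["allowed_methods"]:
        d.reasons.append(f"HTTP method {method} not permitted")

    # URL filtering. The white-list exempts a host from the URL rules only;
    # content from a trusted host is still scanned for malware below.
    if not host_matches(host, policy["whitelist"]):
        if host_matches(host, policy["blacklist"]):
            d.reasons.append(f"host {host} is black-listed")
        lowered = url.lower()
        for word in policy["prohibited_words"]:
            if word in lowered:
                d.reasons.append(f"prohibited word {word!r} in URL")

    # Signature-based malware detection on the transiting content.
    for name in scan_for_malware(payload):
        d.reasons.append(f"malware signature {name} matched")

    if d.reasons:
        d.action = "BLOCK"
        d.alerts.append("NOC/SOC operator")        # standard alert
        if policy.get("alert_user"):
            d.alerts.append("user")                # optional alert
    return d


def syslog_line(d: Decision, method: str, url: str, client: str = "10.0.0.1") -> str:
    """Render the decision as a syslog-style audit record for the SOC."""
    facility_local0 = 16
    severity = 4 if d.action == "BLOCK" else 6     # warning / informational
    pri = facility_local0 * 8 + severity
    reason = "; ".join(d.reasons) or "policy permits"
    return (f"<{pri}>webgw: action={d.action} client={client} "
            f"method={method} url={url} reason=\"{reason}\"")


if __name__ == "__main__":
    eicar = SIGNATURES["EICAR-Test-File"]
    for m, u, body in [("GET", "https://www.gov.uk/", b""),
                       ("GET", "http://cdn.malware.example/loader.js", b""),
                       ("GET", "https://www.gov.uk/download", eicar)]:
        print(syslog_line(evaluate(m, u, body), m, u))
```

The ordering matters: the white-list only switches off the URL rules, so a trusted domain that serves an infected file is still blocked by the signature check, and every BLOCK produces a record the SOC can correlate under GPG13-style accounting and audit.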
Service Levels
TABLE 2 SERVICE LEVELS

Service Attribute | Target Service Level
Hours of operation (Network Operation Centre) | 24 hrs, 365 days per year
Availability | Priced example 99.9%; higher availability based upon selection of resilience options
Help Desk | Portal operation 24 x 7 for monitoring incidents, reporting incidents and logging IMAC service requests
Service Request Response | Less than 24 hours
IMAC Response | Less than 24 hours
Recompense model for not meeting service levels
1% reduction in our service price for each month in which we fail to hit the targets.
Training
This is a fully managed service and requires no customer training for the operational service
other than the provision of customer portal user guide and service management information
including incident escalation processes, service reporting and contact details.
Ordering
Thales will provide a written:
Specification Document
Service Level Agreement
Deployment Plan that includes key milestone dates and any customer
dependencies
which shall be agreed by the Customer/Thales as part of the Call-Off Form/Agreement.
On boarding and Off Boarding
On Boarding:
Coming on to the service will focus upon establishing the Customer Security Policy aspects
that will be enforced by the Web Gateway Service. Thales IA staff will develop the necessary
Gateway configurations and agree their operation and impact on the users with the Customer
representative before operational handover (Assurance) is completed.
The PSN Web Gateway Service manages the traffic at the network boundary and therefore
connects to PSN Connectivity and to the Customer's local or third party networks. The
integration with the WAN and application services will be completed as part of the service
integration planning, documented by Thales through the Deployment Plan and associated
customer specific configuration documentation.
Points of contact are exchanged and the operational Service Manual reviewed with the
customer to ensure Performance Reporting, Incident Management, Change Management and
Security procedures are understood.
The operation may go live in phases to suit the Customer requirements and to bed down
changes to the existing Customer and User web access processes and procedures.
Off Boarding:
As part of the Off Boarding process the operational performance reports and incident records
may be provided to the Customer on request. Security incident information stored in the
SOC may be provided through the appropriate channels to maintain the security integrity and
sensitivity of information. The Service does not archive Customer information or data that
transits through the Gateway components.
Operational and configuration records will be securely stored and maintained for the
appropriate period in accordance with any legal and certification obligations set by the ISO
standards, the PGA or the Government Department (Customer) prior to contract.
A shut down schedule will be agreed so that the service is terminated in an orderly way to avoid
disruption and to facilitate a transition to an alternative provider.
Customer Responsibilities
Customers will need to:
Provide suitably qualified employees with knowledge of the customer security policies
to work with the Thales deployment team, enabling the systems to be correctly
configured by Thales.
Provide contact details for an approved set of IT staff that will have access to the
portal and have permissions to raise Incidents.
Provide contact details for incident escalation.
Ensure the customer network is compliant with the relevant PSN Code of Connection
requirements.
Provide Security Manager contact details for reporting any notifiable security events.
Thales Commitment to Open Standards
Thales has a commitment to adopting Open Standards during the Service Development
process where standards exist and will continue to promote new standards where they add
real customer value, such as improved interoperability or lower maintenance and support
costs.
Thales support for UK Government Information
Principles
Principle 2 ‐ Information is Managed
The principle requires that Information Assets are managed and protected in a manner
commensurate with their value. The Thales Secure Gateway Services are designed to enforce
the Customers own Security Policies to manage and protect information transiting a security
boundary. This includes a range of information management best-practices delivered
through the Network Operations Centre and the Thales GPG13 based Security Operations
Centre- for example to ensure appropriate availability and integrity, to avoid exposure and
loss.
Principle 5 ‐ Information is Re‐used
A “joined up” approach to the sharing of information across the public sector to deliver
public services and to meet public task responsibilities is becoming increasingly important
and expected.
One of the key aspects of re-use is supported by the use of Secure Gateway Services in
enforcement of Security Policies that have been devised as a result of careful risk-based
judgements with regard to exploiting vs. protecting UK Government information:
“External re-use – sharing information with others across organisational boundaries,
whether within the public sector, or more generally with private businesses and
citizens”
Government ICT Strategy and Greening ICT
Strategies
In support of the Government Greening ICT Strategy the Thales Group has made protecting
the environment one of its ethical values. The Group is committed to a proactive
environmental protection policy (ISO 14001 and compliant with the European Eco-
Management and Audit Scheme) and attaches importance to this principle within the
framework of its activities.
The design of Thales PSN Services, their operational support and Data Centre selection
supports both the ICT and Greening strategies through:
Use of Open Standards and PSN interconnect specification to facilitate the
creation of a common ICT infrastructure
Developing a range of ‘Securing the Cloud’ capabilities and gaining
accreditation for ICT services that are an enabler for delivering government
changes with the lowest IA risk
Developing PSNA certified Gateway Services to monitor, manage and report on
information transiting security boundaries in support of IA governance
In addition Thales implements an extensive quality control and management system, including
organisational governance processes to manage and reduce risk, provide continuous process
improvement and ensure customer satisfaction. Thales supports key principles of the
Government ICT Strategy. Thales will work with UK Government to reduce unnecessary
waste, ensure projects meet customer needs, timescales and budgetary constraints whilst
delivering a sustainable and common ICT infrastructure.
Contact Details

To discuss or speak to Thales about our Gateway cloud services, we would be delighted to hear from you. We can be contacted on: thalesg-cloud5@uk.thalesgroup.com