Page created by Marcus Morrison
Thales Service Definition for
PSN Secure Web Gateway Service
for Cloud Services
                                                                       April 2014

Page 1 of 12

                                                         CONTENT
                                                                                                                      Page No.
Introduction .................................................................................................................. 3
   Overview of Service ................................................................................................... 3
Key Features ................................................................................................................. 4
   The Thales SaaS Cloud Model .................................................................................... 4
   Protective Monitoring ................................................................................................. 5
   Information Assurance (IA) .......................................................................................... 5
      Statements of accreditation ..................................................................................... 5
   Baseline / Bundled Gateway Services........................................................................... 6
   Unbundled Gateway Services ...................................................................................... 6
   Capabilities and Technical Performance Specification ................................................... 7
   Service Levels ............................................................................................................ 7
   Recompense model for not meeting service levels ......................................................... 8
   Training .................................................................................................................... 8
   Ordering................................................................................................................... 8
   On boarding and Off Boarding .................................................................................. 8
      On Boarding ......................................................................................................... 8
      Off Boarding ......................................................................................................... 8
   Customer Responsibilities ........................................................................................... 9
      Thales Commitment to Open Standards ................................................................... 9
   Thales support for UK Government Information Principles .............................................. 9
      Principle 2 - Information is Managed........................................................................ 9
      Principle 5 - Information is Re-used .......................................................................... 9
   Government ICT Strategy and Greening ICT Strategies ................................................ 10
Contact Details ............................................................................................................. 11


Introduction
Overview of Service
As the efficient exchange of data and information between Government departments is
enabled through initiatives such as G-Cloud and PSN, with web applications increasingly
becoming available to support 'joined up government', the demand for boundary protection
and Secure Web Gateways has grown rapidly. Unlike the previous GSI model, PSN and G-Cloud
services are based upon a 'network of networks' approach. This multi-vendor approach drives
the need to manage and control the information flows across security domain boundaries
through the use of Secure Gateway technology.
Thales Secure Gateway Services are a suite of fully managed services that deliver Web
Gateway, Email Gateway and a range of File Transfer and other inter-domain Gateway
capabilities. This Service Description relates to the Thales Secure Web Gateway Service.
The Thales Secure Web Gateway Service securely manages the boundary between the
Customer's own security domain(s), the Internet and other Web Services. The Web Gateway
Service will be configured and managed to enforce the Customer's own web access and
Internet security policies. The policies define the permitted categories of web site, content
rules, URL restrictions and black-list / white-list rules. The Gateway Service then inspects
information attempting to transit the boundary, checking for prohibited words, URLs and
protocols, and for malware, including attack code and executable content embedded within
files and text.
Thales Web Gateway Services provide security risk mitigations that contribute to lowering the
SIRO’s security risk profile, mitigating risks identified in the Customer’s RMADS. The Service
enables a safe, controlled and secure access to the Internet and Web Services, helping to
facilitate ‘joined up government’, whilst protecting the Customer’s secure information held at
IL2, IL3, Official and Official Sensitive level.
The service is delivered as SaaS running on VMware platforms that can be scaled by our
operations centre staff in Doncaster; the application software runs on virtual servers that
can be created on any compatible infrastructure platform. The on-line customer portal
makes usage data, incident status and security reports available, and allows the customer
to report incidents and raise service requests and IMACs (Installs, Moves, Adds and Changes).
Protective Monitoring services provided by the Thales CSOC (Cyber Security Operations
Centre) and the ITIL service provided by the NOC (Network Operations Centre) deliver the
24 hour, 365 day per year assurance that the service is operational and secure. Thales has
registered its Gateway Services solution with the Public Services Network Authority under the
registration number SRV 0166. This service is being progressed with the Pan Government
Accreditor (PGA).


Key Features
The Thales SaaS Cloud Model
Figure 1 shows the model that has been developed by Thales which shows all the key
attributes of the Secure Gateway Service. The Gateway policy, element management, control
and filtering applications are accessible by the Thales Operations Centre largely through web
browsers that enable re-configuration and management of the various Gateway elements.
The web based customer portal provides a channel for customer IMAC service requests and
for on-line access to incident and reporting information.

[Figure 1 is a diagram of which only the labels survive extraction. It shows a Service Level
Agreement layer and an Accreditation layer (Official, Official Sensitive, Secret) above an
Operational Service Security Boundary that contains Protective Monitoring, ITIL Services and
a Sub CA Service. Baseline Services (Design, Integration, Transition) and Optional Services
(Consulting, Change) are listed alongside. The architecture at the centre shows an IL3
network (IL 3-3-3) and an IL4 network (IL 4-4-4), each with Firewalls (HA pair), Switches
(HA pair), a File Repository Server and the Application software, with IDS/IPS (HA pair)
between the IL3 and IL4 sides; each element is described by a Functional Specification
Matrix.]

                         Figure 1 Thales Secure Gateway Service Model.
The service is delivered on a virtualised infrastructure based on VMware and has been
developed to be operational from Thales Data Centres, Customer Data Centres or from third
party IaaS Cloud providers such as Skyscape. The architecture priced provides for 99%
availability; for High Availability applications, additional load-balanced and active/passive
architectures are available. The SOC and NOC functions already have DR capability based
on the Thales Doncaster and Basingstoke sites, connected by a high capacity PSN Network
triangulated through Bristol.
The application software and architecture graphic shown at the centre of Figure 1 represents
just one of a wide range of Gateway variants that provide the Information Assurance and
protection necessary to mitigate the customer's security risk profile. The pricing offered in
this G-Cloud entry is for a typical basic but effective Web Gateway configuration that
includes Gateway policy enforcement, firewall, virus checking and intrusion detection and
prevention (IDS/IPS) capability. More complex, standard arrangements add load balancing for
scalability, authentication capability, more complex packet inspection techniques and further
resilience options to protect the customer's secure networks and information.


The Capabilities and Technical Performance Specification section describes the configuration
of the Gateway and determines the level of control, filtering and inspection to be performed.

Protective Monitoring
The Customer's RMADS (Risk Management and Accreditation Document Set), as approved by
the Customer's accreditor, will include the risk mitigations that must be carried out to secure
the accreditation. The accreditation and evaluation status of the Secure Web Gateway
Service is likely to form part of the mitigation of those risks. Protective Monitoring of the
Secure Gateway Service aligns to CESG Good Practice Guide 13 (GPG13), following the best
practice and policies set out in the HMG Risk Management standard, IA Standards No. 1 and 2
(IS1 & 2).
The Protective Monitoring provided by the Thales SOC demonstrates the necessary
operational independence from the Network Operations Centre. The SOC provides risk
mitigation through Accounting, Audit, Monitoring and Management Reporting.

Information Assurance (IA)
The protective monitoring provided by the Thales CSOC, the ITIL framework implemented by
the NOC (Network Operations Centre) and the necessary PKI services provided by the PSN
Sub Certificate Authority are shown at Figure 1 within the black border that indicates the
operational service boundary. These are all key components of the service that provides the
necessary Information Assurance.

Statements of accreditation:
The security components that comprise the Gateway software suite are considered by Thales
to be best in class and include both Cisco IronPort and Deep Secure gateway software,
supporting the need for a single, vendor-independent, compliant solution. Thales can provide
confirmation, through the appropriate channels, of the security evaluations undertaken
as part of the process for the accreditation of services at BIL 33x and above. Many of the
service components are already in use on Customer networks and on the Thales Restricted
networks that have achieved accreditation by the Public Service Network Authority (PSNA) and
the Ministry of Defence (accredited by DSAS).
The Pan Government Accreditor (PGA) has accredited both the Thales’ PSN IL3 connectivity
and PKI services; these services are registered as PSNSP 002 and SRV0111.
Thales has registered its Gateway Services solution with the Public Services Network Authority
under the registration number SRV 0166. This service is being progressed with the Pan
Government Accreditor (PGA).
The protective monitoring and ITIL service management for both the accredited PSN
Connectivity Services and the PSN Secure Gateway Services are hosted within our Tier 3 (TIA)
List X Certified Doncaster Data Centre operation. In addition to the physical protection of the
service, Thales, as a Certified CESG Assurance Service (Telecommunications) CAS(T) and
ISO 27001:2005 supplier, has a mature and regularly maintained ISO 27001 ISMS. All of
the documentation required is in accordance with, and compliant against HM Government IS
No 1&2 and PSNA documentation sets.


Baseline / Bundled Gateway Services
The baseline services shown in Figure 1 include Design, Integration and Transition. The final
implementation of the service provided by Thales will depend upon customer agreement of
the roles and responsibilities for each of the providers, third parties and of the customer
themselves. Thales baseline services are designed with the need for this level of flexibility in
mind. Simple definitions are shown below:
   • Design: ensures that the Thales preferred Web Gateway Service architectures
     are configured to meet specific customer performance and IA requirements.
   • Integration: based upon a common understanding of how the services will be
     integrated into the existing or 'to be' infrastructure, agreed prior to order
     acceptance. Often delivered as part of a larger WAN or LAN refresh or
     deployment.
   • Transition: whilst the integration baseline services define how the Gateways
     will fit within the LAN / WAN architecture, as part of this price they are bounded
     to activities relating directly to the operation of the Thales service. Transition
     services may also be provided to help the customer manage the journey from
     their 'As Is' environment to the final 'To Be' environment.
Gateways by definition are located at network and security domain boundaries. Thales will
validate the Secure Gateway Service design against the existing infrastructure and work with
the customer and third parties to ensure a smooth integration and transition. Typically this
may include the incumbent LAN provider or data centre / hosting provider.
A detailed integration and transition plan, including identification of roles and responsibilities,
the necessary joint assurance planning and cutover procedures, will be agreed with the
customer during the early project planning phase as part of the on boarding process. Thales
has extensive experience of systems integration and can operate as the prime contractor or
work with the organisation appointed by the customer.
The price shown against this Service Description includes all baseline activities that relate
directly to the successful assurance and operational readiness of the Thales service. Thales
will be pleased to provide additional services to extend the scope beyond the standard
service.

Unbundled Gateway Services
These services are targeted at Customers who wish to procure the same functionality as the
Fully-Managed Web Gateway Services but who also wish to retain elements of the service
either 'in-house' or as part of a wider network operational environment. For example, this
'unbundled' approach allows efficiencies to be realised through sharing existing customer
NOC and SOC capabilities.
This approach may be favoured by Customers who for security reasons are unable to disclose
details of their operations or allow third parties to have access to equipment after installation.
It is anticipated that this will also appeal to specialist Vendors, Systems Integrators,
Outsourcers and to SMEs who can provide high quality elements of the service but are not
able to offer the full set of managed services.


Capabilities and Technical Performance
Specification
                       TABLE 1 CAPABILITIES AND TECHNICAL PERFORMANCE

Gateway: Web Gateway
Target Security Domains: HIGH, MED

Filtering Capabilities / Functions
   Standard Filtering / Functional Capabilities:
      • URL Filtering (Black-list / White-list)
      • Protocol Filtering
      • Malware Detection, Signature Based
      • IDS/IPS
   Additional / Optional Functional / Filtering Capabilities:
      • URL Filtering (External Source for Reputation)
      • HTTP Protocol Specific Filtering: GET, POST

Actions on Policy Infringement
   Standard Actions:
      • Block Web Traffic: if there is a policy infringement, the URL is prevented
        from being accessed
      • Allow Web Traffic
      • Logging (Syslog)
   Standard Alerts:
      • Alert NOC / SOC Operator of Policy Infringement
   Optional Alerts:
      • Alert User of Policy Infringement
      • Alert Specified User of Policy Infringement
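The policy enforcement described in the Overview (web access policies defining permitted site categories, content rules, URL restrictions and black-list / white-list rules) and the filtering functions and actions listed in Table 1 amount, in practice, to a request-evaluation pipeline: protocol check, method check, URL list check, signature check, then a block/allow decision with a syslog record and an operator alert. The Python below is an added illustration written for this page; it is not Thales' gateway code nor that of any vendor product named here. The host lists, the "dos-executable-header" signature, the sample requests, the choice of syslog facility and the "webgw01" hostname are assumptions constructed for the example.

```python
# Added example (not Thales code): a minimal web-gateway policy engine modelling
# the Table 1 capabilities and actions. Host lists, signatures, requests and the
# "webgw01" hostname below are constructed for illustration.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import fnmatch


@dataclass(frozen=True)
class Policy:
    allowed_schemes: frozenset = frozenset({"http", "https"})   # protocol filtering
    allowed_methods: frozenset = frozenset({"GET", "POST"})     # HTTP-method filtering
    whitelist: tuple = ()          # host patterns exempt from the black-list
    blacklist: tuple = ()          # host patterns always blocked
    signatures: tuple = ()         # (name, byte pattern) pairs for content matching
    alert_user: bool = False       # Table 1 optional "Alert User" action


@dataclass
class Request:
    method: str
    url: str
    body: bytes = b""
    user: str = "anonymous"


@dataclass
class Verdict:
    action: str                    # "ALLOW" or "BLOCK"
    reason: str
    alerts: list = field(default_factory=list)


def _host_matches(host, patterns):
    # fnmatchcase so "*.bad.example" matches sub-domains only; list the apex
    # domain separately if it should be covered too.
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def _block(req, policy, reason):
    alerts = ["NOC/SOC operator"]          # standard alert
    if policy.alert_user:
        alerts.append(f"user {req.user}")  # optional alert
    return Verdict("BLOCK", reason, alerts)


def evaluate(req, policy):
    parts = urlsplit(req.url)
    # urlsplit() resolves userinfo, so "http://www.gov.uk@bad.example/" yields
    # host "bad.example"; a substring match on the raw URL would be fooled.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in policy.allowed_schemes:
        return _block(req, policy, f"protocol {parts.scheme!r} not permitted")
    if req.method.upper() not in policy.allowed_methods:
        return _block(req, policy, f"method {req.method} not permitted")
    if not _host_matches(host, policy.whitelist) and _host_matches(host, policy.blacklist):
        return _block(req, policy, f"host {host} is black-listed")
    # Signature check runs even for white-listed hosts: the white-list exempts a
    # host from the URL black-list, not from malware detection.
    for name, pattern in policy.signatures:
        if pattern in req.body:
            return _block(req, policy, f"signature {name} matched")
    return Verdict("ALLOW", "no policy infringement")


def syslog_line(req, verdict, hostname="webgw01"):
    # RFC 3164 PRI = facility*8 + severity; local0 (16) with info (6) or warning (4).
    pri = 16 * 8 + (6 if verdict.action == "ALLOW" else 4)
    return (f"<{pri}>{hostname} webgw: action={verdict.action} user={req.user} "
            f"method={req.method} url={req.url} reason=\"{verdict.reason}\"")


EXAMPLE_POLICY = Policy(
    whitelist=("gov.uk", "*.gov.uk"),
    blacklist=("bad.example", "*.bad.example"),
    signatures=(("dos-executable-header", b"MZ\x90\x00"),),
    alert_user=True,
)

# Constructed traffic sample (not captured data).
EXAMPLE_REQUESTS = [
    Request("GET", "https://www.gov.uk/", user="alice"),
    Request("GET", "http://files.bad.example/payload", user="bob"),
    Request("GET", "http://www.gov.uk@bad.example/", user="bob"),
    Request("POST", "https://www.gov.uk/upload", body=b"MZ\x90\x00\x03\x00", user="carol"),
    Request("DELETE", "https://www.gov.uk/record/1", user="carol"),
    Request("GET", "ftp://files.gov.uk/", user="dave"),
]


def run(requests=EXAMPLE_REQUESTS, policy=EXAMPLE_POLICY):
    """Evaluate each request and return (action, syslog line) pairs."""
    out = []
    for req in requests:
        v = evaluate(req, policy)
        out.append((v.action, syslog_line(req, v)))
    return out


if __name__ == "__main__":
    for action, line in run():
        print(line)
```

Two points in the block are the ones a practitioner would check in a real gateway: the white-list only exempts a host from the black-list, never from signature-based detection, and the host is taken from a proper URL parse so that userinfo tricks such as `http://www.gov.uk@bad.example/` are classified by the real destination. A production gateway applies the same checks to decrypted TLS traffic and to response bodies as well as uploads; this example covers only the request side.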

Service Levels
                                      TABLE 2 SERVICE LEVELS
   Service Attribute                                    Target Service Level

   Hours of operation (Network Operation                24hrs,
   Centre)                                              365 days per year
   Availability                                         Priced example 99.9%
                                                        Higher availability based upon selection of
                                                        resilience options
   Help Desk                                            Portal operation 24 x7 for monitoring
                                                        incidents, reporting incidents and logging
                                                        IMAC service requests
   Service Request Response                             Less than 24 hours
   IMAC Response                                        Less than 24 hours


Recompense model for not meeting service levels
1% reduction in our service price for each month we fail to hit the targets

Training
This is a fully managed service and requires no customer training for the operational service
other than the provision of customer portal user guide and service management information
including incident escalation processes, service reporting and contact details.

Ordering
Thales will provide a written:
   • Specification Document
   • Service Level Agreement
   • Deployment Plan that includes key milestone dates and any customer
     dependencies

which shall be agreed by the Customer/Thales as part of the Call-Off Form/Agreement.

On boarding and Off Boarding
On Boarding:
Coming on to the service will focus upon establishing the Customer Security Policy aspects
that will be enforced by the Web Gateway Service. Thales IA staff will develop the necessary
Gateway configurations and agree their operation and impact on users with the Customer
representative before operational handover (Assurance) is completed.
The PSN Web Gateway Service manages the traffic at the network boundary and therefore
will connect to PSN Connectivity and to the Customer's local or third party networks. The
integration with the WAN and application services will be completed as part of the service
integration planning, documented by Thales through the Deployment Plan and associated
customer-specific configuration documentation.
Points of contact are exchanged and the operational Service Manual reviewed with the
customer to ensure Performance Reporting, Incident Management, Change Management and
Security procedures are understood.
The operation may go live in phases to suit the Customer's requirements and to bed down
changes to the existing Customer and User processes and procedures.

Off Boarding:
As part of the Off Boarding process the operational performance reports and incident records
may be provided to the Customer on request. Security incident information stored in the
SOC may be provided through the appropriate channels to maintain the security integrity and
sensitivity of the information. The Service does not archive Customer information or data that
transits through the Gateway components.
Operational and configuration records will be securely stored and maintained for the
appropriate period in accordance with any legal and certification obligations set by the ISO
standards, the PGA or the Government Department (Customer) prior to contract.
A shut down schedule will be agreed so that the service is terminated in an orderly way to
avoid disruption and to facilitate transition to an alternative provider.

Customer Responsibilities
Customers will need to:
   • Provide suitably qualified employees with knowledge of the customer security policies
     to work with the Thales deployment team, enabling the systems to be correctly
     configured by Thales.
   • Provide contact details for an approved set of IT staff that will have access to the
     portal and have permissions to raise Incidents.
   • Provide contact details for incident escalation.
   • Ensure the customer network is compliant with relevant PSN Code of Connection
     requirements.
   • Provide Security Manager contact details for reporting any notifiable security events.

Thales Commitment to Open Standards
Thales is committed to adopting Open Standards during the Service Development process
where standards exist, and will continue to promote new standards where they add real
customer value, such as improved interoperability or lower maintenance and support costs.

Thales support for UK Government Information
Principles
Principle 2 - Information is Managed
The principle requires that Information Assets are managed and protected in a manner
commensurate with their value. The Thales Secure Gateway Services are designed to enforce
the Customer's own Security Policies to manage and protect information transiting a security
boundary. This includes a range of information management best practices delivered
through the Network Operations Centre and the Thales GPG13-based Security Operations
Centre, for example to ensure appropriate availability and integrity and to avoid exposure and
loss.

Principle 5 - Information is Re-used
A “joined up” approach to the sharing of information across the public sector to deliver
public services and to meet public task responsibilities is becoming increasingly important
and expected.

One of the key aspects of re-use is supported by the use of Secure Gateway Services to
enforce Security Policies that have been devised as a result of careful risk-based
judgements with regard to exploiting vs. protecting UK Government information:
   "External re-use - sharing information with others across organisational boundaries,
    whether within the public sector, or more generally with private businesses and
    citizens"

Government ICT Strategy and Greening ICT
Strategies
In support of the Government Greening ICT Strategy the Thales Group has made protecting
the environment one of its ethical values. The Group is committed to a proactive
environmental protection policy (ISO 14001 and compliant with the European Eco-
Management and Audit Scheme) and attaches importance to this principle within the
framework of its activities.
The design of Thales PSN Services, their operational support and Data Centre selection
supports both the ICT and Greening strategies through:
   • Use of Open Standards and the PSN interconnect specification to facilitate the
     creation of a common ICT infrastructure
   • Developing a range of 'Securing the Cloud' capabilities and gaining
     accreditation for ICT services that are an enabler for delivering government
     changes with the lowest IA risk
   • Developing PSNA certified Gateway Services to monitor, manage and report on
     information transiting security boundaries in support of IA governance
In addition Thales implements an extensive quality control and management system, including
organisational governance processes to manage and reduce risk, provide continuous process
improvement and ensure customer satisfaction. Thales supports key principles of the
Government ICT Strategy. Thales will work with UK Government to reduce unnecessary
waste, ensure projects meet customer needs, timescales and budgetary constraints whilst
delivering a sustainable and common ICT infrastructure.


Contact Details
To discuss or speak to Thales about our Gateway cloud services, we would be delighted to
hear from you.
We can be contacted on: thalesg-cloud5@uk.thalesgroup.com
