G-Cloud Service ID number: 3588 0686 6032 608
The mature and proven UKCloud Cross Domain Security Zone helps you achieve the goals of the Government Digital Strategy by making government community (for example, PSN) facing applications available to citizens and industry via the internet. It’s ideal for solutions where service accessibility and data security are key underpinning principles.
Our Cross Domain Security Zone service can help you to…
| Product specific features | Product specific benefits |
| Security | Create citizen-facing services while maintaining data security
The UKCloud Cross Domain Security Zone provides a secure way to transfer data between workloads hosted on UKCloud’s Assured OFFICIAL and Elevated OFFICIAL cloud platforms |
| Compliance | Be confident that your solutions meet the required compliance levels
The UKCloud Guard works on standardised system architectures which have been reviewed by CESG The Walled Garden is subject to standardised checks and procedures to strike the right balance between data security and time to delivery |
| Assurance | Use the service with the confidence of third-party validation
The service benefits from extensive independent validation (including CESG design reviews) that is properly aligned with CESG Cloud Security Principles, making it ideal for all data classified at OFFICIAL (including OFFICIAL SENSITIVE) |
| Cost-effectiveness | Use UKCloud’s ready-made Guard to reduce your own infrastructure and compliance costs
The UKCloud Guard is delivered as a shared multi-tenant cloud service with usage-based billing |
| Flexibility | Choose the solution you need
Use the ready-made UKCloud Guard, or design and manage your own single-tennant Walled Garden. Because you control the design of your Walled Garden, you can alter it as your requirements evolve |
| Control | With the self-managed Walled Garden, you can apply bespoke controls to support a wider range of use cases and traffic flows |
There are two service options: the UKCloud-managed UKCloud Guard and the self-managed Walled Garden.
UKCloud Guard (formerly known as Cross Domain Guard)
We provide a secure, scalable and managed UKCloud Guard that supports structured and inspectable HTTP-based data flows. This option provides an immediately available solution to support simple use cases, such as applications designed to make inspectable web services calls between the security domains using XML.
Walled Garden (formerly known as Cross Domain Solution)
We provide self-service access to the Cross Domain Security Zone so that you can design, implement and manage your own Walled Garden, using technology and application services of your choice. We provide an assurance wrap by managing firewalls between the security zones and ensuring you use appropriate risk management to understand and mitigate identified risks.
The Walled Garden is ideal if you require more control and flexibility over what is passed between security domains, to support a wider range of use cases.
The UKCloud Guard provides:
The Self-managed single-tenant Walled Garden provides:
UKCloud provides a number of related service options, including:
Global Load Balancing
Application-tuned DDoS protection
The UKCloud Cross Domain Security Zone (CDSZ) enables customers to transfer data securely between the UKCloud Assured OFFICIAL (formerly IL2) cloud platform and the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform using CESG-approved cross-domain security patterns.
This allows solutions hosted on the Elevated OFFICIAL cloud platform that are citizen facing to be accessed securely from the internet.
Two service options are available to enable use of the CDSZ:
Yes. UKCloud Cross Domain services are available only to customers purchasing other UKCloud services, such as IaaS (compute and storage) or PaaS (Hadoop and Digital Application Platform).
The complex assurance requirements mean that trials aren’t available.
If you’re already a UKCloud customer you can find the information you need in the UKCloud Portal Knowledge Centre, including a detailed description of the assurance process and an application form.
New customers should contact the UKCloud sales team to discuss their requirements.
As a minimum the application form must include:
For citizen-facing solutions hosted on the Elevated OFFICIAL cloud platform that need to be accessible from the internet, you can use the UKCloud Guard, or build your own solution using the Walled Garden.
If you use the UKCloud Guard, you’ll need to deploy additional web servers on the Assured OFFICIAL cloud platform to perform pre-authentication, validation checking and initial anti-virus. The web servers can then communicate with your application server hosted on the Elevated OFFICIAL cloud platform via HTTP web services through the UKCloud Guard. Use of the UKCloud Guard is subject to approval by the UKCloud SIRO.
With the Walled Garden, you can create your own inspection, anti-malware and security services in the CDSZ between the internet-facing components on the Assured OFFICIAL cloud platform and the higher-security components hosted on the Elevated OFFICIAL cloud platform. Use of a self-managed Walled Garden is subject to approval by the UKCloud SIRO.
Direct connectivity into the UKCloud Elevated OFFICIAL cloud platform via the internet is possible using a CAPS-approved VPN solution using government-grade encryption products (eg X‑Kryptor). CPA-approved VPN solutions may be used subject to approval by the UKCloud SIRO. UKCloud can host the CAPS or CPA IPsec VPN gateway device within the Elevated OFFICIAL cloud platform, but procurement, configuration and ongoing management of the solution are your responsibility.
UKCloud also offers Secure Remote Access, a CPA-approved VPN solution that allows access to the Elevated OFFICIAL cloud platform via a self-managed Walled Garden within the CDSZ. For more information, see the UKCloud Secure Remote Access service definition on the Digital Marketplace.
Yes, there is a 1GiB throughput limitation to the CDSZ in both Farnborough and Corsham.
The storage capacity of a VM in the CDSZ is 60GiB.
UKCloud cannot provide additional storage in the CDSZ for designs involving patch repositories. We advise customers to engage a UKCloud solutions architect to create a design that allows use of storage on the Assured or the Elevated platform.
UKCloud provides a secure and scalable Guard which supports structured and inspectable HTTP-based data flows.
This service offers an immediately available (subject to the assurance process) multi-tenant Guard to support simple use cases.
It can inspect structured and inspectable HTTP-based data such as XML and JSON.
Both guards (IWSVA and Deep Secure) can currently pass through JSON content. This is currently based on both products recognising the content as text.
No. Any changes to what is and isn’t allowed through the guard will be decided at a service level by UKCloud.
If you need a different solution, we recommend you use the Walled Garden.
Yes. You can implement a dual-site option that provides a secondary guard route in case the primary one fails.
Each business case and proposed solution will be assessed by the UKCloud team, and must be approved by the UKCloud SIRO.
We aim to carry out the assessment within five days of receiving the business case and proposed solution, but we can’t commit to timelines for approval.
We provide self-service access to the CDSZ so that customers can create their own Walled Gardens using the technology and application services of their choice.
We provide an assurance wrap by ensuring that customers use appropriate risk management techniques to understand and mitigate identified risks.
No.
Because a Walled Garden Solution is bespoke, we offer an assurance wrap to guide customers towards an effective design that will help to maximise their chances of meeting compliance requirements.
The variable nature of Walled Garden Solutions means we may charge for the assurance wrap on an SFIA rate card basis, according to the number of days’ support needed.
Broadly, the process is as follows:
Full details of each stage are available in the UKCloud Portal Knowledge Center or from your Account Director.
The evidence pack will generally consist of:
When the Walled Garden is in operation, the customer is responsible for ensuring continuing compliance with security operating procedures (SyOps) and other security obligations.
The bespoke nature of the Walled Garden means we can’t provide committed timescales for each phase in the process.
However, we aim to provide feedback from a named source within five days of each submission.
The UKCloud SIRO is ultimately responsible for deciding which solutions and configurations are allowed.
Our secure online Portal provides service management functionality. Alternatively, you can reach support by phone or email.
Walled Gardens are managed from the higher-security side of the platform (Elevated OFFICIAL). The security requirements are much stricter and require a PSN-approved connection, UKCloud Secure Remote Access or CPA-approved encryption.
UKCloud ‘s maintenance windows are as follows (times are UK local times):
Planned maintenance
Any pre-planned maintenance of any infrastructure relating to the services. We’ll provide you with at least 14 days’ advance notice of any planned maintenance. It will take place between 00:00 and 06:00 Monday to Sunday or between 08:00 and 12:00 on a Saturday or Sunday. No planned maintenance will take place on a Saturday unless agreed in advance by both parties.
Emergency Maintenance
Any emergency maintenance of any infrastructure relating to the services. Whenever possible, we’ll provide you with at least six hours’ advance notice of emergency maintenance; and carry it out between 00:00 and 06:00 Monday to Sunday or between 08:00 and 12:00 on a Saturday or Sunday, unless there’s an identified and demonstrable immediate risk to a customer’s environment.
Both solutions have a minimum commitment period of one month. The billing models are as follows:
UKCloud Guard
Billing is based on the amount of data transferred between domains. You buy a starter pack which includes an amount of data that can be transferred. You’re billed at an incremental rate for data transferred above the starter pack threshold.
Walled Garden
Billing is based on the solution design. You pay a monthly rental fee, with additional charges based on the number of VMs required to run the solution.
Payment can be made by direct bank transfer (BACS/CHAPS).
An early exit charge will be payable if the contract is terminated within the minimum term. The early exit charge will be equal to the cost of three months’ service less payments already made. Customers are responsible for extracting their own data from the platform if required. UKCloud may make an additional charge for transferring data out of the service.
The platform is hosted in the UK and operated by Security Cleared staff. It has extensive independent validation (including CESG PGA) that it is fully aligned with CESG Cloud Security Principles, making it ideal for all data classified at OFFICIAL (including OFFICIAL SENSITIVE) and legacy IL0–IL4 solutions.
Protective monitoring is included for our IaaS platform and follows GPG 13.
