Secure Remote Access
The UKCloud Secure Remote Access service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform, using NCSC-approved internet Virtual Private Network (VPN) technologies and the ‘Walled Garden’ architectural pattern using bastion hosts.
Features & benefits
There are many features and benefits to our Secure Remote Access product, from providing secure access via a shared multi-tenant NCSC-approved internet VPN solution to the ability to scale the service on demand – unrestricted by third-party suppliers.
| Features | Product-specific benefits |
|---|---|
| Provides secure access via a shared multi-tenant NCSC-approved internet VPN solution | Leveraging UKCloud’s solutions, reduce your own infrastructure and compliance costs |
| Compatible with a variety of end-user platforms – Android, Apple, Linux, Windows | Choose the tools that are right for your workforce |
| Scale the service on demand – unrestricted by third-party suppliers | Self-assure devices, instead of using inflexible, locked-down managed devices |
| 24/7 service desk included as standard with SLA response times | Feel supported to get the best from your application |
| Assured; UK hosted by SC and NPPV cleared personnel | Have confidence in who has access to your data |
| Aligned with NCSC Cloud Security Principles | Your solutions are on an NCSC best practice cloud |
| Connect over the internet, PSN, JANET or N3/HSCN | Choose the right network to connect your solution to |
| Optimised for OFFICIAL – designed for OFFICIAL and OFFICIAL-SENSITIVE | Supports and enables the Government Digital Strategy |
| Support for Remote Workers and Systems Administrators | Enables BYOD and simplifies third-party compliance |
The service enables system administrators, mobile and remote workers to securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections to PSN Protected.
Secure Remote Access:
- Is for UK users only
- Is available to users who have been appropriately vetted and security-cleared as assured by the customer organisation in line with PSN Information Assurance conditions
- Provides connectivity into the UKCloud Elevated OFFICIAL cloud platform only – there is no onward connectivity to government community networks such as N3/HSCN, PSN Assured, PSN Protected and legacy networks such as PNN
The UKCloud Secure Remote Access service provides the following technical features:
- Based on NCSC-approved CPA technology including Cisco AnyConnect and Cisco VPN gateways
- Provides secure two-factor authentication based on UKCloud-issued device certificates
- Has a ‘Walled Garden’ architecture which enables customers to deploy and manage appropriate systems in a DMZ, allowing secure, controlled onward access to workloads hosted on the UKCloud Elevated OFFICIAL cloud platform
- Integrated with the UKCloud Protective Monitoring solution (aligned with GPG13)
Q What is the service?
The UKCloud Secure Remote Access (SRA) service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform using NCSC-approved internet virtual private network (VPN) technologies and the ‘Walled Garden’ architectural pattern.
System administrators and mobile workers can securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections such as PSN or N3/HSCN.
Q Do I have to buy other UKCloud services to use UKCloud Secure Remote Access?
Yes. UKCloud Secure Remote Access is available only to customers purchasing other UKCloud services such as IaaS (compute and storage) or PaaS (Hadoop and Digital Application Platform).
Q Is there a free trial available?
The complex assurance requirements related to this service mean that a trial service isn’t available.
Q Does UKCloud provide the managed devices for using the Secure Remote Access service?
No. We don’t provide them, but we have partners who can provide the managed devices and other services if required.
Q What is the process for applying for a Secure Remote Access solution?
If you’re already a UKCloud customer you can find the information you need in the UKCloud Portal Knowledge Centre, including a detailed description of the assurance process and an application form.
New customers should contact the UKCloud sales team to discuss their requirements.
Q What information must the application form include?
As a minimum the application form must include:
- A business case explaining why a secure remote access solution is required
- The technical architecture of the solution incorporating the UKCloud Secure Remote Access service
- An assurance plan — your proposed approach to ensuring that risks are correctly identified, appropriate mitigation is implemented and residual risks are accepted so that both the customer and UKCloud SIROs can make an informed decision about the risks of the solution
Q What is likely to be included in the assurance plan?
The assurance plan will include:
- Validation of requirements by the customer (department SIRO)
- Evidence from the customer that end-user devices are configured and managed in line with minimum requirements (for example scope of PSN compliance with IA requirements)
- Evidence from the customer that users of the Secure Remote Access Service are vetted and security-cleared in line with minimum requirements (scope of PSN compliance with IA requirements)
- Confirmation by the customer that an appropriate security incident management process applies to the solution
- Confirmation by the customer that the service will be accessed from the UK only
- Confirmation by the customer and each individual user of agreement to the UKCloud Acceptable Use Policy (AUP)
- Identification of data flows between the Walled Garden and the customer’s solution (firewall access control list)
Q What requirements are placed on the access devices?
The service is compatible with customer-managed end-user devices that meet the following conditions:
- Mandatory use of Cisco AnyConnect VPN Client or an embedded IPsec client which is assured under the NCSC CPA scheme against the IPsec VPN for remote working software client security characteristic
- Mandatory user-to-device authentication ensuring only authorised users can access the end-user devices
- Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
- Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
- Mandatory use of a platform which supports platform integrity and application sandboxing to reduce the risk of the end-user device being compromised
- Mandatory use of application whitelisting to reduce risk of malicious code execution on the end-user device
- Mandatory use of regularly updated anti-malware software to reduce the risk of malicious code execution on the end-user device
- Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security-critical features
- Mandatory use of external interface protection such as host-based firewalls to limit exposure of the end-user device to untrusted networks
- Mandatory use of a device update policy to keep the end-user device regularly updated with security patches
- Mandatory implementation of an incident response plan by the customer organisation to respond to security incidents such as loss of the end-user device
- Configuration and management of end-user devices must be assured by the consuming organisation as being in line with NCSC End User Device guidance and compliant with PSN IA conditions
- Recommended use of a CPA-approved data-at-rest encryption solution
- Recommended use of Secure Boot where available
- Recommended use of an enterprise audit and monitoring service by the customer organisation to ensure security events are centrally logged and reviewed
Q How long will the assurance process take?
Each business case and proposed solution will be assessed by the UKCloud team, and must be approved by the UKCloud SIRO.
We aim to carry out the assessment within five days of receiving the business case and proposed solution, but we can’t commit to timelines for approval.
Q What is the assurance wrap review?
If you need help gathering appropriate evidence, or effectively designing your SRA solution, we offer an assurance wrap review to guide you towards an effective design that will help to maximise your chances of meeting compliance requirements.
The variable nature of the engagement means we charge for the assurance wrap on an SFIA rate card basis, depending on the number of days’ support needed.
Q What is the assurance process for approving a Secure Remote Access Solution?
Broadly, the assurance process is as follows:
- Initial application
- UKCloud design review (with a cloud architect)
- Proposed evidence pack submission (by the customer)
- Full evidence pack submission (by the customer)
- UKCloud SIRO review and approval or rejection
Full details of each stage are available in the UKCloud Portal Knowledge Centre or from your account director.
Q Does the UKCloud assurance process replace the assurance requirements of any networks a solution may be connected to?
No. The Secure Remote Access service is intended only for customers to remotely access the UKCloud Elevated OFFICIAL assured cloud platform.
If your solution needs to face an external controlled-access network, such as PSN or N3/HSCN, you must complete the appropriate compliance for that network.
Q What are the ongoing requirements?
When the Secure Remote Access service is in operation, the customer is responsible for ensuring continuing compliance with Security Operating Procedures (SyOps) and other security obligations.
Q Who makes the final decision to allow or deny the use of Secure Remote Access?
The UKCloud SIRO is ultimately responsible for deciding which solutions and configurations are allowed.
Q If I plan to use Secure Remote Access and a Walled Garden, can I use a single Walled Garden for both?
It’s best to use two separate Walled Gardens within the Cross Domain Secure Zone, to ensure compliance requirements are met.
Solutions can be designed to use a single Walled Garden infrastructure, but are likely to require a more intensive review during the Assurance Wrap process.
Customers will still be billed for both services.
Q Can I connect to multiple virtual data centres (vDCs) from a single Walled Garden?
Yes. You only need to implement a single instance of Secure Remote Access, as a Bastion host can provide gateway services to more than one vDC. The Assurance Wrap process will outline the scope of connected services.
If you wish to add additional services to your Secure Remote Access service, you’ll need to review your existing compliance documentation via the Assurance Wrap.
Q Can I use UKCloud’s Secure Remote Access solution from outside the UK?
No. The nature of the UKCloud solution is that you must use it from known endpoints inside the UK.
If you have international access requirements, please contact your account manager to discuss alternative options.