Q What is the service?
The UKCloud Secure Remote Access (SRA) service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform using NCSC-approved internet virtual private network (VPN) technologies and the ‘Walled Garden’ architectural pattern.
System administrators and mobile workers can securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections such as PSN or N3/HSCN.
Q Do I have to buy other UKCloud services to use UKCloud Secure Remote Access?
Yes. UKCloud Secure Remote Access is available only to customers purchasing other UKCloud services such as IaaS (compute and storage) or PaaS (Hadoop and Digital Application Platform).
Q Is there a free trial available?
The complex assurance requirements related to this service mean that a trial service isn’t available.
Q Does UKCloud provide the managed devices for using the Secure Remote Access service?
No. We don’t provide them, but we have partners who can provide the managed devices and other services if required.
Q What is the process for applying for a Secure Remote Access solution?
If you’re already a UKCloud customer you can find the information you need in the UKCloud Portal Knowledge Centre, including a detailed description of the assurance process and an application form.
New customers should contact the UKCloud sales team to discuss their requirements.
Q What information must the application form include?
As a minimum the application form must include:
- A business case explaining why a secure remote access solution is required
- The technical architecture of the solution incorporating the UKCloud Secure Remote Access service
- An assurance plan — your proposed approach to ensuring that risks are correctly identified, appropriate mitigation is implemented and residual risks are accepted so that both the customer and UKCloud SIROs can make an informed decision about the risks of the solution
Q What is likely to be included in the assurance plan?
The assurance plan will include:
- Validation of requirements by the customer (department SIRO)
- Evidence from the customer that end-user devices are configured and managed in line with minimum requirements (for example scope of PSN compliance with IA requirements)
- Evidence from the customer that users of the Secure Remote Access Service are vetted and security-cleared in line with minimum requirements (scope of PSN compliance with IA requirements)
- Confirmation by the customer that an appropriate security incident management process applies to the solution
- Confirmation by the customer that the service will be accessed from the UK only
- Confirmation by the customer and each individual user of agreement to the UKCloud Acceptable Use Policy (AUP)
- Identification of data flows between the Walled Garden and the customer’s solution (firewall access control list)
Q What requirements are placed on the access devices?
The service is compatible with customer-managed end-user devices that meet the following conditions:
- Mandatory use of Cisco AnyConnect VPN Client or an embedded IPsec client which is assured under the NCSC CPA scheme against the IPsec VPN for remote working software client security characteristic
- Mandatory user-to-device authentication ensuring only authorised users can access the end-user devices
- Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
- Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
- Mandatory use of a platform which supports platform integrity and application sandboxing to reduce the risk of the end-user device being compromised
- Mandatory use of application whitelisting to reduce risk of malicious code execution on the end-user device
- Mandatory use of regularly updated anti-malware software to reduce the risk of malicious code execution on the end-user device
- Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security-critical features
- Mandatory use of external interface protection such as host-based firewalls to limit exposure of the end-user device to untrusted networks
- Mandatory use of a device update policy to keep the end-user device regularly updated with security patches
- Mandatory implementation of an incident response plan by the customer organisation to respond to security incidents such as loss of the end-user device
- Configuration and management of end-user devices must be assured by the consuming organisation as being in line with NCSC End User Device guidance and compliant with PSN IA conditions
- Recommended use of a CPA-approved data-at-rest encryption solution
- Recommended use of Secure Boot where available
- Recommended use of an enterprise audit and monitoring service by the customer organisation to ensure security events are centrally logged and reviewed
Q How long will the assurance process take?
Each business case and proposed solution will be assessed by the UKCloud team, and must be approved by the UKCloud SIRO.
We aim to carry out the assessment within five days of receiving the business case and proposed solution, but we can’t commit to timelines for approval.
Q What is the assurance wrap review?
If you need help gathering appropriate evidence, or effectively designing your SRA solution, we offer an assurance wrap review to guide you towards an effective design that will help to maximise your chances of meeting compliance requirements.
The variable nature of the engagement means we charge for the assurance wrap on an SFIA rate card basis, depending on the number of days’ support needed.
Q What is the assurance process for approving a Secure Remote Access Solution?
Broadly, the assurance process is as follows:
- Initial application
- UKCloud design review (with a cloud architect)
- Proposed evidence pack submission (by the customer)
- Full evidence pack submission (by the customer)
- UKCloud SIRO review and approval or rejection
Full details of each stage are available in the UKCloud Portal Knowledge Centre or from your account director.
Q Does the UKCloud assurance process replace the assurance requirements of any networks a solution may be connected to?
No. The Secure Remote Access service is intended only for customers to remotely access the UKCloud Elevated OFFICIAL assured cloud platform.
If your solution needs to face an external controlled-access network, such as PSN or N3/HSCN, you must complete the appropriate compliance for that network.
Q What are the ongoing requirements?
When the Secure Remote Access service is in operation, the customer is responsible for ensuring continuing compliance with Security Operating procedures (SyOps) and other security obligations.
Q Who makes the final decision to allow or deny the use of Secure Remote Access?
The UKCloud SIRO is ultimately responsible for deciding which solutions and configurations are allowed.
Q If I plan to use Secure Remote Access and a Walled Garden, can I use a single Walled Garden for both?
It’s best to use two separate Walled Gardens within the Cross Domain Secure Zone, to ensure compliance requirements are met.
Solutions can be designed to use a single Walled Garden infrastructure, but are likely to require a more intensive review during the Assurance Wrap process.
Customers will still be billed for both services.
Q Can I connect to multiple virtual data centres (vDCs) from a single Walled Garden?
Yes. You only need to implement a single instance of Secure Remote Access, as a Bastion host can provide gateway services to more than one vDC. The Assurance Wrap process will outline the scope of connected services.
If you wish to add additional services to your Secure Remote Access service, you’ll need to review your existing compliance documentation via the Assurance Wrap.
Q Can I use the UKCloud’s Secure Remote Access solution from outside the UK?
No, the nature of the UKCloud solution is that you must be using it from known endpoints inside the UK.
If you have international access requirements, please contact your account manager to discuss alternative options.