Secure Remote Access

G-Cloud Service ID number: 8949 9812 4897 727

OVERVIEW

The UKCloud Secure Remote Access service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform, using NCSC-approved internet Virtual Private Network (VPN) technologies and the ‘Walled Garden’ architectural pattern using bastion hosts.

FEATURES/BENEFITS

Product specific features and the benefits they bring:

  • Feature: secure access via a shared, multi-tenant, NCSC-approved internet VPN solution. Benefit: leverage UKCloud’s solutions to reduce your own infrastructure and compliance costs
  • Feature: compatible with a variety of end-user platforms (Android, Apple, Linux, Windows). Benefit: choose the tools that are right for your workforce
  • Feature: scale the service on demand, unrestricted by third-party suppliers. Benefit: self-assure devices instead of using inflexible, locked-down managed devices
  • Feature: 24/7 service desk included as standard, with SLA response times. Benefit: feel supported to get the best from your application
  • Feature: assured; UK hosted, by SC- and NPPV-cleared personnel. Benefit: have confidence in who has access to your data
  • Feature: aligned with the NCSC Cloud Security Principles. Benefit: your solutions run on an NCSC best-practice cloud
  • Feature: connect over the internet, PSN, JANET or N3/HSCN. Benefit: choose the right network to connect your solution to
  • Feature: optimised for OFFICIAL; designed for OFFICIAL and OFFICIAL-SENSITIVE. Benefit: supports and enables the Government Digital Strategy
  • Feature: support for remote workers and systems administrators. Benefit: enables BYOD and simplifies third-party compliance

SERVICE INFORMATION

The service enables system administrators, mobile and remote workers to securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections to PSN Protected.

Secure Remote Access:

  • Is for UK users only
  • Is available to users who have been appropriately vetted and security-cleared as assured by the customer organisation in line with PSN Information Assurance conditions
  • Provides connectivity into the UKCloud Elevated OFFICIAL cloud platform only – there is no onward connectivity to government community networks such as N3/HSCN, PSN Assured, PSN Protected and legacy networks such as PNN

TECHNICAL SPECIFICATIONS

The UKCloud Secure Remote Access service provides the following technical features:

  • Based on NCSC CPA-approved technology, including the Cisco AnyConnect client and Cisco VPN gateways
  • Provides two-factor authentication, one factor being a UKCloud-issued device certificate (device-to-service authentication) alongside authentication of the user to the service
  • Has a ‘Walled Garden’ architecture which enables customers to deploy and manage appropriate systems in a DMZ, allowing secure, controlled onward access to workloads hosted on the UKCloud Elevated OFFICIAL cloud platform
  • Integrated with the UKCloud Protective Monitoring solution (aligned with GPG13)

FAQs

SERVICE

Q     What is the service?

The UKCloud Secure Remote Access (SRA) service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform using NCSC-approved internet virtual private network (VPN) technologies and the ‘Walled Garden’ architectural pattern.

System administrators and mobile workers can securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections such as PSN or N3/HSCN.

Q     Do I have to buy other UKCloud services to use UKCloud Secure Remote Access?

Yes. UKCloud Secure Remote Access is available only to customers purchasing other UKCloud services such as IaaS (compute and storage) or PaaS (Hadoop and Digital Application Platform).

Q     Is there a free trial available?

The complex assurance requirements related to this service mean that a trial service isn’t available.

Q     Does UKCloud provide the managed devices for using the Secure Remote Access service?

No. We don’t provide them, but we have partners who can provide the managed devices and other services if required.

Q     What is the process for applying for a Secure Remote Access solution?

If you’re already a UKCloud customer you can find the information you need in the UKCloud Portal Knowledge Centre, including a detailed description of the assurance process and an application form.

New customers should contact the UKCloud sales team to discuss their requirements.

Q     What information must the application form include?

As a minimum the application form must include:

  • A business case explaining why a secure remote access solution is required
  • The technical architecture of the solution incorporating the UKCloud Secure Remote Access service
  • An assurance plan — your proposed approach to ensuring that risks are correctly identified, appropriate mitigation is implemented and residual risks are accepted so that both the customer and UKCloud SIROs can make an informed decision about the risks of the solution

Q     What is likely to be included in the assurance plan?

The assurance plan will include:

  • Validation of requirements by the customer (department SIRO)
  • Evidence from the customer that end-user devices are configured and managed in line with minimum requirements (for example scope of PSN compliance with IA requirements)
  • Evidence from the customer that users of the Secure Remote Access Service are vetted and security-cleared in line with minimum requirements (scope of PSN compliance with IA requirements)
  • Confirmation by the customer that an appropriate security incident management process applies to the solution
  • Confirmation by the customer that the service will be accessed from the UK only
  • Confirmation by the customer and each individual user of agreement to the UKCloud Acceptable Use Policy (AUP)
  • Identification of data flows between the Walled Garden and the customer’s solution (firewall access control list)

Q     What requirements are placed on the access devices?

The service is compatible with customer-managed end-user devices that meet the following conditions:

  • Mandatory use of the Cisco AnyConnect VPN Client, or of an embedded IPsec client that is assured under the NCSC CPA scheme against the ‘IPsec VPN for Remote Working (Software Client)’ security characteristic
  • Mandatory user-to-device authentication ensuring only authorised users can access the end-user devices
  • Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
  • Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
  • Mandatory use of a platform which supports platform integrity and application sandboxing to reduce the risk of the end-user device being compromised
  • Mandatory use of application whitelisting to reduce risk of malicious code execution on the end-user device
  • Mandatory use of regularly updated anti-malware software to reduce the risk of malicious code execution on the end-user device
  • Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security-critical features
  • Mandatory use of external interface protection such as host-based firewalls to limit exposure of the end-user device to untrusted networks
  • Mandatory use of a device update policy to keep the end-user device regularly updated with security patches
  • Mandatory implementation of an incident response plan by the customer organisation to respond to security incidents such as loss of the end-user device
  • Configuration and management of end-user devices must be assured by the consuming organisation as being in line with NCSC End User Device guidance and compliant with PSN IA conditions
  • Recommended use of a CPA-approved data-at-rest encryption solution
  • Recommended use of Secure Boot where available
  • Recommended use of an enterprise audit and monitoring service by the customer organisation to ensure security events are centrally logged and reviewed

Q     How long will the assurance process take?

Each business case and proposed solution will be assessed by the UKCloud team, and must be approved by the UKCloud SIRO.

We aim to carry out the assessment within five days of receiving the business case and proposed solution, but we can’t commit to timelines for approval.

Q     What is the assurance wrap review?

If you need help gathering appropriate evidence, or effectively designing your SRA solution, we offer an assurance wrap review to guide you towards an effective design that will help to maximise your chances of meeting compliance requirements.

The variable nature of the engagement means we charge for the assurance wrap on an SFIA rate card basis, depending on the number of days’ support needed.

Q     What is the assurance process for approving a Secure Remote Access Solution?

Broadly, the assurance process is as follows:

  • Initial application
  • UKCloud design review (with a cloud architect)
  • Proposed evidence pack submission (by the customer)
  • Full evidence pack submission (by the customer)
  • UKCloud SIRO review and approval or rejection

Full details of each stage are available in the UKCloud Portal Knowledge Centre or from your account director.

Q     Does the UKCloud assurance process replace the assurance requirements of any networks a solution may be connected to?

No. The Secure Remote Access service is intended only for customers to remotely access the UKCloud Elevated OFFICIAL assured cloud platform.

If your solution needs to face an external controlled-access network, such as PSN or N3/HSCN, you must complete the appropriate compliance for that network.

Q     What are the ongoing requirements?

When the Secure Remote Access service is in operation, the customer is responsible for ensuring continuing compliance with the Security Operating Procedures (SyOps) and other security obligations.

Q     Who makes the final decision to allow or deny the use of Secure Remote Access?

The UKCloud SIRO is ultimately responsible for deciding which solutions and configurations are allowed.

Q     If I plan to use Secure Remote Access and a Walled Garden, can I use a single Walled Garden for both?

It’s best to use two separate Walled Gardens within the Cross Domain Secure Zone, to ensure compliance requirements are met.

Solutions can be designed to use a single Walled Garden infrastructure, but are likely to require a more intensive review during the Assurance Wrap process.

Customers will still be billed for both services.

Q     Can I connect to multiple virtual data centres (vDCs) from a single Walled Garden?

Yes. You only need to implement a single instance of Secure Remote Access, as a Bastion host can provide gateway services to more than one vDC. The Assurance Wrap process will outline the scope of connected services.

If you wish to add additional services to your Secure Remote Access service, you’ll need to review your existing compliance documentation via the Assurance Wrap.

Q     Can I use the UKCloud’s Secure Remote Access solution from outside the UK?

No, the nature of the UKCloud solution is that you must be using it from known endpoints inside the UK.

If you have international access requirements, please contact your account manager to discuss alternative options.

CERTIFICATES

Q     How long do Secure Remote Access certificates last for?

SRA certificates last for 12 months. You’ll need to renew certificates no later than two weeks before the certificates expire to avoid any interruption to your service.

Q     How do I order additional Secure Remote Access certificates?

Raise a service request via our secure online Portal, which provides service management functionality. Alternatively, you can reach support by phone or email.

Q     How do I renew or revoke an old certificate?

To renew or revoke your certificate, raise a service request via the UKCloud Portal, selecting the “Renew and/or Revoke SRA Certificate” option.

For renewals, it’s important you give us at least two weeks’ notice to prevent a break in your service.

Q     Can I renew or revoke my certificates in bulk?

Yes. To renew or revoke your certificates in bulk, raise a service request via the UKCloud Portal, selecting the “Renew and/or Revoke multiple SRA Certificates” option.

Attach the “Secure Remote Access bulk renewal/revoke” form listing all the certificates you need renewing and/or revoking, with details including the User ID (UID) and certificate name. Providing the host name or machine name as well is useful.

For renewals, it’s important you give us at least two weeks’ notice to prevent a break in your service.

Q     What are my responsibilities for this service?

You need to maintain a list of your certificates and advise us if you need to request new or additional certificates as well as needing any to be revoked.
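The page leaves the certificate list itself to the customer. The following is an added example of how that list can be kept and checked; it is not UKCloud tooling and nothing on the page prescribes a format. It assumes a CSV inventory carrying the fields the bulk renewal/revoke form asks for (UID, certificate name, host name) plus each certificate’s expiry date, and applies the two rules stated above: certificates last 12 months, and a renewal request needs at least two weeks’ notice. The inventory rows, dates and the 14-day internal lead time are constructed for illustration.

```python
"""Flag SRA device certificates whose renewal request is due, late or too late.

Added example, not UKCloud's portal or tooling. The inventory below is
constructed; column names and the LEAD value are assumptions.
"""
import csv
import io
from datetime import date, timedelta

NOTICE = timedelta(days=14)   # UKCloud needs at least two weeks' notice for a renewal
LEAD = timedelta(days=14)     # assumed: start chasing a request two weeks before the notice deadline

# Constructed inventory: UID, certificate name and host name (the bulk form fields)
# plus the certificate's notAfter date taken from the issued certificate.
INVENTORY_CSV = """uid,cert_name,hostname,not_after
u1001,sra-u1001-lap01,lap01.example.gov.uk,2024-09-30
u1002,sra-u1002-lap02,lap02.example.gov.uk,2024-08-10
u1003,sra-u1003-lap03,lap03.example.gov.uk,2024-07-20
u1004,sra-u1004-lap04,lap04.example.gov.uk,2024-06-01
"""


def load_inventory(text):
    """Parse the CSV inventory, converting not_after to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = date.fromisoformat(row["not_after"])
        rows.append(row)
    return rows


def classify(cert, today):
    """Return the renewal status of one certificate as of `today`.

    expired      the certificate is already past notAfter
    late         still valid, but the two-week notice can no longer be met
    request_now  the notice deadline is within LEAD days; raise the request
    ok           nothing to do yet
    """
    deadline = cert["not_after"] - NOTICE   # last day a renewal request is on time
    if today > cert["not_after"]:
        return "expired"
    if today > deadline:
        return "late"
    if today >= deadline - LEAD:
        return "request_now"
    return "ok"


def renewal_report(text, today):
    """Group the inventory by status: {status: [(uid, cert_name, hostname), ...]}."""
    report = {"expired": [], "late": [], "request_now": [], "ok": []}
    for cert in load_inventory(text):
        report[classify(cert, today)].append(
            (cert["uid"], cert["cert_name"], cert["hostname"])
        )
    return report


def bulk_form_rows(text, today):
    """Rows to copy onto the bulk renewal form: everything late or due now."""
    report = renewal_report(text, today)
    return report["late"] + report["request_now"]


if __name__ == "__main__":
    as_of = date(2024, 7, 15)
    for status, certs in renewal_report(INVENTORY_CSV, as_of).items():
        for uid, name, host in certs:
            print(f"{status:12} {uid} {name} {host}")
```

Run it from a scheduled job against the real inventory and raise the service request for every row in the “late” and “request_now” groups; a certificate in the “late” group is still usable but will expire before a request with the required notice can complete, so it should be treated as a pending outage.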

BILLING & LEGAL

Q     How will I be billed?

Secure Remote Access has a minimum commitment period of three months and is billed on a monthly basis.

The billing model has two parts:

  • A per-user fee, bought in packs to cover your user base
  • An hourly rental fee for each Bastion host required to support your access requirements

A small Bastion host is provided free of charge each month. If you increase the size of this VM, or provision additional VMs as Bastion hosts, the value of one small VM per month is still deducted from your invoice.

Q     Is there a minimum term?

The service is subject to a minimum term of three months. Termination within this initial term will incur an early exit charge.

SECURITY

Q     Why does use of CPA-approved solutions to access the UKCloud Elevated OFFICIAL environment via the internet require approval by the UKCloud SIRO?

UKCloud offers two ways to connect to the UKCloud platform’s Elevated OFFICIAL security domain via a CPA-approved solution:

  • By using the UKCloud-managed SRA service (covered in this FAQ)
  • By hosting self-managed CPA-approved VPN solutions (see below)

CPA-approved VPN solutions have undergone a less rigorous NCSC assurance process than CAPS-approved solutions. NCSC recognises that there is therefore greater risk associated with the robustness of CPA-approved solutions.

As some PSN-accredited solutions (such as the UKCloud solution) host multiple customers, UKCloud has a responsibility to ensure that these less assured solutions are used appropriately. Therefore, you must have a compelling business case to justify why the use of CPA-approved solutions is necessary. This business case is reviewed by the UKCloud SIRO (and periodically inspected by the PSN Accreditor) who will approve its use if appropriate.

For clarity, CPA-approved VPN solutions may always be used to provide an encryption overlay on a CAS(T)-compliant circuit. It’s only the use of CPA-approved solutions over non-CAS(T)-compliant circuits (for example, the internet) that requires approval by the UKCloud SIRO.

Q     Can I use UKCloud Secure Remote Access to connect to the UKCloud Elevated OFFICIAL cloud platform?

Yes, subject to compliance with information assurance requirements. Our Secure Remote Access service is designed to enable customers to connect via the internet to their services hosted on the UKCloud Elevated OFFICIAL cloud platform, by using a CPA-approved VPN solution and other NCSC guidance such as Walled Gardens.

All traffic between the end-user device and the UKCloud Elevated OFFICIAL cloud platform must be routed through a Walled Garden hosted within the UKCloud Cross Domain Security Zone.

UKCloud is required to validate your ability to comply with information assurance requirements, which is why use of this service is subject to approval by the UKCloud SIRO.

Refer to the UKCloud Secure Remote Access service description on the Digital Marketplace for more information.
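The routing rule above (all traffic between the end-user device and the Elevated OFFICIAL platform passes through a Walled Garden in the Cross Domain Security Zone) and the assurance plan’s requirement to identify the data flows between the Walled Garden and the customer’s solution as a firewall access control list both come down to one check: no declared flow may go directly from the VPN client pool to a workload. The following is an added example of that check; it is not UKCloud’s design tool, and the three zones, address ranges, permitted ports and sample flows are constructed for illustration.

```python
"""Validate a declared Walled Garden data-flow list against the SRA routing rule.

Added example, not UKCloud tooling. Zone names, address ranges, allow-listed
ports and the sample flows are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed address ranges for the three zones in the pattern.
ZONES = {
    "sra_clients": ipaddress.ip_network("10.200.0.0/22"),    # addresses assigned to VPN clients
    "walled_garden": ipaddress.ip_network("10.201.1.0/24"),  # bastion hosts in the DMZ
    "workload_vdc": ipaddress.ip_network("10.210.0.0/16"),   # customer workloads on the platform
}

# Only these zone-to-zone paths may appear in the ACL. Clients reach the
# Walled Garden; the Walled Garden reaches workloads. A client -> workload
# flow is a direct path that bypasses the bastion and must be rejected.
ALLOWED_PATHS = {("sra_clients", "walled_garden"), ("walled_garden", "workload_vdc")}

# Assumed allow-listed ports per path (bastion admin protocols only).
ALLOWED_PORTS = {
    ("sra_clients", "walled_garden"): {("tcp", 22), ("tcp", 3389)},
    ("walled_garden", "workload_vdc"): {("tcp", 22), ("tcp", 3389), ("tcp", 443)},
}


@dataclass(frozen=True)
class Flow:
    src: str    # host address or CIDR
    dst: str
    proto: str
    port: int


def zone_of(addr: str) -> Optional[str]:
    """Map a host or CIDR to the zone that contains it, or None if unknown."""
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def check_flow(flow: Flow) -> str:
    """Return 'ok', or the reason the flow must not be added to the ACL."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "endpoint outside any declared zone"
    path = (src_zone, dst_zone)
    if path not in ALLOWED_PATHS:
        return f"direct path {src_zone} -> {dst_zone} bypasses the Walled Garden"
    if (flow.proto, flow.port) not in ALLOWED_PORTS[path]:
        return f"{flow.proto}/{flow.port} is not allow-listed for {src_zone} -> {dst_zone}"
    return "ok"


def build_acl(flows):
    """Turn accepted flows into permit rules with a default deny; return rejects too."""
    rules, rejected = [], []
    for flow in flows:
        verdict = check_flow(flow)
        if verdict == "ok":
            rules.append(f"permit {flow.proto} {flow.src} -> {flow.dst} port {flow.port}")
        else:
            rejected.append((flow, verdict))
    rules.append("deny ip any -> any")   # explicit default deny closes the list
    return rules, rejected


# Constructed sample: two legitimate flows, one bypass, one unlisted port.
SAMPLE_FLOWS = [
    Flow("10.200.0.0/22", "10.201.1.10", "tcp", 22),    # clients -> bastion over SSH
    Flow("10.201.1.10", "10.210.5.20", "tcp", 3389),    # bastion -> workload over RDP
    Flow("10.200.0.0/22", "10.210.5.20", "tcp", 3389),  # clients -> workload: bypass
    Flow("10.201.1.10", "10.210.5.20", "tcp", 5432),    # bastion -> workload DB port, not listed
]


if __name__ == "__main__":
    rules, rejected = build_acl(SAMPLE_FLOWS)
    print("\n".join(rules))
    for flow, reason in rejected:
        print(f"REJECT {flow}: {reason}")
```

The rejected list is what the design review will ask about: each entry either needs a bastion-hosted intermediary added to the design, or a justification and an addition to the port allow-list before the ACL goes into the evidence pack.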

Q     Can I use UKCloud Secure Remote Access to connect to other PSN services?

No. The UKCloud Secure Remote Access service is designed to facilitate connectivity to services hosted on the UKCloud Elevated OFFICIAL cloud platform only.

Consider PSN-compliant remote access services if you require access to the broader PSN.