Secure Remote Access

The UKCloud Secure Remote Access service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform, using CESG-approved internet Virtual Private Network (VPN) technologies and the ‘Walled Garden’ architectural pattern using bastion hosts.

G-Cloud Service ID number: 8949 9812 4897 727

OVERVIEW

The UKCloud Secure Remote Access service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform, using CESG-approved internet Virtual Private Network (VPN) technologies and the ‘Walled Garden’ architectural pattern using bastion hosts.

FEATURES/BENEFITS

Product specific features  Product specific benefits
Provides a secure access via shared multi-tenant CESG-approved internet VPN solution Leveraging UKCloud’s solutions, reduce your own infrastructure and compliance costs
Compatible with a variety of end-user platforms – Android, Apple, Linux, Windows Choose the tools that are right for your workforce
Scale the service on demand – unrestricted by 3rd party suppliers Self-assure devices, instead of using of inflexible, locked-down managed devices
 24/7 service desk included as standard with SLA response times Feel supported to get the best from your application
Assured; UK hosted by SC and NPPV cleared personnel Have confidence in who has access to your data
Aligned with CESG Cloud Security Principles Your solutions are on a CESG best practice cloud
Connect over the internet, PSN, JANET or N3 Choose the right network to connect your solution to
Optimised for OFFICIAL – designed for OFFICIAL and OFFICIAL-SENSITIVE Supports and enables the Government Digital Strategy
Support for Remote Workers and Systems Administrators Enable BYOD and simplifies 3rd party compliance

SERVICE INFORMATION

The service enables system administrators, mobile and remote workers to securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections to PSN Protected.

Secure Remote Access:

  • Is for UK users only
  • Is available to users who have been appropriately vetted and security-cleared as assured by the customer organisation in line with PSN Information Assurance conditions
  • Provides connectivity into the UKCloud Elevated OFFICIAL cloud platform only – there is no onward connectivity to government community networks such as N3, PSN Assured, PSN Protected and legacy networks such as PNN

TECHNICAL SPECIFICATIONS

The UKCloud Secure Remote Access service provides the following technical features:

  • Based on CESG-approved CPA technology including Cisco AnyConnect and Cisco VPN gateways
  • Provides secure two-factor authentication based on UKCloud-issued device certificates
  • Has a ‘Walled Garden’ architecture which enables customers to deploy and manage appropriate systems in a DMZ, allowing secure, controlled onward access to workloads hosted on the UKCloud Elevated OFFICIAL cloud platform
  • Integrated with the UKCloud Protective Monitoring solution (aligned with GPG13)

FAQs

SERVICE

Q     What is the service?

The UKCloud Secure Remote Access (SRA) service enables customers to securely connect to the UKCloud Elevated OFFICIAL (formerly IL3) cloud platform using CESG-approved internet virtual private network (VPN) technologies and the ‘Walled Garden’ architectural pattern.

System administrators and mobile workers can securely access workloads running on the UKCloud Elevated OFFICIAL cloud platform from locations that don’t have alternative secure network connections such as PSN or N3.

Q     Do I have to buy other UKCloud services to use UKCloud Secure Remote Access?

Yes. UKCloud Secure Remote Access is available only to customers purchasing other UKCloud services such as IaaS (compute and storage) or PaaS (Hadoop and Digital Application Platform).

Q     Is there a free trial available?

The complex assurance requirements related to this service mean that a trial service isn’t available.

Q     Does UKCloud provide the managed devices for using the SRA service?

No. We don’t provide them, but we have partners who can provide the managed devices and other services if required.

Q     What is the process for applying for a Secure Remote Access solution?

If you’re already a UKCloud customer you can find the information you need in the UKCloud Portal Knowledge Centre, including a detailed description of the assurance process and an application form.

New customers should contact the UKCloud sales team to discuss their requirements.

 

Q     What information must the application form include?

As a minimum the application form must include:

  • A business case explaining why a secure remote access solution is required
  • The technical architecture of the solution incorporating the UKCloud Secure Remote Access service
  • An assurance plan — your proposed approach to ensuring that risks are correctly identified, appropriate mitigation is implemented and residual risks are accepted so that both the customer and UKCloud SIROs can make an informed decision about the risks of the solution

 

Q     What is likely to be included in the assurance plan?

The assurance plan will include:

  • Validation of requirements by the customer (department SIRO)
  • Evidence from the customer that end-user devices are configured and managed in line with minimum requirements (for example scope of PSN compliance with IA requirements)
  • Evidence from the customer that users of the Secure Remote Access Service are vetted and security-cleared in line with minimum requirements (scope of PSN compliance with IA requirements)
  • Confirmation by the customer that an appropriate security incident management process applies to the solution
  • Confirmation by the customer that the service will be accessed from the UK only
  • Confirmation by the customer and each individual user of agreement to the UKCloud Acceptable Use Policy (AUP)
  • Identification of data flows between the Walled Garden and the customer’s solution (firewall access control list)

Q     What requirements are placed on the access devices?

The service is compatible with customer-managed end-user devices that meet the following conditions:

  • Mandatory use of Cisco AnyConnect VPN Client or an embedded IPsec client which is assured under the CESG CPA scheme against the IPsec VPN for remote working software client security characteristic
  • Mandatory user-to-device authentication ensuring only authorised users can access the end-user devices
  • Mandatory user-to-service authentication ensuring only authorised users can access the Secure Remote Access Service
  • Mandatory device-to-service authentication ensuring only authorised end-user devices can access the Secure Remote Access Service
  • Mandatory use of a platform which supports platform integrity and application sandboxing to reduce the risk of the end-user device being compromised
  • Mandatory use of application whitelisting to reduce risk of malicious code execution on the end-user device
  • Mandatory use of regularly updated anti-malware software to reduce the risk of malicious code execution on the end-user device
  • Mandatory use of enterprise-enforced security policies ensuring that end-users cannot override or reconfigure security-critical features
  • Mandatory use of external interface protection such as host-based firewalls to limit exposure of the end-user device to untrusted networks
  • Mandatory use of a device update policy to keep the end-user device regularly updated with security patches
  • Mandatory implementation of an incident response plan by the customer organisation to respond to security incidents such as loss of the end-user device
  • Configuration and management of end-user devices must be assured by the consuming organisation as being in line with CESG End User Device guidance and compliant with PSN IA conditions
  • Recommended use of a CPA-approved data-at-rest encryption solution
  • Recommended use of Secure Boot where available
  • Recommended use of an enterprise audit and monitoring service by the customer organisation to ensure security events are centrally logged and reviewed

Q     How long will the assurance process take?

Each business case and proposed solution will be assessed by the UKCloud team, and must be approved by the UKCloud SIRO.

We aim to carry out the assessment within five days of receiving the business case and proposed solution, but we can’t commit to timelines for approval.

Q     What is the “Assurance Wrap”?

Some customers may need help with gathering appropriate evidence, or effectively designing to use the Secure Remote Access service.

We offer an Assurance Wrap to guide customers towards an effective design that will help to maximise their chances of meeting compliance requirements.

The variable nature of the engagement means we charge for the Assurance Wrap on an SFIA rate card basis, according to the number of days’ support needed.

Q     What is the assurance process for approving a Secure Remote Access Solution?

Broadly, the assurance process is as follows:

  • Initial application
  • UKCloud design review (with a cloud architect)
  • Proposed evidence pack submission (by the customer)
  • Full evidence pack submission (by the customer)
  • UKCloud SIRO review and approval or rejection

Full details of each stage are available in the UKCloud Portal Knowledge Centre or from your account director.

Q     Does the UKCloud assurance process replace the assurance requirements of any networks a solution may be connected to?

No. The Secure Remote Access service is intended only for customers to remotely access the UKCloud Elevated OFFICIAL assured cloud platform.

If your solution needs to face an external controlled-access network, such as PSN or N3, you must complete the appropriate compliance for that network.

Q     What are the ongoing requirements?

When the Secure Remote Access service is in operation, the customer is responsible for ensuring continuing compliance with Security Operating procedures (SyOps) and other security obligations.

Q     Who makes the final decision to allow or deny the use of Secure Remote Access?

The UKCloud SIRO is ultimately responsible for deciding which solutions and configurations are allowed.

Q     If I plan to use Secure Remote Access and a Walled Garden, can I use a single Walled Garden for both?

It’s best to use two separate Walled Gardens within the Cross Domain Secure Zone, to ensure compliance requirements are met.

Solutions can be designed to use a single Walled Garden infrastructure, but are likely to require a more intensive review during the Assurance Wrap process.

Customers will still be billed for both services.

Q     Can I connect to multiple virtual data centres (vDC) from a single Walled Garden?

Yes. You only need to implement a single instance of Secure Remote Access, as a Bastion host can provide gateway services to more than one vDC. The Assurance Wrap process will outline the scope of connected services.

If you wish to add additional services to your Secure Remote Access service, you’ll need to review your existing compliance documentation via the Assurance Wrap.

Q     Can I use the UKCloud’s Secure Remote Access solution from outside the UK?

No, the nature of the UKCloud solution is that you must be using it from known endpoints inside the UK.

If you have international access requirements, please contact your account manager to discuss alternative options.

SUPPORT

Q     How do I raise a support ticket?

Our secure online Portal provides service management functionality. Alternatively, you can reach support by phone or email.

Q     What are your service maintenance windows?

UKCloud’s maintenance windows are as follows (times are UK local times):

Planned maintenance
Any pre-planned maintenance of any infrastructure relating to the services. We’ll provide you with at least 14 days’ advance notice of any planned maintenance. It will take place between 00:00 and 06:00 Monday to Sunday or between 08:00 and 12:00 on a Saturday or Sunday. No planned maintenance will take place on a Saturday unless agreed in advance by both parties.

Emergency Maintenance
Any emergency maintenance of any infrastructure relating to the services. Whenever possible, we’ll provide you with at least six hours’ advance notice of emergency maintenance; and carry it out between 00:00 and 06:00 Monday to Sunday or between 08:00 and 12:00 on a Saturday or Sunday, unless there’s an identified and demonstrable immediate risk to a customer’s environment.

BILLING & LEGAL

Q     How will I be billed?

Secure Remote Access has a minimum commitment period of three months and is billed on a monthly basis.

The billing model has two parts: a per-user fee, bought in packs to cover your user base; and a monthly rental fee for each Bastion host required to support your access requirements. A small Bastion host will be provided free of charge each month. If you decide to increase the size of this VM or provision additional VMS, you will still receive the value of the small VM free of charge per month and this will be deducted from the invoice if larger or additional VMs are used as Bastion hosts.

Q     How can I pay for the services?

Payment can be made by direct bank transfer (BACS/CHAPS).

Q     What are the termination fees?

The service is subject to a minimum term of three months. Termination within this initial term will incur an early exit charge.

SECURITY

Q     What data is suitable for the UKCloud assured cloud platform?

The platform is hosted in the UK and operated by Security Cleared staff. It has extensive independent validation (including CESG PGA) that it is fully aligned with CESG Cloud Security Principles, and is therefore ideal for all data classified at OFFICIAL (including OFFICIAL SENSITIVE) and legacy IL0–IL4 solutions.

Q     Is there a protective monitoring service?

Protective monitoring is included for our IaaS platform and follows GPG13.

Q     Why does use of CPA-approved solutions to access the UKCloud Elevated OFFICIAL environment via the internet require approval by the UKCloud SIRO?

UKCloud offers two ways to connect to the UKCloud Elevated OFFFICIAL cloud platform via a CPA-approved solution:

  • By using the UKCloud-managed Secure Remote Access service
  • By hosting self-managed CPA-approved VPN solutions (see below)

CPA-approved VPN solutions have undergone a less rigorous CESG assurance process than CAPS-approved solutions. CESG recognises that there is therefore greater risk associated with the robustness of CPA-approved solutions.

As some PSN-accredited solutions (such as the UKCloud solution) host multiple customers, UKCloud has a responsibility to ensure that these less assured solutions are used appropriately. Therefore, customers must have a compelling business case to justify why the use of CPA-approved solutions is necessary. This business case is reviewed by the UKCloud SIRO (and periodically inspected by the PSN Accreditor) who will approve its use if appropriate.

For clarity, CPA-approved VPN solutions may always be used to provide an encryption overlay on a CAS(T) compliant circuit. It’s only the use of CPA-approved solutions over non-CAS(T)-compliant circuits (eg the internet) which require approval by the UKCloud SIRO.

Q     Can I use UKCloud Secure Remote Access to connect to the UKCloud Elevated OFFICIAL cloud platform?

Yes, subject to compliance with information assurance requirements. Our Secure Remote Access service is designed to enable customers to connect via the internet to their services hosted on the UKCloud Elevated OFFICIAL cloud platform, by using a CPA-approved VPN solution and other CESG guidance such as Walled Gardens.

All traffic between the end-user device and the UKCloud Elevated OFFICIAL cloud platform must be routed through a Walled Garden hosted within the UKCloud Cross Domain Security Zone.

UKCloud is required to validate your ability to comply with information assurance requirements, which is why use of this service is subject to approval by the UKCloud SIRO.

Refer to the UKCloud Secure Remote Access service description on the Digital Marketplace for more information.

Q     Can I use UKCloud Secure Remote Access to connect to other PSN services?

No. The UKCloud Secure Remote Access service is designed to facilitate connectivity to services hosted on the UKCloud Assured cloud platform only.

Consider PSN-compliant remote access services if you require access to the broader PSN.