Cloud Provider puts Government-class security at the heart of its commercial SPI model
tolomy, the secure cloud provider, today announced the launch of a suite of secure cloud services making government-level accredited cloud available to all. tolomy offers the highest levels of information assurance with support for CESG accredited Business Impact Levels 1, 2 and 3 across its Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) (the SPI model). Services are available on a managed, collaborative or unmanaged basis to confer maximum agility and flexibility, and all benefit from integral security controls delivered by tolomy, an accredited cloud provider operating out of government certified UK-based data centres.
Demand for an SME offering that combines information security best practice with stringent industry standards has never been greater. Research suggests up to 67 percent cite security concerns as a major barrier to cloud adoption[i], while those in the cloud cite compliance as their number one concern[ii]. Recognising the burgeoning need for solutions that place assurance at the heart of cloud services, tolomy decided to take the SPI cloud model and integrate security throughout the delivery process. The result is a flexible, scalable suite of services designed and delivered by security-proficient technical personnel that include CESG-listed advisors and security solution architects, providing added assurance.
tolomy is founded upon strong security principles, underpinned and independently verified by a comprehensive set of globally accepted certifications and accreditations. The cloud provider is ISO9001, ISO20000, ISO27001, PSN, and Cyber Essentials Scheme compliant, and is undergoing both the Cyber Essentials Basic and Cyber Essentials Plus certification. The Cyber Essentials Scheme was introduced in 2014 to reduce cyber risk and help safeguard the country’s growing digital economy. Assessment is focused on the configuration and management of ICT systems and end-user devices, and assesses resilience using various cyber-attack scenarios.
Security provisioning is integrated into each service as follows:
- IaaS – delivers compute, storage and network connectivity from data centres aligned to IL 0-3, including SOC and NOC capabilities. Service Level Agreements (SLAs) are available for 99.9% and 99.95% with Disaster Recovery.
- PaaS – offers complex platform services including Windows/Linux as a service with standard or enhanced management and SQL and MySQL database management, ensuring backups and patching are performed and break fix functions are managed.
- SaaS – ensures business critical applications such as Office based software are deployed securely by managing the end-to-end software life cycle from conception through to decommissioning and off-boarding.
- Protective Monitoring as a Service (PMaaS) – oversees security of IT systems across the enterprise. Includes inspection of firewall logs, investigation of O/S security alerts and monitoring Intrusion Detection Systems (IDS). Activates mechanisms for collecting and configuring ICT log information to provide comprehensive security audit trails.
- Email as a service (EaaS) – securely delivers business critical email resource using IL2 and 3. Web based email access is provided via PKI and TLS/SSL, with two factor authentication, complex password enforcement and secure archiving offered in accordance with DPA and corporate policy.
- Collaboration as a Service (CaaS) – enables organisations to make use of secure, PSN and internet facing resource portals via Microsoft Sharepoint using accredited sharing platforms for sensitive data classed IL2 and 3.
- Storage and Backup – provides managed storage capacity to increase data availability and protect critical information from accidental loss or destruction.
- Disaster Recovery – use of risk assessment, onsite assessment, and identification of risks and threats to formalise a DR plan to reduce downtime and minimise damage to the organisation.
Connectivity options range from local and cross-site (for Active/Active DC) load balancer capabilities, which improve availability and performance, to site-to-site IPsec VPN tunnels, which create virtual private tunnels for accessing cloud services. Standard Internet is used for IL0 and IL2 capabilities, while PSN connectivity is delivered according to Code of Connection (CoCo) regulations.
“Security can make or break the Cloud. It’s the biggest obstacle, with many expressing reservations over how to safely migrate, access, and ensure the integrity of data. I’ve even heard some compare it to emptying their data out on to the street. And with some justification, as many Cloud Service Providers see security as an add-on at best,” said Louise T. Dunne, Managing Director. “At tolomy, data protection is in our DNA. We work closely with sister organisation, Auriga Consulting, enabling us to benefit from access to highly qualified IA and IS consultants. Our industry knowledge, compliance with security standards and imminent PSN accreditation mean we’re at the cutting edge of the consummate cloud, offering highly secure government-class cloud services as standard.”