G-Cloud service definitions Identity as a Service (IDaaS) G-Cloud 8 August 2016


The information contained in this document is proprietary. Copyright © 2016 Capgemini. All rights reserved.

TABLE OF CONTENTS

Service Overview
Service Features
Service Architecture
Service Management
Service Constraints
Service Levels
Sub-contractors
Training
Ordering and Invoicing
Termination Terms
Customer Responsibilities
Service Environments
Pricing
Further Information


Service Overview

Identity and Access Management (IAM) comprises the set of policies, processes and an underlying infrastructure that supports the creation, maintenance and exploitation of digital identities and related information. Effective IAM is required to enable secure and efficient connections for users to applications, both internal and external to an enterprise. Although IAM as a co-ordinated discipline has existed for well over a decade, the importance of IAM is continuing to increase to support the new digital environment in which we operate; for example to enable the increased use of cloud services, the increased interactions with third parties, new and more flexible end points (e.g. BYOD) and to meet increased security and compliance requirements.

Built on established IAM technologies, Capgemini offers a private cloud hosted Identity as a Service (IDaaS) solution. Through IDaaS, Capgemini can help organisations meet their Enterprise IAM requirements (i.e. for their own internal staff and third parties) and also their Customer IAM, for example using federated IAM methods to enable customers and citizens to interact with organisations in easier and more secure ways. The IDaaS service can cover a number of aspects of IAM, in particular:

IAM Area | Description
Identity Storage | The centralised set of directories and repositories that hold and distribute identity data
Access Management | Authentication and Authorisation of users, including SSO, eSSO, Federation and Adaptive Access Management
Identity Lifecycle Management | All aspects of user registration and the provisioning and management of credentials and entitlements
Fraud Reduction | Using IAM to help reduce internal and external fraud
IAM-enabled Cloud | Enabling organisations to securely enable access to cloud services through effective IAM
IAM-enabled Mobility | Enabling organisations to securely enable mobile devices and working through effective IAM (e.g. BYOD)
Consumer Identity | Enabling organisations to exploit the latest innovations in consumer identity for new Digital opportunities (e.g. through Social identity integration)


Figure 1: Capgemini IDaaS Service

This diagram is for illustration only and does not represent any obligation or responsibility of Capgemini.

Service Features

The service comprises the following aspects:

A modular and fully featured IAM stack offering Identity and Access Administration and Risk-based context-sensitive Access Management functionalities, including consumer-scale hosted directory;

Pre-defined Enterprise IAM use cases and Consumer IAM use cases, including Social Login;

Deployable Identity Bridge or standards-based Identity Federation for SSO;

Hosting options available;

24x7 Managed Operations and Provisioning fulfilment;

Pre-defined processes and integrations of a wide range of SaaS, using latest standards (e.g. SAML 2.0, OAuth 2.0, OpenID Connect);

Risk-based Two Factor Authentication where required;

[Figure 1 diagram labels: Customer Applications, Directories; Capgemini Integrated Services; Identity Administration (front end UI); Risk-Based Authentication; Adaptive Authorisation; Identity Provisioning (Back-end Connectors); IDaaS Service Management; Identity Store Directory; Administrators; Consumers; Users, Business Partners; SaaS Apps; Capgemini Operations Service Management]


Client Delegated Administrator and Analyst functionality, including policy and process configuration, operational service dashboard and service analysis tools, active service reporting and policy/text-based alerting of access incidents.

Service Architecture

The service is built using leading open source IAM components hosted in a private cloud. The table below summarises the functional capabilities provided by individual components.

Component | Key Functional Capabilities

Access Management | User Authentication – Supports policy and risk driven access; Federation and single sign-on based on Single Sign-on standards like SAML 1.1, SAML 2.0, OAuth 2.0, WS-Fed, OpenID Connect; Social sign-on based on social identities like Facebook and Google

Identity Administration | Identity Lifecycle Management – Business processes and role based user provisioning and deprovisioning; Identity Self Service – Supports user registration, password management and self service; Identity data synchronization – Supports synchronization of identity data between various data stores, providing scheduler based synchronization and implicit synchronization through many out of the box connectors, with option of scripting custom connectors for specific requirements

Directory | Directory Store – To store identity data of users, devices and things; Session Data Store – Supports high availability by providing storage for user session related data


Hosting: The standard IDaaS service is hosted on infrastructure provided by Capgemini IaaS partner at UK and EU datacenters. Capgemini Automated Deployment Accelerator encompasses many technologies that allow rapid, reliable and consistent deployment of all IDaaS environments for a customer from test through to production.

Availability: The solution is designed to achieve the 99.9% uptime target. In particular, this is achieved by use of a highly resilient architecture that is appropriately load balanced with failover mechanisms, as well as a comprehensive patching and upgrade strategy and functionality. Appropriate Service Monitoring is also preconfigured to identify potential system issues ahead of service impact. If additional assurance is required, a second hosting DR site can be provided at additional cost.

Security: The IDaaS service is built on ‘Secure by design’ principles and is ISO27001 certified. Any data transmitted outside of the system is secured using encryption. The internal communication within the solution will be unencrypted. Any Federation (SAML) authentication will have an assertion signed and encrypted to protect data. Information stored in the IDaaS service is encrypted by a private key (unique for each customer). The platform is built in a single-tenant architecture to avoid any cross-over access from other customer environments (in case of security breaches at another customer’s location). The IDaaS service stores user identities in a user repository. Access control is in place to protect sensitive data stored in the directory server. All highly sensitive data is encrypted to add an additional layer of security. Configuration data is stored in configuration repositories. Access control is in place to protect important configuration data. Any sensitive data (credentials for service accounts for instance) is encrypted for all configurations that need to be accessed.

The IDaaS service is suitable for disclosing information of Government Security Classification level: OFFICIAL.

Note: Secure internal connection can be enabled at additional cost.

All passwords are either encrypted or hashed.

The service supports Contextual Authentication. Scripts can be used to assess risk, utilizing stronger authentication mechanisms only when necessary. This simplifies the end user experience whilst enforcing appropriate levels of security.

Capgemini IDaaS has the facility for different levels of granularity in its authorisation decisions. Coarse-grained authorisation is typically satisfied by URL-based permissions that are enforced by a Policy Agent. Medium and fine-grained policies are enforced by the Entitlements capability, which allows the definition of any arbitrary rules-based policy. The application is then responsible for enforcing the policy by querying the Capgemini IDaaS API to determine if the requested action is permitted for the subject given the environmental conditions.
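The contextual authentication and layered authorisation described above, sketched as an added example (not Capgemini's code and not the IDaaS API): a risk score selects the required authentication level, a URL rule provides the coarse-grained check, and an attribute rule provides the fine-grained check. All signal names, weights, thresholds, paths and rules are hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical throughout: signals, weights, thresholds, URL patterns and rules
# are constructed for illustration and are not taken from the IDaaS service.

@dataclass(frozen=True)
class LoginContext:
    known_device: bool
    country: str
    failed_logins: int

def risk_score(ctx, home_country="GB"):
    """Add up simple risk signals for one login attempt (0 = lowest risk)."""
    score = 0 if ctx.known_device else 40
    score += 0 if ctx.country == home_country else 30
    score += min(ctx.failed_logins, 3) * 10  # capped: lockout handles floods
    return score

def required_auth_level(score):
    """1 = password only, 2 = password plus second factor, None = refuse."""
    if score >= 90:
        return None
    return 2 if score >= 40 else 1

# Coarse-grained layer: URL pattern -> roles, first match wins.
URL_POLICY = [
    ("/admin/*", {"admin"}),
    ("/payments/*", {"admin", "approver", "clerk"}),
]

def url_permitted(path, roles):
    for pattern, allowed in URL_POLICY:
        if fnmatchcase(path, pattern):
            return bool(set(roles) & allowed)
    return False  # default deny for paths no rule covers

# Fine-grained layer: rules over subject and resource attributes.
ACTION_MIN_LEVEL = {"view_payment": 1, "approve_payment": 2}

def action_permitted(subject, action, resource):
    if action == "view_payment":
        return resource["unit"] == subject["unit"]
    if action == "approve_payment":
        return ("approver" in subject["roles"]
                and resource["amount"] <= subject["approval_limit"]
                and resource["created_by"] != subject["id"])  # separation of duties
    return False  # unknown actions are denied

def decide(ctx, achieved_level, subject, path, action, resource):
    """Return 'permit', 'step-up' (stronger authentication needed) or 'deny'."""
    risk_level = required_auth_level(risk_score(ctx))
    if risk_level is None:
        return "deny"
    if not url_permitted(path, subject["roles"]):
        return "deny"
    if not action_permitted(subject, action, resource):
        return "deny"
    needed = max(risk_level, ACTION_MIN_LEVEL[action])
    return "permit" if achieved_level >= needed else "step-up"
```

A low-risk login on a known device stays at password-only for viewing, while approving a payment or logging in from an unknown device returns `step-up` until a second factor has been presented.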

Data backup and Restore: The standard IDaaS service supports nightly backups, which means the restored data might be up to 24 hours old. Specific backup strategies can be discussed during client workshops to align them to customer requirements.


Onboarding & Offboarding of Services: Capgemini recognises that requirements to Onboard and Offboard services can vary from Customer to Customer. With this in mind, Capgemini will work closely with a Client to define Onboarding and Offboarding activities as part of finalising a Call Off Agreement. Any exit assistance we provide, such as assisting with the handover of our provision of the Services back to Client or another supplier Client may appoint, shall (unless otherwise agreed) be performed, and fees paid, applying the applicable Fee Rates as set out in the “Service management” column of Capgemini SFIA rates table.

Service Management

Capgemini delivers IDaaS as a managed service with a target of 99.9% uptime. While the use of load balancers allows individual nodes to be updated one at a time, any unavoidable planned downtime is notified to the customers in advance. The service has built-in reporting, monitoring and alert mechanisms/features. Disaster Recovery and Service Continuity activities (including the development of a Disaster Recovery Plan or Service Continuity Plan) are available to Client upon request in the Order Form and may be subject to additional Charges in accordance with the SFIA rate card.

If the Availability of the Service for a given month is less than the applicable Availability Commitment, Client will receive Service Credits.

Onboarding of the Capgemini IDaaS service is undertaken at a standard cost, with Capgemini Professional Services available for further configuration and integrations at additional cost. Minimum service period is for two years; no off-boarding charges apply following the end of the agreed service period.

Service Constraints

The core service is managed by Capgemini and Capgemini partners as a fully managed service. Non-core integration with applications is done on a per-application basis through a professional services engagement that will be costed using the standard SFIA rate card.

Service Levels

Capgemini IDaaS is supported through a multi-layer incident support system. The Client’s own service desk is expected to provide the level 1 support. Level 2 and 3 support will be provided by Capgemini. Any incidents will be assigned a severity level based on:

Number of users affected;


Outage duration;

Impact;

Business sensitivity.

The table below describes the incident response and service restoration times.

Priority | Response | Restoration
P1 | 30 Min | 4 hours
P2 | 60 Min | 8 hours
P3 | 8 Business Hours | 3 days
P4 (Service Requests) | 1 Business Day | 5 days

All service requests will be raised as a P4 incident and will be assigned to the IDaaS resolver groups accordingly by service desk team. These SLAs are subject to dependency on Client and its vendors in case any help or assistance is required from them while restoring the reported incident.

The Incident Management will be supported on all business days from 8 AM to 5 PM British Standard Time (BST) excluding UK public holidays. However, for P1 or critical P2 requests, on-call support during off business hours will be provided.

The following table shows the service window criteria.

Priority | Support Days | Timings (BST)
P1 | On Seat Support | 08:00 to 17:00 BST
P1 | On Call Support | All off business hours and Holidays
P2* | Monday to Friday | 13:30 to 22:30 BST
P3* | Monday to Friday | 13:30 to 22:30 BST
P4* | Monday to Friday | 13:30 to 22:30 BST


Sub-contractors

The following sub-contractors are leveraged for providing the Capgemini IDaaS service to customers:

iWelcome BV.

Third party relationships will be managed by Capgemini, providing the agreed levels of service management reporting and governance to the customer.

Training

The standard service includes 10 days knowledge transfer around the Capgemini IDaaS solution during the implementation project phase. Exact training requirements can be determined during the workshop and design phase.

Ordering and Invoicing

The Capgemini IDaaS sales team will brief the customer on the ordering process after initial discussions have been held and the customer wishes to proceed. The invoicing will be done on a monthly basis.

Termination Terms

In the event of early termination, Capgemini will recover any outstanding costs. For example, if the customer terminates at month 12 in a 36 month Contract then an exit charge will be applicable.

Customer Responsibilities

For IDaaS deployment projects (undertaken as part of Capgemini Service enablement), the following customer responsibilities will apply:

The customer will provide a project manager to act as a single point of contact and an escalation route for the full duration of the project;

The customer will make available appropriate subject matter experts (business and technical) to the project as appropriate to support the project plan;

The customer will be responsible for providing detailed requirements by the mutually agreed date;


The customer will progress the introduction of the service through any internal service introduction/gating process, Enterprise Architecture processes and any other standard processes that are necessary;

All internal and external user communications will be managed by the customer;

The customer will make any network changes to their networks as required for the project;

Any changes to existing application environments required for IDaaS will be the customer’s responsibility;

The customer will also provide any required application test environments and data reflective of production that the IDaaS service can integrate with.

Service Environments

IAM Fastrack Insight is a unique offering from Capgemini that rapidly establishes an IAM strategy and roadmap, and is particularly focused on enabling quick wins against common IAM requirements within enterprises. It also can provide an opportunity to quickly trial the Capgemini IDaaS service in a POC environment.

Capgemini also offers an advanced pilot capability where standard IAM use cases like SAML 2 federation, Adaptive risk based authentication, self service user registration and Multi Factor authentication against multiple applications can be explored with customers.

The standard service provides for a test and a production environment. Additional environments can be made available and supported on specific customer request (for example development environments for exclusive use by the customer).

Pricing

Please see separate pricing information attached.

Further Information

In addition to managed IDaaS services, Capgemini can provide a range of cyber security services such as security management, security strategy and transformation, governance risk and compliance, architecture design & implementation, cyber analytics & protective monitoring, digital forensics, testing and the production of additional employee education & awareness campaign materials (i.e. campaign materials and marketing).

Capgemini has over 250 security professionals based in the UK whose expertise can be leveraged to provide our clients with cyber security services.


For more information about this or any of our G-Cloud services, please contact our Public Sector Team:

Phone: 0370 904 4858

Email: [email protected] including the following information:

1. The name of this service.

2. The name of your organisation.

3. Your name and contact details.

4. A brief description of your business situation.

5. Your preferred timescales for starting the work.


About Capgemini

With more than 180,000 people in over 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2015 global revenues of EUR 11.9 billion. Together with its clients, Capgemini creates and delivers business, technology and digital solutions that fit their needs, enabling them to achieve innovation and competitiveness. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.

Learn more about us at www.uk.capgemini.com.

Rightshore® is a trademark belonging to Capgemini.

More information about our services, offices and research is available at www.uk.capgemini.com

The information contained in this presentation is proprietary and confidential. Rightshore® is a trademark belonging to Capgemini. © 2016 Capgemini. All rights reserved.