The Squiz Cloud


Nov 20, 2013 (3 years and 8 months ago)



Squiz UK Ltd.
A Zetland House, 109-123 Clifton Street, London, EC2A 4LD
P +44 (0) 207 101 8300
F +44 (0) 870 112 3394
W www.squiz.co.uk

UNITED KINGDOM  AUSTRALIA  NEW ZEALAND  EUROPE  UNITED STATES
LONDON  EDINBURGH


G-Cloud Tender

Supplementary Information

Version 1.0




th

December 2011




Commercial in confidence

>


2

of
26


Contents Page

Introduction
Responses to requirements in the Glossary
12.1 Service Definition
  Requirements
  Response
12.2 Data extraction/removal
  Requirements
  Response
12.3 Data storage and processing locations
  Requirements
  Response
12.4 Deployment Models
  Requirements
  Response
12.5 Service Models
  Requirements
  Response
12.6 Burst versus elastic resources
  Requirements
  Response
12.7 Guaranteed and non guaranteed resources
  Requirements
  Response
12.8 Persistence of storage
  Requirements
  Response
12.9 Service provisioning
  Requirements
  Response
12.10 Utilisation monitoring/reporting
  Requirements
  Response
12.11 Data centre(s)
  Requirements
  Response
12.12 Network
  Requirements
  Response
12.13 Use by other suppliers
  Requirements
  Response
12.14 Standard Configurations
  Requirements
  Response
12.15 Service Roadmaps
  Requirements
  Response
12.16 PaaS Types
  Requirements
  Response






Introduction

As part of the G-Cloud tender, Squiz identified some additional requirements in section 12 of the ITT document. This document is provided to cover off these requirements.






Responses to requirements in the Glossary

12.1 Service Definition

Requirements

This is the minimum set of information that is expected in a service definition (suppliers may choose not to provide these aspects of a service, but do need to be clear in their service definition that they don’t).

- An overview of the G-Cloud Service (functional, non functional)
- Information assurance - Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information
- Details of the level of backup/restore and disaster recovery that will be provided
- On-boarding and Off-boarding processes/scope etc.
- Pricing (including unit prices, volume discounts (if any), data extraction etc.)
- Service management details
- Service constraints (e.g. maintenance windows, level of customisation permitted, schedule for deprecation of functionality/features etc.)
- Service Levels (e.g. performance, availability, support hours, severity definitions etc.)
- Financial recompense model for not meeting service levels
- Training
- Ordering and invoicing process
- Termination terms
  o By consumers (i.e. consumption)
  o By the Supplier (removal of the G-Cloud Service)
- Data restoration / service migration
- Consumer responsibilities
- Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements, bandwidth/latency requirements etc.)
- Details of any trial service available.

Response

12.1.1 Overview of Cloud Services

The Squiz Cloud

The Squiz Cloud is a fully managed cloud-hosting environment - run by Squiz, for Squiz products and solutions. It delivers a scalable, robust and secure online infrastructure allowing you to realise the full value of the Squiz Suite. By leveraging Cloud technologies, we can help you reallocate your budget to develop and implement richer, more engaging online solutions for your prospects, customers and staff.

All Squiz Cloud Packages include:



- Automated Healing & High Availability - The Squiz Cloud is specifically designed to provide full system redundancy with automated healing of all storage, computer and network services without human interaction. In the event of a hardware failure on any part of the Squiz Cloud, an automated process rebuilds the infrastructure redundancy in a matter of minutes, which readies the system for handling any future hardware failure.
- Scaling and Easy Upgrades - Because your applications will be running in a managed virtual pool of resources, you have the ability to upgrade your services to handle higher peaks and demand without having to purchase or lease expensive hardware. Adding a new virtual instance (Squiz CMS/Search/Analytics) to your existing pool of resources is also quick and easy.
- 99.9% Uptime Guarantee - Squiz provides 99.9% uptime guarantees for all Squiz Cloud services as required for any enterprise or mission-critical online presence. Squiz also has a range of Service Level Agreement offerings in place for additional peace of mind, like guaranteed response times and 24/7/365 service desk support with our highly qualified IT and web support team.
- 24x7x365 Health Monitoring - The Squiz Support team monitors all client services around the clock. This includes not only all cloud hardware, but also the client services like Database, Web & Network services that are crucial to ensuring your online applications are running 24 hours a day, 7 days a week and 365 days a year.
- Managed Backup Services - Squiz Cloud Hosting includes a managed backup service that incrementally copies customer data nightly (24x7) to an external backup service. We store copies of all data for 3 months. The length of data storage can be extended to up to 7 years through our Service Level Agreements.
- Carrier-Grade Network & Transit - Squiz owns and operates a carrier-grade network independent of any one particular bandwidth provider, allowing us to continue to provide service even in the event of an upstream outage or failure. We guarantee services will be available via multiple paths with at least one Tier 1 provider upstream at all times.

The Squiz Cloud service is covered by a Cloud Hosting agreement, which covers the terms and conditions under which the solutions are being hosted. For information, see also: ‘Squiz Suite SaaS Subscription Agreement (sample)’.

Squiz’s cloud is hosted in The Bunker (http://www.thebunker.net/) and managed through 3Tera Applogic virtualisation technology (http://www.3tera.com/AppLogic/).

The Squiz Suite

The Squiz Suite is a supported open source web experience management suite, which incorporates a revolutionary content management system, innovative analytics capabilities, highly effective search and a robust platform for integrating applications and data. These elements work together seamlessly to create a usable, yet powerful platform for the creation, management and optimisation of compelling online experiences.

Squiz CMS is a highly usable interface for creating, publishing and maintaining websites. It features true inline editing, context sensitive help, powerful collaboration features and contextual functionality for the creation of multi-lingual and device specific websites.

Squiz Analytics offers innovative and powerful tools to help optimise site content. It can be used to monitor site traffic, to set up and track goals and for multivariate testing. Squiz Analytics utilises Google Analytics data, allowing you to leverage the functionality you already value.

Squiz Matrix is the latest release of the popular MySource Matrix enterprise-level web content management system. It delivers highly flexible and robust business integration and application development tools and is trusted by hundreds of organisations around the world. This solution can underpin the other solutions to create powerful additional functionality, like integration with other data repositories, social media or custom applications, like CRM, ERP, CCMS, etc. through its web services functionality.

More information about the Squiz Suite solutions can also be found in the enclosed ‘Squiz Solutions - Squiz Suite’ document. Below, a list of functionality is provided for the individual solutions.

Squiz CMS

The Squiz CMS is a Web Content Management solution, specifically designed for its ease of use. As part of the Squiz Suite, it can be connected to Squiz Analytics for Website Analytics and Multi Variate Testing (MVT) capabilities, and to Squiz Matrix for enhanced functionality and integration capabilities.

Some key functionality of the Squiz CMS is:

- Inline What-You-See-Is-What-You-Get (WYSIWYG) editing capabilities
- Fully configurable templating capabilities, based on open standards, like JavaScript, CSS and (X)HTML
- Contextual Help capabilities to reduce training requirements
- Fully browser based
- Track Change capability
- WCAG/WAI Accessibility Checking and Validation, and automatic cleansing of content, copied from Microsoft Office solutions
- Context capability for context aware site delivery, e.g. based on device, location, accessibility needs (high contrast, text-only, etc)
- Reuse capabilities through linking, nesting and snippets
- Aliasing capabilities to enable the creation of novelty, marketing or other type of shorter URLs
- No restrictions on sites, templates, users or any other restrictions
- Multilingual capabilities
- Connectors to LDAP/Active Directory, Squiz Matrix for additional capabilities and Public Folders
- Full metadata, including dropdowns, checkbox, textfield and radio button capabilities, where rules can be applied as needed.
- Group-based workflow and permission capabilities to enable the creation of intranet, extranet and internet websites
- Upload and management of web, binary (images, video, documents) and other content without restrictions
- Analytics functionality through Google Analytics tracking and Squiz Analytics connectivity
- Automatic Update capabilities
- Can be used as part of the Squiz Suite or as a standalone solution
- Integrated Search capabilities and connectors for our external search solutions

Squiz Analytics

Squiz Analytics is an Analytics reporting solution, which leverages the Google Analytics data to provide enhanced reporting and recommendation capabilities. Some of the key features are:

- Enhanced reporting capabilities, like organisational visitors, mobile browser/devices, etc
- Recommendation Engine to improve conversion rates
- Goal setting, tracking and goal reporting capabilities
- Multivariate testing capabilities via connectivity with the Squiz CMS
- Aggregation of multiple Google Analytics accounts and projects in a single interface
- Granular security capabilities to control which users or user groups can view reports or assign goals
- Contextual help to reduce training overhead
- Automatic Update capabilities
- Can be used as part of the Squiz Suite or as a standalone solution

Squiz Matrix

Squiz Matrix is an Enterprise-class Business Integration Engine, which can be used in combination with the other Squiz Suite solutions or as a standalone solution.

Some of the key features are:

- Fully configurable templating capabilities, based on open standards, like JavaScript, CSS and (X)HTML
- Fully documented on http://manuals.metrix.squizsuite.net to reduce training requirements
- Fully browser based
- Content Differencing capability
- WCAG/WAI Accessibility Checking and Validation, and cleansing capability of content, copied from Microsoft Office solutions
- Context capability for context aware site delivery, e.g. based on device, location, accessibility needs (high contrast, text-only, etc)
- Reuse capabilities through linking, nesting and snippets
- Aliasing capabilities to enable the creation of novelty, marketing or other type of shorter URLs
- No restrictions on sites, templates, users or any other restrictions
- Multilingual capabilities
- Connectors to LDAP/Active Directory, Public Folders, MS Sharepoint and HP TRIM. The solution also has a CMIS bridge to enable connectivity with other CMIS compliant solutions
- Full metadata, including dropdowns, checkbox, textfield and radio button capabilities, where rules can be applied as needed.
- Group-based workflow with email and escalation capabilities
- Permission capabilities to enable the creation of intranet, extranet and internet websites
- Upload and management of web, binary (images, video, documents) and other content without restrictions
- Full webservices API, enabling integration via REST, SOAP and JavaScript (incl. JSON and AJAX)
- Database, XML, RSS, CSV and other connectors to enable aggregation of external content
- Integrated Bulkmail capability to enable sending of email notifications
- Calendar capabilities, including recurring events and consumption of iCal feeds
- E-Commerce payment gateways (PayPal, eSec, SagePay, DataCash, etc) and shopping cart capability for shopping and donation areas on sites
- Integrated Search capabilities and connectors for our external search solutions
- Google Maps, Forum, Blogging and other web2.0 capabilities, like Polls, Quizzes and Forms
- Thesaurus functionality to enable controlled vocabulary, tag clouds, related links, etc.
- News feed capabilities and RSS delivery mechanisms
- Automatic sitemap, A-Z, menus, breadcrumbs and other Information Architecture functionality
- Configurable reporting capability of the state of content within the solution
- Trigger capability for automating a wide variety of tasks, like image resizing, period based status changes, social media updates, and many more...

12.1.2 Information Assurance

Squiz Cloud based services are capable of delivering services up to IL2. Squiz is in the process of getting the system certified to IL3.

The Cloud environment holds ISO27001 accreditation and Squiz has documented Risk Management policies and procedures available to ensure staff, delivery and ongoing contracts provide the highest levels of confidentiality, integrity and availability. Because of our large governmental client base globally, Squiz systems are subject to regular, independent penetration and security testing ensuring our systems always meet the highest levels of protection against different threat sources and vulnerability.

12.1.3 Backup & Disaster Recovery

All Squiz Cloud Services Hosting include a managed backup service that incrementally copies customer data to an external backup service. Backups are taken nightly (24x7) and copies of all data are securely stored for 3 months. The frequency and length of data storage can be extended to up to 7 years by extending the Service Level Agreement provided with the Cloud offering.

The Squiz Cloud is specifically designed to provide full system redundancy with automated healing of all storage, computer and network services without human interaction. In the event of a hardware failure on any part of the Squiz Cloud, an automated process rebuilds the infrastructure redundancy in a matter of minutes, which readies the system for handling any future hardware failure.

The Squiz Cloud is physically stored across two UK data centres, both former nuclear bunkers (in Kent and Berkshire). Both data centres are protected by integrated processes for physical, digital and human security, with DR capabilities meaning loss of any one physical location will not disrupt Service provision.

12.1.4 On-boarding/Off-boarding processes

Onboarding

Squiz provides a Private Cloud service for its Squiz Suite solutions, and the hosting agreement for this is enclosed with this document as ‘Squiz Suite SaaS Subscription Agreement (sample)’. As part of the agreement, Squiz can host and manage the Operating System, the Database, the Solution and the supporting software installed within the Cloud Image.

Our team support our clients providing services throughout the lifecycle of their project, described by the three key areas of Analysis, Implementation, and Ongoing Support and Hosting. Squiz will project manage the project according to the Project LifeCycle (PLC) methodology as outlined in the enclosed ‘Squiz Solutions - Squiz Suite’ documentation.

Analysis

Squiz can help you in the analysis phase of your project, from determining your business requirements, to information architecture design, user analysis and usability testing.

The key output of the Analysis Phase is a Functional Specification, which defines the functionality of your site. The Functional Specification is required before we start planning for the website implementation, since this document defines your website in terms of layout and functionality.

A Functional Specification should define each page that you require Squiz to build, in addition to each functional component of a page to be built. A functional component is any part of a page that is not standard content, for example an embedded news headline listing or an embedded calendar. Example wireframes for pages and functional components can be found in the section describing our Analysis packages.

Having this level of detail makes it easy for Squiz to understand the type and number of items to be built, as well as those that need to be designed during Design Creative during the Implementation Phase. From a Functional Specification, Squiz can determine the appropriate Implementation Package for your needs, based on the number of functional components you require us to build. The number of functional components will also affect the duration of your project.

You may decide that you would like to undertake the Analysis Phase in-house or contract out to a third party. Squiz is happy to work with you in this way, and will analyse any provided input documents such as an Information Architecture or Functional Specification to ensure that they provide the right level of detail. If not, we are happy to provide analysis services to ensure that we have enough information to undertake the website implementation.

Implementation

During the Implementation Phase, Squiz takes the wireframes in your Functional Specification and builds your website.

Squiz specialises in providing the services necessary to implement your website in Squiz Matrix from start to finish, including build planning, project management, design creative, design implementation, functional implementation, content migration, documentation, platform build, QA testing, go live support and training.

As part of the Implementation process, Squiz will for instance work with you to define the number of cloud units for your specific requirements and allocate a number of Cloud Units from the resource pool.

Squiz have created a suite of Implementation Packages including differing levels of these implementation services, based on the typical requirements of different sized projects. Depending on the requirements outlined in your Functional Specification, you may need to extend a package with additional levels of certain services.

Ongoing Support and Hosting

Once your site is live, you may wish Squiz to provide ongoing support services such as software upgrades, 24x7 emergency support, a single point of contact and priority help desk access with response time and uptime guarantee, and Cloud Hosting.

Squiz can provide these services under a Service Level Agreement (SLA) or Software as a Service Agreement, which is a formal agreement between you and Squiz, chosen to meet your particular requirements for the support and/or Hosting of your Squiz system.

Offboarding

If the client wishes to host the solution elsewhere, Squiz can provide you with a copy of the solution, which can be installed elsewhere as needed.

The CMS solution has a range of functionalities available that can aid in the export of content from the solution:

- RSS Publishing - the solution fully supports the creation of RSS with the RSS Feed asset. This asset generates outbound RSS Feeds without the need for formatting, and takes care of sending the correct headers and suppressing the site design. The RSS Feed asset currently supports RSS 1.0 (RDF), RSS 2.0 and Atom 1.0.
- XML or CSV export of content, for example form submissions may be exported in XML or CSV format.
- To create a Custom asset - this involves building an asset to interface to a specific system that is proprietary to a particular client.
- To build an Asset Bridge - this involves building an asset to interface to a system that is not proprietary to a particular client.





12.1.5 Pricing

Squiz provides a quote on the basis of the requirements outlined by a client, which can either be a fixed price, or Time & Material Basis. The packages offered in the table below are based on standard configurations.

As part of a quotation, Squiz will define a Cloud Hosting Package, suitable for your requirements. This package provides a number of Cloud Units, as well as warranty and support.

You may have requirements to extend your Cloud capacity to cater for expected, and unexpected increases in traffic. Squiz Cloud enables you to flex your set-up for short bursts, ensuring you handle the increase in demand without committing to unnecessary Cloud Units for the entire year.

Each Cloud Unit is made up of the following:

1. 1 CPU
2. 2GB RAM
3. 20GB storage

The unit price for Cloud Burst Units is as follows:

- Pre purchased units are priced at £100 / mth / cloud unit
- Cloud units billed in arrears (because a system has used extra resources) are priced at £250 / mth / unit.

Services, like Data Extraction can be quoted as needed. Typically, this is quoted on a consultancy basis. Consultancy, outside the cover of the SLA or Hosting Agreement, is charged on a time and material basis at an hourly rate of £140/hr. However, we provide Support packs that will provide you with prepaid time at a reduced hourly rate. Support Packs not only save you money, they also protect you from future price increases by locking in discounted rates for up to two years (from invoice date).

The following Support Packs are available:

Pack                       Number of Hours    Price excl VAT
Silver Support Pack        7.5 hours          £1,000.00
Gold Support Pack          37.5 hours         £4,750.00
Platinum Support Pack      150 hours          £17,500.00
Diamond Support Pack       300 hours          £33,000.00
Enterprise Support Pack    600 hours          £60,000.00

Note that unused Support Pack hours expire two years from the invoice date, and onsite support attracts a 50% ‘time loading’ so time is used 1½ times faster.

Note that Support packs are on a time basis and can be repurposed by you as needed for Squiz services. Support packs do not expire for 2 years and left over time can be used where required (e.g. future integration, custom dev, etc).

12.1.6 Service Management Details

Squiz provides a comprehensive range of service management levels. These range from hosting only agreements right up to fully managed SaaS environments. Documents detailing these agreements are attached as follows.

Service Management details and level of support, etc. is dependent on the hosting agreement. A sample of the SaaS Hosting Agreement is provided as a separate document, ‘Squiz Suite SaaS Subscription Agreement (sample)’. This document also outlines the terms of the agreement.

Details relating to the support services provided as part of the Cloud Hosting Agreement can be found in the ‘Squiz Cloud and Service Options’ document enclosed.

12.1.7 Service Constraints

Squiz imposes remarkably few service constraints on its customers. This is due to the efficient deployment of client systems on the Squiz Cloud. The Customer or Squiz can customise each system without impacting the delivery of the other systems on the Cloud service. Full details of the services are described in the attached documents as follows.

Service Management details and level of support, etc. is dependent on the hosting agreement. A sample of the SaaS Hosting Agreement is provided as a separate document, ‘Squiz Suite SaaS Subscription Agreement (sample)’. This document also outlines the terms of the agreement.

Details relating to the support services provided as part of the Cloud Hosting Agreement can be found in the ‘Squiz Cloud and Service Options’ document enclosed.






12.1.8 Service Levels

There are several options depending on the client’s requirements so this has been uploaded as a separate document.

Information relating to Support Hours, Severity Definitions, Service Levels, is described in the attached document ‘Squiz Cloud and Service Options’.

12.1.9 Financial recompense model

Squiz operates a system of service credits as financial recompense. Squiz Cloud services come with a standard 99.9% uptime guarantee. If Squiz fails to meet this uptime, the Customer will be credited with 1 hour of Squiz time or £140. The number of service credits due increases in line with the downtime experienced.

A sample of the SaaS Hosting Agreement is provided as separate documents, ‘Squiz Suite SaaS Subscription Agreement (sample)’ and ‘Squiz Cloud and Service Options’, which includes recompense information.

12.1.10 Training

Training is one of a range of services offered by Squiz to help you improve your organisation’s skillsets during the full lifecycle of the solution in your organisation.

Squiz offers an extensive range of courses that will instruct your content editors, approvers and administrators on how to make the most from your implementation, whether you run an individual Squiz Matrix instance or a range of products in the Squiz Suite.

When planning for your training needs during the implementation phase or your web project, you will need to consider those people who will be involved in the website implementation project, in addition to the wider content author group.

Squiz recommends that your project team undertake the appropriate training courses during the Planning Phase of your Implementation Project, with the course requirement being determined according to their expected role during the Build Phase. During the Build Phase, Squiz recommends rolling out training to the wider content author group.

As part of Squiz Implementation Packages, Squiz undertakes a Training Needs Analysis during the Planning Phase of your project and develops an appropriate Training Plan. A Training Needs Analysis and Training Plan can be provided on a time and materials basis if required.

To ensure your employees use your solution most effectively, our training options are available independently to your web project. Our training offering is open to anyone that is using our solutions, whether you implemented your Squiz Solution with or without Squiz’s involvement. Squiz can discuss any training need you might have and tailor a training schedule for you accordingly.

Pack                      Number of Units    Price excl. VAT
Single Unit               1                  £500.00
Silver Training Pack      10                 £4,750.00
Gold Training Pack        30                 £13,500.00
Platinum Training Pack    50                 £20,000.00
Diamond Training Pack     100                £35,000.00

You can see a list of the training courses Squiz offers at the end of this document. Full details of all courses and the course schedule for the different training centres is available online at http://www.squiz.co.uk/services/training

The price of each training course is determined by the number of training units required. For example, MATR101 (Squiz Matrix Fundamentals) uses 2 training units per attendee. The Implementation Packages include an allocation of training units that can be distributed amongst your staff. Additional training units can be purchased on an as-needs basis per unit, or alternatively, you can purchase pre-paid packs of training units at a discounted price, see also the pricing below.

Each scheduled training course includes notes, workshops/exercises and an assessment component to test participant knowledge and comprehension. The assessment is a combination of practical activities and examination questions. Attendees who pass the assessment will be awarded a certificate in recognition of their new skills.

Note that unused Units expire after 2 years. The pricing indicated is for Training in the Squiz offices only. The training modules can be found in the Squiz UK website, http://www.squiz.co.uk/services/training. Note that if pricing between this document and the website differ, the pricing on the website should be used.

When training is to be provided outside the Squiz London offices: travel, subsistence and accommodation cost will be passed on to the client.

Please note that all of the courses have prerequisites that must be satisfied before attendance is permitted. This simply ensures that participants are not out of their depth, and that they have the best chance of understanding course content.

12.1.11 Ordering and Invoicing Process

Services are ordered via a Standard Work Order Agreement (attached as document ‘standard work order agreement text uk’). Squiz will also create bespoke contracts if required by the Customer or for services worth over £100,000. Service will commence upon the receipt of the signed work order or contract and an invoice will be issued. Payment terms are 30 days.

12.1.12 Termination Terms

Full termination details are provided in the attached documents as follows.

A sample of the SaaS Hosting Agreement is provided as separate documents ‘Squiz Suite SaaS Subscription Agreement (sample)’ and ‘Squiz Cloud and Service Options’, which includes termination term information.

12.1.13 Data Restoration / Service Migration

When hosted on the Squiz Cloud, Squiz provides a managed backup service that incrementally copies customer data nightly (24x7) to an external backup service. If data requires restoration, Squiz can restore the content from backup.

If the Customer would like to migrate the service, Squiz can provide the entire system as a virtual machine image or provide an export of all data in XML or CSV format.

12.1.14 Consumer Responsibilities

The Squiz Cloud provision is to provide a fully managed solution for the customer, maintaining all software and cloud elements on behalf of the customer. The customer would be responsible for providing a clear designated contact person at all times, and notifying Squiz of any changes to that person. In addition the customer will need to promptly provide information required for resolving any incident with the system, and the customer should operate the service in line with Squiz's best practice recommendations.

12.1.15 Technical Requirements

Infrastructure Setup

When the solution is hosted on the Squiz Cloud, Squiz will work with you to optimise the Infrastructure, based on your existing requirements. When hosted elsewhere, Squiz provides the Squiz Suite solutions as Virtual Images (VMWare) that can be installed on external hosting solutions. If required, Squiz can provide additional recommendation on architecture documentation if needed.

Client Side Usage

The CMS can be operated over a 56K modem connection, however, the faster the network the better the performance. If the website is accessed over a fast Ethernet network connection, the performance appears to be that of an application run locally (i.e. nearly instant screen refreshes).

Access to the administration and editing interface of the CMS is entirely browser based so is compatible with a wide range of client Standard Operating Environments such as MS Windows, Mac OSX, Linux and Solaris.

The browsers used for the administration and editing of Squiz Matrix must be Java enabled (JRE1.5+) and can be used on all YUI A-graded browsers (http://developer.yahoo.com/yui/articles/gbs/).

Squiz products include a browser-based WYSIWYG editor in the interfaces and allow authoring of content without any HTML or other technical knowledge. The solution has a similar look and feel to a Microsoft Office type application, which ensures the user will be quickly familiar with its use.

12.1.16 Details of any trial service available

Squiz offers trial systems to organisations which are seeking to evaluate the system offering. As part of the trial, Squiz will provide the customer evaluation team with a 1/2 day induction course to help them understand the basic use of the system, and will be available for any questions the evaluation team has. A standard trial system is available for up to two weeks, but this can be renewed if required for the evaluation team. The trial system is a fully functioning instance of the system the customer will purchase and the customer is free to use any functionality within the system.

12.2 Data extraction/removal

Requirements

Suppliers will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Suppliers will commit to providing details of this, clearly and unambiguously in the Service Definition for each service. This will include, but not be limited to:

- The data standards that will be in use (within the service).

- A commitment to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Where there is a risk of confusion, data that will not be available for later extraction will also be published.

- The formats/standards into which data will be able to be extracted and preferably a list of other common services/technologies to which an export/import mechanism is available.

- A price for the extraction of consumer generated data (or the migration to another service provider’s service).

- Confirmation that the Supplier will purge and destroy (as defined in security accreditation for different ILs) consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer).

Response

- The data standards that will be in use (within the service).

The entire contents of the system can be exported into XML or CSV files. Squiz will document the XML file so it can be easily uploaded into another system or stored for later use.

Squiz also has a bridge that utilises the Content Management Interoperability Standard (CMIS) to enable content to be moved into other compatible systems more easily.

All data is stored in documented database tables or XML as required.

- A commitment to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Where there is a risk of confusion, data that will not be available for later extraction will also be published.

All data stored by Squiz, including consumer-generated data, will be returned to the Customer. For avoidance of doubt, all data stored by Squiz can and will be exported should the Customer leave the service.

- The formats/standards into which data will be able to be extracted and preferably a list of other common services/technologies to which an export/import mechanism is available.

All data can be exported into XML or CSV files. Squiz has a large number of connectors available to other common services/technologies to import or export data, including, but not limited to:

  - Web Services APIs
  - Sharepoint
  - TRIM
  - Content Management Interoperability Standard (CMIS)
  - ODBC database connectors

- A price for the extraction of consumer generated data (or the migration to another service provider’s service).

The Customer is free to extract consumer generated data and migrate to another service provider at no cost. However, if the Customer would like to employ Squiz Services to extract or migrate the data, the Customer will need to buy the number of hours required.

- Confirmation that the Supplier will purge and destroy (as defined in security accreditation for different ILs) consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer).

Squiz will purge and destroy all data, compliant with IL2 standards, at the Customer's request.

12.3 Data storage and processing locations

Requirements

All servers/storage will be allocated a ‘locale’. Each locale is a physically separate set of infrastructure, such that a failure in one locale will not affect another locale, nor can any information pass from one locale to another (without the customer choosing to do so). Any one particular data-centre location will contain at least one locale, but is likely to have more. Each locale will have a security classification (i.e. security impact level) identified.

Response

The system will be housed at The Bunker, Squiz’s hosting partner.

No data will leave the Squiz Cloud or ‘locale’ unless requested by the Customer.

A failure in any one locale will not impact service delivery.

The Bunker provides the most secure data centres in Europe, located within purpose-built armoured nuclear bombproof military specified fortresses. This unequalled level of security and redundancy is coupled with the ability to support high levels of power and cooling and stringent access control procedures. The Bunker’s facilities are staffed 24×7×365 by security, technical and networks staff. All sites are linked to each other and to the Internet by their own fully redundant, multi-homed, gigabit network picking up multiple carriers from a number of POPs in locations in London. The two datacentres of The Bunker are located in Ash and Newbury.

12.4 Deployment Models

Requirements

Public and private cloud services in a UK government context:

G-Cloud phase 2 definitions:

- Public Cloud means Utility Computing that is available to individuals, public and private sector organisations. Public Cloud is often non-geographically specific and can be accessed wherever there is an Internet connection.

- Private Cloud means a Utility Computing infrastructure exclusively for the use of one organisation or community.

- Hybrid Cloud means a combination of Public and Private Clouds, both remaining separate entities, but with Workload able to migrate between them.

Response

The Squiz Cloud is considered a Private Cloud, since Squiz currently only hosts Squiz Solutions on its Cloud service. The solutions (Squiz CMS, Squiz Matrix, Squiz Analytics) can be installed either on the Squiz Cloud or other hosting environments as required. In this case, a Service Level Agreement can be provided. A sample is provided with this document.

The Squiz Cloud can be used as a hybrid cloud because Squiz gives Customers the option to publish data to Public Cloud or Content Distribution Networks. This is an optional service that can be turned on at the Customer's request.

12.5 Service Models

Requirements

IaaS and PaaS definitions - NIST defines these as follows [1]:

- Cloud Infrastructure as a Service (IaaS).
  The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

- Cloud Platform as a Service (PaaS).
  The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

- Cloud Software as a Service (SaaS).
  The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Support Services

In addition to the NIST definitions, the G-Cloud requires support services associated with the different cloud service models. These may include services to transfer data/configuration between G-Cloud providers, management and support of applications (workloads) operating on G-Cloud services, multi-supplier service integration services and cloud strategy and implementation services.

Response

Squiz considers its Cloud Solution a Software-as-a-Service Cloud, since the consumer will not be able to manage or control the underlying infrastructure, nor will they be able to append the structure through the 3Tera AppLogic interface.

The Cloud Hosting Agreement and/or Service Level Agreement provided will offer a range of support options, like warranty support and helpdesk access as needed. The level of support depends on the agreement.

[1] http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

12.6 Burst versus elastic resources

Requirements

It is worth defining another key attribute of IaaS and PaaS, elastic versus burst resources. The G-Cloud Phase 2 Technical Architecture work strand report provides a detailed description and definition of these and should be referred to when reading this document.

- Burst: Computing Resources automatically expand and contract in response to changes in application workload.

- Elastic: resources must be requested by the user, operator or application. “Elastic” differs from burst in that the application or user must request the additional resources for example via an Application Programmatic Interface (API).

Elastic and burst resources can be described from a Service Unit view point (i.e. at the level of units which can be purchased and consumed) and also from a technical view point (components within a service unit). For the purposes of the IaaS and PaaS lots, we will be interested in the elasticity and/or burstability of the service both at the level of the units we consume as well as the components thereof. It is fundamental for cloud consumers to understand this aspect of the IaaS and PaaS services being offered.

Suppliers will need to define elasticity versus burstability for services at the level of the chargeable service units offered as well as at the components thereof.

Response

The Squiz Cloud dynamically allocates resources from a resource pool and as such, the Squiz Cloud is to be considered a burst resource.

The Cloud unit pricing allows for resources to be purchased in advance (at a discount) or in arrears based on actual usage.

12.7 Guaranteed and non guaranteed resources

Requirements

Within the elastic and burst resource allocation models (above) the concept of guaranteed and non-guaranteed capacity also exists.

- Guaranteed: Additional capacity that is reserved when not in use so that it is always available, as and when needed. It is likely that having this capacity reserved will come at a cost.

- Non-Guaranteed: Additional capacity is not reserved and thus not guaranteed, it is available for use by all customers on a “first come first served” basis. This is the predominant model used in the multi-tenancy public cloud.

Suppliers will need to define the levels of guaranteed and non-guaranteed resource capacity included in the services they offer.

Response

Each Cloud Hosting Agreement will have a number of cloud units allocated, which are 100% guaranteed to the client as part of the agreement. The Squiz Cloud has a resource pool of additional cloud units that can be used on an ad-hoc basis if required (e.g. due to excess traffic spikes), and these are considered non-guaranteed.

12.8 Persistence of storage

Requirements

Storage can be defined as persistent or non-persistent when related to a virtual compute resource.

- Persistent: Storage is allocated/de-allocated separately to virtual compute instance allocation/de-allocation. As such data stored in persistent storage will still be available after a virtual compute instance to which it is attached is terminated.

- Non-Persistent: Storage is inherent to the virtual compute instance and thus any data it contains disappears when the virtual compute instance is terminated.

It is important for consumers to understand the persistence model being offered to ensure that data/configuration is not lost when virtual compute resource is terminated and that creation of additional virtual compute instances is as efficient as possible through applying existing configuration.

Suppliers will need to define the persistence or non-persistence of the storage units on offer.

Response

The storage is non-persistent to a Virtual Compute Resource. The database, operating system and solution (including the settings) are all managed within the Virtual Image.

12.9 Service provisioning

Requirements

Suppliers will provide rapid provisioning and de-provisioning for all G-Cloud services.

This will include providing full “self service” capabilities for the ordering and provisioning/de-provisioning and cancelling of G-Cloud services.

Response

Squiz enables rapid provisioning and de-provisioning of its Cloud services. All Squiz systems can be provisioned or de-provisioned within 1 working day.

12.10 Utilisation monitoring/reporting

Requirements

Utilisation reporting will be available at both a consumer level as well as at a Crown level (i.e. aggregate of all consumer organisations, broken down by organisation).

“Real-time” online management information, including usage reporting by unit consumed. This will include the information required for consumers and/or the Crown to understand and control consumption e.g. units that are, and are not, being utilised, trends etc.

Response

The Squiz Support team monitors all client services around the clock. This includes not only all cloud hardware, but also the client services like Database, Web & Network services that are crucial to ensuring your online applications are running 24 hours a day, 7 days a week and 365 days a year.

All Cloud packages offer reporting online through Squiz’s client extranet facility. Reporting through the extranet allows clients to view:

- Tickets lodged with Squiz (Tier 1 & 2)

- External website monitoring and outage information

- Notices from your Account Manager and Squiz

Should you require customised reporting, Squiz can extend your reporting options.

The Squiz Cloud Virtualisation Environment, 3Tera AppLogic, delivers custom reporting and Squiz will provide Cloud Unit reports that detail utilisation, trends, etc. for the Customer and the Crown.

12.11 Data centre(s)

Requirements

Suppliers will identify either the TIA-942 or the Uptime Institute tier of the data centre(s) used to provide the services. Where tier identification is conducted through self-assessment, this must be clearly noted and the supplier must commit to providing visibility of workings if requested.

The EU Code of Conduct for data centre operations (EU CoC) provides a number of best practices which can be applied to data centres regardless of whether they are already in use, undergoing a retrofit process or still being planned. Suppliers will commit to providing visibility of their application of those best practices.

Response

Squiz’s data centre, The Bunker, is a Tier 3 datacentre. The Bunker is both ISO 27001 accredited and PCI DSS certified, providing you with assurance that their security and management procedures are regularly subjected to rigorous, independent testing to ensure that they comply with stringent standards for safety, product performance, and reliability.

The Bunker has also partnered with CNS, an IT Security and Networking consultancy, to boost their IT security commitment, see also: http://www.thebunker.net/2011/07/28/the-bunker-and-cns-announce-it-security-partnership/.

The Bunker is also fully compliant with the EU Code of Conduct for data centre operations (EU CoC).

12.12 Network

Requirements

The supplier will ensure that G-Cloud Services utilise an assured data transport mechanism, appropriate for the Services and BIL being delivered and aligned to HMG PSN strategy. Suppliers will need to ensure that they have received approval (against the relevant requirements/assurance mechanisms) from the network provider for connection of their services (e.g. PSN Compliance).

Response

Squiz adheres to PSN Compliance requirements. Specifically:

- The Squiz Matrix solution contains a PSN compliant web services API, CMIS bridge and a variety of connectors for interoperability purposes, see also http://manuals.matrix.squizsuite.net

- Service Level Agreements to cover uptime, warranty and support; see also the enclosed Service Level Agreement and Hosting Agreement

- Transparency of pricing

- A rigid development model, which complements the development roadmap and open source nature of the solutions.

Product security at Squiz begins with the product development team. Each junior developer is paired with a senior developer until they fully understand the PHP programming language and the product itself. Senior developers act as mentors, showing junior developers best practice and teaching security by example. This includes a transfer of knowledge based around common web and PHP security concerns such as XSS, SQL injection and the privacy of system information.

The product development team have a set of tools available to them to help maintain their focus on security. PHP_CodeSniffer, the standard for static code analysis in the PHP world, is a tool written by Squiz to analyse PHP, JavaScript and CSS code for coding style violations. It also includes security checks for common vulnerabilities such as the direct use of super globals in PHP and vulnerabilities reported by 3rd party tools such as JSLint and the Zend Code Analyzer. In addition, we also perform automated unit testing on our products, ensuring that discovered issues are fixed and do not reoccur. For instance, Squiz's flagship product, Squiz Matrix, currently has in excess of 12,000 code points tested for regressions.

In addition to these proactive measures, independent security consultants also periodically audit Squiz’s products. Because Squiz is an open source company, its products are also downloaded and analysed by hundreds of independent developers a month. Squiz receives both bug and security reports from its open source community, generally with code patches supplied, allowing for a faster test and release cycle for security issues. While Squiz values these external contributions, every line of code is checked and tested by Squiz product developers before being released in our products. We tightly control access to our code repository to ensure releases only contain source code that has passed Squiz's extensive test suite and code analysis process.

12.13 Use by other suppliers

Requirements

Suppliers will commit to make their IaaS/PaaS G-Cloud services available for purchase by third parties who intend to supply services to government so they can offer SaaS or more traditional infrastructure/application delivery (on same or better terms) etc. This is applicable to both the Public and Private cloud delivery models, but probably needs to be emphasised for the Private cloud.

Response

At this stage, Squiz will offer its Private Cloud as a SaaS model only, and will currently only host Squiz solutions on its service. In the future, Squiz might consider opening the service up to an IaaS type infrastructure.

12.14 Standard Configurations

Requirements

Where defined, suppliers will provide pricing for at least one standardised configuration or identify a “closest fit” from existing offerings. This is to allow government consumers to compare like for like across suppliers. Note: The current standardised configurations are defined in the Standard Configurations section in the ITT documentation and are not provided in this specific section of the requirements.

Response

As part of Squiz’s standard project methodology, time is allocated as part of the planning phase to work with the client to design a suitable number of cloud units for their system.

As part of the Cloud Hosting Agreement, you will be allocated a number of Cloud Units, which will regularly be monitored for capacity purposes, and your account manager will inform you if any adjustments are needed.


Squiz Cloud Packages

The following Squiz Cloud packages are available (as referenced in the questionnaire).



| | Squiz Suite | Squiz Matrix | Enterprise Suite | Gold Enterprise Suite | Platinum Enterprise Suite |
| --- | --- | --- | --- | --- | --- |
| Price | £1,500/month or £15,000/year if pre-paid | £2,000/month or £20,000/year if pre-paid | £3,000/month or £30,000/year if pre-paid | £5,000/month or £50,000/year if pre-paid | £7,500/month or £75,000/year if pre-paid |
| Squiz Suite Software | | | | | |
| Squiz CMS | | | | | |
| Squiz Search | | | | | |
| Squiz Analytics | | | | | |
| Squiz Matrix | | | | | |
| Software Warranty | | | | | |
| Upgrades & Security Patches | Squiz Subscription for one instance of the Squiz Suite, excluding Squiz Matrix | Squiz Matrix Subscription | Squiz Suite Subscription | Squiz Suite Subscription | Squiz Suite Subscription |
| Cloud Units | 3 | 10 | 13 | 20 | 30 |
| Support | | | | | |
| Bundled Monthly Support hours | via Support Pack | 2 | 2 | 5 | 10 |
| System Emergency Support | 12/7 | 12/7 | 24/7 | 24/7 | 24/7 |
| Priority Help Desk Access | | | | | |
| Help Desk Hours of Access | Business hours | Business hours | 24/7 | 24/7 | 24/7 |

“Squiz Suite Subscription” means one instance of Squiz Matrix, CMS, Analytics and Search. Squiz Suite components may not be substituted in a single Squiz Suite instance.















12.15 Service Roadmaps

Requirements

This should contain notice periods for deprecation of features/functionality, listings of scheduled feature/functionality deprecation and preferably a forward look to new features/functionality or defect resolution that will be introduced.

Response

The Squiz Suite, of which Squiz Matrix is an essential part, is a rapidly evolving product, which follows a disciplined release cycle (shown in the diagram and described below). The open source nature of the product means its functional evolution is driven by end users, the result of which is a product that is closely aligned to its users’ requirements. Squiz manages different concurrent “streams” of software development as shown in the diagram below:

The diagram to the left highlights the fact that there are several significant types of release.

The development stream is not released for client use as all new software development is added to this stream. When sufficient functionality has been added to warrant a new release, Squiz creates a new “beta” release, which initiates a new stream. The following release stages are outlined:

- A Beta release (denoted by the Beta Release symbol in the diagram above) is an early release of a new version of Squiz that is undergoing testing in preparation for becoming a new production version. New functionality is rarely added to new beta versions; rather changes are restricted to stability and performance improvements only.

- A Release Candidate is an advanced beta release that is generally believed to be ready for production use. Some users in the Squiz community, typically those who value quick access to new functionality, will upgrade to a release candidate thereby allowing further testing on production systems.

- A Stable release is created when there have been no significant stability or performance concerns identified since the last release candidate distribution. In other words, once the release has passed all testing processes and has been running successfully for at least one month in community production environments, a new production release will be formed.

- A Final release for a production stream is created when there is a new widely adopted stable production release and there are not enough users on the older stream to warrant the effort required to make a new release. Consequently, there is no fixed date for a final release; instead a final release is entirely dictated by user demand.

Major releases of the software with new functionality are scheduled to occur approximately once every four months.

As specified previously, when upgrading your system, Squiz normally performs a backup of your Squiz Matrix system and installs an additional copy for upgrade testing purposes. When testing is completed, the upgraded system will become your live system, thus requiring no downtime.

Since Squiz Matrix is very much the de-facto solution used by our clients, Squiz does not intend to deprecate any features or the software itself in the long-term future.

Defects, etc. are covered under warranty support through your SLA or Hosting Agreement. When a defect is found, Squiz will prioritise the fix and roll this out as per the Service Levels. If the fix was made in a later version of the software, Squiz will perform an upgrade.

12.16 PaaS Types

Requirements

Managed components = managed server components, available individually or grouped together in a configuration defined by the consumer. (Component examples: operating system, database, application server, web server etc.)

Managed application deployment platform = a pre-configured grouping of components that provides a fully managed environment into which application code can be deployed and executed (e.g. springsource, mod_rails, LAMP etc.).

Response

Squiz will not provide any of its services as a PaaS service.

The solutions are available as Virtual Images, which contain the solution, the underlying database, the Operating System and additional software as required for the software to be run and monitored.