Enterprise Architecture Information Security Management


Page 1: Enterprise Architecture Information Security Management

SysAdmin

End Users

Administrator / Developer

PSM-1 PSM-2

Privileged Session Mgr (PSM)

PSM for secure access

PVWA PVWA

Password Vault Web Access (PVWA)

CPM-1 CPM-2

Central Policy Mgr (CPM)

CPM-2

Password Vault Cluster

Workforce Identity Management: Privileged User Management: Credential Distribution

Threat and Vulnerability Management: Password Vaulting

SailPoint Identity IQ – Identity & Access Management (IAM)

UI Hosts – MSI Service Desk, IAM Admin, SAML Authentication, Core Infrastructure Demand; Gen-9 64-bit

136PPOTWAPP003 2CPU 8-Cores 16GB D-300GB

136PPOTWAPP004 2CPU 8-Cores 16GB D-300GB

Batch / Task Hosts – MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

136ppotwapp001 2CPU 8-Cores 16GB D-300GB

136ppotwapp002 2CPU 8-Cores 16GB D-300GB

Database Server Host – MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

136ppotwsql003 2CPU 8-Cores 128GB D-1150GB

136ppotwsql004 2CPU 8-Cores 128GB D-1150GB

CENTER™ Suite

MS SharePoint Server – MSI Bus Svce Management, Proj Management, Sys Eng, Ent Arch, Process Owners

136pvotwapp001 4vCPU 16GB D-300GB

Project Server – MSI Project Management, Sys Eng, and Ent Arch

136pvotwapp002 4vCPU 16GB D-300GB

MS SQL Server DWH – MSI Business Service Management, Proj Management, Sys Eng, Ent Arch, Process Owners, GEN-9, 64-bit

136ppotwsql001 2CPU 8-Cores 32GB D-10200GB

136ppotwsql002 2CPU 8-Cores 32GB D-10200GB

MED

MED

Financial Management Systems

DigitalFuel

DigitalFuel Application – Front-end financial management portal, COV ITFM Users

136pvotlapp002 2vCPU 8GB D-568GB

136pvotlapp001 2vCPU 8GB D-568GB

SM

Database Server – COV ITFM Users and Agency Financial Management. Leveraging the Application Integration Services (AIS) program’s VITA managed Oracle RAC environment.

DigitalFuel

VMware vRealize Automation (vRA) – Cloud Management Platform –

Cloud Brokerage Service – IaaS

Automation IaaS Database – MSI SMS Administration and Cloud Brokerage

136PVOTWSQL001 4vCPU 16GB D-520GB

Operations Database – MSI SMS Administration and Cloud Brokerage OVF SUSE v11SP2

136PVOTLAPP007 4vCPU 16GB D-400GB

SNOW MID Server – ServiceNow Management, Information, and Discovery server; SMS Admin, STS Integration Services, Core Infrastructure Demand

136PVOTLAPP011 4vCPU 16GB D-128GB

136PVOTLAPP010 4vCPU 16GB D-128GB

136PVOTWAPP003 4vCPU 8GB D-140GB

Infrastructure Appliance – Handles API calls from brokerage platform, Web Services, Manager Service, Distributed Execution Manager (DEM), DEM Orchestrator (DEO), Agent(s)

136PVOTWAPP004 4vCPU 8GB D-140GB

Automation Application – Front end portal for cloud brokerage platform, MSI SMS Admin, Core Infrastructure Demand, OVF SUSE v11SP4

136PVOTLAPP004 4vCPU 18GB D-158GB

136PVOTLAPP003 4vCPU 18GB D-158GB

136PVOTLAPP006 2vCPU 8GB D-328GB

136PVOTLAPP005 2vCPU 8GB D-328GB

136PVOTLAPP008 2vCPU 8GB D-458GB

136PVOTLAPP009 2vCPU 8GB D-458GB

MED

SM

MED

Operations App – MSI SMS Admin and API for cloud brokerage platform to use, OVF SUSE v11SP2

SM

Log Insight Application – MSI SMS Admin, end-user portal and API for cloud brokerage platform to use (Administration), OVF SUSE v11SP4

SM

MED

MED

Keystone Edge Broker

Splunk – Central Logging Security Visibility

Search Head – MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

136ppotlapp001 2CPU 8-Cores 128GB D-1100GB

Index Server – MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

136ppotlapp002 2CPU 8-Cores 128GB D-1100GB

F5 Load Balancer

Reverse Proxy Server

Okta Identity Provider (IDP)

Okta Bridge

Active Directory (AD) Agent

SMTP Servers

Syslog Servers

NTP Servers

Time Source Interface

Domain Controllers

SNMP Servers

Email Gateway

Vault Cluster Partner

COV AD

ServiceNow Backup – Miami, FL

Oracle Primavera

KE supports Primavera.

VA-170822-SAIC-02.3.1. MSI Services Solution.

Keystone Edge™ (KE) stores data within an Oracle relational database accessible via the platform and via web services queries.

VA-170822-SAIC-03~30 Exhibit 3

Cloud Service

Keystone Edge

Nessus Pro to be installed on MSI-operated and VITA-approved PCs outside CESC.

All SMS components, except Keystone Edge, are intended to be accessed exclusively from within the COV network (directly or via VPN connection) and do not provide an external, Internet-accessible user interface.

Keystone Edge (ServiceNow) components are hosted in ServiceNow’s data centers within FedRAMP Moderate certified spaces, subject to the physical and logical security controls necessary to maintain compliance with that certification. ServiceNow instances are deployed on client-dedicated hardware (not multi-tenant) within their secured facilities. The primary data center location for these instances is Culpeper, VA, with a secondary facility in Miami, FL for redundancy and system availability during upgrades. As part of FedRAMP compliance, all network access to these systems from the Internet is encrypted HTTPS (443/TCP) via TLS 1.2, and data is encrypted at rest via full disk encryption.

Financial Management System (FMS) Users

IAM

CMDB

Customer data in ServiceNow can be exported in Excel format.

Clustered Data Warehouse

Information Security Management System (ISMS) Platform

A VITA-owned and VITA-provided Governance, Risk and Compliance platform (Archer); it will be the source of security policy and audit. Archer assists in the control of the audit lifecycle, enabling governance of audit-related activities, while also providing integration with risk and control functions (manual integration today). Covers: Risk Management Framework, Controls Framework, Audit Lifecycle Control, Security Dashboards, and Security Governance.

Application Identity Manager (AIM) Appliance

p12/24 of 69

AUTH AD

Google Cloud Platform (GCP) Microsoft Azure Amazon Web Services (AWS)

= Security Focused Apps

p12/24 of 69

Privileged Session Mgr (PSM) Archives

p31 of 69

p31/35/39 of 69

PSM-3

p31 of 69

p35 of 69

p39/40 of 69

p39/40 of 69

p44 of 69

= DR

p63 of 69

p4/10 of 69

Privileged Account Security

p4/5/10 of 69

Enterprise Architecture

SMS VAR Model Based on CDD v4 Document

= VITA’s MSI Integrator

Robert Kowalke ~ Enterprise Architecture ~ [email protected] ~ Relationship Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA)

Commonwealth Enterprise Solutions Center (CESC) Architectural Artifacts/Graphs/Views/Matrices/etc. reference page: http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap35.html

This fit-for-purpose view is intended for a minimum 11x17 sized paper.

PURPOSE: To depict the MSI SMS CDD v4 document in a graphical format for VAR analysis and template diagram examples within the document.

VITA Draft Discussion Document // Rev: Nov-8-2018

p10 of 69

Page 2: Enterprise Architecture Information Security Management

= Keystone Edge / ServiceNow Application View

Keystone Edge / ServiceNow Application Interaction View

Arrow = Communication Initiation Direction

p11 of 69

Page 3: Enterprise Architecture Information Security Management

CENTER Application Interaction View

Arrow = Communication Initiation Direction

p12 of 69

= Keystone Edge / ServiceNow Application View

Page 4: Enterprise Architecture Information Security Management

SysAdmin

End Users

Administrator / Developer

PSM-1 PSM-2

Privileged Session Mgr (PSM)

PSM for secure access

PVWA PVWA

Password Vault Web Access (PVWA)

CPM-1 CPM-2

Central Policy Mgr (CPM)

CPM-2

Password Vault Cluster

Workforce Identity Management: Privileged User Management: Credential Distribution

Threat and Vulnerability Management: Password Vaulting

SailPoint Identity IQ – Identity & Access Management (IAM)

UI Hosts – MSI Service Desk, IAM Admin, SAML Authentication, Core Infrastructure Demand; Gen-9 64-bit

136PPOTWAPP003 2CPU 8-Cores 16GB D-300GB

136PPOTWAPP004 2CPU 8-Cores 16GB D-300GB

Batch / Task Hosts – MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

136ppotwapp001 2CPU 8-Cores 16GB D-300GB

136ppotwapp002 2CPU 8-Cores 16GB D-300GB

Database Server Host – MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

136ppotwsql003 2CPU 8-Cores 128GB D-1150GB

136ppotwsql004 2CPU 8-Cores 128GB D-1150GB

CENTER™ SuiteMS SharePoint Server – MSI Bus Svce Management, Proj Management, Sys Eng, Ent Arch, Process Owners

136pvotwapp001 4vCPU 16GB D-300GB

Project Server – MSI Project Management, Sys Eng, and Ent Arch

136pvotwapp002 4vCPU 16GB D-300GB

MS SQL Server DWH – MSI Business Service Management, Proj Management, Sys Eng, Ent Arch, Process Owners, GEN-9, 64-bit

136ppotwsql001 2CPU 8-Cores 32GB D-10200GB

136ppotwsql002 2CPU 8-Cores 32GB D-10200GB

MED

MED

Financial Management Systems

DigitalFuel

DigitalFuel Application – Front-end financial management portal, COV ITFM Users

136pvotlapp002 2vCPU 8GB D-568GB

136pvotlapp001 2vCPU 8GB D-568GB

SM

Database Server – COV ITFM Users and Agency Financial Management. Leveraging the Application Integration Services (AIS) program’s VITA managed Oracle RAC environment.

DigitalFuel

VMware vRealize Automation (vRA) – Cloud Management Platform –

Cloud Brokerage Service – IaaS

Automation IaaS Database – MSI SMS Administration and Cloud Brokerage

136PVOTWSQL001 4vCPU 16GB D-520GB

Operations Database – MSI SMS Administration and Cloud Brokerage OVF SUSE v11SP2

136PVOTLAPP007 4vCPU 16GB D-400GB

SNOW MID Server – ServiceNow Management, Information, and Discovery server; SMS Admin, STS Integration Services, Core Infrastructure Demand

136PVOTLAPP011 4vCPU 16GB D-128GB

136PVOTLAPP010 4vCPU 16GB D-128GB

136PVOTWAPP003 4vCPU 8GB D-140GB

Infrastructure Appliance – Handles API calls from brokerage platform, Web Services, Manager Service, Distributed Execution Manager (DEM), DEM Orchestrator (DEO), Agent(s)

136PVOTWAPP004 4vCPU 8GB D-140GB

Automation Application – Front end portal for cloud brokerage platform, MSI SMS Admin, Core Infrastructure Demand, OVF SUSE v11SP4

136PVOTLAPP004 4vCPU 18GB D-158GB

136PVOTLAPP003 4vCPU 18GB D-158GB

136PVOTLAPP006 2vCPU 8GB D-328GB

136PVOTLAPP005 2vCPU 8GB D-328GB

136PVOTLAPP008 2vCPU 8GB D-458GB

136PVOTLAPP009 2vCPU 8GB D-458GB

MED

SM

MED

Operations App – MSI SMS Admin and API for cloud brokerage platform to use, OVF SUSE v11SP2

SM

Log Insight Application – MSI SMS Admin, end-user portal and API for cloud brokerage platform to use (Administration), OVF SUSE v11SP4

SM

MED

MED

Keystone Edge Broker

Splunk – Central Logging Security Visibility

Search Head – MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

136ppotlapp001 2CPU 8-Cores 128GB D-1100GB

Index Server – MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

136ppotlapp002 2CPU 8-Cores 128GB D-1100GB

F5 Load Balancer

Reverse Proxy Server

Okta Identity Provider (IDP)

Okta BridgeActive Directory

(AD) Agent

SMTP Servers

Syslog Servers

NTP ServersTime Source Interface

Domain Controllers

SNMP Servers

Email Gateway

Vault Cluster Partner

COV AD

ServiceNow BackupMiami, FL

Oracle PrimaveraKE supports Primavera.

VA-170822-SAIC-02.3.1. MSI Services Solution.

Keystone Edge™ (KE) stores data within an Oracle relational database accessible via the platform and via web services queries.VA-170822-SAIC-03~30 Exhibit 3

Cloud Service

Keystone Edge

Nessus Pro to be installed on MSI-operated and VITA-

approved PC’s outside CESC.

All SMS components, except Keystone Edge, are intended to be accessed exclusively from within the COV network (directly or via VPN connection) and do not provide an external, Internet-accessible user interface.

Keystone Edge (ServiceNow) components are hosted in ServiceNow’s data centers within FedRAMP Moderate-certified spaces, subject to the physical and logical security controls necessary to maintain that certification. ServiceNow instances are deployed on client-dedicated hardware (not multi-tenant) within ServiceNow’s secured facilities. The primary data center for these instances is Culpeper, VA, with a secondary facility in Miami, FL for redundancy and for system availability during upgrades. As part of FedRAMP compliance, all network access to these systems from the Internet is over HTTPS (443/TCP) using TLS 1.2, and data at rest is protected by full-disk encryption.

Financial Management System (FMS) Users

IAM

CMDB

Customer data in ServiceNow can be exported in Excel format.

Clustered Data Warehouse

Information Security Management System (ISMS) Platform

A VITA-owned and VITA-provided Governance, Risk and Compliance (GRC) platform that will be the source of security policy and audit. Archer assists in controlling the audit lifecycle, enabling governance of audit-related activities, while also providing integration with risk and control functions (manual integration today). Functions: Risk Management Framework, Controls Framework, Audit Lifecycle Control, Security Dashboards, and Security Governance.

Application Identity Manager (AIM) Appliance


AUTH AD

Google Cloud Platform (GCP) Microsoft Azure Amazon Web Services (AWS)

= Security Focused Apps


Privileged Session Mgr (PSM) Archives


PSM-3


= DR


Privileged Account Security


Enterprise Architecture

SMS VAR Model Based on CDD v4 Document

= VITA’s MSI Integrator

Robert Kowalke ~ Enterprise Architecture ~ [email protected] Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA)

Commonwealth Enterprise Solutions Center (CESC) Architectural Artifacts/Graphs/Views/Matrices/etc. reference page: http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap35.html

This fit-for-purpose view is intended for printing on paper of at least 11x17 size.

PURPOSE: To depict the MSI SMS CDD v4 document in a graphical format for VAR analysis and as template diagram examples within the document.

VITA Draft Discussion Document // Rev: Nov-8-2018


Splunk Application Interaction View

Arrow = Communication Initiation Direction


= Keystone Edge / ServiceNow Application View

Page 5: Enterprise Architecture Information Security Management

(Diagram: same SMS component labels, host inventory and notes as the preceding view.)

CyberArk Application Interaction View

Arrow = Communication Initiation Direction

= Keystone Edge / ServiceNow Application View

Page 6: Enterprise Architecture Information Security Management

(Diagram: same SMS component labels, host inventory and notes as the preceding view.)

Privileged Session Management (PSM) Application Interaction View

Arrow = Communication Initiation Direction

= Keystone Edge / ServiceNow Application View

Page 7: Enterprise Architecture Information Security Management

(Diagram: same SMS component labels, host inventory and notes as the preceding view.)

Application Identity Management (AIM) Application Interaction View

Arrow = Communication Initiation Direction

= Keystone Edge / ServiceNow Application View

Page 8: Enterprise Architecture Information Security Management

(Diagram: same SMS component labels, host inventory and notes as the preceding view.)

SailPoint Identity IQ Application Interaction View

Arrow = Communication Initiation Direction

= Keystone Edge / ServiceNow Application View