Enterprise Architecture Information Security Management ...

[Pages:8]

Legend: = VITA's MSI Integrator

Actors: Sys Admin; Administrator / Developer; AUTH AD; COV AD

Nessus Pro to be installed on MSI-operated and VITA-approved PCs outside CESC. (p4/10 of 69)

Financial Management System (FMS) Users; End Users

All SMS components, except Keystone Edge, are intended to be accessed exclusively from within the COV network (directly or via VPN connection) and do not provide an external, Internet-accessible user interface.

Reverse Proxy Server (p10 of 69)

Okta Identity Provider (IDP); Okta Bridge Active Directory (AD) Agent

F5 Load Balancer (p31/35/39 of 69)

Cloud Service: Keystone Edge

Keystone Edge™ (KE) stores data within an Oracle relational database accessible via the platform and via web services queries. (VA-170822-SAIC-03~30 Exhibit 3)

CMDB: Customer data in ServiceNow can be exported in Excel format.

Oracle Primavera: KE supports Primavera. (VA-170822-SAIC-02.3.1, MSI Services Solution)

ServiceNow Backup: Miami, FL

Keystone Edge (ServiceNow) components are hosted in ServiceNow's data centers within FedRAMP Moderate certified spaces, subject to the physical and logical security controls necessary to maintain compliance with that certification. ServiceNow instances are deployed on client-dedicated hardware (not multi-tenant) within their secured facilities. The primary data center location for these instances is Culpeper, VA, with a secondary facility in Miami, FL for redundancy and system availability during upgrades. As part of compliance with the FedRAMP certification, all network access to these systems from the Internet is encrypted HTTPS (443/TCP) via TLS 1.2, and data is encrypted at rest via full disk encryption. (p10 of 69)

Public cloud providers shown: Google Cloud Platform (GCP); Microsoft Azure; Amazon Web Services (AWS)

Enterprise Architecture: SMS VAR Model Based on CDD v4 Document (p12/24 of 69)

CENTER™ Suite (p12/24 of 69)

MED  136pvotwapp001  4vCPU 16GB D-300GB
  MS SharePoint Server - MSI Bus Svce Management, Proj Management, Sys Eng, Ent Arch, Process Owners

MED  136pvotwapp002  4vCPU 16GB D-300GB
  Project Server - MSI Project Management, Sys Eng, and Ent Arch

Clustered Data Warehouse
  136ppotwsql001  2CPU 8-Cores 32GB D-10200GB
  136ppotwsql002  2CPU 8-Cores 32GB D-10200GB
  MS SQL Server DWH - MSI Business Service Management, Proj Management, Sys Eng, Ent Arch, Process Owners; Gen-9, 64-bit

Financial Management Systems (p44 of 69)

SM  DigitalFuel
  136pvotlapp001  2vCPU 8GB D-568GB
  136pvotlapp002  2vCPU 8GB D-568GB
  DigitalFuel Application - Front-end financial management portal; COV ITFM Users
  Database Server - COV ITFM Users and Agency Financial Management; leverages the Application Integration Services (AIS) program's VITA-managed Oracle RAC environment

Information Security Management System (ISMS) Platform (p4/5/10 of 69)

Archer: a VITA-owned and VITA-provided Governance, Risk and Compliance platform that will be the source of security policy and audit. Archer assists in the control of the audit lifecycle, enabling governance of audit-related activities, while also providing integration with risk and control functions (manual integration today). Functions: Risk Management Framework, Controls Framework, Audit Lifecycle Control, Security Dashboards, and Security Governance.

Splunk - Central Logging / Security Visibility
  136ppotlapp001  2CPU 8-Cores 128GB D-1100GB
    Search Head - MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit
  136ppotlapp002  2CPU 8-Cores 128GB D-1100GB
    Index Server - MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

IAM - Privileged Account Security (p31 of 69)
  Password Vault Cluster (with Vault Cluster Partner)
  Central Policy Mgr (CPM): CPM-1, CPM-2, CPM-2
  Password Vault Web Access (PVWA): PVWA, PVWA
  Privileged Session Mgr (PSM): PSM-1, PSM-2, PSM-3 - PSM for secure access
  Privileged Session Mgr (PSM) Archives (p31 of 69)
  Application Identity Manager (AIM) Appliance
  Capabilities: Workforce Identity Management: Privileged User Management; Credential Distribution; Threat and Vulnerability Management: Password Vaulting

MED  Keystone Edge Broker
  136PVOTLAPP010  4vCPU 16GB D-128GB
  136PVOTLAPP011  4vCPU 16GB D-128GB
  SNOW MID Server - ServiceNow Management, Information, and Discovery server; SMS Admin, STS Integration Services, Core Infrastructure Demand

VMware vRealize Automation (vRA) - Cloud Management Platform - Cloud Brokerage Service - IaaS (p39/40 of 69)

MED  136PVOTWAPP003  4vCPU 8GB D-140GB;  136PVOTWAPP004  4vCPU 8GB D-140GB
  Infrastructure Appliance - Handles API calls from the brokerage platform; Web Services, Manager Service, Distributed Execution Manager (DEM), DEM Orchestrator (DEO), Agent(s)

MED  136PVOTLAPP003  4vCPU 18GB D-158GB;  136PVOTLAPP004  4vCPU 18GB D-158GB
  Automation Application - Front-end portal for the cloud brokerage platform; MSI SMS Admin, Core Infrastructure Demand; OVF SUSE v11SP4

SM  136PVOTLAPP005  2vCPU 8GB D-328GB;  136PVOTLAPP006  2vCPU 8GB D-328GB  (p63 of 69)
  Operations App - MSI SMS Admin and API for the cloud brokerage platform to use; OVF SUSE v11SP2

SM  136PVOTLAPP008  2vCPU 8GB D-458GB;  136PVOTLAPP009  2vCPU 8GB D-458GB
  Log Insight Application - MSI SMS Admin, end-user portal and API for the cloud brokerage platform to use (Administration); OVF SUSE v11SP4  (p39/40 of 69)

MED  136PVOTWSQL001  4vCPU 16GB D-520GB
  Automation IaaS Database - MSI SMS Administration and Cloud Brokerage

SM  136PVOTLAPP007  4vCPU 16GB D-400GB
  Operations Database - MSI SMS Administration and Cloud Brokerage; OVF SUSE v11SP2

SailPoint IdentityIQ - Identity & Access Management (IAM) (p35 of 69)
  136PPOTWAPP003  2CPU 8-Cores 16GB D-300GB;  136PPOTWAPP004  2CPU 8-Cores 16GB D-300GB
    UI Hosts - MSI Service Desk, IAM Admin, SAML Authentication, Core Infrastructure Demand; Gen-9 64-bit
  136ppotwsql003  2CPU 8-Cores 128GB D-1150GB;  136ppotwsql004  2CPU 8-Cores 128GB D-1150GB
    Database Server Host - MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit
  136ppotwapp001  2CPU 8-Cores 16GB D-300GB;  136ppotwapp002  2CPU 8-Cores 16GB D-300GB
    Batch / Task Hosts - MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

Also depicted: Syslog Servers; Email Gateway; Domain Controllers; SMTP Servers; NTP Servers; Time Source Interface; SNMP Servers

Legend: = Security Focused Apps; = DR

PURPOSE: To depict the MSI SMS CDD v4 document in a graphical format for VAR analysis and as template diagram examples within the document.

VITA Draft Discussion Document // Rev: Nov-8-2018

This fit-for-purpose view is intended for a minimum 11x17 sized paper.

Robert Kowalke ~ Enterprise Architecture ~ robert.kowalke@vita. Relationship Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA)

Commonwealth Enterprise Solutions Center (CESC) Architectural Artifacts/Graphs/Views/Matrices/etc. reference page:

Keystone Edge / ServiceNow Application Interaction View (Arrow = Communication Initiation Direction; p11 of 69) - same components, hosts and labels as the base view above; legend as extracted: = VITA's MSI Integrator; = Keystone Edge / ServiceNow Application View; = Security Focused Apps; = DR.

CENTER Application Interaction View (Arrow = Communication Initiation Direction; p12 of 69) - same components, hosts and labels as the base view above; legend as extracted: = VITA's MSI Integrator; = Keystone Edge / ServiceNow Application View; = Security Focused Apps; = DR.

Splunk Application Interaction View (Arrow = Communication Initiation Direction; p13 of 69) - same components, hosts and labels as the base view above; legend as extracted: = VITA's MSI Integrator; = Keystone Edge / ServiceNow Application View; = Security Focused Apps; = DR.

= VITA's MSI Integrator

CyberArk Application Interaction View

Arrow = Communication Initiation Direction

p14 of 69

Sys Admin

Administrator / Developer

AUTH AD COV AD

Nessus Pro to be installed on MSI-operated and VITA-

approved PC's outside CESC.

p4/10 of 69

Financial Management System (FMS) Users

End Users

All SMS components, except Keystone Edge, are intended to

be accessed exclusively from within the COV network (directly

or via VPN connection) and do not provide an external, Internet-accessible user interface.

Reverse Proxy Server

p10 of 69

Okta Identity Provider (IDP)

Okta Bridge Active Directory

(AD) Agent

F5 Load Balancer

p31/35/39 of 69

Cloud Service

Keystone Edge

Keystone EdgeTM (KE) stores data within an Oracle relational database

accessible via the platform and via web services queries.

VA-170822-SAIC-03~30 Exhibit 3

CMDB

Customer data in ServiceNow can be exported in

Excel format.

Oracle Primavera KE supports Primavera. VA-170822-SAIC-02.3.1. MSI Services Solution.

ServiceNow Backup Miami, FL

Keystone Edge (ServiceNow) components are hosted in ServiceNow's data centers within FedRAMP moderate certified spaces subject to physical and logical security controls necessary to maintain compliance with that certification. ServiceNow instances are deployed on client-dedicated hardware (not multi-tenant) within their secured facilities. Primary data center location for these instances is Culpepper, VA with a secondary facility for redundancy and system availability during upgrades in Miami, FL. As part of compliance with the FedRAMP certification, all network access to these systems from the Internet is encrypted HTTPS (443/TCP) via TLS 1.2, and data is encrypted at rest via full disk encryption.

p10 of 69

Google Cloud Platform (GCP)

Microsoft Azure

Amazon Web Services (AWS)

Enterprise Architecture

SMS VAR Model Based on CDD v4 Document

p12/24 of 69

CENTERTM Suite

p12/24 of 69

MED

136pvotwapp001 4vCPU 16GB D-300GB

MS SharePoint Server ? MSI Bus Svce Management, Proj Management, Sys Eng, Ent Arch, Process Owners

MED

136pvotwapp002 4vCPU 16GB D-300GB

Project Server ? MSI Project Management, Sys Eng, and Ent Arch

Clustered Data Warehouse

136ppotwsql001 2CPU 8-Cores 32GB D-10200GB

136ppotwsql002 2CPU 8-Cores 32GB D-10200GB

MS SQL Server DWH ? MSI Business Service Management, Proj Management, Sys Eng, Ent Arch, Process Owners, GEN-9, 64-bit

Financial Management

Systems

p44 of 69

SM DigitalFuel

136pvotlapp001 2vCPU 8GB D-568GB

136pvotlapp002 2vCPU 8GB D-568GB

DigitalFuel Application ? Front-end financial management portal, COV ITFM Users

Database Server ? COV ITFM Users and Agency Financial Management. Leveraging the Application Integration Services (AIS) program's VITA managed Oracle RAC environment.

DigitalFuel

Information Security Management System (ISMS) Platform

p4/5/10 of 69

A VITA owned and provided Governance, Risk and Compliance platform. Will be the source of policy and audit. Archer assists in the control of the audit lifecycle, enabling governance of audit-related activities, while also providing integration with risk and control functions. (Manual integration today) Security Policy and Audit source. Risk Management Framework, Controls Framework, Audit Lifecycle Control, Security Dashboards, and Security Governance.

Splunk ? Central Logging Security Visibility

136ppotlapp001 2CPU 8-Cores 128GB D-1100GB

Search Head ? MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

136ppotlapp002 2CPU 8-Cores 128GB D-1100GB

Index Server ? MSI Security & Service Desk, Core Infrastructure Demand; Gen-9 64-bit

Vault Cluster Partner

IAM

CPM-1

CPM-2

CPM-2

Central Policy Mgr (CPM)

PVWA

PVWA

Password Vault Web

Access (PVWA)

PSM-1

PSM-2

PSM-3

Privileged Session Mgr

(PSM)

PSM for secure access

p31 of 69

Application Identity Manager (AIM) Appliance

Password Vault Cluster

Privileged Account Security

Privileged Session Mgr (PSM) Archives p31 of 69

Workforce Identity Management: Privileged User Management: Credential Distribution Threat and Vulnerability Management: Password

Vaulting

MED

136PVOTLAPP010 4vCPU 16GB D-128GB

Keystone Edge Broker

136PVOTLAPP011 4vCPU 16GB D-128GB

SNOW MID Server ? ServiceNow Management, Information, and Discovery server; SMS Admin, STS Integration Services, Core Infrastructure Demand

VMware vRealize Automation (vRA) ? Cloud Management Platform ? Cloud Brokerage Service ? IaaS

p39/40 of 69

MED

136PVOTWAPP003 4vCPU 8GB D-140GB 136PVOTWAPP004 4vCPU 8GB D-140GB

Infrastructure Appliance - Handles API calls from the brokerage platform; Web Services, Manager Service, Distributed Execution Manager (DEM), DEM Orchestrator (DEO), Agent(s)

MED

136PVOTLAPP003 4vCPU 18GB D-158GB 136PVOTLAPP004 4vCPU 18GB D-158GB

Automation Application - Front-end portal for the cloud brokerage platform; MSI SMS Admin, Core Infrastructure Demand; OVF SUSE v11SP4

SM

p63 of 69

136PVOTLAPP005 2vCPU 8GB D-328GB 136PVOTLAPP006 2vCPU 8GB D-328GB

Operations App - MSI SMS Admin and API for the cloud brokerage platform to use; OVF SUSE v11SP2

SM

136PVOTLAPP008 2vCPU 8GB D-458GB 136PVOTLAPP009 2vCPU 8GB D-458GB

Log Insight Application - MSI SMS Admin, end-user portal and API for the cloud brokerage platform to use (Administration); OVF SUSE v11SP4

p39/40 of 69

MED

136PVOTWSQL001 4vCPU 16GB D-520GB

Automation IaaS Database - MSI SMS Administration and Cloud Brokerage

SM

136PVOTLAPP007 4vCPU 16GB D-400GB

Operations Database - MSI SMS Administration and Cloud Brokerage; OVF SUSE v11SP2

SailPoint Identity IQ - Identity & Access Management (IAM)

136PPOTWAPP003 2CPU 8-Cores 16GB D-300GB 136PPOTWAPP004 2CPU 8-Cores 16GB D-300GB

UI Hosts - MSI Service Desk, IAM Admin, SAML Authentication, Core Infrastructure Demand; Gen-9 64-bit

136ppotwsql003 2CPU 8-Cores 128GB D-1150GB

136ppotwsql004 2CPU 8-Cores 128GB D-1150GB

Database Server Host - MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

136ppotwapp001 2CPU 8-Cores 16GB D-300GB 136ppotwapp002 2CPU 8-Cores 16GB D-300GB

Batch / Task Hosts - MSI Service Desk, IAM Admin, Core Infrastructure Demand; Gen-9 64-bit

p35 of 69

Syslog Servers

Email Gateway

Domain Controllers

SMTP Servers

NTP Servers

Time Source Interface

SNMP Servers

= Keystone Edge / ServiceNow Application View

= Security Focused Apps

= DR

PURPOSE: To depict MSI SMS CDD v4 document in a graphical format for VAR analysis and template diagram examples within the document.

VITA Draft Discussion Document // Rev: Nov-8-2018

This fit-for-purpose view is intended for a minimum 11x17 sized paper.

Robert Kowalke ~ Enterprise Architecture ~ robert.kowalke@vita. Relationship Management & Governance (RM&G) @ Virginia Information Technologies Agency (VITA)

Commonwealth Enterprise Solutions Center (CESC) Architectural Artifacts/Graphs/Views/Matrices/etc. reference page:

= VITA's MSI Integrator

Privileged Session Management (PSM) Application Interaction View

Arrow = Communication Initiation Direction

p15 of 69


= VITA's MSI Integrator

Application Identity Management (AIM) Application Interaction View

Arrow = Communication Initiation Direction

p16 of 69


= VITA's MSI Integrator

SailPoint Identity IQ Application Interaction View

Arrow = Communication Initiation Direction

p17 of 69

