Secure Government/Defence Cloud Environment
Our customer in the Defence sector had been operating within an on-premise based environment with strong ties to working on-site. Due to growth and expansion of their operations, they were looking to move into the cloud to modernise their work practices, including the ability to enable a mobile workforce and simpler remote access, to facilitate both external and internal collaboration.
The need for increased data sharing and collaboration between authorised agencies, departments and corporations needed to be balanced with the need to maintain security compliance including IRAP accreditation to PROTECTED and capability of accreditation to SECRET. In addition to these requirements was the need to ensure information for different projects and organisations was able to be kept separate and secure internally as well as externally.
The nature of information to be stored in the environment raised concern about the use of public cloud services for sizeable portion of the environment. With M365 and Azure providing a substantial amount of the required functionality, an ‘out of the box’ Azure Stack was selected as it enabled these services to be used in a private cloud.
A key component of the design was a central management tenant for delivering a set of services and security capabilities such as desktop management, remote access, network services, internet access, security platforms and such, all controlled from the master tenant, and agencies requiring access to the environment would be assigned their individual sub-tenant with full control of their own organisation identities, controls over data, sharing, users and guests as well as building out their own applications and services.
Chamonix was engaged as part of a build and deployment team, whose role was to implement a highly available on-premise environment integrated with an Azure stack instance to deliver highly secure Cloud functionality. Key to the implementation was a focus on maintaining the high level of robust cyber security whilst enabling a mobile workplace to meet the unique needs of the workforce, which was spread across multiple locations as well as various corporations, government agencies and departments. Our customer wanted to ensure they were able to meet future supply chain requirements including adherence with the Essential Eight Maturity Model and IRAP accreditation to PROTECTED.
The solution included:
- central ‘master’ tenant to create and manage all ‘sub’ tenants
- file sharing internal/external
- audio and video conferencing
- multi-tenant cloud-based secure print
- Microsoft Teams/365 functionality
- on-prem level of security/data control
- robust and reliable backup and restore solution
- monitoring and reporting
- end user hardware recommendations and selection
- AV equipment recommendations and selection
- in-situ equipment use/re-use/upgrade
The design included the use of three isolated administration zones based on the enhanced security administration model, with communications and access controlled between zones by network controls, administrative controls and just in time elevation via Azure Privileged Identity Management for privileged user access. This concept limits the possible flow of management traffic so that only the network elements and segments explicitly required to communicate with each other can do so, increasing the complexity for potential attackers and reducing the scope of a possible attack.
Our role within the deployment team was a heavy focus on design as well as implementation of the infrastructure services, including the deployment of multiple Microsoft Hyper-V clusters and pools of virtual servers to manage the environment, and supporting various vendors with access, troubleshooting and controls to setup and deploy each solution and application to ensure successful function of each aspect.