This section outlines the system’s hardware and software components.
The solution’s hardware will be Windows-compatible hardware provided by the cloud host in accordance with (IAW) the SLAs. The hardware specification depends on the dynamic load placed on the solution. Basing the solution in a robust, on-demand cloud allows the hardware footprint to grow or shrink with the changing business needs of the OSDBU and CVE organization. The cloud provider
VEMS is a cloud-based solution accessed through virtual desktops running the Microsoft Windows operating system. Once end users have been properly authenticated, they use the virtual desktop to reach the Microsoft Dynamics Customer Relationship Management (CRM) system and its integrated subcomponents (SharePoint, SQL Server, and the commercially available plug-ins listed previously), along with commonly available productivity software.
Other components of the solution integrate through existing infrastructure. These items are:
The VoIP interface provided by the Cisco Universal Call Connector. This component leverages the existing VoIP infrastructure and collaboration software already available in the VA.
The collection of web services exposed by designated, secured gateways at the cloud boundary. These gateways provide the secured integration points between the cloud and the external data sources and data requestors that have been properly authorized to provide or consume cloud-based services.
The VEMS environment shall leverage Identity and Access Management (IAM) processes and tools to strengthen security by implementing Single Sign-On (SSO), access privileges and defined user roles for access to VA web-based applications and to federal and industry databases from all VA locations. VEMS will adopt the VA’s preferred web SSO solution once it has been made available to the project team.
As VEMS takes on the user-facing capabilities of Customer Relationship Management (CRM), workflow and queue management, and data, document and validation management, it is essential to implement additional security and access controls within the VA organization via ADFS and/or IAM tool(s) and processes, with the following considerations:
Automated user provisioning and de-provisioning of access to VA and/or external applications and databases.
Compliance visibility: centralized reports covering access rights across services, provisioning and de-provisioning events, and end-user and administrator activity.
Centralized integration with the central Active Directory (AD) or LDAP directory, so that new applications can be onboarded without firewall modifications. As VA users are added to or removed from Active Directory, their access to cloud-based applications should change automatically through an industry-standard provisioning interface carried over TLS (SSL/TLS protects the channel; it is not itself a provisioning mechanism, so a directory synchronization or provisioning protocol is still required).
The maintenance and tracking of application versions and user management via cloud-based services needs to be considered as part of an overall application integration strategy.
Centralized administration models for the different applications, allowing reporting and user and access management across VA and external cloud applications. A defined security model must also grant individual application administrators only the level of access they need to manage their specific users and applications within the same IAM system.
Mobile authentication through a single enterprise credential system, using Single Sign-On (SSO), the Security Assertion Markup Language (SAML), etc.
If Active Directory Federation Services (ADFS) is used, note that ADFS provides federated SSO only, with no user provisioning or de-provisioning, and only for applications that support SAML or WS-Federation; provisioning and de-provisioning must be handled by another component.
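The provisioning, de-provisioning and compliance-reporting considerations above come down to one recurring computation: derive the access each user should hold from directory group membership, compare it with the access an application actually grants, and report the difference. The following is an added example written for this page; it is not VEMS or VA code, and the group names, application names, user principal names and the group-to-role mapping are all constructed for illustration. It also shows the one guard a practitioner would insist on: a failed or empty directory read must never be interpreted as "everyone has left" and trigger a mass de-provisioning.

```python
"""Added example (hypothetical data, not VEMS code): derive application
access from Active Directory group membership and reconcile it against
the access an application currently grants."""
from dataclasses import dataclass
from pprint import pprint


@dataclass(frozen=True)
class DirectoryUser:
    upn: str            # userPrincipalName as exported from AD
    groups: frozenset   # names of the security groups the user belongs to
    enabled: bool       # False when the AD account is disabled


# Hypothetical mapping of AD security groups to (application, role).
ROLE_MAP = {
    "VEMS-CaseWorkers": ("vems-crm", "caseworker"),
    "VEMS-Reviewers": ("vems-crm", "reviewer"),
    "VEMS-Admins": ("vems-crm", "admin"),
    "VEMS-Docs-Editors": ("vems-sharepoint", "editor"),
}


def desired_entitlements(users):
    """(upn, app, role) triples each enabled user should hold.
    Disabled users get none, so disabling an AD account revokes everything."""
    wanted = set()
    for u in users:
        if not u.enabled:
            continue
        for g in u.groups:
            if g in ROLE_MAP:            # groups outside the map are ignored
                wanted.add((u.upn,) + ROLE_MAP[g])
    return wanted


def reconcile(users, current):
    """Compare desired against current entitlements.

    Returns the provisioning actions plus the two findings a compliance
    report needs: application accounts with no directory identity at all,
    and accounts belonging to disabled directory users.
    """
    by_upn = {u.upn: u for u in users}
    wanted = desired_entitlements(users)
    if not wanted:
        # Safety guard: an empty or failed directory read must not become
        # a de-provisioning run that removes every account.
        raise RuntimeError("directory returned no enabled users; refusing to reconcile")
    return {
        "provision": sorted(wanted - current),
        "deprovision": sorted(current - wanted),
        "orphaned": sorted({e[0] for e in current if e[0] not in by_upn}),
        "disabled_with_access": sorted({e[0] for e in current
                                        if e[0] in by_upn and not by_upn[e[0]].enabled}),
    }


# Constructed sample data: a directory export and an application's current grants.
SAMPLE_USERS = [
    DirectoryUser("alice@va.example", frozenset({"Domain Users", "VEMS-CaseWorkers"}), True),
    DirectoryUser("bob@va.example", frozenset({"VEMS-Reviewers"}), False),   # account disabled
    DirectoryUser("carol@va.example", frozenset({"VEMS-Admins", "VEMS-Docs-Editors"}), True),
]
SAMPLE_ENTITLEMENTS = {
    ("alice@va.example", "vems-crm", "caseworker"),
    ("bob@va.example", "vems-crm", "reviewer"),          # should be revoked
    ("carol@va.example", "vems-crm", "admin"),
    ("dave@va.example", "vems-sharepoint", "editor"),    # no directory account at all
}

if __name__ == "__main__":
    pprint(reconcile(SAMPLE_USERS, SAMPLE_ENTITLEMENTS))
```

Run against the sample data, the report provisions carol's missing SharePoint editor role, de-provisions bob (disabled in AD) and dave (no AD identity), and lists dave as an orphaned account and bob as a disabled user who still holds access. In a real deployment the two sets would be populated from an LDAP query and the application's administrative API, and the "deprovision" list would be reviewed before execution.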
VEMS will use the Citrix XenApp virtualization platform to publish virtual desktops to designated users. Keeping the desktop in the cloud minimizes opportunities for data leakage to endpoints and provides a consistent user interface for creating and editing Microsoft Office documents. These documents will be stored on virtualized network drives and/or in the VEMS document management repository (SharePoint).
The VEMS solution operates in the cloud on a virtualized LAN with load-balanced application and data-aggregation servers. It consumes data delivered over the public Internet as well as data provided by commercial data suppliers. This section describes the high-level data communications architecture between the VEMS solution and its suppliers of relevant data. As the project’s requirements elaboration teams continue to investigate and refine the data integration requirements, those requirements will be prioritized and duplicates removed; the communications architecture will then be updated to reflect the details.
The VEMS solution will use logical and physical data gateways as data-integrity enforcement points that manage the inflow of data to the VEMS cloud. Data received over the Internet (such as that provided by Dun & Bradstreet, LexisNexis and other contracted data suppliers) will be validated for compliance with the service level agreements that define the business partner relationship with those companies. Data from the VA network will arrive over a Trusted Internet Connection (TIC) and will be subjected to similar validity and integrity checks. All gateway access will require authorization. All data will be transmitted using secured transport protocols such as HTTPS. Where necessary and feasible, data access (such as logging into the VEMS solution) and data transmission (such as requesting and receiving data from suppliers) will be tracked for audit purposes.
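The gateway described above has four duties in sequence: refuse anything not arriving over a secured transport, establish that the caller is an authorized supplier, check the payload's integrity against the agreed format before it reaches the data-aggregation servers, and record every decision for audit. The following is an added example, not VEMS code or any supplier's actual interface: the client names, the shared-secret scheme, the request shape and the nine-digit record identifier format are all assumptions made for illustration. The point it demonstrates is the ordering of checks (cheapest and least trust-dependent first), constant-time comparison of credentials, and an audit record that names the client and the outcome but never the credential.

```python
"""Added example (hypothetical, not VEMS code): a gateway admission check
that enforces transport, authorization, payload integrity and audit logging."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Hypothetical allowlist of authorized data suppliers:
# client id -> SHA-256 of the shared secret (the secret itself is never stored).
AUTHORIZED_CLIENTS = {
    "dnb-feed": hashlib.sha256(b"example-dnb-secret").hexdigest(),
    "lexisnexis-feed": hashlib.sha256(b"example-ln-secret").hexdigest(),
}

RECORD_ID_RE = re.compile(r"^\d{9}$")   # assumed supplier record identifier format


def check_transport(req):
    """Only requests that arrived over HTTPS are considered at all."""
    return req.get("scheme") == "https"


def check_authorization(req):
    """Caller must be on the allowlist and present the matching secret.
    Hash the presented value and compare in constant time."""
    expected = AUTHORIZED_CLIENTS.get(req.get("client_id"))
    if expected is None:
        return False
    presented = hashlib.sha256(req.get("secret", "").encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


def validate_payload(payload):
    """Return a list of integrity problems; an empty list means acceptable."""
    if not isinstance(payload, dict):
        return ["payload is not an object"]
    records = payload.get("records")
    if not isinstance(records, list) or not records:
        return ["records must be a non-empty list"]
    problems = []
    for i, rec in enumerate(records):
        if not isinstance(rec, dict):
            problems.append(f"record {i}: not an object")
            continue
        if not RECORD_ID_RE.match(str(rec.get("duns", ""))):
            problems.append(f"record {i}: invalid duns")
        if not isinstance(rec.get("legal_name"), str) or not rec["legal_name"].strip():
            problems.append(f"record {i}: missing legal_name")
    return problems


def admit(req, audit_log):
    """Apply the checks in order and append one audit entry per decision.
    The entry records who and what, never the presented secret."""
    if not check_transport(req):
        decision = ("rejected", "insecure transport")
    elif not check_authorization(req):
        decision = ("rejected", "unauthorized client")
    else:
        problems = validate_payload(req.get("payload"))
        decision = ("rejected", "; ".join(problems)) if problems else ("accepted", "ok")
    payload = req.get("payload")
    records = payload.get("records") if isinstance(payload, dict) else None
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "client_id": req.get("client_id"),
        "outcome": decision[0],
        "reason": decision[1],
        "record_count": len(records) if isinstance(records, list) else 0,
    })
    return decision


# Constructed sample request from an authorized supplier.
GOOD_REQUEST = {
    "scheme": "https",
    "client_id": "dnb-feed",
    "secret": "example-dnb-secret",
    "payload": {"records": [{"duns": "123456789", "legal_name": "Example Veteran Services LLC"}]},
}

if __name__ == "__main__":
    log = []
    print(admit(GOOD_REQUEST, log))
    print(admit(dict(GOOD_REQUEST, scheme="http"), log))
    print(admit(dict(GOOD_REQUEST, client_id="unknown-feed"), log))
    for entry in log:
        print(entry)
```

In production the transport check is enforced by the TLS terminator rather than by inspecting a field, and the shared secret would be replaced by the credential type agreed in the supplier SLA (mutual TLS or signed tokens), but the ordering, the constant-time comparison and the secret-free audit record carry over unchanged.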