Modernization of DOD: VMware Hybrid Cloud Capabilities and Portability
To modernize defense, units must continue to enlist DoD hybrid cloud solutions such as VMware on milCloud® 2.0. Agencies in the Department of Defense continue to pursue IT modernization and digital transformation, in part by using hybrid cloud platforms. Hybrid cloud provides DoD agencies the requisite security, access, flexibility and cost containment. Hybrid cloud computing lets sensitive data and applications reside on private clouds while more routine operational workloads run on the public cloud.
For DoD agencies, extending their existing on-premises cloud vSphere environment to the VMware Cloud on AWS delivers a familiar architecture that doesn’t require extensive rework – plus the full range of managed services to optimize operations. The hybrid cloud benefits for DoD include:
- Ensuring a successful migration to the hybrid cloud
- Providing a balance of security and access
- Seamlessly moving enterprise applications to the cloud
General Dynamics Information Technology (GDIT) owns and operates the full technology stack for the milCloud® 2.0 contract. GDIT and the Defense Information Systems Agency (DISA) are building a native on-demand VMware environment to provide mission partners the power to accelerate their cloud migrations without conversion. While much is still to be discovered about how the JEDI cloud will operate, milCloud® 2.0 is seen as a complementary offering.
MIGRATING TO VMWARE ON MILCLOUD® 2.0
The upcoming integration of VMware’s virtualization capabilities into the milCloud® 2.0 environment creates opportunities for Department of Defense (DoD) agencies to leverage their existing VMware footprint in milCloud® 2.0. By adding VMware to milCloud® 2.0, agencies will be able to take advantage of the benefits of the VMware platform like network virtualization and security improvements, while benefitting from future VMware improvements, such as the addition of Kubernetes containers.
VMware will continue to build out the solution and bring it to DISA so that DISA can continue to share those advantages and offerings with mission partners. Some use cases for VMware include cloud extensions such as virtual desktops, disaster recovery functions that can complement continuity of operations plans, cloud migrations that can be application-specific or data center wide, and the build-out of next generation applications.
Using VMware within milCloud® 2.0 will also facilitate migration from a technical and workforce standpoint. VMware emphasizes the ability to take a hybrid cloud approach, made easier by the familiarity DoD already has with VMware. Right now, about 90 percent of all the assets that have been virtualized inside the Federal government, and specifically within DoD, have been virtualized on the VMware platform. To an operator inside an agency, logging in will look no different whether the infrastructure is the on-premises environment or milCloud® 2.0.
milCloud® 2.0 will include two offerings for virtual machines:
- a milCloud® 2.0 standard configuration
- a higher performance version that will use a 24vCPU series
Under the standard configuration, DoD users will see performance improvements and will be able to leverage VMware’s advantages without seeing an increase in their costs. Users will also continue to benefit from the advantages of milCloud® 2.0, such as no bandwidth or transaction fees, the ability to use funds and services across years, and the speed to deployment for preapproved and already-competed cloud services. milCloud® 2.0 has multiple security measures built into the IL-5 approved environment.
DOD Digital Transformation
Cloud computing in 2021 has become the de facto choice of IT due to digital transformation shifts accelerated by remote work and the COVID-19 pandemic. As DoD Cisco collaboration tools across the branches evolve, demand for digital-first solutions keeps growing, and the future depends on the ability to deliver them. Technological advances are helping to make it possible. Ubiquitous access to computing power through the cloud, for example, is a democratizing force, as are the greater ease and lower costs we enjoy today when it comes to collecting, storing, and using data. DoD 5G strategy, mobile, cybersecurity, AI, blockchain, and the internet of things are also key factors driving innovation.
DEPARTMENT OF DEFENSE HYBRID CLOUD / MULTI-CLOUD
With the battle between the hyperscale cloud vendors underway, you'd think that the legacy infrastructure players would recede to the background. Instead, the likes of IBM, Dell Technologies, and HPE aim to become the glue between multi-cloud deployments that feature a blend of private and public clouds as well as owned data centers. After all, most enterprises are looking at a multi-cloud strategy.
Add the two multi-cloud enablers in this mix, open source pioneer Red Hat and VMware, along with Cisco Systems for solving select issues, and you have a vibrant hybrid and multi-cloud space to consider. These key players aim to be the point guards of the public cloud and of how enterprises connect to the hyperscale providers.
VMware is no stranger to digital transformation. Digital transformation is all about creating new possibilities. It’s about connecting people, processes, data, policies, and systems to deliver new and better experiences. Organizations examine their processes, policies, data, and systems and envision what a superior user experience would look like. Cloud is one core element, but so is using microservices, Kubernetes, and other technologies to modernize applications.
Setting Up CAC Smart Card Authentication with VMware Horizon
A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature computer, includes secure storage for data, including private keys and public key certificates. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC).
In smart card authentication, a user or administrator inserts a smart card into a smart card reader attached to the client computer and enters a PIN. Smart card authentication provides two-factor authentication by verifying both what the person has (the smart card) and what the person knows (the PIN).
The Microsoft TechNet Web site includes detailed information on planning and implementing smart card authentication for Windows systems. See the View Installation document for information about hardware and software requirements for implementing smart card authentication.
To use smart cards, client machines must have smart card middleware and a smart card reader. To install certificates on smart cards, you must set up a computer to act as an enrollment station.
LOGGING IN WITH A SMART CARD
When a user or administrator inserts a smart card into a smart card reader, the user certificates on the smart card are copied to the local certificate store on the client system if the client operating system is Windows. The certificates in the local certificate store are available to all of the applications running on the client computer, including Horizon Client.
HOW TO CONFIGURE SMART CARD AUTHENTICATION ON VIEW CONNECTION SERVER
To configure smart card authentication, you must obtain a root certificate and add it to a server trust store file, modify View Connection Server configuration properties, and configure smart card authentication settings. Depending on your particular environment, you might need to perform additional steps.
Third-party solutions such as load balancers and gateways can perform smart card authentication by passing a SAML assertion that contains the smart card's X.509 certificate and encrypted PIN.
Prepare Active Directory for Smart Card Authentication
You might need to perform certain tasks in Active Directory when you implement smart card authentication.
Verify Your Smart Card Authentication Configuration
After you set up smart card authentication for the first time, or when smart card authentication is not working correctly, you should verify your smart card authentication configuration.
Using Smart Card Certificate Revocation Checking
You can prevent users who have revoked user certificates from authenticating with smart cards by configuring certificate revocation checking. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.
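As an added, runnable illustration of the revocation check described above (this is not Horizon's code and not from the original page), the block below generates a throwaway issuing CA, two user certificates standing in for CAC user certificates, and a CRL that revokes one of them, then checks a login certificate against that CRL. It assumes the third-party `cryptography` package is installed; the CA name, user names and clock value are constructed for the demo. The check fails closed: a CRL that is unsigned by the trusted CA, issued by a different name, or past its next-update time rejects the login just as a revoked certificate does.

```python
"""Minimal smart card certificate revocation check against a CRL.

Added example, not VMware Horizon code. Uses the third-party ``cryptography``
package (assumed installed). All certificates and the CRL are constructed
inline so the example runs offline; in production the user certificate comes
from the CAC and the CRL from the issuing CA's distribution point.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed, fixed clock so validity windows are deterministic.
NOW = datetime.datetime(2021, 6, 1, tzinfo=datetime.timezone.utc)
ONE_DAY = datetime.timedelta(days=1)


def make_ca(common_name="Example Issuing CA"):
    """Constructed self-signed issuing CA for the demo."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - ONE_DAY)
        .not_valid_after(NOW + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(ca_key, ca_cert, common_name):
    """Constructed end-entity certificate standing in for a CAC user certificate."""
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(user_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - ONE_DAY)
        .not_valid_after(NOW + 30 * ONE_DAY)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_certs):
    """CRL signed by the CA that lists the given certificates as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW - ONE_DAY)
        .next_update(NOW + 7 * ONE_DAY)
    )
    for cert in revoked_certs:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number)
            .revocation_date(NOW - ONE_DAY)
            .build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def _crl_next_update(crl):
    """Return the CRL's next-update time as an aware UTC datetime across
    cryptography versions (newer ones expose next_update_utc)."""
    if hasattr(crl, "next_update_utc"):
        return crl.next_update_utc
    value = crl.next_update
    return value.replace(tzinfo=datetime.timezone.utc) if value is not None else None


def check_revocation(cert, crl, ca_cert, now=NOW):
    """Return (accepted, reason). Fails closed: an untrusted, mismatched or
    stale CRL rejects the login, because revocation status is then unknown."""
    if cert.issuer != ca_cert.subject:
        return False, "certificate not issued by trusted ca"
    if crl.issuer != ca_cert.subject:
        return False, "crl issuer does not match certificate issuer"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "crl signature invalid"
    next_update = _crl_next_update(crl)
    if next_update is not None and now > next_update:
        return False, "crl is stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked"
    return True, "ok"


def demo():
    """Issue two users, revoke one (e.g. a lost card), and check both."""
    ca_key, ca_cert = make_ca()
    active = issue_user_cert(ca_key, ca_cert, "user.active")
    lost_card = issue_user_cert(ca_key, ca_cert, "user.lostcard")
    crl = build_crl(ca_key, ca_cert, [lost_card])
    return {
        "active": check_revocation(active, crl, ca_cert),
        "lost_card": check_revocation(lost_card, crl, ca_cert),
        "stale_crl": check_revocation(active, crl, ca_cert, now=NOW + 30 * ONE_DAY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stale-CRL branch is the one worth noting in a Horizon deployment: if the Connection Server cannot fetch a current CRL (or OCSP response), treating the result as "not revoked" would let a lost card keep working until the cache is refreshed, so the check above rejects instead.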
Why use System Center VM Manager?
So I want to get started by asking a really obvious question. Why would anyone use VMM to manage their VMware environment? After all, vCenter Server is presumably the best tool for managing a VMware environment, just as VMM is the best tool for managing a Hyper-V environment.
Let me just say up front that VMM is never going to replace vCenter as a primary management tool for VMware. There are just too many things that you can do in vCenter that you can’t do in VMM. The advantage to using VMM is that if you have a multi-hypervisor environment, then VMM can give you a single pane of glass view into both your Hyper-V and VMware environments.
STIG Compliance Validates VMware NSX
VMware NSX meets the security hardening guidance required for installation on Department of Defense (DoD) networks. The VMware NSX STIG provides the technical security policies, requirements, and implementation details for applying security concepts to NSX. Expand digital capabilities and accelerate new service delivery with stringent governance and control. Modern apps, multi-cloud infrastructure and edge solutions from VMware enable greater mission agility with enhanced operational efficiencies.
VMware is trusted in highly secure, mission critical systems around the world, including the US Department of Defense (DoD). In the DoD, all IT systems must adhere to the rigorous Risk Management Framework (RMF) as defined in DoDI 8510.01. A critical component of RMF is the mandatory implementation of Security Technical Implementation Guides (STIGs) and Security Requirements
DOD CYBERSECURITY DISCIPLINE IMPLEMENTATION PLAN
STIGs and SRGs provide configuration guidance for technologies such as operating systems, browsers, antivirus, web services, databases, Active Directory, and domain name services. Applying the combination of applicable STIGs and SRGs results in a secure configuration that helps prevent issues such as insider threats, data exfiltration, or advanced persistent threats.
InSpec and PowerCLI content is provided to audit and report on the state of compliance for an associated set of SRG/STIG controls. VMware provides three elements for community consumption and contribution:
1. Auditing Automation with InSpec
The role of STIG assessment automation is traditionally filled by SCAP with OVAL. VMware has looked at providing SCAP and OVAL content but we decided to move forward with InSpec for a number of reasons including, but not limited to, the following:
- Speed of development, low time to value
- Ease of use, readability
- Active community
- Appropriate for open source
- Flexibility, extensibility
- DevSecOps friendly
We may elaborate on these points in the future but the decision was not a difficult one. InSpec basics will be forthcoming.
2. Remediation Automation with Ansible
Ansible is provided to programmatically help get the system into a compliant state. Ansible is a relatively simple, extremely powerful IT automation platform. Its benefits are well documented and very similar to those listed for InSpec above. VMware provides Ansible remediation content in order to integrate with existing configuration management systems.
3. Auditing and Remediation with PowerCLI
PowerCLI is an extension of Microsoft's PowerShell that is provided by VMware free of charge for automating virtual infrastructure. PowerCLI can be deployed on Windows or Linux operating systems and can reach out remotely to query and configure VMware product installations.
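The InSpec auditing content (item 1) and the PowerCLI auditing and remediation content (item 3) both implement the same loop: read a setting, compare it against a STIG rule without changing anything, then, in a separate remediation pass, write the compliant value. The block below is an added example of that loop in plain Python over a constructed in-memory copy of ESXi advanced settings; it is not VMware's content and not from the page. The setting names are real ESXi advanced settings, but the control ids and the expected values are illustrative assumptions, not quoted STIG requirements. In a real run the settings would be read with PowerCLI's Get-AdvancedSetting and written back with Set-AdvancedSetting.

```python
"""Audit-then-remediate loop in the shape of STIG automation content.

Added example, not VMware's PowerCLI or InSpec content. Host settings are a
constructed dict; control ids and expected values are assumptions for the
demo, not STIG text.
"""
from dataclasses import dataclass

# Constructed baseline: control id -> (ESXi advanced setting, rule).
# Rule kinds:
#   ("eq", v)          value must equal v
#   ("min", v)         value must be >= v
#   ("max_nonzero", v) value must be in 1..v (0 usually means "disabled",
#                      which a plain "<= v" check would wrongly accept)
BASELINE = {
    "EXAMPLE-01": ("Security.AccountLockFailures", ("max_nonzero", 3)),
    "EXAMPLE-02": ("Security.AccountUnlockTime", ("min", 900)),
    "EXAMPLE-03": ("UserVars.ESXiShellTimeOut", ("max_nonzero", 600)),
    "EXAMPLE-04": ("Config.HostAgent.plugins.solo.enableMob", ("eq", False)),
}


@dataclass(frozen=True)
class Finding:
    control: str
    setting: str
    rule: tuple
    actual: object  # None when the setting is absent from the host


def satisfies(rule, value):
    """Evaluate one rule; a missing value never satisfies a rule."""
    kind, bound = rule
    if value is None:
        return False
    if kind == "eq":
        return value == bound
    if kind == "min":
        return value >= bound
    if kind == "max_nonzero":
        return 1 <= value <= bound
    raise ValueError(f"unknown rule kind {kind!r}")


def target_value(rule, value):
    """Value to write during remediation: keep a compliant value, otherwise
    set the rule's bound (the smallest change that restores compliance)."""
    return value if satisfies(rule, value) else rule[1]


def audit(host_settings, baseline=BASELINE):
    """Read-only pass: one Finding per non-compliant control, in baseline order."""
    return [
        Finding(control, name, rule, host_settings.get(name))
        for control, (name, rule) in baseline.items()
        if not satisfies(rule, host_settings.get(name))
    ]


def remediate(host_settings, findings, dry_run=False):
    """Apply fixes for the findings. Returns {setting: (old, new)}; with
    dry_run=True the plan is returned but nothing is modified."""
    changes = {}
    for f in findings:
        new = target_value(f.rule, f.actual)
        changes[f.setting] = (f.actual, new)
        if not dry_run:
            host_settings[f.setting] = new
    return changes


def demo():
    """Constructed drifted host: lockout disabled (0), shell timeout unlimited
    (0), MOB enabled, unlock time not set at all."""
    host = {
        "Security.AccountLockFailures": 0,
        "UserVars.ESXiShellTimeOut": 0,
        "Config.HostAgent.plugins.solo.enableMob": True,
    }
    before = audit(host)
    plan = remediate(host, before, dry_run=True)   # review first
    remediate(host, before)                          # then apply
    after = audit(host)                              # re-audit proves the fix
    return [f.control for f in before], plan, [f.control for f in after]


if __name__ == "__main__":
    before, plan, after = demo()
    print("non-compliant before:", before)
    print("plan:", plan)
    print("non-compliant after:", after)
```

Keeping the audit pass side-effect free and the remediation pass separate is what lets the same content be used for both reporting (InSpec) and enforcement (PowerCLI, Ansible), and the re-audit after remediation is the check that the fix actually took.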
VMware Carbon Black for the Federal Government
VMware Carbon Black empowers agencies to meet federal standards and implement the NIST Cybersecurity Framework.
UNIFY ENDPOINT AND WORKLOAD SECURITY
IT and security teams at public sector agencies and government contractors are contending with more persistent and targeted attacks than ever before. Plus, they need to balance the goals of modernizing IT assets while securing them, all while trying to meet an ever expanding set of compliance requirements. VMware Carbon Black Cloud addresses all of these with unified, contextual, and built-in security.
TARGETED ATTACKS EXPLOIT TECHNOLOGY GAPS
Lock down servers and critical systems with allow-listing technology, and unify endpoint protection and workload protection. Using a single, multi-purpose agent results in faster threat detection and response.
COMPLEX COMPLIANCE MANDATES
Meet FISMA, NIST, ISO27001, EU NIS Directive, GDPR and other global standards with granular security controls and without impacting the app, the user, or the workload. Built-in rather than bolted-on security makes compliance easier to monitor, manage, and demonstrate across the board.
DELAYED AND DISJOINTED RESPONSE
Proactively hunt down threats before they do damage and easily identify the root cause of each attack. Quickly contain fast-moving threats to endpoints and workloads with a single platform - for your on-premises assets and those in the cloud.
Source Code: Central Repository
REPO ONE – DOD CENTRALIZED CONTAINER SOURCE CODE REPOSITORY (DCCSCR)
Repo One is the central repository for the source code used to create hardened and evaluated containers for the Department of Defense. It also includes source code for various open-source products and the infrastructure as code used to harden Kubernetes distributions.
All DoD activities that create containers which could benefit the DoD at an enterprise scale should publish their containers’ source code in the DCCSCR. They should follow the DoD Enterprise DevSecOps Reference Design, Container On-boarding guide, and Container Hardening guide requirements.
Prior to creating a new container image, DoD programs should check whether the container image already exists in DCAR and use the DoD-signed containers whenever possible.
DEVSECOPS PLATFORM (DSOP)
The DSOP is a collection of approved, hardened Cloud Native Computing Foundation (CNCF)-compliant Kubernetes distributions, infrastructure as code playbooks, and hardened containers. This collection implements a DevSecOps platform compliant with the DoD Enterprise DevSecOps Reference Design, and its source code is hosted on Repo One.
CNCF-compliant Kubernetes distributions currently supported: OpenShift 4.x, Kubernetes upstream, D2IQ Konvoy, VMware PKS Essential and Rancher Federal RKE.
CNCF-compliant Kubernetes distributions to be supported soon: VMware Tanzu and Oracle Kubernetes.
VMware & Open Source Cloud DOD Training
A free training demo of VMware Carbon Black and an introduction to What's New with vSphere 7 are available. For complete VMware, Red Hat, and PowerShell training courses, select from the following NHDoD government training solutions:
- VMware Kubernetes Foundations
- VMware Carbon Black Cloud Enterprise EDR
- VMware Carbon Black EDR Administrator
- VMware Carbon Black Cloud Audit and Remediation
- VMware Tanzu Mission Control: Management and Operations 2020
- VMware Workspace ONE: Unified Endpoint Management Troubleshooting [V20.x]
- VMware® Kubernetes Cluster Operations
- VMware Carbon Black App Control Administrator
- VMware Cloud on AWS: Deploy and Manage 2020
- VMware Site Recovery Manager™ - Install, Configure, Manage V8.2
- VMware Tanzu Kubernetes Grid: Install, Configure, Manage [V1.0]
- VMware vSAN: Management and Operations [V7]
- VMware vSphere: Design v7.0
- VMware vSphere: What’s New v6.7-7.0
- Red Hat Automation with Ansible I (DO407)
- Red Hat Microsoft Windows Automation with Red Hat Ansible (DO417)
- 10961 Automating Administration with Windows PowerShell
milCloud® 2.0 is held by CSRA, LLC, a General Dynamics Information Technology (GDIT) managed affiliate. milCloud® and the milCloud® logo are registered trademarks owned by the Defense Information Systems Agency (DISA).