[Boundary diagram. IaaS/PaaS Geolocation 2: Update Sources (OS, Anti-Virus, Scan Engine Updates; SIEM / Correlation; Security Threat Feeds; Vulnerability Definitions); External Services, FedRAMP Authorized (Ticketing; Business and Management Operation Services).
Customer Premise: No CSP-managed software is deployed within the customer's premise.
IaaS/PaaS Geolocation 1, Business Operations AZ 1 (AZ 2 Fail-Over Enabled): IaaS/PaaS Services, FedRAMP Authorized (Compute, Load Balancer, Short-Term Storage, Long-Term Storage, Cached Storage, DNS Services, IAM, Key Management, Alert Service, Cert Manager, Platform Console, System Management Service, WAF Service, Firewall Manager, License Manager, NAT Gateway); Shared Corporate Services: Corporate Cloud Dev Subnet (Dev/Test Code Analysis).
Authorization Boundary: Public Subnet (Load Balancer, NAT Gateway, Web Server 1, Web Server 2, Web Server 3, Internal DNS); Application Subnet (App Server 1, App Server 2); Business Data Subnet (Short-Term Storage, Database Server, Long-Term Storage, Cached Storage).
Management Operations AZ 1 (AZ 2 Fail-Over Enabled): Security Subnet (Logging Server, Alert Service, SIEM / Correlation, Vulnerability Scan Engine, Anti-Virus Server); Remote Access Subnet (Bastion Server); Management Data.
Legend: Boundary, Subnet, Component/Service.]
Network Diagram
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security. Subnet address ranges labelled on the diagram: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24.]
ABD Component Shell
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security. Zones, subnets and components as in the boundary diagram above, with these additions: CDN Service, External DNS and Ticketing alongside the IaaS/PaaS Services; Recursive DNS in the Public Subnet; Management Data holding Short-Term and Long-Term Storage; Update Sources made up of OS, Anti-Virus and Scan Engine Updates, SIEM / Correlation, Security Threat Feeds and a Vulnerability Scan Console. Legend: Boundary, Subnet, Component/Service.]
Customer Data Flow
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security. Customer User and Customer Admin traffic is drawn through CDN Service, WAF Service and External DNS to the Public Subnet, with the Alert Service flowing back to the customer. Geolocation 1 components as above, plus Platform Health Monitoring among the IaaS/PaaS Services and Recursive DNS in the Public Subnet; Management Operations AZ 1 (AZ 2 Fail-Over Enabled) holds the Security Subnet, Remote Access Subnet and Management Data.]
CSP Remote Access
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security. CSP Admin and CSP Security flows are drawn to Management Data and the Platform Console; CDN Service, WAF Service and Authoritative DNS sit in front of the Public Subnet. Inherited Services, FedRAMP Authorized (the IaaS/PaaS service set as above, plus Platform Health Monitoring); External Services, FedRAMP Authorized (CDN Service, Ticketing, Business and Management Operation Services); Update Sources as above, with a Vulnerability Scan Console. Legend: Boundary, Subnet, Component/Service.]
External Services
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security; CDN Service, WAF Service, External DNS. Inherited Services, FedRAMP Authorized, as above plus Platform Health Monitoring and a Backup Service; Shared Corporate Services (Corporate Cloud Dev Subnet: Dev/Test Code Analysis); Authorization Boundary subnets and components as above; Management Data holding Short-Term and Long-Term Storage.]
Service Restoration Outline
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security; CDN Service, WAF Service, External DNS. External Services, FedRAMP Authorized: Ticketing, Security Threat Feeds, Vulnerability Definitions. Public Subnet (Load Balancer, NAT Gateway, Web Server 1-3), Application Subnet (App Server 1-2), Business Data Subnet (Short-Term Storage, Database Server, Long-Term Storage, Cached Storage), Security Subnet (Alert Service, SIEM / Correlation, Vulnerability Scan Engine, Anti-Virus Server), Remote Access Subnet (Bastion Server); Shared Corporate Services: Corporate Cloud Dev Subnet (Dev/Test Code Analysis).]
Callouts:
- Customer access is readily available over the internet with any modern web browser (HTTPS, TLS 1.2).
- Remote Access Subnet / Bastion Server: access through the platform's browser console feature.
- Development occurs in a staged manner in accordance with organization SDLC standards. No customer data is processed. This is not a customer sandbox/training environment. Dev Team does not have access to production systems within ATO boundary.
- API-initiated connection for customer ticketing. TLS 1.2 443.
- Threat feeds and vulnerability definitions are pulled, not pushed, over HTTPS 443. If not over 443, updates are confirmed to be digitally signed, and validated prior to install.
[Diagram detail: IaaS/PaaS Geolocation 1 (Business Operations, Management Operations) and Geolocation 2 (Update Sources; External Services, FedRAMP Authorized: CDN Service, Ticketing, Business and Management Operation Services); Shared Corporate Services; Authorization Boundary subnets and components as above; Management Data holding Short-Term and Long-Term Storage; Update Sources including a Vulnerability Scan Console. Legend: Boundary, Subnet, Component/Service.]
Security Log Overview
[Diagram. Actors: CSP Admin, Customer Admin, Customer User, CSP Security; CDN Service, WAF Service, External DNS. Business Operations: Public Subnet (Load Balancer, NAT Gateway, Web Server 1-3, Internal DNS), Application Subnet (App Server 1-2), Business Data Subnet (Short-Term Storage, Database Server, Long-Term Storage, Cached Storage). Management Operations: Security Subnet (Logging Server, Alert Service, SIEM / Correlation, Vulnerability Scan Engine, Anti-Virus Server), Remote Access Subnet (Bastion Server), Management Data.]
In addition to active dual Availability Zones in use for Geolocation 1, Geolocation 2 IaaS/PaaS capabilities are available for instances where Geolocation 1 is lost. Transition procedures are documented in ISCP.
[Diagram detail: Platform Health Monitoring; IaaS/PaaS Services, FedRAMP Authorized (Compute, Load Balancer, Short-Term, Long-Term and Cached Storage, DNS Services, IAM, Key Management, Alert Service, Cert Manager, Platform Console, System Management Service, Platform Health Monitoring, WAF Service, Firewall Manager, License Manager, NAT Gateway); Public, Business Data, Application and Remote Access Subnets; Management Data; Security Subnet (Logging Server, Alert Service, SIEM / Correlation, Vulnerability Scan Engine, Anti-Virus Server); External Services, FedRAMP Authorized: Ticketing.]
Data at rest is encrypted with FIPS validated modules. See SSP for details.
SAML 2.0 Auth (encrypted SAML Assertions); OR local auth w/platform MFA (TOTP, Hardware Key, or Text OTP).
Log flow callouts:
- (TLS 443) All North/South and East/West flow logs are piped to short-term storage. From the short-term storage, events are sent to the SIEM system for automated analysis and event correlation.
- All Platform services capable of logging are configured to log. Similar to flow logs, platform logs are piped to short-term storage, and then to the SIEM for automated analysis and event correlation.
- (TLS 6514) System logs are forwarded to the logging server, and then to the SIEM for correlation and analysis.
- (TLS 443) Access logs and administrative events from the ticketing system are forwarded to the logging server and then to the SIEM for correlation and analysis.
- SIEM correlation rules may generate alerts, which are sent to CSP Security staff via the platform Alert Service over email. No sensitive material is processed in these alerts beyond category of alert information.
Data flow legend (line types): Customer Data: FIPS Validated Encryption In-Transit; Customer Data: Non-FIPS Validated Encryption In-Transit; MetaData: FIPS Validated Encryption In-Transit; MetaData: Non-FIPS Validated Encryption In-Transit; Unencrypted Data In-Transit.
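The log-flow callouts, the in-transit legend and the update-source rule (pulled over HTTPS 443, otherwise signed and validated) lend themselves to a mechanical review of a flow inventory. The script below is an added example, not material from this ABD template or its author: it classifies constructed flows against the legend above and flags those that fall short of the protections the callouts claim; the hosts, ports and the inventory itself are assumed for illustration.

```python
"""Added example: review a constructed data-flow inventory against the
protections this ABD's callouts claim (FIPS-validated TLS 1.2 for customer
data, pull-only update sources on 443 or signed otherwise, TLS log
forwarding, category-only content for e-mail alerts sent without TLS)."""
from dataclasses import dataclass

# Legend categories taken from the diagram, used as classification labels.
FIPS_CUSTOMER = "Customer Data: FIPS Validated Encryption In-Transit"
NONFIPS_CUSTOMER = "Customer Data: Non-FIPS Validated Encryption In-Transit"
FIPS_META = "MetaData: FIPS Validated Encryption In-Transit"
NONFIPS_META = "MetaData: Non-FIPS Validated Encryption In-Transit"
UNENCRYPTED = "Unencrypted Data In-Transit"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    kind: str            # "customer", "metadata", "update", "log", "alert"
    protocol: str        # "tls1.2", "tls1.0", "smtp", "plain"
    port: int
    fips: bool = False   # carried by a FIPS-validated crypto module
    crosses_boundary: bool = False
    signed_and_verified: bool = False  # matters for update flows not on 443


def classify(flow):
    """Map a flow onto the diagram's in-transit legend."""
    if not flow.protocol.startswith("tls"):
        return UNENCRYPTED
    if flow.kind == "customer":
        return FIPS_CUSTOMER if flow.fips else NONFIPS_CUSTOMER
    return FIPS_META if flow.fips else NONFIPS_META


def findings(flow):
    """Return the review findings for one flow (empty list = consistent)."""
    out = []
    if flow.kind == "customer" and not (flow.protocol == "tls1.2" and flow.fips):
        out.append("customer data must use FIPS-validated TLS 1.2")
    if flow.kind == "update" and flow.port != 443 and not flow.signed_and_verified:
        out.append("update source not on 443 must be signed and validated before install")
    if flow.kind == "log" and classify(flow) == UNENCRYPTED:
        out.append("log forwarding must be over TLS (443 or 6514)")
    if flow.kind == "alert" and classify(flow) == UNENCRYPTED:
        out.append("alert leaves without TLS: body must be category-only")
    if flow.crosses_boundary and flow.protocol == "plain":
        out.append("unencrypted flow crosses the authorization boundary")
    return out


# Constructed inventory; hosts and ports are assumed for the example.
INVENTORY = [
    Flow("Customer Browser", "Load Balancer", "customer", "tls1.2", 443, fips=True, crosses_boundary=True),
    Flow("Security Threat Feed", "SIEM / Correlation", "update", "tls1.2", 443, crosses_boundary=True),
    Flow("OS Update Mirror", "Web Server 1", "update", "tls1.2", 8443, crosses_boundary=True, signed_and_verified=True),
    Flow("Logging Server", "SIEM / Correlation", "log", "tls1.2", 6514),
    Flow("Alert Service", "non-TLS recipient domain", "alert", "smtp", 25, crosses_boundary=True),
    Flow("App Server 1", "Database Server", "customer", "tls1.0", 5432),
]


def review(inventory):
    """Return {"src->dst": [findings]} for every flow that raises a finding."""
    return {f"{f.src}->{f.dst}": findings(f) for f in inventory if findings(f)}


if __name__ == "__main__":
    for name, issues in review(INVENTORY).items():
        print(name, "|", "; ".join(issues))
```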
[Diagram detail: IaaS/PaaS Services, FedRAMP Authorized (service list as above, including Platform Health Monitoring); OS updates.]
Security Groups Depicted Below With Corresponding Icons (ACLs)
[Diagram (security groups with their corresponding icons): same zones, subnets and components as the boundary diagram above: IaaS/PaaS Geolocation 1 Business Operations and Management Operations, IaaS/PaaS Geolocation 2 Update Sources and FedRAMP Authorized External Services, Shared Corporate Services. Legend: Boundary, Subnet, Component/Service.]
Customer Implementation Overview
[Diagram. Actors: CSP Admin, CSP Security; CDN Service, WAF Service, External DNS. Customer Premise: No CSP-managed software is deployed within the customer's premise. Customer Security Boundary: Customer Browser, Customer Logging System, Customer SSO IDP, Customer User, Customer Admin, with CDN Service and WAF Service in the path to the CSP.]
[Diagram detail: Public Subnet (Load Balancer, Web Server 1-3), Application Subnet (App Server 1-2), Business Data Subnet (Database Server), Remote Access Subnet, Management Data, Security Subnet; platform Load Balancer, WAF Service, NAT Gateway and Alert Service.]
Customer authentication and event logs may be forwarded to customer upon request. Logs are forwarded over TLS 1.2.
SSO connection with customer's IDP system. SAML assertion data is encrypted with FIPS 140 validated crypto modules.
SAML 2.0 SSO (PIV/CAC) Auth OR local authentication w/ platform-based MFA.
Customer Interfacing Ports/Protocols/Services:
- Web Access: HTTPS 443
- Customer Logs: TLS 1.2 443
- Customer Alerts: TLS / Non-TLS Emails
Customer-Specific URLs: HTTPS://example.saas
There is no difference between Customer User and Customer Admin data flows and/or security controls.
[Diagram detail: IaaS/PaaS Geolocation 1, Business Operations AZ 1 (AZ 2 Fail-Over Enabled) with IaaS/PaaS Services, FedRAMP Authorized (service list as above, plus CDN Service); IaaS/PaaS Geolocation 2 Update Sources (OS, Anti-Virus, Scan Engine Updates / Vulnerability Definitions, SIEM / Correlation) and FedRAMP Authorized External Services (Ticketing, Business and Management Operation Services); Shared Corporate Services; Authorization Boundary subnets and components as above; Management Operations (Security Subnet, Remote Access Subnet with Bastion Server, Management Data). Legend: Boundary, Subnet, Component/Service.]
ABD Overview
[Diagram. Actors: Customer Admin, Customer User; CDN Service, WAF Service. Customer Premise: No CSP-managed software is deployed within the customer's premise.]
If a system or service is used in any way to support the Cloud Service Offering, or is referenced in any SSP control or artifact, it should be illustrated in the ABD.
[Diagram detail: External Services, FedRAMP Authorized (Ticketing, Security Threat Feeds, Business and Management Operation Services, CDN Service); IaaS/PaaS Geolocation 2 Update Sources (OS, Anti-Virus, Scan Engine Updates; SIEM / Correlation; Security Threat Feeds; Vulnerability Definitions); Firewall Manager. Legend: Boundary, Subnet, Component/Service.]
Platform firewall manager is used to manage subnet access control lists.
Underlying Network Infrastructure and connectivity is maintained by IaaS/PaaS Provider. Details of inherited controls are contained in SSP.
Host name placeholders shown on the components: WA1.AZ1.hname, WA2.AZ1.hname, AS1.AZ1.hname, AS2.AZ1.hname, DS1.AZ1.hname, BS1.AZ1.hname, VS1.AZ1.hname, AV1.AZ1.hname, LS1.AZ1.hname, SC1.AZ1.hname.
For customers, ticket requests are initiated through an API connection for application support requests. CSP personnel use ticketing system for bug tracking and remediation of identified system issues.
External Services are FedRAMP authorized at or above the impact level of this system's authorization.
Availability Zone 2: Business and Management Operations Data. Inter-Availability Zone traffic is encrypted with FIPS validated encryption modules over TLS 1.2.
Data Flow Ports/Protocols (flow labels as drawn): Web Server, TLS 1.2 443, Web Server; App Server, App Server; DB Server, DB Server; Alert Service, TLS 1.2 8443; Storage Services, TLS 1.2 443; Ticketing, TLS 1.2 443; remaining flows labelled TLS 1.2 443.
API-initiated connection for vulnerability remediation tasks. TLS 1.2 443.
Because CDN Service is not FedRAMP Authorized, it is strictly used for hosting static content (public data) that is synchronized with short-term storage.
Short-Term Log Store & Forward.
All customer and meta-data is encrypted at rest and in transit during geolocation migrations.
[Diagram detail: External DNS; actors Customer User/Admin, CSP Admin, CSP Security; Platform Console reached by CSP Admin and CSP Security.]
[Diagram detail: IaaS/PaaS Geolocation 2 Update Sources, FedRAMP Authorized (Business and Management Operation Services; OS, Anti-Virus, Scan Engine Updates; SIEM / Correlation; Vulnerability Definitions); Security Subnet components (Logging Server, Alert Service, SIEM / Correlation, Vulnerability Scan Engine, Anti-Virus Server); Corporate Cloud Dev Subnet (Dev/Test Code Analysis); External Services (Security Threat Feeds); Bastion Server.]
Public and Customer-facing components are segmented from internal information system components.
Short-Term Log Store & Forward: Subnet Flow & Platform Logs; Ticketing System & Event Logs.
Data Flow Legend: Customer data; Update Sources; CSP Access; Log/Security Traffic; Code Release.
[Diagram detail: Short-Term and Long-Term Storage pairs in each zone; Platform Health Monitoring; CDN Service. Remote access: SSL VPN over TLS 1.2.]
The alerting service forces TLS encryption by default for all email alerts. Recipient domains that do not allow for transmission of TLS emails will receive unencrypted alerts.
Customer email alerts are limited to categorical information. Details of the alert require customer authentication.
Alerting service can also provide text-based out of band / temporary passwords for platform-based authentication.
Remote Access for both vectors is MFA-enabled (TOTP via platform's native MFA service), and leverages FIPS validated crypto modules for session protection. Information System endpoints share the same authentication domain as the bastion server, therefore only one layer of MFA is in place.
PHM module is limited to Meta-Data. No customer data is directly monitored through this service.
Security Components are segmented from internal information system components.
V1.0 12-15-2020