ICE

The Internet Connected Environment (ICE) is an accredited and supported Hyperscale Public Cloud environment available for MoD customers who want to migrate and modernise their applications.

It is suitable for workloads up to OFFICIAL-SENSITIVE (including all caveats and descriptors) and is hosted within Authority Zone 3 (AZ3).

ICE is available on both Baseline and Enhanced Service Offerings.

ICE Baseline Service Offering

MODCloud builds an Amazon Web Services (AWS) account with well-defined configuration and security boundaries in place and enforced. These boundaries and security layers are assessed against the Center for Internet Security (CIS) Benchmarks. MODCloud provides monitoring and assurance of the customer's account up to the account level only, using MODCloud core services.

Customers are responsible for building out all the infrastructure for their application, and for managing and delivering a service fully compliant with JSP 604. This includes providing their own protective monitoring, anti-virus, inbound and outbound network security, and user and permissions management. In return, customers have more autonomy and flexibility to deploy and use Platform as a Service (PaaS) services and machine images that are not currently supported by MODCloud.

Customers can access their account via the AWS Console or the AWS API.

Consumable Cloud Services

Customers can consume any of the AWS Cloud services available, but they will need to obtain appropriate accreditation before using them.

Provided Operating Systems (Golden Images)

MODCloud provides a library of endorsed, assessed and managed Golden Images. Use of these Golden Images is not mandated in the Baseline Service Offering, but they are available for use. Customers wanting to use operating systems outside the accredited list will need to obtain appropriate accreditation to use them.

Connectivity

ICE is AWS with connectivity to the MoD Core Network (MCN) via the Boundary Protection Service (BPS). Traffic is currently limited to HTTP/S.

End users can access externally published websites via the internet and MODNET.

Developers will need to use internet-facing machines to access their accounts.

Access to administer the platform itself is possible via the AWS Console from both MODNET and the internet. However, any internet-facing machine used for this purpose must comply with the National Cyber Security Centre (NCSC) Cyber Essentials certification or equivalent (the Security Operating Procedures (SyOPs) provide more information).

ICE Enhanced Service Offering

Customers receive an Amazon Web Services (AWS) account. MODCloud retains the root credentials and several roles, including an Administrator role. MODCloud provides a Virtual Private Cloud (VPC) connected to the Core Security Services, including anti-virus and Security Information and Event Management (SIEM) systems.

MODCloud also provides secure ingress and egress points to the environment in the form of a Virtual Private Network (VPN) and inbound/outbound proxies; these are how administrators and application users securely access applications and services. Customers are then responsible for deploying the private subnets, Security Groups and Virtual Machines. Virtual Machines must be based on the mandated Golden Images available within the customer's account.

Customers can also access their account via the AWS Console or the AWS API.

Consumable Cloud Services

MODCloud offers a selection of AWS Cloud services. The services available to Enhanced Service Offering accounts are limited to those that have been assessed and accredited as part of the service wrap.

Provided Operating Systems (Golden Images)

MODCloud provides a library of endorsed, assessed and managed Golden Images that are mandated for use in Enhanced Service Offering.

Connectivity

ICE is AWS with connectivity to the MoD Core Network (MCN) via the Boundary Protection Service (BPS) as standard. Traffic is currently limited to HTTP/S. There is an option to request connectivity via Direct Connect instead of BPS. Direct Connect creates a private connection between an AWS Direct Connect location and on-premises infrastructure over a dedicated private link; for MODCloud, this runs from MODNET to MODCloud ICE and is restricted to a defined list of ports and protocols. Direct Connect is not provided by default and must be enabled via a Change Request.

End users can access externally published websites via the internet and MODNET.

Developers will need to use internet-facing machines to access their accounts.

Access to administer the platform itself is possible via the AWS Console from both MODNET and the internet. However, any internet-facing machine used for this purpose must comply with the National Cyber Security Centre (NCSC) Cyber Essentials certification or equivalent (the Security Operating Procedures (SyOPs) provide more information).

Outbound Proxy

ICE outbound connections to the internet are monitored and controlled by the outbound boundary proxy service. HTTP/S connections are routed automatically via the network to the outbound proxy. If the destination matches an entry on the allow list, the connection is forwarded to the internet; if there is no matching entry, the connection is blocked and the attempt is logged. Customers should therefore expect software that fetches from non-allow-listed destinations (package mirrors, update servers, third-party APIs) to fail until the destination has been added to the allow list.
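The allow/block-and-log decision described above, written out as an added example. This is not MODCloud's proxy code and says nothing about the real allow-list format: the entries, the `*.domain` wildcard convention, the HTTP/S-only port restriction and the sample request lines are all constructed for illustration. What it does show is the part a practitioner trips over in such a setup: a wildcard entry does not cover the bare apex domain or look-alike hosts, and a non-standard port is refused even for an allow-listed host.

```python
"""Illustrative outbound allow-list evaluation for an HTTP/S egress proxy.

Added example, not MODCloud code. ALLOW_LIST, ALLOWED_PORTS and the request
lines used in the usage section are constructed for illustration only.
"""
from __future__ import annotations

import logging
from dataclasses import dataclass
from urllib.parse import urlsplit

log = logging.getLogger("egress-proxy")

# Constructed allow list (assumption): exact hostnames, or "*.domain" meaning
# "any subdomain of domain" but NOT the apex domain itself.
ALLOW_LIST = {
    "api.example.gov.uk",
    "*.amazonaws.com",
    "pypi.org",
    "files.pythonhosted.org",
}
# Mirrors the page's statement that traffic is limited to HTTP/S.
ALLOWED_PORTS = {80, 443}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _host_matches(host: str, entry: str) -> bool:
    """Case-insensitive match of a hostname against one allow-list entry."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # "*.amazonaws.com" -> ".amazonaws.com"
        # The leading dot means "evilamazonaws.com" does not match, and the
        # explicit apex check means "amazonaws.com" itself does not either.
        return host.endswith(suffix) and host != suffix[1:]
    return host == entry


def evaluate(request_line: str, allow_list=ALLOW_LIST) -> Decision:
    """Decide on a proxy request line.

    HTTPS arrives as 'CONNECT host:port HTTP/1.1'; plain HTTP arrives with an
    absolute URL, e.g. 'GET http://host/path HTTP/1.1'.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return Decision(False, "malformed request line")
    method, target = parts[0].upper(), parts[1]

    if method == "CONNECT":
        host, _, port_s = target.rpartition(":")
        if not host or not port_s.isdigit():
            return Decision(False, "malformed CONNECT target")
        port = int(port_s)
    else:
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            return Decision(False, "only absolute http/https URLs are accepted")
        host = url.hostname
        port = url.port or (443 if url.scheme == "https" else 80)

    if port not in ALLOWED_PORTS:
        return Decision(False, f"{host}:{port} refused: port not permitted")
    if any(_host_matches(host, entry) for entry in allow_list):
        return Decision(True, f"{host}:{port} on allow list")
    return Decision(False, f"{host}:{port} not on allow list")


def process(request_line: str, client: str) -> Decision:
    """Apply the decision and log every block, as the page says the proxy does."""
    decision = evaluate(request_line)
    if not decision.allowed:
        log.warning("BLOCK client=%s request=%r reason=%s",
                    client, request_line, decision.reason)
    return decision


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Constructed sample traffic from a hypothetical customer instance.
    for line in (
        "CONNECT s3.eu-west-2.amazonaws.com:443 HTTP/1.1",
        "CONNECT amazonaws.com:443 HTTP/1.1",
        "CONNECT evilamazonaws.com:443 HTTP/1.1",
        "GET http://pypi.org/simple/ HTTP/1.1",
        "CONNECT pypi.org:22 HTTP/1.1",
        "CONNECT updates.unknown.example.net:443 HTTP/1.1",
    ):
        print(process(line, client="10.0.12.34"))
```

Running the block as a script prints the decision for each sample line; only the first and fourth are allowed, and each blocked request produces a log entry carrying the client address, the request and the reason, which is the minimum a SOC needs to tell a misconfigured application from an exfiltration attempt.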