Platform Services: Identity, Access, and Security Operations

This module defines the platform services that sit on top of the data center fabric and HCI architecture. It focuses on identity and access management, virtual desktop infrastructure, and security operations. These services form the control plane of the enterprise environment and are critical to any zero trust implementation.

The objective is to provide a reusable, vendor neutral pattern that can be implemented in the Primary Data Center, Disaster Recovery Data Center, and Out-of-Region DR site.

Architectural Role of Platform Services

Platform services provide:

• Centralized identity and authentication
• Policy based access control and authorization
• Secure delivery of desktops and applications
• Centralized logging, monitoring, and detection
• A feedback loop that supports continuous verification

These services are deployed primarily on the Infrastructure HCI Block with selected components in the DMZ HCI Block and Application Hosting HCI Block, according to their exposure and trust level.

Identity and Access Management (IdAM)

Identity and access management is the authoritative source of truth for users, groups, service accounts, and application identities.

Core Functions

• Directory services for user and computer accounts
• Authentication services such as Kerberos, LDAP, and modern identity protocols
• Authorization through roles, groups, and policies
• Federation for external cloud and SaaS applications
• Lifecycle management for account provisioning and deprovisioning

Deployment Pattern

The IdAM tier is deployed as a multi site, multi region service:

• Domain controllers or directory replicas in Primary and DR data centers
• Limited but critical replicas in the Out-of-Region DR site
• Secure management and backup procedures for directory infrastructure
• Strong separation between Tier 0 identity assets and other management systems

IdAM communication traverses dedicated infrastructure and management segments, not general purpose user networks.

Public Key Infrastructure (PKI)

PKI provides certificate based trust for users, devices, workloads, and services.

Core Functions

• Root and issuing certificate authorities
• Certificate templates and enrollment policies
• Certificate lifecycle management
• Certificate based user and device authentication
• TLS certificate issuance for internal services

Deployment Pattern

PKI is treated as a high sensitivity component. Typical characteristics are:

• Root CA kept offline or in a highly restricted environment
• Issuing CAs placed in the Infrastructure HCI Block with strict access controls
• Integration with IdAM for auto enrollment and certificate mapping
• Publish and retrieval endpoints for certificate revocation lists and OCSP responses

PKI events, including certificate issuance and revocation, are logged to centralized SIEM for visibility.

Authentication and Federation Services

Modern enterprise environments require support for multiple protocols:

• SAML
• OpenID Connect
• OAuth 2.0
• Legacy web based sign in patterns

Core Functions

• Central identity provider for web and API applications
• Single sign on across internal, cloud, and SaaS workloads
• Step up authentication for higher risk actions
• Risk based or context aware access policies

Deployment Pattern

Federation and authentication services are deployed with both internal and DMZ presence:

• Internal identity provider endpoints for internal applications
• Reverse proxies or secure application gateways in DMZ exposing external sign in flows
• Tight integration with IdAM and PKI for credential and certificate validation
• Policy engines that evaluate user, device, location, and application context

These components are a key part of the identity aware flow in the zero trust model.

Multi Factor Authentication (MFA)

MFA provides additional assurance beyond passwords or single factor credentials.

Supported Factors

• Hardware security keys using WebAuthn
• Platform authenticators on managed devices
• Push based mobile applications
• Time based one time passwords (TOTP) as a fallback
• Certificate based authentication for specialized use cases

Deployment Pattern

MFA services are integrated into:

• Primary identity provider flows
• Remote access solutions
• Administrative access pathways
• Privileged access workflows

MFA events and failures are sent to SIEM for correlation, anomaly detection, and continuous verification.

Virtual Desktop Infrastructure (VDI)

VDI provides centralized desktops and application delivery, enhancing control and security for sensitive workloads.

Core Functions

• Virtual desktop and application delivery controllers
• Connection brokers and gateways
• Profile and user data management
• Integration with IdAM and MFA

Deployment Pattern

VDI spans multiple zones:

• Core control plane components in the Infrastructure HCI Block
• Session hosts and VDI desktops in the Application Hosting HCI Block
• Secure external gateways in the DMZ HCI Block for remote access

Key considerations:

• Strong segmentation between VDI control plane, session hosts, and user networks
• Integration with identity aware network access and MFA
• Logging of session activity to SIEM for behavioral analysis

VDI can act as a secure jump environment for administrative access, with additional controls applied.

Security Operations: Logging and SIEM

Security operations are driven by complete and reliable telemetry.

Core Functions

• Central collection of logs from firewalls, routers, switches, servers, endpoints, and applications
• Normalization and enrichment of events
• Correlation rules and detections for known attack patterns
• Search and investigation capabilities for incidents
• Dashboards and reports for compliance and operations

Deployment Pattern

The SIEM platform is distributed for resilience:

• Primary collectors and indexers in the Primary DC
• Secondary collectors and limited storage in the DR DC
• Long term archival and cold storage for compliance driven retention
• Secure ingestion paths from all network zones and remote sites

SIEM forms a central part of the continuous verification loop for the zero trust model.

Vulnerability Management and Scanning

Vulnerability management identifies weaknesses in infrastructure, platforms, and applications.

Core Functions

• Scheduled and on demand scanning of servers, endpoints, and network devices
• Discovery of missing patches, misconfigurations, and known vulnerabilities
• Risk scoring and prioritization of remediation
• Integration with ticketing and change management workflows

Deployment Pattern

Scanning components are deployed close to targets but controlled by central management:

• Scanning engines in Infrastructure and Application HCI Blocks
• Dedicated VLANs for scan traffic where required
• Limited exposure of scanning credentials, managed by secure vaults
• Integration with SIEM to correlate vulnerability data and security events

Endpoint Detection and Response (EDR)

EDR provides deep visibility into endpoint behavior and supports rapid response to threats.

Core Functions

• Telemetry collection from workstations, servers, and sometimes containers
• Behavioral analytics and detection of malicious activity
• Containment actions such as network isolation or process blocking
• Forensic data to support incident investigation

Deployment Pattern

EDR agents or sensors are:

• Deployed on servers in all HCI blocks where supported
• Installed on VDI session hosts and golden images
• Integrated with central EDR consoles and SIEM

Policies align with zero trust requirements by limiting execution of untrusted binaries and monitoring high value systems more aggressively.

Monitoring and Observability

Monitoring and observability provide operational awareness for infrastructure and platform services.

Core Functions

• Metrics collection for CPU, memory, storage, and network usage
• Uptime and synthetic checks for critical services
• Threshold and anomaly based alerting
• Visualization through dashboards for infrastructure, applications, and user experience

Deployment Pattern

Monitoring components include:

• Collectors and time series databases in the Infrastructure HCI Block
• Exporters and agents on network devices, servers, and containers
• Synthetic probes in critical network segments to measure end to end performance

Monitoring data complements SIEM by providing operational context for security events.

Zero Trust Alignment

Platform services are central to the three pillars of the zero trust model used in this reference architecture.

Identity Aware Flows

• All major access decisions rely on IdAM, federation, and MFA
• Administrative access to infrastructure and security systems passes through VDI or hardened jump environments authenticated by IdAM and PKI
• Application access is brokered through identity providers and reverse proxies rather than direct network reachability

Microsegmentation

• Platform services are placed in dedicated Infrastructure, Management, and Security Operations zones
• VDI control plane, IdAM, PKI, and SIEM are segmented from general server and user networks
• Access between tiers is controlled by policy and identity, not by shared flat networks

Continuous Verification

• SIEM, EDR, and monitoring platforms continuously collect and analyze telemetry
• Anomalies in authentication, MFA, VDI usage, endpoint behavior, and network flows trigger alerts and automated responses
• Vulnerability data feeds into risk scoring and helps adjust protection priorities over time

Implementation Options

The following vendors and products are representative examples that can implement the patterns described in this module. Equivalent platforms can be used as long as they fulfill similar functional and security requirements.

IdAM and Directory

• Microsoft Active Directory and Entra ID
• FreeIPA or Red Hat Identity Management
• Enterprise grade LDAP directories

Federation and SSO

• Okta and Auth0
• Ping Identity
• Keycloak
• Authentik

PKI

• Microsoft Active Directory Certificate Services
• PrimeKey or EJBCA based platforms
• Cloud based CA services aligned to enterprise security requirements

MFA

• Identity provider native MFA solutions
• FIDO2 and WebAuthn capable hardware keys
• Push based mobile authentication platforms

VDI

• Citrix Virtual Apps and Desktops
• VMware Horizon
• Microsoft AVD, aligned to the same architectural principles when extended into cloud

SIEM and Logging

• Splunk
• Elastic Stack
• Microsoft Sentinel
• Other enterprise SIEM platforms with robust ingestion and correlation capabilities

Vulnerability Management

• Tenable
• Qualys
• Rapid7

EDR and Endpoint Security

• CrowdStrike
• Microsoft Defender for Endpoint
• SentinelOne
• Other EDR platforms that integrate with SIEM and support containment actions

Monitoring and Observability

• Prometheus and Grafana
• Zabbix or similar infrastructure monitoring tools
• Datadog, New Relic, or comparable SaaS observability platforms

Related Entries

• Data Center Fabric and HCI Architecture - Infrastructure foundation for these services
• Enterprise Hybrid HCI Platform Overview - Overall architecture context
• Authentik OIDC for Proxmox - Specific implementation example

Platform services, identity, and security operations collectively provide the control plane for the Enterprise Hybrid HCI Platform. They are essential to achieving a practical and enforceable zero trust posture at enterprise scale.