MHADA Cloud Infra

Scene 1 (0s)

Volksara. Cloud Infrastructure. MHADA.

Scene 2 (7s)

Volksara. SCOPE OF WORK. The broad project scope is a single service provider delivering cloud hosting and managed services for the cloud infrastructure. The department intends to procure 'Cloud Hosting & Managed Services' for the MHADA applications. The shortlisted service provider shall provide the GCC / VPC with managed services for a period of 3 years post Go-Live. The proposed solution shall be scalable, extensible, highly configurable, secure and very responsive, and shall support integration and optimization, including scale-up and scale-down of the required services and solutions (existing legacy and those acquired in future) that are designed for or used by the department, or that the department may upgrade.

Scene 3 (37s)

Volksara. VM Creation, Security Compliance Integration and Monitoring Controls.

Scene 4 (45s)

1. VM CREATION IN AZURE
Tooling: Microsoft Azure, Azure CLI, Terraform.
Inputs: Resource Group, Virtual Network, Subnets / NSG (Network Security), Azure Key Vault (Secrets), Log Analytics Workspace (Optional), OS Image (Windows / Linux), VM Size, Public / Private IP, Tags (Vendor, Project, Environment), Monitoring Extensions (Azure Monitor).
Output: VM Created Successfully.

2. VM BUILDER / BASE CONFIGURATION
Disks.

3. AUTOMATIC ONBOARDING TO ARCON PAM
VM Creation Trigger (Azure Event Automation) -> ARCON Privileged Access Management -> VM Assets Added in PAM.

4. ACCESS CONTROL THROUGH ARCON PAM (NO DIRECT ACCESS TO AZURE VMs)
Vendor Users -> Login to PAM Portal (Factor Authentication) -> ARCON PAM Gateway -> Secure RDP / SSH Access (One-Click) -> Private VMs (VM - Vendor A, VM - Vendor B, VM - Vendor C).
Vendors have access to their respective VMs only; there is NO direct access to Azure VMs.

5. POST VM PROVISIONING - AGENT INSTALLATION
Install Kaspersky Agents: Kaspersky Security Network Agent (KSNA), Endpoint Security (KES).
Install Motadata Agent.
Base Hardening & Configuration: Windows / Linux Updates, Firewall Configuration, User Access Control, Security, Backup Configuration.

6. MONITORING WITH MOTADATA
Motadata Agent -> Motadata Server. Monitoring Metrics: CPU, Memory. Alert Engine & Thresholds.

7. REPORTING & ALERTS
Automatic Reports (Scheduled), Manual Reports, Daily Report, On-Demand Report, Export (PDF / Excel), Email, Dashboard. Report Delivery (Automatic & Manual). Email Recipients: Cloud Team, Vendor Group, Others.

KEY BENEFITS
• NO direct access to Azure VMs: access only through PAM.
• Vendor-wise access control & Cloud team visibility to all.
• Secured, audited and monitored access.
• Endpoint & network level protection with Kaspersky.
• 24x7 monitoring with Motadata & reports via email.

ARCHITECTURE FLOW SUMMARY
Create VM in Azure -> VM Onboarded to PAM -> Access VMs Only via PAM -> Kaspersky & Motadata agents -> Metrics Collection & Analysis -> Reports Generated -> Reports Sent (Email / Manual).
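The access rule behind steps 3 and 4 (a VM created with a Vendor tag is onboarded to PAM, each vendor reaches only its own VMs through the PAM gateway, the cloud team sees all of them, and every decision is audited) as an added Python example. This is not ARCON's or Volksara's code and calls no ARCON API; the VM names, IPs and tag values are constructed, and the requirement that the portal login has passed a second authentication factor before a session is granted is an assumption taken from the slide's "Factor Authentication" step.

```python
"""Vendor-scoped PAM session authorisation driven by Azure VM tags.

Added example, not ARCON's or Volksara's code. Assumptions: the Vendor tag set
at VM creation is the only thing that scopes vendor access, the group name
"cloud-team" marks cloud-team users, and a session is refused until the PAM
portal login has passed its second factor. VMs and users are constructed data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VmAsset:
    name: str
    private_ip: str
    os: str          # "Windows" -> RDP session, "Linux" -> SSH session
    tags: dict       # Vendor / Project / Environment tags set at creation


@dataclass(frozen=True)
class PamUser:
    username: str
    group: str       # "cloud-team" or a vendor name such as "Vendor A"
    mfa_passed: bool


@dataclass
class PamInventory:
    assets: dict = field(default_factory=dict)   # VM name -> VmAsset
    audit: list = field(default_factory=list)    # every onboarding and session decision

    def onboard(self, vm: VmAsset) -> None:
        """Step 3: the VM creation event adds the asset to PAM. A VM without a
        Vendor tag cannot be scoped to anyone, so onboarding refuses it."""
        if "Vendor" not in vm.tags:
            raise ValueError(f"{vm.name}: missing Vendor tag, cannot scope access")
        self.assets[vm.name] = vm
        self.audit.append(("onboard", vm.name, vm.tags["Vendor"]))

    def visible_assets(self, user: PamUser) -> list[str]:
        """Cloud team sees every VM; a vendor sees only VMs tagged with its name."""
        if user.group == "cloud-team":
            return sorted(self.assets)
        return sorted(n for n, vm in self.assets.items() if vm.tags["Vendor"] == user.group)

    def authorize_session(self, user: PamUser, vm_name: str) -> tuple[bool, str]:
        """Step 4: returns (allowed, protocol or refusal reason) and records it."""
        if not user.mfa_passed:
            decision = (False, "MFA required at PAM portal")
        elif vm_name not in self.assets:
            decision = (False, "VM not onboarded to PAM")
        elif vm_name not in self.visible_assets(user):
            decision = (False, "VM belongs to another vendor")
        else:
            decision = (True, "RDP" if self.assets[vm_name].os == "Windows" else "SSH")
        self.audit.append(("session", user.username, vm_name, decision[0], decision[1]))
        return decision


def build_sample_inventory() -> PamInventory:
    """Constructed sample: three VMs, one per vendor, onboarded at creation."""
    inv = PamInventory()
    inv.onboard(VmAsset("vm-vendor-a-app01", "10.10.1.4", "Linux",
                        {"Vendor": "Vendor A", "Project": "MHADA", "Environment": "Prod"}))
    inv.onboard(VmAsset("vm-vendor-b-web01", "10.10.2.4", "Windows",
                        {"Vendor": "Vendor B", "Project": "MHADA", "Environment": "Prod"}))
    inv.onboard(VmAsset("vm-vendor-c-db01", "10.10.3.4", "Linux",
                        {"Vendor": "Vendor C", "Project": "MHADA", "Environment": "Prod"}))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    alice = PamUser("alice", "Vendor A", mfa_passed=True)
    print(inv.visible_assets(alice))
    print(inv.authorize_session(alice, "vm-vendor-b-web01"))
    for entry in inv.audit:
        print(entry)
```

The point of scoping on the tag rather than on a hand-maintained list is that the same tag set during VM creation (step 1) drives both onboarding and authorisation, so a VM that reaches PAM without a Vendor tag is rejected instead of becoming reachable by everyone.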

Scene 5 (1m 31s)

Volksara. Azure Disaster Recovery Architecture.

Scene 6 (1m 39s)

PRIMARY REGION (PRODUCTION) Azure Region – Central India.

Scene 7 (2m 25s)

Volksara. Backup Management in Azure.

Scene 8 (2m 33s)

A. AZURE INFRASTRUCTURE BACKUP PLAN (AZURE BACKUP SERVICE)
Source Workloads: Virtual Machines (VMs).
1. Backup Policy Assignment: backup policies are defined and assigned to VMs.
2. Scheduled Backup Execution: backups are taken as per the configured frequency.
3. Backup Storage, Recovery Services Vault (RSV): backups are stored in a secure and redundant vault.
4. Retention & Lifecycle Management: backups are retained as per policy and automatically expired.

B. INDICATIVE BACKUP PLAN (VMs)
Backup Type | Backup Frequency | Retention Period
Incremental | Daily | 7 Days
Full | Weekly | 1 Month
Full | Monthly | 12 Months
Full | Yearly | Till Contract Exists

Backup Type | Backup Frequency | Retention Period
Full | Daily | 7 Days
Full | On-Demand |

C. RESTORATION POLICY
Restore Point Age | Restoration Frequency
Backup taken in last month | Once in a Month
Backup taken in last quarter | Once in a Quarter

RESTORATION WORKFLOW
1. Select Recovery Point: choose the required restore point as per restoration policy.
2. Validate & Approve: validate the backup and approve the restoration request.
3. Restore VM: restore the VM to original or alternate location.
4. Validation & Verification: validate the restored VM for data consistency and availability.
5. Reporting & Compliance: log restoration activity and maintain reports for audit and compliance.

KEY HIGHLIGHTS
• Policy-based backup for Virtual Machines
• Automated retention and lifecycle management
• Secure and geo-redundant storage in Recovery Services Vault
• On-demand and scheduled backup support
• Periodic restoration as per defined policy
• Monitoring, alerting and reporting for complete visibility.
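The retention and restoration rules above, carried through as an added Python example (not Azure Backup's or Volksara's code). It applies the indicative plan (daily incremental kept 7 days, weekly full 1 month, monthly full 12 months, yearly full until the contract ends) to a list of recovery points, reports which survive on an evaluation date, and picks the point the monthly and quarterly restoration tests should use. The calendar that assigns points to tiers, the 30/365-day readings of "1 Month" and "12 Months", the contract end date and the recovery point dates are all assumptions or constructed data.

```python
"""Retention lifecycle and restoration-test selection for the VM backup plan.

Added example, not Azure Backup's or Volksara's code. Assumptions: a yearly
full is taken on 1 January, a monthly full on the 1st of each month, a weekly
full on Sundays and an incremental on every other day; "1 Month" and
"12 Months" are read as 30 and 365 days; the contract end date is a placeholder.
"""
from __future__ import annotations
from datetime import date

# Retention per tier from the indicative backup plan (days).
RETENTION_DAYS = {"daily": 7, "weekly": 30, "monthly": 365}
CONTRACT_END = date(2028, 12, 31)   # constructed placeholder, not the real contract date


def tier_of(point: date) -> str:
    """Map a recovery point to the schedule tier that produced it."""
    if point.month == 1 and point.day == 1:
        return "yearly"
    if point.day == 1:
        return "monthly"
    if point.weekday() == 6:        # Sunday
        return "weekly"
    return "daily"


def is_retained(point: date, today: date, contract_end: date = CONTRACT_END) -> bool:
    """Lifecycle rule: a point expires once its age reaches the tier's retention;
    the yearly full is kept till the contract exists."""
    tier = tier_of(point)
    if tier == "yearly":
        return today <= contract_end
    return (today - point).days < RETENTION_DAYS[tier]


def retained_points(points: list[date], today: date) -> list[date]:
    """Recovery points that still exist in the vault on the evaluation date."""
    return sorted(p for p in points if is_retained(p, today))


def expired_points(points: list[date], today: date) -> list[date]:
    """Recovery points the lifecycle management has already removed."""
    return sorted(p for p in points if not is_retained(p, today))


def restore_test_candidate(points: list[date], today: date, window_days: int) -> date | None:
    """Restoration policy: the monthly test (window 30 days) restores a backup
    taken in the last month, the quarterly test (window 90 days) one taken in
    the last quarter. Design choice here: pick the oldest retained point inside
    the window, which exercises the data closest to expiry."""
    candidates = [p for p in retained_points(points, today)
                  if 0 < (today - p).days <= window_days]
    return min(candidates) if candidates else None


def sample_recovery_points() -> list[date]:
    """Constructed recovery points spanning all four tiers."""
    return [date(2026, 3, 31), date(2026, 3, 24), date(2026, 3, 22),
            date(2026, 2, 1), date(2026, 2, 8), date(2025, 1, 1), date(2024, 6, 1)]


if __name__ == "__main__":
    today = date(2026, 4, 1)
    pts = sample_recovery_points()
    for p in pts:
        print(p, tier_of(p), "retained" if is_retained(p, today) else "expired")
    print("monthly restore test:", restore_test_candidate(pts, today, 30))
    print("quarterly restore test:", restore_test_candidate(pts, today, 90))
```

Running the tier classification against the vault's real recovery points is also a quick way to check that the assigned policy matches the plan: a daily point older than 7 days still present, or a monthly point missing before 365 days, means the policy in the Recovery Services Vault differs from the one on the slide.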

Scene 9 (3m 8s)

Volksara. Integrated Security Controls for Application and Infrastructure Protection.

Scene 11 (3m 22s)

Volksara. Server Monitoring.

Scene 12 (3m 28s)

MONITORED SERVERS
Application Server (VM / Physical), Database Server (VM / Physical), Web Server (VM / Physical), File Server (VM / Physical), Other Servers (VM / Physical), More Servers.

KEY CAPABILITIES
• Real-time Monitoring
• Threshold-based Alerting
• Multi-vendor Support
• Agent / Agentless Monitoring
• Custom Dashboards
• Automated & Manual Reporting
• Email Notifications & Escalations
• Historical Data & Trend Analysis

MOTADATA PLATFORM
Agent Based / Agentless Monitoring (SNMP / WMI / API / SSH).

DATA FLOW
Servers -> Data Collection (Metrics Collection, Discovery, Health Checks) -> Data Processing (Normalization, Aggregation, Correlation) -> Threshold Evaluation (Threshold Matching, Anomaly Detection, Event Generation) -> Alert Engine (Alert Generation, Escalation, Notification) -> Reporting & Delivery -> Recipients.

ALERTING & NOTIFICATIONS
Threshold Exceeded (CPU / Memory / Disk / IOPS / Network) -> Alerts Generated -> Notification Triggered -> Escalation (if configured).

MONITORED METRICS & THRESHOLDS
• CPU Utilization Threshold (e.g. > 80%)
• Memory Utilization Threshold (> 80%)
• Disk Utilization Threshold
• IOPS Threshold (e.g. > 1000)
• Network In/Out Threshold (e.g. > 80%)
All metrics are compared with defined thresholds to ensure optimal performance and quick issue resolution.

REPORT TYPES
• Inventory Report
• Performance Report
• Availability Report
• Alert Summary
• Custom Reports

DELIVERY OPTIONS
Email Delivery (Automatic / Scheduled), Manual Email (On Demand).
Recipients: IT Operations Team, Administrators, Management, External Stakeholders (If required).

DASHBOARDS & VISUALIZATION

NOTE
Reports can be scheduled (Daily / Weekly / Monthly) or generated manually as per requirement and delivered via email to the intended recipients.
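The data flow above (collection, normalization, threshold evaluation, alert generation, escalation) run over constructed agent samples, as an added Python example. This is not Motadata's or Volksara's code and does not use the Motadata agent format. The thresholds are the ones the slide states (CPU, memory and network > 80%, IOPS > 1000); the 90% disk threshold, the rule that an alert is escalated after three consecutive breached polling cycles, and the sample lines are assumptions.

```python
"""Threshold evaluation with escalation over sample server metrics.

Added example, not Motadata's or Volksara's code. One polling cycle: raw
collector lines are normalised, each metric is compared with its threshold,
new breaches raise an alert, a breach that persists for ESCALATE_AFTER
consecutive cycles is escalated, and a metric that drops back clears its alert.
The line format, the disk threshold and ESCALATE_AFTER are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

THRESHOLDS = {"cpu_pct": 80, "memory_pct": 80, "disk_pct": 90,
              "iops": 1000, "network_pct": 80}
ESCALATE_AFTER = 3   # consecutive breached cycles before escalation (assumed)
KEY_MAP = {"cpu": "cpu_pct", "mem": "memory_pct", "disk": "disk_pct",
           "iops": "iops", "net": "network_pct"}


def parse_agent_line(line: str) -> tuple[str, dict[str, float]]:
    """Data collection + normalisation of a constructed collector line such as
    'app01 cpu=95% mem=62% iops=1200'. Unknown fields are ignored so that one
    odd key does not drop the whole sample."""
    server, *fields = line.split()
    metrics: dict[str, float] = {}
    for f in fields:
        key, _, raw = f.partition("=")
        if key in KEY_MAP and raw:
            metrics[KEY_MAP[key]] = float(raw.rstrip("%"))
    return server, metrics


@dataclass
class Alert:
    server: str
    metric: str
    value: float
    threshold: float
    consecutive: int = 1
    escalated: bool = False


class AlertEngine:
    def __init__(self, thresholds=THRESHOLDS, escalate_after=ESCALATE_AFTER):
        self.thresholds = thresholds
        self.escalate_after = escalate_after
        self.open: dict[tuple[str, str], Alert] = {}
        self.notifications: list[str] = []

    def evaluate(self, samples: dict[str, dict[str, float]]) -> list[Alert]:
        """Threshold evaluation for one cycle; returns the alerts still open."""
        breached = set()
        for server, metrics in samples.items():
            for metric, value in metrics.items():
                limit = self.thresholds.get(metric)
                if limit is None or value <= limit:
                    continue
                key = (server, metric)
                breached.add(key)
                alert = self.open.get(key)
                if alert is None:
                    self.open[key] = Alert(server, metric, value, limit)
                    self.notifications.append(
                        f"ALERT {server} {metric}={value} > {limit} -> IT Operations Team")
                else:
                    alert.consecutive += 1
                    alert.value = value
                    if alert.consecutive >= self.escalate_after and not alert.escalated:
                        alert.escalated = True
                        self.notifications.append(
                            f"ESCALATION {server} {metric} breached {alert.consecutive} cycles -> Administrators")
        # Metrics back under threshold close their alert.
        for key in list(self.open):
            if key not in breached:
                a = self.open.pop(key)
                self.notifications.append(f"CLEARED {a.server} {a.metric}")
        return list(self.open.values())

    def evaluate_lines(self, lines: list[str]) -> list[Alert]:
        """Convenience: parse collector lines and evaluate them as one cycle."""
        return self.evaluate(dict(parse_agent_line(l) for l in lines))


if __name__ == "__main__":
    engine = AlertEngine()
    cycles = [  # constructed samples, three polling cycles
        ["app01 cpu=95% mem=62% iops=1200", "db01 cpu=40% disk=91%"],
        ["app01 cpu=92% mem=60% iops=800", "db01 cpu=40% disk=91%"],
        ["app01 cpu=90% mem=60% iops=800", "db01 cpu=40% disk=88%"],
    ]
    for lines in cycles:
        engine.evaluate_lines(lines)
    print("\n".join(engine.notifications))
```

Keeping the alert keyed on (server, metric) and counting consecutive cycles is what lets a single sustained CPU breach escalate while a one-cycle IOPS spike only produces an alert and a clear, which is the distinction the slide draws between "Alerts Generated" and "Escalation (if configured)".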

Scene 13 (4m 7s)

Volksara. Kaspersky Security Workflow.

Scene 14 (4m 14s)

AZURE ENVIRONMENT (Azure VNet)
Windows Server (Web Server), Linux Server (Application Server), SQL Server (Database Server), File Server (File Server), Other Servers (AD, Mail, etc.). Kaspersky Endpoint Security Agent installed on each server. Connection to the console: Secure TLS (Port 443).

KASPERSKY SECURITY CENTER CLOUD CONSOLE
Management, Users & Roles, Data Storage, Security Policies, Vulnerability Assessment, Task & Deployment Management, Reports & Dashboards, Web Control & Device Control.

CLOUD INFRASTRUCTURE
Kaspersky Security Network (KSN), Update Servers & Repositories, Alerts & Intelligence, High Availability & Scalability.

THREAT DETECTION (REAL-TIME)
• Network Attacks: detects and blocks brute force, port scanning, DoS/DDoS, exploit attempts.
• Vulnerabilities & Exploits: detects missing patches, misconfigurations and blocks exploit attempts.
• Malware & Ransomware: detects known, unknown and behavior-based malware.
• Suspicious Activity: detects unusual behavior, privilege escalation, lateral movement, unauthorized changes.
• Web & Email Threats: blocks malicious websites, phishing pages and harmful downloads.

THREAT ANALYSIS ENGINE
AI / Machine Learning; Signature Based + Behavioral Analysis (Cloud Assisted).

AUTOMATIC BLOCKING & RESPONSE
• Block Malicious IPs (Host Firewall / Network Firewall)
• Terminate Malicious ...
• Quarantine Infected Files
• Block Exploit / Attack (Web, Network, Application Control)
• Disable Compromised Account (via AD Integration)
• Isolate Infected Host (from network)

DATA FLOW
Security Data & Telemetry -> Threat Detection & Analysis -> Blocking & Response -> Policy & Updates -> Reports & Logs.

SECURITY DASHBOARD & REPORTS
Healthy, Threats Detected, Attacks, Top Affected Devices, Reports.

HOW IT WORKS (FLOW)
1. Kaspersky Agent on Azure servers collects events and security data.
2. Data is securely sent to Kaspersky Cloud Console via TLS (Port 443).
3. Cloud Console analyzes data using AI, threat intelligence and signatures.
4. Threats, vulnerabilities and suspicious activities are detected in real-time.
5. Automatic actions are taken to block, quarantine or prevent the threats.
6. Dashboard and reports are updated for visibility and management.

KEY BENEFITS
• Vulnerability detection and patch ...
• Centralized cloud management and visibility for all Azure ...
• Protection against network attacks, malware & threats.

Scene 15 (5m 7s)

Volksara. Traffic Load Distribution During MHADA Lottery Events.

Scene 16 (5m 15s)

USERS
Web Users, Mobile Users, External Systems / Integrations.

TRAFFIC FLOW
DNS (lottery.mhada.gov.in) -> AZURE CDN -> AZURE FIREWALL -> WAF LOAD BALANCER -> AZURE VIRTUAL NETWORK: MHADA LOTTERY APPLICATION SERVERS (App Server 1, App Server 2, App Server 3, ..., App Server N).
1. Users request via DNS
2. Content served via CDN (cached/static)
3. Secure traffic to Azure Firewall
4. Inspected traffic to WAF Load Balancer
5. Distributed to Application Servers

AZURE CDN
Global Edge Locations; Static Content (Images, CSS, JS); Caching; DDoS Protection (Edge); SSL/TLS Offload (Edge); Reduces Latency; Improves Performance.

AZURE FIREWALL
Central Ingress / Egress; Stateful Traffic Inspection; Threat Intelligence; Network Filtering; NAT / DNAT; Deny by Default; Secure Gateway; Protects VNet.

WAF LOAD BALANCER
Layer 7 Load Balancing; Web Application Firewall (OWASP Top 10); SSL Termination (Centralized); Health Probes; Session Affinity (If Required); DDoS Protection (L7).

MHADA LOTTERY EVENTS
Lottery Draw Scheduled, Application Submitted, Payment Success / Failure, Lottery Draw Completed, Winner Declaration, Notifications Triggered.

KEY BENEFITS
• High Availability & Scalability
• Improved Performance with CDN
• Centralized Security with Azure Firewall
• Advanced Protection with WAF
• Resilient & Secure Lottery Platform

NOTES
All components are deployed in Azure Cloud. WAF Load Balancer provides Layer 7 security and traffic distribution. Auto Scale ensures application availability during peak loads (e.g., lottery draw days).

Scene 17 (5m 55s)

Volksara. Azure CSPM and Workload Protection Architecture.

Scene 18 (6m 2s)

This architecture ensures continuous security posture assessment using Azure CSPM, protects compute workloads (servers), secures storage workloads, and detects and prevents malware in storage for the MHADA Lottery project.

MHADA LOTTERY - AZURE ENVIRONMENT (Azure Virtual Network)
Compute Workloads (Servers): Application Server, Database Server, Web Server.
Storage Workloads: Blob Storage (Lottery Documents, Reports, Media), Azure Files (Shared Data), Azure Table Storage (Logs, Telemetry).

AZURE SECURITY SERVICES
1. AZURE CSPM (Azure Cloud Security Posture Management)
• Continuously assesses Azure resources for misconfigurations, vulnerabilities and compliance.
• Monitors against security benchmarks (CIS, Microsoft, etc.).
• Provides secure score, recommendations and remediation guidance.
2. WORKLOAD PROTECTION FOR SERVERS (Defender for Servers)
• Continuous vulnerability assessment for servers.
• Threat & exploit detection using behavior analysis.
• File Integrity Monitoring (FIM).
• Security recommendations and auto remediation.
3. WORKLOAD PROTECTION FOR STORAGE (Defender for Storage)
• Monitors storage accounts for threats and anomalies.
• Detects suspicious activities and unusual access patterns.
• Provides security alerts and recommendations.
4. ANTIMALWARE FOR STORAGE (Microsoft Defender Antivirus)
• Scans blobs and files in storage for malware.
• Detects viruses, trojans, ransomware and other malicious content.
• Blocks threats and quarantines infected files.
• Supports scheduled and on-upload scanning.

All security services are natively integrated with Microsoft Defender for Cloud and provide centralized visibility, alerts and remediation.

Scene 19 (6m 52s)

Volksara. Secure Vendor Access to Azure Servers.

Scene 20 (6m 59s)

VENDOR: Vendor User (Remote Location).
CLOUD TEAM: Approves Requests & Provides VPN Access.