NAPMA is the NATO Agency managing modernisation programmes for, and securing technical airworthiness of the NATO AWACS fleet. As an integral part of NAPMA’s IT infrastructure a Secure Remote Access (SRA) capability was required to work remotely with the same functionality as in-house, while complying with NATO-wide IT and IT security policies. CONET Services GmbH established, and continues to maintain and operate NAPMA’s SRA capability based on a SINA solution.[Note: This is the original text in English version. A German translation is available here / eine deutsche Version finden Sie hier.]
Initial Situation: The NAPMA IT System
NAPMA is located at Brunssum, The Netherlands, and comprised of approxi-mately 120 multi-national personnel. The agency operates a small IT environment to provide office automation. The main services provided to the users are e-mail (Exchange), document management (SharePoint) and an enterprise resource planning system (SAP).
The NAPMA IT system is accredited by the NATO Office of Security (NOS), and authorised up to and including NATO RESTRICTED (NR).
NAPMA’s requirement for a SRA capability was to enable selected staff to remotely work with the same functionality and a similar performance as the in-house NAPMA NR workstations.
The challenge was to implement a service that not only meets the user requirements, but also fits into NAPMA’s framework regarding e.g. IT security, pricing, quality of service, and implementation timelines.
An initial SRA capability has already been in place at NAPMA since around 2012 but needed to be replaced in 2015. Therefore, NAPMA conducted an international competitive bid. The contract was awarded to CONET Services GmbH, who supports the SINA solution for NAPMA.
In order to technically enhance internal collaboration and to move towards a more mobile, agile approach to business processes, NAPMA reviewed the requirement for mobile devices in early 2018 based on a functional justification. Consequentially NAPMA expanded the SINA solution and tripled the number of laptops.
Solution: Expanding NAPMA’s SRA Capability
The initial solution established by CONET back in 2015 included 30 laptops. The users were provided with two strictly separated workspaces:
- A managed workspace for NAPMA business like on any other workstation (NATO RESTRICTED)
- A less protected workspace allowing unrestricted web-browsing (e.g. no content filter on internet access to allow check-in for flights, etc.)
CONET supported to expand NAPMA’s SRA Capability: 92 laptops are in use since fall 2018. To be able to handle the additional devices, the backend was replaced by a more powerful one. The existing SINA Boxes are being reused: one as so called Trusted Network Device and one to establish a Secure Interconnection to another NATO network.
CONET Services GmbH continues to support maintaining and operating NAPMA’s SRA capability.
Benefits: 70% of NAPMA Staff Equipped with SINA Laptop
With the extension of the SINA laptops and secure smartphones, around 70% of the NAPMA staff is now equipped with a SINA laptop.
The network and system administrators benefit very much from the smooth integration of the backend and the devices into the existing IT infrastructure. Using the same software images on the SINA as well as remaining desktop computers reduces the maintenance effort significantly.
Positive feedback is also coming from IT security staff, who is pleased to see the separation of the restricted business workspace and the less protected session for internet access.
The support contract in place with CONET balances the need for additional manpower and expertise on the one hand, and NAPMA’s distinct requirement for maintaining ownership and control of information on the other hand. The fact, that in three years of using 30 SINA devices NAPMA just had to open 12 support tickets, speaks for itself.
Overview: Secure Remote Access – SRA Capability
NAPMA – NATO Airborne Early Warning & Control Programme Management Agency
Secure Inter-Network Architecture (SINA)
- Secure remote access to the NAPMA domain
- Authorised to process information up to and including NATO RESTRICTED
- Integral part of NAPMA’s IT infrastructure
- Enabling staff to work on-/off-site & on-/offline
- Same functionality and similar performance as in-house workstations
- Accreditation by NATO Office of Security (NOS)
- Secure Remote Access
- Technically enhanced internal collaboration
- Separated workspaces:
- (1) managed NAPMA workspace
- (2) workspace allowing unrestricted web-browsing
- 2x SINA L3 Box S 1G
- 2x SINA L3 Box S 30M
- 30x ThinkPad T540p
- 62x ThinkPad T470s
- workspaces: Windows 10, LinuxLite