CASE STUDY

Enterprise Mission Cloud Foundation for Classified Space Operations

Space mission supporting satellite flight operations and multi-agency mission partners under strict security, compliance, and audit constraints.

Situation

A U.S. government space mission required modernization of legacy on-premises systems while maintaining security, compliance, and operational continuity across multiple classified mission partners. Cloud usage had expanded unevenly across commercial and restricted environments, introducing cost inefficiencies and governance gaps. Leadership required a standardized foundation that could support secure multi-tenant operations and rapid mission onboarding.

Solution

A hybrid, multi-cloud enterprise foundation was designed spanning commercial and government-restricted cloud environments, integrated with newly deployed on-prem infrastructure. Identity, network security, compliance controls, and automation were embedded by default. The platform enabled isolated mission partner tenants, centralized identity, encrypted connectivity, and infrastructure-as-code provisioning. All environments were delivered in an ATO-aligned state with continuous compliance visibility.

OUTCOMES

  • 88% reduction in monthly cloud spend
  • $220K/month AWS cost savings
  • Months to minutes for mission partner onboarding
  • 100% ATO-aligned environments
  • Multi-tenant across cloud + on-prem
  • 0 disruption to active space operations

Background

The Earth, Ground, Satellite (EGS) mission supports satellite flight operations and classified space activities involving multiple independent mission partners. Each partner operates specialized and, in many cases, highly classified software used to plan, fly, and sustain space missions.

Historically, the EGS mission relied on trusted on-prem systems to support space operations. As mission scope expanded, cloud adoption grew organically across teams and partners, spanning Amazon Web Services and Microsoft Azure, including both public commercial regions and restricted government environments.

This organic growth introduced fragmentation across identity, networking, security controls, and cost management. At the same time, mission complexity increased:

  • New mission partners needed to be onboarded rapidly
  • Each partner required strict isolation to run specialized and classified workloads
  • Personnel needed to be added and removed frequently under audit constraints
  • All systems required continuous ATO alignment and compliance validation

Leadership required a foundation that could support multiple classified tenants within a single platform, without sacrificing security, compliance, or operational stability.

Challenges

Architecture

  • Legacy architecture – On-prem focused
  • Not cloud-scale
  • No multi-tenant design
  • Weak isolation for classified workloads
  • Manual provisioning

Governance

  • Inconsistent operations – Ad-hoc cloud usage
  • No shared standards
  • Weak tagging and controls
  • Limited visibility
  • Growing partner complexity

Identity

  • Fragmented identity – Different IAM per platform
  • Partner-specific access
  • Slow onboarding and offboarding
  • Frequent access changes

Compliance

  • Required compliance – DISA STIGs
  • ACAS scanning
  • ATO approvals
  • Ongoing audits

Cost

  • Inefficient spend – Over-provisioned resources
  • Unneeded bare metal
  • Poor cost visibility
  • Weak budget control

Solutions

01. Foundation Overview

The foundation was delivered as a shared, multi-tenant platform, supporting both commercial and restricted environments while integrating newly designed and procured on-prem infrastructure.

Core elements included:

  • Amazon Web Services and Microsoft Azure (commercial + GovCloud / restricted regions)
  • Purpose-built on-prem datacenter infrastructure for classified and cost-sensitive workloads
  • Centralized identity and access management
  • Standardized firewalling and encrypted connectivity
  • Infrastructure-as-code provisioning and lifecycle management

The architecture intentionally reused working, known enterprise structures to reduce delivery risk while remaining extensible for future missions.

Multi-cloud platform · Commercial + GovCloud · On-prem integration
02. Identity & Access Management

Identity was centralized using Microsoft Active Directory, reflecting the mission's established Microsoft-centric operating model and user familiarity.

Federated authentication and verification were implemented using Okta, enabling strong authentication across hybrid environments without introducing parallel identity systems.

This design enabled:

  • Unified access across on-prem, AWS, Azure, and restricted environments
  • Rapid onboarding and removal of mission partner staff
  • Tenant-level role-based access control for classified workloads
  • Centralized auditing, access reviews, and policy enforcement

Where mission partners required Linux-centric identity integration, FreeIPA and LDAP were incorporated, while preserving a single, unified user flow across enterprises and partners.

Centralized identity · Federated auth (Okta) · RBAC for classified workloads · FreeIPA + LDAP integration
03. Network Architecture & Security

A standardized network security architecture was implemented using Palo Alto Networks as the enterprise firewall and inspection layer.

Key design decisions included:

  • Encrypted IKE/IPsec tunnels connecting on-prem datacenters, AWS and Azure commercial regions, and government-restricted cloud environments
  • Centralized ingress and egress for traffic inspection and control
  • Strong tenant isolation between mission partners
  • Consistent policy enforcement across all environments

This design supported zero-trust principles while enabling mission-critical satellite command and control traffic to flow securely and reliably.

IKE/IPsec tunnels · Zero-trust architecture · Tenant isolation
04. Compliance, Governance & ATO

Compliance was engineered as a platform capability, not a post-deployment activity.

The foundation enforced:

  • DISA STIG baselines across operating systems, hypervisors, and platform services
  • Continuous ACAS scanning and reporting
  • Centralized domain management and policy enforcement
  • ATO-aligned configurations from initial provisioning

All systems, cloud and on-prem, were designed to move through ATO efficiently while maintaining continuous audit readiness. This posture supported executive, agency, and congressional oversight without introducing operational friction.
05. Automation & Mission Self-Service

All baseline infrastructure and tenant environments were provisioned using infrastructure as code, with approval-based workflows governing every change.

Automation was critical to mission scale:

  • Every tenant environment was created from the same hardened baseline
  • Identity, network, logging, and security controls were applied automatically
  • Changes were versioned, reviewable, and reversible

Mission partners could log into the platform console and self-service deploy approved services (such as GitLab, Nexus, VDI environments, or supporting mission tooling) directly into their isolated tenant space.

These services were provisioned, network-segmented, identity-integrated, and compliance-aligned within minutes, not months.

Equally important, tenants, services, and user access could be cleanly removed at mission completion, reducing long-term risk and sprawl.

Self-service deployment · GitLab, Nexus, WorkSpaces, Tanzu · Minutes, not months · Compliance-aligned