09 Jun Question IT Risk, Security And Management
Task
Read the DTGOV Case Study before you attempt this assignment
A chief strategic objective of the standardisation of DTGOV’s service portfolio is to achieve increased levels of cost-effectiveness and operational optimisation.
DTGOV is considering the following strategic proposal:
They plan to retain one (1) of their three (3) data centres solely for data storage. This would entail updating their Active Directory and data storage infrastructure, and moving all other infrastructure into the Cloud.
They plan to initially move all their Web Services into the Cloud in order to provide an increased level of HA (High Availability) as well as a better degree of flexibility in supplying data to their customers and employees. This would entail changing their current web software architecture to take advantage of the flexibility and scalability that can be gained by moving to a Microservices model (this would entail the use of such services as AWS Lambda or Azure Functions, Containers, Data Services, and Cloud Edge capability and monitoring).
They also plan to migrate their LoB (Line of Business) applications to Public Cloud infrastructure to increase their flexibility and availability.
The DTGOV Board is contemplating this strategy as a way to increase the company’s flexibility and responsiveness. The Board also expects to achieve significant savings on the cost of maintaining their ICT infrastructure by eventually closing the other two (2) existing data centres. They appreciate that this would entail retraining for their existing ICT staff so that they can manage the new Cloud based infrastructure.
DTGOV has again approached you to advise them on this strategy. You have previously advised DTGOV that this strategic approach will mean that they will need to ultimately design and operate a “Hybrid Cloud” methodology, where part of their data centre is “on premise” and another part in a Cloud.
DTGOV also plan to run a Risk and Security Workshop to assess the risks, security issues and possible methods of control that will be required with this “Hybrid Cloud” approach. You will be required to organise, run and facilitate this workshop.
The Board is also concerned about how this strategy will affect their BCP (Business Continuity Plan) and their backup and disaster recovery strategies.
Tasks
Your team has been engaged to provide a report for DTGOV in their planned move to a Hybrid Cloud strategy.
Team Setup
This assignment is a team assignment. The rationale for using a team approach is that most IT risk management assessments are normally done by teams of between 2-5 Architects, Information Security experts, Operations and Business leaders for each problem. You will be assigned to a team and the team, as a whole, will be responsible for the development of the risk assessment.
Team Member Responsibilities
Each team member will be assessed on:
The final risk assessment presented by the team;
The individual contributions that they have made to the risk assessment. This will be shown by the entries that they have made in the Team forum;
Team members should note that:
A total of 20% of the total marks for this assignment are for individual contributions to the team task;
A team member without any individual contributions in the Team Forum will be regarded as having not contributed to the risk assessment. This will result in either reduced marks or no marks being awarded to that team member for this assignment.
The tasks:
The team’s task is to prepare a report for DTGOV that discusses the following:
Describe which Cloud architectures you would employ to assist DTGOV to meet the Board’s strategy.
Describe each of the architectures that you would use, along with your reasons for deploying it. (10 marks)
Describe the benefits and issues that would be the result of your deployment of these architectures. (10 marks)
Describe the risks that you see associated with this new Hybrid Cloud and Microservices strategy. You should name and describe each risk that you identify, and then describe a possible control for the risk. This should be presented in a tabular form. (20 marks)
Describe the general Information Security steps and controls that you would recommend to the Board to secure the Hybrid Cloud. You will need to explain to the Board your reasons for recommending these particular security steps. (20 marks)
Discuss briefly what you would recommend should be included in DTGOV’s BCP as a result of their adoption of a Hybrid Cloud and Microservices approach. You will need to consider, as a minimum, the issues of application resilience, backup and disaster recovery in a Hybrid Cloud environment. This section should be no more than 2 pages. (10 marks)
Discuss the requirements that DTGOV will need to consider in order to conduct remote server administration, resource management and SLA management for its proposed IaaS and PaaS instances (it may be useful to consider Morad and Dalbhanjan’s operational checklists for this section). This section should be no more than two to three pages in length. (10 marks)
The team is to provide a written report with the following headings:
Proposed Architectures for a Hybrid Cloud
Risk report for Hybrid Cloud and Microservices
Proposed Information Security controls
BCP Changes
Hybrid Cloud Administration and SLA Management
As a rough guide, the report should not be longer than about 6,000 words. The report is to be loaded into the Team Resource area in Interact.
All risk assessment discussions in the team forum should be exported into a single document and loaded into the Team Resource area in Interact.
It is suggested that the report be written in Google Docs using MS Word format. Google Docs allows multiple authors to contribute to a single document, and their individual contributions can be more easily assessed.
Your team report MUST be presented in MS Word format. Your report should:
Use Calibri, or a similar font, in 11 or 12 point type.
All diagrams and images are to be embedded in the document. Diagrams and images that are supplied separately will not be marked.
All text should be left-justified.
Each page must have a header or footer with your name and student number. Page numbers must be shown in the footer of each page, except on the title page.
DTGOV – A Case Study
Background
DTGOV is a public company that was created in the early 1980s by the Ministry of Social Security. The decentralisation of the Ministry’s IT operations to a public company under company law gave DTGOV an autonomous management structure with significant flexibility to govern and evolve its IT operations and structure.
At the time of its creation, DTGOV had approximately 1,000 employees, operational branches in 60 different localities nationwide, and operated two mainframe-based data centres. Over time, DTGOV has expanded to more than 3,000 employees with branch offices in 300 different localities. DTGOV now has three data centres running both mainframe and Intel x86 platform environments. Its main services are related to processing social security benefits across the nation.
DTGOV has enlarged its Government customer portfolio in the last two decades. It now serves other public sector organisations and provides basic IT infrastructure and services, such as server hosting and server co-location. Some of its customers have now outsourced the operation, maintenance and development of applications to DTGOV.
DTGOV has sizable customer contracts that encompass various IT resources and services. However, these contracts, services and the associated service levels are not standardised – negotiated service provisioning contracts are typically modified for each customer individually. DTGOV’s operations are becoming increasingly complex and difficult to manage, which has led to inefficiencies and inflated costs.
The DTGOV Board of Management realised, some time ago, that the overall company structure could be improved by standardising its services portfolio. This standardisation implies the redesign and re-engineering of both IT Operational and Management models. This process has started with the standardisation of the DTGOV hardware platform through the creation of a clearly defined technological lifecycle, a consolidated procurement policy and the establishment of new acquisition practices.
Technical Infrastructure and Environment
DTGOV operates three data centres:
• One is dedicated solely to Intel x86 platform servers. These servers use Windows Server 2012 R2 (approximately 70%) and Red Hat Enterprise 5 (approximately 30%);
• The remaining two have both Mainframe and Intel x86 platforms. The Mainframe platforms are used exclusively for the Ministry of Social Security and are therefore not available for outsourcing. The Intel x86 platform servers in these data centres have the same mix as that of the first data centre.
The data centre infrastructure occupies approximately 1,860 square metres (20,000 square feet) of computer room space and hosts approximately 100,000 servers with different hardware types and configurations. The total storage capacity of DTGOV’s data centres is 10,000 Terabytes (10 Petabytes). DTGOV’s network has redundant high speed data links (minimum speed of 100 Mbit/sec) connecting the data centres in a full mesh topology. Their Internet connection is considered to be provider-independent as their network connects to all major national telecom carriers.
A server consolidation and virtualisation project has been in place for five years, and has had some success in considerably decreasing the diversity and number of hardware platforms. As a result, systematic tracking of the investments and operational costs related to the hardware platform has revealed significant improvement. However, there is still considerable diversity in the DTGOV software platforms and configurations due to the many different customer service level agreements and service customisations.
Business Goals and Strategy
A chief strategic objective of the standardisation of DTGOV’s service portfolio is to achieve increased levels of cost-effectiveness and operational optimisation. An internal executive level working party was established to define the directions, goals and strategic roadmap for this initiative. The working party has identified cloud computing as a guidance option which offers an opportunity for further diversification, improvement of customer services and customer portfolios.
The roadmap addresses the following key points:
• Business Benefits – Concrete business benefits associated with the standardisation of service portfolios under the umbrella of cloud computing delivery models need to be defined. For example, how can the optimisation of IT infrastructure and operational models result in direct and measurable cost reductions?
• Service Portfolio – Which services should become cloud based, and which customers should they be extended to?
• Technical Challenges – The limitations of the current technology infrastructure in relation to the runtime processing requirements of cloud computing models must be understood and documented. Existing infrastructure must be leveraged to the greatest extent possible in order to minimise up-front costs assumed by the development of the cloud based service offerings.
• Pricing and SLAs – An appropriate contract, pricing and service level strategy has to be defined. Suitable pricing and SLAs must be developed to support the initiative.
One outstanding concern relates to changes to the current format of contracts and how they may impact business. Many customers may not want to – or may not be prepared to – adopt cloud contracting and services delivery models. This becomes even more critical when considering the fact that 90% of DTGOV’s current customer portfolio consists of public organisations, such as Government Departments, Government Agencies and Community-based organisations and agencies, that typically do not have the autonomy or the agility to switch operating methods and models on short notice. Therefore, the migration process is expected to be long term. This may add to DTGOV’s risk if the roadmap is not clearly defined. A further outstanding issue relates to IT contract regulations in the Public Sector – existing regulations may become irrelevant or unclear when applied to cloud technologies.
Roadmap and Implementation Strategy
Several assessment activities were initiated to address the aforementioned issues. The first was a survey of existing customers to probe their level of understanding, on-going initiatives and plans regarding cloud computing. Most of the respondents were aware of and knowledgeable about cloud computing trends, which was considered a positive finding.
With these findings, the working party decided to:
1. Choose IaaS as the target delivery platform to start the cloud computing provisioning initiative;
2. Hire a consulting firm with sufficient cloud provider expertise and experience to correctly identify and rectify any business and technical issues that may afflict the initiative;
3. Deploy new hardware resources with a uniform platform into two different data centres, aiming to establish a new, reliable environment to use for the provisioning of initial IaaS-hosted services;
4. Identify three customers that plan to acquire cloud-based services in order to establish pilot projects and define contractual conditions, pricing and service-level policies and models;
5. Evaluate service provisioning of the three chosen customers for the initial period of six months before publicly offering the service to other customers.
As the pilot project proceeds, a new Web-based management environment is released to allow for the self-provisioning of virtual servers, as well as SLA and financial tracking functionality in real-time. The pilot projects are considered highly successful, leading to the next step of opening the cloud-based services to other customers.
