					                               Hosting Breakfast Briefing

              The Practical Implementation
                 of Selective Sourcing
                                           July 2005

                                                            Glen Noble
                                         Head of Convergent Programmes
delivering for business and government
 Macquarie Telecom

        Telecommunications Carrier, formed 1992

        Voice, Mobile, Data, Hosting Solutions

        IT&T Solutions to Business & Government

        Australia & Asia

        Hosting Solutions
          –    World class facility : DSD Gateway, AS17799, Sun Tone, RedHat
          –    Broadband multi-homed, carrier independent
          –    Managed Hosting, Managed Security
          –    BCP / DR, Managed Storage, WAN Integration

 Today’s presentation

        Defining Selective Sourcing, Managed Hosting & Security
        Customer trends in Selective Sourcing
        Why outsourcing must be evaluated
        The challenge balancing cost with security
        SLGs – are they worth it?
        Checklist for selective sourcing contracts

 Defining Selective Outsourcing

       Full Outsourcing
         Organisation hands over the majority of IT responsibilities to an
         external company. Typically long-term agreements designed to give
         higher control and transparency on costs with a fixed-price

       Balanced approach
         Right Mix – Selective sourcing
         Offers greater control as the specific functions are managed
         separately, allowing the organisation to retain skills in-house as
         well as having access to external best-practice resources.

       Full Insourcing
         Organisation relies on internal resources, and is more common when
         the scale of IT infrastructure is small.

 Defining Managed Hosting &
 Security Solutions

        Managed Security
          – Managed Firewall
          – Clean Internet
                AV, AS, CF
          – 24x7 SOC
                Countermeasures, IDS
                Reporting, correlation engines
          – Patching
                server, FW, AV, IDS
          – IP VPN
                IP Sec, AAA, PKI
          – Professional Services
                Design, audits, TRA, Pen, Testing, Vul Assess

        Managed Hosting
          – Dedicated Hosting
                Linux, Windows, Unix
                Clustering, Load Balancing, Virtual Machines
          – Managed Co-location
          – Managed storage
                NAS, SAN, BU, recovery
          – Data network integration

 Customer Trends

        As Web sites become more business critical...
           – architecture moving to
                 Clustering, load balancing, Virtual machines
           – Reports & analysis
           – Certifications (vendor & third party)
           – Port based pricing
           – Renaissance of Managed Storage
           – Integration of the islands : data network, internet, hosting with
             security wrap

 The reasons Selective Outsourcing
 MUST be at least evaluated

  1.       Access to required Skill Sets
  2.       Security
  3.       Improved Service / Improved Reliability
  4.       Cost savings
  5.       Focus on core competency

  6.       Others
           •       Data Network integration
           •       The necessity of 24x7
           •       Corporate Governance and BCP / DR

 Hosting User Trends

        [Figure: two bar charts of survey responses; bar values not recoverable]

        Internal drivers (axis 0% to 50%)
           – Better control of Web site
           – More cost effective
           – No perceived value in outsourcing
           – Security
           – Have skills internally
           – Historical Reason
           – No good reason
           – Other
           – Don't Know

        External drivers (axis 0% to 30%)
           – Access to required skills
           – Security
           – Better service quality
           – Improved reliability and availability
           – Cost Benefits
           – Focus on core
           – Historical Reason
           – Network/Bandwidth
           – Other
           – Don't Know

 1. Access to Skills : Example
 Hosting Customer Ozjet

           – New Business Class airline, economy rates
           – Expect 90 % flights to be sold online
        Macquarie to provide
           –    hosted Web site & internal infra inc DBs, email, SABA gateway
           –    integrate 5 – 10 offices IP VPN data network
           –    Managed security services
           –    Load balanced & clustered architecture for high availability
        Why ?
           – Single point of accountability
           – Speed of implementation
           – Saves Capex in setting up IT infra & data centre

                        Access to skills, resources & capabilities
 2. Security

        Example : Government Managed Security Customer
                       Did not have sufficient IT security skills & systems in house
                       Hosts business critical transactional web site with Macquarie
                       Internet connectivity & IP VPN
                       Outsourced Solution requires
                          – AV, CF, AS, MFW
                          – 24x7 SOC, reporting & analysis
                          – DSD Gateway, DDoS protection, IDS

 2. Example Managed Security
     Customer (May 2005)

        [Diagram: www in front of three servers]

        Extract from Virus List
           W32/Sober-N                                   12338
           W32/Netsky-P                                   3300
           SAVI_FILE_PART_VOL                             1820
           W32/Netsky-Z                                    406
           W32/Netsky-C                                    391
           W32/Netsky-D                                    381
           W32/Netsky-S                                    282
           W32/Zafi-B                                      102
           SAVI_FILE_ENCRYPTED                              57
           W32/Bagle-AI                                     54
           W32/Bagle-AG                                     41
           W32/Mimail-I                                     40
           W32/Bagle-Zip                                    38
           W32/Netsky-AE                                    32
           W32/Netsky-B                                     32
           W32/Mimail-A                                     30
           SAVI_FILE_CORRUPT                                29
           W32/Mabutu-A                                     25
           W32/MyDoom-O                                     16

        Email statistics
           Number emails delivered                      513572
           Bytes emails delivered                  20807282047
           Number of Mass Mail Viruses Discarded         17449
           Number Quarantined with suspect attachments      38
           Number Quarantined from custom blacklist          0
           Number Quarantined as spam                    74852
           Number of viruses detected                    19544
           Number of spams tagged                         5366

 2. Example Managing Security
 Customer (May 2005)

        [Diagram: www in front of three servers]

        High Priority Events
           Item   Event Name                        Priority   Event Count
           1.     Email_Virus_Suspicious_Zip        High          32419
           2.     HTTP_IE_HTML_Embed_Overflow       High            643
           3.     HTTP_Code_Red_II                  High            551
           4.     HTTP_Windows_Executable           High            192
           5.     DNS_Windows_SMTP_Overflow         High            167
           6.     Email_Pipe                        High             65
           7.     TCP_Data_Changed                  High             62
           8.     HTTP_Mozilla_Nonascii_URL_BO      High             48
           9.     HTTP_IE_Script_HRAlign_Overflow   High             34
           10.    SSL_PCT1_Overflow                 High             28

        Top 10 Origin
           – Qinghai Medical college – China
           – MicroLink Data – Lithuania
           – XXXXXXX – Australia
           – Affinity Internet, Inc – USA
           – XXXXXXX – Australia
           – Bigpond – Australia
           – XXXXXXXX – Australia
           – LIANXINGFUCAIHOUJIE – China
           – Taiwan Academic Network – Taiwan

 3. Improved Quality / Improved

        Infrastructure & scale
           –    Power systems, batteries / diesel
           –    Security systems (IDS, Correlation engines, etc)
           –    Management tools
           –    Skilled People
        Genuine broadband telco & internet connectivity
           – Multi-carrier, GE, broadband
        24 x 7 SOC
        Core focus of outsourcer
        Independent certifications & accreditations
        SLGs / rebates

 4. Cost: What is the true cost of
 your Security Breach?

  Productivity
  • Number of employees impacted X hours out X burdened hourly rate

  Damaged Reputation
  • Customers
  • Suppliers
  • Financial markets
  • Banks
  • Business partners

  Financial Performance
  • Revenue recognition
  • Cash flow
  • Compensation
  • Payment guarantees
  • Credit rating
  • Stock price

  Other Expenses
  • Temporary employees
  • Equipment rental
  • Overtime costs
  • Extra shipping costs
  • Travel expenses

           BIA : Business Impact Assessment
           Know your downtime costs; per hour, per day, two days...
 4. Cost : Total Cost of Ownership
 of Security

           – Capex
                FW, IDS, Servers, BU, AV, AS, CF                   $20k-$1m
                Professional Services Consulting                   $50k – $1m
           – Opex
                Maintenance & licensing                            $20k-250k pa
                Staff {9 - 5 vs 24- 7}                             $150k- $1m pa
           – TCO
                over 3 years                                       $250k-$4m
           – Service fee per month                           $400-$8k pm
                  Can you afford to do In-House security ?
 4. Cost : Total Cost of Ownership

  Customer's Internal Costs
  Start-up Cost
      2 Compaq DL360, incl ethernet card, 36 G Harddrive                               $17,600
      Tape Back Up system                                                              $ 6,600
      Firewall & IDS                                                                   $ 3,890
      Rack Hardware including side panel, fan kit and rack switch box                  $ 1,460
      Other equipment inc keyboard and monitor, cabling, etc                           $ 4,200
      UPS (Uninterrupted Power Supply) and PDU (Power Distribution Unit)
  Monthly over 24 months                                                               $ 2,180 pm

  Monthly Ongoing Costs
      2 x 2 Mbits/s Bandwidth Access incl 20GB                                         $ 1,250
      1/4 Full time person ($130k loaded) - monitoring, patching, changes, fault, etc  $ 2,700
      Real Estate contrib (2 sqm computer room)                                        $   360
      Security - Physical and online                                                   $   500
      Power/Ports                                                                      $   300
  Total Ongoing Monthly Cost                                                           $ 5,110 pm
  Total Annual Cost                                                                    $87,600 pa

  Hosting Charges
      2 Macquarie Business Class Dedicated Hosting                                     $ 3,200
      Security, BU, internet                                                           $   400
  Annual Total                                                                         $43,200 pa

  [Callout: Annual Savings]
                             Capex & risk becomes scaling opex
                            => Scale as you grow : pay as you go
 5. Focus :
 A question ?

           – ~100% of govt & business organisations have a permanent
             internet connection (ie 24x7x365)
           – 95%+ of organisations have an online presence
           – 95%+ of viruses are preventable with patch processes
           – How come the AUSCERT 2005 survey shows 85% of organisations had
             data integrity threats from viruses?

               Organisations have failed to protect themselves !
 6. Other : The need for 24x7
 staff coverage

  The Issue : “How do you protect your transactional web site,
    which is connected to the internet, after business hours?”
    Protection requires human Monitoring & responses 24x7
           – Interpretations of correlation engines, alarms, etc
           – Rapid root cause analysis (assuming you have the tools to do it!)
           – Escalations & communications
                 Customers, authorities, management, up / down internet
           – Filtering & threshold dumping
           – Countermeasures, IP address blocking & quarantining
        But it carries a significant cost
           – 1 staff x 9-5 + 2 staff x 2 shifts + 2 for hols / sick leave = 7
           – $100k + 50% on costs x 7 staff = $1 m pa

 6. Other : Corporate Governance &
 Business Continuity Planning

         Privacy (Private Sector) Amendment Act 2000
         Cybercrime Act 2001
         Commonwealth Criminal Code
         Corporate Culture Offences
         NOIE/AGs Business Govt Task Force 2002
         Sarbanes – Oxley
         ASX Principles 4 & 7

    Corporate Governance has now pushed Business Continuity
            Planning from the board room back to IT
 6. Other : Data Network

        [Diagram: a Hosting Center with Security sits between the Internet
        (Hackers, Viruses, Spam, Content), the Intranet or Extranet, and an
        IP VPN linking the Branch Office (Router and/or Encryptor),
        Customers or Vendors, and Mobile/Telecommuters. Legend: Secure with
        QoS; Secure without QoS.]

               Integrated Hosting, Data Network, Internet,
                           with Security Wrap
 Why Selective Outsourcing
 MUST be at least considered

  1.      Access to required Skill Sets
  2.      Security
  3.      Improved Service / Improved Reliability
  4.      Cost savings
  5.      Focus on core competency

  6.      Others
           –      Data Network integration
           –      The necessity of 24x7
           –      Corporate Governance and BCP / DR

               Outsourcing provides selective options to improve
                    e-business deployment & performance
 Service Level Agreements

           – Look for SLGs (Guarantees) not SLAs
           – Check fine print for targets vs rebates
           – How are rebates paid? (auto or “get your lawyer”)
        Metrics ?
           – Provisioning, MTTR, Availability etc now common
           – Security ?
           – What about degraded performance?
                 Internet variances v customer app issue v supplier v ??
        Certifications & accreditations - the new SLG !

 Selective Sourcing Checklist

        You
           – Asset audit
           – BCP
           – IT capabilities assessment
           – Strategic Linkage between IT & the business
           – What is core? What’s not?
           – Outsourcing Business Case

        Service Provider
           – Certifications
                 Vendors
                 Independent third parties
           – SLGs
           – Data network integration ?
           – Security capabilities
           – References
           – Grow in scale ?
           – Solutions leadership?
           – Alliance Partner strategy


        Organisations are obliged to at least evaluate Managed
           – Cost, skills access, security, focus, corporate governance, etc

        All orgs have data network, web site, & internet
        connection, all have 24x7x365 security problem

        Managed Hosting & Managed Security provide
        selectable, scaling outsourcing options

        You just have to Select which parts to be done internally
        vs outsourced

 Some Questions to Consider ?

        If your organisation’s security was compromised, what would that do
        to your personal reputation?
        If you lost power to your HQ data centre for 8 hours, what impact
        would this have on; your users? other offices? customers ? business?
        If you were audited today, would you be able to present a current …?
          – BCP, IT security policy, results simulated DRP test

        Is the ongoing investment in specific IT systems & resources directly
        contributing to your organisation’s business goal ?
        Can this function be performed cheaper or better by a third party ?
