ISQS 5231 IT for Managers

iPremier Case Analysis

Professor: Dr. Qing Cao

Team # 4
Dalal Ahmad Sayed Almohri Aliza Levinsky Andy Rupp Avinash Sikenpore

IT ISQS 5231 IT for Managers| 5/4/2010

Table of Contents
Background ............................................................................................................................................. 2 Analysis of the Problem .......................................................................................................................... 3 Alternative Solutions: ............................................................................................................................. 4 Evaluation of Alternatives: ..................................................................................................................... 4 1) Staying with Qdata: ........................................................................................................................ 4 2) Outsourcing to another IT service provider: ................................................................................... 4 3) Develop in-house IT infrastructure: ................................................................................................ 5 4) An in-between solution: .................................................................................................................. 5 Recommendations:.................................................................................................................................. 5 Plan to Implement the Recommendations ............................................................................................... 6 Lessons learnt from the attack................................................................................................................. 8 Appendix A: DOS Attack Timeline ........................................................................................................ 9 Appendix B: Matrices ........................................................................................................................... 10 Appendix C: DOS Attack & SYN-Flood .............................................................................................. 12 Appendix D: SWOT Analysis ............................................................................................................... 14 Appendix E: Total Productive Maintenance ......................................................................................... 15 Bibliography ............................................................................................................................................. 16

IT ISQS 5231 IT for Managers| 5/4/2010

Background
iPremier was found in 1996 by two students from Swarthmore College. iPremier became one of the few success stories in the web based commerce industry. Based in Seattle, iPremier was an online retailer selling luxury, rare and vintage goods. In 1998, iPremier raised money through an initial public offering and even though there were problems in the late 1990s and early 2000s by 2006 profits were $2.1 million with a sales of $32 million. The management of iPremier consisted mostly of young people who had been with the company from the beginning and more experienced managers who were hired as the company grew. The work environment at iPremier can be described as one filled with discipline, professionalism, commitment to delivering results, and partnerships for achieving profits. There perpetrated a doing whatever it takes type of culture in the company which meant that employees will do whatever it takes to get the project done on time, especially when it comes to IT. To understand iPremiers IT structure we need to keep in mind that iPremier outsources most of its management of technical architecture to Qdata. iPremier had planned to move their IT infrastructure and computing resources to another facility however this wasnt iPremiers top priority. Since the cost and time involving this move would be significant, many members of iPremier perceived it as a disruption to normal business for the customers and therefore showed reluctance. Apart from that the top management at iPremier felt a commitment to Qdata due to its cordial and friendly relations for last so many years which was delaying the process further. On 12th January, 2007 iPremiers website had a Denial of Service Attack. At that time the CIO, Bob Turley was out of town and the situation was not handled in the best possible manner. The colocation facility at Qdata did not have the required personal to deal with the problem. The standard operating procedures in such emergencies was unknown and everyone in the company started acting in their own way being mindful of their interests only. The problem escalation was also unstructured and everyone started calling everyone. The report will discuss in details the various issues pertaining to the attack and how they were handled as well as the possible ways to have mitigated the risks of such an attack or handled in a better manner. (A more detailed timeline is given in Appendix A)

IT ISQS 5231 IT for Managers| 5/4/2010

Analysis of the Problem

Understanding the business environment and the IT impact on iPremier is critical to analyze different aspects of the problem. Therefore we have used a group of matrixes (Appendix B) to investigate the situation and provided the following insights. The product/market analysis shows how iPremier is serving a niche market of affluent customers by providing them with high value products; this suggests that upsetting these clients due to lack of security measures in safeguarding their data and credit card information will cost iPremier a fortune ! Furthermore; the IT impact matrix shows IT being the core of iPremiers business and any failure for even a very short duration will cause losses and have a negative consequence both internally and externally. Moreover the coupling interaction matrix shows that iPremiers IT processes are reasonably tight and complex; which suggests that the whole business can easily go down if one part of its IT is not functioning, like the DOS Attack (Appendix C).Also ,when applying the governance &ownership analysis we notice that the outsourcing relationship places iPremier in the alliance form of ownership; this implies that the backbone of iPremier is not within its own hand therefore selecting reliable outsourcer is imperative for its proper functioning. To gain a holistic view and to gain an insight into iPremiers situation a SWOT analysis (Appendix D) was done. Despite their strengths, a SWOT analysis revealed that iPremiers main weakness resides on its lack for a Total Productive Maintenance approach (TPM) which in turn sheds light on three other major weaknesses: absence of a reliable IT provider, deficiencies in internal communication & escalation, and the absence of detailed transaction logs. Because of its weaknesses iPremier was susceptible to many threats, major ones being increased vulnerability toward security breaches, increased chances of repeated attacks, and higher probability of declining IT performance. (Appendix E shows the TPM pillars)

Apart from that iPremier also has to worry about the legal aspects, public relations as well as the impact on stock price after the attack. It might be liable for identity theft of its customers and responsible for legal actions as well. In light of all this the stock price of the firm may also go down.

IT ISQS 5231 IT for Managers| 5/4/2010

Alternative Solutions:
In evaluating the iPremier company and the case situation in hand, we reached to the following conclusion about the available alternatives for the company after the attack: 1. 2. 3. 4. Stay with Qdata Outsource to another IT services provider Develop in-house IT infrastructure Develop an in-between solution (some outsource, some in-house)

Evaluation of Alternatives:
1) Staying with Qdata: The first and easiest alternative available is to stay with the current service provider which is Qdata Company. Although we strongly discourage this alternative, it might be a good idea to stick with Qdata till the time other alternatives are evaluated. However, in order to make this alternative viable, the company needs to take the following actions: Work cooperatively with Qdata to find the potential problems and try to fix them. Create set of requirements to be met by Qdata as pre-requisites in order to continue using their services. For example being more responsible about their services, and providing a real 24/7 support. Obtain higher levels of authorization for iPremiers engineers to access the facilities in case of emergencies. Considering the iPremier's long-term relationships with that company and the overhead costs associated with establishing new contracts with other providers, if Qdata could successfully accept and accomplish these requirements, it can be assessed as a semi-viable alternative. 2) Outsourcing to another IT service provider: In the dynamic and rapidly changing world of information technologies, where new systems and opportunities are created every day, having an up-todate and top notch IT service provider is a crucial requirement for an online merchant like iPremier

IT ISQS 5231 IT for Managers| 5/4/2010

company. Keeping this in mind, the company should make an in-depth research on the various available IT service providers and identify the best choice which fits its requirements in the most economical way. Our suggestion for the time being is to go with one of the top giants in this market like IBM or HP. These companies have a long-term experience in this area and have thousands of large and satisfied customers worldwide. They also have auditing programs which can find problems and opportunities for their customers to enhance their performance and to increase their market share. 3) Develop in-house IT infrastructure: In a long term planning developing its own in-house IT infrastructure is always an attractive option, especially when the company deals with critical data like credit card information of its customers. Even though in-house development is a very expensive and costly decision requiring huge up front investment, which might hamper the profits and cash flow for the initial years, future cost savings might make it seem worth all the efforts and investments. Also, this action might allow the firm to create a competitive advantage over the competition and would provide the opportunity for further expansion of the services. 4) An in-between solution: Sometimes we can find a middle solution that can satisfy the privacy requirements of the customers and decrease the costs of the company through outsourcing. For example if we store the critical information of the company in in-house, highly secured servers with multiple backups and outsource the other IT requirements to an outsider IT provider, we can both enhance our security and create a cost efficient alternative.

Recommendations:
The following courses of actions have been recommended after the attack. It has been divided into three areas:Management 1. Allocate appropriate resources towards IT security 2. Create a standard protocol assigning roles and responsibilities and escalation of communication in such situations 3. Implementation of a disaster recovery and business continuity plan (alternate website)

IT ISQS 5231 IT for Managers| 5/4/2010

4. Use external vulnerability assessment services to periodically check the security level maintained by the IT department. 5. Review management culture orientation of focusing on just the end-results which leads to managers taking shortcuts to expedite delivery of software systems and ignore the controls. 6. Appoint an external audit committee for risk assessment and management

IT Department 1. Implement a robust firewall. 2. Enable logging and regularly monitor them. 3. Install Network-based intrusion detection software. 4. Train and educate all staff on basic systems security. 5. Encrypt sensitive information on the servers 6. Provide guidelines and information regarding people to contact when issues arise 7. Switch the IT services to IBM or HP.

Public Relations 1. Inform the press about investment in state of the art network security systems. 2. Performing an in-depth analysis and evaluation of the collocation facility. 3. Inform that all customer data on its servers will be encrypted.

Plan to Implement the Recommendations

First step for iPremier is to hire a well reputed IT consultant to evaluate the situation. He shall define the software, hardware and network requirements for the company based on their nature of the business. Then the IT consultant can come up with a design for the preferred solutions implementation. The iPremier management team should then review the plan and approve of the necessary funds to implement it.

IT ISQS 5231 IT for Managers| 5/4/2010

Second step would be to create a project team comprising of the key personal responsible for a smooth and trouble free transition to the new system. Even though the actual task would be based on the recommendations of the IT consultant, we feel the for moving from Qdata to IBM for their IT service requirements they need to first carefully the terms in their contract with Qdata. If serious penalties are levied on the party that breaks the contract, we need to work out a solution with Qdata at least till the end of the contract period. Thirdly, assuming there are no major financial implications of ending the contract, it should collaborate with IBM for securely transferring data from the servers of Qdata and setting up a new computing facility with IBM. It should check and review all the terms of the contract as well as the obligations on the part of IBM and iPremier in safeguarding and handling information. The contract should provide adequate protection to iPremier in case data theft or damage. Finally after the project has been successfully implemented, iPremier should develop a standard protocol within its IT department for escalation of any issue as well as the contacting the appropriate person in case of a crisis. All the staff at iPremier needs to be given training on basic computer security and how to avoid the common mistakes in regard to secure computing. These steps will not completely eliminate the risks of attack or secure the iPremier website completely; however it will reduce the possibility of such incident to a manageable level. A standardized approach for dealing with an unusual event would reduce the downtime or at least enable the troubleshooters fix it faster.

IT ISQS 5231 IT for Managers| 5/4/2010

Lessons learnt from the attack

The attack, even though lasted for only a short time, provided some valuable lessons to be learnt. We have enlisted the list of several things taught by this incident: 1. Importance of contingency planning 2. Handling core business operations in a responsible and careful manner (make sure the core business is in the right hands) 3. Importance of support from senior executives 4. Unconditional collaboration in moments of crisis 5. Importance of a good cultural environment (relationships, innovations, entrepreneurship, team collaboration) 6. Define protocols and clear channels of communication 7. Regular evaluation of the IT infrastructure (vulnerability analysis, update protocols)

IT ISQS 5231 IT for Managers| 5/4/2010

Appendix A: DOS Attack Timeline

5:46am: The attack stops. 5:27am: Bob Turley receives a call from the CEO Jack Samuelson.
He asks the CEO to contact Qdatas upper management to let Joanne get access to The Network Operation Center (NOC). Bob Turley discovers from Joanne that the attack was a SYN flood type which is a DoS attack.

4:39am: Joanne contacts Bob Turley and promises to keep him updated on 4:31am: Bob Turley receives a call about an attack on iPremiers webserver.
Discovers from Leon that Joanne is on her way to Qdata. the situation. Bob Turley begins to contemplate pulling the plug due to the liability of credit card information getting stolen. iPremiers upper management begins to contact Turley wanting to know about the situation.

IT ISQS 5231 IT for Managers| 5/4/2010

10

Appendix B: Matrices
Governance and Ownership Matrix In our presentation we places iPremier as a CORPORATION since it consisted of a legally defined organization with different departments like legal, marketing, IT etc. After a more in depth analysis we notice that the outsourcing relationship places iPremier in the ALLIANCE form of ownership; this implies that the backbone of iPremier is not within its own hand therefore selecting reliable outsourcer is imperative for its proper functioning. A formal contract is not formed in a B2C relationship which places iPremier in the MARKET section of the matrix as it provides goods, processes payments and maintains customer profiles.

Product and market positioning Since iPremier currently serves a niche market (mostly affluent) we categorized it as NARROW , but with its plans for growth it is moving up to reach BROAD . Since it sells luxury-rare items we recognize it as VALUE ADDED.

IT ISQS 5231 IT for Managers| 5/4/2010

11

IT Impact At the early beginnings of the company its IT placed it in a HIGH strategic impact position . Later on when competitors entered the market the IT strategic impact became LOW. Since its an online business IT impact on operations is HIGH.

Coupling-Interaction Since all the operations of an e-commerce are mostly online iPremier is reasonably COMPLEX. It is also reasonably tight COUPLING because its operations are interdependent

IT ISQS 5231 IT for Managers| 5/4/2010

12

Appendix C: DOS Attack & SYN-Flood

Denial of Service attack A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

IT ISQS 5231 IT for Managers| 5/4/2010

13

SYN Flood attack SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. Normally runs like a three way handshake:

1. The client requests a connection by sending a SYN (synchronize) message to the server. 2. The server acknowledges this request by sending SYN-ACK back to the client. 3. The client responds with an ACK, and the connection is established. When the attacking computer doesnt reply to the SYN-ACK sent by the server it consumes resources and when this process is repeated a large number of times the server is rendered incapable of responding. SYN-Flood is a type of DoS attack.

IT ISQS 5231 IT for Managers| 5/4/2010

14

Appendix D: SWOT Analysis

Strengths:
Leaders in the e-commerce Resourceful pool of employees (talented young people, experienced managers) with reputations of high performance. iPremier targeted at high-end customers and had flexible return policies. Credit limits on charge cards are rarely an issue.

Weaknesses:
Problem in internal communication and escalation deficiencies. iPremier does not have detailed transaction logs as it involves a trade off with speed Building all of their systems on poor performance IT services provider.

Opportunities:
iPremier is one of the few success stories of e-commerce business Given that iPremier established a very strong high-end customer base, it now has the opportunity of extending and tapping into the mid-class consumer base as well

Threats:
Security issues that can harm the overall performance and success of iPremier Due to the lack of detailed transaction logs, possibility of repeated attack. IT operations outsourced to Qdata, (dont have required immediate access and control over their data center and network). Qdata was not investing in advanced technology and upgrades.

IT ISQS 5231 IT for Managers| 5/4/2010

15

Appendix E: Total Productive Maintenance

iPremier could support its operation in the Total Productive Maintenance five pillars Elimination of main problem: Outsource its core business Autonomous maintenance: Take responsibility in its own hands Planned Maintenance: Create policies and contingency plans Early Management of new equipment: Invest smartly in security of its infrastructure Education and training on the job: Prepare the personnel to deal with common IT related problems that it can face.

IT ISQS 5231 IT for Managers| 5/4/2010

16

Bibliography
The Advantages of TPM. (2008, 02 16). Retrieved 04 28, 2010, from Eco Max - Training and Learning Center: www.ecomaxmc.com/blog/ Garafalo, D. J. (2004, 03 28). IST University Computing Systems. Retrieved from Management of Information Systems: http://web.njit.edu Lynda M Applegate, R. D. (2008). Corporate Information Strategy and Management: Text and Cases. McGraw-Hill/Irwin. Robert D. Austin, L. L. (2007, 07 26). iPremier Co. (A): Denial of Service Attack. Harvard Business Publishing.