Written by Dr. Bess
August, 2014

Case Study – Cloud Computing

Better Payments Incorporated Ventures into the Cloud

This case study was written by Dr. Bess and is purely fictional in nature. Better Payments Incorporated
within this case study is a purely fictional entity. Any similarities to names of actual organizations are
purely coincidental. This case discusses certain aspects of the electronic payments processing industry
and common scenarios faced by organizations considering cloud deployments. The names of several
specific card associations are mentioned only to provide clarity to the students with regard to the types
of services offered by BPI as an electronic payments organization. This allows the student to better
understand the type of services the fictional entity BPI provides to its clients. This case is intended to
provide students with a scenario with which to better consider the security implications of cloud security.

Background
Congratulations, it is March, and you have just been hired as the first CSO of a 5-year-old startup
company called Better Payments Incorporated (BPI). BPI is a multinational payments organization that
is headquartered in Miami, Florida and is privately funded by venture capital investors. BPI has created
an electronic payment processing platform that allows its clients (usually large retailers with multiple
physical stores, banks or online merchants) to create electronic payment instruments in the form of
stored value Visa, Mastercard or American Express branded cards. These are not credit cards or debit
cards, but are electronic payment cards where BPI maintains the card balances which are typically
funded by the card holder, employer or client. Some of the cards are actual plastic cards that can be
purchased at large retail outlets as gift cards for example, while other cards are payroll cards issued by
employers instead of payroll checks for those employees who do not have bank accounts (commonly
referred to as unbanked customers). Some of the cards are virtual cards, where no actual plastic card is
issued.

BPI has partnered with several large banks to sponsor the BINs (first four to six digits on a credit, debit
or similar card). Banks are assigned BIN ranges, which are required for the correct routing of card
transactions and ultimately the clearing of financial transactions. Some examples of the card
programs developed by BPI include, but are not limited to: payroll cards, gift cards, flexible spending
cards, loyalty cards, travel money cards and virtual cards for person to person mobile payments.

Employee Base
BPI has approximately 800 employees who span the globe in countries such as the United States, Spain,
India, Canada and various countries in Latin America. The corporate office in Miami has approximately
400 employees, who represent a cross section of the organization including finance, operations,
software and systems development, quality assurance, data center operations, human resources,
business development and client management. There is also a 100 seat call center located in Dallas,
Texas, and a 100 seat call center located in Mumbai, India. There are approximately 20 different sales
offices globally containing various sales and business development teams, which typically contain three
to ten employees at each location.

Copyright 2014 © Dr. Bess. All rights reserved. Duplication or Distribution is strictly prohibited without
expressed written permission.

Production Payments Technology Platform


BPI has built over the past 5 years a payments processing platform that is based on a combination of
custom payments software written in house and external third party services. This platform runs on Red
Hat Linux Enterprise edition and has used extensive integration with various external partners. The
payments processing platform consists of the following logical components.

System Name: Function

Authorization System: Approves or declines transactions as they come in from merchants.

Settlement System: Moves money from one account to another.

Integrated Voice Response (IVR): Handles calls coming in from the card holders for balance inquiries, reports of lost or stolen cards and card activation.

Call Center Application: Used by customer service representatives to look up cardholder activity, answer card holder questions and assist with replacement of lost or stolen cards.

Fraud System: Allows internal BPI fraud teams to identify fraudulent card activity and money laundering activity. Uses both internally developed systems and connections to external partners. Also has some business rules such as card usage velocity, AVS, card load rules and others as needed by the business.

Reporting System: Produces standard reports for merchants to look at card usage activity, card creation, fraud reports, and card inventory at various locations.

Back Office System: Allows for clients and client management teams to create new card programs, issue new cards to stores, set up business rules for the cards, and new cardholders or program managers.

Card Embossing: Process that actually creates the plastic cards. This also includes services that mail the card to the cardholder.

BPI has not developed a disaster recovery capability or plan nor does it have a business continuity plan.
BPI does not have a backup site for any of its operations. BPI currently has a 3,000 foot data center
located on the 4th floor of their corporate headquarters. The data center is supported by a large
generator and battery backup system. There is enough fuel onsite to run critical payment processing
systems for 48 hours before refueling is needed. They have approximately 150 servers, 2 SAN storage
arrays, 30 different networking devices (routers, switches and firewalls) and two large public branch
exchange (PBX) systems supporting the two 100 seat call centers. BPI has considered migrating the
legacy call center technology stack to use VOIP to better integrate with the rest of the organization but
has not done so yet.

End user Support Systems

In addition to the production payments processing platform, BPI’s data center also contains internal
support servers for BPI users worldwide providing the following services.

Email services (Web mail)
File services
Print services
Source code library
Image library
Development, QA and Test servers
Patch and Antivirus servers
Bug tracking system

BPI, like many organizations, has a significant investment in end user hardware and software. After 5
years many of the laptop and desktop systems are struggling to keep up with the CPU and memory
requirements of the latest editions of operating systems and desktop applications. Some of its
departments have standardized on various Microsoft and other commercial products for both the
operating system and common desktop applications for word processing, spreadsheets, and design
documents. Other departments have chosen to standardize on the Apple platform for creative design
work, sales and marketing activities. BPI spends a significant amount of capital each year on desktop
related software, a cost that continues to rise every year on a linear basis with its hiring.

The development team has chosen to run Red Hat for their development workstations and to run
various source code repositories and trouble ticketing systems. The company has an aging telephone
system shared with the call center, which is largely unused due to its new implementation of desktop
voice over IP phones and an internal communications and video conferencing system that runs on users'
desktops. Users at BPI currently have approximately 30 different applications they need to
authenticate to, some of which use an integrated directory services server, while others are standalone
systems. The IT department has expressed a need for an integrated identity and access management
solution. It was recently discovered that many users are also using external mail service providers for
company communication to clients. Users have also started to make use of external file storage from
cloud based providers, chosen according to each department manager's preference.

Challenges
BPI has doubled in size every year in both sales and number of employees hired. It has opened
offices in 4 new countries this past year alone, and it is struggling to keep up with demand in the
marketplace. Despite its excellent sales growth, BPI's expenses have increased at nearly double the revenue
rate and rising expenses are quickly eliminating any profit that BPI previously had projected. BPI is now
facing significant budget challenges and struggling to make its profit projections while maintaining
sufficient operating cash. To make matters worse, BPI recently experienced a data breach where hackers
were able to take advantage of several unpatched workstations and servers to install malware and
create back doors into the organization's systems. BPI also suffered a distributed denial of service attack
last month. BPI servers are currently at 95% utilization rates and are almost out of disk space, despite a
recent unsuccessful project to archive and remove "old" data that was no longer needed. BPI also
does not know the extent of what regulated data (PII and financial information) exists outside its system
boundaries and in various free cloud service providers' systems.

The CIO has been given the mandate to reduce cost, increase security and enable the business to
expand more readily in remote geographic regions across the globe. Frustrated with sluggish
performance, there are also rumors of a growing push by department managers for a technology refresh
across the organization.

The CIO has scheduled a meeting with you to discuss various cloud computing options he will present to
the CEO later in the week. The CIO wants to better understand the security implications of utilizing cloud
services. The CEO and CIO met the previous week and agreed that aside from the above mandates,
there are four business objectives that the organization must satisfy at a minimum with its cloud
approach. They are as follows:

1) Prepare BPI to scale to quadruple the transaction volume on the platform for the upcoming
fiscal year during the months of November, December and January based on the current growth
projection. BPI must be able to cost effectively scale back after January to an appropriate level.
This needs to occur without the purchase of new equipment or expansion of the existing data
center.

2) Decrease capital expenditures on end user workstations and software licensing expenses while
allowing quicker onboarding of employees around the globe. Reduce overall internal disk
storage use. Provide easier and quicker collaboration and sharing of files and other data across
the globe.

3) Provide an online sales lead and tracking application to better coordinate business development
activities.

4) Establish a disaster recovery capability and a business continuity capability that ensures that BPI
can continue to operate if its Miami center were destroyed in a category 5 hurricane.

It is your job as the CSO to assist the CIO in his decision and recommendations to BPI.
