Case Analysis IPremier

ISQS 5231 ± IT for Managers iPremier Case Analysis Professor: Dr. Qing Cao Team # 4 Dalal Ahmad Sayed Almohri Aliza Levinsky Andy Rupp Avinash Sikenpore

IT ISQS 5231 ± IT for Managers| 5/4/2010 1 Table of Contents Background ..................................................................... ........................................................................ 2 Analy sis of the Problem ............................................................. ............................................................. 3 Alternative Solu tions: ......................................................................... .................................................... 4 Evaluation of Alternative s: ............................................................................. ........................................ 4 1) Staying with Qdata: .............. ................................................................................ .......................... 4 2) Outsourcing to another IT service provider: .... ............................................................................... 4 3) Develop in-house IT infrastructure: ....................................... ......................................................... 5 4) An in-between sol ution: ......................................................................... ......................................... 5 Recommendations:.................... ................................................................................ .............................. 5 Plan to Implement the Recommendations ......... ................................................................................ ...... 6 Lessons learnt from the attack......................................... ........................................................................ 8 Appen dix A: DOS Attack Timeline ..................................................... ................................................... 9 Appendix B: Matrices ..... ................................................................................ ...................................... 10 Appendix C: DOS Attack & SYN-Flood ... ................................................................................ ........... 12 Appendix D: SWOT Analysis ....................................... ........................................................................ 14 Appe ndix E: Total Productive Maintenance ........................................... .............................................. 15 Bibliography ................. ................................................................................ ............................................ 16

IT ISQS 5231 ± IT for Managers| 5/4/2010 2 Background iPremier was found in 1996 by two students from Swarthmore College. iPremier bec ame one of the few success stories in the web based commerce industry. Based in Seattle, iPremier was an online retailer selling luxury, rare and vintage goods.  In 1998, iPremier raised money through an initial public offering and even thou gh there were problems in the late 1990s and early 2000s by 2006 profits were $2 .1 million with a sales of $32 million. The management of iPremier consisted mos tly of young people who had been with the company from the beginning and more ex perienced managers who were hired as the company grew. The work environment at i Premier can be described as one filled with discipline, professionalism, commitm ent to delivering results, and partnerships for achieving profits. There perpetr ated a ªdoing whatever it takesº type of culture in the company which meant that emp loyees will do whatever it takes to get the project done on time, especially whe n it comes to IT. To understand iPremier's IT structure we need to keep in mind th at iPremier outsources most of its management of technical architecture to Qdata . iPremier had planned to move their IT infrastructure and computing resources t o another facility however this wasn't iPremier's top priority. Since the cost and t ime involving this move would be significant, many members of iPremier perceived  it as a disruption to normal business for the customers and therefore showed re luctance. Apart from that the top management at iPremier felt a commitment to Qd ata due to its cordial and friendly relations for last so many years which was d elaying the process further. On 12th January, 2007 iPremier's website had a Denial  of Service Attack. At that time the CIO, Bob Turley was out of town and the sit uation was not handled in the best possible manner. The colocation facility at Q data did not have the required personal to deal with the problem. The standard o perating procedures in such emergencies was unknown and everyone in the company started acting in their own way being mindful of their interests only. The probl em escalation was also unstructured and everyone started calling everyone. The r eport will discuss in details the various issues pertaining to the attack and ho w they were handled as well as the possible ways to have mitigated the risks of such an attack or handled in a better manner. (A more detailed timeline is given  in Appendix A)

IT ISQS 5231 ± IT for Managers| 5/4/2010 3 Analysis of the Problem Understanding the business environment and the IT impact on iPremier is critical  to analyze different aspects of the problem. Therefore we have used a group of matrixes (Appendix B) to investigate the situation and provided the following in sights. The ªproduct/marketº analysis shows how iPremier is serving a niche market o f affluent customers by providing them with high value products; this suggests t hat upsetting these clients due to lack of security measures in safeguarding the ir data and credit card information will cost iPremier a fortune ! Furthermore; the ºIT impact matrixº shows IT being the core of iPremier's business and any failure for even a very short duration will cause losses and have a negative consequence  both internally and externally. Moreover the ªcoupling interaction matrixº shows th at iPremier's IT processes are reasonably tight and complex; which suggests that t he whole business can easily go down if one part of its IT is not functioning, l ike the DOS Attack (Appendix C).Also ,when applying the ªgovernance &ownership ana lysisº we notice that the outsourcing relationship places iPremier in the alliance  form of ownership; this implies that the backbone of iPremier is not within its  own hand therefore selecting reliable outsourcer is imperative for its proper f unctioning. To gain a holistic view and to gain an insight into iPremier's situati on a SWOT analysis (Appendix D) was done. Despite their strengths, a SWOT analys is revealed that iPremier's main weakness resides on its lack for a Total Producti ve Maintenance approach (TPM) which in turn sheds light on three other major wea knesses: absence of a reliable IT provider, deficiencies in internal communicati on & escalation, and the absence of detailed transaction logs. Because of its we aknesses iPremier was susceptible to many threats, major ones being increased vu lnerability toward security breaches, increased chances of repeated attacks, and  higher probability of declining IT performance. (Appendix E shows the TPM pilla rs) Apart from that iPremier also has to worry about the legal aspects, public relat ions as well as the impact on stock price after the attack. It might be liable f or identity theft of its customers and responsible for legal actions as well. In  light of all this the stock price of the firm may also go down.

IT ISQS 5231 ± IT for Managers| 5/4/2010 4 Alternative Solutions: In evaluating the iPremier company and the case situation in hand, we reached to  the following conclusion about the available alternatives for the company after  the attack: 1. 2. 3. 4. Stay with Qdata Outsource to another IT services provid er Develop in-house IT infrastructure Develop an in-between solution (some outso urce, some in-house) Evaluation of Alternatives: 1) Staying with Qdata: The first and easiest alternative available is to stay wi th the current service provider which is Qdata Company. Although we strongly dis courage this alternative, it might be a good idea to stick with Qdata till the t ime other alternatives are evaluated. However, in order to make this alternative  viable, the company needs to take the following actions:   Work cooperatively wit h Qdata to find the potential problems and try to fix them. Create set of requir ements to be met by Qdata as pre-requisites in order to continue using their ser vices. For example being more responsible about their services, and providing a real 24/7 support.  Obtain higher levels of authorization for iPremier's engineers to access the facilities in case of emergencies. Considering the iPremier s long -term relationships with that company and the overhead costs associated with est ablishing new contracts with other providers, if Qdata could successfully accept  and accomplish these requirements, it can be assessed as a semi-viable alternat ive. 2) Outsourcing to another IT service provider: In the dynamic and rapidly c hanging world of information technologies, where new systems and opportunities a re created every day, having an up-todate and top notch IT service provider is a  crucial requirement for an online merchant like iPremier

IT ISQS 5231 ± IT for Managers| 5/4/2010 5 company. Keeping this in mind, the company should make an in-depth research on t he various available IT service providers and identify the best choice which fit s its requirements in the most economical way. Our suggestion for the time being  is to go with one of the top giants in this market like IBM or HP. These compan ies have a long-term experience in this area and have thousands of large and sat isfied customers worldwide. They also have auditing programs which can find prob lems and opportunities for their customers to enhance their performance and to i ncrease their market share. 3) Develop in-house IT infrastructure: In a long ter m planning developing its own in-house IT infrastructure is always an attractive  option, especially when the company deals with critical data like credit card i nformation of its customers. Even though in-house development is a very expensiv e and costly decision requiring huge up front investment, which might hamper the  profits and cash flow for the initial years, future cost savings might make it seem worth all the efforts and investments. Also, this action might allow the fi rm to create a competitive advantage over the competition and would provide the opportunity for further expansion of the services. 4) An in-between solution: So metimes we can find a middle solution that can satisfy the privacy requirements of the customers and decrease the costs of the company through outsourcing. For example if we store the critical information of the company in in-house, highly secured servers with multiple backups and outsource the other IT requirements to  an outsider IT provider, we can both enhance our security and create a cost eff icient alternative. Recommendations: The following courses of actions have been recommended after the attack. It has been divided into three areas:Management 1. Allocate appropriate resources towar ds IT security 2. Create a standard protocol assigning roles and responsibilitie s and escalation of communication in such situations 3. Implementation of a disa ster recovery and business continuity plan (alternate website)

IT ISQS 5231 ± IT for Managers| 5/4/2010 6 4. Use external vulnerability assessment services to periodically check the secu rity level maintained by the IT department. 5. Review management culture orienta tion of focusing on just the end-results which leads to managers taking shortcut s to expedite delivery of software systems and ignore the controls. 6. Appoint a n external audit committee for risk assessment and management IT Department 1. Implement a robust firewall. 2. Enable logging and regularly mo nitor them. 3. Install Network-based intrusion detection software. 4. Train and educate all staff on basic systems security. 5. Encrypt sensitive information on  the servers 6. Provide guidelines and information regarding people to contact w hen issues arise 7. Switch the IT services to IBM or HP. Public Relations 1. Inform the press about investment in state of the art networ k security systems. 2. Performing an in-depth analysis and evaluation of the col location facility. 3. Inform that all customer data on its servers will be encry pted. Plan to Implement the Recommendations First step for iPremier is to hire a well reputed IT consultant to evaluate the situation. He shall define the software, hardware and network requirements for t he company based on their nature of the business. Then the IT consultant can com e up with a design for the preferred solution's implementation. The iPremier manag ement team should then review the plan and approve of the necessary funds to imp lement it.

IT ISQS 5231 ± IT for Managers| 5/4/2010 7 Second step would be to create a project team comprising of the key personal res ponsible for a smooth and trouble free transition to the new system. Even though  the actual task would be based on the recommendations of the IT consultant, we feel the for moving from Qdata to IBM for their IT service requirements they nee d to first carefully the terms in their contract with Qdata. If serious penaltie s are levied on the party that breaks the contract, we need to work out a soluti on with Qdata at least till the end of the contract period. Thirdly, assuming th ere are no major financial implications of ending the contract, it should collab orate with IBM for securely transferring data from the servers of Qdata and sett ing up a new computing facility with IBM. It should check and review all the ter ms of the contract as well as the obligations on the part of IBM and iPremier in  safeguarding and handling information. The contract should provide adequate pro tection to iPremier in case data theft or damage. Finally after the project has been successfully implemented, iPremier should develop a standard protocol withi n its IT department for escalation of any issue as well as the contacting the ap propriate person in case of a crisis. All the staff at iPremier needs to be give n training on basic computer security and how to avoid the common mistakes in re gard to secure computing. These steps will not completely eliminate the risks of  attack or secure the iPremier website completely; however it will reduce the po ssibility of such incident to a manageable level. A standardized approach for de aling with an unusual event would reduce the downtime or at least enable the tro ubleshooters fix it faster.

IT ISQS 5231 ± IT for Managers| 5/4/2010 8 Lessons learnt from the attack The attack, even though lasted for only a short time, provided some valuable les sons to be learnt. We have enlisted the list of several things taught by this in cident: 1. Importance of contingency planning 2. Handling core business operatio ns in a responsible and careful manner (make sure the core business is in the ri ght hands) 3. Importance of support from senior executives 4. Unconditional coll aboration in moments of crisis 5. Importance of a good cultural environment (rel ationships, innovations, entrepreneurship, team collaboration) 6. Define protoco ls and clear channels of communication 7. Regular evaluation of the IT infrastru cture (vulnerability analysis, update protocols)

IT ISQS 5231 ± IT for Managers| 5/4/2010 9 Appendix A: DOS Attack Timeline 5:46am: The attack stops. 5:27am: Bob Turley receives a call from the CEO Jack S amuelson. ·He asks the CEO to contact Qdata's upper management to let Joanne get access to The  Network Operation Center (NOC). ·Bob Turley discovers from Joanne that the attack  was a SYN flood type which is a DoS attack. 4:39am: Joanne contacts Bob Turley and promises to keep him updated on 4:31am: B ob Turley receives a call about an attack on iPremier's webserver. ·Discovers from Leon that Joanne is on her way to Qdata. the situation. ·Bob Turley begins to contemplate pulling the plug due to the liability of credit card infor mation getting stolen. ·iPremier's upper management begins to contact Turley wanting  to know about the situation.

IT ISQS 5231 ± IT for Managers| 5/4/2010 10 Appendix B: Matrices Governance and Ownership Matrix In our presentation we places iPremier as a CORP ORATION since it consisted of a legally defined organization with different depa rtments like legal, marketing, IT etc. After a more in depth analysis we notice that the outsourcing relationship places iPremier in the ALLIANCE form of owners hip; this implies that the backbone of iPremier is not within its own hand there fore selecting reliable outsourcer is imperative for its proper functioning. A f ormal contract is not formed in a B2C relationship which places iPremier in the MARKET section of the matrix as it provides goods, processes payments and mainta ins customer profiles. Product and market positioning Since iPremier currently serves a niche market (m ostly affluent) we categorized it as NARROW , but with its plans for growth it i s moving up to reach BROAD . Since it sells luxury-rare items we recognize it as  VALUE ADDED.

IT ISQS 5231 ± IT for Managers| 5/4/2010 11 IT Impact At the early beginnings of the company it's IT placed it in a HIGH strat egic impact position . Later on when competitors entered the market the IT strat egic impact became LOW. Since it's an online business IT impact on operations is H IGH. Coupling-Interaction Since all the operations of an e-commerce are mostly online  iPremier is reasonably COMPLEX. It is also reasonably tight COUPLING because it s operations are interdependent

IT ISQS 5231 ± IT for Managers| 5/4/2010 12 Appendix C: DOS Attack & SYN-Flood Denial of Service attack A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource  unavailable to its intended users. Although the means to carry out, motives for , and targets of a DoS attack may vary, it generally consists of the concerted e fforts of a person or people to prevent an Internet site or service from functio ning efficiently or at all, temporarily or indefinitely.

IT ISQS 5231 ± IT for Managers| 5/4/2010 13 SYN Flood attack SYN flood is a form of denial-of-service attack in which an att acker sends a succession of SYN requests to a target s system. Normally runs lik e a three way handshake: 1. The client requests a connection by sending a SYN (synchronize) message to th e server. 2. The server acknowledges this request by sending SYN-ACK back to the  client. 3. The client responds with an ACK, and the connection is established. When the attacking computer doesn't reply to the SYN-ACK sent by the server it con sumes resources and when this process is repeated a large number of times the se rver is rendered incapable of responding. SYN-Flood is a type of DoS attack.

IT ISQS 5231 ± IT for Managers| 5/4/2010 14 Appendix D: SWOT Analysis Strengths: ·Leaders in the e-commerce ·Resourceful pool of employees (talented young people, ex perienced managers) with reputations of high performance. ·iPremier targeted at hi gh-end customers and had flexible return policies. ·Credit limits on charge cards are rarely an issue. Weaknesses: ·Problem in internal communication and escalation deficiencies. ·iPremier does not h ave detailed transaction logs as it involves a trade off with speed ·Building all of their systems on poor performance IT services provider. Opportunities: ·iPremier is one of the few success stories of e-commerce business ·Given that iPrem ier established a very strong high-end customer base, it now has the opportunity  of extending and tapping into the mid-class consumer base as well Threats: ·Security issues that can harm the overall performance and success of iPremier ·Due to the lack of detailed transaction logs, possibility of repeated attack. ·IT oper ations outsourced to Qdata, (don't have required immediate access and control over  their data center and network). ·Qdata was not investing in advanced technology a nd upgrades.

IT ISQS 5231 ± IT for Managers| 5/4/2010 15 Appendix E: Total Productive Maintenance iPremier could support its operation in the Total Productive Maintenance five pi llars      Elimination of main problem: Outsource its core business Autonomous mainte nance: Take responsibility in its own hands Planned Maintenance: Create policies  and contingency plans Early Management of new equipment: Invest smartly in secu rity of its infrastructure Education and training on the job: Prepare the person nel to deal with common IT related problems that it can face.

IT ISQS 5231 ± IT for Managers| 5/4/2010 16 Bibliography The Advantages of TPM. (2008, 02 16). Retrieved 04 28, 2010, from Eco Max - Trai ning and Learning Center: www.ecomaxmc.com/blog/ Garafalo, D. J. (2004, 03 28). IST University Computing Systems. Retrieved from Management of Information Syste ms: http://web.njit.edu Lynda M Applegate, R. D. (2008). Corporate Information S trategy and Management: Text and Cases. McGraw-Hill/Irwin. Robert D. Austin, L. L. (2007, 07 26). iPremier Co. (A): Denial of Service Attack. Harvard Business P ublishing.