Free Research Proposal On Enterprise IT Network Solution Proposal
For Kris Corporation
According to statistics, 80% of companies that suffer major disasters close within three years, while companies that face failure of their IT systems go out of business in less than 1 year.
These statistics point to the critical nature of IT spending in an organization. A company that has multiple remote locations, needs data and file sharing, and runs enterprise applications accessed from all of these locations is at much higher risk of system failure.
The lack of a proper connectivity solution across the enterprise makes the entire network vulnerable to various attacks. Security breaches are more common than accepted. According to statistics from IBM, the probability of a security breach incident for enterprise networks is growing at a rate of 12% every year. Protecting the entire enterprise network should therefore be at the top of the priority list.
Modern enterprises need to enable their employees, partners and customers to access applications and services easily and quickly from any channel, web or phone. Enterprise mobility requires some important considerations that will be discussed in this document. In addition to a properly secured and planned network, every enterprise needs to implement proper backup and recovery solutions to be able to recover from unforeseen situations. As experts believe that if there is a 1% chance of failure it will happen, smart organizations plan for everything. This document looks into the issues of the client company and the possible solutions in order to build a reliable and robust corporate network.
Introduction & Background
KRIS Corporation is the leading manufacturer of automobile parts in the country. The company has multiple offices across the country in Atlanta (GA), Baltimore (MD), Chicago (IL), Seattle (WA) and San Diego (CA). The manufacturing plants are currently in Atlanta and Seattle.
Atlanta (GA) is the current headquarters, with a large workforce assigned to various departments and operations. Since operations are distributed among the different locations, there are various needs for file and data sharing.
Even though Kris Corporation has implemented various IT solutions for its operations, a lack of proper integration has left some loopholes within the corporate network, and the staff and departments face difficulties in carrying out their regular operations.
After initial analysis, some specific problems were discovered, and this proposal looks specifically into resolving them through the proposed network solution. The basic issues this proposal focuses on are as follows:
The company has multiple locations with a strong need for data and file sharing; however, each location is independent of the others and no common platform is available to simplify sharing of resources and data.
The company has multiple domains (due to the independent remote locations), which not only hinders setting up a centralized system but also causes issues for customers.
The company is still using Active Directory 2008, which denies it several advantages of the newer version of AD.
As each location operates on an ad hoc basis, each has a large hardware overhead because instances of the same hardware are kept everywhere.
The entire corporation lacks a disaster recovery and backup plan and can face severe consequences at any stage, as every location is still operating independently.
The company's locations connect to the internet in different ways, which not only adds budget overhead but also raises security concerns, as confidential data is shared between locations and departments over the public internet.
Proposed Network Architecture
The first step in designing a reliable, secure and robust solution for Kris Corporation that resolves all the previously defined issues is to design an efficient network for the corporation. Today, various options exist for companies that have multiple office locations in distant cities, and as with any solution there are pros and cons to be considered before making a recommendation.
In our case, Kris Corporation needs a centralized location that hosts all the major systems, with each remote location able to connect to it through a secure mechanism.
Traditionally, large companies with several remote locations implemented a WAN to connect remote offices to the head office through LANs. That solution carried a large hardware cost overhead and lacked the robustness of a centralized solution.
Although modern consultants advise companies to migrate directly to cloud based infrastructure, there are still some security and reliability concerns related to cloud based solutions.
In order to provide a quick and effective solution that is safe and secure, a VPN based solution is recommended to the company, which will allow all operations and transactions to take place within a secure private network.
VPN based network
A VPN, or Virtual Private Network, provides a secure access channel to the main corporate system where the servers and the data reside. Unlike in a cloud based infrastructure, in a VPN environment the system administrator is responsible for keeping the servers up to date as well as implementing security procedures to deal with viruses or outside attacks.
Some experts believe that cloud based infrastructure is economical; however, in our case, for a company that already has a large number of users and servers, the cost of cloud infrastructure cannot be seen as an advantage. Additionally, for medium to large organizations, VPNs keep complete control of the system in the hands of the company, unlike a cloud based setting.
The solution will allow every remote client, whether from a remote office or any other location, to connect to the private corporate intranet through a secure VPN tunnel as shown in the picture below:
Figure 2 Basic VPN setup
The central location will host the servers for enterprise applications and email, as well as other servers for network support and continuity that will be elaborated in later sections. The centralized location will be secured from unwanted traffic through a firewall, anti-virus and continuous monitoring of the server traffic.
Advantages of VPN based solution for Kris Corporation
The solution will provide the following advantages to the corporation across its remote and central locations:
Data security: the entire company will connect to the internet in a uniform way, through the VPN, so its data and information will stay encrypted and safe from malicious attacks.
Enhanced productivity: in our case everyone will be able to securely connect to the corporate network from any location, thus increasing productivity.
Data & file sharing: since all locations are connected centrally, all employees can easily share data and files in a secure and robust manner.
Secure online identity: VPNs allow complete anonymity when accessing and browsing web applications and websites, without any threat of identity theft.
Robust network design: VPNs greatly enhance the bandwidth and efficiency of the network.
Disaster & Backup Planning And Recovery
In any company with IT investment, proper monitoring, planning and mitigation of disasters is of undeniable importance. In our scenario, since in a VPN setup all our IT systems and servers are deployed at the central location (the Atlanta office), there is a need for periodic backup of all the data on the servers and for planning recovery from any mishap beforehand.
Scaling Managed Services With Third Party (For Backup & DR)
In order to maintain reliable backup planning and services, it is proposed to scale these managed services with a third-party service provider or NOC.
Third-party NOC services give the managed services and IT department the advantage of reducing the burden of hiring, training and maintaining technical professionals, and shift the overhead of expensive infrastructure to a trusted and reliable partner rather than bearing the total cost of ownership.
Considering that the company's operations are not 24/7, at the end of each day all updated data on the central servers will be automatically backed up or mirrored to an off-site server. The backup servers will be placed remotely in a secure location to keep an updated copy of system files and data.
Even though the company could manage a complete backup location itself, doing so would add great cost overhead. Instead, to implement efficient backup, the backup services will be outsourced to a third-party NOC solution provider that will manage the entire backup setup. To provide reliable backup, a cloud based NOC will be chosen to reduce the budget overhead of backup procedures.
In addition to this, the third-party NOC will manage:
24/7 monitoring and surveillance of the backup facility
The facility itself, in a location ideally far from the primary site so that the effects of natural disasters are kept minimal.
The third-party NOC will also manage automatic backup schedules, so the probability of any missed backup will be almost 0%.
One additional advantage of a third-party NOC is the availability of network technical assistance in any emergency situation that might leave the company's IT staff in need of expert assistance.
These third-party NOCs keep their servers updated and patched, so the additional burden is taken off the company's IT staff and the additional cost overhead of managing an entire facility is also reduced.
Another very important aspect of an off-site backup facility managed by a third party is that, in case of an emergency, these service providers manage the availability of an internet connection if the company's primary connection fails. The company will thus have not only a data backup but also a backup connectivity solution in hand.
Figure 3 Automatic Backups to public cloud by NOC
In order to ensure that the backup strategy is working, the IT system administrator will be required to test the backup periodically to be sure that the data is available at any time. In a survey analyzing backup procedures, companies that outsourced their managed backup and recovery services to a third-party NOC spent the least time on backup procedures and were always able to recover data in less than 4 hours, as shown in the figure below:
Figure 4: Self-managed vs. Outsourced Backup, http://info.databarracks.com/rs/databarracks/images/Cloud-backup-2014-infographic.pdf
DRaaS - Disaster Recovery As A Service
Similar to outsourcing backup functionality to a third-party NOC, disaster recovery will also be managed by the same NOC. This is often referred to as DRaaS, where the NOC replicates all the servers, manages the backup and recovers the system data in case of any disaster. The NOC will provide a thorough SLA for DRaaS that nominates its staff along with their duties in an emergency, and sets out the other protocols and procedures to be followed during a hazardous event.
In 2012, Aberdeen conducted a study of 136 organizations on their experience with public cloud based backup and DR services. The report indicated that DRaaS users faced 50% less downtime and that the average recovery time was three times faster. The report also included the cost companies face due to datacenter downtime. The advantage of DRaaS can be analyzed by calculating the cost of downtime combined with the average number of incidents and the length of each event, as shown in the chart below:
Figure 5 cost of downtime,
Centrally Integrated Corporate Network
The aim of this proposal is to provide a completely integrated solution that the company's employees can access easily and safely from anywhere through any device, since most organizations today require complete enterprise mobility and appreciate the concept of BYOD (Bring Your Own Device).
Figure 6 centrally integrated corporate network
This solution will allow employees to access the corporate software systems and web applications, reach files on other systems even at remote locations, access their email and perform voice operations, all through a uniform system as shown in the image above.
The following sections discuss the capabilities of this centralized network solution:
Since the entire solution is based on the centralized VPN architecture, all the data and file servers will be placed in a central location. All system users will access the system through the VPN.
In this scenario authentication and authorization are even more critical. Typically a user might need to authenticate every time they access any application of the system, such as the accounts system, the sales system or the corporate email server, which might result in heavy traffic on the servers. To make access control efficient, SSO will be implemented, allowing every system user to access the various components of the system by signing in once. The concern of multiple sub domains will thus be resolved, as users will easily browse across the sub domains. This will also resolve the issue for the customers of Kris Corporation, as they will sign in with their unique IDs and will be able to access the designated systems across the domains easily. The Security Assertion Markup Language (better known as SAML) version 2.0 is a standard for cross-domain web single sign-on in the enterprise environment, supported by Microsoft in Active Directory Federation Services (AD FS) version 2.0.
Figure 7 SSO with ADFS 2.0, https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services
The user logs in to the system through the identity provider, AD FS 2.0, which authenticates the user across all the resources or service providers in the system without authenticating at each access point, as shown in the above figure. The implementation of SSO will also enable system users to access the enterprise applications through their mobile devices, enabling enterprise-wide mobility.
Active Directory is at the center of any enterprise-wide IT infrastructure. In our scenario too, AD is required to implement the enterprise-wide centralized system and to fully implement the single sign-on feature, so that system users as well as customers can easily interact with the system. AD 2012 promises to support emerging trends such as cloud computing and modern deployment models. Hybrid deployment models will require even more attention to security and compliance for accessing corporate data and services. AD FS (2.1) is included in the 2012 release as a server role and provides:
Enterprise-wide claims
Active Directory Lightweight Directory Service (AD LDS) and SQL attribute-store providers supplied out-of-the-box
In order to leverage these features of AD FS (2.1), SSO and support for newer hybrid deployment models, the system will be migrated to Windows 2012 and AD 2012. The migration will make the system extensible enough to be deployed fully or partially on cloud infrastructure at any time in the future.
In order to implement the scenario discussed above, it is important that the AD FS server is a member of the Active Directory domain. It is also important to create a DNS name for AD FS that points to the AD FS server, and a certificate in IIS for that DNS name. Ideally, the DNS server will be located with the AD server.
DNS is omnipresent in an enterprise and holds a critical position in security planning because it is susceptible to attack. In 2011, research by Godai Group reported that they obtained 120,000 corporate emails through typosquatting, the practice of registering fake names similar to an already registered name. The practice not only attracts unwanted web traffic but can also expose confidential corporate data. In our case, since all the information about a user will be accessible through single sign-on, special attention will be required to protect DNS from typosquatting. To protect against such harm, similar domain names will be monitored regularly. DNS is also vulnerable to DDoS attacks; if the DNS is not capable of handling these requests intelligently, system performance can degrade greatly. To prevent DNS failure, the managed services provider will also mirror the DNS, which will improve performance and provide load balancing during such attacks. Another potential threat is cache poisoning: given the frequency of data transactions expected on such an enterprise-wide network, a large amount of DNS data will be cached at various points. The cache helps improve response times, but it is highly vulnerable to poisoning attacks, which could mislead a user to a fraudulent server managed by the attacker. To protect the DNS, a digital certificate will be attached to the domain name so that the name can be validated; additionally, the corporate registrars will be requested to implement DNSSEC to ensure maximum protection.
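The regular monitoring of similar domain names described above could be run as a check over a list of newly observed registrations. This is an added example, not part of the original proposal; the domain kriscorp.example, the observed list and all function names are constructed assumptions.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each at cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[-1]


def normalize(domain):
    return domain.strip().lower().rstrip(".")


def registrable_label(domain):
    # Assumption: a single-label suffix, so the name is the second-to-last label.
    parts = normalize(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_lookalikes(corporate, observed, max_distance=1):
    """Return (domain, reason) for observed names that imitate `corporate`."""
    corporate = normalize(corporate)
    brand = registrable_label(corporate)
    findings = []
    for raw in observed:
        domain = normalize(raw)
        if domain == corporate or domain.endswith("." + corporate):
            continue  # the company's own name or one of its subdomains
        label = registrable_label(domain)
        distance = osa_distance(label, brand)
        if distance == 0:
            reason = "same name, different suffix"
        elif distance <= max_distance:
            reason = "edit distance %d" % distance
        elif brand in label:
            reason = "contains brand name"
        else:
            continue
        findings.append((domain, reason))
    return findings


# Constructed sample input; .example and .test are reserved for documentation.
CORPORATE = "kriscorp.example"
OBSERVED = [
    "kriscorp.example", "mail.kriscorp.example", "kriscrop.example",
    "kr1scorp.example", "kriscorp.test", "kriscorp-login.example",
    "partsdepot.example",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(CORPORATE, OBSERVED):
        print(domain, "->", reason)
```

Each flagged name is a candidate for review, takedown or mail and web filtering; names that differ only by visually similar Unicode characters are outside what this distance check covers.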
In order to make the most of the centrally deployed servers, virtualization will be used, as the main headquarters at Atlanta does not have much server space available. Microsoft Hyper-V Server 2012 R2 and Hyper-V Server 2012 will be used for server virtualization, which will not only resolve server placement issues but also help manage the cost overhead of server management. Although various other virtualization options are available, using Hyper-V will avoid additional licensing costs, and since most of the other servers will be Microsoft based, there will not be any issues of communication. One concern, however, is that Microsoft and its related products are relatively new in the market, but the upside is the level of support available in case of any issues.
As the entire system will be available to every user through single sign-on, file sharing will be greatly enhanced. Because users are authenticated at the access point, they can easily and quickly share files across the VPN with security and privacy. With the implementation of Active Directory, the system will be able to maintain access control and an activity log for every user, so the changes, additions or updates made to data or files by any user will be recorded. The authentication and authorization protocols will restrict unwanted access, enabling robust and efficient roaming of files and data.
The above proposal is based on the initial concerns raised by Kris Corporation. The solution is built on the concept of a centralized network for the company that will allow remotely located system users to efficiently and quickly access their desired applications on the network. Various measures will be incorporated to ensure security, reliability, maximum uptime and network performance.
Continuum. (2012). Scaling Managed Services with a Third-Party NOC Partnership. Continuum.
Csaplar, D. (2012). Disaster Recovery-as-a-Service: It Delivers. Aberdeen.
IBM. (2014, April). Quantifying the data breach epidemic. Retrieved from IBM: http://www-935.ibm.com/services/us/en/it-services/security-services/data-breach/
Mohan, R. (2011, October 05). Five DNS Threats You Should Protect Against. Security Week.
Pivotal IT. (2012, August). 10 Backup and Disaster Recovery Statistics You Must Know. Retrieved from Pivotal IT: http://www.itispivotal.com/2012/08/05/10-backup-disaster-recovery-statistics-must-know/