This document summarizes Jim Rutt's experience transforming the Dana Foundation's IT infrastructure to the cloud. Some key points:
- The Dana Foundation moved locations in 2011, prompting a review of their on-premise infrastructure which faced issues like complexity, downtime, and resource constraints.
- They migrated Exchange to Office 365 in 2011-2012, addressing these issues. They also implemented Okta for single sign-on and identity management across SaaS apps like Salesforce.
- Other moves to the cloud included moving their ERP system to Azure and adopting Zendesk for help desk support.
- Lessons included calculating risks carefully, crafting a governance model, and adopting next-generation security solutions.
2. PERSONAL BACKGROUND
• 20 years as a client-side technology practitioner
• Primarily in healthcare (payer/managed care), but also significant experience in
financial services and pharmaceuticals.
• As Director of IT for The Dana Foundation, responsible for all domains
encompassing the use of technology (infrastructure, application development, data,
network, etc.)
• First experience in the non-profit sector
3. DANA FOUNDATION BACKGROUND
• http://www.dana.org
• Founded in 1950
• Endowment based foundation supporting brain research through grants,
publications and educational programs
• Chief focus on scientific inquiry (funding of research into neuroscience) and on
engagement of the general public (publications and programs)
5. BEGINNING STATE
• Traditional on-premise infrastructure with a limited amount of IaaS/private cloud
• Limited human resources
• No application lifecycle process
• No real strategy for risk, security, or compliance
• Traditional problems (too much time spent supporting infrastructure issues and not
enough time developing new features and enhancing end-user experience)
6. MARCH 2011: TRIGGER EVENT
• Foundation moved to new location
• Opportunities for consolidation as well as re-thinking existing cloud environment,
with an eye towards optimizing from a performance, security, and cost perspective.
• Addressing macro trends affecting everyone in our industry (consumerization of IT,
rise of mobile, demographic trends).
• Time to test the waters with the first application…
7. OFFICE 365
• Existing Exchange Server environment:
• Total of 15 VMs, far too complex
• Uptime way below five nines
• All resources (CPU/RAM/storage) reaching 100% utilization
• Active Directory environment supporting Exchange badly neglected with serious
integrity issues.
• Maybe an opportunity to embrace a new security model rather than pour significant
resources into maintaining AD.
8. OFFICE 365: APRIL 2011-JAN 2012
• Migration considerations specific to governance:
• Ruled out AD Federation due to previously identified issues with AD.
• However, this temporarily complicated the authentication model (moving from AD
pass-through authentication to a separate Office 365 credential alongside the
existing AD credential)
• Already risking “password fatigue” with end users.
• Time to look at a possible new solution for cloud-based identity…
9. OKTA (ID AS A SERVICE)
• Essentially a single sign on solution primarily for SaaS
• Great leverage with web-based SaaS offerings; can also integrate with AD
• Also streamlines user provisioning and deprovisioning
• Clean user interface and simple administrative console
• We began to see this model as the future.
13. COMPLIANCE/GOVERNANCE CONSIDERATIONS
• No technology audits prior to 2010.
• Using the new technologies and strategies, and by guiding our external auditors, we
were able to craft a compliance structure that truly represented an actionable
governance program rather than just a checklist of useless items.
14. NEXT GENERATION SECURITY SOLUTIONS
• Netskope (CASB)
• Vera (hardening at the actual file level)
• Menlo Security (malware isolation)
• enSilo (exfiltration prevention)
• Lesser reliance on legacy antivirus solutions
16. RETURN ON INVESTMENT
• Significant security cost/risk mitigation now transferred to top-tier providers
(Microsoft, Salesforce, etc.)
• The trust factor in this case resembles a reversal of the “prisoner’s dilemma”.
17. LESSONS LEARNED ALONG THE WAY
• Took a calculated risk in moving our most visible application (Exchange) to the cloud
first, but it was mitigated by the pain already being felt.
18. 2016 AND BEYOND
• Eventual retirement of legacy AD
• Harden end-user devices
• Expansion of two factor authentication
• Continue to adopt next generation endpoint security solutions.