ISQS 5231 – IT for Managers

iPremier Case Analysis

Professor: Dr. Qing Cao

Team # 4
Dalal Ahmad Sayed Almohri Aliza Levinsky Andy Rupp Avinash Sikenpore

.............................................................................................................................................. 5 4) An in-between solution: ................................................................................................................................................................................ 9 Appendix B: Matrices ......................................................................................................................................................................................... 16 ................................................................................................................................................................................ 4 Evaluation of Alternatives: ........................................................................................................................................................................IT ISQS 5231 – IT for Managers| 5/4/2010 1 Table of Contents Background ............................ 4 3) Develop in-house IT infrastructure: .......................................................................... 4 1) Staying with Qdata: .................................................. 15 Bibliography .......... 5 Plan to Implement the Recommendations .......................................................................................................................................................................................................................................................................... 12 Appendix D: SWOT Analysis ...................................................................................................... 10 Appendix C: DOS Attack & SYN-Flood ............. 5 Recommendations:..................................................................... 14 Appendix E: Total Productive Maintenance ................................................................................. 6 Lessons learnt from the attack......... 4 2) Outsourcing to another IT service provider: ................................................................. 2 Analysis of the Problem ...................................................................................................................................................................... 3 Alternative Solutions: .................... 8 Appendix A: DOS Attack Timeline .......................................................................................................................

1 million with a sales of $32 million. There perpetrated a “doing whatever it takes” type of culture in the company which meant that employees will do whatever it takes to get the project done on time. Based in Seattle. At that time the CIO. commitment to delivering results. Bob Turley was out of town and the situation was not handled in the best possible manner. Apart from that the top management at iPremier felt a commitment to Qdata due to its cordial and friendly relations for last so many years which was delaying the process further. Since the cost and time involving this move would be significant. iPremier became one of the few success stories in the web based commerce industry.IT ISQS 5231 – IT for Managers| 5/4/2010 2 Background iPremier was found in 1996 by two students from Swarthmore College. professionalism. and partnerships for achieving profits. iPremier had planned to move their IT infrastructure and computing resources to another facility however this wasn’t iPremier’s top priority. The standard operating procedures in such emergencies was unknown and everyone in the company started acting in their own way being mindful of their interests only. iPremier raised money through an initial public offering and even though there were problems in the late 1990s and early 2000s by 2006 profits were $2. In 1998. On 12th January. many members of iPremier perceived it as a disruption to normal business for the customers and therefore showed reluctance. The work environment at iPremier can be described as one filled with discipline. 2007 iPremier’s website had a Denial of Service Attack. (A more detailed timeline is given in Appendix A) . rare and vintage goods. The problem escalation was also unstructured and everyone started calling everyone. especially when it comes to IT. The colocation facility at Qdata did not have the required personal to deal with the problem. To understand iPremier’s IT structure we need to keep in mind that iPremier outsources most of its management of technical architecture to Qdata. iPremier was an online retailer selling luxury. The management of iPremier consisted mostly of young people who had been with the company from the beginning and more experienced managers who were hired as the company grew. The report will discuss in details the various issues pertaining to the attack and how they were handled as well as the possible ways to have mitigated the risks of such an attack or handled in a better manner.

Therefore we have used a group of matrixes (Appendix B) to investigate the situation and provided the following insights. this suggests that upsetting these clients due to lack of security measures in safeguarding their data and credit card information will cost iPremier a fortune ! Furthermore. and the absence of detailed transaction logs. and higher probability of declining IT performance. Moreover the “coupling interaction matrix” shows that iPremier’s IT processes are reasonably tight and complex. a SWOT analysis revealed that iPremier’s main weakness resides on its lack for a Total Productive Maintenance approach (TPM) which in turn sheds light on three other major weaknesses: absence of a reliable IT provider. the ”IT impact matrix” shows IT being the core of iPremier’s business and any failure for even a very short duration will cause losses and have a negative consequence both internally and externally. public relations as well as the impact on stock price after the attack. It might be liable for identity theft of its customers and responsible for legal actions as well.when applying the “governance &ownership analysis” we notice that the outsourcing relationship places iPremier in the alliance form of ownership. In light of all this the stock price of the firm may also go down. deficiencies in internal communication & escalation.Also . To gain a holistic view and to gain an insight into iPremier’s situation a SWOT analysis (Appendix D) was done. Despite their strengths. which suggests that the whole business can easily go down if one part of its IT is not functioning. major ones being increased vulnerability toward security breaches. this implies that the backbone of iPremier is not within its own hand therefore selecting reliable outsourcer is imperative for its proper functioning.IT ISQS 5231 – IT for Managers| 5/4/2010 3 Analysis of the Problem Understanding the business environment and the IT impact on iPremier is critical to analyze different aspects of the problem. (Appendix E shows the TPM pillars) Apart from that iPremier also has to worry about the legal aspects. Because of its weaknesses iPremier was susceptible to many threats. The “product/market” analysis shows how iPremier is serving a niche market of affluent customers by providing them with high value products. like the DOS Attack (Appendix C). increased chances of repeated attacks. .

2. Stay with Qdata Outsource to another IT services provider Develop in-house IT infrastructure Develop an in-between solution (some outsource. some in-house) Evaluation of Alternatives: 1) Staying with Qdata: The first and easiest alternative available is to stay with the current service provider which is Qdata Company. where new systems and opportunities are created every day. it might be a good idea to stick with Qdata till the time other alternatives are evaluated.IT ISQS 5231 – IT for Managers| 5/4/2010 4 Alternative Solutions: In evaluating the iPremier company and the case situation in hand. it can be assessed as a semi-viable alternative. the company needs to take the following actions:   Work cooperatively with Qdata to find the potential problems and try to fix them. Create set of requirements to be met by Qdata as pre-requisites in order to continue using their services. and providing a real 24/7 support. 2) Outsourcing to another IT service provider: In the dynamic and rapidly changing world of information technologies. For example being more responsible about their services. having an up-todate and top notch IT service provider is a crucial requirement for an online merchant like iPremier . However. 4. if Qdata could successfully accept and accomplish these requirements. in order to make this alternative viable. Considering the iPremier's long-term relationships with that company and the overhead costs associated with establishing new contracts with other providers. Although we strongly discourage this alternative.  Obtain higher levels of authorization for iPremier’s engineers to access the facilities in case of emergencies. we reached to the following conclusion about the available alternatives for the company after the attack: 1. 3.

especially when the company deals with critical data like credit card information of its customers. 4) An in-between solution: Sometimes we can find a middle solution that can satisfy the privacy requirements of the customers and decrease the costs of the company through outsourcing. 3) Develop in-house IT infrastructure: In a long term planning developing its own in-house IT infrastructure is always an attractive option. we can both enhance our security and create a cost efficient alternative. highly secured servers with multiple backups and outsource the other IT requirements to an outsider IT provider. Create a standard protocol assigning roles and responsibilities and escalation of communication in such situations 3. which might hamper the profits and cash flow for the initial years. the company should make an in-depth research on the various available IT service providers and identify the best choice which fits its requirements in the most economical way. Allocate appropriate resources towards IT security 2. Recommendations: The following courses of actions have been recommended after the attack. Keeping this in mind. Even though in-house development is a very expensive and costly decision requiring huge up front investment. Our suggestion for the time being is to go with one of the top giants in this market like IBM or HP. These companies have a long-term experience in this area and have thousands of large and satisfied customers worldwide. It has been divided into three areas:Management 1. future cost savings might make it seem worth all the efforts and investments. They also have auditing programs which can find problems and opportunities for their customers to enhance their performance and to increase their market share. For example if we store the critical information of the company in in-house. Implementation of a disaster recovery and business continuity plan (alternate website) .IT ISQS 5231 – IT for Managers| 5/4/2010 5 company. this action might allow the firm to create a competitive advantage over the competition and would provide the opportunity for further expansion of the services. Also.

hardware and network requirements for the company based on their nature of the business.IT ISQS 5231 – IT for Managers| 5/4/2010 6 4. 5. Appoint an external audit committee for risk assessment and management IT Department 1. 3. Inform the press about investment in state of the art network security systems. Implement a robust firewall. Plan to Implement the Recommendations First step for iPremier is to hire a well reputed IT consultant to evaluate the situation. Review management culture orientation of focusing on just the end-results which leads to managers taking shortcuts to expedite delivery of software systems and ignore the controls. Switch the IT services to IBM or HP. Use external vulnerability assessment services to periodically check the security level maintained by the IT department. Then the IT consultant can come up with a design for the preferred solution’s implementation. Train and educate all staff on basic systems security. . 2. 5. Performing an in-depth analysis and evaluation of the collocation facility. Install Network-based intrusion detection software. 2. Enable logging and regularly monitor them. He shall define the software. The iPremier management team should then review the plan and approve of the necessary funds to implement it. 4. Public Relations 1. Provide guidelines and information regarding people to contact when issues arise 7. Encrypt sensitive information on the servers 6. 6. 3. Inform that all customer data on its servers will be encrypted.

iPremier should develop a standard protocol within its IT department for escalation of any issue as well as the contacting the appropriate person in case of a crisis. If serious penalties are levied on the party that breaks the contract. . it should collaborate with IBM for securely transferring data from the servers of Qdata and setting up a new computing facility with IBM. assuming there are no major financial implications of ending the contract. The contract should provide adequate protection to iPremier in case data theft or damage. however it will reduce the possibility of such incident to a manageable level. we feel the for moving from Qdata to IBM for their IT service requirements they need to first carefully the terms in their contract with Qdata. Even though the actual task would be based on the recommendations of the IT consultant.IT ISQS 5231 – IT for Managers| 5/4/2010 7 Second step would be to create a project team comprising of the key personal responsible for a smooth and trouble free transition to the new system. we need to work out a solution with Qdata at least till the end of the contract period. These steps will not completely eliminate the risks of attack or secure the iPremier website completely. It should check and review all the terms of the contract as well as the obligations on the part of IBM and iPremier in safeguarding and handling information. A standardized approach for dealing with an unusual event would reduce the downtime or at least enable the troubleshooters fix it faster. Finally after the project has been successfully implemented. All the staff at iPremier needs to be given training on basic computer security and how to avoid the common mistakes in regard to secure computing. Thirdly.

even though lasted for only a short time. Handling core business operations in a responsible and careful manner (make sure the core business is in the right hands) 3. Importance of support from senior executives 4. Importance of contingency planning 2.IT ISQS 5231 – IT for Managers| 5/4/2010 8 Lessons learnt from the attack The attack. Unconditional collaboration in moments of crisis 5. innovations. Regular evaluation of the IT infrastructure (vulnerability analysis. provided some valuable lessons to be learnt. update protocols) . We have enlisted the list of several things taught by this incident: 1. team collaboration) 6. Importance of a good cultural environment (relationships. entrepreneurship. Define protocols and clear channels of communication 7.

•Discovers from Leon that Joanne is on her way to Qdata.IT ISQS 5231 – IT for Managers| 5/4/2010 9 Appendix A: DOS Attack Timeline 5:46am: The attack stops. •Bob Turley discovers from Joanne that the attack was a SYN flood type which is a DoS attack. 5:27am: Bob Turley receives a call from the CEO Jack Samuelson. •Bob Turley begins to contemplate pulling the plug due to the liability of credit card information getting stolen. •He asks the CEO to contact Qdata’s upper management to let Joanne get access to The Network Operation Center (NOC). •iPremier’s upper management begins to contact Turley wanting to know about the situation. 4:39am: Joanne contacts Bob Turley and promises to keep him updated on 4:31am: Bob Turley receives a call about an attack on iPremier’s webserver. . the situation.

but with its plans for growth it is moving up to reach BROAD . Product and market positioning Since iPremier currently serves a niche market (mostly affluent) we categorized it as NARROW . A formal contract is not formed in a B2C relationship which places iPremier in the MARKET section of the matrix as it provides goods. Since it sells luxury-rare items we recognize it as VALUE ADDED.IT ISQS 5231 – IT for Managers| 5/4/2010 10 Appendix B: Matrices Governance and Ownership Matrix In our presentation we places iPremier as a CORPORATION since it consisted of a legally defined organization with different departments like legal. this implies that the backbone of iPremier is not within its own hand therefore selecting reliable outsourcer is imperative for its proper functioning. . processes payments and maintains customer profiles. IT etc. marketing. After a more in depth analysis we notice that the outsourcing relationship places iPremier in the ALLIANCE form of ownership.

It is also reasonably tight COUPLING because its operations are interdependent . Since it’s an online business IT impact on operations is HIGH. Later on when competitors entered the market the IT strategic impact became LOW.IT ISQS 5231 – IT for Managers| 5/4/2010 11 IT Impact At the early beginnings of the company it’s IT placed it in a HIGH strategic impact position . Coupling-Interaction Since all the operations of an e-commerce are mostly online iPremier is reasonably COMPLEX.

Although the means to carry out. it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all. . and targets of a DoS attack may vary.IT ISQS 5231 – IT for Managers| 5/4/2010 12 Appendix C: DOS Attack & SYN-Flood Denial of Service attack A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. temporarily or indefinitely. motives for.

The client requests a connection by sending a SYN (synchronize) message to the server. When the attacking computer doesn’t reply to the SYN-ACK sent by the server it consumes resources and when this process is repeated a large number of times the server is rendered incapable of responding. SYN-Flood is a type of DoS attack. . and the connection is established. 2. The client responds with an ACK. 3.IT ISQS 5231 – IT for Managers| 5/4/2010 13 SYN Flood attack SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. Normally runs like a three way handshake: 1. The server acknowledges this request by sending SYN-ACK back to the client.

possibility of repeated attack. •IT operations outsourced to Qdata. . Weaknesses: •Problem in internal communication and escalation deficiencies.IT ISQS 5231 – IT for Managers| 5/4/2010 14 Appendix D: SWOT Analysis Strengths: •Leaders in the e-commerce •Resourceful pool of employees (talented young people. Opportunities: •iPremier is one of the few success stories of e-commerce business •Given that iPremier established a very strong high-end customer base. (don’t have required immediate access and control over their data center and network). •Credit limits on charge cards are rarely an issue. •iPremier targeted at high-end customers and had flexible return policies. •iPremier does not have detailed transaction logs as it involves a trade off with speed •Building all of their systems on poor performance IT services provider. experienced managers) with reputations of high performance. •Qdata was not investing in advanced technology and upgrades. it now has the opportunity of extending and tapping into the mid-class consumer base as well Threats: •Security issues that can harm the overall performance and success of iPremier •Due to the lack of detailed transaction logs.

IT ISQS 5231 – IT for Managers| 5/4/2010 15 Appendix E: Total Productive Maintenance iPremier could support its operation in the Total Productive Maintenance five pillars      Elimination of main problem: Outsource its core business Autonomous maintenance: Take responsibility in its own hands Planned Maintenance: Create policies and contingency plans Early Management of new equipment: Invest smartly in security of its infrastructure Education and training on the job: Prepare the personnel to deal with common IT related problems that it can face. .

2010.com/blog/ Garafalo. L. (2004. (2008. (A): Denial of Service Attack.edu Lynda M Applegate. D. Austin. Retrieved 04 28. Harvard Business Publishing. L. D. Retrieved from Management of Information Systems: http://web. McGraw-Hill/Irwin. iPremier Co. (2008).Training and Learning Center: www. Robert D. (2007.ecomaxmc.njit. 07 26). . J. Corporate Information Strategy and Management: Text and Cases. R. from Eco Max .IT ISQS 5231 – IT for Managers| 5/4/2010 16 Bibliography The Advantages of TPM. 02 16). IST University Computing Systems. 03 28).

Sign up to vote on this title
UsefulNot useful