Securing software and data for today's dispersed project teams
The reliance on the Internet as a collaborative information access asset increases daily as the economy continues to globalize. But the decision to make business-critical information available to dispersed project teams by means of the Internet carries with it real security risks—not to mention significant burden on internal IT staffs and budgets. With most IT groups already overly taxed defending what’s behind the corporate firewall, the complexity of figuring out—and executing—a security strategy for vital information hosted on the Internet can be overwhelming.
There are numerous industries where business-critical documents need to be shared globally, such as financial and real estate services, construction, energy, and heavy equipment manufacturing. Many of the larger construction firms in the United States have contracts for specialized projects with the U.S. military, government agencies, utilities, and multi-national corporations in the United States and in select overseas locations, including Eastern Europe and the Middle East where network infrastructure can be non-existent. Effectively managing such geographically dispersed projects requires remote teams to have real-time access to critical project management software and data without disrupting the security of the company’s internal network or sensitive project documents.
The challenge for IT organizations is to determine how to effectively set up, protect, and manage a corporate local area network (LAN) environment while also granting access to business-critical software and data to global project management teams, which typically include subcontractors or other users from outside the company.
Case Study Background
In September 2003, our company was approached by a leading construction management firm (CMF) to provide temporary access to several software packages for their remote project teams located in three Middle Eastern countries. The CMF understood that it could get a system up and running for its project team while it studied the feasibility of sourcing its own remote software access using internal IT staff and equipment.
In addition to providing access to software over the Internet, the CMF also needed a way to provision new user access to the system, modify and execute application setup and assignments, provide a large online data repository for template files and images, and develop a process for handling support from countries where the time zone was 7 to 8 hours ahead of that in the eastern United States. All of these elements, of course, needed to be simple from the user’s perspective and highly secure from an IT and management perspective.
The Five Challenges
There are five fundamental challenges that make remote access to software and data difficult, particularly when there is a need to share access with business partners.
- Business Focus – Companies must first address the business challenge of focusing their IT staff on access to software and data. There is no question that there is a wide array of technologies that IT professionals have at their disposal to web-enable a software package, including VPNs, Citrix, SSL, Terminal Services, etc. The challenge occurs when the company needs to decide if it really wants to focus core IT staff on managing such a complex and often diverse network that ultimately may or may not contribute to the bottom line of that organization.
- Security – Most IT professionals are trained to defend an internal private network from outside intrusion. Asking them to now enable access to that same protected network, but on a limited basis, significantly complicates everything in the network. Furthermore, expertise with the technologies used to enable this type of access may not exist in any given organization, so IT professionals must also learn while implementing. This is not always the best way to deploy a system that is intended to be secure.
- User Simplicity – Too often, the technologies used to deploy remote access to software and data are relatively routine to IT professionals, but a mystery of smoke and black magic to the average employee. Even fairly common technologies like VPNs work fine in the hands of a somewhat technically savvy project manager, but never seem to work for the typical office worker, especially when their computing environment may change monthly or even daily.
- System Management – In addition to managing the internal private network, corporate IT must now manage this external environment. This creates an environment that quickly becomes overly complex and requires intervention by the coordinating IT department whenever changes to user accounts, software, or even client computers are involved. IT professionals can quickly become overwhelmed by managing access, never mind coordinating updates to the software that is remotely deployed.
- Support – Finally, providing end-user support to a remote access system can be a nightmare for corporate employees and virtually impossible when external business partners are involved. These challenges include trying to manage access for a user on the other side of the world or from computers that are not maintained by your own corporate IT staff.
When the CMF came to us several years ago, it did not understand the business challenges it faced when attempting to deploy a remote software access system for its growing collaboration demands. Of course, all companies try to manage costs, but few, even as recently as a couple of years ago, understood the concept of business as it relates to IT. If you sampled the IT managers of all Fortune 500 companies two years ago, it is likely that about 500 would come back and tell you that their IT staff was overworked with too many projects to complete within the timeframe required. If you asked those same companies how the projects assigned to them related to achieving their companies' revenue objectives, you would probably get fewer than a dozen responses.
The CMF was learning this in real-time back in 2003. At the time, the IT staff estimated that they could complete their in-house solution in about three months with hardware costs estimated at about $35,000 using two dedicated full-time IT resources. What they didn’t consider was that now those two dedicated IT resources would no longer be available to assist with internal support for sales reps, operations personnel and project managers who were trying to increase sales for the company.
The CMF was concerned about security and ensuring that the system it deployed was significantly more secure than any project it had attempted in the past. Part of this concern came from the fact that it was granting access to its server and software resources from outside its private network. But a special concern was raised because access would be initiated in countries that not only had little technical infrastructure, but in several cases had little or no political and governmental infrastructure. Additionally, they were working with multiple U.S. governmental agencies along with various subcontractors, some from the U.S., some from other countries, but all requiring the same access as their remote field employees. Clearly, the security requirements of this project would require high technology, high encryption, and procedures beyond the scale typically deployed by the CMF.
Too often, IT professionals deploy solid technical solutions that require a more-than-basic understanding at the user level. VPNs, SecurID, and Citrix clients are common technologies deployed to users that work in the office on controlled computer systems where the IT support staff is only a phone call or web support request away. In the field, however, it can take hours, even days, for the support staff to first understand the users’ problems and even more time to work with the users in an attempt to resolve the issues. Often the solution is for the user to either send their remote computer to headquarters for correction, or wait until they return to the office so IT can debug and correct. This becomes an even more daunting task when you factor in the myriad of security products, such as antivirus, anti-spam, anti-spyware and the Microsoft patch updates which are constantly updating these remote computers and increasing the chance of conflicts with the remote access client software.
Users, on the other hand, really only want to access and run their project-related software. They have deadlines to meet, people to manage, and decisions to make. Users rely on remote access to their software and data daily; therefore any system that is not simple degrades acceptance and ultimately use of the technology designed to make their jobs easier. This is true for any Internet-based technology—if it isn’t easy to access and simple to use, it won’t be accessed and it won’t be used.
System management is often synonymous with technology infrastructure management. Deploying firewalls, setting up networks, securing web sites, and patching are all examples of systems requiring initial setup and management. When deploying remote software access, however, system management can take on a whole new meaning as it relates to adding new users, provisioning software to remote users and managing client software deployments. It also includes managing a new layer of infrastructure that isn’t required when the software is accessed on the local network. Technologies like Citrix MetaFrame are great at enabling access to standard software using web pages, until patches for this Citrix environment create challenges when operating or accessing the software deployed. The new level of complexity makes it a very significant challenge for IT professionals and starts to weigh against the focus of the company as mentioned previously.
Furthermore, remote access is increasingly referring to global access. This means that any time a user needs access to the system, time zones start to become a communication nightmare between the project manager and system administrator back at headquarters. The CMF was dealing with projects that were being managed by users in time zones that were 7 to 8 hours ahead of the U.S. Whenever the project manager needed to add a user to the system, it would often take 2 to 3 days of emailing and voicemails to get a single user set up with the ability to access the remote software. For a single project deployed, this would cost the CMF $16,000 per day in lost productivity, not to mention the risk to project deadlines, which could result in hundreds of thousands in losses due to penalties.
Supporting local users on a private LAN running software on controlled computers can be a significant challenge with today’s streamlined IT staffs. Too often we hear the stories of employees waiting hours or even days for a return call from the IT support staff. Managing support for remote access users, particularly those who do not work for your organization, can be daunting at best but virtually impossible under average circumstances. In addition to the basic access issues that arise, there is the issue of the software being accessed itself. Consider the complexities of printing a drawing that is stored on a server in California, USA, but accessed by a remote user in Beijing, China. There could be a problem with the local printer in Beijing, or the problem could be the print drivers installed on the server in California.
Time zones again become a challenge for supporting organizations as well. Our CMF was having problems at 10:00 a.m. local time, but that was 3:00 a.m. Eastern Time. Supporting these remote users throughout their work day would require hiring an IT staff that worked after hours for a premium rate. As mentioned earlier, IT staffs are already overbooked with assigned projects, personnel are being scaled back, and budgets are being slashed. Now, trying to provide IT support staff to cover off-hour times becomes a very expensive immediate consideration.
The technology the CMF needed to implement included three components:
1.) Application Services
2.) Managed Services
3.) Proprietary web software fronting the infrastructure.
We also needed to work with the customer to determine their business focus and whether this solution fit with their objectives. It was important to first understand which applications would be considered mission-critical versus business-critical. Mission-critical applications were identified as containing extremely sensitive data or were simply too important to outsource management to a third party. Business-critical applications were considered important to the customer and remote users, but did not require the absolute focus of their IT staff. The company could now make easy business decisions by classifying applications and access needs as either mission- or business-critical. If mission-critical, the solution was to employ in-house IT staff; if business-critical, the business would outsource to companies that specialize in securing these documents.
Using outsourced application services immediately eliminated the need for provisioning and managing expensive hardware, network equipment, and security software. Furthermore, the equipment provisioned was tested and proven for the remote access environment based upon years of experience with thousands of users from countless customers. The equipment was housed in a Class A data center facility designed for security and scalability at a cost level usually not attainable by the typical company.
In addition to the facility, hardware, and software, the CMF sought real-time system management services to properly monitor all components and respond to potential issues before they happened. By relying on a company in the business of delivering remote access, the CMF gains monitoring and maintenance systems that are state-of-the-art and critical to the success of any deployment project. This provides not only peace of mind, but guaranteed service level agreements to assure that the CMF system would be available 24 x 7 and backed by a financial incentive to meet the uptime requirements.
Web Management Access
A proprietary web access and management system was the final piece of the puzzle. Users access the system by going to a corporate site, logging in, then launching their software applications through a simple web interface. The system analyzes their local client software configuration and web settings at each login to ensure they have the appropriate software installed and meet the required security configuration settings. This ensures that users can access the system from any computer in the world and, if it is not configured properly, the software will walk them through the process automatically, thereby simplifying the remote access process.
Also included is a system management set of features that enables project managers to provision their users, assign applications, and report on system usage in real-time. Project managers no longer need to contact their local IT staff to add a user to the system; they can execute these features from a very easy-to-use interface. This technology not only creates the user and assigns applications, but will actually test the new user login automatically to ensure that the user is set up and ready to use. A process that used to take 2 to 3 days now takes about 30 seconds.
Finally, the web management solution delivered includes a remote support system that guarantees a response based upon priority. Once a support issue is submitted, it is then tracked and monitored in a database, sending alerts to various key support personnel when the issue is not responded to within the time required by the priority set.
This paper highlights the process created for a company that needed to manage remote software and data access from several globally dispersed locations without compromising network security. Through a combination of application services, managed services and proprietary web management software, the company was able to attain secure access to project management software at a fraction of the cost while enabling the company to focus on mission-critical IT objectives and security that helped grow the corporate bottom line.
©2007, Eric Leighton
Originally published as a part of 2007 PMI Global Congress Proceedings – Atlanta, GA, USA