
Case Analysis - iPremier

ISQS 5231 – IT for Managers

iPremier Case Analysis

Professor: Dr. Qing Cao

Team # 4: Dalal Ahmad, Sayed Almohri, Aliza Levinsky, Andy Rupp, Avinash Sikenpore


IT ISQS 5231 – IT for Managers| 5/4/2010 1

Table of Contents

Background (p. 2)
Analysis of the Problem (p. 3)
Alternative Solutions (p. 4)
Evaluation of Alternatives (p. 4)
  1) Staying with Qdata (p. 4)
  2) Outsourcing to another IT service provider (p. 4)
  3) Develop in-house IT infrastructure (p. 5)
  4) An in-between solution (p. 5)
Recommendations (p. 5)
Plan to Implement the Recommendations (p. 6)
Lessons learnt from the attack (p. 8)
Appendix A: DOS Attack Timeline (p. 9)
Appendix B: Matrices (p. 10)
Appendix C: DOS Attack & SYN-Flood (p. 12)
Appendix D: SWOT Analysis (p. 14)
Appendix E: Total Productive Maintenance (p. 15)
Bibliography (p. 16)


Background

iPremier was founded in 1996 by two students from Swarthmore College and became one of the few success stories in the web-based commerce industry. Based in Seattle, iPremier was an online retailer selling luxury, rare and vintage goods. In 1998, iPremier raised money through an initial public offering, and even though there were problems in the late 1990s and early 2000s, by 2006 profits were $2.1 million on sales of $32 million. The management of iPremier consisted mostly of young people who had been with the company from the beginning and more experienced managers who were hired as the company grew. The work environment at iPremier can be described as one filled with discipline, professionalism, commitment to delivering results, and partnerships for achieving profits. A "doing whatever it takes" culture prevailed in the company, which meant that employees would do whatever it took to get a project done on time, especially when it came to IT. To understand iPremier's IT structure we need to keep in mind that iPremier outsources most of the management of its technical architecture to Qdata. iPremier had planned to move its IT infrastructure and computing resources to another facility; however, this was not iPremier's top priority. Since the cost and time involved in this move would be significant, many members of iPremier perceived it as a disruption to normal business for the customers and were therefore reluctant. Apart from that, the top management at iPremier felt a commitment to Qdata because of its cordial and friendly relations over so many years, which delayed the process further.

On 12 January 2007, iPremier's website suffered a denial of service attack. At that time the CIO, Bob Turley, was out of town and the situation was not handled in the best possible manner. The colocation facility at Qdata did not have the required personnel to deal with the problem. The standard operating procedures for such emergencies were unknown, and everyone in the company started acting in their own way, mindful only of their own interests. Problem escalation was also unstructured, and everyone started calling everyone. This report discusses in detail the various issues pertaining to the attack and how they were handled, as well as the possible ways the risks of such an attack could have been mitigated or handled better. (A more detailed timeline is given in Appendix A.)


Analysis of the Problem

Understanding the business environment and the impact of IT on iPremier is critical to analyzing the different aspects of the problem. We have therefore used a group of matrices (Appendix B) to investigate the situation, which provided the following insights. The "product/market" analysis shows that iPremier serves a niche market of affluent customers by providing them with high-value products; this suggests that upsetting these clients through a lack of security measures to safeguard their data and credit card information will cost iPremier a fortune. Furthermore, the "IT impact matrix" shows IT to be the core of iPremier's business, so any failure, even for a very short duration, will cause losses and have negative consequences both internally and externally. Moreover, the "coupling-interaction matrix" shows that iPremier's IT processes are reasonably tightly coupled and complex, which suggests that the whole business can easily go down if one part of its IT is not functioning, as happened in the DoS attack (Appendix C). Also, when applying the "governance & ownership analysis" we notice that the outsourcing relationship places iPremier in the alliance form of ownership; this implies that the backbone of iPremier is not in its own hands, and therefore selecting a reliable outsourcer is imperative for its proper functioning.

To gain a holistic view and an insight into iPremier's situation, a SWOT analysis (Appendix D) was done. Despite the company's strengths, the SWOT analysis revealed that iPremier's main weakness lies in its lack of a Total Productive Maintenance (TPM) approach, which in turn sheds light on three other major weaknesses: the absence of a reliable IT provider, deficiencies in internal communication and escalation, and the absence of detailed transaction logs. Because of these weaknesses iPremier was susceptible to many threats, the major ones being increased vulnerability to security breaches, increased chances of repeated attacks, and a higher probability of declining IT performance. (Appendix E shows the TPM pillars.)

Apart from that, iPremier also has to worry about the legal aspects, public relations and the impact on its stock price after the attack. It might be liable for identity theft affecting its customers and face legal action as well. In light of all this, the stock price of the firm may also go down.


Alternative Solutions:

In evaluating the iPremier company and the case situation at hand, we reached the following conclusion about the alternatives available to the company after the attack:

1. Stay with Qdata
2. Outsource to another IT services provider
3. Develop in-house IT infrastructure
4. Develop an in-between solution (some outsourced, some in-house)

Evaluation of Alternatives:

1) Staying with Qdata: The first and easiest alternative available is to stay with the current service provider, Qdata. Although we strongly discourage this alternative, it might be a good idea to stick with Qdata until the other alternatives have been evaluated. However, in order to make this alternative viable, the company needs to take the following actions:

• Work cooperatively with Qdata to find the potential problems and try to fix them.
• Create a set of requirements to be met by Qdata as prerequisites for continuing to use its services, for example being more responsible about its services and providing real 24/7 support.
• Obtain higher levels of authorization for iPremier's engineers to access the facilities in case of emergencies.

Considering iPremier's long-term relationship with that company and the overhead costs associated with establishing new contracts with other providers, if Qdata could successfully accept and accomplish these requirements, this can be assessed as a semi-viable alternative.

2) Outsourcing to another IT service provider: In the dynamic and rapidly changing world of information technology, where new systems and opportunities are created every day, having an up-to-date and top-notch IT service provider is a crucial requirement for an online merchant like iPremier. Keeping this in mind, the company should carry out in-depth research on the various available IT service providers and identify the best choice that fits its requirements in the most economical way. Our suggestion for the time being is to go with one of the top giants in this market, like IBM or HP. These companies have long-term experience in this area and have thousands of large, satisfied customers worldwide. They also have auditing programs which can find problems and opportunities for their customers to enhance their performance and increase their market share.

3) Develop in-house IT infrastructure: In long-term planning, developing its own in-house IT infrastructure is always an attractive option, especially when the company deals with critical data like the credit card information of its customers. Even though in-house development is a very expensive decision requiring a huge up-front investment, which might hamper profits and cash flow in the initial years, future cost savings might make it worth all the effort and investment. This action might also allow the firm to create a competitive advantage over the competition and would provide the opportunity for further expansion of its services.

4) An in-between solution: Sometimes a middle solution can be found that satisfies the privacy requirements of the customers and decreases the company's costs through outsourcing. For example, if the company's critical information is stored in-house on highly secured servers with multiple backups, and the other IT requirements are outsourced to an outside IT provider, it can both enhance its security and create a cost-efficient alternative.

Recommendations:

The following courses of action are recommended after the attack. They are divided into three areas:

Management

1. Allocate appropriate resources towards IT security.
2. Create a standard protocol assigning roles and responsibilities and defining the escalation of communication in such situations.
3. Implement a disaster recovery and business continuity plan (alternate website).
4. Use external vulnerability assessment services to periodically check the security level maintained by the IT department.
5. Review the management culture of focusing only on end results, which leads managers to take shortcuts to expedite the delivery of software systems and to ignore controls.
6. Appoint an external audit committee for risk assessment and management.

IT Department

1. Implement a robust firewall.
2. Enable logging and monitor the logs regularly.
3. Install network-based intrusion detection software.
4. Train and educate all staff on basic systems security.
5. Encrypt sensitive information on the servers.
6. Provide guidelines and information regarding whom to contact when issues arise.
7. Switch the IT services to IBM or HP.

Public Relations

1. Inform the press about the investment in state-of-the-art network security systems.
2. Perform an in-depth analysis and evaluation of the colocation facility.
3. Announce that all customer data on its servers will be encrypted.

Plan to Implement the Recommendations

The first step for iPremier is to hire a well-reputed IT consultant to evaluate the situation. The consultant shall define the software, hardware and network requirements for the company based on the nature of its business, and can then come up with a design for implementing the preferred solution. The iPremier management team should then review the plan and approve the funds necessary to implement it.


The second step would be to create a project team comprising the key personnel responsible for a smooth and trouble-free transition to the new system. Even though the actual tasks would be based on the recommendations of the IT consultant, we feel that before moving from Qdata to IBM for their IT service requirements they first need to carefully review the terms of their contract with Qdata. If serious penalties are levied on the party that breaks the contract, a solution needs to be worked out with Qdata at least until the end of the contract period.

Thirdly, assuming there are no major financial implications of ending the contract, iPremier should collaborate with IBM to securely transfer data from Qdata's servers and set up a new computing facility with IBM. It should check and review all the terms of the contract as well as the obligations of both IBM and iPremier in safeguarding and handling information. The contract should provide adequate protection to iPremier in case of data theft or damage.

Finally, after the project has been successfully implemented, iPremier should develop a standard protocol within its IT department for escalating any issue and for contacting the appropriate person in case of a crisis. All staff at iPremier need to be given training on basic computer security and on how to avoid the common mistakes in regard to secure computing.

These steps will not completely eliminate the risk of attack or fully secure the iPremier website; however, they will reduce the possibility of such an incident to a manageable level. A standardized approach for dealing with an unusual event would reduce downtime, or at least enable the troubleshooters to fix it faster.


Lessons learnt from the attack

The attack, even though it lasted for only a short time, provided some valuable lessons. We have listed several things taught by this incident:

1. The importance of contingency planning
2. Handling core business operations in a responsible and careful manner (make sure the core business is in the right hands)
3. The importance of support from senior executives
4. Unconditional collaboration in moments of crisis
5. The importance of a good cultural environment (relationships, innovation, entrepreneurship, team collaboration)
6. Defining protocols and clear channels of communication
7. Regular evaluation of the IT infrastructure (vulnerability analysis, updated protocols)


Appendix A: DOS Attack Timeline

4:31am: Bob Turley receives a call about an attack on iPremier's webserver.

• Discovers from Leon that Joanne is on her way to Qdata.

4:39am: Joanne contacts Bob Turley and promises to keep him updated on the situation.

• Bob Turley begins to contemplate pulling the plug because of the liability if credit card information is stolen.

• iPremier's upper management begins to contact Turley wanting to know about the situation.

5:27am: Bob Turley receives a call from the CEO, Jack Samuelson.

• He asks the CEO to contact Qdata's upper management so that Joanne can get access to the Network Operations Center (NOC).

• Bob Turley learns from Joanne that the attack was a SYN flood, which is a type of DoS attack.

5:46am: The attack stops.


Appendix B: Matrices

Governance and Ownership Matrix

In our presentation we placed iPremier as a CORPORATION since it consisted of a legally defined organization with different departments such as legal, marketing and IT. After a more in-depth analysis we notice that the outsourcing relationship places iPremier in the ALLIANCE form of ownership; this implies that the backbone of iPremier is not in its own hands, and therefore selecting a reliable outsourcer is imperative for its proper functioning. A formal contract is not formed in a B2C relationship, which places iPremier in the MARKET section of the matrix, as it provides goods, processes payments and maintains customer profiles.

Product and market positioning

Since iPremier currently serves a niche market (mostly affluent customers) we categorized it as NARROW, but with its plans for growth it is moving up to reach BROAD. Since it sells luxury and rare items, we recognize it as VALUE ADDED.


IT Impact

In the early days of the company, its IT placed it in a HIGH strategic impact position. Later on, when competitors entered the market, the strategic impact of IT became LOW. Since it is an online business, the impact of IT on operations is HIGH.

Coupling-Interaction

Since all the operations of an e-commerce business are mostly online, iPremier is reasonably COMPLEX. It also has reasonably TIGHT COUPLING because its operations are interdependent.


Appendix C: DOS Attack & SYN-Flood

Denial of Service attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.


SYN Flood attack

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. Normally a TCP connection is set up by a three-way handshake:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending a SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

When the attacking computer does not reply to the SYN-ACK sent by the server, the resulting half-open connection consumes resources on the server, and when this is repeated a large number of times the server is rendered incapable of responding. A SYN flood is therefore a type of DoS attack.
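The half-open state the handshake description above refers to, modelled as an added example (not from the case study or its authors): a small Python model of a listener's SYN_RECV queue with a constructed backlog size, timeout, alert threshold and peer addresses, showing how unanswered SYN-ACKs cause a legitimate client's SYN to be refused, how a defender can monitor queue occupancy, how the queue clears after the timeout, and how stateless SYN cookies (a standard mitigation not discussed in the case) avoid holding a slot at all.

```python
"""In-memory model of the TCP listener state described in Appendix C. Added
example, not the case study's own material; no packets are sent. A SYN whose
SYN-ACK is never answered leaves a half-open (SYN_RECV) entry holding a backlog
slot until it times out. Backlog, timeout, threshold and addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int = 4             # half-open slots (constructed; real stacks use far more)
    timeout: float = 60.0        # seconds a SYN_RECV entry is retained
    syn_cookies: bool = False    # True: store nothing until the ACK arrives
    half_open: dict = field(default_factory=dict)   # peer -> time SYN-ACK was sent
    established: set = field(default_factory=set)
    dropped: int = 0             # SYNs refused because the backlog was full

    def expire(self, now: float) -> None:
        """Discard SYN_RECV entries whose SYN-ACK was not answered in time."""
        for peer in [p for p, t in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[peer]

    def on_syn(self, peer: str, now: float) -> bool:
        """Handshake step 1. True if a SYN-ACK goes out, False if the SYN is refused."""
        self.expire(now)
        if self.syn_cookies:
            return True          # state is encoded in the SYN-ACK sequence number; no slot used
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[peer] = now
        return True

    def on_ack(self, peer: str, now: float) -> bool:
        """Handshake step 3. True when the connection becomes established.
        A real stack validates the SYN cookie in the ACK; that check is omitted here."""
        self.expire(now)
        if self.syn_cookies or peer in self.half_open:
            self.half_open.pop(peer, None)
            self.established.add(peer)
            return True
        return False

    def half_open_ratio(self) -> float:
        """Fraction of the backlog tied up in SYN_RECV: the value a monitor watches."""
        return len(self.half_open) / self.backlog


def flood(srv: Listener, now: float = 0.0) -> None:
    """Constructed traffic: four peers send a SYN each and never send the ACK."""
    for i in range(4):
        srv.on_syn(f"10.0.0.{i + 1}", now)


def run_scenario(syn_cookies: bool = False) -> tuple:
    """Flood, then a legitimate client attempts a full handshake one second later.
    Returns (client_established, monitor_alert, syns_dropped)."""
    srv = Listener(syn_cookies=syn_cookies)
    flood(srv)
    alert = srv.half_open_ratio() >= 0.75           # alert threshold (assumption)
    sent = srv.on_syn("192.0.2.10", now=1.0)
    ok = sent and srv.on_ack("192.0.2.10", now=1.1)
    return ok, alert, srv.dropped


def recovers_after_timeout() -> bool:
    """Flood, then the legitimate client arrives after the SYN_RECV entries expire."""
    srv = Listener()
    flood(srv)
    return srv.on_syn("192.0.2.10", now=60.0) and srv.on_ack("192.0.2.10", now=60.1)
```

`run_scenario(False)` returns `(False, True, 1)`: the backlog is full, the monitor alerts, and the legitimate SYN is refused; with `syn_cookies=True` the same traffic yields `(True, False, 0)` because no slot is ever held.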


Appendix D: SWOT Analysis

Strengths:

• Leaders in e-commerce.
• Resourceful pool of employees (talented young people, experienced managers) with a reputation for high performance.
• iPremier targets high-end customers and has flexible return policies.
• Credit limits on charge cards are rarely an issue.

Weaknesses:

• Problems in internal communication and escalation deficiencies.
• iPremier does not keep detailed transaction logs, as this involves a trade-off with speed.
• All of its systems are built on a poorly performing IT services provider.

Opportunities:

• iPremier is one of the few success stories of the e-commerce business.
• Having established a very strong high-end customer base, iPremier now has the opportunity to extend into and tap the mid-class consumer base as well.

Threats:

• Security issues that can harm the overall performance and success of iPremier.
• Because of the lack of detailed transaction logs, the possibility of a repeated attack.
• IT operations are outsourced to Qdata (iPremier does not have the required immediate access to and control over its data center and network).
• Qdata was not investing in advanced technology and upgrades.


Appendix E: Total Productive Maintenance

iPremier could support its operation with the five pillars of Total Productive Maintenance:

Elimination of main problem: Outsource its core business
Autonomous maintenance: Take responsibility into its own hands
Planned maintenance: Create policies and contingency plans
Early management of new equipment: Invest smartly in the security of its infrastructure
Education and training on the job: Prepare the personnel to deal with the common IT-related problems it can face


Bibliography

The Advantages of TPM. (2008, 02 16). Retrieved 04 28, 2010, from Eco Max - Training and Learning Center: www.ecomaxmc.com/blog/

Garafalo, D. J. (2004, 03 28). IST University Computing Systems. Retrieved from Management of Information Systems: http://web.njit.edu

Lynda M. Applegate, R. D. (2008). Corporate Information Strategy and Management: Text and Cases. McGraw-Hill/Irwin.

Robert D. Austin, L. L. (2007, 07 26). iPremier Co. (A): Denial of Service Attack. Harvard Business Publishing.