Transcript CS RP RH - ITL Capstone - Presentationx

By Romona Harris, Reginald Parks, and Cary Summers
PERSONAL AND CONFIDENTIAL
•
Background
•
•
•
Funding Sources
•
•
•
•
K-12 school located in Northwest Philadelphia
Specializes in educating and nurturing students with various
physical and mental disabilities
School District allotted operational budget:
• FY 2009: $321,000
FY 2012: $256,710
Title I Funding
Annuity funding through the family of the school’s founder
Funding Difficulties
•
•
Business budgeting vs. Educational budgeting
Fluctuating basis of budget allocations
PERSONAL AND CONFIDENTIAL
•
Family Educational Rights and Privacy Act
• “schools must have written permission from the parent or eligible student
in order to release any information from a student's education record”
• Protects test records, IEPs, written/recorded student work,
•
or any educational information used to identify a student
Health Insurance Portability and Accountability Act
• “requires adequate information security to be implemented for health
records that are transmitted or maintained through electronic or
traditional physical media”
• Protects student medical and psychological records (very important)
•
Individuals with Disabilities Education Act
• “it is the school’s duty to ensure that the best effort is made to cater to the
needs of children with disabilities”
• Promotes importance of IEPs and assistive technologies
PERSONAL AND CONFIDENTIAL
•
Network Architecture
• Server hardware configuration (2 servers)
• 1 Windows-based Dell PowerEdge 6850 server [2006]
• 1 MacOS-based Mac Pro server tower [2008]
• Both servers have been upgraded to the maximum hardware
specification as allowed by their capacity, but are still outdated
• “Six-wing” Network Layout




The upper school wing (high school ages; grades 9-12)
The middle school wing (middle school age; grades 6-8)
The lower school wing (elementary school ages; grades K-5)
The cafeteria, gymnasium and Speech, Physical and Occupational Therapy wing (as
well as faculty offices)
 The school’s Main Office (administrative staff)
 The school’s library, music room, and technical staff wing
PERSONAL AND CONFIDENTIAL

Client hardware configurations (~400 endpoints)
▪ Desktops
▪ Windows-based: Various 2006-2009 model year Dell,
Compaq and HP machines with Windows XP Professional
(majority), 5-to-10 Windows 2000 machines
▪ MacOS-based: iMacs (teachers and staff), as well as two
iMac student computer labs consisting of 8 machines each
▪ Laptops and Roving Devices
▪ Windows-based: Various 2009 model year Dell laptops with
Windows 7 Professional, as well as 2006-2008 model year
Gateway machines with Windows XP Professional
▪ MacOS-based: Various 2006-2009 model year MacBook Pro
laptops (for teachers and staff), as well as three mobile
laptop carts and 10 iPads
PERSONAL AND CONFIDENTIAL
PERSONAL AND CONFIDENTIAL

Critical hardware and software

Assistive hardware technologies
 iSight
 Promethean Smartboards

Key software technologies
 Inspiration / Kidspiration
 KeyMath
 SchoolNet
All (and others) require client hardware to be functional and
available for these technologies to be useful and perform their
duties in the educational environment.
•
Through our research, we identified the
following areas of issue within the school’s IT
infrastructure:
•
•
•
•
•
Lack of accurate inventory of hardware and software
assets
Lack of proper system authentication
Lack of effective role-based permissions
Inadequate storage, backup and disaster recovery
capabilities
Inconsistent patch maintenance
PERSONAL AND CONFIDENTIAL


Implementing Industry Best Practices
Virtualizing Infrastructure Components

Moving Resources to the Cloud

Taking Network Inventory

Implement the use of automated network inventory
software
 SpiceWorks, LANSweeper, Windows PowerShell
 Adds the ability to offer automated scripting and software
agents to help reconcile any gaps in inventory that are
present from the current paper-based inventory system
 Allows local IT staff to gain information (i.e., machine
names, IP addresses) on each machine to promote remote
administration of client infrastructure
PERSONAL AND CONFIDENTIAL

Overhaul of Authentication and Access Control
Policies
 Implementation of an Active Directory domain
 Create role-based permissions and access controls for
client systems
 Obtain feedback from fellow staff members about
which roles need to be defined
 Provides adequate access to users for tasks that they
perform on a daily basis
 Eliminates unneeded problems caused by users who have
unnecessarily elevated permissions
PERSONAL AND CONFIDENTIAL

Addressing Storage, Backups and Disaster Recovery
 Create a centralized data storage and backup solution
 Network-Attached Storage vs. Storage Area Network
 NAS - developed for file-level storage (i.e., common files
such as documents, pictures, videos, etc.)
 SAN - developed for large block-level storage (i.e., machine
image and backup storage, large-scale enterprise data
storage)
 Cheaper, and more within the school’s operational scope,
to implement a NAS system as opposed to a SAN system
 Implement a cloud-based storage and educational ecosystem

Examples: Microsoft Office 365, Google Apps for Education,
Inspiration/Kidspiration (cloud licensing)
 Provides off-site user data storage and disaster recovery
solution
PERSONAL AND CONFIDENTIAL

Addressing System Patching and Update
Maintenance

Develop a patch maintenance plan
 Implement central patch deployment methods
 Windows Server Update Services (WSUS)
 MacOS Software Update Services
 Prioritize which systems need to patched before others
 Example: systems that interact with sensitive data may
need additional security updates sooner than other clients
 Develop a schedule to test and implement patches
 Example: test patches at specified periods and deploy
patches to production systems at off-peak hours
PERSONAL AND CONFIDENTIAL

Are Hardware and Software Upgrades Needed?

Server hardware/software infrastructure needs to be upgraded
to accommodate further changes to the network
 i.e. – domain controllers, system update servers, etc.

Client hardware
 Develop a plan to consistently upgrade client hardware

 Costly to upgrade all machines at the same time: use a phased
approach
Upgrade client OSes to Windows 7 and the latest MacOS versions
to better match upgraded server configurations as well as overall
modern IT practices and the networking and administrative
capabilities afforded to them
PERSONAL AND CONFIDENTIAL
•
Key benefits of virtualization
• Improves infrastructure scalability and expandability
• Dramatically improves efficiency of disaster recovery operations
• Can create, delete, backup, and restore system environments without manual reimaging or purchase/replacement of physical hardware
• Decreases the time used on tasks of the schools IT personnel
• Centralizes management of virtualized desktops and devices on server(s)
•
Windows Virtualization: VMware vs. Hyper-V
•
•
HyperV and VMware enables administrators to consolidate workstations onto a single physical server and
provides system administrators with a central viewpoint to create, modify, administrate and monitor virtual IT
infrastructure
Both methods offer cost effective ways for the school to save money and time
•
•
•
Can virtualize other infrastructure that would otherwise entail physical hardware (domain controllers, patch deployment
servers, etc.)
Can virtualize client environments and relieve resource usage on older hardware, thus extend their useful life
MacOS Virtualization: Restrictions
• Can not be virtualized on non-Apple hardware
• MacOS system software can only be virtualized on Apple hardware
• Each MacOS license can be virtualized up to two times
• To create virtual client or server environments, Parallels Desktop, VirtualBox or a similar
solution can be purchased to take advantage of MacOS virtualization capabilities.
PERSONAL AND CONFIDENTIAL
•
VMware View and Microsoft’s Hyper-V solutions
• VMware solutions consist of separate “modules”/components such
as VMware vSphere, Composer, View manager View Client, and
View Agent.
• Hyper-V components are included in Windows Server operating
systems and can be used through Microsoft System Center and
Configuration Manager, Active Directory and RDP/Terminal
Services
PERSONAL AND CONFIDENTIAL
Two Implementation Models
•
Full Client Virtualization
• One virtual machine for every physical client present
• Each user would have his or her own environment to work in
• Licensing implications
• Many (~250 Windows + MacOS licenses) individual operating system licenses and
would be needed to implement this approach and could prove to be costly as the
total number of machine grows
• Possible BIOS Incompatibility Issues
• Older client hardware would require manual BIOS/firmware updates and activation
of hardware virtualization options in the BIOS menu of each machine
• Needed for client machines to simulate/inherit the processing and memory
needed to power a virtual machine from server infrastructure
• Further incentive for the school to implement a plan to upgrade to modern client
hardware
Two Implementation Models
•
Template-based Approach
• Limits the need for costly individual client OS licenses
• Users connect to a set of templates that are created for certain user groups to utilize
• Example configuration/distribution of templates:
 Administrative Staff and Faculty
(1 – 3 VMs to spread user load)
 Teachers and Therapists
(separate VM environments for Math, Science, English/English as a Second
Language, and Therapy
 Students
(separate VM environments for Math, Science, English/English as a Second
Language, and Therapy)
Three in each category (Elementary (K – 5), Middle (6-8), High
School (9-12)
• Each virtual machine will be tailored (based on the template / Active Directory
group[s]) to present the most relevant software, tools, and bookmarks and increase
the ease-of-use for users
Cost and Licensing Implications
•
VMware vs. Hyper-V
• Example scenario: two hardware servers (VM hosts), four cores each
• Hyper-V is nothing more than an add-on server role to existing Windows Server
configurations
• Inherits Windows Server Datacenter 2012 “per-2-processor” licensing model
($9,618 total for both OS licenses) (not including client OS licenses)
• VMware licensing uses component bundles called “Kits”
• Separate components include vSphere/vCenter, View Composer, View
Manager, View Client/Agent
• Similar features in Windows Server Hyper-V at no extra charge (Microsoft
System Center, Live Migration, Remote Desktop/Terminal Services)
• With VMware’s solution, the bundled package with the above components and
key beneficial technologies (thin provisioning [dynamic allocation of resources],
dynamic bandwidth management and VM recovery/migration) will cost the
school ~$21,995 per license ($43,990 total for both servers).
• Included in Windows Server Hyper-V at no extra licensing costs
• Solely based on licensing costs and the level of comfort that local IT staff has with
Microsoft products, we feel that Hyper-V should be the prevailing solution that
they eventually use.
PERSONAL AND CONFIDENTIAL
Security and Compliance Implications

Documentation within the school will consist of : Employee records,
student grades, health and psychological records, disciplinary
records, and other personal information covered under FERPA and
HIPAA
• Any VM infrastructure implemented will be built in-house which
lessens external risk of attacks
• To be successful, any systems or information that are stored and
secured on servers must be implemented with the CIA triad in
mind
• Centralized solution = More manageable solution
• In-house appliances, administrative access to servers and
applications, will be regulated to the extent that complies with the
FERPA and HIPAA regulations.
PERSONAL AND CONFIDENTIAL
Authentication and Access Control Policies
•
Inherit a role-based permission user account system from Active
Directory
• All virtual machines will be placed on AD domain
• System administrators will have centralized control of virtual systems
• Through vSphere/vCenter (VMware), or Microsoft System Center (Hyper-V)
• Users will access virtual machines remotely
• Through Remote Desktop Services (Hyper-V or VMware View), VMware Client and
VMware Agent (VMware only)
•
“Connection Broker” system creates a user-friendly system that allows
users an easy-to-navigate virtual ecosystem
• Inherits Active Directory permissions, as well as providing “Single Sign-On”
capabilities through relaying previously authenticated physical client
sessions to the virtual machine
PERSONAL AND CONFIDENTIAL
Impact on Storage, Backups and Disaster
Recovery
•
Storage
•
No inherent benefits on storage with Virtualization
•
•
•
Virtualization does not revolutionize storage capabilities as a whole, but merely how storage can be
used most effectively within a solution
Still would require NAS or SAN options for external storage
VMware and Hyper-V allow similar capabilities to optimize storage usage
•
•
‘Thin Provisioning’
Backups and Disaster Recovery
•
•
•
Easily create, delete, backup and restore virtual machines
Template-based approach allows for “clean” images to be kept, and replicated to a nonfunctioning environment for enhanced system availability
Architecture based on virtual machines with separate, back-end storage allows for VMs to
be backed-up and restored as needed with little effect on user data
PERSONAL AND CONFIDENTIAL
Impact on System Patching and Update Maintenance
•
Virtualization of physical infrastructure reduces the need for
chaotic workstation to workstation activity
•
Access of virtual machines through Remote Desktop or from VMware vSphere
and Microsoft Windows System Center allows for centralized access from a
single location
•
•
In a similar fashion to how Remote Desktop allows for central access to any hardware
client in the school in a non-virtualized environment
Virtualization allows for quick access to environment for testing
system updates
•
•
Virtual machine infrastructure can be used to create easily accessible
environments to ensure the full compatibility of system updates and software
patches before they are implemented to a production environment
Central update deployment (WSUS/MacOS SUS) servers can also be
implemented in a virtual manner to reduce the need for additional physical
hardware
PERSONAL AND CONFIDENTIAL
The US National Institute of Standards and Technology
(NIST) defines cloud computing as:
“a model for enabling ubiquitous , convenient, on-demand network
access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service
provider interaction” (Bender, pg. 1)
PERSONAL AND CONFIDENTIAL
•
Key Benefits of Cloud Computing
•
Cost
• Economical
• Ex. Public Cloud “ Public cloud operations can deliver an 80 percent
reduction in total cost ownership compared to non-Cloud
environment.” (2010 Microsoft Study)
•
Flexibility
• Private cloud – “exclusive use by a single organization comprising multiple
consumers”
• Community cloud – “exclusive use by a specific community of consumers from
organizations that have shared concerns”
• Public cloud – “provisioned for open use by the general public”.
• Hybrid cloud - “composition of two or more distinct cloud infrastructures
(private, community, or public) , (NIST)
•
Accessibility
• Files, Data and Services can be accessed anytime and anywhere
PERSONAL AND CONFIDENTIAL
•
Implementation Service Models
• IaaS (Infrastructure as a Service)
• “The capability provided to the consumer is to provision processing, storage,
networks, and other fundamental computing resources where the consumer is able
to deploy and run arbitrary software, which can include operating systems and
applications.”
•
PaaS (Platform as a Service)
• “The capability provided to the consumer is to deploy onto the cloud infrastructure
consumer-created or acquired applications created using programming languages,
libraries, services, and tools supported by the provider.”
•
SaaS (Software as a Service)
• “The capability provided to the consumer is to use the provider’s applications
running on a cloud infrastructure. The applications are accessible from various
client devices through either a thin client interface, such as a web browser (e.g., webbased email), or a program interface”. (NIST)
PERSONAL AND CONFIDENTIAL
•
Cloud Service Model Characteristics
•
On-Demand Self Service
• Users can initiate computing capabilities as desired automatically with
service provider without human interaction (Binder p 2)
•
Rapid Elasticity
• Resources can be deployed and scaled back on-demand
• Cloud resources can be provisioned to scale inward or outward to support
user demand
•
Broad network access
• “Capabilities over the network and access through standard mechanisms that
promote use by heterogeneous thin or thick client platforms” (NIST)
•
Resource Pooling
• Manage bandwidth capacity on servers using a multi-tenant model
• Providers, transparent to users, allocate and reallocate users to different
servers to load level network traffic
•
Measured service
• Resource usage can be monitored, controlled, and reported, providing transparency
for both the provider and consumer of the utilized service” (NIST)
PERSONAL AND CONFIDENTIAL
•
Cost and Licensing Implications
•
Cost
• Pay-as -you -go for only services used
•
Licensing
• Cloud services do not require subscribers to purchase
individual licenses
PERSONAL AND CONFIDENTIAL
Security and Compliance Implications
•
Documentation within the school will consist of : Employee records,
student grades, health and psychological records, disciplinary records,
and other personal information covered under FERPA and HIPAA
• Cloud providers security responsibilities include:
• Data Confidentiality
• Maintain Data Integrity
• System Availability
• Outstanding Security Issue within Cloud Data Centers
• Privacy concerns for data aggregation
• Security tools used by Cloud Providers
• Intrusion Detection and Prevention
• Firewalls to prevent DDoS (Denial-of Service) attacks
PERSONAL AND CONFIDENTIAL
Security and Compliance Standards
•
•
•
•
•
•
•
Cloud Security Alliance (CSA)
Federal Trade Commission (FTC)
The Desktop Management Taskforce (DMTF)
Org. for the Advancement of Structured Information
Standards (OASIS)
Storage Networking Industries Association (SNIA)
Checklist before Subscribing with Cloud Provider
NIST - Cloud Security Resources:
PERSONAL AND CONFIDENTIAL
Impact on Storage, Backups and Disaster Recovery
•
Storage (Cloud services in-conjunction with NAS)
•
•
•
Data Integrity Preservation
Data Synchronization
Data Backup and Disaster Recovery
•
•
•
•
•
Offsite storage system
Subscribers can retrieve data from a central location
Systems administrators benefit; Data backup is automated
Data Off-Site Storage
Synchronization and Restoration of User Home Drive
PERSONAL AND CONFIDENTIAL
Authentication and Access Control Policies
•
Local IT staff is not completely absolved
• Staff needed to support routine maintenance and to
secure the endpoints that are used to access the cloud
PERSONAL AND CONFIDENTIAL
Are Hardware and Software Upgrades Needed?
•
•
Hardware and software upgrades would not likely to be
needed as the basis of cloud infrastructure would be delivered
through the Internet.
From a system administration standpoint, hardware upgrades
will be managed by the cloud provider. In conjunction with
the cloud provider, internal system administrators will simply
perform tasks at a logical asset level.
• Cloud services take place at a remote site separate from the realm of
the end-user; processing and resources are maintained from a
central server environment provided by a Cloud service provider.
•
Patching and Update Maintenance
•
Deployed via the internet
PERSONAL AND CONFIDENTIAL
•
Implementing Industry Best Practices
•
Upgrade server hardware and software
• Windows Server 2012
•
Upgrade client operating systems
• Windows-based: Windows 7 Professional licenses
• MacOS-based: upgrades are included in existing
licenses at no extra cost
Implement an electronic network inventory system
• Implement an Active Directory environment that is
consistent with the users’ physical roles in the school
•
PERSONAL AND CONFIDENTIAL
•
Implementing Patch and Update Maintenance
•
•
Implement centralized patch deployment systems
Develop Patch Maintenance Plan
• Outstanding system updates and software patches will be
reviewed and prioritized based on improvements they offer
• Designated patches will be deployed to virtualized test
environments
• Approved patches will be automatically deployed to
production systems (client machines) on a scheduled
weekend every month
• Consult with fellow staff members to address the patching of
machines that are not always on the school’s network (takehome laptops)
• If a system update is found to adversely affect system
performance, it will be uninstalled until further testing can
be completed, or a workaround can be developed.
PERSONAL AND CONFIDENTIAL
•
Improving Storage, Backups and System Recovery
•
Cloud solution for curriculum-related work
• Microsoft Office 365 or Google Apps for Education
• Both solutions are free for academic institutions
• Allows students and staff to complete work anywhere with an
internet connection
• Provide inherent off-site backup and data recovery capabilities
•
On-site NAS system to centrally store sensitive information
• Allows the school (and school district) to maintain control of
sensitive data
• NOTE: For off-site backup and disaster recovery capabilities,
the school will need to consult with school district officials to
develop storage at a geographically separate location, or
determine if a cloud solution would be allowed
PERSONAL AND CONFIDENTIAL
•
Replacing Client Hardware in the Future
•
To save budget costs, implement a phased approach
• Example: 2011 model year Dell OptiPlex 580
(w/monitor) $865 per system ($216,250 for ~250
machines)
• Determine how much of the budget can be set aside for
client hardware upgrades
• Prioritize which machines need to be upgraded first
(example: pre-2006 Windows 2000 machines)
• Allows school to plan on implementing a fully virtualized
client environment in the future
PERSONAL AND CONFIDENTIAL
•
Tracking Project Success
•
•
•
•
•
Track overall system downtime (before and after changes)
Track hours used on perform system administration tasks (before and
after changes)
Implement the use of a network bandwidth monitoring tool to
determine the amount of network usage (before and after changes)
• Data can be used to justify a request for more bandwidth (or better
network equipment) if needed
Track the level of delinquency of patch updates for each system
(before and after changes)
Determine overall user satisfaction through scheduled meetings and
day-to-day interactions with students and staff representatives
PERSONAL AND CONFIDENTIAL
PERSONAL AND CONFIDENTIAL