
ISQS 5231 IT for Managers

iPremier Case Analysis


Professor: Dr. Qing Cao
Team # 4
Dalal Ahmad Sayed Almohri, Aliza Levinsky, Andy Rupp, Avinash Sikenpore

IT ISQS 5231 IT for Managers | 5/4/2010
Table of Contents
Background
Analysis of the Problem
Alternative Solutions
Evaluation of Alternatives
  1) Staying with Qdata
  2) Outsourcing to another IT service provider
  3) Develop in-house IT infrastructure
  4) An in-between solution
Recommendations
Plan to Implement the Recommendations
Lessons learnt from the attack
Appendix A: DOS Attack Timeline
Appendix B: Matrices
Appendix C: DOS Attack & SYN-Flood
Appendix D: SWOT Analysis
Appendix E: Total Productive Maintenance

Background
iPremier was founded in 1996 by two students from Swarthmore College and became one of the few success stories of the web-based commerce industry. Based in Seattle, iPremier was an online retailer selling luxury, rare and vintage goods. In 1998 iPremier raised money through an initial public offering, and even though there were problems in the late 1990s and early 2000s, by 2006 profits were $2.1 million on sales of $32 million. The management of iPremier consisted mostly of young people who had been with the company from the beginning and more experienced managers who were hired as the company grew. The work environment at iPremier can be described as one of discipline, professionalism, commitment to delivering results, and partnerships for achieving profits. A "do whatever it takes" culture permeated the company, meaning that employees would do whatever it took to get a project done on time, especially where IT was concerned.

To understand iPremier's IT structure we need to keep in mind that iPremier outsourced most of the management of its technical architecture to Qdata. iPremier had planned to move its IT infrastructure and computing resources to another facility, but this was not iPremier's top priority. Since the cost and time involved in the move would be significant, many members of iPremier perceived it as a disruption to normal business for customers and were therefore reluctant. Apart from that, the top management at iPremier felt a commitment to Qdata because of the cordial and friendly relations of the previous years, which delayed the process further.

On 12th January 2007 iPremier's website suffered a Denial of Service attack. At that time the CIO, Bob Turley, was out of town and the situation was not handled in the best possible manner. The colocation facility at Qdata did not have the required personnel to deal with the problem. The standard operating procedure for such emergencies was unknown, and everyone in the company started acting in their own way, mindful of their own interests only. Problem escalation was also unstructured and everyone started calling everyone. This report discusses in detail the various issues pertaining to the attack and how they were handled, as well as the possible ways the risk of such an attack could have been mitigated or handled better. (A more detailed timeline is given in Appendix A.)

Analysis of the Problem
Understanding the business environment and the impact of IT on iPremier is critical to analyzing the different aspects of the problem. We have therefore used a group of matrices (Appendix B) to investigate the situation, which provided the following insights. The product/market analysis shows that iPremier serves a niche market of affluent customers by providing them with high-value products; this suggests that upsetting these clients through a lack of security measures safeguarding their data and credit card information will cost iPremier a fortune. Furthermore, the IT impact matrix shows IT to be the core of iPremier's business, so any failure, even of very short duration, will cause losses and have negative consequences both internally and externally. Moreover, the coupling-interaction matrix shows that iPremier's IT processes are reasonably tight and complex, which suggests that the whole business can easily go down if one part of its IT is not functioning, as happened in the DoS attack (Appendix C). When applying the governance and ownership analysis we also notice that the outsourcing relationship places iPremier in the alliance form of ownership; this implies that the backbone of iPremier is not in its own hands, so selecting a reliable outsourcer is imperative for its proper functioning.

To gain a holistic view of iPremier's situation, a SWOT analysis (Appendix D) was done. Despite the company's strengths, the SWOT analysis revealed that iPremier's main weakness is its lack of a Total Productive Maintenance (TPM) approach, which in turn sheds light on three other major weaknesses: the absence of a reliable IT provider, deficiencies in internal communication and escalation, and the absence of detailed transaction logs. Because of these weaknesses iPremier was susceptible to many threats, the major ones being increased vulnerability to security breaches, increased chances of repeated attacks, and a higher probability of declining IT performance. (Appendix E shows the TPM pillars.)

Apart from that, iPremier also has to worry about the legal aspects, public relations and the impact on its stock price after the attack. It might be liable for identity theft affecting its customers and face legal action as well. In light of all this the stock price of the firm may also go down.

Alternative Solutions:
In evaluating the iPremier company and the case situation at hand, we reached the following conclusion about the alternatives available to the company after the attack:
1. Stay with Qdata
2. Outsource to another IT services provider
3. Develop in-house IT infrastructure
4. Develop an in-between solution (some outsourced, some in-house)
Evaluation of Alternatives:
1) Staying with Qdata: The first and easiest alternative available is to stay with the current service provider, Qdata. Although we strongly discourage this alternative, it might be a good idea to stick with Qdata until the other alternatives have been evaluated. However, to make this alternative viable, the company needs to take the following actions:
- Work cooperatively with Qdata to find the potential problems and try to fix them.
- Create a set of requirements to be met by Qdata as prerequisites for continuing to use its services, for example being more responsible about its services and providing real 24/7 support.
- Obtain higher levels of authorization for iPremier's engineers to access the facilities in case of emergencies.
Considering iPremier's long-term relationship with that company and the overhead costs associated with establishing new contracts with other providers, if Qdata could successfully accept and accomplish these requirements, this can be assessed as a semi-viable alternative.

2) Outsourcing to another IT service provider: In the dynamic and rapidly changing world of information technology, where new systems and opportunities are created every day, having an up-to-date and top-notch IT service provider is a crucial requirement for an online merchant like the iPremier company. Keeping this in mind, the company should conduct in-depth research on the various available IT service providers and identify the choice which best fits its requirements in the most economical way. Our suggestion for the time being is to go with one of the top giants in this market, like IBM or HP. These companies have long-term experience in this area and thousands of large and satisfied customers worldwide. They also have auditing programs which can find problems and opportunities for their customers to enhance their performance and increase their market share.

3) Develop in-house IT infrastructure: In long-term planning, developing an in-house IT infrastructure is always an attractive option, especially when the company deals with critical data like its customers' credit card information. Even though in-house development is a very expensive decision requiring a huge up-front investment, which might hamper profits and cash flow in the initial years, future cost savings might make it worth all the effort and investment. This action might also allow the firm to create a competitive advantage over the competition and would provide the opportunity for further expansion of its services.

4) An in-between solution: Sometimes a middle solution can be found that satisfies the privacy requirements of the customers and decreases the company's costs through outsourcing. For example, if the company stores its critical information on in-house, highly secured servers with multiple backups and outsources its other IT requirements to an outside IT provider, it can both enhance its security and create a cost-efficient alternative.
Recommendations:
The following courses of action have been recommended after the attack. They are divided into three areas:

Management
1. Allocate appropriate resources towards IT security.
2. Create a standard protocol assigning roles and responsibilities and the escalation of communication in such situations.
3. Implement a disaster recovery and business continuity plan (alternate website).
4. Use external vulnerability assessment services to periodically check the security level maintained by the IT department.
5. Review the management culture of focusing on just the end results, which leads managers to take shortcuts to expedite delivery of software systems and ignore the controls.
6. Appoint an external audit committee for risk assessment and management.

IT Department
1. Implement a robust firewall.
2. Enable logging and monitor the logs regularly.
3. Install network-based intrusion detection software.
4. Train and educate all staff on basic systems security.
5. Encrypt sensitive information on the servers.
6. Provide guidelines and information regarding the people to contact when issues arise.
7. Switch the IT services to IBM or HP.

Public Relations
1. Inform the press about the investment in state-of-the-art network security systems.
2. Perform an in-depth analysis and evaluation of the colocation facility.
3. Announce that all customer data on its servers will be encrypted.
Plan to Implement the Recommendations
The first step for iPremier is to hire a well-reputed IT consultant to evaluate the situation. The consultant shall define the software, hardware and network requirements for the company based on the nature of its business, and can then come up with a design for implementing the preferred solution. The iPremier management team should then review the plan and approve the funds necessary to implement it.

The second step would be to create a project team comprising the key personnel responsible for a smooth and trouble-free transition to the new system. Even though the actual task would be based on the recommendations of the IT consultant, we feel that before moving from Qdata to IBM for its IT service requirements, iPremier first needs to review the terms of its contract with Qdata carefully. If serious penalties are levied on the party that breaks the contract, a solution needs to be worked out with Qdata at least until the end of the contract period.

Thirdly, assuming there are no major financial implications of ending the contract, iPremier should collaborate with IBM on securely transferring the data from Qdata's servers and setting up a new computing facility with IBM. It should check and review all the terms of the contract as well as the obligations on the part of IBM and iPremier in safeguarding and handling information. The contract should provide adequate protection to iPremier in case of data theft or damage.

Finally, after the project has been successfully implemented, iPremier should develop a standard protocol within its IT department for escalating any issue as well as contacting the appropriate person in case of a crisis. All the staff at iPremier need to be given training on basic computer security and how to avoid the common mistakes in regard to secure computing. These steps will not completely eliminate the risk of attack or secure the iPremier website completely; however, they will reduce the possibility of such an incident to a manageable level. A standardized approach for dealing with an unusual event would reduce the downtime, or at least enable the troubleshooters to fix it faster.

Lessons learnt from the attack
The attack, even though it lasted for only a short time, provided some valuable lessons. The incident taught the following:
1. Importance of contingency planning
2. Handling core business operations in a responsible and careful manner (make sure the core business is in the right hands)
3. Importance of support from senior executives
4. Unconditional collaboration in moments of crisis
5. Importance of a good cultural environment (relationships, innovation, entrepreneurship, team collaboration)
6. Define protocols and clear channels of communication
7. Regular evaluation of the IT infrastructure (vulnerability analysis, updated protocols)

Appendix A: DOS Attack Timeline
4:31am: Bob Turley receives a call about an attack on iPremier's web server. He discovers from Leon that Joanne is on her way to Qdata.
4:39am: Joanne contacts Bob Turley and promises to keep him updated on the situation. Bob Turley begins to contemplate pulling the plug because of the liability of credit card information being stolen. iPremier's upper management begins to contact Turley wanting to know about the situation.
5:27am: Bob Turley receives a call from the CEO, Jack Samuelson. He asks the CEO to contact Qdata's upper management to let Joanne get access to the Network Operation Center (NOC). Bob Turley discovers from Joanne that the attack was a SYN flood, which is a type of DoS attack.
5:46am: The attack stops.

Appendix B: Matrices
Governance and Ownership Matrix
In our presentation we placed iPremier as a CORPORATION, since it consists of a legally defined organization with different departments such as legal, marketing and IT. After a more in-depth analysis we notice that the outsourcing relationship places iPremier in the ALLIANCE form of ownership; this implies that the backbone of iPremier is not in its own hands, so selecting a reliable outsourcer is imperative for its proper functioning. A formal contract is not formed in a B2C relationship, which places iPremier in the MARKET section of the matrix, as it provides goods, processes payments and maintains customer profiles.

Product and Market Positioning
Since iPremier currently serves a niche market (mostly affluent customers) we categorized it as NARROW, but with its plans for growth it is moving up to reach BROAD. Since it sells luxury and rare items we recognize it as VALUE ADDED.

IT Impact
In the company's early days its IT placed it in a HIGH strategic impact position. Later, when competitors entered the market, the strategic impact of IT became LOW. Since it is an online business, the impact of IT on operations is HIGH.

Coupling-Interaction
Since all the operations of an e-commerce business are mostly online, iPremier is reasonably COMPLEX. It also has reasonably tight COUPLING because its operations are interdependent.

Appendix C: DOS Attack & SYN-Flood
Denial of Service attack
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

SYN Flood attack
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. Normally a TCP connection is set up by a three-way handshake:
1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending a SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.
When the attacking computer does not reply to the SYN-ACK sent by the server, the server keeps the half-open connection and the resources reserved for it; when this is repeated a large number of times the server is rendered incapable of responding to legitimate connection requests. A SYN flood is a type of DoS attack.
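As an added illustration (not part of the original report or of the iPremier case), the following Python model of a listening socket's half-open backlog shows why unanswered SYN-ACKs exhaust the server, and compares two defensive settings, a shorter half-open timeout and SYN cookies, on a constructed trace. The backlog size, timeout values, secret and addresses are assumed values chosen for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-example-secret"  # assumed value; a real kernel rotates its own


class Listener:
    """Model of a listening TCP socket's half-open (SYN_RECV) backlog. Simulation only."""
    def __init__(self, backlog, syn_timeout, syn_cookies=False):
        self.backlog = backlog          # max half-open entries kept in memory
        self.syn_timeout = syn_timeout  # seconds before a half-open entry expires
        self.syn_cookies = syn_cookies  # stateless mode: no entry stored per SYN
        self.half_open = {}             # src -> time the SYN-ACK was sent (insertion order)
        self.established = 0
        self.refused = 0                # SYNs dropped because the backlog was full

    def _cookie(self, src, now):
        # SYN cookie: the SYN-ACK sequence number is an HMAC over the peer and a
        # coarse time slot, so the final ACK can be checked without stored state.
        msg = f"{src}|{int(now) // 60}".encode()
        digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def _expire(self, now):
        # Drop the oldest half-open entries whose timer has run out.
        while self.half_open:
            src, sent_at = next(iter(self.half_open.items()))
            if now - sent_at < self.syn_timeout:
                break
            del self.half_open[src]

    def on_syn(self, now, src):
        """Handshake step 1 arrives; return the SYN-ACK seq, or None if refused."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return None
        self.half_open[src] = now
        return len(self.half_open)  # stand-in for a real initial sequence number

    def on_ack(self, now, src, ack_seq):
        """Handshake step 3 arrives; return True if the connection is established."""
        self._expire(now)
        if self.syn_cookies:
            ok = ack_seq == self._cookie(src, now)  # recompute and compare, no lookup
        else:
            ok = self.half_open.pop(src, None) is not None
        if ok:
            self.established += 1
        return ok


def run_trace(listener):
    """Constructed trace: 200 SYNs at t=0 whose SYN-ACKs are never answered, then
    5 well-behaved clients at t=1. Returns (connections established, SYNs refused)."""
    for i in range(200):
        listener.on_syn(0.0, f"10.0.0.{i}")
    for i in range(5):
        src = f"192.0.2.{i}"
        seq = listener.on_syn(1.0, src)
        if seq is not None:
            listener.on_ack(1.0, src, seq)  # honest client echoes the server's seq
    return listener.established, listener.refused
```

Shortening the timeout only clears a single burst, since a sustained flood refills the backlog as fast as entries expire, which is why the stateless SYN-cookie mode is the usual mitigation.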

Appendix D: SWOT Analysis
Strengths:
- Leaders in e-commerce.
- Resourceful pool of employees (talented young people, experienced managers) with reputations for high performance.
- iPremier targeted high-end customers and had flexible return policies.
- Credit limits on charge cards are rarely an issue.
Weaknesses:
- Problems in internal communication and escalation deficiencies.
- iPremier does not have detailed transaction logs, as this involves a trade-off with speed.
- Building all of their systems on a poorly performing IT services provider.
Opportunities:
- iPremier is one of the few success stories of the e-commerce business.
- Given that iPremier has established a very strong high-end customer base, it now has the opportunity to extend into and tap the mid-class consumer base as well.
Threats:
- Security issues that can harm the overall performance and success of iPremier.
- Due to the lack of detailed transaction logs, the possibility of a repeated attack.
- IT operations outsourced to Qdata (no immediate access to and control over their data center and network).
- Qdata was not investing in advanced technology and upgrades.

Appendix E: Total Productive Maintenance
iPremier could support its operations with the five pillars of Total Productive Maintenance:
- Elimination of the main problem: outsourcing its core business
- Autonomous maintenance: take responsibility into its own hands
- Planned maintenance: create policies and contingency plans
- Early management of new equipment: invest smartly in the security of its infrastructure
- Education and training on the job: prepare the personnel to deal with the common IT-related problems it can face
