upward bound muller chen

Upload: turley-muller

Post on 02-Jun-2018


  • 8/10/2019 Upward Bound Muller Chen

    1/16

    Executive Summary

Upward Bound Airlines is a U.S. legacy carrier facing challenging conditions as it tries to become both a cost leader and a market leader. It faces fierce competition, a cash crunch and an aging jet fleet, and needs a comprehensive response to improve the efficiency of its operations and retain profitability. To remain competitive, Upward Bound must modernize its fleet with fuel-efficient aircraft, a project that will put significant pressure on the airline's cash position. The firm has decided to cut costs by eliminating 20% of its workforce and outsourcing IT functions to cloud service providers. It now needs to determine how the outsourcing of IT should be handled and what new policies and procedures must be developed for operating in the new IT environment so that security remains adequate. As with any major corporate change, directors and management need to ensure that the new plans achieve corporate goals, realize benefits, optimize risk, and use resources effectively.

    Company Background

Founded in 1980, Upward Bound has grown into a small to mid-sized airline serving 31 cities, 16 in the United States and 15 abroad. It has 9,000 employees and generated $19 million in net income on $296 million of revenue, a net margin of 6.4%. Upward Bound is a public company carrying $110 million in debt.

    Company Analysis (SWOT Analysis)

Strengths: Upward Bound is known for its reliability, attractive ticket prices and operational efficiency. It has a strong brand image, high operational efficiency and a lower cost structure than other legacy airlines. In particular, it has the lowest time per repair in the industry and the best on-time record in the industry. Its board of directors consists of highly qualified professionals.

Weaknesses: The fleet's operating costs are high because it is aging and its aircraft are not fuel-efficient. Upward Bound does not offer as many flights or destinations as its larger competitors, the major airlines, which can offer convenience and a broad array of itinerary options, allowing many consumers to fly non-stop, anywhere, at any time. While this is a weakness for Upward Bound, it is shared by all smaller airlines, and Upward Bound has capitalized on its strengths to differentiate itself from the competition and deliver value to its customers.

Opportunities: Upward Bound has opportunities in international markets to boost its sales because of its relatively low cost and its reliability. The firm's revenues are highly responsive to marketing: each additional dollar of marketing spend generates a considerable amount of additional revenue. Currently the airline cannot afford to increase its marketing budget, because it needs to conserve cash to replace its fleet. Outsourcing most of its IT operations to cloud computing services will allow it to ease the cash crunch and replace its current jet fleet. Down the road, the firm will realize significant cost savings from outsourced IT and a cost-efficient fleet, which will position it to focus its efforts on marketing, its most effective tool for increasing sales.

Threats: Upward Bound faces three types of threats: its aging jet fleet, a weakening competitive position in marketing, and draining cash reserves. Upward Bound competes by offering attractive pricing and is not in a position to raise fares and still retain customers. The airline is at a cost disadvantage to competitors operating modern, fuel-efficient fleets; if it does not reduce its operating costs, it will not be able to compete.

Upward Bound's Problems

Upward Bound must evaluate which cloud services it needs and how to use them to achieve its corporate goals. It must identify and address the risks of moving to the cloud, and determine which IT infrastructure and personnel will need to be retained and managed internally. New policies and procedures need to be written detailing administrative responsibilities, usage policies, and the procedures for managing, monitoring and auditing the cloud services available to the firm. In addition, the firm must develop a new security architecture that reflects the changes in the corporate IT function.

    Cloud Services

    There are many benefits to moving to the cloud, primarily the cost savings it provides. Cloud


    Cloud Service Options

1: SaaS. Google for Gmail; Zoho for business applications, spreadsheets, dashboards and business reports. The consumer does not manage or control the underlying cloud infrastructure (network, servers, operating systems or storage), or the application itself, apart from limited user-specific configuration settings. The organization pushes almost all security concerns to the provider, but it keeps responsibility for who has accounts, how they authenticate, and what data it chooses to put into the service.

2: IaaS. Amazon, for hosting the airline website and storage for the database. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (e.g. host firewalls). Of the three models this is the one in which the organization retains the most control over security, and therefore the most responsibility: everything from the guest operating system upward (patching, hardening, host firewalls, integrity monitoring) stays with the airline.

3: PaaS. The airline builds its custom applications for reservation systems, flight management, and maintenance and ground operations on the provider's platform. The airline does not manage or control the underlying cloud infrastructure (network, servers, operating systems or storage), but has control over the deployed applications and possibly the configuration of the application hosting environment. The organization shares security with the provider: the provider secures the platform, and the airline secures its application code, its data and access to it.

    Existing Security Architecture

The existing security architecture contains the following elements:

- Policy and security standards that cover all major types of computing and network technologies
- Screening routers, stateful firewalls and a virus wall at each exterior gateway
- Spam filter and antivirus software on each mail server
- Network-based intrusion detection in each of Upward Bound's six networks, with sensors distributed within each network
- Endpoint security (antivirus plus antispyware plus personal firewall) on each Windows workstation
- Application firewalls in front of each web server farm
- VPN connectivity from the outside to each of the six Upward Bound networks via a VPN server
- A central log aggregation server in each network
- Encryption of all connections to and from each business-critical server
- Tripwire (a file and directory integrity checking tool) on each business-critical server
- A hot site at which critical business operations can be up and running within three hours

    Revised Security Architecture

Firewalls, screening routers and virus protection will still be needed at each gateway on the client side of the network. Although no data is stored on the corporate side of the network, since only desktops acting as thin clients are connected, there is still a risk of malware infection. Malware could enter through the client side of the network and infect desktop workstations; from there it could be carried up to the firm's cloud infrastructure over a trusted, encrypted connection that the perimeter controls cannot inspect. All devices that connect to the cloud must therefore remain secure so that they do not provide an access point for unauthorized connections and rogue applications. Virus protection and user authentication on company-provisioned devices need to remain robust so that the cloud environment is not contaminated.

Since Google will handle email, antivirus and spam filtering on mail servers are no longer the airline's responsibility; Google provides those services. Files downloaded from mail, however, still need to be screened by anti-malware software on the device as an extra precaution.

Network intrusion detection on the company networks becomes less important, since they now serve mainly as a connection to the cloud, but it should not be dropped entirely: the malware path described above runs through the client networks, and that is where an infected workstation would first show itself. Intrusion detection is needed for the cloud environment, and AWS offers services with that functionality (for example CloudTrail for recording API and console activity). IT needs to configure logging to record access connections as well as user activity, and the logs need to be reviewed regularly for abnormalities.
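The log review the paragraph calls for, as an added example that is not code from the original report or from AWS: it reads records in the CloudTrail JSON layout and flags root account use, console logins without MFA, repeated failed logins, connections from outside the corporate egress range, and activity in an unapproved region. The egress range (TEST-NET-3), the approved region, the threshold and the sample records are all constructed for illustration, and the rule set is the first cut an analyst would write, not an exhaustive one.

```python
"""Review cloud audit logs for abnormalities (added example, not the report's code).

Assumes the CloudTrail file layout: {"Records": [...]} with eventName, eventTime,
awsRegion, sourceIPAddress, userIdentity, additionalEventData, responseElements.
Everything below the imports is constructed for illustration.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed corporate egress range (TEST-NET-3, documentation only) and the single
# region the airline has approved for its workloads.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]
ALLOWED_REGIONS = {"us-east-1"}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log: one normal login, a root login without MFA from an
# outside address, three failed logins by one user, and an instance launched
# in a region the airline does not use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-08-10T08:01:12Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops.admin"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-08-10T08:05:40Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    *[{"eventTime": f"2019-08-10T08:1{i}:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
       "sourceIPAddress": "203.0.113.22",
       "userIdentity": {"type": "IAMUser", "userName": "j.smith"},
       "additionalEventData": {"MFAUsed": "No"},
       "responseElements": {"ConsoleLogin": "Failure"}} for i in range(3)],
    {"eventTime": "2019-08-10T08:20:05Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "web.deploy"}},
    {"eventTime": "2019-08-10T08:21:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops.admin"}},
]})


def load_records(text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(text)["Records"]


def actor(record):
    """Name the principal behind an event; the root account carries no userName."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def source_is_corporate(source):
    """True when the source lies in an approved egress range. AWS services acting on
    the account's behalf log a hostname (e.g. ec2.amazonaws.com) instead of an
    address; those are not user connections, so they pass this check."""
    try:
        ip = ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in ALLOWED_NETS)


def review(records):
    """Return the findings, each a dict with rule, actor, time and detail."""
    findings = []
    failed_logins = Counter()

    def flag(rule, rec, detail):
        findings.append({"rule": rule, "actor": actor(rec),
                         "time": rec["eventTime"], "detail": detail})

    for rec in records:
        if rec.get("userIdentity", {}).get("type") == "Root":
            flag("root-account-use", rec, rec["eventName"])
        if rec["eventName"] == "ConsoleLogin":
            if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failed_logins[actor(rec)] += 1          # only successful logins are MFA-checked
            elif rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                flag("console-login-without-mfa", rec, rec["sourceIPAddress"])
        if not source_is_corporate(rec["sourceIPAddress"]):
            flag("source-ip-outside-corporate", rec, rec["sourceIPAddress"])
        if rec["awsRegion"] not in ALLOWED_REGIONS:
            flag("unexpected-region", rec, f'{rec["eventName"]} in {rec["awsRegion"]}')

    for who, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "repeated-failed-logins", "actor": who,
                             "time": None, "detail": f"{count} failed console logins"})
    return findings


def rule_counts(findings):
    """Summarize findings by rule, the view a weekly review would start from."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in review(load_records(SAMPLE_LOG)):
        print(f'{f["rule"]:28} {f["actor"]:12} {f["detail"]}')
```

On the sample log the script produces five findings: three for the single root login (root use, no MFA, outside address), one for the region, and one for the three failed logins by j.smith. In a real review the thresholds and the allowed lists would come from the SLA and the corporate network inventory, and the root finding alone would be an incident rather than a line in a report.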

Endpoint security is the major function that remains a responsibility of the internal IT department. Anti-malware, host firewalls, security patches and system software must be kept up to date on company devices, and encryption of all connections to the cloud services must be configured. VPN connectivity from the outside to the desktop workstations is no longer needed; it only adds to IT's workload and is another potential risk. Instead, company-provisioned devices configured to a high security standard will be issued to personnel with the need and the authorization for remote access. Tripwire will no longer be needed on servers that AWS fully manages, but under the IaaS option the airline still administers the guest operating systems of its web and database servers, so file and directory integrity checking remains its responsibility there. For the storage services AWS does manage, the firm needs to confirm that AWS provides equivalent integrity protection for files when they are written and while they are at rest.
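Because the guest operating systems under the IaaS option stay with the airline, the Tripwire-style check moves with them. The following is an added example (neither the report's code nor Tripwire itself) of the minimum such a check needs: a SHA-256 baseline of a directory tree, a signature over the baseline with a key that is assumed to be held off the host, and a comparison that reports files added, removed or modified since the baseline was taken. The directory, its files and the key are constructed for the demonstration.

```python
"""File and directory integrity checking for hosts the airline still administers.

Added example, not code from the original report and not Tripwire. The key is
assumed to live off-host (e.g. with the log review system) so that an attacker
who gains root on the server cannot re-sign a tampered baseline.
"""
import hashlib
import hmac
import json
import os
import tempfile

BASELINE_KEY = b"hypothetical-off-host-key"   # placeholder; never embed a real key


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (posix-style relative path) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # symlinks are skipped; their targets are hashed where they live
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def serialize_baseline(baseline, key=BASELINE_KEY):
    """Produce a signed JSON blob; the MAC covers the canonical file listing."""
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": body, "mac": mac})


def load_baseline(blob, key=BASELINE_KEY):
    """Return the file map if the MAC verifies, else None (tampered or wrong key)."""
    outer = json.loads(blob)
    expected = hmac.new(key, outer["files"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["mac"]):
        return None
    return json.loads(outer["files"])


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small tree, change it, verify and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "listen=443\n")
        _write(root, "bin/app", "#!/bin/sh\necho ok\n")
        _write(root, "lib/helper.py", "def helper():\n    return 1\n")
        stored = serialize_baseline(build_baseline(root))

        _write(root, "etc/app.conf", "listen=443\ndebug=1\n")         # modified
        os.remove(os.path.join(root, "lib", "helper.py"))            # removed
        _write(root, "bin/backdoor", "#!/bin/sh\necho not-in-baseline\n")  # added

        baseline = load_baseline(stored)
        if baseline is None:
            raise RuntimeError("baseline signature did not verify")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo reports bin/backdoor as added, lib/helper.py as removed and etc/app.conf as modified. In production the scan runs from a scheduled job, the signed baseline is refreshed only after an approved change, and the report goes to the same place as the cloud access logs so that a modified binary and the login that preceded it can be read together.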

Company policy is to have a hot site that can be up and running within three hours if the offices need to be evacuated. Under the company's current IT structure this is very costly, since data centers, servers, networks and so on must be replicated at a secondary site and maintained so that applications and data are kept up to date. Moving to the cloud reduces this expensive burden: a disaster recovery site only needs to be equipped with desktop workstations and a provisioned network connection to the cloud service providers. Regional offices could serve as the DR site if they are close enough, but the DR site also needs to be far enough away to be outside the disaster zone if a hurricane or earthquake occurs. The cloud side of the plan still needs its own recovery design, since an outage at the provider is now the event most likely to take the airline's applications down; how the provider recovers, and how quickly, belongs in the SLA and should be tested.

    Managing Controls for Cloud Services

SLAs need to be written to ensure they comply with corporate policies and provide adequate IT security controls. SLAs need to specify the requirements for availability and performance, how they will be measured, and the penalties for non-compliance. The required security controls need to be specified. SLAs need to contain clauses prohibiting the CSP from using company data for its own purposes, include non-disclosure agreements, and restrict access to authorized users only. SLAs also need to specify the requirements for encryption and breach notification. AWS can provide many of the needed security controls, which can be specified to follow COBIT 5 guidelines.

    Risk Management Strategies

Mitigation: establish physical, administrative and/or technical controls or systems that reduce the potential for problems.

Avoidance: make changes so that the risk is not taken on at all.

Transfer: transfer the risk to another party, for example by buying insurance to cover the consequences if the risk occurs.

Governance and Risk Management:

- Constantly detect, manage and review risk
- Establish the risk appetite

COBIT 5 from ISACA:

- Provides a comprehensive framework
- Assists organizations in achieving their objectives in using the cloud

Governance considerations for the cloud: For whom are the benefits? Who bears the risk? What resources are required?

Management:

- Knows and understands the benefits of the cloud
- Evaluates and monitors benefits realization
- Understands cloud computing risk and can quickly respond to changing risks
- Seeks periodic assurance of SaaS effectiveness
- Has established acquisition, deployment and operations roles and responsibilities

Ensure that the service provided by the cloud service provider has:

- Availability: 24/7 operations must have 24/7 security
- Privacy: ensure the provider has effective controls to protect the privacy of data
- Data security: security information and event management, protecting the confidentiality, integrity and availability (CIA) of information
- Location: requirements on where data is located, so that jurisdiction and legal obligations can be met
- Compliance: ensure the provider complies with all relevant information security laws and regulations

Recommendations (Problem 9)

After analyzing the financial comparison across airlines, our consulting group concludes that it is not appropriate for Upward Bound to continue its current strategy as a cost leader, since its internal costs are hard to cut. Our specific suggestions include:

    Jet fleet:

Cost: Upward Bound will only pay for the services and resources it uses, as it uses them. By moving security services and maintenance workloads to a cloud platform, Upward Bound can increase or decrease resources immediately, depending on the needs of a particular workload. Website vulnerability scans, security monitoring and incident response, identity and access management and data encryption services are some of the security services that can be moved to the cloud, controlled, and paid for only when used. With the cloud, very limited up-front capital investment is required for hardware and software, ongoing software license costs are eliminated, the need for complex in-house technology is limited, and services can be delivered and accessed from almost anywhere in the world. Fewer servers running security applications means a smaller data center footprint, which translates into direct savings on real estate, power and cooling and indirect savings on facilities maintenance. It is less expensive to use cloud-based applications, and the end user is relieved of the expense of setting up its own servers and data storage.

Cost components compared (on-site versus cloud):

- On-site infrastructure (control panels, conduit, wiring and related hardware)
- Hardware (application and archive servers): not required with cloud
- Application software licensing: not required with cloud
- Application monitoring, maintaining, upgrading and training: not required with cloud
- Cloud subscription fees
- On-site deployment costs
- On-site support costs (system maintenance)
- Data center staffing costs: not required with cloud
- Data center space costs: not required with cloud
- Data center operation and maintenance costs: not required with cloud

Ease of management and operations: The vendor is responsible for the management and operation of the hardware and software used to deliver services to Upward Bound. Using a web-based console, Upward Bound can view the security environment and activity and perform the control tasks it chooses to manage itself. The console alerts Upward Bound to security incidents that require its attention and provides auditable reports on security activity and compliance. The service removes the tasks of log management, compliance reporting and security event monitoring. By moving these tasks and others to the cloud, Upward Bound reduces the need for dedicated IT resources and their management.

Further benefits of the cloud model:

- Availability of planning and design information from SaaS professionals based on their experience with other similarly sized projects
- Elimination of head-end equipment (system and archive server) costs
- Elimination of application software license costs
- Elimination of application and system management and maintenance costs
- Reduction in design and implementation time
- Reduction in system performance measurement costs
- Reduction in data center space requirements for system head-end equipment
- Reduction in the amount of data storage at the end-user facility or operation
- Reduction in system expansion planning and design costs
- Ability to increase and decrease capabilities on demand
- Overall, significantly diminished capital expenditure requirements

Before making the decision to deploy, the following questions need to be considered and put to the cloud security service provider:

- What cloud service model is best suited to the needs?
- Will the service process and/or store confidential information (network details, vulnerability information, key material, etc.)?
- Where are important security data (audit logs, user credentials, etc.) stored, can they be accessed when needed, and is that access controlled?
- Where will the information be located and what retention policies will apply?
- What are the destruction and archival procedures?
- How will data ownership be determined?
- How will the information be protected (physical and logical controls)?
- What are the contractual obligations, and how will they be enforced?
- What are the gaps between the service and a comprehensive security program, and how will they be addressed?
- How will the provider and the outsourced services be included in the business continuity and disaster recovery plans?
- Can data be transferred to another provider if the contract is terminated?
- What is the contractual agreement on responsibility?

Sell the retired hardware on eBay? It is doubtful that it is worth the money: used hard drives do not fetch much, and selling them puts customer information and data at risk unless the drives are wiped or physically destroyed first.

    Conclusions

Even though Upward Bound Airlines faces several problems in the current period, our group believes that the resources and strengths Upward Bound possesses could still allow it to establish a competitive edge in the industry. Based on our analysis of the industry and the company, we strongly recommend Upward Bound to

Our group has also put together a comprehensive solution for Upward Bound to adopt in order to solve its current problems. With our recommendations, we strongly believe that Upward Bound can regain profitability and achieve long-term growth. A key driver for potential end users is the savings that accrue from eliminating multiple software application licenses and from eliminating the time and effort needed to maintain the application itself, since much of that responsibility moves to the cloud provider. This responsibility will normally also include complementary software upgrades and full support of the application environment. Another important benefit is a more consistent capability: in addition to transferring responsibility for maintaining the software application to the cloud provider, the end user benefits from the speed with which the application is updated following improvements to the application itself.

Problem 4: Data security.

- Determine how company data is segregated from the data of the provider's other customers.
- Review and evaluate the use of encryption to protect company data stored at and transmitted to the vendor's site.
- Determine how vendor employees access the airline's systems and how that access is controlled and limited.
- Review and evaluate the process for controlling non-employee logical access to internal systems.
- Ensure the data stored at vendor locations is protected in accordance with internal policies.
- Review and evaluate controls to prevent, detect and react to attacks (intrusion detection, intrusion prevention, incident response, discovering and remediating vulnerabilities, logging, patching, protection from viruses and other malware).
- Determine how identity management is performed for cloud-based and hosted systems.
- Ensure that data retention and destruction practices for data stored offsite comply with internal policy.
- Review and evaluate the vendor's physical security.

Entire intrusion detection solutions can be managed via the cloud. Sensors and a control panel are located at the premises, with all management and data forwarding occurring remotely. Access control: in the cloud computing model, each edge sensor, networked keypad or device containing intelligence reports directly to software in the cloud. Management, administration and reporting are similarly handled in the cloud, with user input provided via a web interface. Responsibility for managing the system may remain with the client or be provided by the vendor's personnel as a managed service for the customer. In either case, the management activities are carried out on the service provider's equipment.

Review and evaluate Upward Bound's process for monitoring the quality of the outsourced operations:

- Determine how compliance with the SLAs is monitored.
- Ensure that adequate disaster recovery processes are in place to provide for business continuity in the event of a disaster.
- Determine whether appropriate governance processes are in place over the engagement of the new cloud services by Upward Bound's employees.
- Review and evaluate Upward Bound's plans in the event of expected or unexpected termination of the outsourcing relationship.
- If IT services have been outsourced, review the service provider's processes for ensuring the quality of staff and minimizing the impact of turnover.
- If those services are performed offshore, look for additional controls to ensure employee attendance and effective communication and hand-offs with the home office.
- Determine how compliance with applicable privacy laws and other regulations is ensured.
- Review and evaluate processes for ensuring that the company complies with applicable software licenses for any software used offsite or by non-employees.

Upward Bound can outsource information security services, but not accountability for security. Upward Bound remains responsible for all of its sensitive information, and laws and regulations enforce this accountability. Upward Bound must know which information and IT assets are critical to the organization, its customers and its stakeholders, and the risk associated with those critical assets. It must also determine how compliance with the SLAs is monitored.

Problem 7:

a. If ticket sales stop, the entire operation goes down; given the nature of its business, an airline cannot afford to lose control of its operations.

b. Information security: if passenger data is breached, all of the personal information, including financial information such as credit card numbers, is put at risk.

c. The end user has little or no control over version and feature changes to the application itself. Security concerns about having business data 'out' on the Internet appear to be the number one concern of small business owners.

Problem 8: Vendor selection.

- Ensure that multiple vendors are evaluated and involved in the bid process, so that competitive bidding lowers the price and saves cost.
- Determine whether the vendor's financial stability was investigated as part of the evaluation process.
- Determine whether the vendor's experience supporting companies of similar size, or in a similar industry, was evaluated.
- Ensure the vendor's technical support capabilities were considered and evaluated.
- Ensure each vendor was compared against predefined criteria, providing for objective evaluations.
- Determine whether there was appropriate involvement of procurement personnel to help negotiate the contract, of operations personnel to provide expert evaluations of the vendor's ability to meet requirements, and of legal personnel to provide guidance on potential regulatory and other legal ramifications of the outsourcing arrangement.
- Ensure that a thorough cost analysis was performed. The total cost of performing the operation in-house should include all relevant costs: one-time startup activities, hardware and the related power and cooling, software, hardware maintenance, software maintenance, storage and support. The cost of monitoring the cloud services also needs to be considered.

Hardware security components (e.g. access control and video surveillance hardware) are also subject to regulatory and life safety code requirements. The life safety code establishes minimum criteria for the design of egress facilities to allow prompt escape of occupants from buildings or, where desirable, into safe areas within buildings.

Small companies that could not otherwise afford to purchase the physical security infrastructure they require may find it desirable to share services with other companies when these are delivered in a common pay-as-you-go model.

A comprehensive review of the total cost of ownership is required for a sound comparison with any alternative model under consideration. The components of service, hardware, maintenance and associated IT cost need to be identified. For example, a traditional implementation of an access control system carries IT, software and server costs that are removed in the shared computing model the cloud provides, and capital expenditure is replaced or augmented by an operational expenditure model. These differences therefore need to be weighed using business logic and financial analysis.

If a physical security system is already in place, there may be an opportunity to reuse some of the existing equipment when converting to the cloud. Likely items are door locking hardware, request-to-exit (REX) switches, alarm sensors, existing cabling and cameras. Cable reuse requires evaluating the plans for structured cabling and Power over Ethernet (PoE) technology, which are leveraged in cloud deployments. Generally, the investment in locking, readers, door position switches, accessories, power supplies and cabling infrastructure may be retained as part of the existing in-place systems. Conversion consists of installing network-connected access control panels in place of the direct-connected panels, and converting the software application from dedicated systems to cloud solutions that support reuse and conversion.

Current physical security policies should be reviewed to establish which might require refinement or new implementation when migrated to the cloud. For example, what service level is available to the site administrator if the Internet connection becomes unavailable? What is the role of IT in supporting connectivity to the system?
