LESSONS LEARNED THROUGH CLOUD TRANSFORMATIONJim RuttDirector of IT, Dana FoundationOctober 28, 2015

PERSONAL BACKGROUND• 20 years of client-side practioning in technology• Primarily in healthcare (payer/managed care) but also significant

experience in financial and pharmaceutical.• As Director of IT for The Dana Foundation, responsible for all domains

encompassing the use of technology (infrastructure, application development, data, network, etc.)

• First experience in the non-profit sector

DANA FOUNDATION BACKGROUND

• http://www.dana.org• Founded in 1950• Endowment based foundation supporting brain research through grants,

publications and educational programs• Chief importance centered around scientific inquiry (funding of research

into neuroscience) and the engagement of the general public (publications and programs)

DECEMBER 2010: FIRST DAY

BEGINNING STATE• Traditional on-premise infrastructure with a limited amount of IaaS/private

cloud• Limited human resources• No application lifecycle • No real strategy around risk, security, compliance • Traditional problems (too much time spent supporting infrastructure

issues and not enough time developing new features and enhancing end-user experience)

MARCH 2011: TRIGGER EVENT• Foundation moved to new location• Opportunities for consolidation as well as re-thinking existing cloud

environment, with an eye towards optimizing from a performance, security, and cost perspective.

• Addressing macro trends affecting everyone in our industry (consumerization of IT, rise of mobile, demographic trends).

• Time to test the waters with the first application…

OFFICE 365• Existing Exchange Server environment:

• Total of 15 VM’s, way too complex• Uptime way below five nines• All resources (CPU/RAM/storage) reaching 100% utilization• Active Directory environment supporting Exchange badly neglected with

serious integrity issues.• Maybe an opportunity to embrace a new security model rather than pour

significant resources into maintaining AD.

OFFICE 365: APRIL 2011-JAN 2012

• Migration considerations specific to governance:• Ruled out AD Federation due to previously identified issues with AD.• However, slightly complicating authentication model temporarily (going from

AD pass through authentication to adding an additional Office 365 credential in addition to existing AD)

• Already risking “password fatigue” with end users.• Time to look at a possible new solution for cloud-based identity…..

OKTA (ID AS A SERVICE)• Essentially a single sign on solution primarily for SaaS• Great leverage with web based SaaS offerings,also integratable with AD• Also streamlines provisioning/deprovisioning.• Clean user interface and simple administrative console• We began to see this model as the future.

SALESFORCE

GREAT PLAINS TO AZURE

ZENDESK• SaaS based Help Desk solution

COMPLIANCE/GOVERNANCE CONSIDERATIONS

• No technology audits prior to 2010.• Using the new technologies and strategies we were able to craft a

compliance structure, along with guiding our external auditors, that truly represented an actionable governance program, rather than just a checklist of useless items.

NEXT GENERATION SECURITY SOLUTIONS

• Netskope (CASB)• Vera (hardening at the actual file level)• Menlo Security (malware isolation)• Ensilo (Exfiltration

• Lesser reliance on legacy antivirus solutions

REMAINING IAAS VIRTUAL ENVIRONMENTS

RETURN ON INVESTMENT• Signifigant security cost/risk mitigation now transferred to top tier

providers (Microsoft, Salesforce, etc.)• Trust factor is this case resembles a reverse of the “prisoners dilemma”

theory.

LESSONS LEARNED ALONG THE WAY

• Calculated risk moving our most visible application (Exchange) to the cloud first, but mitigated by existing pain felt.

2016 AND BEYOND• Eventual retirement of legacy AD• Harden end-user devices • Expansion of two factor authentication• Continue to adopt next generation endpoint security solutions.

THANK YOU • Questions?