A Singapore-based firm was being set up to create a fund investing in Asian renewable energy.
The firm was looking to be regulated by the Monetary Authority of Singapore (MAS) and to raise funds from global investors.
The firm required a MAS-compliant IT system that provided enhanced levels of data security and mobility, as staff would be travelling throughout Asia and North America.
It started with 5 staff, growing to 9 in year 1, plus an external management board of 6.
We designed an Office365 & Microsoft Azure infrastructure for the desktop and server architecture.
Each staff member was supplied with a Lenovo Carbon X1 laptop built from a standardised image. The image was based on Office 365 (Word, Excel, PowerPoint, Outlook), Adobe Acrobat Pro, Sophos Endpoint Protection, Safend Endpoint Protection, the Mimecast email client, and the BlueJeans, GoToMeeting and Arkadin voice-conferencing plugins. The laptop had a customised look and feel with company branding and colour schemes. All user applications were Group Policy driven, so no administrative or end-user configuration was required after the OS build.
All users were provided with an iPhone for business use. The configuration was standardised across all devices so that information would not leak.
The networking was initially provided via a Meraki system. Meraki provides very good web-based remote management across its entire product range. It also embeds a content-aware firewall and data loss prevention capabilities.
However, as the project progressed it became clear that the Meraki VPN capability was not up to the connectivity requirements for Azure, it did not work well with the leased line from SingTel (the local ISP), and the WiFi performance in a saturated environment was poor.
We switched the Meraki firewall out for a pfSense firewall and a Cisco WiFi hotspot, and all the performance issues we had experienced disappeared.
The server environment was a traditional Windows setup with a domain controller and file server. Microsoft Azure Infrastructure as a Service (IaaS) provides all the required infrastructure, from load balancers and site-to-site VPN through to server compute and storage, as well as encrypted file backup and server imaging. The office location and the Azure infrastructure were connected via a site-to-site VPN. Data traffic was routed locally for internet access.
For remote access to the system each laptop had a VPN. We experimented with the native Azure point-to-site VPN; however, due to a quirk in the implementation it required that users be local administrators on their machines, which is not good for data security. Instead we went for a traditional Windows RRAS-provisioned SSTP VPN. We used custom certificates to ensure that only the correct users could access the VPN.
Multi Factor Authentication
For added security, all server and firewall access was secured with multi-factor authentication based on the Duo Security system. This requires that an admin not only has a valid user name and password but also a separate device in order to access the server infrastructure.
The Office 365 and Azure systems were also protected by multi-factor authentication. All users had to have the Azure Authenticator in order to access their email, and the administrators also had to authenticate their logins with the Azure Authenticator before accessing the administrative portals.
User accounts were synchronised between the Windows domain and Office 365 using the AD Connect technology. Administrators were kept separate and not replicated for security purposes. In the basic set-up, passwords are synchronised from the Windows domain to the Office 365 domain, so users have the same credentials in the office as on the web.
All passwords were set to expire on a regular basis; consequently, staff needed the ability to change their password remotely. We implemented Azure AD Premium, a service which enables bi-directional password synchronisation. When a user's password had expired, they were prompted to change it when logging into their webmail, and once changed the password would synchronise back to Windows. Also, if a user forgot their password they could self-service their password retrieval using the Office 365 process.
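The three identity rules described above (admin accounts kept separate and not synchronised, every user registered for MFA, and passwords expiring on a schedule with the ability to change them remotely) are the kind of thing worth re-checking against a directory export on a regular basis. The following Python script is an added example, not code from IP Sentinel or the firm: it runs over a constructed join of AD and Office 365 user records and reports each violation. The field names, account names, and the 90-day maximum age and 14-day warning window are assumptions made for the example.

```python
from datetime import date

# Constructed join of an AD export and the Office 365 tenant user list.
# Accounts, roles and dates are made up for illustration; field names are assumed.
SAMPLE_ACCOUNTS = [
    {"upn": "jlim@example.com", "roles": [], "synced_from_ad": True,
     "mfa": True, "pwd_last_set": "2015-12-15"},
    {"upn": "ktan@example.com", "roles": [], "synced_from_ad": True,
     "mfa": False, "pwd_last_set": "2016-02-20"},
    {"upn": "admin-ops@example.onmicrosoft.com", "roles": ["Global Administrator"],
     "synced_from_ad": False, "mfa": True, "pwd_last_set": "2016-02-01"},
    {"upn": "ahmed@example.com", "roles": ["Exchange Administrator"],
     "synced_from_ad": True, "mfa": True, "pwd_last_set": "2015-10-01"},
    {"upn": "svc-backup@example.com", "roles": [], "synced_from_ad": True,
     "mfa": True, "pwd_last_set": "2015-06-01"},
]


def audit_accounts(accounts, today="2016-03-07", max_age_days=90, warn_days=14):
    """Return one finding per policy violation as {'upn', 'check', 'detail'}.

    Checks (thresholds are assumptions, not the firm's actual policy values):
      admin_separation  - an admin role held by an account synchronised from AD
      mfa_missing       - no authenticator registered for the account
      password_expired  - password older than max_age_days
      password_expiring - password expires within warn_days (user needs remote change)
    """
    today = date.fromisoformat(today)
    findings = []
    for a in accounts:
        upn = a["upn"]
        if a["roles"] and a["synced_from_ad"]:
            findings.append({"upn": upn, "check": "admin_separation",
                             "detail": "admin role held by an AD-synced account; "
                                       "admin accounts should be cloud-only and separate"})
        if not a["mfa"]:
            findings.append({"upn": upn, "check": "mfa_missing",
                             "detail": "no authenticator registered"})
        age = (today - date.fromisoformat(a["pwd_last_set"])).days
        remaining = max_age_days - age
        if remaining < 0:
            findings.append({"upn": upn, "check": "password_expired",
                             "detail": f"password is {age} days old (max {max_age_days})"})
        elif remaining <= warn_days:
            findings.append({"upn": upn, "check": "password_expiring",
                             "detail": f"expires in {remaining} days; "
                                       "user must be able to change it remotely"})
    return findings


def summarise(findings):
    """Count findings per check, for a quick dashboard line or alert threshold."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"{f['check']:18} {f['upn']:40} {f['detail']}")
    print(summarise(results))
```

On the constructed data the cloud-only admin account passes all checks, the synced account holding an Exchange role is flagged for admin separation, one user has no MFA, and the expiry check separates passwords already past the limit from one that expires within the warning window and therefore depends on the remote password change path working.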
Data Loss Prevention
To ensure data security we implemented a Remote Desktop system, initially based on Azure RemoteApp and then on a self-hosted Remote Desktop server. This service delivers the standard user desktop as remotely hosted applications. These applications look and feel as if they are local versions of Word, PowerPoint, Adobe Acrobat, Excel or Outlook, but in fact they are just a remote view of the application running on a server. The server they run on is part of the company Windows domain, so all the standard drives and printers are mapped, and any GPOs that were in place also applied to the applications, for desktop redirection and the like. The service was configured not to interact with the local machine, so a user could not copy and paste or print locally.
To ensure that data did not leak from the laptops Safend endpoint protector was used to lock down USB ports, WiFi hotspots and Printers. Sophos End Point Protection was used to prevent access to Social Media Messaging, Webmail and Document Storage sites.
Mobile devices were managed via Microsoft Intune. All devices were managed for content and access.
All devices were encrypted, laptops with Bitlocker and mobile devices with native device encryption.
This ensured a total information firewall.
Monitoring & logging
All logs from Windows, pfSense, Sophos, Safend, Azure and Office 365 were shipped to an offsite collection point. This provided an invaluable infrastructure management resource as well as a place to track any anomalous user behaviour. The monitoring system provided real-time capacity information for each individual device as well as overall system performance metrics. Individual staff day-to-day system access and activity could be analysed and reported or alerted upon.
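As an added example (not the firm's monitoring system or IP Sentinel's tooling), the following Python script shows the kind of anomalous-behaviour detection that a central log collection point makes possible once logs from different sources are normalised into one stream. It parses constructed Windows security events (4624 successful logon, 4625 failed logon) and Office 365 unified audit records (UserLoggedIn, UserLoginFailed), then flags failed-logon bursts across sources, a success immediately following a burst, and successful logons outside the Singapore working day. The log formats, usernames, IP addresses, working hours and thresholds are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SGT = timezone(timedelta(hours=8))  # office local time (Singapore), assumed for the example

# Constructed sample lines, not real logs. Windows lines are a flattened form of the
# security event; Office 365 lines are one unified-audit-log JSON record each.
SAMPLE_LOGS = [
    "2016-03-07T02:14:05Z windows dc01 EventID=4625 TargetUserName=jlim IpAddress=203.0.113.7",
    "2016-03-07T02:15:11Z windows dc01 EventID=4625 TargetUserName=jlim IpAddress=203.0.113.7",
    "2016-03-07T02:16:40Z windows dc01 EventID=4625 TargetUserName=jlim IpAddress=203.0.113.7",
    "2016-03-07T02:18:02Z windows dc01 EventID=4625 TargetUserName=jlim IpAddress=203.0.113.7",
    "2016-03-07T02:19:55Z windows dc01 EventID=4625 TargetUserName=jlim IpAddress=203.0.113.7",
    "2016-03-07T02:21:30Z windows dc01 EventID=4624 TargetUserName=jlim IpAddress=203.0.113.7",
    "2016-03-07T03:05:00Z windows dc01 EventID=4625 TargetUserName=ahmed IpAddress=10.0.0.21",
    "2016-03-07T03:06:10Z windows dc01 EventID=4624 TargetUserName=ahmed IpAddress=10.0.0.21",
    '{"CreationTime":"2016-03-07T14:30:12","Operation":"UserLoggedIn","UserId":"ktan@example.com","ClientIP":"198.51.100.9"}',
    '{"CreationTime":"2016-03-07T01:02:44","Operation":"UserLoginFailed","UserId":"jlim@example.com","ClientIP":"203.0.113.7"}',
    '{"CreationTime":"2016-03-07T09:15:00","Operation":"UserLoggedIn","UserId":"ahmed@example.com","ClientIP":"10.0.0.21"}',
]

WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) windows \S+ EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")


def _utc(ts):
    """Both sources write UTC timestamps; make them timezone-aware for comparisons."""
    return datetime.strptime(ts.rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Normalise one line into {ts, source, user, ip, ok}; None if it is not a logon event."""
    if line.startswith("{"):
        rec = json.loads(line)
        op = rec.get("Operation")
        if op not in ("UserLoggedIn", "UserLoginFailed"):
            return None
        return {"ts": _utc(rec["CreationTime"]), "source": "o365",
                "user": rec["UserId"].split("@")[0].lower(),  # join on the local part
                "ip": rec.get("ClientIP"), "ok": op == "UserLoggedIn"}
    m = WINDOWS_RE.match(line)
    if m and m.group("eid") in ("4624", "4625"):
        return {"ts": _utc(m.group("ts")), "source": "windows",
                "user": m.group("user").lower(), "ip": m.group("ip"),
                "ok": m.group("eid") == "4624"}
    return None


def parse_logs(lines):
    return sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logons inside any `window`, across all sources."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    bursts = []
    for user, times in failures.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({"user": user, "count": j - i + 1, "start": times[i], "end": times[j]})
                i = j + 1  # do not double-count the same failures in the next window
            else:
                i += 1
    return bursts


def success_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """A successful logon shortly after a burst of failures for the same user: likely a guessed password."""
    return [{"user": e["user"], "ts": e["ts"], "ip": e["ip"], "source": e["source"]}
            for b in bursts for e in events
            if e["ok"] and e["user"] == b["user"] and b["end"] <= e["ts"] <= b["end"] + grace]


def off_hours_logins(events, start_hour=8, end_hour=20, tz=SGT):
    """Successful logons outside the office working day, evaluated in local time."""
    hits = []
    for e in events:
        local = e["ts"].astimezone(tz)
        if e["ok"] and not (start_hour <= local.hour < end_hour):
            hits.append({"user": e["user"], "local_time": local.isoformat(), "source": e["source"]})
    return hits


def run_detections(lines=SAMPLE_LOGS):
    events = parse_logs(lines)
    bursts = failed_login_bursts(events)
    return {"events": len(events), "bursts": bursts,
            "success_after_burst": success_after_burst(events, bursts),
            "off_hours": off_hours_logins(events)}


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(name, finding)
```

Because the Office 365 failure for the same user is folded into the same stream as the domain controller events, the burst rule sees password guessing regardless of which front door it hits; the off-hours rule converts the UTC timestamps to the office's local time before deciding, which matters for a firm whose staff and support are spread across time zones.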
The firm had a call recording requirement and wanted a light cost footprint. We provided a cloud-hosted PABX with call recording included. The firm also used several messaging apps (Skype and Skype for Business), and IP Sentinel implemented a message and call capture environment so that calls and conversations were archived and could be retrieved.
There is a regulatory requirement from the MAS to record and store ALL electronic communication. We implemented a Mimecast email wrapper around the Office 365 email system. This had the additional benefits of anti-spam, anti-virus scanning, standardised email footers and email business continuity. Voice over IP and Skype calls were captured and decoded to MP3 files. Skype for Business conversations were logged and stored as text files.
Video conferencing (desktop, mobile and fixed VC) was facilitated via the BlueJeans service. Part of the service was an archive of all VCs. These were downloaded to the file system on a regular basis.
Conference calling services were provided by Arkadin; all conferences were recorded and regularly downloaded to the file system as MP3 files.
File data and all non-email message types are archived to an Azure vault on a daily basis for a 5-year retention period.
IP Sentinel are UK based, while the client and infrastructure were Singapore based, an 8-hour time difference. To provide working-day support coverage we implemented a web reporting portal and engaged a local hands company should a site visit be required. In the first 2 years the local hands were only required for a 4-hour printer engineer visit. We visited the site once a quarter to perform any onsite tasks such as upgrades and reboots. All other support was resolved via the phone.
Each laptop had a corporate copy of TeamViewer that allowed a support engineer to log on and take control of the screen, mouse and keyboard.
In order to attract investors, pass due diligence and meet the regulatory requirements of the MAS, the firm employed IP Sentinel's vCTO service. This involved completing the regulatory audit and dealing with due diligence requests from potential investors and key vendors. All aspects of the IT infrastructure had to be compliant with the MAS outsourcing regulations, and IP Sentinel ensured that they were.