Security is a high profile issue – ensuring vital systems are protected from malware at all times is essential. As part of a comprehensive Microsoft IT estate, organizations can avail of a robust antivirus solution while ensuring that distribution to thousands of PCs is fast and hassle-free. In addition, a familiar user interface means the software is easy to manage from a central location, saving valuable time and money.
Situation
The Department of Social and Family Affairs in Ireland is responsible for delivering more than 30 social insurance and social assistance schemes such as provision for unemployment, illness, maternity, caring, widowhood, retirement and old age. All told, payments are made to nearly 950,000 people each week with over 1.5 million people directly benefiting from those payments. Working with a budget of more than €17 billion, the Department formulates appropriate social protection policies and administers and manages the delivery of statutory and non-statutory schemes and services. These services are delivered mainly at local level through 58 Social Welfare Local Offices, 69 Branch Offices and through centralised offices. All offices have access to the Department's network so that information on claims and payments is readily available to callers. Information technology is an essential part in allowing the department to provide services to the public. The technology infrastructure of more than 5,400 PCs and 230 Windows servers is used by more than 4,300 staff in carrying out their work. The Department's IT infrastructure has steadily evolved over the last 25 years. Earlier this decade, it began the migration of its established platform HP OpenVMS to a new platform built upon Microsoft .NET. "Following a tendering exercise we standardized on Microsoft and we now have to manage that environment," says Gary O'Toole, IS project manager with the department. "We're talking about System Center Configuration Manager, Operations Manager – basically the Microsoft suite of applications that would allow us to manage that environment."
The DSFA had previously enrolled in an Enterprise Agreement with Microsoft, which meant it could avail of Microsoft Forefront very cost-effectively. "As you can imagine, in the current climate security is very much a high visibility issue and one we have to address," says O'Toole. As it happens, the department's current antivirus contract was up for renewal earlier this year. Choosing Forefront to handle antivirus also bought the department valuable time in evaluating other IT security options for different areas of the organization. "We would have had to go to the market for not just AV but endpoint security as well and tie the two together. The fact that we were able to resolve our AV solution straight away gives us time to consider endpoint solutions separately," O'Toole explains. "To meet our AV deadline we would have gone to market without fully considering what our requirements are around the endpoint solutions, but it gives us time to do that now."
Solution
As with any software upgrade, there needs to be a compelling reason to change. The Department was entitled to avail of Forefront as part of the enterprise CAL licensing agreement it had signed. John Ennis, engagement manager for Microsoft Services, says it had to make the case for deploying it. "We needed to prove it was not going to be the major effort they expected," he says. "We also automated the removal of the old antivirus so it was a one-step process. We ensured there was a very minimal window in which they had reduced AV protection."
All of the Department's devices run the Microsoft System Center Configuration Manager agent, which is used to deploy the initial installation and further updates. All of this takes place from the DSFA's main data centre to all 230 offices nationwide. Active Directory is then used to deploy usage policies for Forefront. Over a six-week period the department's IT team and a group from Microsoft Consulting Services managed the automatic deployment and removal of the existing AV for all PCs and more than 50 of its servers. The rollout went better than expected, as O'Toole explains. "We had expected to do about possibly 500 PCs and about 50 servers in that period but because of the automatic distribution via Configuration Manager we were able to do all of these which we were very pleased about," he says. "We were also very pleased at the rate of installation. We had a couple of small problems that we would have expected but in the main we're very happy with the way it deployed. It's a question of ensuring our PCs are secure and we're quite happy now that with the new AV they are secure. Not only are they protected against the latest viruses but spyware and adware as well. Also that it's up in the top quadrant with the big players on that. We're getting three updates daily, so we believe that Microsoft has an AV solution that is catching stuff as soon as it hits the wild. That is a big issue."
To put the department's security concerns in context, O'Toole points out that the network would receive its fair share of malware. "In an average week we would receive 51,000 external mails; 13,000 of these would be classified as spam while another 200 would be classified as containing an inbound virus," he says. Forefront reduces the threat of any problems reaching the desktop.
Working to a tight timetable for rolling out the new AV tool, the project team worked from a programme of best practice in accelerated deployment for Forefront which was developed by Microsoft Consulting Services. "It's been proven how it works with other customers, and they can work out what is needed from a hardware and resourcing perspective," explains Ennis. Consultants from Microsoft were on site at the department for six weeks in total, starting with the design phase of the project and through to a successful first pilot which proved the concept. "We were then on site for a few days after the implementation to ensure the customer was comfortable with everything," says Ennis. "Since we left, we've had no issues reported." As part of the agreement with the Department, MCS will return six weeks after the implementation to perform a health check on the new systems.
|
Benefits
Better security
With an eye on future IT plans, O'Toole says Forefront's multiple AV signatures with five versions of anti-virus should make the servers more secure. "We will soon be deploying Microsoft Exchange and SharePoint to our entire user base and the implementation of Forefront for these packages should greatly enhance our security. Also the integration of Forefront with MOM has improved efficiency and allows us to make use of the Company Knowledge facilities in MOM to diagnose and remedy issues. Also the console and reporting tools are excellent."
Ease of use
Forefront's ease of use means one member of the DSFA IT staff needs only to dedicate part of their time to managing the software. "That's the whole point: familiarity with the tools means it's very intuitive," says O'Toole. "Because they had previously been working with System Center Configuration Manager and with Operations Manager, we can use either of those views to look at Forefront. So it has made it very easy and the transition went better than I would have expected."
Improved reporting
"We're able to get a very good feel of how the PCs are being used out there because of the reporting we're getting from Forefront," says O'Toole. "It's giving us information that we wouldn't have otherwise. It's an added bonus that we're getting from it, so we can then look at policies around power saving and so on."
Simplified management
O'Toole says the close integration with Microsoft management tools has made life easier for the IT team at the department. "Because Forefront uses Configuration manager to deploy the updates – and obviously we're using Configuration Manager anyway for general software deployment – it just means we don't need to introduce a second tool to do that, whereas with our previous AV we would have had something else deploying signatures. We then use Active Directory for policies so we're using our existing Microsoft stack to maintain Forefront. And because it's a Microsoft product, the look and feel is very similar, so the need for retraining is minimal."
Servers brought up to date
There were some unexpected benefits to the rollout project, according to O'Toole. "The fact that we were doing the Forefront deployment meant we had to bring a lot of our servers up to date, which in itself is a good thing. We brought our server estate up to date with patching." In addition, when Forefront was installed it detected 50 machines which had been infected with more than 100 forms of virus or malware, although as O'Toole points out, there is no guarantee that these infections were definitely malicious.
Low cost
The Department has realized significant cost savings by deploying Forefront as part of the enterprise CAL. "We would have expected to be spending roughly €38,000 a year on AV; we're now spending about €3,000," says O'Toole. "Obviously an organization of our size would have a substantial IS budget and it means that will now be spent on storage, servers and so on." Cost is not his primary concern, however. "It's a substantial saving but I would be more concerned that it does its job, it's easy to manage and it's seamless. I'm very happy with that so far, and when it includes a saving, great."
Summary
O'Toole is very happy with how Microsoft assisted in implementing what could have been a tricky project to manage. "Certainly they made sure they knew what we wanted before they came in, and we've found that they've delivered to – and in the case of Forefront, exceeded – our expectations," he says. "We are very happy that Forefront does what it says on the tin and we're also very happy with the integration with the Microsoft suite of software. With Microsoft's Forefront, we're getting the integration of deployment, management and monitoring for all our various tools and they sit very nicely together," he concludes.
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: http://www.microsoft.com/
© 2007 Microsoft Corporation. All rights reserved. This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published May 2008
 Solution OverviewOrganisation
Microsoft Forefront Microsoft System Center Configuration Manager and Operations Manager Microsoft Active Directory Country/Region For More InformationAbout Microsoft in Ireland:
|