Executive Summary

Upward Bound airline is a U.S. legacy carrier that is facing some challenging conditions
during its effort to transform into a cost leader as well as a market leader. It is facing fierce
competition. Under the pressure of fierce competition, along with the cash crunch and aging
jet fleet, Upward Bound needs a comprehensive response to solve the efficiency of its
operation and retain profitability. In order to remain competitive, Upward Bound must
modernize its fleet with fuel-efficient aircraft. This project will pressure the airlines cash
position significantly. The firm has decided to cut costs by eliminating 20% of the workforce
and out-sourcing IT functions to cloud service providers. The firm needs to determine how
the process of out-sourcing IT should be handled and what new policy and procedures need
to be developed for operating in a new IT environment to ensure security remains adequate.
As with any major corporate change, directors and management need to ensure that new
plans work to achieve corporate goals, realize benefits, optimize risk, and use resources
effectively.
Company Background
Founded in 1980, Upward Bound has grown to small to mid-sized airline serving 31 cities, 16
in the United States and 15 abroad. It employs 9,000 employees and generated $19 million in
net income on $296 million of revenue- a net margin of 6.4%. Upward Bound is a public
company carrying $110 million in debt.
Company Analysis (SWOT Analysis)
Strength: Upward Bound is known for its reliability, attractive ticket price and operation
efficiency. Upward Bound has a strong brand image, along with its high operational
efficiency and lower cost structure compared to other legacy airlines. Specially, it has the
lowest time per repair in industry. It also boasts the best on-time record in the industry. Its
board of directors consists of highly qualified professionals.
Weakness: Its fleets operating costs are high because it is aging and aircraft arent fuelefficient. Doesnt offer as many flights or destinations as its larger competitors, like the major
airlines. The Majors are able to offer convenience and a broad array of flight itinerary

options, allowing many consumers to fly non-stop, anywhere at anytime. While this is a
weakness for Upward Bound, it is shared by all smaller airlines. However, Upward bound has
capitalized on its strengths to differentiate itself from the competition and deliver value to its
customers.
Opportunities: Upward Bound has opportunities in international market to boost its sales for
the reason that it has relatively low cost and reliability. The firms revenues are highly
responsive to marketing efforts, as each additional dollar of marketing spend generates a
considerable amount of additional revenue. Currently, the airline cant afford to increase its
marketing budget, because it needs to save cash to replace its fleet. Outsourcing most its IT
operations by moving to cloud computing services will allow it to mitigate the cash crunch,
and to replace its current jet fleet. Down the road, the firm will realize significant cost
savings from outsourcing IT and its cost-efficient fleet. This will position the firm to focus
efforts on marketing, especially since it is the firms most effective tool for increasing sales.
Threats: Upward Bound faces three types of competitive threats, including aging jet fleets,
decreasing competition in marketing and, draining cash reserves. Upward Bound competes
by offering attractive pricing. It is not in a position where it can raise fares and still retain
customers. The airline is at a cost-disadvantage to competitors operating modern, fuelefficient fleets. If the airline doesnt reduce its operating costs, it will not be able to compete.
Upward Bounds Problems
Upward Bound must evaluate which cloud services it needs, and how to utilize them to
achieve its corporate goals. Upward Bound must identify and address the risks of moving to
the cloud. It must also determine which IT infrastructure and personnel will need to be
retained and managed internally. New policies and procedures need to be written detailing the
administrative responsibilities, usage policies, and procedures for managing, monitoring, and
auditing the cloud services available to the firm. In addition, firm must develop a new
security architecture that reflects the changes in the corporate IT function.
Cloud Services
There are many benefits to moving to the cloud, primarily the cost savings it provides. Cloud

services reduce the need for company owned and operated IT hardware as well as reducing
the amount of IT personnel. The company only has to pay for the capacity and services it
needs. New software and updates dont have to be applied to every single company desktop
since applications are hosted online.
There are also many drawbacks and risks for using cloud services. First, the company no
longer has full control over the IT function. Second, company data now resides outside the
organization. This can be a major security concern since cloud service providers (CSPs) are
high value targets for attacks due to the colossal amount of sensitive data they host. Multitenant environments introduce the risk of data leakage. This is when either a bug or
intentional act causes company data to be exposed to other tenants. Third, there can be
service disruptions and availability issues.
Cloud Risks Facing Upward Bound
Upward Bound cant afford to have service disruptions that could impact its operations, such
as losing the ability to sell tickets and book flights, board passengers and freight, and perform
aircraft maintenance. If service disruptions become severe, it could cause the airline to
cancel flights. This is huge risk since lost revenue cant be made up by flying two flights the
next day. Once a flight is canceled, it is very likely that the associated revenue is lost
permanently.
Upward Bound has spent decades building its brand image of being on time and reliable. If
IT issues translate into flight service delays or cancelations, then the airline would lose one of
its primary competitive advantages. The cloud brings the opportunity to increase reliability
and efficiency to the airline; at the same time, cloud computing poses a risk that could cripple
it if disruptions arent managed effectively.
Security and protection of company and customer data is a major risk. Due to air travel
security regulations, passengers must hand over their personal information. In addition,
nearly all sales are conducted electronically (credit or debit cards), this presents the risk of
payment data theft. Last, passenger flight history and interactions with the airline are
collected for loyalty programs and business intelligence. Any leak or theft of this sensitive

data could be a public relations nightmare. Consumers might perceive the airline as one that
cuts corners and is irresponsible. They might wonder if Upward Bound cant safeguard our
personal data, how they assure our physical safety? This could drive loyal customers to
other airlines. It has been commonly observed, that once a company loses trust, it is very hard
to regain. This especially true in competitive industries where consumers have a broad array
of alternatives.
Addressing Upward Bounds Major Risks
The firm needs to envision every possible scenario where access to the cloud could be
disrupted. For each possibility, IT planners need to design redundancy and fall back systems
to preserve continuity of operations. Amazon Web Services has a strong record of reliability,
but this can be further enhanced by contracted service at an additional AWS data center in
another availability zone. Each availability zone operates independently of each other, hence
any disruption in one zone has no impact on the operability of others. The firm can mirror
critical data in real-time to two independent AWS data centers. If one goes offline,
connectivity switches over to the secondary center. Not only does this provide assurance of
availability, but also serves back-up and disaster recovery roles as well.
To protect sensitive data, the airline should require strong encryption of data in transit as well
as data in storage. Firewalls should be installed on the server at application and database
gateways, and configured to only allow access from approved traffic and devices. For the
most sensitive data, the firm should check if it is possible to lease a dedicated server as the
sole tenant. This would partition the firms data from other tenants and eliminate the risk of
data leakage.
Migrating to the Cloud
Ensure that multiple vendors are evaluated and involved in the bid process, so that can
provide for competitive bidding and lower price and thus saves the cost; determine whether
the vendors financial stability was investigated as part of the evaluation process; determine
whether the vendors experience with providing support for companies of similar size to
yours or in a similar industry was evaluated; ensure the vendors technical support

capabilities were considered and evaluated; ensure each vendor was compared against
predefined criteria, providing for objective evaluations; determine whether there was
appropriate involvement of procurement personnel to help negotiate the contract, of operation
personnel to provide expert evaluations as to the vendors ability to meet requirements, and
of legal personnel to provide guidance on potential regulatory and other legal ramification of
the outsourcing arrangement; ensure that theres a thorough cost analysis was performed. The
total cost of performing the operation in-house should be include all relevant costs, including
costs for one-time startup activities, hardware and related power and cooling, software,
hardware maintenance, software maintenance, storage, support.

Cloud Service Options

1: SaaS Google for Gmail. Zoho will be for business applications, spreadsheets, dashboard,
and business reports. The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, or storage, but has control over
the deployed applications and possibly application hosting environment configurations. The
organization pushes almost all security concerns to the Cloud.
2: IaaS Amazon. Web-based services for airline website hosting and storage for database.
The consumer does not manage or control the underlying cloud infrastructure but has control
over operating systems, storage, deployed applications, and possibly limited control of select
networking components (e.g., host firewalls). The organizations has even greater control over
security pushed to the Cloud
3: PaaS Airlines build their custom applications for reservation systems, flight
management, and maintenance and ground operations. The airline does not manage or control
the underlying cloud infrastructure including network, servers, operating systems, or storage,
but has control over the deployed applications and possible application hosting environment
configurations. The organizations have some control over the security pushed to the Cloud.
Existing Security Architecture
The existing security architecture contains the following elements:

Policy and security standards that cover all major types of computing and
network technologies

Screening routers, stateful firewalls and a virus wall at each exterior gateway

Spam filter and antivirus software on each mail server

Network-based intrusion detection in each of Upward Bounds six networks and

sensors distributed within each network

Endpoint security (antivirus plus antispyware plus personal firewall) on each

Windows workstation

Application firewalls in front of each web server farm

VPN connectivity from the outside to each of the six Upward Bound
networks via a VPN server

A central log aggregation server in each network

Encryption of all connections to and from each business critical server

Tripwire (a file and directory integrity checking tool) on each business

critical server

A hot site at which critical business operations can be up and running

within three hours

Revised Security Architecture

Firewalls, screening routers, and virus protection will be needed at each gateway on the client
side of the network. While no data is stored on the corporate side of the network since only
desktops serving as thin clients are connected, there still is the risk of malware infections.
Malware could enter through the client side of the network and infect desktop workstations.
From there, it could be transmitted up to the firms cloud infrastructure through a trusted and
secure connection. All devices that connect to the cloud network must remain secure so that
they dont provide an access point for unauthorized connections and rogue applications. Virus
protection and user authentication protocols on company provisioned devices need to remain

robust to that the cloud network is not contaminated.

Since Google will be handling email, antivirus and spam filtering on mail servers are no
longer the responsibility of the airline. Google will provide those services; however, files
downloaded will need to be screened by anti-malware software on the device as an extra
precaution.
Intrusion detection isnt needed on company networks since they are only serving as a
connection to the cloud. Intrusion detection is needed for the cloud networks and AWS offers
that functionality. IT needs to configure the logs to track access connections as well as user
activity. They also need to be reviewed regularly for abnormalities.
End-point security is the major function that will remain a responsibility of the internal IT
department. Malware, firewalls, security patches, and system software must be kept up-todate on company devices. End to end encryption must be configured. VPN connectivity to
desktop workstations is no longer needed. It only adds to ITs workload and is another
potential risk. Instead, company provisioned devices configured for a high level of security
will be distributed to personnel with the need and authorization for remote access. Tripwire
will no longer be needed since AWS manages the servers. The firm needs to ensure AWS
provides this type of functionality to ensure files arent corrupted when written or while at
rest.
Company policy is to have a hot site that can be up and running within 3 hours if offices need
to be evacuated. Under the companys current IT structure, it is very costly since data centers,
servers, networks, etc. need to be replicated at a secondary site. Also, they need to be
maintained so that applications and data are kept up-to-date. Moving to the cloud reduces this
expensive headache. A disaster recovery site only needs to be equipped with desktop
workstations and a provisioned network to connect to CSPs. Regional offices could serve as a
DRP site if they are in close proximity. However, DRPs need to be far way enough so that if a
hurricane or earthquake occurred, they would be outside the disaster zone.
Managing Controls for Cloud Services
SLA agreements need to be written to ensure they comply with corporate policies and

provide adequate IT security controls. SLAs need to specify the requirements for availability
and performance, and how they will be measured. They also need to specify penalties for
non-compliance. The requirements for security controls need to be specified. SLAs need to
contain clauses prohibiting CSP from using company data for its own purposes. It also needs
to include non-disclosure agreements and restrict access to unauthorized users. CLAs need to
specify the requirements for encryption and breach notification. AWS can provide many of
the needed security controls which can be specified to follow COBIT 5 guidelines.

Risk Management Strategies

Mitigation - Establish physical, administrative and/or technical controls or systems the
potential for problems
Avoidance - Make changes to avoid the risk
Transfer - Transfer the risk to another party; Buy insurance to cover consequences of risk
occurrence.
Governance and Risk Management:
Constantly Detect, Manage, and Review Risk
Establish Risk appetite
COBIT 5 from ISACA
Provides a comprehensive framework
Assists organizations in achieving their objectives in using cloud
Governance considerations for cloud: For whom are the benefits? Who bears the risk? What
resources are required?
Management:
Knows and understands the benefits of Cloud; Evaluates and monitors benefits realization;
Understands cloud computing risk; Can quickly respond to changing risks; Seeks periodic

assurance to ensure SaaS effectiveness; Has established acquisition, deployment and

operations roles and responsibilities.

Ensure that the service provided by the Cloud Service Provider has:
Availability - 24/7 operations must have 24/7 security
Privacy - Ensure that provider has effective controls to ensure privacy of data
Data security - Security Information and Event Management
Protect CIA (Confidentiality, Integrity, and Availability) of information.
Location - Locations requirements for jurisdiction and legal obligations that must be ensured.
Compliance - Ensure provider complies with all relevant information security laws and
regulations

Recommendations (Problem 9)
After analyzing the financial comparison across airlines, our consulting group concludes that
it is not appropriate for Upward Bound airline to follow its current strategy as a cost leader
since internal costs are hard to cut for Upward Bound. Our specific suggestions include:
Jet fleet:
Cost - Upward Bound will only pay for the services and resources it uses, as it uses them. By
moving security services and maintenance workloads to a cloud platform, Upward Bound has
the ability to instantly increase or decrease resources, depending on the immediate needs of a
particular workload. Web-site vulnerability scans, security monitoring and incident response,
identity access management and data encryption services are some of the security services
that can be moved to the cloud, controlled, and paid for only when used. With cloud, very
limited up-front capital investment is required for hardware and software, ongoing software
licenses costs are eliminated, the need for complex technologies is limited and services can
be delivered and accessed from almost anywhere in the world. Fewer servers running security
applications means a smaller data center footprint. That can translate to direct savings on real
estate, power and cooling and indirect savings on facilities maintenance. it is less expensive

to use cloud-based applications and that the end-user is relieved of the expense of setting-up
their own servers and data storage areas.
On-site infrastructure (control panels, conduit, wiring and related hardware)
Hardware (Application & Archive Servers) Cloud does not require
Application Software Licensing - Cloud does not require
Application monitoring, maintaining, upgrading and training - Cloud does not require
Cloud Subscription fees
On-site Deployment Costs
On-site Support Costs (system maintenance)
Data Center Staffing costs - Cloud does not require
Data Center Space Costs - Cloud does not require
Data Center Operation and Maintenance Costs - Cloud does not require
Ease of management and operations - The vendor provider is responsible for the management
and operation of hardware and software that is used to deliver services to Upward Bound.
Using a web-interface console, Upward Bound can view the security environment and
activities and perform the control tasks that it chooses to manage. The console alerts the
Upward Bound of security incidents that require its attention and provides auditable reports
on security activity and compliance. The service removes the tasks of log management,
compliance reporting and security event monitoring. By moving these tasks and others to
cloud, Upward Bound eliminates the need for dedicated IT resources and their management.
Availability of planning and design information from SaaS professionals based on their
experience with other similarly sized projects;
Elimination of headend-equipment (system and archive servers) costs;
Elimination of application software license costs;
Elimination of application and system management and maintenance costs;
Reduction in design and implementation time;
Reduction in system performance measurement costs;
Reduction in data center space requirements for system head-end equipment;

Reduction in the amount of data storage at the end-user facility or operation;

Reduction in system expansion planning, and design costs.
Ability to increase and decrease capabilities on-demand.
Overall, significantly diminished capital expenditure requirements.
Before making decision to deploy, following questions need to be considered and ask cloud
security service provider: What is the cloud service model that is best suited for the needs?
Will the service process and/or store confidential information (network, vulnerability
information, key material, etc.)? Where are important security data (audit logs, user
credentials, etc.) stored and can they be accessed when needed? Is the access controlled?
Where will the information be located and what retention policies will apply? What are the
destruction and archival procedures? How will data ownership be determined? How will the
information be protected (physical and logical controls)? What are the contractual
obligations, and how will they be enforced? What are the gaps between the service and a
comprehensive security program? How will the gaps be addressed? How will we include the
provider and outsourced services in the business continuity and disaster recovery plans? Can
data be transferred to another provider if the contract is terminated? What is the contractual
agreement for responsibility?
Sell to Ebay? much money to sell is it worth. Hard drives might not worth a lot of money
plus it put Customers information and data at risk
Conclusions
Even though Upward Bound Airlines is facing several problems in the current period, our
group believes that the resources and strengths Upward Bound possesses could still allow
Upward Bound to establish a competitive edge in the industry. Bases on our analysis of the
industry and the company, we strongly recommend Upward Bound to Our group also
generates a comprehensive solution for Upward Bound to adapt in order to solve current
problems. With our recommendations, we strongly believe that Upward Bound is able to
regain profitability and achieve long-term growth. A key driver for potential end-users are
the savings that accrue through elimination of multiple software application licenses and the

financial return on eliminating the time and effort to maintain the application itself, as much
of the responsibility is moved to the cloud provider. This responsibility will also normally
include complementary software upgrades and full support of the applications
environment.Another important benefit is an increase in consistent capability. In addition to
transferring the responsibility of maintaining the software application to the cloud provider,
the end-user also benefits from the speed at which the application is updated following
improvements to the application itself.
Problem 4: Data security - Determine how data is segregated from the data of the other
customers; review and evaluated the usage of the encryption to protect company data stored
at and transmitted to the vendors site; determine how vendor employees access your systems
and how data is controlled and limited; review and evaluate process for controlling nonemployee logical access to internal systems; ensure the data stored at vendor locations is
being protected in accordance with internal policies; review and evaluate controls to prevent,
detect, and react to attacks (instruction detection, intrusion prevention, incident response,
discovering and remediating vulnerabilities, logging, patching, protection from viruses and
other malware); determine id mgt is performed for cloud-based and hosted systems; ensure
that data retention and destruction practices for data stored offsite comply with internal
policy; review and evaluate the vendors physical security. Entire intrusion detection
solutions can be managed via cloud. Sensors and a control panel are located at the premises,
with all management and data forwarding occurring remotely. Access control: in the cloud
computing model, each edge sensor, networked keypad, or device containing intelligence,
reports directly to software in the cloud. Management, administration and reporting are
similarly handled in the cloud with the user input being provided via a web interface.
Responsibility for managing the system may remain with the client or be provided by
personnel as a managed service for the customer. In either case, the management activities
are carried out on the service providers equipment.
Review and evaluate Upward Bounds process for monitoring the quality of the outsourced
operations. Determine how compliance with SLAs is monitored. Ensure that adequate

disaster recovery processes are in place to provide for business continuity in the event of a
disaster. Determine whether appropriate governance processes are in place over the
engagement of the new cloud services by Upward Bounds employees. Review and evaluate
Upward Bounds plans in the event of expected or unexpected termination of the outsourcing
relationship. If IT services have been outsourced, review the service providers processes for
ensuring quality of staff and minimizing the impact of turnover. If those services are being
performed offshore, look for additional controls to ensure employee attendance and effective
communication and hand-offs with the home office.

Determine how compliance with

applicable privacy laws and other regulations is ensured. Review and evaluate processes for
ensuring that the company is in compliance with applicable software licenses for any
software offsite or used by non-employees.
Upward Bound can outsource informatio i n security services, but not accountability for
security. Upward Bound remains responsible for all of its sensitive information. Laws and
regulations enforce this accountability. Upward Bound must know the information and IT
assets that are critical to its organization, its customers and its stakeholders and the risk that is
associated with these critical assets. Determine how compliance with the SLAs is monitored;
(Problem 7): a. the situation of stop selling tickets, the entire operation going to be down. an
airline cannot afford losing control of operation based on its nature b. Information security: if
the passengers data got hacked, all the personal privacy and information, including the
financial information like credit cards, will be in risk. C. the end user has little or no control
over version and feature changes to the application itself. Security issues related to having
their business data 'out' on the Internet seem to be the number one concern of small business
owners.

Problem 8 Ensure that multiple vendors are evaluated and involved in the bid process, so that
can provide for competitive bidding and lower price and thus saves the cost; determine
whether the vendors financial stability was investigated as part of the evaluation process;
determine whether the vendors experience with providing support for companies of similar

size to yours or in a similar industry was evaluated; ensure the vendors technical support
capabilities were considered and evaluated; ensure each vendor was compared against
predefined criteria, providing for objective evaluations; determine whether there was
appropriate involvement of procurement personnel to help negotiate the contract, of operation
personnel to provide expert evaluations as to the vendors ability to meet requirements, and
of legal personnel to provide guidance on potential regulatory and other legal ramification of
the outsourcing arrangement; ensure that theres a thorough cost analysis was performed. The
total cost of performing the operation in-house should be include all relevant costs, including
costs for one-time startup activities, hardware and related power and cooling, software,
hardware maintenance, software maintenance, storage, support. The cost for monitoring the
cloud computing also needs to be considered. Hardware security components (e.g., Access
Control and Video Surveillance hardware) are also subject to regulatory and life safety code
requirements for compliance. The Code establishes minimum criteria for the design of egress
facilities to allow prompt escape of occupants from buildings or, where desirable, into safe
areas within buildings
Small companies that may not otherwise afford the purchase of the physical security
infrastructure that they require may find it desirable to share services with other companies
when delivered in a common pay-as-you-go model.
A comprehensive review of the total cost of ownership is required for a substantial
comparison to any alternative model under consideration. The components of service,
hardware, maintenance and IT cost associated need to be identified. For example, a
traditional implementation of an access control system factors in IT, software and server costs
that are removed in the typical shared computing model that cloud provides, and capital
expenditure is replaced or augmented by an operational expenditure model. Consideration
therefore, needs to be given to these differences, using business logic and financial analysis.
If there is already a physical security system in place, there may be an opportunity to utilize
some of the existing equipment when converting to cloud. Likely items are door locking
hardware, request to exit (REX) switches, alarm sensors, existing cabling, and cameras.

Cable reutilization requires evaluation of plans regarding structured cabling and Power over
Ethernet (PoE)
Technology which are leveraged in cloud deployments. Generally, the investment in locking,
readers, door position switches, accessories, power supplies and cabling infrastructure may
be retained as part of the existing in-place systems. Installation of network connected access
control panels (hardware) replacing the direct-connected access control panel, and software
application conversion from dedicated systems to cloud solutions supporting reuse and
conversion
Current physical security policies should be reviewed to establish which policies might
require refinement or implementation when migrated to cloud. For example, what is the
service level available to the site administrator in the event that the Internet connection
becomes unavailable? What is the role of IT in supporting connectivity to the system?