Enterprise Architecture Case Studies
Architecture Case Studies – Discover Why Leading Architects Choose ABACUS
CLP Power: Utility of the Future
Award winning enterprise architecture.
Objective: The CLP enterprise architecture team needed to update their architecture to set their organization up for growth. They moved from a project-siloed, application-centric architecture to a future fit architecture built around re-usable business capabilities. At the same time they built an architecture roadmap for a successful smart meter rollout.
About CLP Power Hong Kong: CLP Power provides electricity to more than 80% of Hong Kong’s population and is transitioning rapidly to renewables. Its business strategy is centered around Decarbonization, Decentralization, and Digitalization.
University of Edinburgh
Preparing to succeed.
Use Case: To bring together all metadata across the university into a single source of truth, enhancing scenario analysis, building reliable roadmaps, and keeping stakeholders informed of time-critical decisions.
About University of Edinburgh: Considered one of the leading universities worldwide, The University of Edinburgh has a rich history and noted alumni including Olympic champions, novelists, and prime ministers. Founded in 1582, The University of Edinburgh is the sixth oldest university in the United Kingdom.
Webinar: Modern Woodmen
Enterprise strategy & project execution with balanced scorecard.
One of the nation’s largest fraternal financial services organizations, Modern Woodmen of America serves nearly 730,000 members throughout the United States and manages over $17 billion in assets. Modern Woodmen relies on its EA team to help outline business strategies and determine clear routes to outcomes. The team uses Balanced Scorecard and the Business Motivation Model to capture decision-making and roadmap changes. They also use ABACUS to provide senior management with overviews of strategies and projects.
Webinar: Enstar
Mastering data: creating an effective EA repository.
By transforming your repository into a single source of truth, you help avoid data silos and allow business leaders to make informed data-driven decisions. During this webinar, the enterprise architecture team at leading global insurance company Enstar explores the key steps used to harvest their data into an effective EA repository helping to create value and master their data.
Webinar: Man Group
Understanding your application landscape and what’s important to your organisation.
Use Case: To meet the ever-changing requirements of the business, and to fully understand the application landscape and where the associated risks lie
Solution: Man Group walk through their application modeling journey, including their challenges, solutions, and the future use cases they aim to support, focusing on three key areas: defining what is important and to whom, identifying and modeling criticality, and using algorithms to remove time-consuming data inputs and provide quick insight into high-risk activities.
Financial Services (Insurance and Employee Benefits)
Use Case: US insurance and financial services giant Ameritas wanted to eliminate spreadsheet sprawl and establish an authoritative source that could be referred to company-wide to guide cybersecurity, regulatory compliance, technical debt reduction and strategy.
Solution: The team is using ABACUS to integrate data from operational systems, to run impact analysis and to provide self-service access to compliance information. They have built an up-to-date inventory of data, applications, servers and operating systems. They generate architectural artifacts including infrastructure diagrams, application integration diagrams, application catalogues and roadmaps. Employees from the CIO to datacentre operators are kept informed using enterprise architecture data.
Webinar: Amsterdam City Council
Use Case: To support the ongoing digitalization of local government in an effective and timely manner, architects benefit from a shared knowledge base.
This presentation provides insight into the ongoing journey of the architecture team of the City of Amsterdam towards this goal including the use of ArchiMate, Integrations and the move from primarily projects to also landscape contribution.
Webinar: NXP
Modeling and self-service dashboards to support business and IT stakeholders.
NXP is a world leader in semiconductor, automotive, industrial IoT and communications technologies. See how their EA team use a combination of ABACUS Enterprise and ABACUS Studio to support a wide group of users and stakeholders, creating tailored dashboards for specific stakeholders and business areas and using process maps, treemaps, graph views and catalogues to communicate information and provide valuable insights.
Tackling Cybersecurity Risk with Enterprise Architecture
Use Case: Sophos needed to ensure cybersecurity best-practice and secure clients’ trust by identifying potential risks within the business.
Solution: Using ABACUS, Sophos identified six steps to efficiently identify and reduce cybersecurity risks: security catalog setup, risk/security scoring, roadmapping, risk mitigation, visualization of application landscapes and business capability maps, and continuous risk reduction.
Jackson Life Insurance
Financial services (insurance).
Use Case: Tackle technical debt across 200+ systems. Calculate costs and risks associated with complex application code, outages, security breaches and unsupported software.
Solution: Over a period of only 6 months the team centralized technology and application data in ABACUS and ran cost and risk algorithms on their enterprise architecture models. By managing the risks associated with technical debt and legacy systems strategically, they quickly identified hard dollar savings and ways to improve IT capacity and efficiency.
Reliance Industries
Conglomerate.
Use Case: Manage and transform a massive IT landscape comprising 3000+ processes and 1500+ applications spread over 10,000+ servers.
Solution: Reliance Industries is India’s largest private sector business enterprise and among the Fortune 500 companies. Its businesses span 4G digital services, organised retail, and energy and petrochemical products. RIL has adopted a tailored TOGAF metamodel and is using ABACUS to co-ordinate its architecture and IT management.
Coventry Building Society
Light touch for heavy lifting.
Objective: To enhance their IT strategy and migrate successfully from Sparx and PowerPoint into a single source of truth, ensuring the team is well positioned to deal with the demands of 2020: the move to remote working, increasing service expectations, technology transformation and the changing demands of customers.
About Coventry Building Society: The Coventry Building Society is the second largest building society in the United Kingdom, with total assets of more than £49 billion. The society provides a range of mortgage and savings products and solutions to over 1.5m members, keeping its members at the heart and focus of the company.
Technology EA Successes eBook
Achievements & successes from technology enterprise architects.
Explore how a leading UK security software firm compared risk scorings using ABACUS algorithms, and discover how tailor-made metamodels allowed a world-leading semiconductor and technology company to bring project and program management together with architecture to add value.
How to Build a Successful Solution Architecture: Case Study
What is solution architecture (in terms of software development)?
Software architecture design is a fundamental step in successful application development. It outlines and justifies the structure of the future app. In addition, the solution architecture explains how all the application components will work together to achieve the desired result.
Solution architecture is defined during the project discovery phase, as it sets the cornerstones for the upcoming application development. It considers all the functional and nonfunctional requirements to configure the most suitable technical solution for your business. Besides the current state of the art, a well-designed app architecture should allow some flexibility for future scaling and updates.
With all that said, it is necessary to get the application architecture right before moving on to development. An architecture redesign is an extreme measure: it brings fundamental changes to the app that modify the IT infrastructure, possibly the tech stack, feature performance, etc., and it requires a large investment of time and money.
In this article you will find the practices we use at Apiko to design software architecture successfully. We also include our website architecture as an example within the cloud architecture case study. Ready? Let’s begin!
What defines a successful solution architecture?
- Usability: Achieve the closest possible match between the solution architecture, the application functionality it enables, and the needs and requirements of future app users and stakeholders.
- Performance: Determine and allocate the amount of computing resources that is necessary and sufficient to ensure flawless app performance and a smooth user experience.
- Cost efficiency: Define the level of app quality and performance that will be enough to satisfy your business needs. We clarify this during the project discovery phase and summarize it in the form of functional and nonfunctional requirements. Most often a higher level of performance is achievable at a higher cost, so a middle ground has to be found.
- Reliability: Ensure that the application functions as expected at all times.
- Security: Implement protection mechanisms to prevent any data leakage and secure the application against possible malware attacks or other destructive activities.
- Robustness for future updates and scaling: Both the business processes the application is built for and the technologies it is built with evolve over time. The overall app performance should not be affected by
  - a growing number of users
  - adding new app functionality
  - feature updates
  - updates to any of the technologies the app is built with, etc.
Of course, it is impossible to foresee every innovation a solution may face, but they will be easier to implement when the architecture is robust.
- Simplicity: Aim for the simplest solution that satisfies all of the above criteria. Don’t get this wrong: if there are simpler solutions that will obviously lead to technical debt, they should be discarded. Just avoid extra architectural complexity when there is no need for it.
How to reach these criteria?
Follow the best practices. When it comes to developing cloud architecture, we refer to the AWS best practices to create a well-architected solution.
Collaborate closely with the development team to get a better understanding of the application logic. Analyze the business needs and requirements to come up with the best app architecture.
Pick proven technologies. New tools emerge nearly daily, and their functionality often looks very promising. However, many of them are replaced by newer ones or simply vanish at nearly the same speed. Pay attention to the size of the professional community around a technology and to how long it has been launched and used successfully. The higher these numbers are, the more certain the future support of that technology is.
Finding the balance between a performant infrastructure and cost efficiency is one of the most challenging parts of solution architecture design. The software architecture of different projects includes a different number of variable components, and there is no one-size-fits-all solution.
What types of software architecture are there?
Based on the fundamental structure and the resulting application properties, software architecture can be divided into two types: microservices and monolithic architecture.
The monolithic approach consists of building the application as a single functional unit with tight coupling between its components. As a rule, it is perfect for smaller projects, as it enables straightforward and transparent operation without extra complexity.
While broad solutions may be too much to handle in a single monolithic codebase, microservices provide the required modularity. Loosely coupled components often have their own databases and function as relatively independent units. This means that you can update or modify any of them without worrying about the overall app performance.
For even more decoupled microservices and fewer dependencies between them, one can use an event-driven architecture. Some popular platforms for implementing it are SQS and Kafka.
You can find more details and tips on how to choose between these architecture types in our article Software Architecture Types: Monolith vs Microservices.
Depending on the location of the computing resources, we can distinguish cloud architecture, architecture configured on on-premises servers, and hybrid architecture. While on-premises architecture gives the owner physical access to the hardware, it requires an in-house team of software developers for its support and maintenance. In addition, app scalability depends on the hardware resources available.
Cloud-based architecture does not allow physical access to the servers. However, it eliminates the above challenges by offering monitoring and testing automation, an almost unlimited scalability potential, professional support services and more. No wonder it is the commonly used solution, and its popularity is still growing.
[Chart: annual end-user spending on public cloud services worldwide over the past few years. Source: Statista.com]
Hybrid architecture consists of using both on-premises and cloud resources. Most often it is used to conform to certain policies and regulations, e.g. when some data must be stored on premises only, or to avoid the latency of processing data in the cloud, etc.
None of these architecture solutions is the universally best choice for every project. It is necessary to take the peculiarities of the software into account to select the most suitable approach.
What types of cloud architecture are there?
Sometimes it is necessary to have your own data center or a number of local servers. However, cloud architecture suits the majority of solutions, so let’s get familiar with its types.
Public cloud architecture is a rather cost-efficient solution in which the computing resources belong to and are managed by a cloud service provider, e.g. AWS or Google. Cloud services are delivered using a multi-tenant approach and provide customers with the capabilities required for their software projects.
Private cloud architecture is configured on a cloud that belongs to and is managed by the software owner, i.e. it is private. For example, it may consist of a number of the company's on-premises servers and data centers, which do not necessarily have to be located in one place. As a rule, managing a private cloud is more costly than using a cloud provider's services. However, it allows maximal flexibility, the implementation of advanced security solutions, and making the most of the cloud resources available.
Multi-cloud architecture combines the computational resources of multiple public clouds and on-premises servers. Such an approach avoids dependence on a particular cloud service provider and may reduce costs. It also provides the flexibility to pick the services most suitable for implementing different app features or microservices.
Hybrid architecture is often referred to as hybrid cloud architecture. It is a subtype of multi-cloud architecture, and we described it above.
How do we design solution architecture at Apiko? [Cloud architecture case study]
Every application is built to match some business requirements. Designing the underlying server architecture is like mimicking the app behavior. It depends heavily on the app's purpose and functionality, security measures, governmental regulations and restrictions, etc. So the solution architect collaborates closely with the development team to find out these details.
What are the stages of cloud architecture development?
- Before we begin building cloud architecture we need to consider
  - business drivers
  - functional and nonfunctional requirements
  - constraints
  - the necessity to fit into the existing environment (ecosystem) where the project will be used
  - flexibility.
- Then we choose a suitable type of app architecture: monolith or microservices. After that we are able to pick the computing resources. For example, for a microservice architecture we can choose AWS Lambda or Elastic Container Service with the serverless approach, or pick the appropriate servers for high-computing or data-processing apps.
- Consider what type of cloud services we will use in our application, so that the AWS solution architect can start configuring the appropriate access policies and roles and designing the networks for the app.
- Configure the production-ready environment. Collaborate more with the application developers to get a better view of the application logic and how it should perform. Pay attention to which queries need to be cached, and how.
  - If there is no cache, the website can be slow and perform poorly.
  - If the infrastructure caches unnecessary queries or files, it may lead to errors in website usage.
- Implement initial DoS protection, such as AWS WAF, to handle suspicious requests. Without such protection the software can crash and become unable to respond to any request; the worst cases may result in personal data leakage. Some common website attacks include
  - Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS)
  - Web defacement attack
  - SSH brute-force attack
  - Cross-site scripting (XSS)
  - Directory traversal
  - MITM attack
  - HTTP response splitting attack
- Test the production-ready environment with load-testing tools, e.g. Gatling, to see how performant the infrastructure is in terms of scalability and efficiency. Load testing can also show us how the application performs during POST or GET requests, and which queries are slowing down the application. After that we can decide what should be fixed or configured for the production environment.
- After the architecture is designed, it is used by the development team to see the key components of the underlying infrastructure.
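The caching step above warns that caching the wrong queries or files leads to errors, and the DoS step that the worst case is personal data leakage. The following Python simulation of a CloudFront-style edge cache is an added example (not Apiko's code) that makes both concrete: a naive cache keyed by path serves one user's authenticated response to another user and keeps serving stale data, while a cache that honours the origin's Cache-Control headers does neither. The routes, tokens and e-mail addresses are constructed for the example.

```python
"""Edge-cache simulation (a CloudFront-style cache in front of an origin).
Constructed example: routes, tokens and e-mail addresses are made up."""
from dataclasses import dataclass
import time

@dataclass
class Response:
    status: int
    body: str
    headers: dict

class Origin:
    """Constructed origin: a public price list that changes on every fetch and
    an authenticated per-user profile. `calls` counts origin hits."""

    def __init__(self):
        self.calls = 0
        self.price_version = 0
        self.profiles = {"tok-alice": "alice@example.com",
                         "tok-bob": "bob@example.com"}

    def handle(self, path, headers):
        self.calls += 1
        if path == "/api/prices":
            self.price_version += 1
            return Response(200, f"prices v{self.price_version}",
                            {"Cache-Control": "public, max-age=5"})
        if path == "/api/me":
            user = self.profiles.get(headers.get("Authorization", ""))
            if user is None:
                return Response(401, "unauthorized", {"Cache-Control": "no-store"})
            # Per-user data: the origin forbids any shared caching of it.
            return Response(200, f"profile:{user}",
                            {"Cache-Control": "private, no-store"})
        return Response(404, "not found", {"Cache-Control": "no-store"})

def parse_cache_control(value):
    """'public, max-age=60' -> {'public': None, 'max-age': '60'}"""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name] = arg or None
    return directives

class NaiveEdgeCache:
    """The mistake the text warns about: every 200 response is cached, keyed
    by path only, with no lifetime and no regard for Cache-Control."""

    def __init__(self, origin, clock=None):
        self.origin, self.store = origin, {}

    def get(self, path, headers=None):
        if path in self.store:
            return self.store[path]
        resp = self.origin.handle(path, headers or {})
        if resp.status == 200:
            self.store[path] = resp
        return resp

class PolicyEdgeCache:
    """Honours Cache-Control: caches only responses with an explicit max-age that
    are neither private nor no-store, skips authenticated requests, expires by max-age."""

    def __init__(self, origin, clock=time.monotonic):
        self.origin, self.store, self.clock = origin, {}, clock

    def _ttl(self, resp):
        cc = parse_cache_control(resp.headers.get("Cache-Control", ""))
        if "no-store" in cc or "private" in cc:
            return None
        max_age = cc.get("max-age")
        return int(max_age) if max_age and max_age.isdigit() else None

    def get(self, path, headers=None):
        headers = headers or {}
        entry = self.store.get(path)
        if entry and entry[1] > self.clock():
            return entry[0]
        resp = self.origin.handle(path, headers)
        ttl = self._ttl(resp)
        if resp.status == 200 and ttl is not None and "Authorization" not in headers:
            self.store[path] = (resp, self.clock() + ttl)
        return resp

def run_scenario(cache_cls):
    """Alice then Bob fetch their profiles, then the price list is fetched at
    t=0, 3 and 6 s. Returns (what Bob saw, price versions seen, origin hits)."""
    now = [0]
    origin = Origin()
    cache = cache_cls(origin, clock=lambda: now[0])
    cache.get("/api/me", {"Authorization": "tok-alice"})
    bob = cache.get("/api/me", {"Authorization": "tok-bob"}).body
    prices = []
    for t in (0, 3, 6):
        now[0] = t
        prices.append(cache.get("/api/prices").body)
    return bob, prices, origin.calls
```

Running `run_scenario(NaiveEdgeCache)` shows Bob receiving Alice's profile and the price list frozen at version 1, while `run_scenario(PolicyEdgeCache)` returns Bob's own profile and refetches the prices once their 5-second lifetime has passed.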
What does Apiko website architecture look like?
You can see the Apiko website architecture diagram below.
We picked S3 as static hosting for our website, which saved us from configuring additional servers.
ECS is a container service managed by AWS that provides all the computing power. It is a cost-effective solution, as it is easy to scale up or down whenever needed.
We picked an S3 bucket as object storage for private and public files.
CloudFront was chosen for caching.
Is a new solution architecture necessary for every project?
You don’t need to build new solution architecture for relatively minor projects designed to work within an environment similar to an already existing one. Those can be
- small modules
- landing pages
- content updates and minor changes to an existing application, etc.
Let’s sum it up!
It is a must to design the software architecture correctly before the very beginning of project development. Poor architecture design always affects performance and the overall user experience; for example, it can be caused by the wrong server CPU or RAM configuration, or by caching the wrong queries, etc.
At Apiko, AWS-certified solution architects collaborate closely with the development team to set the basis for well-reasoned decision making about the solution architecture. Even the perfect underlying infrastructure can’t really perform at its best if the application is not optimized or is poorly designed (doesn’t use caching, has unoptimized database queries, etc.), and vice versa. Active communication with the software engineers helps us reach the much-needed balance between designing the perfect application architecture and configuring its underlying infrastructure.
We use best practices and proven technologies to minimize risks and future-proof software solutions. Do not hesitate to reach out if you need any assistance, have questions, or would like to discuss your ideas with us!
Case study: behind-the-scenes IT architecture deployment, or the cyber secret life of SMBs
At the start of a company’s activity, cybersecurity is just one of many challenges. Building an IT architecture and network is essential, and securing it is crucial. However, there’s sometimes a big gap between principle and reality when it comes to ensuring that good cyber practices are implemented as soon as an infrastructure is deployed – and from scratch at that.
Ivan Kwiatkowski, Lead Cyber Threat Researcher, who had the opportunity to carry out missions as a consultant, integrator and system administrator, shares his view on the importance of designing an IS that is “secure by design”. He discusses the concrete case of a small company he worked with in the healthcare sector.
Do you get the impression that good cyber practices are being overlooked in the design of an infra for SMEs?
Ivan Kwiatkowski: Today, I wouldn’t tend to phrase the problem like that. To begin with, a project to set up an SME from A to Z can encompass an enormous number of things: building premises (with construction site, architects, workers, etc.), a financial component involving banks, a considerable number of administrative procedures, recruitment… and generally setting up a computer network. Is cybersecurity often overlooked at this level? It certainly is. But IT is only one stage of the rocket, and I’m convinced that similar oversights occur at every stage.
The usual recommendations made by cybersecurity experts on a daily basis (applying updates as quickly as possible, having a good password policy, limiting user rights, etc.) seem simple on paper. However, when I was helping to set up a very small business, I came face to face with a number of structural obstacles that make it very difficult to put into practice. Today, the factors of cyber insecurity appear to me more clearly than ever.
What do you think is the main obstacle to implementing these cyber best practices?
I.K.: Surprisingly, it’s not about the budget. Take, for example, the project I was involved in: around 2 million euros were borrowed for the entire set-up of the practice, the majority of which was spent on creating the premises and acquiring medical equipment – some machines costing in excess of €100,000. Compared to this, IT represents a relatively minor item of expenditure, and if we’d needed a few tens of thousands of euros more to protect the network, I have no doubt we’d have found them.
The real obstacle lay elsewhere. Firstly, the initiators of this project were not IT specialists – as is the case with most entrepreneurial projects. They therefore had to rely on outside consultants to help them define their needs and carry out the installation. It turns out that, having worked in the field of cybersecurity for almost fifteen years, I had a particular sensitivity to the subject. But that’s not necessarily the case with an external service provider. What’s more, they will have committed themselves to a precise number of man-days, which will generally not allow them to take account of cybersecurity issues beyond the strict minimum. This is where the budget constraint comes back through the back door: not in terms of the customer’s initial budget, but in terms of competitiveness: a consultant who plans a solid network architecture will necessarily be more expensive than his competitors, for an invisible gain that the decision-maker is not competent to appreciate.
Having said that, this project in which I was involved had all the conditions for success: I was able to choose the hardware to be purchased, take care of the deployment… And despite the best intentions in the world, I don’t feel I managed to achieve the level of security I was hoping for. It’s a painful lesson, because despite my ambitions, my expertise, and an appropriate budget, securing the network was difficult. This suggests that in many cases where a company does not benefit from such support, the reality of deploying an IT infrastructure must be even further removed from security precepts. It is therefore crucial to upgrade the skills of external service providers called in to deploy an IT infrastructure, especially in cases where none of the company’s resources are dedicated to security.
First, how did you set up the workstations to guarantee both security and the operation of business applications?
I.K.: In the case of the company I worked with, the schedule was completely turned upside down: the launch date was brought forward by two months. Despite this time compression, suppliers need a certain amount of time to deploy hardware and software solutions, which left me with just four days to set up a minimal base: installation of ESXi on the server, commissioning of each machine, enrolment in an Active Directory, configuration of switches (there are some 90 RJ45 wall sockets in the cabinet).
To make matters worse, only one of the two switches was delivered on time, and for obscure administrative reasons, the company could not be connected to the Internet. A service provider graciously provided us with a 4G router, whose 80 GB of data were immediately consumed by a fleet of Windows devices, which, switched on for the first time, were all downloading their updates in chorus.
Under normal conditions, my cyber roadmap foresaw a nice network segmentation based on VLANs according to the different business lines. However, the priority was to ensure that the first service provider (of a long series) could deploy its application by Friday. In the case of the medical data centralization software, any delay in deployment prevented the installation of subsequent solutions, and thus the rescheduling of interventions by a whole herd of service providers with busy schedules. With this constraint on the one hand, and the inevitable imponderables on the other (always to be dealt with without real Internet access), we had to make do with a network that worked rather than a well-segmented one. I promised myself to rectify the situation later, knowing full well that it’s rare to be able to go back on “temporary” measures…
It’s easy to see that any IT infrastructure deployment project is fraught with unforeseen circumstances. So how do you ensure that security remains a priority, especially when it comes to using service providers?
I.K.: Let’s start by stressing that, at this stage, you don’t choose your partners. End-users designate the software they want to work with, and then you have to come to an agreement with the solution provider, whatever its practices.
An ideal installation scenario would be as follows: the service provider sends an MSI package, which is then deployed on the corresponding machines via a group policy (GPO) at Active Directory level. This deployment mode has never been proposed. I’ve been able to identify two possible scenarios.
- The service provider sends someone to the site. As this person does not have a network of technicians covering the whole of France, he or she is actually the local representative, usually available for sales questions. His role is limited to double-clicking on the installation program, carrying out any initial configuration of the software, and training users. As a result, he or she has only a limited IT culture, and none when it comes to cybersecurity.
- A technician takes control of the machines remotely to carry out the installation, using TeamViewer-type software. The profile can range from the highly skilled to the completely unskilled.
In both situations, I was astounded to discover that, barring exceptional circumstances, service providers assume that users will have administrator rights on the machines. In reality, the very concept of multisession is totally foreign to them, and I was met with looks of anguish and perplexity when I explained that the software had to work regardless of who was logged on. So I demanded that they find a permanent solution in this respect.
Ultimately, the only way to ensure that security remains a consideration when external service providers are involved is to constantly monitor them and impose best practices. You have to be prepared to impose your expertise, and possibly miss a few deadlines. When I’ve let a service provider intervene without being able to be present, I’ve always ended up having to assist them by telephone, or fix something afterwards. It’s a colossal waste of time, and in most cases, there’s rarely a dedicated IT specialist to supervise the deployment.
Last but not least, how can we ensure that end-users also feel concerned by cybersecurity issues? How can we find the right compromise between user experience and security?
I. K. : Unfortunately, the real problem lies elsewhere: technology doesn’t solve everything, especially when users are resistant to the most basic principles of digital hygiene. I’m thinking specifically of the issue of multisession: one account per user, with permissions adapted to each one; it seems obvious.
It turned out that, in the case I’m describing, the doctors and medical staff as a whole expressed strong opposition to the idea of having an account each, as it meant logging off and on again every time you went into a new consultation cubicle – which happens about once every fifteen minutes, at the very least. Typing your password a few dozen times a day is seen as an unacceptable waste of time (and to hell with the GDPR!). It also happens that a user forgets to close a patient file, resulting in it being locked: it is then impossible to remedy the situation without finding the culprit and bringing him or her back to the corresponding machine.
This mistrust of IT tools is widespread in the medical profession; all those interviewed attributed it to their experience in the hospital environment. For practical reasons, account sharing is ubiquitous: IT teams are overworked, there’s a lot of turnover… in the end, it’s common for all interns to use the account of a professor who retired years ago. The confraternity that reigns between practitioners does not predispose them to consider that the data of some might be inaccessible to others – on the contrary, the transmission of information must be as fluid as possible to ensure that patient care runs smoothly.
Ultimately, doctors setting up in a new practice find it hard to understand why practices tolerated in a university hospital would not be tolerated in their smaller setting. We therefore need to educate them, explaining the implications in the event of a security incident (even if they remain convinced that it only happens to others), or finding concrete examples: should employees have access to their employer’s emails and accounting documents? In the end, we came up with a compromise: everyone would have their own session, but there would be no restriction on the complexity of passwords – the only constraint being that they had to be at least 4 characters long.
We can loop back on the technology here, and hope that it provides early warning of a computer attack – the medical equivalent of treating the symptoms. But you have to bear in mind that once the practice is up and running, it no longer has dedicated IT resources. Who will read the alerts? Who will disinfect the system? Hiring the services of an MSSP can be a solution for structures that don’t have the expertise or resources to manage a cybersecurity solution. And I deplore the fact that, all too often, especially in smaller organizations, awareness of the risks and stakes comes after the worst has happened.
In conclusion, what lessons have you learned from this project?
I. K. : I’ve learned a lot, particularly about the structural causes of insecurity. When you set up a company, there are so many things to coordinate, and IT is only one piece of the puzzle. In the final analysis, despite a stated desire to put cybersecurity at the heart of the project, the end result fell short of my expectations… and this experience paints a worrying picture: in VSEs, SMEs and even ETIs, at every stage of IS deployment, cybersecurity is likely to become the fifth wheel. I identify the following causes:
- Time constraints, no doubt common to any project, make it difficult to establish a completely sound basis.
- Evolution in a software ecosystem where external service providers, whether for financial reasons or because of inexperience, actively discourage or prevent the implementation of best practices.
- A lack of understanding of the risks and stakes on the part of end-users (who also have the last word on everything).
I’ve also learned that the password issue is more fundamental than ever, and that the password managers we usually recommend are not suited to this type of user. I’ll have to look into authentication systems using physical dongles (smart cards) in the future, but there’s no guarantee that they’ll be more widely accepted.
Ultimately, if we can’t change the practices of an entire sector (decision-makers, employees and service providers), we have to rely on defensive technologies. Nevertheless, I insist that security must remain a priority in IS design, because you can’t cover a whole wooden leg with band-aids!
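As an added example that is not part of the interview or of HarfangLab’s material: a PowerShell audit script for a Windows workstation in a practice like the one described. It checks the two weak points raised above, everyday users sitting in the local Administrators group and a minimum password length policy below a chosen floor. The 12-character floor and the expectation that only the built-in Administrator and Domain Admins hold local admin rights are assumptions.

```powershell
# Added audit example (not from the interview). Run in an elevated PowerShell
# session on a Windows 10/11 workstation, workgroup or domain-joined.
# It reports the two gaps described in the interview: everyday users holding
# local administrator rights, and a weak minimum password length policy.

# Assumption: anything below 12 characters is flagged (the interview's compromise was 4).
$MinimumAcceptablePasswordLength = 12

function Get-LocalAdminFindings {
    # Resolve the Administrators group by its well-known SID so the check also
    # works on a French Windows where the group is named "Administrateurs".
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    foreach ($m in $members) {
        $sid = $m.SID.Value
        $isBuiltInAdmin = $sid -like 'S-1-5-21-*-500'   # built-in Administrator (RID 500)
        $isDomainAdmins = $sid -like 'S-1-5-21-*-512'   # Domain Admins (RID 512)
        if (-not ($isBuiltInAdmin -or $isDomainAdmins)) {
            [pscustomobject]@{
                Check  = 'LocalAdministrator'
                Object = $m.Name
                Detail = "Member of local Administrators ($($m.ObjectClass), $($m.PrincipalSource))"
            }
        }
    }
}

function Get-PasswordPolicyFindings {
    # 'net accounts' prints the effective local policy; parse the minimum length line.
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
    $minLength = if ($line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
    if ($minLength -lt $MinimumAcceptablePasswordLength) {
        [pscustomobject]@{
            Check  = 'PasswordPolicy'
            Object = $env:COMPUTERNAME
            Detail = "Minimum password length is $minLength (expected >= $MinimumAcceptablePasswordLength)"
        }
    }
}

$findings = @(Get-LocalAdminFindings) + @(Get-PasswordPolicyFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No findings: no unexpected local administrators, password policy meets the floor.'
} else {
    $findings | Format-Table -AutoSize
}
```

Running it once after the vendor has finished installing, and again after each remote intervention, gives the practice a quick way to see whether the "everyone is admin" assumption described in the interview has crept back in.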