How Defence Construction Canada thwarted a ransomware attack through their cloud migration
Defence Construction Canada (DCC) is a Crown corporation, accountable to Parliament through the Minister of Public Services and Procurement. Created in 1951, it is a construction company that project manages third parties to build, support, and manage our defence capabilities. This involves building nuclear substations, overseeing operations of shipyards, as well as managing airports for the Air Force. DCC employs approximately 1,500 staff members in its Ottawa headquarters and distributed across the country in all the Canadian Forces Bases (CFBs).
At the time of engagement for this project, DCC was an organization at a crossroads. Since its inception, it had been fully responsible for building and maintaining its IT infrastructure. However, as the IT landscape became more complex and security threats became more sophisticated, staying on top of this aspect of the business became more challenging. Technology was evolving so rapidly in its industry that DCC found it difficult to keep up with all the changes and security updates needed to maintain a secure, up-to-date IT environment. DCC wanted to focus solely on its core business, which was the construction and management of defence-related facilities. This would mean delegating IT to a third party with more expertise in the field.
Beyond freeing DCC of the burden of managing its IT infrastructure, outsourcing its data centre would enable the business to thrive in ways it could not before. By taking a more proactive approach, DCC would be better able to anticipate and adjust to the evolving requirements of its business, including Contract Services, Contract Management Services, Environmental Services, Project and Program Management Services, and Real Property Management Services.
DCC’s IT Director, Navpreet Uppal, summed up the challenges that were driving this massive undertaking. “DCC partnered with Compugen on this cloud migration journey to keep up to speed with industry, our client partners, and mitigate the risks of network downtime and Cyber threats. This would prove to be the biggest infrastructure change in the organization’s history.”
The team opted for a hybrid solution in which the majority of the applications would move to Microsoft’s Azure while the main ERP would remain on IBM proprietary hardware in a private cloud. Because the ERP was large and contained critical functions such as payroll, re-platforming it for a public cloud would have been too time-consuming; therefore, its underlying IBM AS/400 system was moved to a private cloud system at the ThinkOn Datacentre. The two clouds were connected via a Microsoft ExpressRoute connection. The scope consisted of moving all other applications, databases, services, and networking from on-premises to an Azure cloud. Compugen engaged Commvault, ThinkOn, Security Resource Group (SRG), and Fortinet as partners in the move and in the added security of the services once moved. Throughout this process, Microsoft Professional Services was engaged to evaluate the designs.
Using the Cloud Migration Decision framework process, Compugen strategically aligned each application within each service definition provided by DCC to one of the three “R” cloud migration options: Rehost (IaaS), Rebuild (PaaS) or Replace (SaaS).
Once this was accomplished, the team then systematically:
• Identified the migration goals
• Gathered DCC’s requirements and constraints
• Filtered out alternatives based on evaluation criteria
• Prioritized the migration goals and matched them with remaining alternatives
• Assessed the provider QoS and interaction cost implications
Project Delivery and Final Outcome
The DCC cloud migration project kicked off in fall 2018 with a series of planning and design workshops that led to a final architecture design. The implementation phase started in the early spring of 2019.
Interestingly, the most significant endorsement for what the team ultimately accomplished came in a most unwelcome fashion. In September 2019, midway through the Microsoft Azure cloud migration, DCC fell victim to a malicious attack that encrypted all of their on-premises servers, routers, switches, files, and computers. The attack temporarily paralyzed the entire corporation coast-to-coast, taking all IT services down.
Immediately, Compugen’s incident command and response teams sprang into action and guided DCC on what steps were needed to restore services. At that point, the team had completed the Commvault implementation just two weeks earlier. This meant that all of the on-premises servers were backed up to Commvault in the cloud. This would prove to be the saving grace for this project.
“The critical piece to all this was that we had completed the backup to Commvault just two weeks prior,” explained Christine Casey, an Ottawa-based Delivery Manager for Compugen. “That enabled us to clean the file that caused the encryption, get rid of it, and restore all their data just as it was before. Had the cloud backup not been in place, they would have had no way of recovering their data.”
“Our cloud journey took a very challenging and unprecedented path as we dealt with a Cyber incident while in the middle of the project,” said Navpreet Uppal, DCC’s IT Director. “The partnership with Compugen provided us the resources, technical expertise, and experienced incident management team to deal with the challenge.”
From September to December 2019, Compugen guided DCC through the necessary steps to securely restore their services. A review of the project scope and the DCC objectives led to a decision that would have implications for everything that followed: the DCC services would be restored only to Microsoft’s Azure rather than back to the original physical premises. This forced the acceleration of the project and significantly changed the design of the solution, the project schedule, and the scope.
The remaining portion of the cloud migration project was then completed in the first few months of 2020.
The ransomware attack also had a ripple effect that could not be seen or appreciated at the time. As a result of the upgraded security protocols, DCC emerged from the project better able to withstand the effects of the global pandemic. Under their old system, they could have provided perhaps 100 staff remote connectivity to the VPN, a requirement to work offsite. The new architecture allows many more staff to connect to the VPN remotely. Amid the stay-at-home orders, DCC had approximately 550 staff a day connected to their VPN. The firewalls were upgraded remotely overnight to handle the new capacity; DCC is reporting no latency, and its users can connect without incident.
As a result of their cloud-based data migration project run in partnership with Compugen, DCC is leaner, more secure, and better suited to adapt to the demands of the modern workspace. By outsourcing their IT support and management, DCC is now able to focus solely on what it does best - the construction and management of defence-related facilities. The new solution proved that their entire organization is more secure than ever before. This was evidenced by the thwarting of a ransomware attack that would have otherwise caused incalculable damage. The enhanced security protocols and firewall capabilities enabled DCC to smoothly transition their staff to a secure remote work environment in the wake of the 2020 pandemic. In the end, this project has directly led to DCC being more agile and secure in 2020 and moving forward.