IT Strategy 2009
Draft V1.0 5 November 2009 Chris Rundell
This section provides a summary of the architecture and technologies used to
provide the IT infrastructure. It is divided into the following components:
Office IT Equipment
- Corporate ownership
- Desktop and laptop PCs
- Mobile services
Core Universal Services
- Remote Access
- File storage
- Server architecture
- Geographical Information Systems
- Database technologies
Security and authentication
- Security architecture
- Controlled access to council systems
- Virus protection
- Cambridgeshire Community Network
- Connection to small offices
- Voice over IP
- Government Connect and NHS connection
Web Infrastructure
- Web infrastructure and technologies
- Public access provision
Office IT Equipment
Corporate Ownership of Office IT Equipment
In a change made two years ago, office IT equipment has moved into corporate ownership, supported by centralised budgets.
Office IT equipment includes: desktop and laptop PCs, screens, keyboards and mice, the standard universal software suite (including Outlook and Microsoft Office Standard: Word, Excel, and PowerPoint), remote access (Netilla key fobs), printers, plotters and scanners, and some Multi Functional Devices (MFDs).
This has allowed us to realise a number of benefits:
- Standardisation of workstations in support of WorkWise, flexible
- Reduced support costs due to standardisation – in fact we are
  supporting more workstations with no more resource.
- Purchase of Microsoft desktop licences by Enterprise Agreement, an
  organisation-wide scheme that as well as pricing advantages brings
  additional benefits such as technical and user training, technical
  support and consultancy, at no extra cost.
- Equitable provision of equipment determined by what people need
  rather than local budgets.
- Relieving local budget managers of the responsibility for planning for
- Computers can be left in place when staff move offices, rather than
  being taken with them.
- Better use of equipment by cascading and re-allocating serviceable
Desktop and Laptop Personal Computers
The PC estate consists of approximately 4,500 PCs, of which just under 1,000 are laptop machines, most with integrated Wi-Fi and 3G connectivity. We have standardised on Dell Computers, based on an analysis of whole-life costs, usability and performance. A standard software set is installed on all machines, to make each useable by any user who logs on. Operating system and office automation software is Microsoft-based, supported by a mixture of academic and Enterprise Agreement licensing. A “locked down” configuration is being rolled out which prevents variation from the standard configuration.
Printing
Printing is delivered by a mixture of networked laser printers and Multi-Functional Devices (MFDs), which provide printing, photocopying, fax and scanning from one device. We are in the process of transition from separate devices to corporately owned MFDs which, when used as part of a county-wide print strategy covering what we print as well as how we print it, offer significant savings for the future.
As well as supporting data communications, Cambridgeshire Community Network is used to provide telephone services for an increasing number of staff. Starting in 2006, the authority has been migrating from its existing legacy telephone system to a Voice over IP (VoIP) based solution. The system is based around Avaya Communication Manager technology, and over 2,000 VoIP handsets have currently been rolled out. Users can log in to these anywhere on the network, helping deliver the concept of flexible working and shared workstations.
As well as faxing from MFDs, the VoIP telephone system offers Fax over IP (FoIP), allowing faxes to be sent and received like email from the PC, which will be rolled out in the near future.
Mobile connectivity is becoming increasingly important, and will be crucial to the changes in the way we work in the future. We currently have over 2,500 mobile phone users, and 600 plus BlackBerry Smartphone users who have constant access to their emails and diary, supported by a corporate BlackBerry Enterprise Server which provides the link between wireless devices, the wireless network and the council's other systems, principally email at this stage. Mobile phones and BlackBerries are not currently included in the corporate ownership with other office IT, but we will promote discussion with a view to considering these as part of the overall eligibility-based allocation of equipment to users.
All laptops are or can be enabled for connection to our own wireless “hot-spots” and as a guest to other wireless services.
Core Universal IT Services
Universal systems (those available to all users) are delivered using tried and trusted technologies, for best performance and reliability at low cost.
Email
Email is a core system for all users. Our email system processes 4 million emails each year, of which 3.2 million are spam, filtered out by our security systems.
The core system is MS Exchange 2003 complemented by Microsoft Outlook on PCs.
To manage the large amount of emails that we build up, we have implemented an email archive system which automatically copies email to a secure repository which stores them more efficiently, while leaving them accessible and searchable from Outlook. We use KVS Enterprise Vault as the product for this.
Remote access has been one of the success stories of the previous strategy lifetime. Providing secure access to applications has allowed staff and members to use systems from home, or anywhere else with Internet access. It has also been the mechanism by which we have made county council systems available to partners, and to NHS staff in the integrated adult social care teams.
The level of take-up has brought its own challenges, around capacity, compatibility with users' home environments, and the range of applications available. We have responded to this through increasing capacity, training and advice, and making sure that new and upgraded systems are available remotely. Building on and extending remote access services will be a key part of the strategy going forward.
The technology platform for remote access is:
- Entrust for authentication (confirming that the user is authorised to
  access county council systems), with Vasco and Entrust key fobs.
- Netilla as the secure gateway to the desktop screen and applications.
- Microsoft Windows Terminal Services (WTS) and Citrix to make
  server-based applications available to thin clients (Internet browsers).
File Storage
Vast quantities of data are held securely on 250 individual databases; in total we have the capacity to hold 30 terabytes (30 times 1,000 gigabytes) of information using a Storage Area Network (SAN). We are in the process of upgrading our end-of-life SAN to a NetApp vFiler model, which takes advantage of developments that have occurred in the interim to hold data more efficiently and includes service and backup advantages. A regime of archiving and backups makes this data safe and secure, including off-site storage of backup tapes.
Servers are the computers that run applications and store data, which are then distributed over the network. We have 220 servers, most of them located in a secure computer room in the Octagon building in Cambridge. As well as data storage and universal office applications, these servers provide the platform for some 30 service-specific business applications. Where possible we are moving to “virtual” servers. These reduce space, power consumption and materials by sharing common components, as well as being more efficient to set up and manage. 70 of our 220 servers are now virtual.
Our server hardware is provided by Hewlett Packard. The virtual environment is based on the VMware ESX platform. Server operating systems are mainly Windows 2003; specific applications run on UNIX and other platforms where required by the application.
Geographical Information Systems (GIS) and mapping
CCC has been using GIS solutions since the late 1980s. Background maps are supplied by Ordnance Survey in electronic format under a national arrangement, the Mapping Services Agreement (MSA). Data can then be manipulated by GIS systems which use these underlying maps to display information in a meaningful way.
The principal GIS systems in use are:
- Desktop mapping/GIS, for which Pitney Bowes MapInfo is the
  corporate standard tool;
- Intranet mapping, for which PlanWeb is used;
- Internet mapping, for which MapPortal/PlanAccess is used.
Other more specialist GIS systems in use are:
- AutoCAD, AutoCAD map - in Property, and Traffic Accidents for
- Accession - DfT prescribed system for access to public transport data;
- Insight Mapping – part of the Insight Highways Asset Management
- Cloud Amber - Urban Traffic Management and Control system.
Essentially any data with a locational reference can be mapped. As well as electronic maps, the MSA provides us with: address, spot height, contour, and terrain data. We also have available to us: aerial photography, geological data, scanned historic maps, extracts from national reference datasets such as Sites of Special Scientific Interest, and a significant quantity of locally generated data from many services across the authority.
The requirement for address information is common to a number of business areas, including the Contact Centre, One and Swift social care systems, and the Planning service Acolaid system. Most use the National Land and Property Gazetteer (NLPG), some use other sources such as OS AddressPoint; all update their data independently. There is clearly room for a strategic address database which can be drawn on by all applications. We also provide mapping and data to contractors commissioned by the council, on a zero cost licence basis.
Partnership working relies increasingly on data sharing; current examples include county and district defined planning constraints: green belt, conservation areas and rights of way. There is potential to both improve effectiveness, by sharing more relevant data, and reduce cost, through economies of scale. To explore this, a proof of concept solution with Cambridge City and South Cambridgeshire (the Cambridgeshire GIS Partnership) is under way, with a shared data repository being hosted by SCDC and accessed by the other partners.
Databases are in widespread use, and this is an area where standardisation is particularly important, as we cannot sustain the cost of development and administration tools for multiple databases. We therefore focus on Microsoft SQL Server and its cousin Microsoft SQL Server Desktop Engine (MSDE) for internal developments, and maintain Oracle database administration resources for the large business systems such as SWIFT that are based on Oracle.
There are a number of older databases using Microsoft Access technology. Some of these have been written and supported internally, and some by external providers, and their use ranges from small personal productivity tools to systems that are mission-critical to their business unit. Because of their vulnerability, inability to share information with other systems, and as part of the rationalisation of technical skills, we no longer develop or support these databases internally, and are phasing them out.
Security and Authentication
IT Security architecture
A robust security architecture has been built to satisfy the multiple requirements of sharing systems with trusted partners, information with the public, and the necessary privacy of internal council systems. The network topology employed uses a three zone architecture to allow controlled sharing and provide secure areas for sensitive systems. Other features include:
- virus and spam protection for traffic entering the architecture
- strong authentication of remote users, requiring user name, password
  and key fob code.
- filtering of all PC Internet access to identify and block use of unsuitable
Controlled access to council systems
To connect to the council's network, either remotely or at a PC in a council office, a network user name and password are required. Once logged on, Microsoft Active Directory (AD) is used to manage access rights to the files and systems on the network (with the exception of some specific systems, such as our social care systems, which require their own passwords and access rights). Requests for changes to access rights are made to the Business Support Helpdesk, who require line management authority before making any changes.
An internal Domain Naming Service (DNS) is used to translate individual or group domains into machine addresses which allow the connections to be made. Dynamic Host Configuration Protocol (DHCP) and servers are used to automatically allocate network parameters to devices when they are connected to the network.
There are multiple external malicious software (malware) threats, which can come from email, internet sites and removable memory media, including viruses, worms, Trojan horses, rootkits, spyware, dishonest adware, and crimeware. These are constantly evolving. To combat these we use, in line with best practice, a combination of anti-virus products, with subscriptions that provide regular updates to anticipate and combat new threats as they develop.
The technology products in use are McAfee on servers and PCs, Antigen for the email service, and Forefront on servers. We will soon be updating to AVG on desktops, which will enhance risk management by increasing the “spread” of products, as well as offering other technical and cost advantages.
Almost all IT systems now rely on communication with others, so the computer network has become an essential part of the IT infrastructure upon which everything else depends. The network also provides connection to our partners, and to the Internet.
Cambridgeshire Community Network (CCN)
CCN is a PFI-funded outsourced network service, delivered by NTL Telewest. Its component parts are:
- The Wide Area Network (WAN). A Gigabit core connects main hub sites,
  with dedicated links of 2Mbit/s to 100Mbit/s linking 500 other remote sites.
- The Local Area Network (LAN). This provides the network connectivity
  within buildings, and is based on switched Ethernet technology. NTL
  subcontract support of LANs to Serco. As well as conventional hard wired
  network connection points, the service is now being extended to deliver
  wireless access, which is currently available to county council and guest
  laptop users in Noble House, Ely; Sackville House, Cambourne; Scott
  House, Huntingdon; Hereward Hall, March; and a number of buildings on
  the Shire Hall Site.
- Internet connection. This carries all of our outgoing and incoming Internet
  traffic via a web security gateway, Websense, and firewall. Websense
  allows web filtering and blocking of particular sites or categories of sites,
  and provides alerts of attempts to access unauthorised sites. The firewall
  only allows authorised communication types to pass to and from the
Connections to small offices
For some small offices with a small number of users, the costs of a CCN link cannot be justified. In this case either broadband or IP Virtual Private Network (IPVPN) technologies are used to provide a connection.
Voice over IP (VoIP)
VoIP technology is allowing us to use the data network to provide telephone services, reducing cost and increasing flexibility by allowing users to log into their telephone anywhere on the network. Future benefits will be: using Outlook to manage all types of message; seeing the availability of colleagues so that you can choose the most efficient way to contact them; audio and video conferencing with web-based application sharing; instant messaging without the need for email; and mobile phone integration.
Government Connect and NHS connection
Our network also provides connection to Government Connect. This is a pan-government programme providing an accredited and secure network between central government, the NHS and every local authority in England and Wales. The network is known as GCSX (Government Connect Secure Extranet). GCSX is part of the wider Government Secure Intranet (GSi). The services that are available over GCSX include secure email, and secure access to government departments' databases and services.
Government Connect will also give us the ability to exchange sensitive data with the NHS securely, and is in addition to the N3 link we have to the NHS network.
Both the NHS N3 and Government Connect require the implementation of strict technical, policy and procedural standards to ensure the security of everyone on the wider network. We have made the necessary changes to accommodate these, the requirement to move to more complex passwords being an example.
Web server Infrastructure and technologies
Web technology is now used extensively to deliver services, both externally over the Internet, and internally using the intranet (CamWeb). Since this is a common technology, a common platform is used, distributed within the security architecture to offer access to users while maintaining security. The web platform is based on Microsoft technology.
Microsoft Content Management System (CMS) is used to manage and publish the large number of pages, and allows the information owners within the council to publish and edit their own content without the need to refer to specialist IT staff.
Microsoft Commerce Server adds transactional functionality, with online credit card payment handling being delivered by the NetBanx service. Electronic forms (eForms) and the associated processes are created using NonStopGov.
Microsoft Office SharePoint Server (MOSS) has recently been added and allows greater flexibility in the way the information is organised and presented, so that what appear to be separate sites can be created for particular applications, linked to collaboration workspaces for teams, integrated with other Microsoft applications and drawing on other types of information stores within the authority.
The data is held on Microsoft SQL Server databases. GIS web mapping applications and data are held on a Windows server (see the separate GIS Section of this document for more detail).
Secure delivery of the sites to the relevant audiences is provided by linked Microsoft Internet Security and Acceleration (ISA) Servers within the appropriate security zones. Traffic through these is optimised and load balanced by Zeus Extensible Traffic Manager (ZXTM).
There are some older applications in use which are based on Lotus Notes and Adobe ColdFusion. These are no longer part of the council's strategic product set and are being phased out of use.
Public access provision
Public access to computer facilities, including the Internet, is provided in libraries, CCN community access points and Connexions offices. A specific public access configuration is used on these PCs to provide the facilities people need, while at the same time safeguarding against misuse and security threats.