Agenda item

            (Ms. R. Crozier, Head of ISB, attended in connection with this item.)

 

            The Committee noted a report which provided an update on performance and the resilience of the Council’s IT infrastructure.  A copy of the report is set out hereunder:

 

“Relevant Background Information

 

      At April’s Strategic Policy and Resources Committee Elected Members raised the issue of performance and resilience of the Council’s internet service. This was raised in the context of the Council’s website development and the proposed addition of on-line transactions enabling the public to use Council services via the internet.

 

      In the past two years ISB has worked with the Council’s Audit, Governance and Risk services and undergone a series of risk assessments for business continuity and information security.  Recommendations from these assessments have been incorporated into the business plan of the service and delivery monitored through periodic reviews of the risk registers.

 

      This report outlines the current infrastructure in place and developments to assure performance. Access to internet is dealt with specifically at point 3 but it is important to note that all components of the infrastructure are important and each has an impact on the other.

Key Issues

 

      The key issues in providing infrastructure services are:

 

1.   Availability and accuracy of information

2.   Internal network connectivity

3.   External connectivity and information security.

 

      As demand for internet services increases and the Council changes ways of working and ways of delivering services, it is critical that we have a robust infrastructure to support these needs.

 

      The following points summarise the position in relation to infrastructure services.

 

      1. Information Availability

 

      The Council’s PCs and servers are connected to the council’s network enabling access to documents, email and information held on databases.

 

 

Fig.1

 

      The above diagram show servers that hold information connected to the council network thus allowing access from PCs connected to the same council network. Access to the network is controlled by username and password.

 

      Servers storing data

 

      Most servers are hosted at ISB’s site in Gloucester St, but servers that hold critical information to users such as documents and email are duplicated at the council’s Duncrue Complex site. ISB commissioned a 2^nd server room at Duncrue in 2007 and both rooms have their own emergency power supply, are secure, and  have air-conditioning and fire protection systems. All data held on those servers in ISB deemed critical is automatically duplicated in real time at the 2^nd site in Duncrue. These servers currently include those that store data for the following services:

 

Documents in secure file shares,

Email

 

      There is currently an active project implementing data duplication for Financial systems.

 

      All of the data on all servers is backed up every night onto magnetic tape, held temporarily at ISB in a fire-proof cabinet, and periodically moved to an off-site location.

 

      Servers delivering data

 

      Modern technology and industry best practice requires the separation of servers that store data, called data servers and servers that actually deliver that data to users, called application servers.

 

      At present, the application servers that deliver documents and email services to users are duplicated at ISB and Duncrue. If there are problems with any of the servers in ISB, then their counterparts in Duncrue can be quickly brought into service. There is currently an active project implementing duplication of the financial systems application servers.

 

      ISB are currently working with the Council’s Audit, Governance and Risk service to ascertain what other duplication of application and data servers is required and the priority of work.

 

      2. Network Resilience

 

      BelfastCity council staff are distributed across a number of sites around the city. The council network has been designed in order to provide connectivity between all sites in such a way as to be totally transparent to the user.

 

Fig.2

 

 

      Key sites are connected together using fibre-optic technology mainly provided by BT. All key sites’ connections have a capacity in excess of that required by normal working activity and also any periodic peaks in activity.

 

      In addition to this, redundant links are used as a contingent against the failure of a link or of equipment at a key site. In effect, all key sites are triangulated so that a failure of one link or site will not result in the loss of network services.

 

      The diagram shows the links between the key council sites and also indicates that there are alternative routes available should any link or site become unavailable.

 

      This design is under constant review and more links will be added to the network as required.

 

      3. External connectivity

 

      Users connected to the council’s network may also use internet-based services such as email and web page browsing.

 

      There is also a requirement for users to connect to the council’s network from locations that are not part of the council estate (for example from home).

 

 

      Any external connection to outside the council’s network must be made secure against viruses, malware and other attacks. ISB have installed a secure and resilient web architecture that is shown above in simplified terms for clarity.

 

      Entrance to the council network is granted only when authenticated as a council user and also by being granted access by a 2 layer firewall.

 

      Each layer in the firewall is duplicated for resilience purposes; the 2^nd firewall becoming active when the primary firewall fails for some reason.

 

      The firewall at each layer is also of a complementary type of technology and built by different manufacturers as per industry best practice.

 

      Home users with their own broadband connection can use the council’s virtual private network (VPN) that is a fast, secure, encrypted connection via the internet from a PC outside the council network through the secure web connection (including the 2 layers of firewall) onto the council network.

 

      Some other home users use an older method of connection called BT Central. This is a BT managed service that gives a secure encrypted connection via the internet and BT’s own network from a PC outside the council network onto the council network. BT supplies a trusted connection onto our network and BT manages the security of that.

 

      4. Infrastructure  performance

 

      Access to information and network resilience elements (points 1 and 2) of the Council’s infrastructure are very robust because of the Council’s investment over a number of years.

 

      External connectivity (point 3) does have considerable capacity with contingency for failure built in. The web sites hosted by the council at the ISB site in Gloucester St. currently receive on average 50,000-80,000 hits per day.  However the infrastructure is capable of handling much more than that. One example is the recent Billy Connelly concert ticket sales when the number of hits received that day was over 436,000.

 

      It has been the case though in recent months where problems have occurred with the inner layer of the firewall. This piece of equipment is reaching the end of its life and has on occasions failed and the secondary firewall has failed to start operating in this instance.  The result of this is that all network traffic to and from the internet is blocked – effectively blocking all web page access and emails to users connected to the council network either in council premises or at home.

 

      ISB are currently selecting a replacement firewall. The timescale for implementing the new equipment is June 2008. In the meantime, ISB are operating an out of hours service where a telephone support service is manned 9:00am-9:00pm. If there is a problem with internet access ISB staff will correct the failure in the inner firewall which will restore internet and email access.

 

      It is planned to continue this service even after the new firewall is in place and ISB are working with Business Improvement to introduce a more formal provision for staff out of hours cover in expectation of an increased demand for out of hours support for a growing number of services such as on-line transactional services.

 

      ISB will bring forward periodic reports on infrastructure performance.

 

      Planned improvements to the web infrastructure

 

      ISB management are assessing the costs and benefits of having a 2^nd connection to the internet (called a point of presence or POP) based at the 2^nd server site at the Duncrue complex. The main reason for having a 2^nd internet connection at Duncrue is to have a contingency for external access to the internet (and thus backup web page, email and VPN services) in the instance of the Gloucester St site being lost for any reason. While the prime reason for having a second POP is for providing greater resilience, it will also allow the spreading of web traffic across the 2 connections delivering greater performance and enabling the council’s web sites to handle even greater volumes of traffic it currently experiences.

 

Recommendations

 

      Members are requested to:

 

      Note the contents of the report.”