Kraft Foods Group, Inc.

Agenda
• Introduction
• Poll audience
• Engineering Strategies / Challenges
• Solution Overview – Service Definition
• Identity Management
• Enterprise – Engineering Core Services
• Site – Engineering Core Services
• RDS Core Services
• Why RDS
• Putting the pieces together – Use cases
• Lessons Learned
• Savings
• Next Steps - Server 2012 Enhancements

Introduction
• Doug Hopler – Systems Project Engineer, Kraft Foods Group.
• 1997-current: Kraft Foods
  • IT and Engineering Field services supporting multiple business units and sites
  • System administration – HP-UX, AS400, Windows, SQL Server, Oracle
  • Capital Project Management
• 1992-1997: Anderson Consulting
  • Software – database development
  • Industries included: Transportation (Yellow Freight), Utilities (KPG&E)
• 1984-1992: United States Air Force
  • Logistics / Supply Chain Systems
  • Veteran: 1st Gulf War: Desert Shield / Storm 1990-1991

Audience Poll
• Citrix XenApp
• Term Server, RDS, RDWeb, RemoteApp
• Certificates
• Single Sign-on
• Active Directory

Engineering/Maintenance Strategies
• Enable standardized service delivery model for Wintel hardware and Applications
• Application Lifecycle: N-1,2,3
• Solution must enable migration of existing plant infrastructure and services with little to no impact to productivity / downtime
• Simplified endpoint management for operator and technician devices (thin clients, hosted applications, security)
• Standardized solution to enable entitlement to devices/resources required for support. Maintain appropriate isolation levels Enterprise to IO across the infrastructure

Engineering Environment Overview
• Decentralized management model for Wintel computing devices
• Sites with and without domain services
• Application model shift from proprietary hardware/OS to commercial/open computing model
• Automation applications are latency sensitive. (LAN vs. WAN)
• Need for critical services to continue to function if the plant is offline from the WAN while maintaining need for critical services such as authentication, DNS
• Increasing trend toward N-2/3 is departure from ‘put it in till it breaks’
• Equipment and applications that are only compatible with down level versions of Windows or AD and which would be cost prohibitive to upgrade
• Sites currently have a mix of routable and non-routable networks: routing below firewalls in plants common however many networks do not route outside the local firewall.

Engineering Environment Challenges
• HMI – End User Services
• Windows OS provisioned with system commissioning as part of new process or process reconfiguration. Left pretty much as-is unless there is an application issue that prompts the need for patch (OS or application) or upgrade
• Devices configured to auto login and auto start HMI application
• No single vendor hardware standard
• No standardized / managed image solution / services for hardware
• Less than desirable service level when device failure occurs and requires replacement
• Trend towards use of thin client/embedded OS and hosted applications
• No standardized approach for remote support of the endpoints
• Process gaps for terminated user accounts (contractors, employees)
• Plant floor HMI logon account management

Engineering Environment Challenges (continued)
• Server – Hosting Services
• Windows OS provisioned with system commissioning as part of new process or process reconfiguration. Left pretty much as-is unless there is an application issue that prompts the need for patch (OS or application) or upgrade
• Trend towards virtualization requires additional competencies to support new technology
• No standardized approach for remote support of the endpoints
• Although there are multiple methods to provide remote access the security steps involved to grant access involve different user provisioning activities (user account) and/or the use of standardized single logon to resources (same id (SID) across all sites)

Enterprise Services
• VPN solutions such as Cisco AnyConnect and Citrix infrastructure are at core of remote access
• Ability to launch RemoteApps from within Citrix required publishing XenApp “Desktop”
• Identity and Access Management solution that is highly automated while maintaining appropriate security and controls.
• Key enabler for services such as on-demand “admin” access
• Critical services such as: authentication (AD DS), DNS must be highly available
• WSUS, AV, App patching services must be available to client devices.

Site Services
• Sites have a mix of routable and non-routable networks: routing below firewalls in plants common however many networks do not route outside the local “Engineering” firewall.
• Multiple methods/solutions used to deliver application services to on-site and remote support personnel. Similar building blocks/tools available but no standardized architecture. (RDP to terminal servers most prevalent)
• Automation applications are latency sensitive. (LAN vs. WAN)
• Critical services such as: authentication, DNS, SUS, AV, App patching services must be available to the applications/devices running in the environment described above.

Solution Review
• 2 Primary options were considered
  • Win2k8 R2 RDS/RDWeb/RemoteApp
  • Citrix XenApp 6.5
• Why RDS/RDWeb/RemoteApp
  • Either solution required investment in RDS CALs.
  • XenApp would require additional licensing and server infrastructure
  • XenApp Pros: Larger device / client market via receiver delivery, Logical grouping of applications in Web Interface. Performance/scale economies depending on how implemented
• Putting the pieces together – Server configurations, security
• Implementation
• Support
• Strategies supported

Recommendation: Windows Server 2008 R2 RDWeb / RemoteApp
• No additional licensing needed beyond Server OS and RDS CALs
• SSO can be maintained across session hosts
• Connections and security managed within the Controls domain/environment
• Infrastructure components can be commercialized across sites with only some incremental costs

RDS Core Services

Sample Use Cases
• Site Administrator
• Site Technician
• OEM/Integrator

Site X RDWeb Interface

Site X Administrator Application Entitlements

Site X Technician Application Entitlements

Site X Technician Asset Centre

Site X OEM / Machine Support Application Entitlements

Site X OEM / Machine Support Asset Centre

Lessons Learned
• Use AD groups versus individual logins at local OS level. Manage security at the domain by entitling roles through group membership.
• Create standard naming for groups that meets your business needs.
• Carry this design into your application security model (FTD entitlements based on AD groups).
• Spend time identifying the services, roles and entitlements across your business
  • Who needs access to what?
  • What are the service levels?
  • How will you support different service providers?
• Some services may require outside management (skill sets, core business focus etc)
• Build infrastructure and services and define how those services will be delivered to the different roles in your environment
• Certificate services / PKI infrastructure

Savings
• In the context of savings this discussion falls in categories. Business benefits will likely vary depending on where an organization falls in transformation from manual, decentralized processes for provisioning key security functions. A few of the areas identified during efforts to date include:
• Standardized and automated solution for provisioning user, HMI and administrative accounts
• Standardized and automated solution for entitling administrative accounts to resources such as servers, endpoints
  • Administrative entitlement granted for period of 3 days for lanid for such things as application support

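Added example, not part of the original slides or Kraft's tooling: a Python audit for the group-based entitlement model from Lessons Learned and the 3-day administrative entitlement listed under Savings. The ENG-<SITE>-<ROLE> naming standard, the CONTROLS domain name, the export record formats and every account name are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed naming standard (not from the slides): ENG-<SITE>-<ROLE>,
# with roles mirroring the deck's use cases (administrator, technician, OEM).
GROUP_RE = re.compile(r"^ENG-([A-Z0-9]+)-(ADMIN|TECH|OEM)$")
BUILTIN_OK = {"Administrator", "Domain Admins"}  # expected default entries
ADMIN_TTL = timedelta(days=3)  # 3-day administrative entitlement from the deck


def audit_local_admins(members):
    """Return (account, reason) for entries that bypass the group model."""
    # members: (name, kind) pairs exported from a host's local
    # Administrators group; kind is "User" or "Group" (assumed format).
    findings = []
    for name, kind in members:
        short = name.split("\\")[-1]
        if short in BUILTIN_OK:
            continue
        if kind == "User":
            findings.append((name, "individual login entitled at local OS level"))
        elif not GROUP_RE.match(short):
            findings.append((name, "group name outside the naming standard"))
    return findings


def expired_admin_grants(grants, now):
    """Return lanids whose ADMIN-role membership has outlived ADMIN_TTL."""
    expired = []
    for lanid, group, granted_at in grants:
        m = GROUP_RE.match(group)
        if m and m.group(2) == "ADMIN" and now - granted_at > ADMIN_TTL:
            expired.append(lanid)
    return expired


# Constructed sample data; host, domain and account names are invented.
SAMPLE_MEMBERS = [
    ("SITEX-HMI01\\Administrator", "User"),
    ("CONTROLS\\ENG-SITEX-ADMIN", "Group"),
    ("CONTROLS\\jsmith", "User"),
    ("CONTROLS\\PlantFloorGuys", "Group"),
]
SAMPLE_GRANTS = [
    ("jdoe", "ENG-SITEX-ADMIN", datetime(2024, 3, 1, 8, 0)),
    ("asmith", "ENG-SITEX-ADMIN", datetime(2024, 3, 4, 8, 0)),
    ("oem01", "ENG-SITEX-OEM", datetime(2024, 1, 1, 8, 0)),
]
```

Calling audit_local_admins(SAMPLE_MEMBERS) flags the individual account and the non-standard group, and expired_admin_grants(SAMPLE_GRANTS, now) lists the lanids that should already have been removed from the admin role.
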
Next Steps
• Commercialization efforts to implement core services / infrastructure (Enterprise Engineering Domain and core “standardized” services at sites)
• Server 2012 Enhancements – RDWeb
• RD Gateway
• Certificate Services – crossing Engineering and Enterprise resources (trusted or untrusted)
• High Availability
• Consolidation opportunities