
Cloud Readiness Assessment Sample Report
prepared by: Akins

Executive Summary

Akins IT was commissioned to assess Cloud Readiness posture and cost analytics based on two prediction models for client. This assessment presents an exercise to refine the prediction models based on experience, additional recommendations and ancillary solutions.

We focus on the impact to Users, Applications, Data and Infrastructure to facilitate the cloud journey. In the analysis that follows, we look at Azure as the cloud platform and the Microsoft ecosystem for security and modern workplace frameworks. This document serves to identify current system, network and server topology at client and road maps the digital transformation story.

Strategically, we review the three main options ahead of us: move the Data Center gear to Beverly Hills, do nothing, or move to Azure as the central operations arena.

We recommend replacing the current Irvine Data Center with operations moved entirely to Azure.

Not only is there fiscal justification, but we benefit from the scalability, agility, disaster recovery and security posture offered by the Microsoft cloud.

Page|2

We also recommend pursuing Software as a Service [SaaS] based solutions with the long term goal being serverless infrastructure.

INFRASTRUCTURE

Business Site Topology

Current: Data Center in Irvine, HQ in Beverly Hills and a Branch Site in Orange County.


Proposed: Data Center in Azure, HQ in Beverly Hills and a Branch Site in Orange County. Recommended network topology referenced below.


Business Network Topology

Current: The overall client network consists of a modified hub and spoke topology. The Datacenter serves as the central “hub” network with full mesh connectivity between the Irvine and Beverly Hills sites. Direct connectivity between Beverly Hills and the Datacenter is provided by a primary MPLS circuit with multiple failover circuits. Irvine networks connect over an IPSEC tunnel via a cable internet circuit.


Proposed: The Datacenter networks will be decommissioned. Core topology type will continue to operate in a full-mesh “Hub and Spoke” network while the MPLS will be removed.

Network Services – DHCP / DNS

DHCP services allow network connectivity by leasing IP addresses to endpoints and other infrastructure. Because DHCP is a multicast protocol, it is not recommended to run DHCP services over an IPSEC or VPN tunnel. DNS entries are nameservers that allow translation of an IP address to a hostname.

Current: DHCP is contained at each location. A DHCP server administers IP addresses at the Datacenter and Beverly Hills locations. The firewall/switch at the Irvine location handles DHCP services. DNS entries are based on internal DNS servers with a tertiary “outside” option for failover.

Proposed: DHCP services will largely remain the same at each location. The Beverly Hills DHCP server will continue handing out DHCP and DNS entries. Similarly, the Irvine location will continue to use the firewall/switch for DNS/DHCP.

VPN Connectivity – Endpoints

Current: Presently, the Barracuda firewall(s) located at the datacenter act as the VPN termination point for endpoints. Once connected, endpoints have access into all datacenter resources as well as access to the Beverly Hills networks. Endpoints have the Barracuda VPN client installed and establish VPN links via a non-proprietary IPSEC tunnel.


Proposed: VPN termination will be moved directly into the Azure cloud. Through software defined routing, endpoints will connect directly into a termination point located at the virtual network edge. The client will have access into all Azure resources as well as the Beverly Hills networks. The changes in network access will be transparent to the end user and have no front-end impact.

VPN Connectivity Between Sites

Current: Site-to-site IPSEC VPN tunnels are connected between the Datacenter, Beverly Hills location, and Irvine location. This is referred to as a full mesh topology. All resources are accessible between each site. Additionally, failover is configured between sites should the primary transport connection (MPLS) go down between the Beverly Hills and Datacenter networks.

Proposed: Multiple site-to-site IPSEC tunnels will be created between the Azure cloud networks and the Irvine and Beverly Hills locations. Failover will still exist between Beverly Hills and Azure by making use of the failover internet circuits at this location. A full-mesh topology will still exist after the datacenter networks are decommissioned.

VPN Client Configuration

Current: Clients access resources with the Barracuda IPSEC client. All networks between the Irvine, Datacenter, and Beverly Hills locations are accessible with this client.

Proposed: Client VPN access will be modified to terminate directly into the Azure cloud while maintaining routes back to the Irvine and Beverly Hills networks.

ISP Services

Current: There are several transport circuits existing amongst the different sites. The Beverly Hills branch has three separate internet circuits for redundancy and failover. Resources are primarily accessed via an MPLS connection between the Beverly Hills networks and the Datacenter networks. Failover is done via an IPSEC tunnel that self-establishes during an MPLS failure. The Irvine location has a single internet circuit.

Proposed: The MPLS will be decommissioned since a direct connection to an on-premise datacenter is not needed in a cloud environment. Failover will still exist with multiple internet connections from Beverly Hills to the Azure cloud networks.

Azure Bandwidth Test

Latency is typically calculated as the delay in time to request data from a website, application, or other network-based service. While bandwidth is the calculation of overall speed of a transport circuit, latency is based on the delay of data requests through the transport circuit. In real-world tests, “acceptable” latency is typically anything <100ms. Latency >100ms will begin to present noticeable issues with responsiveness on endpoints. An Azure bandwidth test was conducted to determine overall latency to major Microsoft datacenters. This will typify the actual latency experienced when connecting to resources over the public cloud.
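As an added illustration of the bandwidth test described above (example code written for this edit, not part of the Akins report or of any tool it names), the script below measures round-trip latency to a set of hosts and applies this section's <100ms criterion. It times TCP handshakes on port 443 rather than ICMP pings, which cloud edges frequently filter, reports the average together with the 95th percentile so that tail latency is not hidden behind a good average, and ranks the candidate regions that pass. The host names passed on the command line, the port, and the timings in CONSTRUCTED_SAMPLES are assumptions made for this example; the embedded timings are constructed to resemble the averages quoted in this section, not taken from the assessment.

```python
import socket
import statistics
import sys
import time

# Threshold used in this assessment: sub-100 ms round trips are treated as
# acceptable for interactive use; above that, users notice sluggishness.
ACCEPTABLE_MS = 100.0


def tcp_connect_latency_ms(host: str, port: int = 443, timeout: float = 3.0) -> float:
    """Time one TCP handshake to host:port and return it in milliseconds.

    A TCP connect is measured instead of an ICMP ping because ICMP is often
    rate-limited or filtered at cloud edges, while TCP/443 is reachable on
    practically every public endpoint and follows the same path as real traffic.
    """
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout):
        pass  # handshake completed; the socket is closed on exit
    return (time.perf_counter() - start) * 1000.0


def sample_latency(host: str, port: int = 443, count: int = 10, pause_s: float = 0.2) -> list:
    """Collect `count` handshake timings, pausing between them so a burst of
    SYNs is not mistaken for a port scan by the far end."""
    samples = []
    for _ in range(count):
        samples.append(tcp_connect_latency_ms(host, port))
        time.sleep(pause_s)
    return samples


def summarize(samples_ms: list, threshold_ms: float = ACCEPTABLE_MS) -> dict:
    """Reduce raw timings to the figures a readiness report quotes.

    The average alone hides tail latency, so the nearest-rank 95th percentile
    is reported too, and both must stay under the threshold to pass.
    """
    if not samples_ms:
        raise ValueError("at least one sample is required")
    ordered = sorted(samples_ms)
    p95_index = max(0, int(round(0.95 * len(ordered))) - 1)
    average = statistics.mean(samples_ms)
    p95 = ordered[p95_index]
    return {
        "avg_ms": round(average, 1),
        "p95_ms": round(p95, 1),
        "max_ms": round(ordered[-1], 1),
        "acceptable": average < threshold_ms and p95 < threshold_ms,
    }


def rank_regions(samples_by_region: dict, threshold_ms: float = ACCEPTABLE_MS) -> list:
    """Return the regions that meet the threshold, best average first;
    a region that fails the threshold is dropped from the candidate list."""
    stats = {name: summarize(s, threshold_ms) for name, s in samples_by_region.items()}
    acceptable = [name for name, st in stats.items() if st["acceptable"]]
    return sorted(acceptable, key=lambda name: stats[name]["avg_ms"])


# Constructed sample timings (not measurements from the assessment): a near
# region, a second-choice region, and one that would fail the threshold.
CONSTRUCTED_SAMPLES = {
    "West US": [28.0, 30.0, 29.0, 31.0, 27.0],
    "West US 2": [50.0, 54.0, 52.0, 51.0, 53.0],
    "Far region (constructed)": [110.0, 120.0, 115.0, 118.0, 112.0],
}


if __name__ == "__main__":
    # Live mode: python latency_check.py host1:443 host2:443 ...
    # Without arguments the constructed samples are summarized instead.
    if len(sys.argv) > 1:
        data = {}
        for target in sys.argv[1:]:
            host, _, port = target.partition(":")
            data[target] = sample_latency(host, int(port or 443))
    else:
        data = CONSTRUCTED_SAMPLES
    for name, samples in data.items():
        print(name, summarize(samples))
    print("candidate regions in preference order:", rank_regions(data))
```

Run it from each site (Beverly Hills and Irvine) rather than once, since the branch with the single internet circuit may see a different path; a region is only a candidate if it passes from every site that will depend on it.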

In the diagram above, average latency from the on-premise networks to the West US and West US 2 datacenters is 29ms and 52ms, respectively. This falls within the acceptable limit of latency. West US would be our primary data center.

Azure Cost Analysis: Hardware Pay-As-You-Go and Workload Pay-As-You-Go

Infrastructure Overview

Utilizing data collected over a month of activity, Akins IT evaluated your current infrastructure. The data that was uncovered and your savings potential are found below:

Total Nodes                          18
Total Disk                           28
Total Bytes/month (GB)               1.6k
Hardware – Pay as you go             $XXX
Workload – Pay as you go             $XXX
Refined Workload – Pay as you go     $XXX


Refined Workload Details & Server Exclusions

Server Exclusions

We omit the DC’s since only a primary and secondary DC in Azure is needed. A primary is currently already running, meaning only one additional DC is needed to be brought to the Azure space. The two extra DC’s currently running at the data center can be decommissioned.

File Servers are also not shown as part of the Azure shift. The data hosted on the File Servers has cloud-based homes in OneDrive for personal data, and SharePoint for co-op data. This is reflected in our road map found at the conclusion of this document.

Finally, the former iManage servers are not included in the migration effort and we recommend data archival and decommissioning of these workloads.

Approach

Akins IT used BitTitan, which analyzes your workload and projects it as an Azure environment. The platform provides workload mapping to Azure across a number of pricing plans. Below is a set of these plans created from the data set collected.

Hardware Mapping

This is a like-to-like mapping of the system configurations to an equivalent Azure instance and storage size. This mapping is based on system hardware specifications (e.g. number of CPUs, CPU speed, assigned memory, disk size, etc.). This does not take actual workload or usage into account. TCO is estimated based on this configuration.

Workload Mapping

This mapping takes the system configurations into account and incorporates actual workload and usage characteristics. That data is then projected to an Azure environment. Mapping of instance sizes, storage, and network demand is provided and the TCO is estimated based on the suggested configuration. Some of the parameters considered when constructing your optimal plan include: peak CPU usage, disk occupancy, peak disk usage, peak network usage, unused compute or storage resources, and disk IOPS and usage patterns.

Pricing Plans

Pay-as-you-go pricing plans utilize Azure's hourly rates, which require no up-front spending. Optimal pricing plans take the usage hours of each machine and compute the recommendation that is most cost efficient.

Total Cost of Ownership Overview

Azure offers Pay-as-you-go pricing plans. The following analysis includes hardware and workload mappings for Pay-as-you-go pricing plans, and optimal pricing scenarios. To determine your optimal mapping, BitTitan looks at three categories of workload optimization: Compute, Storage, and Network.

                          Compute   Storage   Network   Total
Hardware: Pay as you go   $XXX      $XXX      $XXX      $XXX
Workload: Pay as you go   $XXX      $XXX      $XXX      $XXX

Hardware: Pay-as-you-go

This table presents the estimated annual cost of running your current data center machines with a baseline mapping of equivalent Azure instances using the Pay-as-you-go pricing plan.

Workload: Pay-as-you-go

Using the information gathered during the assessment process, BitTitan determined optimized instance sizes that meet the workload and usage requirements. In this table, we show the estimated annual cost of running these optimized instances using the Pay-as-you-go pricing plan.

Data Center   Instances   Est. Annual Compute Cost   Disks   Storage (GB)   Est. Annual Storage Cost   Est. Annual Storage IO Cost   Est. Annual Network IO Cost   Cost by Data Center
RF-ZAYO       18          $XXX                       28      15,122         $XXX                       $XXX                          $XXX                          $XXX
Total         18          $XXX                       28      15,122         $XXX                       $XXX                          $XXX                          $XXX


USERS

Active Directory Topology Readiness

The identity practice will not change since we maintain dependency on local AD for application authentication. The user login experience will not be affected at the workstation / laptop level. As we move forward, devices should be joined to Azure AD, or hybrid joined to Azure AD at a minimum.

This would allow the build out of Active Directory based controls leveraging InTune policy for advanced security and Conditional Access controls.

Active Directory Integrations

Executing an EMS project and initiative for identity unification across all applications is already a business objective. We have kicked off integrations with iManage running in the cloud. Please refer to the identity model diagrammed below.

The vision is for users to launch ALL business applications from the myapps portal shown below.

https://myapps.microsoft.com


User Experience Review

The user experience when working remotely will be adjusted such that VPN terminates directly in Azure (where the applications live) to provide the best connectivity experience. VPN remains a requirement for ProLaw and Concordance specifically, and for access to the File Server if OneDrive and SharePoint are not adopted.

Building on the OneDrive implementation, this would also allow the use of Group Policy to enforce the use of OneDrive as the Desktop and My Documents local folders to avoid data loss when a device is lost, stolen, broken or corrupted. A user would be able to log in to any domain joined computer and achieve a similar data access experience.


File Locations

U drive folders → OneDrive
Z drive folders → SharePoint Libraries
IT Shares → SharePoint Libraries

Collaboration Capability Review

SharePoint and OneDrive both support real-time document collaboration in the form of co-authoring. Changes are automatically versioned and are restorable. This is not possible with data stored on a traditional file server.


Personal Data Storage

Current: Users' personal drives are located on RF-FS02. The share contains 580GB worth of data.

Proposed: The files will be migrated to OneDrive for Business and users will have a 1TB storage capacity. The necessity to access files over a VPN will be eliminated and security will be improved with the use of EMS licensing. Files can also be accessed on the go through a web browser or a user's respective mobile app.

DATA

File Sharing Platform Review

Current: File sharing is limited when using email due to limited attachment sizes, or when attempting to access the same file on a file server. Collaboration is also limited because users must take turns checking out a file.

Proposed: OneDrive sharing allows users to bypass the sharing limits of traditional email. Multiple users accessing Office files through OneDrive or SharePoint can collaborate instantly, and changes are synced live. When attaching files, users are presented with the option to attach a shareable link for collaboration with co-workers, a viewable link for users outside their organization, or simply a copy of the file.

File Security and Rights Management Capabilities

Current: NTFS permissions on the on-premise file server.

Proposed: With EMS Licensing and Azure Information Protection, labels can be applied to sensitive data and emails within the company, allowing encryption and expiration to be added as a layer of security. Rights Management Services is the technology that Azure Information Protection is built on top of. Templates can be constructed to satisfy different departments and layers of security within the organization. These changes can also be made as needed. Documents can also be automatically protected based on the type of data that Azure Information Protection detects, such as Personal, Financial or HIPAA related. With Azure Information Protection, your data is protected no matter which device it is being accessed from.


There is additional integration between Office 365 Email and RMS: the ability to encrypt outgoing emails and mark them as not forwardable. This integration with RMS allows emails to be protected with assurance that recipients can access them from any device or mail service. Here is how it would look for a Gmail user receiving an encrypted email:

Tracking and Revocation Capabilities / Information Protection

Current: There is currently no option to track and revoke files in the current file server infrastructure.

Proposed: Once a file is labeled and protected, users and administrators can track the document to see when and from where it is being accessed. If the document appears to be mishandled, it can also be revoked.


Security Considerations

Current: Today we cannot prevent data theft or loss, whether by malicious intent or otherwise. Nor can we detect which applications our users are using while on our business networks.

Proposed: With EMS Licensing and Cloud App Security, the ability to identify cloud apps that are present on the network becomes available. With Cloud App Security, the designated administrators can monitor risks within their network and Office 365 suite. SharePoint and OneDrive can be monitored for ransomware. Cloud App Security also assists with data loss prevention and with taking steps towards getting your data compliant with and adherent to regulations.

Disaster Recovery & Availability Options

Current: On-premise Barracuda backup, discussed in detail below.

Proposed: All SharePoint files, including personal OneDrive folders, are automatically stored in the cloud in addition to being cached on the local machine, adding a form of redundancy. In the case of a ransomware attack or file corruption, OneDrive Files Restore also allows users to roll back their entire OneDrive or specific files to a specific point in time.


APPLICATIONS

Applications & Data

Client is commendably moving towards SaaS applications hosted in the Cloud Environment, as we have seen with the recent Worksite iManage migration. Current on-prem applications requiring Azure Infrastructure are Active Directory, ProLaw and Concordance.

An important decision will be to assess whether the existing File Servers need to be migrated in addition to exploring the requirement for the retired iManage servers. Another discussion point is the continued use of the Accounting systems, currently used to run reports against ProLaw.

LOB Application Review

Current workloads can be separated into five main categories:

Active Directory – Identity and Access Management:

ProLaw:

Concordance & Components:

iManage – Legacy Servers:

File Servers:

Each of these applications has a migration path to SaaS based offerings within the recommendations documented at the conclusion of this assessment.

Serverless as a Future

Assuming:

1. Active Directory, with 100% Windows 10 adoption, could move to the Azure AD only model, where we replace GPO with InTune controls.
2. ProLaw is replaced with a cloud counterpart, or the same solution as a SaaS offering.
3. Concordance is replaced with a cloud counterpart, or the same solution as a SaaS offering.
4. File Servers and Data are migrated to OneDrive and SharePoint as described above.
5. iManage servers are decommissioned before requiring lift and shift to Azure.

Serverless architecture is not a dream, it is very much on the road map!


Security, Insights and Governance

Inheriting Azure infrastructure and Data Centers provides the tools and controls we need to achieve any compliance the firm wishes to attain, whether through its own volition or to satisfy a client requirement. Role Based Access Control and full auditing and insights are huge pluses of the cloud ecosystem.

Disaster Recovery & Availability Options

Currently, Disaster Recovery is a factor of days – we do have a copy of all server images offsite in Barracuda’s cloud, but the environment is not usable from a business continuity perspective.


Barracuda Backup expected cost is 22K per year, offsetting, on its own, 75% of the entire run time cost of Azure. Azure would offer a much-reduced Recovery Time Objective [RTO]. We could restore corrupt servers in hours, versus waiting for a hydrated unit and also having to purchase on-premise hardware in order to initiate a restore. In addition, with availability design, we could fail over servers to sister instances at an increased cost. Azure provides the tools to achieve the uptime we wish to achieve.

Azure Automation

During the first few months of usage, Azure runtime data will be collected. We can then use Azure Automation to power down servers when they are not being used, or simply scale them down in resources during off-peak hours. Conservatively, this approach can be used to optimize spend and reduce costs by at least 10%. Some environments have seen up to 40% reduction using scale down / power off operations. The Run, Monitor and Optimize model is used here, in a constant fashion.
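The Azure Automation approach above comes down to two decisions: which VMs are in scope for off-hours shutdown, and how much of the 24x7 runtime a given schedule actually removes. The Python below, added for this edit and not the report's or Microsoft's code, models both so the 10% and 40% figures can be reproduced for a concrete fleet. Tagging each VM with a schedule string, the 'weekdays:19-07' / 'always:19-07' tag format, the VM names and the monthly costs are all assumptions made for the example; untagged VMs are left alone, which is the safe default for domain controllers and anything else that must stay up. In an actual runbook the set returned by vms_to_deallocate would drive Stop-AzVM / Start-AzVM calls; that part is left out so the block runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Union

HOURS_PER_WEEK = 24 * 7


@dataclass(frozen=True)
class OffHoursSchedule:
    """Window during which a VM is deallocated.

    stop_hour/start_hour are local hours 0-23; a window such as 19 -> 7 wraps
    past midnight. weekend_off=True keeps the VM down all Saturday and Sunday.
    """
    stop_hour: int
    start_hour: int
    weekend_off: bool = True

    def should_be_off(self, at: datetime) -> bool:
        if self.weekend_off and at.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            return True
        hour = at.hour
        if self.stop_hour > self.start_hour:  # wraps midnight, e.g. 19 -> 07
            return hour >= self.stop_hour or hour < self.start_hour
        return self.stop_hour <= hour < self.start_hour

    def weekly_off_hours(self) -> int:
        """Walk one full week hour by hour. Only the weekday/hour pattern
        matters, so any Monday 00:00 serves as the origin."""
        origin = datetime(2024, 1, 1)  # a Monday
        return sum(
            1 for i in range(HOURS_PER_WEEK)
            if self.should_be_off(origin + timedelta(hours=i))
        )

    def saving_fraction(self) -> float:
        """Share of compute hours (hence of pay-as-you-go compute cost) removed
        by this schedule, relative to running 24x7."""
        return self.weekly_off_hours() / HOURS_PER_WEEK


def parse_schedule_tag(tag: str) -> OffHoursSchedule:
    """Parse the tag convention assumed for this example: 'weekdays:19-07' or
    'always:19-07'. This format is ours, not an Azure convention; a real
    runbook would read the string from the VM's tags."""
    scope, sep, window = tag.partition(":")
    if not sep or scope not in ("weekdays", "always"):
        raise ValueError(f"unrecognised schedule tag: {tag!r}")
    stop, start = (int(part) for part in window.split("-"))
    if not (0 <= stop < 24 and 0 <= start < 24) or stop == start:
        raise ValueError(f"bad hour window in tag: {tag!r}")
    return OffHoursSchedule(stop, start, weekend_off=(scope == "weekdays"))


def vms_to_deallocate(vm_tags: Dict[str, Optional[str]], at: Union[datetime, str]) -> Set[str]:
    """Given {vm_name: schedule_tag_or_None} and a time (datetime or ISO string),
    return the VMs that should be deallocated. Untagged VMs are never touched."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    return {
        name for name, tag in vm_tags.items()
        if tag is not None and parse_schedule_tag(tag).should_be_off(at)
    }


def fleet_saving_fraction(vm_costs: Dict[str, float], vm_tags: Dict[str, Optional[str]]) -> float:
    """Projected fraction of monthly compute spend removed across the fleet,
    weighting each VM's schedule by what that VM costs."""
    total = sum(vm_costs.values())
    saved = sum(
        cost * parse_schedule_tag(vm_tags[name]).saving_fraction()
        for name, cost in vm_costs.items()
        if vm_tags.get(name) is not None
    )
    return saved / total if total else 0.0


# Constructed fleet: names, tags and monthly costs are made up for this example.
EXAMPLE_TAGS = {
    "rf-dc01": None,               # domain controller: never powered off
    "rf-app01": "weekdays:19-07",  # line-of-business app server
    "rf-test01": "always:19-07",   # test box, used only during office hours
}
EXAMPLE_MONTHLY_COST = {"rf-dc01": 100.0, "rf-app01": 140.0, "rf-test01": 60.0}


if __name__ == "__main__":
    now = "2024-01-03T20:00"  # a Wednesday evening
    print("deallocate now:", sorted(vms_to_deallocate(EXAMPLE_TAGS, now)))
    for name, tag in EXAMPLE_TAGS.items():
        if tag:
            print(name, tag, f"{parse_schedule_tag(tag).saving_fraction():.0%} of hours off")
    print(f"fleet compute saving: {fleet_saving_fraction(EXAMPLE_MONTHLY_COST, EXAMPLE_TAGS):.0%}")
```

Two caveats when turning this into a runbook: only a deallocated VM stops accruing compute charges (Stop-AzVM deallocates unless told to stay provisioned; a VM shut down from inside the guest is still billed), and the automation account's identity should be granted RBAC rights only on the resource groups holding the tagged VMs, not the whole subscription, so that a compromised or misconfigured job cannot power off the domain controllers or the firewall.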


App Contingency Plans

There are contingency plans in place if issues with ProLaw running in Azure were experienced. We plan to explore the use of the Application Proxy solution [an EMS feature] to present the app as a single-click launch option through the myapps portal. Alternatively, it can be presented as a remote app on an RDS server, which the ProLaw solution already includes in the form of PL-RDS.

Cloud Road Map Recommendations and Migration Tactics

(Costs depict projected Professional Services and BoM items ONLY – not recurring Azure expense estimates)

First 30 Days

OneDrive migration for U Drive data $XXX
Deploy Azure Site Recovery [for migration purposes] $XXX
Move Active Directory DC’s and AAD Connect to Azure $XXX
Decommission on-prem DC’s at Data Center $XXX
Move IT Data to SharePoint Doc Library $XXX
BH Firewall Upgrade – HA Fortinet Solution with SD WAN & WAN Optimization for Failover and Redundancy $XXX
Azure Fortinet Firewall Configuration – Modify virtual network infrastructure within Azure cloud $XXX
Create Site-To-Site IPSEC tunnels between on-premise networks and Azure cloud networks n/a
Migration of Aerohive CVG from datacenter to Azure cloud $XXX
Configure CAS integration with Fortinet Firewall $XXX
Azure Backup – Recovery Services Vault $XXX

30 – 90 Days

Move Concordance Apps $XXX
Move ProLaw Application Servers $XXX
Client VPN migration and configuration to Azure $XXX
Client VPN endpoint provisioning, configuration and activation n/a
SharePoint migration for Shared data [Z Drive] $XXX
Decommission RF-FS01 and RF-FS02 $XXX
Azure Automation to optimize costs [estimating 10% reduction] n/a

90 Days – Long Term Goals

Integration of all business sanctioned applications to Azure AD n/a
Windows 10 – 100% deployed to all users n/a
InTune Adoption for Cloud Based control and security Policy $XXX
Conditional Access deployment for situational security per application $XXX
Serverless – remove dependencies on AD, ProLaw and Concordance n/a

Removed Costs

Barracuda Backup yearly renewal $XXX
No move to Beverly Hills (one time) $XXX
Data Center rental fees per year $XXX
MPLS DC-LA per year $XXX
Nimble Support per year $XXX
VMware Licensing Support per year $XXX
Silverpeak solution – 3 year term – 12K, 4K per year $XXX

Comprehensive Cost Analysis

ON-PREM BEV HILLS 3 Year Projections:

ITEM Year 1 Year 2 Year 3

Move to Beverly Hills DC $XXX $XXX $XXX

Data Center Rental $XXX $XXX $XXX

Barracuda Backup $XXX $XXX $XXX

MPLS DC-LA $XXX $XXX $XXX

Nimble Support $XXX $XXX $XXX

VMware Licensing $XXX $XXX $XXX

SilverPeak [3 year term] $XXX $XXX $XXX

Hardware Refresh $XXX $XXX $XXX

Firewall Fortinet Upgrade $XXX $XXX $XXX

Fortinet Deploy & Config $XXX $XXX $XXX

Aerohive CVG to Bev Hills $XXX $XXX $XXX

CAS for Fortinet $XXX $XXX $XXX

Client VPN to Bev Hills $XXX $XXX $XXX

Microsoft Server Licensing $XXX $XXX $XXX

Assuming no significant growth in data and applications:

Totals $XXX $XXX $XXX

Projected 3 Yr Costs $XXX


DO NOTHING! 3 Year Projections:

ITEM Year 1 Year 2 Year 3

Move to Beverly Hills DC $XXX $XXX $XXX

Data Center Rental $XXX $XXX $XXX

Barracuda Backup $XXX $XXX $XXX

MPLS DC-LA $XXX $XXX $XXX

Nimble Support $XXX $XXX $XXX

VMware Licensing $XXX $XXX $XXX

SilverPeak [3 year term] $XXX $XXX $XXX

Hardware Refresh $XXX $XXX $XXX

Firewall Fortinet Upgrade $XXX $XXX $XXX

Fortinet Deploy & Config $XXX $XXX $XXX

Aerohive CVG to Bev Hills $XXX $XXX $XXX

CAS for Fortinet $XXX $XXX $XXX

Client VPN to Bev Hills $XXX $XXX $XXX

Microsoft Server Licensing $XXX $XXX $XXX

Assuming no significant growth in data and applications:

Totals $XXX $XXX $XXX

Projected 3 Yr Costs $XXX

Azure 3 Year Projections:

ITEM Year 1 Year 2 Year 3

Azure Infra $XXX $XXX $XXX

Azure Backup $XXX $XXX $XXX

OneDrive $XXX $XXX $XXX

Deploy ASR $XXX $XXX $XXX

Re-home AD, AADC $XXX $XXX $XXX

Cleanup AD $XXX $XXX $XXX

SharePoint IT $XXX $XXX $XXX

Firewall Fortinet Upgrade $XXX $XXX $XXX

Azure Fortinet Deploy & Config $XXX $XXX $XXX


Aerohive CVG to Azure $XXX $XXX $XXX

CAS for Fortinet $XXX $XXX $XXX

Azure Backup Config $XXX $XXX $XXX

Migrate Concordance $XXX $XXX $XXX

Migrate ProLaw $XXX $XXX $XXX

Client VPN to Azure $XXX $XXX $XXX

SharePoint Z Drive $XXX $XXX $XXX

SPO Extra File Storage [2TB] $XXX $XXX $XXX

Decommission File Servers $XXX $XXX $XXX

* MPLS $XXX $XXX $XXX

* Barracuda Backup $XXX $XXX $XXX

* Data Center Rental $XXX $XXX $XXX

$XXX $XXX

Totals $XXX $XXX $XXX

Projected 3 Yr Costs $XXX

INITIATIVE YEAR 1 YEAR 2 YEAR 3 TOTAL 3 YEAR COST

BEV HILLS $XXX $XXX $XXX $XXX

DO NOTHING $XXX $XXX $XXX $XXX

AZURE $XXX $XXX $XXX $XXX

The analysis above compares our three primary go-forward strategic options. The Azure strategy carries our migration costs in year 1 and quickly achieves a baseline. In year 1 of Azure, we carry a few data center costs since we need to rely on existing infrastructure during the transition. Our data on cost analytics form the basis of our recommendation as a long-term strategy.