2023-09-13 Meeting notes

Date

Sep 13, 2023

Attendees

  • @Erin Kilburn

  • @Amini, Mojgan (Deactivated) 

  • @Kevin Chou 

  • @DeMeulle, Brian (Deactivated)

  • @Sheryl Gerbracht (Deactivated) - absent

  • @Valerie Polichar (Deactivated) 

  • @Brett Pollak

  • @Daniel Suchy - absent

  • @Jonathan Whitman

  • @David Soleno

  • @Ashish Pandit

  • @Brown, Dalton (Deactivated)

  • @Fleming, Declan (Deactivated)

  • @Bartolome, Emerson

  • @John Lane

  • @Nathalie Gholmieh

Goals

Discussion items

If the webfarm migration is paused, are we accepting the risks, particularly JBoss being out of support?

  • Two legacy webfarms, one of which is the JBoss virtual environment

    • Bifurcate the project so the JBoss farm is dealt with separately

      • Ideally just migrate

  • However, the same security concerns exist for the other legacy webfarm, which consists primarily of Jlink webapps

    • Not possible to upgrade in place; all apps would need to be migrated to the new webfarm

  • Risk based approach

    • All PCI and P4 applications have been migrated to the new webfarm

    • What remains are applications holding P3 data

      • Legal name is now being reclassified as P4

    • Have we classified the applications based on risk (PCI, P3/P4, business risk)?

      • Where do we draw this line?

      • What resources are needed to do the work above the line?

        • Opportunity cost of this work?

          • See Jonathan's slides

      • Tech debt on these servers will not get resolved if we don't address this

  • Will these remaining vulnerable servers appear in the security metrics presented to CSOG?

    • No; once an exception is approved, the server is no longer on the list

Need to make the JBoss upgrades

How do we know if the JBoss upgrade in place is possible (i.e., upgrading the existing server)?

Even if we upgrade the servers, the apps need to be modified (expected to be 120 hours of work per app)

An estimate of the time needed to upgrade the Spring components on the JBoss server would have to come from the app teams, not DIS

Resourcing decisions

Depending on the work required for the upgrade in place, a decision can be made on whether to pursue an exception or to secure resources to do the work

Can this be outsourced? Yes, but it will take a little longer

Remaining legacy webfarm

How do we quantify the risk for the Jlink webfarm?

Use the ISA3 classifications and the hours needed for the migration

Dalton to provide a recommendation; if the security and apps teams disagree, come back to SMT for a decision

Action items