Updates on Cloud Transformation Journey

STEVEN WONG, ASSISTANT DIRECTOR (IT INFRASTRUCTURE)

Last year ITSC began to adopt a “Cloud-First Strategy” whereby, for any new IT undertaking, we first consider the feasibility of leveraging cloud technology where possible. At the beginning of the new academic year, we would like to provide the latest updates on our Cloud Transformation journey, including the Cloud Initiatives that we have embarked on:


Wider Adoption of Microsoft 365 Cloud-based Productivity & Collaboration Suite

  • Migration of all staff email to Exchange Online – completed in Jul 2020

(Remark: student email has been using Exchange Online since 2014)

  • Enjoy up to 100GB mailbox quota per user
  • Latest mail features and functionalities are immediately made available when released
  • Enhanced built-in spam and malware filtering capabilities


  • Growing usage in Microsoft 365 (formerly called Office 365):
    • Percentage increase in number of active users over past 6 months:

                Exchange    OneDrive    SharePoint    Teams
    Staff       16%         52%         91%           52%
    Students    10%         14%         8%            39%


  • OneDrive for Business personal file store – support file sharing and collaboration, and access as a network drive; provide default 5TB storage with file versioning and enhanced security like 2FA support, ransomware protection, data protection, etc.

  • SharePoint Online departmental file repository – support file sharing and collaboration, and access as a network drive; with auditing, rich accessibility, security, and administrative control, and facilitate
    • 41 SharePoint sites have been created for storing departmental files, versus a few pilot sites one year ago

  • Teams – a modern communication and collaboration platform that supports chats, video-based meetings, task management (especially in a team setting), collaboration and application integration

  • Observed increased usage of the following Microsoft 365 tools:
    • Power Platform – a collective suite of software (Power BI, Power Apps, Power Automate, etc.) to facilitate task automation, apps building, getting data insights using a so-called “low-code / no-code” approach to automate tasks with very minimal or even no programming
    • Forms – provide easy means to create online forms, surveys and polls, etc.
    • Stream – enables video streaming and sharing, and can serve as a “YouTube”-like portal for video distribution; currently used for sharing online trainings organized by ITSC

Cloud-based Virtual Desktop Infrastructure (VDI)

  • At present we are leveraging VDI technology (using VMware Horizon on our on-premises private cloud environment) to provide our Virtual Barn service to supplement our physical Computer Barns – this Virtual Barn service is becoming more important in the hybrid teaching mode setting

  • Now actively exploring how to leverage public cloud VDI services for higher agility, flexibility and scalability:
    • Microsoft Azure Lab Services (ALS) – began to use ALS for scheduled classes that require PC lab sessions for teaching and learning purposes, so that computing lab sessions can be conducted virtually instead of in a computer barn setting
    • Microsoft Windows Virtual Desktop (WVD) – working closely with Microsoft to leverage their newly released WVD solution to provision cloud-based VDI services for general and on-demand needs of virtual desktops; plan to run on-premises VDI and cloud-based WVD in parallel to serve the Virtual Barn in this Fall Semester, with full migration in 2021 Spring Semester

Deployment of Cloud DNS Service – completed in Mar 2020

  • Implemented a high-availability cloud-based DNS service (Akamai Fast DNS) for Internet domain name resolution

  • Provide robust and faster name resolution response, with enhanced security, e.g. protection from DDoS attacks (Distributed Denial of Service) and DNS hijacking

  • Off-campus access to cloud-based services (like Canvas, Exchange Online, etc.) no longer depends on the on-premises DNS service

Cloud Storage for Data Backup – target to be completed in Q1 2021

  • Early this year ITSC started to leverage a modern enterprise backup solution (Veeam) which can easily back up data to a cloud repository in addition to the on-premises data repository – now testing its functionalities, with pilot deployment planned by end of 2020

  • Plan to implement the “3-2-1 backup rule” for crucial data and phase out the unreliable tape backup – this means keeping at least three (3) copies of our data, storing two (2) backup copies on different storage media in our two data centers, with another one (1) of them located in offsite cloud storage
(Figure: 3-2-1 backup rule)

Cloud-based Security Enhancement

  • Office 365 Advanced Threat Protection (ATP) – provide AI-based security protection features for Office 365 applications (including Exchange Online, OneDrive, SharePoint, Teams, etc.)
    • Now in pilot deployment of “anti-phishing” feature for staff email, and will extend to student email by end of Sep
    • “Safe Links” and “Safe Attachments” features also deployed to around 300 administrative users constantly involved in handling sensitive or confidential data/information
    • Overall effectiveness will be reviewed in early 2021 to see if it is cost justified to further extend the security coverage to more users

  • Azure Information Protection (AIP) – serve to protect documents and data by classifying files with a label and encrypting sensitive or confidential files, and provide access control based on users’ rights
    • Introduced to all staff in late Jun, and so far around 1,000 staff were trained on this data protection mechanism
    • Almost 1,100 staff have used this technology, with 700+ daily active users and 100,000+ files labelled

  • Intune – a cloud-based endpoint management solution for desktops (Windows and macOS) and mobile devices (iOS and Android)
    • Worked out a pilot implementation for ITSC and ISO in Aug/Sep
    • Will extend this to some administrative departments for our next phase in Oct

  • Microsoft Defender Advanced Threat Protection (MDATP) – a cloud-based endpoint detection and response solution, providing security threat and vulnerability management based on AI and behavioral technologies
    • To be introduced to users together with Intune setup above

Cloud-based Container-based Application Platform

  • Moving forward from the conventional “Virtual Machine” technology, we have now switched to the modern “Docker-based container technology” to package an IT application or service in a so-called “container” environment – this offers better performance with less resource overhead, enhanced security with better resource isolation, and higher portability, especially for migration to public cloud environments

  • As more and more containers are used in our environment, we are looking into the “container orchestration” tool to facilitate the deployment and management of the growing number of containerized applications:
    • deploy Microsoft Azure Kubernetes Service (AKS) for new LAMP-based applications – pilot in Q4 2020
    • deploy AKS for any kind of Docker-based applications – in Q2 2021

Disaster Recovery (DR) on Cloud

  • Pilot tested moving some of our core infrastructure services (like authentication and domain name service) to the public cloud, with the objective to facilitate disaster recovery of crucial IT services using cloud resources

  • Further work on this is planned, with the target of leveraging cloud services, where feasible, for DR purposes in 2021

Governance of Cloud Usage

  • Started reviewing related aspects like risk assessment and personal data privacy issues

  • Formulated some guidelines for users when considering a cloud solution from a Cloud Service Provider (CSP):

https://itsc.ust.hk/services/cyber-security/guidelines-choosing-cloud-service-provider