1. Overview
Timeline: 2026 Q1 to 2027 Q2

| Phase | Focus | Months |
|---|---|---|
| Phase 0 | Foundation | 1–3 |
| Phase 1 | MVP | 3–6 |
| Phase 2 | Security + Add-ons | 6–9 |
| Phase 3 | Intelligence + Add-ons (extended) | 9–12 |
| Phase 4 | ITSM | 12–15 |
2. Phase 0 – Foundation (Months 1–3)
Goal: Build the on-premises infrastructure and the Kubernetes cluster
Month 1 – VMware vSphere & Network
- Set up the VMware vSphere cluster
  - Install and configure ESXi hosts
  - Deploy the vCenter Server Appliance
  - Configure DRS, HA, vMotion
  - Storage policies (NVMe, SSD, HDD tiers)
- Network infrastructure
  - Build the VLAN structure (10, 20, 30, 40, 50, 60)
  - Configure the firewall (HA)
  - Create DNS zones (hafs.local, *.hafs.internal)
  - Internet breakout (VLAN 99, whitelist proxy)
- Terraform IaC skeleton
  - Configure the vSphere provider
  - Create VM templates (RHEL / Ubuntu)
  - State backend (MinIO / S3-compatible)
Month 2 – RKE2 Cluster & Data Stack
- RKE2 Kubernetes cluster deployment
  - 3x control plane VMs (HA with etcd)
  - 4x worker app nodes + 3x worker data nodes
  - 2x worker infra nodes
  - Calico CNI + MetalLB load balancer
  - Rancher management UI
- Data stack setup
  - PostgreSQL Patroni cluster (3 nodes)
  - MongoDB replica set (3 nodes)
  - Redis Sentinel (3 nodes)
  - Elasticsearch cluster (3 nodes)
  - MinIO (erasure coding, object storage)
  - RabbitMQ / NATS cluster
- Identity & secrets
  - Active Directory integration (LDAPS)
  - HashiCorp Vault (HA, 3 replicas)
  - cert-manager + Vault PKI backend
  - Azure AD Connect (hybrid sync for M365)
Month 3 – CI/CD, Monitoring & Security Baseline
- Build the CI/CD pipeline
  - GitLab / GitHub repositories
  - Harbor container registry
  - Flux v2 GitOps setup
  - SonarQube + Trivy (SAST + container scanning)
- Monitoring stack
  - Prometheus + Grafana + Loki
  - OpenTelemetry Collector + Jaeger
  - Alertmanager (Teams + e-mail integration)
  - VMware Exporter, Node Exporter, kube-state
- Security baseline
  - NGINX Ingress + ModSecurity (OWASP CRS)
  - Calico NetworkPolicies (default deny)
  - OPA / Gatekeeper policies
  - Kong / Traefik API gateway
- Dev/test environment
  - Namespace separation (dev, staging, prod)
  - Portal shell / design system prototype
  - Architecture review & load-test infrastructure
On-premises infrastructure production-ready. VMware vSphere cluster with 3+ ESXi hosts live. RKE2 Kubernetes cluster with all node pools. Database stack (PostgreSQL, MongoDB, Redis, ES, MinIO) highly available. HashiCorp Vault + AD integration configured. CI/CD pipeline with Harbor + Flux v2 operational. Monitoring and security baseline active.
3. Phase 1 – MVP (Months 3–6)
Goal: Core functionality live – ticket system, chatbot, service catalog
Modules: M1 (Tickets), M2 (AI basic), M5 (Catalog), M6 (KB basic), M11 (Admin)
Months 3–4: Ticket System, AI & Portal
- Ticket system (M1)
  - Ticket data model & API (Nest.js, PostgreSQL)
  - Ticket creation (web form), queue & agent dashboard
  - Status workflow & comments
  - SLA engine (basic)
  - E-mail intake (via Graph API + SMTP)
- AI services (M2 – basic)
  - AI gateway (Node.js, Anthropic Claude SDK)
  - Guardrails (PII filter, prompt sanitization)
  - Self-help chatbot (v1, Claude Haiku 4.5)
  - Auto-categorization (Claude Haiku 4.5)
  - RAG pipeline (Elasticsearch vector search)
- Portal frontend
  - Portal shell & navigation (React 19, Next.js 15)
  - SSO / AD login (OIDC via on-prem AD)
  - Dashboard (user & agent)
Months 5–6: Service Catalog, Knowledge Base & Teams
- Service catalog (M5)
  - Service directory, request forms (top 20 services)
  - Approval workflows (single-stage)
  - Self-service password reset
- Knowledge base (M6 – basic)
  - Article CMS
  - Search (Elasticsearch full-text + vector)
  - Initial population (top 50 articles)
- Admin (M11)
  - User & role management
  - Configurable ticket categories
  - SLA configuration
- Teams integration
  - Teams bot (chatbot via Bot Framework)
  - Teams notifications (Graph API)
  - Adaptive Cards for tickets
- Testing & pilot
  - UAT with pilot group (IT department)
  - Performance & security testing
  - Bug fixing & optimization
MVP live for the pilot group. Go-live for all employees. Ticket system live (web + e-mail + Teams), self-help chatbot active (Claude-based), top 20 services in the catalog, knowledge base with 50+ articles.
4. Phase 2 – Security, Governance & Add-ons (Months 6–9)
Goal: Security Center, IAM/PAM add-on, SIEM add-on, governance module
Modules: M3 (Security), M4 (Governance), M7 (Norm Automation)
Add-ons: IAM/PAM add-on, SIEM add-on (basic)
Months 6–7: IAM/PAM Add-on & Security Center
- IAM/PAM add-on (basic)
  - Identity lifecycle (joiner/mover/leaver) – automated AD provisioning
  - M365 license assignment via Graph API
  - Self-service access requests with AI risk scoring
  - SoD checks (segregation of duties)
  - Multi-stage approval workflows
  - PAM vault (HashiCorp Vault backend) – password checkout & auto-rotation
  - JIT access (time-limited)
  - Access reviews (quarterly, AI recommendations for unused access)
- Security Center (M3)
  - Security dashboard
  - Security incident reporting (phishing report, incident workflow)
  - Vulnerability management (Qualys/Nessus + Trivy, AI prioritization)
Months 7–8: IAM/PAM Extended, SIEM & Governance
- IAM/PAM add-on (extended)
  - Session recording (RDP/SSH/web)
  - Break-glass procedure
  - Service account management
- SIEM add-on (basic)
  - Elasticsearch SIEM cluster
  - Log collection (Fluent Bit DaemonSet) – K8s audit logs, AD logs, firewall, DNS
  - Alert engine (basic rules)
  - SOC dashboard (basic)
  - Portal integration (security tickets created from alerts)
- Governance (M4)
  - Policy management, risk register
  - Compliance dashboard (BaFin, GDPR, ISO 27001)
  - Audit trail (complete)
Months 8–9: Automation & AI Extended
- Automation engine (M7 – Norm)
  - Norm deployment on K8s (Docker/Helm) + portal connection via REST API
  - Custom modules (TypeScript) for AD, IAM/PAM, SIEM, ticket system
  - Top 10 Norm flows: onboarding, offboarding, standard permission request, password reset, software installation, VPN troubleshooting, mailbox access, hardware request, MFA reset, printer setup
- AI services (M2 – extended)
  - Agent Copilot (v1, Claude Sonnet 4.5)
  - Auto-resolve for the top 5 scenarios
  - Sentiment analysis
  - Knowledge AI (automatic article drafts)
IAM/PAM add-on v1 live. SIEM add-on (basic) live. Security Center live. Norm live, 10 flows automated.
5. Phase 3 – Intelligence, Analytics & Add-on Extension (Months 9–12)
Goal: Advanced AI, analytics, IT Monitor add-on, full automation
Modules: M8 (Analytics), M7 (ext.), M2 (AI ext.)
Add-ons: IT Monitor add-on, SIEM (ext.), IAM/PAM (ext.)
Months 9–10: Analytics, IT Monitor & AI Advanced
- Analytics & reporting (M8)
  - Real-time KPI dashboard, SLA reporting, trend analyses
  - Custom report builder
  - Executive summary (AI-generated, Claude Sonnet)
- IT Monitor add-on (basic)
  - Infrastructure dashboard (VMware, K8s, storage)
  - Service health map
  - Alerting engine (multi-level)
  - CMDB-Light (auto-discovery of K8s + VMware)
  - SLA monitoring
- AI services (M2 – advanced)
  - Predictive analytics (incident prediction, load forecasting, SLA risk scoring)
  - Agent Copilot (v2) – impact analysis, smart routing (expertise-based)
  - Proactive alerts
Months 11–12: SIEM Ext., IT Monitor Ext. & Automation
- SIEM add-on (extended)
  - Sigma rules engine
  - MITRE ATT&CK mapping
  - Threat intelligence feeds (CERT-Bund, MISP)
  - SOAR playbooks (auto-containment)
  - Forensics workspace
- IT Monitor add-on (extended)
  - Capacity planning & forecasting
  - Runbook integration (Ansible/Terraform)
  - Executive dashboard
  - Network monitoring (SNMP)
- Automation engine (M7 – Norm extended)
  - 50+ Norm flows (incl. AI modules, self-healing)
  - Runbook automation via Norm modules (Ansible/Terraform)
  - Scheduled flows & maintenance automation
  - AI modules (Claude) for intelligent decisions within flows
- Governance (M4 – extended)
  - Automated control tests
  - DORA compliance dashboard
  - Automated board reporting, exception management
- Vulnerability management
  - Qualys/Nessus + Trivy integration
  - AI prioritization (Claude)
  - Automatic ticket for Critical/High findings
IT Monitor add-on live. SIEM add-on complete. Self-service rate > 70%. Predictive analytics active. Compliance dashboard complete.
6. Phase 4 – ITSM Complete (Months 12–15)
Goal: Complete ITSM with asset & change management
Modules: M9 (Assets), M10 (Change)
- CMDB / asset management: auto-discovery (VMware + Kubernetes + SNMP), asset lifecycle tracking, software inventory & licenses, dependency mapping, integration with the IT Monitor add-on CMDB-Light
- Change management: change request workflows, CAB integration, AI impact analysis (Claude Sonnet 4.5), change calendar, post-implementation review
- Problem management: root cause analysis (AI-assisted), known error database, problem-to-ticket linking
Complete ITSM tool with all 11 modules live.
7. Add-on Rollout Overview
- IAM/PAM add-on
  - Phase 2 (months 6–7): basic (lifecycle, access requests, PAM vault)
  - Phase 2 (months 7–8): extended (session recording, break glass)
  - Phase 3 (month 9+): analytics & runbooks
- SIEM add-on
  - Phase 2 (months 7–8): basic (log collection, alerts, SOC dashboard)
  - Phase 3 (month 11): Sigma rules, MITRE ATT&CK
  - Phase 3 (month 12): SOAR, forensics, threat intelligence
- IT Monitor add-on
  - Phase 3 (months 9–10): basic (dashboard, health map, CMDB-Light)
  - Phase 3 (months 11–12): extended (capacity, runbooks, SNMP)
8. Team Structure
8.1 Project Team
| Role | Count | Responsibility |
|---|---|---|
| Product Owner | 1 | Vision, backlog, stakeholder management |
| Project Manager | 1 | Timeline, budget, risks |
| Solution Architect | 1 | On-prem architecture, K8s, databases |
| Backend Developer | 2–3 | Nest.js microservices, APIs, integrations |
| Frontend Developer | 1–2 | React/Next.js, portal UI, Teams bot |
| AI/ML Engineer | 1–2 | Claude integration, RAG, AI gateway |
| Platform Engineer | 1–2 | VMware, RKE2, Terraform, monitoring, GitOps |
| Security Engineer | 1 | IAM/PAM add-on, SIEM add-on, Vault |
| UX Designer | 1 (part-time) | User research, UI design |
| QA Engineer | 1 | Testing, quality assurance |
8.2 Stakeholders
| Stakeholder | Role in the Project |
|---|---|
| CIO | Executive sponsor, budget approval |
| CISO | Security requirements, acceptance of security modules & add-ons |
| IT Operations Lead | Functional requirements, pilot group |
| Compliance Officer | Regulatory requirements (BaFin, GDPR) |
| HR | Onboarding/offboarding processes (IAM/PAM add-on) |
| Department Heads | Service requirements, adoption |
9. Risks & Mitigation
| Risk | Probability | Impact | Mitigation |
|---|---|---|---|
| On-prem infrastructure complexity | High | High | Experienced platform engineer, PoC in Phase 0, Terraform IaC |
| Insufficient AI quality | Medium | High | Iterative feedback, guardrails, Claude model upgrades, fallback |
| Low user acceptance | Medium | High | Early pilot group, UX focus, change management |
| Missing Kubernetes operations expertise | High | Medium | Training, Rancher as management UI, external consulting in Phase 0 |
| Hardware lead times | Medium | Medium | Early ordering, reserve capacity, staged build-out |
| In-house add-on development is costly | High | Medium | MVP approach, prioritization, open-source basis (Elasticsearch, Vault) |
| Regulatory changes | Low | High | Flexible architecture, compliance monitoring |
| Key-person risk | Medium | Medium | Documentation, knowledge transfer, pair programming |
| Claude API dependency | Low | Medium | Prompt caching, response caching (Redis), fallback strategy |