R. Ching, Ph.D. • MIS Area • California State University, Sacramento

Week 6
Monday, February 27

• IT Infrastructure
• Reliability and Security of IT Services
• Security


IT Infrastructure, Another View…

IT Architecture and Advances in IT

• Era I - Mainframe (1950’s - 1970s)
  – IT paradigm
    • Centralized computing
    • Automated functions
  – Information management
    • Focus on data (i.e., data processing and efficiency)
    • Fixed reporting
    • File-based

IT Architecture and Advances in IT

• Era II - PC (1970’s - 1980s)
  – IT paradigm
    • Microcomputer
    • Decentralized, end-user developed computing
  – Information management
    • Focus on information (i.e., specialized applications)
    • Specialized and personal software (i.e., electronic spreadsheets, word processing, file management)
    • Islands of information

IT Architecture and Advances in IT

• Era III - Network (1990’s - present)
  – IT paradigm
    • Client/server (fat and thin clients)
    • Internet, intranet (within the organization), extranet (between the organization and its suppliers/partners)
    • End-user computing
  – Information management
    • Focus on knowledge (i.e., OLAP tools, data warehousing/mining)
    • Relational and OO database (centralized data repository)

Infrastructure
Delivering the right information to the right people at the right time

• Delivering IT resources to support users throughout the organization
• Four layer infrastructure (Weill and Broadbent)
  – IT components
  – Human IT infrastructure
  – Shared IT services – services that users can draw upon and share to conduct business
  – Shared and standard IT applications – stable applications that change less frequently

Structure of the IT Infrastructure

[Figure: diagram with the labels IT components, Shared IT services, Human IT infrastructure, Shared and standard IT applications, Local applications, and IT infrastructure]

Three Views of IT Infrastructure

• Economies of scale (utility) – providing IT/IS as a service to the business to facilitate operations
  – Emphasis on reducing costs
• Support for business programs (dependent) – IT tied to business plan and value-added initiatives
• Flexibility to meet changes in the marketplace (enabling) – IT planning tied to business strategic plan
  – Co-alignment between business strategy and IT strategy
  – Strategic IT and strategic IT planning

Strategic Grid: Placing Infrastructure Planning and Management in Perspective

[Figure: strategic grid. Axes: Impact of Existing IT applications (Low to High) and Impact of Future IT applications (Low to High). Quadrants: Factory (Operational IT); Support (Basic elements); Turnaround (Gradual adoption); Strategic (Strategic IT plan, initiatives). Additional labels: Mission Critical, Less critical]

How we view reliability and security depends on where the organization lies on the strategic grid.

Reliability and Availability of the Infrastructure

Infrastructure Reliability

• Ensuring continuous operations in support of the organization
  – 27 x 7 operation (if important)
  – Redundancy of components
  – Cost of maintaining continuous operations vs. cost of failure
  – Threats and countermeasures

Availability

[Figure: plot of availability (0% to 100%) against number of components]

Components 1 to 5: 98% availability each

.98 x .98 x .98 x .98 x .98 = .9039 (overall service availability)

Complexity of the system increases as the number of components increases

Availability

Components 1 to 5: 98% availability each

.98 x .98 x .98 x .98 x .98 = .9039

Redundancy:

Components 1 to 5: 98% availability each, running in parallel (i.e., each component is capable of doing all functions)

If each component has a failure rate of .02, then a complete failure of the system is

.02 x .02 x .02 x .02 x .02 = .000000032

Making a High-Availability Facility

• Uninterruptible electric power delivery
• Physical security
• Climate control and fire suppression
• Network connectivity
• N+1 and N+N redundancy of mission critical components
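The availability arithmetic from the two Availability slides, extended to the N+1 and N+N redundancy named above, as an added example that is not part of the original slides. It goes beyond the slides by using the general "at least k of n components up" formula, and it assumes identical components that fail independently; the function names are hypothetical.

```python
from math import comb, prod

def series(avails):
    """Every component is required: availabilities multiply."""
    return prod(avails)

def parallel(avails):
    """Any one component can do all functions: failure rates multiply."""
    return 1 - prod(1 - a for a in avails)

def k_of_n(k, n, a):
    """Probability that at least k of n identical components are up.
    Assumes independent failures (an assumption, not stated on the slides)."""
    return sum(comb(n, i) * a**i * (1 - a)**(n - i) for i in range(k, n + 1))

def n_plus_1(n, a):
    """N components carry the load, one spare."""
    return k_of_n(n, n + 1, a)

def n_plus_n(n, a):
    """N components carry the load, a full second set stands by."""
    return k_of_n(n, 2 * n, a)

def downtime_hours_per_year(avail):
    """Expected unavailable hours in a 365-day year."""
    return (1 - avail) * 365 * 24

if __name__ == "__main__":
    a = 0.98
    designs = {
        "5 in series": series([a] * 5),
        "5 in parallel": parallel([a] * 5),
        "4+1 (need 4 of 5)": n_plus_1(4, a),
        "4+4 (need 4 of 8)": n_plus_n(4, a),
    }
    for name, avail in designs.items():
        print(f"{name:20s} availability={avail:.10f} "
              f"downtime={downtime_hours_per_year(avail):9.3f} h/yr")
```

The spare in an N+1 design only helps if its failures are independent of the others; components sharing one power feed or one network uplink fail together, which is why the facility list puts power and connectivity ahead of component redundancy.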

Malicious Threats and Defensive Measures

• Types of threats:
  – External attacks – denial of service (DoS)
  – Intrusion – access via the IT infrastructure
  – Viruses and worms
• Defensive measures
  – Security policies – defines security by recognizing IT as a resource
  – Firewalls
  – Authentication
  – Encryption
  – Patching and change management
  – Intrusion detection and network monitoring

Risk Management

• Risk of failure or a breach of security
• Must be classified (i.e., critical, not critical, etc.)
• Addressed in proportion to their likelihood and potential consequences
• Management action to mitigate risks
  – Costs vs. potential benefits
  – Expected loss (probability of a threat occurring x cost)

Prioritization of Risks

[Figure: threats plotted by consequences (Low to High) against probability (0 to 1), with regions labelled Critical Threats and Minor Threats. Threats shown: Flooding, Earthquake, Lightning, Construction, Hacking, Intrusion, Fire, Corporate espionage]

Managing Threats and Risks

• Sound infrastructure design
• Disciplined execution of operating procedures
• Careful documentation
• Established crisis management procedures
• Rehearsing incident response
  – Security audit
• Recovery procedures

Another View of Security and Threats…

Countermeasures and Contingency Plans

Threats

• Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently the organization.
  – Tangible losses (hardware, software, data)
  – Intangible losses (credibility, confidentiality)

Threats and Countermeasures

• Initiate countermeasures to overcome threats
  – Consider the types of threat and their impact on the organization
    • Cost-effectiveness
    • Frequency
    • Severity

Threats and Countermeasures

• Objective is to achieve a balance between a reasonably secure operation, which does not unduly hinder users, and the costs of maintaining it.
• Risks are independent of the countermeasures

[Figure: balance diagram with the labels Countermeasures, Costs, Secured Operations, and Risks]

Countermeasures

• Computer-based vs. Non-computer-based
  – Computer-based: implemented through the operating system and/or DBMS
  – Non-computer-based: management policies and procedures

Computer-Based Controls

• Authorization
• Backup (and recovery)
• Journaling
• Integrity controls
• Encryption
• Associated procedures

Noncomputer-Based Controls (management-oriented)

• Security policy and contingency plans
• Personnel controls
• Secure positioning of equipment
• Secure data and software
• Escrow agreements
• Maintenance agreements
• Physical access controls
• Building controls
• Emergency arrangements

Non-Computer-Based Controls: Countermeasures

• Security policy and contingency plan
  – Security - covers the operations of the database
  – Contingency plan - addresses plans for catastrophic events
    • Procedures to follow
    • Line of command
• Personnel controls
  – Assessing and monitoring employees
  – Training
  – Responsibilities - sharing and splitting
  – Job controls

Non-Computer-Based Controls: Countermeasures

• Securing:
  – Hardware
  – Data and software
• Physical access controls
  – Internal and external
• Emergency arrangements
  – Cold, warm and hot sites

Non-Computer-Based Controls: Countermeasures

• Risk analysis
  – Identify assets
  – Identify threats and risks
  – Establish their costs relative to losses
  – Determine countermeasure
    • Establish effectiveness of the countermeasure
    • Establish cost of implementing the countermeasure
  – Examine cost/benefit of countermeasure
  – Make recommendation
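
The risk analysis steps above, combined with the expected-loss formula from the Risk Management slide, worked through as an added example that is not part of the original slides. The threat and countermeasure names come from the slides; every probability, cost and effectiveness figure is constructed for illustration, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    threat: str
    probability: float  # chance the threat occurs in a year, 0..1 (constructed)
    cost: float         # loss if it does occur (constructed)

    @property
    def expected_loss(self) -> float:
        # Expected loss = probability of a threat occurring x cost
        return self.probability * self.cost

@dataclass
class Countermeasure:
    name: str
    threat: str
    effectiveness: float  # fraction of the expected loss it removes, 0..1
    annual_cost: float    # cost of implementing the countermeasure

# Constructed sample register; only the names are taken from the slides.
RISKS = [
    Risk("Fire", 0.05, 2_000_000),
    Risk("Hacking", 0.60, 250_000),
    Risk("Construction", 0.30, 20_000),
    Risk("Earthquake", 0.01, 5_000_000),
]
COUNTERMEASURES = [
    Countermeasure("Intrusion detection and network monitoring", "Hacking", 0.5, 40_000),
    Countermeasure("Fire suppression", "Fire", 0.8, 30_000),
    Countermeasure("Hot site", "Earthquake", 0.9, 120_000),
]

def prioritize(risks):
    """Rank risks so the largest expected loss is addressed first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)

def cost_benefit(risks, countermeasures):
    """Return (name, loss_avoided, net_benefit, recommend), best net first."""
    by_threat = {r.threat: r for r in risks}
    rows = []
    for cm in countermeasures:
        avoided = by_threat[cm.threat].expected_loss * cm.effectiveness
        net = avoided - cm.annual_cost
        rows.append((cm.name, round(avoided, 2), round(net, 2), net > 0))
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.threat:14s} expected loss {r.expected_loss:>12,.0f}")
    for row in cost_benefit(RISKS, COUNTERMEASURES):
        print(row)
```

With these figures the hot site costs more than the expected loss it avoids, so a purely expected-loss view rejects it; an organization in the mission-critical part of the strategic grid may still fund it because of the size of the consequence.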