View
215
Download
0
Embed Size (px)
Citation preview
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 1
Week 6Week 6Monday, February 27Monday, February 27
• IT InfrastructureIT Infrastructure• Reliability and Security of IT ServicesReliability and Security of IT Services
• SecuritySecurity
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 2
IT Infrastructure, Another View…IT Infrastructure, Another View…
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 3
IT Architecture and Advances in ITIT Architecture and Advances in IT
• Era I - Mainframe (1950’s - 1970s)Era I - Mainframe (1950’s - 1970s)– IT paradigmIT paradigm
• Centralized computingCentralized computing• Automated functionsAutomated functions
– Information managementInformation management• Focus on Focus on data data (i.e., data processing and (i.e., data processing and
efficiency)efficiency)• Fixed reportingFixed reporting• File-basedFile-based
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 4
IT Architecture and Advances in ITIT Architecture and Advances in IT
• Era II - PC (1970’s - 1980s)Era II - PC (1970’s - 1980s)– IT paradigmIT paradigm
• MicrocomputerMicrocomputer• Decentralized, end-user developed computingDecentralized, end-user developed computing
– Information managementInformation management• Focus on Focus on informationinformation (i.e., specialized (i.e., specialized
applications)applications)• Specialized and personal software (i.e., Specialized and personal software (i.e.,
electronic spreadsheets, word processing, file electronic spreadsheets, word processing, file management)management)
• Islands of informationIslands of information
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 5
IT Architecture and Advances in ITIT Architecture and Advances in IT
• Era III - Network (1990’s - present)Era III - Network (1990’s - present)– IT paradigmIT paradigm
• Client/server (fat and thin clients)Client/server (fat and thin clients)• Internet, intranet (within the organization), Internet, intranet (within the organization),
extranet (between the organization and its extranet (between the organization and its suppliers/partners)suppliers/partners)
• End-user computingEnd-user computing– Information managementInformation management
• Focus on Focus on knowledgeknowledge (i.e., OLAP tools, data (i.e., OLAP tools, data warehousing/mining)warehousing/mining)
• Relational and OO database (centralized data Relational and OO database (centralized data repository)repository)
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 6
InfrastructureInfrastructureDelivering the right information to the right people at the right timeDelivering the right information to the right people at the right time
• Delivering IT resources to support users Delivering IT resources to support users throughout the organizationthroughout the organization
• Four layer infrastructure (Four layer infrastructure (Weill and BroadbentWeill and Broadbent))– IT componentsIT components– Human IT infrastructureHuman IT infrastructure– Shared IT services – services that users can Shared IT services – services that users can
draw upon and share to conduct businessdraw upon and share to conduct business– Shared and standard IT applications – stable Shared and standard IT applications – stable
applications that change less frequently applications that change less frequently
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 7
Structure of the IT InfrastructureStructure of the IT Infrastructure
IT componentsIT components
Shared IT servicesShared IT services
Human IT infrastructureHuman IT infrastructure
Shared and standard Shared and standard IT applicationsIT applications
Local applicationsLocal applications
IT infrastructureIT infrastructure
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 8
Three Views of IT InfrastructureThree Views of IT Infrastructure
• Economies of scale (utility) – providing IT/IS as a Economies of scale (utility) – providing IT/IS as a service to the business to facilitate operationsservice to the business to facilitate operations– Emphasis on reducing costsEmphasis on reducing costs
• Support for business programs (dependent) – IT Support for business programs (dependent) – IT tied to business plan and value-added initiativestied to business plan and value-added initiatives
• Flexibility to meet changes in the marketplace Flexibility to meet changes in the marketplace (enabling) – IT planning tied to business strategic (enabling) – IT planning tied to business strategic planplan– Co-alignment between business strategy and IT Co-alignment between business strategy and IT
strategystrategy– Strategic IT and strategic IT planningStrategic IT and strategic IT planning
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 9
Strategic Grid: Placing Infrastructure Strategic Grid: Placing Infrastructure Planning and Management in Planning and Management in PerspectivePerspective
HighHigh
LowLowHighHighLowLow
Impact of Impact of Existing IT Existing IT
applicationsapplications
Impact of Future IT applicationsImpact of Future IT applications
FactoryFactoryOperational ITOperational IT
SupportSupportBasic elementsBasic elements
TurnaroundTurnaroundGradual adoptionGradual adoption
StrategicStrategicStrategic IT plan, Strategic IT plan,
initiativesinitiatives
Mission CriticalMission Critical
Less criticalLess critical
How we view reliability and security depends on where the How we view reliability and security depends on where the organization lies on the strategic grid.organization lies on the strategic grid.
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 10
Reliability and Availability of the Reliability and Availability of the InfrastructureInfrastructure
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 11
Infrastructure ReliabilityInfrastructure Reliability
• Ensuring continuous operations in support of the Ensuring continuous operations in support of the organizationorganization– 27 x 7 operation (if important)27 x 7 operation (if important)– Redundancy of componentsRedundancy of components– Cost of maintaining continuous operations Cost of maintaining continuous operations
vs. cost of failurevs. cost of failure– Threats and countermeasuresThreats and countermeasures
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 12
AvailabilityAvailabilityA
vail
abil
ity
Ava
ilab
ilit
y
100%100%
0%0%
Number of componentsNumber of components
Component 1 Component 1 98% 98%
availabilityavailability
Component 2 Component 2 98% 98%
availabilityavailability
Component 3 Component 3 98% 98%
availabilityavailability
Component 4 Component 4 98% 98%
availabilityavailability
Component 5 Component 5 98% 98%
availabilityavailability
.98 x .98 x .98 x .98 x .98 = .9039.98 x .98 x .98 x .98 x .98 = .9039
Overall service availabilityOverall service availability
Complexity of the system increases as Complexity of the system increases as the number of components increasethe number of components increase
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 13
AvailabilityAvailability
Component 1 Component 1 98% 98%
availabilityavailability
Component 2 Component 2 98% 98%
availabilityavailability
Component 3 Component 3 98% 98%
availabilityavailability
Component 4 Component 4 98% 98%
availabilityavailability
Component 5 Component 5 98% 98%
availabilityavailability
.98 x .98 x .98 x .98 x .98 = .9039.98 x .98 x .98 x .98 x .98 = .9039Component 1 Component 1
98% 98% availabilityavailability
Component 2 Component 2 98% 98%
availabilityavailability
Component 3 Component 3 98% 98%
availabilityavailability
Component 4 Component 4 98% 98%
availabilityavailability
Component 5 Component 5 98% 98%
availabilityavailability
Redundancy:Redundancy:
If each component has a failure rate of .02, If each component has a failure rate of .02, then a complete failure of the system isthen a complete failure of the system is
.02 x .02 x .02 x .02 x .02 = .000000032.02 x .02 x .02 x .02 x .02 = .000000032
Components running in parallel Components running in parallel (i.e., each component is capable (i.e., each component is capable of doing of doing allall functions) functions)
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 14
Making a High-Availability FacilityMaking a High-Availability Facility
• Uninterruptible electric power deliveryUninterruptible electric power delivery• Physical securityPhysical security• Climate control and fire suppressionClimate control and fire suppression• Network connectivityNetwork connectivity• N+1 and N+N redundancy of mission critical N+1 and N+N redundancy of mission critical
componentscomponents
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 15
Malicious Threats and Defensive Malicious Threats and Defensive MeasuresMeasures
• Types of threats:Types of threats:– External attacks – denial of service (DoS)External attacks – denial of service (DoS)– Intrusion – access via the IT infrastructureIntrusion – access via the IT infrastructure– Viruses and wormsViruses and worms
• Defensive measuresDefensive measures– Security policies – defines security by Security policies – defines security by
recognizing IT as a resourcerecognizing IT as a resource– Firewalls Firewalls – AuthenticationAuthentication– EncryptionEncryption– Patching and change managementPatching and change management– Intrusion detection and network monitoringIntrusion detection and network monitoring
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 16
Risk ManagementRisk Management
• Risk of failure or a breach of securityRisk of failure or a breach of security• Must be classified (i.e., critical, not critical, etc.)Must be classified (i.e., critical, not critical, etc.)• Addressed in proportion to their likelihood and Addressed in proportion to their likelihood and
potential consequencespotential consequences• Management action to mitigate risksManagement action to mitigate risks
– Costs vs. potential benefitsCosts vs. potential benefits– Expected loss (probability of a threat occurring Expected loss (probability of a threat occurring
x cost)x cost)
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 17
Prioritization of RisksPrioritization of Risks
Con
sequ
ence
sC
onse
quen
ces
HighHigh
LowLow
ProbabilityProbability00 11
Critical Critical ThreatsThreats
Minor Minor ThreatsThreats
FloodingFlooding
EarthquakeEarthquake
LightningLightning
ConstructionConstruction
HackingHacking
IntrusionIntrusion
FireFire
Corporate espionageCorporate espionage
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 18
Managing Threats and RisksManaging Threats and Risks
• Sound infrastructure designSound infrastructure design• Disciplined execution of operating proceduresDisciplined execution of operating procedures• Careful documentationCareful documentation• Established crisis management proceduresEstablished crisis management procedures• Rehearsing incident responseRehearsing incident response
– Security auditSecurity audit• Recovery proceduresRecovery procedures
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 19
Another View of Security and Another View of Security and Threats…Threats…
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 20
Countermeasures and Contingency PlansCountermeasures and Contingency PlansCountermeasures and Contingency PlansCountermeasures and Contingency Plans
ThreatsThreats
• Any situation or event, whether intentional or Any situation or event, whether intentional or unintentional, that will adversely affect a system unintentional, that will adversely affect a system and consequently the organization.and consequently the organization.– Tangible losses (hardware, software, data)Tangible losses (hardware, software, data)– Intangible losses (credibility, confidentiality)Intangible losses (credibility, confidentiality)
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 21
Threats and CountermeasuresThreats and Countermeasures
• Initiate countermeasures to overcome threatsInitiate countermeasures to overcome threats– Consider the types of threat and their impact Consider the types of threat and their impact
on the organizationon the organization• Cost-effectivenessCost-effectiveness• FrequencyFrequency• SeveritySeverity
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 22
Threats and CountermeasuresThreats and Countermeasures
• Objective is to achieve a balance between a Objective is to achieve a balance between a reasonable secure operation, which does not reasonable secure operation, which does not unduly hinder users, and the costs of maintaining unduly hinder users, and the costs of maintaining it.it.
• Risks are independent of the countermeasuresRisks are independent of the countermeasures
CountermeasuresCountermeasuresCountermeasuresCountermeasures
CostsCostsCostsCosts SecuredSecuredOperationsOperationsSecuredSecured
OperationsOperations
RisksRisks
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 23
CountermeasuresCountermeasures
• Computer-based vs. Non-computer-basedComputer-based vs. Non-computer-based
Implemented Implemented through the through the operating system operating system and/or DBMSand/or DBMS
Management Management policies and policies and proceduresprocedures
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 24
Computer-Based ControlsComputer-Based Controls
• AuthorizationAuthorization• Backup (and recovery)Backup (and recovery)• JournalingJournaling• Integrity controlsIntegrity controls• EncryptionEncryption• Associated proceduresAssociated procedures
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 25
Noncomputer-Based ControlsNoncomputer-Based Controls
• Security policy and contingency plansSecurity policy and contingency plans• Personnel controlsPersonnel controls• Securing positioning of equipmentSecuring positioning of equipment• Secure data and softwareSecure data and software• Escrow agreementsEscrow agreements• Maintenance agreementsMaintenance agreements• Physical access controlsPhysical access controls• Building controlsBuilding controls• Emergency arrangementsEmergency arrangements
Management-Management-orientedoriented
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 26
Non-Computer-Based Controls:Non-Computer-Based Controls:
Countermeasures Countermeasures
• Security policy and contingency planSecurity policy and contingency plan– Security - covers the operations of the databaseSecurity - covers the operations of the database– Contingency plan - addresses plans for Contingency plan - addresses plans for
catastrophic eventscatastrophic events• Procedures to follow Procedures to follow • Line of commandLine of command
• Personal controlsPersonal controls– Assessing and monitoring employeesAssessing and monitoring employees– TrainingTraining– Responsibilities - sharing and splittingResponsibilities - sharing and splitting– Job controlsJob controls
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 27
Non-Computer-Based Controls:Non-Computer-Based Controls:
CountermeasuresCountermeasures
• Securing:Securing:– HardwareHardware– Data and softwareData and software
• Physical access controlsPhysical access controls– Internal and externalInternal and external
• Emergency arrangementsEmergency arrangements– Cold, warm and hot sitesCold, warm and hot sites
R. Ching, Ph.D. • MIS Area • California State University, Sacramento 28
Non-Computer-Based Controls:Non-Computer-Based Controls: Countermeasures Countermeasures
• Risk analysisRisk analysis– Identify assetsIdentify assets– Identify threats and risksIdentify threats and risks– Establish their costs relative to lossesEstablish their costs relative to losses– Determine countermeasureDetermine countermeasure
• Establish effectiveness of the Establish effectiveness of the countermeasurecountermeasure
• Establish cost of implementing the Establish cost of implementing the countermeasurecountermeasure
– Examine cost/benefit of countermeasureExamine cost/benefit of countermeasure– Make recommendationMake recommendation