
Week 6 Monday, February 27






Presentation Transcript


  1. Week 6, Monday, February 27 • IT Infrastructure: Reliability and Security of IT Services • Security

  2. IT Infrastructure, Another View…

  3. IT Architecture and Advances in IT • Era I - Mainframe (1950’s - 1970s) • IT paradigm • Centralized computing • Automated functions • Information management • Focus on data (i.e., data processing and efficiency) • Fixed reporting • File-based

  4. IT Architecture and Advances in IT • Era II - PC (1970’s - 1980s) • IT paradigm • Microcomputer • Decentralized, end-user developed computing • Information management • Focus on information (i.e., specialized applications) • Specialized and personal software (i.e., electronic spreadsheets, word processing, file management) • Islands of information

  5. IT Architecture and Advances in IT • Era III - Network (1990’s - present) • IT paradigm • Client/server (fat and thin clients) • Internet, intranet (within the organization), extranet (between the organization and its suppliers/partners) • End-user computing • Information management • Focus on knowledge (i.e., OLAP tools, data warehousing/mining) • Relational and OO database (centralized data repository)

  6. Infrastructure: Delivering the right information to the right people at the right time • Delivering IT resources to support users throughout the organization • Four layer infrastructure (Weill and Broadbent) • IT components • Human IT infrastructure • Shared IT services – services that users can draw upon and share to conduct business • Shared and standard IT applications – stable applications that change less frequently

  7. Structure of the IT Infrastructure • Local applications • IT infrastructure, from the top layer down: • Shared and standard IT applications • Shared IT services • Human IT infrastructure • IT components

  8. Three Views of IT Infrastructure • Economies of scale (utility) – providing IT/IS as a service to the business to facilitate operations • Emphasis on reducing costs • Support for business programs (dependent) – IT tied to business plan and value-added initiatives • Flexibility to meet changes in the marketplace (enabling) – IT planning tied to business strategic plan • Co-alignment between business strategy and IT strategy • Strategic IT and strategic IT planning

  9. Strategic Grid: Placing Infrastructure Planning and Management in Perspective • Axes: impact of existing IT applications (low to high; high is mission critical, low is less critical) against impact of future IT applications (low to high) • Strategic (high existing, high future) – strategic IT plan, initiatives • Factory (high existing, low future) – operational IT • Turnaround (low existing, high future) – gradual adoption • Support (low existing, low future) – basic elements • How we view reliability and security depends on where the organization lies on the strategic grid.

  10. Reliability and Availability of the Infrastructure

  11. Infrastructure Reliability • Ensuring continuous operations in support of the organization • 24 x 7 operation (if important) • Redundancy of components • Cost of maintaining continuous operations vs. cost of failure • Threats and countermeasures

  12. Availability • Five components in series, each with 98% availability • Overall service availability: .98 x .98 x .98 x .98 x .98 = .9039 • Complexity of the system increases as the number of components increases • (Chart: availability, from 100% down to 0%, against number of components)

  13. Availability • Five components in series, each with 98% availability: .98 x .98 x .98 x .98 x .98 = .9039 • Redundancy: components running in parallel (i.e., each component is capable of doing all functions) • If each component has a failure rate of .02, then a complete failure of the system is .02 x .02 x .02 x .02 x .02 = .000000032

  14. Making a High-Availability Facility • Uninterruptible electric power delivery • Physical security • Climate control and fire suppression • Network connectivity • N+1 and N+N redundancy of mission critical components
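The arithmetic behind slides 12 and 13 (components in series versus fully redundant components in parallel) and the N+1 / N+N redundancy named on slide 14, as a Python module added here for illustration; it is not part of the original slides. The `k_of_n_availability` helper goes beyond the slides: it generalises both cases to "at least k of n identical components must be up", which is how an N+1 or N+N arrangement is scored, and series (k = n) and parallel (k = 1) fall out as special cases. For reference, .02 to the fifth power evaluates to 3.2e-9 (0.0000000032).

```python
from math import comb


def series_availability(avails):
    """Availability of a chain of components that must ALL be up at once.
    Each element is one independent component's availability (0..1)."""
    result = 1.0
    for a in avails:
        result *= a
    return result


def parallel_availability(avails):
    """Availability of fully redundant components (any one can do every
    function): the service is down only when ALL of them fail at once."""
    all_fail = 1.0
    for a in avails:
        all_fail *= (1.0 - a)
    return 1.0 - all_fail


def k_of_n_availability(a, n, k):
    """Availability of n identical components of availability a when at
    least k of them must be up (N+1 redundancy is k = n - 1; N+N is k = n / 2).
    Sums the binomial probabilities that j >= k components are up."""
    return sum(comb(n, j) * a ** j * (1.0 - a) ** (n - j) for j in range(k, n + 1))


def downtime_hours_per_year(availability):
    """Turn an availability fraction into expected hours of outage per year."""
    return (1.0 - availability) * 24 * 365


if __name__ == "__main__":
    chain = [0.98] * 5  # the slides' five 98% components
    print("series:       %.4f" % series_availability(chain))      # 0.9039
    print("parallel:     %.10f" % parallel_availability(chain))   # 0.9999999968
    print("5 of 6 (N+1): %.6f" % k_of_n_availability(0.98, 6, 5))
    print("hours/year down, series: %.0f"
          % downtime_hours_per_year(series_availability(chain)))
```

The downtime conversion is the number that usually lands in a service-level discussion: five 98% components in series give about 842 hours of outage a year, while the same five in parallel bring the all-fail probability down to the order of 10^-9. The binomial form also makes the trade-off of N+1 visible: one spare component recovers most of the loss without paying for full N+N duplication.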

  15. Malicious Threats and Defensive Measures • Types of threats: • External attacks – denial of service (DoS) • Intrusion – access via the IT infrastructure • Viruses and worms • Defensive measures • Security policies – defines security by recognizing IT as a resource • Firewalls • Authentication • Encryption • Patching and change management • Intrusion detection and network monitoring

  16. Risk Management • Risk of failure or a breach of security • Must be classified (i.e., critical, not critical, etc.) • Addressed in proportion to their likelihood and potential consequences • Management action to mitigate risks • Costs vs. potential benefits • Expected loss (probability of a threat occurring x cost)

  17. Prioritization of Risks • Grid: consequences (low to high) against probability (0 to 1) • Critical threats (toward the high-consequence, high-probability corner): fire, hacking, earthquake, intrusion, corporate espionage • Minor threats (toward the low corner): construction, flooding, lightning
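Slide 16's expected-loss formula (probability of a threat occurring x cost) applied to a small threat register and then used to order and label the threats in the spirit of slide 17's grid. This is an added Python example, not from the original slides; the threat names match the slide but every probability and cost figure is constructed for illustration, and the rule that a threat is "critical" once its annual expected loss reaches a threshold is an assumption made here, since the slides only show the grouping, not the cut-off.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float   # chance of at least one occurrence per year (0..1)
    cost: float          # loss if it occurs, in currency units


def expected_loss(threat):
    """Slide 16's formula: probability of the threat occurring x cost."""
    return threat.probability * threat.cost


def classify(threat, critical_threshold):
    """Assumed rule (not from the slides): a threat whose annual expected
    loss reaches the threshold is 'critical', otherwise 'minor'."""
    return "critical" if expected_loss(threat) >= critical_threshold else "minor"


def prioritize(threats, critical_threshold):
    """Rank threats by expected loss, highest first, and label each one.
    Returns (name, expected_loss, label) tuples."""
    ranked = sorted(threats, key=expected_loss, reverse=True)
    return [(t.name, expected_loss(t), classify(t, critical_threshold)) for t in ranked]


# Constructed sample register: illustrative values only, not from the slides.
SAMPLE_THREATS = [
    Threat("Fire", 0.02, 5_000_000),
    Threat("Intrusion", 0.30, 400_000),
    Threat("Earthquake", 0.005, 20_000_000),
    Threat("Construction damage", 0.10, 50_000),
    Threat("Flooding", 0.01, 200_000),
    Threat("Lightning", 0.05, 30_000),
]

if __name__ == "__main__":
    for name, loss, label in prioritize(SAMPLE_THREATS, critical_threshold=50_000):
        print(f"{name:20s} expected loss {loss:>12,.0f}  {label}")
```

The ranking shows why the slide insists on both likelihood and consequence: a frequent, moderate-cost intrusion and a rare, catastrophic earthquake end up with comparable expected losses, so neither the most probable nor the most expensive event alone tells the organization where to spend first.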

  18. Managing Threats and Risks • Sound infrastructure design • Disciplined execution of operating procedures • Careful documentation • Established crisis management procedures • Rehearsing incident response • Security audit • Recovery procedures

  19. Another View of Security and Threats…

  20. Threats • Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently the organization. • Tangible losses (hardware, software, data) • Intangible losses (credibility, confidentiality) • Countermeasures and Contingency Plans

  21. Threats and Countermeasures • Initiate countermeasures to overcome threats • Consider the types of threat and their impact on the organization • Cost-effectiveness • Frequency • Severity

  22. Threats and Countermeasures • Objective is to achieve a balance between a reasonably secure operation, which does not unduly hinder users, and the costs of maintaining it. • Risks are independent of the countermeasures • (Diagram: secured operations balanced against costs, with countermeasures on one side and risks on the other)

  23. Countermeasures • Computer-based vs. Non-computer-based • Computer-based: implemented through the operating system and/or DBMS • Non-computer-based: management policies and procedures

  24. Computer-Based Controls • Authorization • Backup (and recovery) • Journaling • Integrity controls • Encryption • Associated procedures

  25. Noncomputer-Based Controls (management-oriented) • Security policy and contingency plans • Personnel controls • Secure positioning of equipment • Secure data and software • Escrow agreements • Maintenance agreements • Physical access controls • Building controls • Emergency arrangements

  26. Non-Computer-Based Controls: Countermeasures • Security policy and contingency plan • Security - covers the operations of the database • Contingency plan - addresses plans for catastrophic events • Procedures to follow • Line of command • Personnel controls • Assessing and monitoring employees • Training • Responsibilities - sharing and splitting • Job controls

  27. Non-Computer-Based Controls: Countermeasures • Securing: • Hardware • Data and software • Physical access controls • Internal and external • Emergency arrangements • Cold, warm and hot sites

  28. Non-Computer-Based Controls: Countermeasures • Risk analysis • Identify assets • Identify threats and risks • Establish their costs relative to losses • Determine countermeasure • Establish effectiveness of the countermeasure • Establish cost of implementing the countermeasure • Examine cost/benefit of countermeasure • Make recommendation
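The eight risk-analysis steps on slide 28 carried through end to end in Python, as an added example that is not part of the original slides. Assets, threats, probabilities, loss fractions, countermeasure effectiveness and annual costs are all constructed values; the scoring rule (expected loss before minus expected loss after the countermeasure, minus its annual cost, recommend when positive) is the usual cost/benefit reading of the slide's last two steps and is an assumption made here, not text from the slides.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                 # step 1: what is at stake, in currency units


@dataclass
class Risk:
    asset: Asset
    threat: str                  # step 2: the threat to this asset
    probability: float           # annual probability of the threat (0..1)
    loss_fraction: float         # step 3: share of the asset's value lost per event (0..1)

    def expected_loss(self):
        """Annual expected loss: probability x cost of one occurrence."""
        return self.probability * self.asset.value * self.loss_fraction


@dataclass
class Countermeasure:
    name: str                    # step 4: the candidate countermeasure
    effectiveness: float         # step 5: fraction of the expected loss it removes (0..1)
    annual_cost: float           # step 6: what it costs per year to implement and run


def evaluate(risk, measure):
    """Steps 7 and 8: compare the loss avoided with the countermeasure's cost
    and turn the result into a recommendation."""
    before = risk.expected_loss()
    after = before * (1.0 - measure.effectiveness)
    net_benefit = (before - after) - measure.annual_cost
    return {
        "threat": risk.threat,
        "countermeasure": measure.name,
        "expected_loss_before": before,
        "expected_loss_after": after,
        "annual_cost": measure.annual_cost,
        "net_benefit": net_benefit,
        "recommend": net_benefit > 0,
    }


# Constructed sample data: illustrative figures only, not from the slides.
CUSTOMER_DB = Asset("Customer database", 2_000_000)
DATA_CENTRE = Asset("Data centre", 5_000_000)

SAMPLE_CASES = [
    (Risk(CUSTOMER_DB, "Intrusion", 0.30, 0.2),
     Countermeasure("Intrusion detection and monitoring", 0.6, 40_000)),
    (Risk(DATA_CENTRE, "Fire", 0.02, 1.0),
     Countermeasure("Fire suppression upgrade", 0.5, 80_000)),
]


def run_analysis(cases=SAMPLE_CASES):
    """Evaluate every (risk, countermeasure) pair and return the results."""
    return [evaluate(risk, measure) for risk, measure in cases]


if __name__ == "__main__":
    for r in run_analysis():
        verdict = "recommend" if r["recommend"] else "do not recommend"
        print(f"{r['threat']:10s} {r['countermeasure']:36s} "
              f"loss {r['expected_loss_before']:>9,.0f} -> {r['expected_loss_after']:>9,.0f}, "
              f"cost {r['annual_cost']:>7,.0f}, net {r['net_benefit']:>+9,.0f}: {verdict}")
```

In the sample run the intrusion control pays for itself (72,000 of avoided loss against a 40,000 annual cost) while the fire-suppression upgrade does not (50,000 avoided against 80,000), which is the point of slide 22: the countermeasure budget is set against the risk it actually removes, not against the severity of the threat on its own.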
