MODULE 10: Assuring Reliable and Secure IT Services

Course: J0422 / Manajemen E-Corporation

Year: 2005

Version: 1 / 2


Learning Outcomes

In this chapter, we will study: How to build high-availability facilities like Physical Security, Uninterruptible Electric Power, Climate Control and Fire Suppression, etc.

Responsible managers must build defenses against these threats to secure a company’s information-related assets—its data, infrastructure components, and reputation.

Defense against hackers is difficult. The threats are varied, sophisticated and ever-evolving, and security is a matter of degree rather than absolutes.


Outline Topic

• Availability Math
• Securing Infrastructure against Malicious Threats
• Risk Management of Availability and Security


Content

The emergence of Web-based commerce has accelerated the expansion of a world-wide network capable of transmitting information reliably and securely across vast distances.

The inherent reliability of modern Internetworks is a legacy of U. S. Dept. of Defense research in the 1960s that led to technologies robust enough to withstand a military attack.

The key to this inherent reliability is redundancy.

Some components of a firm’s infrastructure are not inherently reliable.

The reliability of processing systems, for example, is a function of how they are designed and managed.

As with Internetworks, the key to reliable systems is redundancy.


Assuring Reliable and Secure IT Services

Reliability through redundancy comes at a price. It means buying extra equipment (computers, switches, software, electric generators) to guard against failures. Every increment of additional redundancy makes outages less likely, but every increment increases expenses as well.

How much reliability to buy is a management decision highly contingent on numerous, mostly business, factors.

Some costs of failures are intangible and hard to quantify. It may be possible to estimate, for example, the direct revenues your company will lose if your Web-based retail site goes down for two hours in the middle of the day, but it is harder to gauge how many customers will never return. In addition, it is difficult to estimate the probabilities of such events.


Assuring Reliable and Secure IT Services

Redundant systems are more complex than nonredundant systems, and this complexity must be managed.

Businesses need policies that determine how to integrate redundant elements into a company’s overall infrastructure:
• How backup systems and equipment will be brought online
• How problems will be diagnosed and triaged
• Who will be responsible for responding to incidents

Managers also must guard against malicious threats to computing infrastructure. Malicious threats, similar to accidental failures in their potential cost and unintended ripple effect, are designed specifically to damage a company’s business.

Instigators of malicious threats, called hackers, range from pranksters to organized criminals and even international terrorists.

Increasingly, attacks are automated and systematic, carried out by wrecking routines set loose on the Internet to probe for vulnerabilities and inflict damage.


Availability Math

The reliability of computing infrastructure is often discussed in terms of the availability of a specific information technology (IT) service or system.

A system that is 98% available is on average up and ready to be used 98% of the time.

A business’s tolerance for outages varies by system and situation. Downtime that occurs in large chunks of time might be more of a problem than the same total amount of downtime occurring in increments that never exceed three minutes in a single outage.

We can better appreciate how difficult it is to achieve high levels of reliability if we consider how rates of availability for components combine into overall system or service availability.

Most IT services are not delivered by a single component but by a number of components working together.


Availability of Components in Series

Suppose you have five components connected in series that together deliver an IT service. Assume that each component has an availability of 98 percent, which means a half hour per day of downtime for each component on average. Computation of service availability is straightforward.

For the service to be up and running, all five components must be up and running.

At any given time the probability that a component is up and running is .98 (meaning 98% availability), so the probability that Component 1 and Component 2 and Component 3 and Component 4 and Component 5 are all up and running is .98 x .98 x .98 x .98 x .98 = .9.

The overall service availability is 90% which means the service is unavailable 10% of the time or almost 2-1/2 hours a day.


The Effect of Redundancy on Availability

Suppose you have five components connected in parallel involved in the provision of an IT service. The components are identical, and any one of them can perform the functions needed to support the service.

As in the earlier example, each individual component has an availability of 98% and each component experiences outages randomly. The computation for the overall availability of these parallel components is also straightforward.

The overall availability of these components combined in parallel therefore is 99.99999968%, which is eight nines of availability.
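The series and parallel computations from the two slides above, worked through in code as an added example (not part of the original slides). It works with unavailability to avoid rounding loss near 100%; the function names, the target-driven sizing and the "redundant chain" layout are assumptions made for illustration, and outages are treated as independent, as the slide states.

```python
import math

HOURS_PER_DAY = 24.0

def series_unavailability(availabilities):
    """Series: the service is up only when every component is up."""
    return 1.0 - math.prod(availabilities)

def parallel_unavailability(availability, n):
    """n identical parallel components with independent outages:
    the service is down only when all n are down at the same time."""
    return (1.0 - availability) ** n

def nines(unavailability):
    """Leading nines in the availability figure (98% -> 1, 99.9% -> 3)."""
    if unavailability <= 0.0:
        return math.inf
    return math.floor(-math.log10(unavailability))

def downtime_hours_per_day(unavailability):
    return unavailability * HOURS_PER_DAY

def min_parallel(availability, target):
    """Smallest number of parallel components that reaches the target."""
    if not (0.0 < availability < 1.0 and 0.0 < target < 1.0):
        raise ValueError("availability and target must lie strictly between 0 and 1")
    n = 1
    while parallel_unavailability(availability, n) > 1.0 - target:
        n += 1
    return n

def redundant_chain_unavailability(availability, stages, copies):
    """Assumed layout (not from the slides): `stages` functions in series,
    each function served by `copies` interchangeable components."""
    stage = 1.0 - parallel_unavailability(availability, copies)
    return series_unavailability([stage] * stages)

if __name__ == "__main__":
    A = 0.98  # per-component availability used on the slides
    u = series_unavailability([A] * 5)
    print(f"5 in series:   {1 - u:.4%} available, "
          f"{downtime_hours_per_day(u):.2f} h/day down")
    u = parallel_unavailability(A, 5)
    print(f"5 in parallel: {1 - u:.8%} available, {nines(u)} nines")
    for n in range(1, 11):  # the curve plotted in Figure 6-4
        print(f"  n={n:2d}  {1 - parallel_unavailability(A, n):.10%}")
    print("parallel copies needed for 99.999%:", min_parallel(A, 0.99999))
    u = redundant_chain_unavailability(A, stages=5, copies=2)
    print(f"5 stages x 2 copies: {1 - u:.4%} available, "
          f"{downtime_hours_per_day(u) * 60:.1f} min/day down")
```

The last case shows why duplicating every stage of a serial chain matters: the chain is still limited by the product across stages, so each stage has to be far more available than the service target.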


The Effect of Redundancy on Availability

[Chapter 6, Figure 6-4: Redundancy Increases Overall Availability. Horizontal axis: Number of Components in Parallel (each 98% available), 1 to 10. Vertical axis: Availability, 98.0% to 100.0%.]

Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.


High Availability Facilities

Data centers provide a concrete sense of the availability decisions faced by infrastructure managers.

Today’s state-of-the-art facilities offer the following features:
• Uninterruptible Electric Power Delivery
• Physical Security
• Climate Control and Fire Suppression
• Network Connectivity
• Help Desk and Incident Response Procedures


N + 1 and N + N Redundancy

Most modern data centers try to maintain an “N + 1” level of redundancy of mission-critical components.

N + 1 means that for each type of critical component there should be at least one unit standing by.

Some companies aspire to higher levels of infrastructure redundancy. “N + N” redundancy requires twice as many mission-critical components as are necessary to run a facility at any one time.

Not surprisingly, high levels of availability are costly. Indeed, management decisions about the design of IT infrastructures always involve trade-offs between availability and the expense of additional components.

The answer boils down to one word: money.


N + 1 and N + N Redundancy

[Chapter 6, Figure 6-5: A Representative E-Commerce Infrastructure. Components shown: Internet, Router, Firewall 1, Firewall 2, Switch, Web Server 1, Web Server 2, Application Server 1, Application Server 2, Policy Server 1, Policy Server 2, Database Server, Disk Array.]

Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.


Securing Infrastructure against Malicious Threats

The threat is growing.
• Ninety-one percent of companies and agencies that responded to a 2001 survey conducted by the Computer Security Institute and the U. S. Federal Bureau of Investigation said they had detected security breaches in the last 12 months.

Who are the attackers?
• Some are thrill seekers, people who like the challenge of defeating defenses or getting in where they are not supposed to be.
• Even if they intend no damage, they are unknown elements interacting with the complexity of IT infrastructure in unpredictable ways which can precipitate accidents.
• Other attackers have a specific dislike of a company and intend to do it harm.

All attackers represent serious threats.
• Even a thrill seeker who gains access but does no damage can harm a company’s reputation if word of a breach gets out.


Securing Infrastructure against Malicious Threats

[Chapter 6, Figure 6-7: A Distributed Denial of Service Attack. The diagram shows an Attack Leader, Attackers 1 through 8, and the Website Server. Caption: Attack Leader facilitates SYN floods from multiple sources.]

Source: Austin, Robert D. "The iPremier Company, The (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.


Securing Infrastructure against Malicious Threats

Many hackers who penetrate a company’s defenses set up routes through which they can return, opening doors that they hope company managers will not notice.

Responsible managers must build defenses against these threats to secure a company’s information-related assets: its data, infrastructure components, and reputation.


Classification of Threats

Threats can be divided into categories:
» External
» Intrusion
» Viruses and Worms


Defensive Measures

Defense against hackers is difficult. The threats are varied, sophisticated and ever-evolving, and security is a matter of degree rather than absolutes.

There is no master list against which a company can compare its defenses and, after checking everything, declare its infrastructure secure.


Defensive Measures

Security Policies

To defend computing resources against inappropriate use, a company must specify what is meant by “inappropriate.”

Security policies address questions such as the following:
• What kinds of passwords are users allowed to create for use on company systems and how often should they change?
• Who is allowed to have accounts on company systems?
• What security features must be activated on a computer before it can connect to a company network?
• What services are allowed to operate inside the network?
• What are users allowed to download?
• How is the security policy enforced?


Defensive Measures

• Firewalls: A firewall is a collection of hardware and software designed to prevent unauthorized access to a company’s internal computer resources.
• Authentication: Authentication describes the variety of techniques and software used to control who accesses elements of computing infrastructure.
• Encryption: Encryption renders the contents of electronic transmissions unreadable by anyone who might intercept them.
• Patching and Change Management: A surprising number of attacks exploit weaknesses in systems for which “patches” already exist at the time of the attack.
• Intrusion Detection and Network Monitoring: Intrusion detection and network monitoring work together to help network administrators recognize when their infrastructure is or has been under attack. Network monitoring automatically filters out external attack traffic at the boundary of company networks.


A Security Management Framework

The following principles of security management remain relevant:

• Make Deliberate Security Decisions
• Consider Security a Moving Target
• Practice Disciplined Change Management
• Educate Users
• Deploy Multilevel Technical Measures, as Many as You Can Afford


Risk Management of Availability and Security

Companies cannot afford to address every threat to the availability and security of IT infrastructure with equal aggressiveness.

Management actions to mitigate risks must be prioritized with an eye to their costs and potential benefits.

Managing Incidents Before They Occur

Pre-crisis practices that make incidents more manageable:

• Sound infrastructure design
• Disciplined execution of operating procedures
• Careful documentation
• Established crisis management procedures
• Rehearsing incident response


Risk Management of Availability and Security

Managing During an Incident

When faced with a crisis, some obstacles include:

Emotional responses, including confusion, denial, fear and panic

Wishful thinking and groupthink

Political maneuvering, diving for cover, and ducking responsibility

Leaping to conclusions and blindness to evidence that contradicts current beliefs


Risk Management of Availability and Security

Managing After an Incident

After an incident, infrastructure managers often need to rebuild parts of the infrastructure. Sometimes erasing and rebuilding everything from scratch is the only way to be sure the infrastructure is restored to its pre-incident state.

Figuring out exactly what caused an incident is sometimes difficult, but it must be done regardless of the cost.


Chapter Summary

Executives can use the following questions to assess their own preparedness for these 21st-century challenges:

• How available do the systems in our application portfolio need to be?
• Are our infrastructure investments in availability aligned with requirements?
• Are we taking security threats seriously enough?
• How secure is our current infrastructure?
• How do we assess information security on an ongoing basis?
• Have IT staff members received adequate training?
• How do we compare with information security best-in-class organizations?


Chapter Summary

• Do we have a solid security policy in place?
• Were business managers as well as IT managers involved in creating it?
• Do users know about it and understand it? Do they accept it?
• How is the policy enforced?
• Do we have plans for responding to infrastructure incidents?
• Do we practice them on a regular basis?
• Are staff members trained in incident response?
• What are our plans and policies for communicating information about incidents to external parties such as customers, partners, the press, the public?