Disseminating Organizational IT Security and Troubleshooting Best Practices
Part 1
Memo: Action Plan
Attn: All Employees
The strategy to improve the security of the company’s IT infrastructure, in response to a recent series of breaches of enterprise network systems, is a multi-level plan for controlling risk to data and operations. Deploying the IT user authentication plan will ensure that designated user access to the network is robust enough to withstand future security breaches, including threats posed by social engineering. The Action Plan covers: 1) wireless encryption; and 2) the designated user credential process, as well as cloud data storage and the company’s contingency plan for meeting the recovery time objective (RTO) in case of systems failure.
Objectives of the User Authentication Policy
The IT Department’s plan of action for authentication and authorization when configuring secure user accounts is part of a broader strategy that also defines technical guidelines for the RTO and operating system troubleshooting techniques. The two major network security breach scenarios are threats to 1) the company’s network security infrastructure, where a virus or other malicious intrusion may cause systems failure; and 2) the integrity of data important to the operations of the business. To this end, implementing the authentication policies for 1) wireless encryption and 2) designated user access to the company’s cloud data storage will eliminate major risks to the company’s enterprise network and key organizational information. Prevention planning also includes the contingency plan (CP) to ensure that the recovery time to operations is met according to schedule.
Companywide Security Protocol
The company has established four (4) security best practices that inform the security protocol for controlling the risk of a network breach:
- As soon as the WLAN router goes live, user administrators should change the default password;
- Alphanumeric passwords are assigned to employees accessing the system and the cloud;
- Compatible WPA/WEP encryption is enabled to scramble messages sent over wireless networks so that they cannot be readily discerned; and
- SSID broadcast should be turned off so that the network is not visible to others.
Continuous monitoring of and reporting on system access, together with automatic upload of data to the company’s cloud, is an added provision ensuring that information is stored and protected from loss.
Contingency Plan
The troubleshooting steps to follow in case of actual systems failure or loss of integrity of company data are outlined in the Action Plan’s Contingency Plan (CP). The CP is designed to fulfill the company’s security risk management protocols. Operating system troubleshooting techniques correspond to the three (3) main scenarios in which authentication fails: 1) wireless encryption (i.e. hacking); 2) violation of designated user credentials; or 3) another threat to the cloud security infrastructure that may compromise the company network or its data.
The specific IT administration activities required to resolve an enterprise systems failure are cited in the Contingency Plan (CP). The company policy guiding the development of authentication policies is designed to 1) monitor intrusion into network security and 2) define the recovery time to operations. The CP is modeled as a drill-down of three contiguous areas of risk: 1) Incident Response (IR), 2) Disaster Recovery (DR), and 3) Business Continuity (BC) strategies (Figure 1).
Figure 1. CP guides IT administration of RTO in case of enterprise systems failure, or compromise of data security.
Part 2
The two major network security breach scenarios are threats to 1) the company’s network security infrastructure, where a virus or other malicious intrusion may cause systems failure; and 2) the integrity of data important to the operations of the business. Prevention planning also includes the contingency plan (CP) to ensure that the recovery time to operations is met according to schedule. To this end, the implementation of the authentication policies for 1) wireless encryption and 2) designated user access to the company’s cloud data storage is outlined in the strategy:
Wireless Encryption
Wireless networking enables shared access to the internet by means of an external device, the router, and an internal WiFi component, the modem. As soon as the WLAN router goes live, user administrators should change the default password. Alphanumeric passwords are recommended so that intruders cannot readily break into the account. Turn on compatible WPA/WEP encryption to scramble messages sent over wireless networks so that they cannot be readily discerned.
Several encryption technologies now exist for Wi-Fi. The SSID broadcast should be turned off so that the network is not visible to others. A default SSID is generally an indication of a weak network configuration, advertising the system to attackers as available and vulnerable. Some wireless routers offer the option of reducing signal range to limit users outside the dedicated location. Remote administration should remain turned off, as in the default setting, and this should be double-checked frequently; when the service is turned on, the router can be reached from outside the network.
Security Protocol
The IT Department recognizes that the security options available for wireless networks are relatively weak compared to wired infrastructure. At present, there are three (3) main security protocols for home wireless networks: WEP, WPA, and WPA2.
WEP (Wired Equivalent Privacy) is the oldest of the standard wireless protocols. It is also the most readily compromised. WEP uses standard 40-bit encryption; some products offer 104-bit encryption, which scrambles data better. WEP encryption protects only the link between the access point and the wireless device, and that protection may be lost in transit on certain networks. The WEP algorithm is flawed compared to newer network security protocols, which makes a WEP-protected network easy to break into. Upgrading to WPA or WPA2 encryption is recommended.
WPA (Wi-Fi Protected Access) solved many of the problems that WEP posed to secure network use. WPA’s integrity check, its handling of encryption keys, and its user authentication via EAP (Extensible Authentication Protocol) are sound (Seddon and Calvert, 2010). EAP encrypts user names and passwords effectively. WPA2 extends WPA’s capabilities for home wireless router access and uses AES (Advanced Encryption Standard).
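As an added example (not part of the original memo), the following Python script audits a router configuration against the four best practices above and the WEP/WPA/WPA2 ranking just described. The configuration keys, the as-shipped password value and the factory SSID prefixes are constructed placeholders for the example, not values taken from any vendor manual.

```python
import re

# Constructed placeholders for this example (not vendor values): the as-shipped
# administrator password and SSID prefixes that mark a factory-default network.
DEFAULT_ADMIN_PASSWORD = "admin"
FACTORY_SSID_PREFIXES = ("default", "linksys", "netgear", "dlink")

# Ranking from the memo: WEP is the most readily compromised, WPA improved on
# it, and WPA2 with AES is the recommended setting.
ENCRYPTION_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def password_is_alphanumeric(password: str) -> bool:
    """Memo rule: passwords mix letters and digits (8+ characters assumed here)."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None)


def audit_wlan(cfg: dict) -> list:
    """Return best-practice violations in a router config dict (constructed
    schema: admin_password, encryption, ssid, ssid_broadcast, remote_admin).
    Missing keys are treated as the as-shipped setting."""
    findings = []
    password = cfg.get("admin_password", DEFAULT_ADMIN_PASSWORD)
    if password == DEFAULT_ADMIN_PASSWORD:
        findings.append("default administrator password still in use")
    elif not password_is_alphanumeric(password):
        findings.append("administrator password is not alphanumeric")
    encryption = cfg.get("encryption", "open").lower()
    if ENCRYPTION_RANK.get(encryption, 0) < ENCRYPTION_RANK["wpa2"]:
        findings.append(f"encryption is {encryption}; upgrade to WPA2 (AES)")
    if cfg.get("ssid", "").lower().startswith(FACTORY_SSID_PREFIXES):
        findings.append("factory default SSID in use")
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID broadcast enabled")
    if cfg.get("remote_admin", False):
        findings.append("remote administration enabled")
    return findings


# Constructed sample configurations: one as shipped, one hardened per the memo.
AS_SHIPPED = {"admin_password": "admin", "encryption": "wep", "ssid": "linksys",
              "ssid_broadcast": True, "remote_admin": True}
HARDENED = {"admin_password": "Fl00r3Acc3ss", "encryption": "wpa2",
            "ssid": "corp-floor3", "ssid_broadcast": False, "remote_admin": False}

if __name__ == "__main__":
    for name, cfg in (("as-shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(f"{name}: {audit_wlan(cfg) or ['compliant']}")
```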
Integrating a third-party cloud into the security plan offers a high level of adaptability. For example, the IaaS offering Amazon EC2 enables client users to rent preconfigured machines, compatible with selected operating systems, on which to run applications. PaaS offerings run web applications on a search engine provider’s infrastructure. SaaS-driven cloud applications are the developer and programmer tools used to integrate cloud computing services into the enterprise environment. For instance, the Oracle SaaS Platform helps independent software developers build, deploy and administer SaaS and cloud-based applications. Licensing and support for Oracle SaaS Platform components are paid for by the company on a monthly basis.
Cloud computing companies make use of virtualization and service-oriented architecture. As an efficient means of delivering scalable computing services to client users, the cloud is critical to the continuity of the company’s lean and agile IT infrastructure strategy. Expanding the service menu to cover vital infrastructure in the form of file storage and CPU cycles, as well as development platforms (e.g., open source and service-oriented architecture) and enterprise software applications, is part of the strategy to improve our enterprise (Jensen & Schwenk 2009). Four (4) capabilities available through the cloud service architecture are part of the company’s IT infrastructure at present (Table 1).
Cloud computing increases network security in the following three (3) ways:
- Data Lock-in – extracting data and programs from one site in order to run them elsewhere is a concern. Data lock-in has prevented some organizations from adopting cloud service infrastructure. Standardisation of APIs allows the same software infrastructure to be configured for both private and public cloud environments. Adaptive application scaling for fault tolerance is one such solution (Radhakrishnan 2012).
- Data Confidentiality – cloud service offerings are open networks, so exposure to attacks is a threat. Encrypted storage, Virtual Local Area Networks (VLANs), and network middleboxes are solutions used to mitigate compromises of privacy. Cloud SaaS providers and SaaS users gain more flexibility in storage in this manner. For instance, Amazon S3 services in the US and Europe allow users to locate data in either jurisdiction.
- Data Transfer – costs 80 GBP to 120 GBP per terabyte transferred. The high cost of web-based transfers is mitigated by shipping disks; the least expensive method of forwarding data is via physical disk. Keeping files in place is encouraged so that data has no reason to leave the cloud, which reduces bottlenecks. Cluster transfer means that data may migrate from cloud to cloud while subscribers retain access to it regardless of its location.
Cloud hosting supports any private, public, partner or hybrid information systems network environment that might be interfaced in the future. While privately hosted cloud services are considered safer, dedicated services are more expensive than shared-tenancy settings. Encryption and ‘scrambling’ of file data from different clients stored on a single physical machine is said to be the solution. The benefits and risks of cloud integration in the company system were reviewed prior to selection of a service provider (Figure 1).
Figure 1. Cloud Computing Model for Pros and Cons (Hinchcliffe nd.).
The danger once posed to internal storage of files and data has been greatly reduced by the use of cloud computing on the network. Risk is rated on a five (5) point scale that relates probability to consequence (i.e. impact): probability ranges from ‘remote’ to ‘near certain’, and the potential hazard from ‘insignificant’ to ‘catastrophic’. As with any web-based IT service, enterprise system client users must consider contingency when deciding to contract cloud computing services (Chart 1).
Chart 1. Five (5) point risk matrix, Probability: Consequence ratio.
The major risk factors are illustrated in a risk analysis of cloud computing service threats, characterized by the ten (10) most common risks ranked in an ordinal audit, together with a nominal designation of each event’s probability-to-impact ratio (Appendix A). Cloud service risk ratios indicate the response required according to intensity and impact (Graph 1).
Graph 1. Cloud Service Risk Ratios designate response according to level of intensity and impact.
Minor risks in cloud computing services are seen in the limitations of software application interfaces, the maturity of solutions, lack of confidence in security and user competencies, legal protections (i.e. intellectual property rights) and variance in organizational support. Most organizations face multi-scale risk when considering the transfer of important data to a cloud (Bender 2012, CSA 2012, Determann 2011, Fleishman 2012, Hon 2012, Julisch 2010, Messmer 2009, Mohammed 2011, Trapani 2009, Wang et al. 2009, Ward & Janice 2010, Ward & Marie 2012, and Weier 2011).
Contingency Strategy
The IT Department’s recovery strategy is part of the company’s disaster response network plan, which ensures that operations are sustained and data integrity is protected at all times (Appendix B). The plan contains a complete list of all employees who must be contacted to implement recovery efforts. RTO of Work Area/Software: 3 days.
Appendix A
Appendix B
Keyword Descriptions
References
Antonopoulos, N. & Gillam, L. (2010). Cloud computing: Principles, systems and applications. London: Springer.
Armbrust, M. & Fox, A. (2009). Above the clouds. Berkeley, CA: University of California.
Bender, D. (2012). Privacy and security issues in cloud computing. Computer & Internet Lawyer, 29(10), 1-15.
Buyya, R., Broberg, J. & Goscinski, A. (2011). Cloud computing: Principles and paradigms. London: Wiley-Blackwell.
Buyya, R. et al. (2008). Cloud computing and emerging IT platforms. Elsevier, 22-48.
Catteddu, D. & Hogben, G. (Eds.) (2009). Cloud computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency.
Chang, F.L. (2012). Mitigating high latency outliers for cloud-based telecommunication services. Bell Labs Technical Journal, 17(2), 121-142.
Chang, Y. (2012). Scalable and elastic telecommunication services in the cloud. Bell Labs Technical Journal, 17(2), 81-96.
CSA (2012). Top threats to cloud computing. CSA.
Determann, L. (2011). Data privacy in the cloud: A dozen myths and facts. Computer & Internet Lawyer, 28(11), 1-8.
Fleishman, G. (2012). Control the keys to your cloud vault. PC World, 30(10), 37-40.
Foster, I., Zhao, Y., Raicu, I. & Lu, S. (2008). Cloud computing and grid computing 360-degree compared.
Hon, W.K. (2012). Data protection jurisdiction and cloud computing – when are cloud users and providers subject to EU data protection law? The cloud of unknowing. International Review of Law, Computers & Technology, 26(2), 129-164.
Jensen, M. & Schwenk, J. (2009). On technical security issues in cloud computing. 2009 IEEE International Conference on Cloud Computing.
Julisch, K. (2010). Security and control in the cloud. Information Security Journal: A Global Perspective, 19(6), 299-309.
Mell, P. & Grance, T. (2011). The NIST definition of cloud computing. CSRC NIST. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Messmer, E. (2009). Gartner on cloud security: Our nightmare scenario is here now. Computerworld, 22 October. Retrieved from: http://www.networkworld.com/news/2009/102109-gartner-cloud-security.html
Mohammed, D. (2011). Security in cloud computing: An analysis of key drivers and constraints. Information Security Journal: A Global Perspective, 20(3), 123-127.
Radhakrishnan, G. (2012). Adaptive application scaling for improving fault-tolerance and availability in the cloud. Bell Labs Technical Journal, 17(2), 5-14.
Seddon, P.B. & Calvert, C. (2010). A multi-project model of key factors affecting organizational benefits from enterprise systems. MIS Quarterly, 34(2), 305.
Trapani, G. (2009). The hidden risks of cloud computing. Lifehacker. Retrieved from: http://lifehacker.com/5325169/the-hidden-risks-of-cloud-computing
Wang, C. et al. (2009). Ensuring data storage security in cloud computing. TechRepublic. Retrieved from: http://www.techrepublic.com/whitepapers/ensuring-data-storage-security-in-cloud-computing/1188563?tag=mantle_skin;content
Ward, Classan & Marie, H.F. (2012). Avoiding turbulence in the cloud: Licensing and contractual issues for licensors, cloud providers and end users. Computer & Internet Lawyer, 29(2), 1-15.
Ward, B.T.S. & Janice, C. (2010). The internet jurisdiction risk of cloud computing. Information Systems Management, 27(4), 334-339.
Weier, M.H. (2011). The truth about SaaS & security. Workday Feature Articles. Retrieved from: http://www.workday.com/innovation/featured_articles/the_truth_about_saas_and_security.php