IS 425 Enterprise Information LECTURE 3 Winter

IS425 Winter Session 32 Agenda IT architecture & infrastructure (cont.) Exercise reviewing Week 2 materials Risk Management Analysis Primer Software Development / Architecting Security Disaster Recovery

IS425 Winter Session 33

IS425 Winter Session 34

IS425 Winter Session 35 Hot Topics from Week 2 Web 2.0 Storage consolidation –server virtualization Staffing for PM positions E-commerce Business intelligence (data mining) Quality assurance IT information management IT staffing with business knowledge Growing the business Information & data security, identity management Disaster recovery Service oriented architecture Portfolio management IT offshore outsourcing and IT skills Service oriented architecture Regulatory Compliance Reduce architecture complexity Information and data security Software as service

IS425 Winter Session 36 Exercise How do you reconcile the issue rankings below from 1996 to the “hot topics” that we discussed last week? What pressures are different and what pressures are the same for the issues and topics? 1. Building a responsive IT infrastructure 2. Facilitating and Managing Business Process Redesign 3. Developing and managing distributed systems 4. Developing and implementing an information architecture 5. Planning and managing communication networks 6. Improving the effectiveness of software development 7. Making effective use of the data resource 8. Recruiting and developing IS human resources 9. Aligning the IS organization within the enterprise 10. Improving IS strategic planning 11. Implementing and managing collaborative support systems 12. Measuring IS effectiveness and productivity

IS425 Winter Session 37 The Debate Discussion Forum “Debate Topics”. If you have a topic that you would like to debate – add a message giving a short description of the topic. If you see a topic that interests you particularly – reply to the topic message stating you are interested giving your section number and your group’s name.

IS425 Winter Session 38 This Session Software engineering/architecting is about ensuring that certain thing happen Security engineering is about ensuring that certain things do NOT happen

IS425 Winter Session 39 Risk Management Analysis Primer A process for assessing threats and determining which ones to ignore, reduce, eliminate level of feasible support for efforts to reduce and eliminate

IS425 Winter Session 310 Risk Management Analysis Primer Expected Loss or EL = P1 x P2 x L where: P1 = Probability of attack P2 = Probability attack is successful L = Loss occurring is attack is successful PC = Prevention costs If EL < PC then ignore If EL > PC then investing in PC is reasonable

IS425 Winter Session 311 Risk Analysis Steps

IS425 Winter Session 312 Enterprise Architecture Business (process) architecture Business strategy Governance Organization Key business processes (BPs) Information Technology (IT) architecture Software infrastructure supporting BPs Information (Data) architecture Logical and physical data assets Data management resources Software/Application architecture Internal physical structure Problem models to aid developing implementation-independent models

IS425 Winter Session 313 Software Development/Architecting The design on a system from multiple viewpoints – some common are: Technology stack (physical) view Object (data) view Use (behavioral) view But need to see attributes such as: Modifiability, Build-ability, Security, Reliability, Performance, Business-oriented qualities.

IS425 Winter Session 314 Software Development/Architecting The architectural view is a component or subsystem view of the system Module approach where a module is something that can be replaced by another implementation without causing other elements to change. Relatively small amounts of information are exchanged between modules. Modules are loosely coupled Allows concurrent development

IS425 Winter Session 315 Software Development/Architecting Software Architecture definitions-- 1. the description of the elements that compose the system, their interactions, the patterns and principles that guide their composition and design, and the constraints on those patterns. 2. The observable properties of a software system (aka the form of the system) including: 1. Static forms 2. Dynamic forms 3. Encompasses OO and Analysis methodologies Software Architecting means process of creating software architectures.

IS425 Winter Session 316 Software Development/Architecting VIEWS have PHASES which Distinct – once completed Never Overlap Contain ACTIVITIES which Overlap Repeat Can contain many non-decomposable STEPS Part of problem-specific TASKS

IS425 Winter Session 317 Software Product Life Cycle Management View Software Engineering View Engineering Design View Architectural View

IS425 Winter Session 318 Management View Phases constitute a development cycle Inception when need identified Gathering or capturing requirements aka specification of requirements Construction when product is implemented (coded), unit tested & system tested When transitioned to users--

IS425 Winter Session 319 Software Engineering View Multiple chains of activities running concurrently & overlapping Inputs to activities are “whats” Outputs are “hows” RAS – understand the actual problems Design – transforming reqs into a technically feasible solution I & T – source code D & M – to users

IS425 Winter Session 320 Engineering Design View Taken from mechanical engineering Phases are sequential but can be overlapping Information flows from phase to phase PP –problem is defined and req list created CD –problem analyzed and solution concepts created/revised ED –main design or draft design DD –physical arrangement, dimensions and other material properties are specified

IS425 Winter Session 321 Architectural View Phases are sequential and milestone driven Product planning and study the entire enterprise context DA- understand completely needs of acquirers and users SD- prepares the architectural-level design DD- refining the architectural description and selecting among alternative designs BP- construct system

IS425 Winter Session 322 Source: Verdon & McGraw: Risk analysis in software design, IEEE Security & Privacy, July 2004

IS425 Winter Session 323 Source: Verdon & McGraw: Risk analysis in software design, IEEE Security & Privacy, July 2004

IS425 Winter Session 324 Pulling It Together If firms are trying to minimize costs why would they embrace “software architecting”? Is there a possible relationship between software architecting and the value chain? Is this type of software architecture prevalent now? What kind of risk analysis can be done on a software development project?

IS425 Winter Session 325 Security Engineering Definition == building systems to remain dependable in the face of Malice Error Mischance. To mitigate, reduce, the effects of threats Unintentional Intentional

IS425 Winter Session 326 Security Threats

IS425 Winter Session 327 General Controls Physical controls Physical design of data center to limit access and protect from elements Access controls Restriction of unauthorized user access to a system Data Security controls Protecting data From disclosure to unauthorized persons From destruction/modification by unauthorized Administrative Controls Issuing guidelines / monitoring compliance Programming Controls Development/Testing standards and procedures Application Controls Inputs/Processing/Output

IS425 Winter Session 328 Source: Verdon & McGraw: Risk analysis in software design, IEEE Security & Privacy, July 2004

IS425 Winter Session 329 What is the appropriate level? Source: Chokhani: Trusted products evaluation, CACM, july 92 NCSC Guidelines

IS425 Winter Session 330 Source: Chokhani: Trusted products evaluation, CACM, july 92

IS425 Winter Session 331 Security Engineering Tools Protocols Passwords Access controls Cryptography Distributed Systems Monitoring Systems

IS425 Winter Session 332 Encryption & Transaction Security Secret vs. Public Key Encryption Secret-Key Encryption (single key) Symmetric encryption, DES Use a shared secret key for encryption and decryption Key distribution & disclosure fast, for bulk data encryption Public-Key Encryption (Pair of keys) Asymmetric encryption, RSA (Rivest, Shamin, Adlemann) Private/Public keys Need digital certificates and trusted 3rd parties Slower For less demanding applications

IS425 Winter Session 333 Network Protection To protect Internet and E-Commerce Most common security measures are: Access control (PINs) Encryption Cable testers with protocol analyzers Firewall systems that enforce access control between two networks

IS425 Winter Session 334 Internet security Consumers entering highly confidential information Number of security attacks increasing Four requirements of a secure transaction Privacy – information not read by third party Integrity – information not compromised or altered Authentication – sender and receiver prove identities Non-repudiation – legally prove message was sent and received Availability Computer systems continually accessible

IS425 Winter Session 335 Disaster Recovery Planning Purpose is to keep business running after a disaster. Backups –onsite and offsite Offsite computing arrangements made in advance with hot-site vendors Offsite office arrangement made in advance with cold-site vendors Critical applications identified and recovery procedures addressed Written plan kept in several locations

IS425 Winter Session 336 Pulling It Together What kind of aptitude does a security engineer need? What skills does a security engineer need? What kind of aptitude does a software engineer need? What skills does a software architect need? Are they different?

IS425 Winter Session 337 Quiz Next Week DL students should download the quiz from COL. Complete the form and then submit it on COL.