Introduction to Information System Components
Hardware/Software Deployment Strategies
Chapter 1 Part 4 of 4 CA M S Mehta, FCA
Task Statements
1.1 Identify deployment of different components of IT and their functions: Computer Hardware, Operating system software, database management software, application software…
1.2 Recognise the configuration of hardware, operating system software, database management software and application software.
Knowledge Statements
1.1 Information Technology components of Information Systems Infrastructure and related processes in the context of practical deployment in enterprises.
1.3 Configuration management of hardware, system software, database management software and application software.
Topics Covered
Different Deployment Strategies - Centralised/distributed
IT Components of a Data Centre in Centralised CBS environment
Configuration Management
Hardening of Systems
Deployment Of IS Infrastructure
Business Goals
Business Processes
IT Services
IT Infrastructure
Deployment of IT infrastructure is directed by business strategy and involves acquiring hardware and software and its installation, configuration, running and testing.
What are Different Deployment Strategies?
Centralised Deployment Strategies
Decisions taken at the most senior or central level.
There is a central database.
Applications are deployed on a single hardware/software platform.
Servers are at the central level.
Single middleware required at central level.
Centralisation might be appropriate for:
• System critical for organisation’s functioning
• The system used by many departments
• Data is drawn from several different sources
• There are particular technical issues like network design.
Centralised Deployment Strategy
Sharing resources
• Data used across organisation in one place,
• Easier to undertake organisation-wide activities.
• Exchange of hardware, software and staff
Full replication for higher availability
Achievement of economies of scale
Central policy enforcement, patch management
Centralised Deployment Strategies
Single point of failure
Inflexibility to cope with local changes
Increased dependence and vulnerability
Decentralised Deployment Strategies
Databases are distributed to decentralised centres.
Applications are deployed on different platforms.
Middleware required at each step.
No single point of failure.
Decentralised Deployment Strategies
Decentralisation might be appropriate for:
• The system relevant only to one department.
• Processing requirements are subject to frequent changes.
Where Data is drawn:
• From existing centrally-managed database, or
• From a proposed locally-managed database
Decentralised Deployment Strategy
Greater fit between systems and local needs
Higher usage of computerised systems
Faster system development
No single point of failure
Decentralised Deployment Strategies
Barriers to sharing data
Barriers to sharing other resources
Latency
Local Replication requirements
No central control over patches and versions
What are Information Technology Components In a CBS Data Centre?
IT Components in a CBS Data Centre
Bank’s data centre or an IPF (Information Processing Facility)
• Used to house computer systems and associated components
• To cater to its information processing needs
• Has storage, security and communication links.
• Equipped with:
• redundant or backup power supplies,
• redundant data communication connections,
• environmental controls, and
IT Components in a CBS Data Centre
IT components depend upon:
• Bank’s corporate objectives,
• Planned service types,
• Risk management and control mechanism
• Compliance/Regulatory requirements
Core Banking Solution
Factors affecting selection of IT Components
• The type of services the solution offers,
• Response time for customer transactions,
• Availability requirements of services,
• Layers of security implemented, and
• Processes for building customer confidence.
Applications requiring interface to CBS may be hosted at the Data Centre.
• To meet additional availability requirements
The IT Components
Application Solutions and Services
Hardware & OS Components
Network and Security Components
EMS Components
Application Solutions & Services Components
Applications that are normally deployed in data centre of a bank
• CBS – including Internet Banking
• RTGS
• NEFT
• Integrated Risk Management solution
• Integrated Treasury Solution
• Anti-Money Laundering System
• Asset Liability Management Solution
• Mobile Banking
• Automated Data Flow & MIS
• Data Archival
Application Solutions & Services Components Contd..
• Web Servers
• Customer Call Centre
• Customer Relationship Management
• Human Resources Management
• Email System
• Data Warehouse
• Biometric Authentication of branch users in CBS
• Second-factor Authentication (for Internet Banking users)
• Cheque Truncation
Application Solutions Components
Applications not part of CBS requiring an interface with CBS could be housed in the same data centre or elsewhere.
Application Solutions & Services Components
WAN interfaced with external networks to facilitate Applications
• ATM Switch
• Reserve Bank of India’s MPLS network and NPCI
• SWIFT
• Master/VISA/American Express exchanges
• National Clearing Cell and Cheque truncation system
• Utility service network like telephone companies
• Government Tax Departments
Hardware & OS Components
Core Banking Servers – HA (High Availability) mode
Database Servers – HA mode
Web Servers, Email, Anti-virus servers
Application Servers for other applications
Hardware Components (Contd.)
Servers have redundant power supply
Virtualisation of some servers is implemented by banks to achieve:
• Scalability
• Reliability
Some other Hardware Components
Storage
• For storage of Data
Tape Library
Network & Security Components
Network design has two distinct zones
• One caters to the Private Segment (Core Banking Zone)
• The other the Public Segment (Internet Zone).
Each zone has different sub-nets through VLANs
Network & Security Components
Devices installed
• Core Routers
• Core Switches
• ISDN Routers
• Top of Rack Ethernet Switches
• Encryption Devices
• ACS Server
• Firewalls
• Internet Routers
• Intrusion Detection & Protection Systems
• Two Factor Authentication
• Security Solutions for email and web
• End-Point Security solutions
Enterprise Management System Components
EMS Acts as an interface for the Network Operations Centre (NOC)
Used to monitor
• Servers
Enterprise Management System Components (contd.)
Set of hardware and software solution(s) for:
• Application Monitoring
• Server Monitoring
• Network Monitoring
• Patch Management
• Asset Management
• SLA Management
• Change Management
Enterprise Management System Components
Environmental Components
Racks – to house all servers and network equipment.
Power ducts, cables, LAN (structured cabling) usually running below false floor.
Smoke Detection and Fire Suppression Systems
Environmental Components (contd.)
Video Camera Surveillance and Security Breach Alarm systems
UPS power conditioning devices
Power and Optic Fibre cables
Redundant air conditioning equipment
Humidity control equipment
Steps in Configuration
Configuration Management-IS Components
Identification of all significant components of IT Infrastructure
Recording the details of these components in the Configuration Management Database
Configuration Management-IS Components
Configuration Identification
Configuration Control
Configuration Status Reporting
Configuration Audit
Configuration Identification
Items (HW/SW) which are under CM
Configuration of components of these Items
Configuration, version of these Items
Process of Identifying the Configuration Items (CI)
• Software (Name, Version, Licence, Configuration, Related Documentation, etc.)
• Hardware (Type, CPU, Memory, etc.)
Configuration Control
Helps know Items which are controlled
Process of controlling changes
Version Control
Who controls these changes
Ensures approved version of Items used.
Configuration Status Reporting
Status of proposed changes
What changes were made and at what time
Effect of those changes on different components
Configuration Audit
All Items correctly identified
All changes correctly registered, approved, tracked and implemented
Verifying the correctness of the IS Components and their Configuration Status Reporting
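Added example (not part of the original slides): a minimal configuration audit that compares the Configuration Management Database against the state found on live systems and against the change register. All item names, versions and change records are constructed sample data, and the function name audit is an assumption made for this illustration.

```python
# Constructed sample data: CMDB baseline (Configuration Identification).
CMDB = {
    "cbs-app-01": {"kind": "software", "version": "4.2"},
    "db-srv-01": {"kind": "software", "version": "12.1"},
    "core-fw-01": {"kind": "hardware", "version": "fw-7.0"},
    "tape-lib-01": {"kind": "hardware", "version": "r2"},
}

# Constructed change register (Configuration Control).
CHANGES = [
    {"ci": "cbs-app-01", "to_version": "4.3", "approved": True},
    {"ci": "db-srv-01", "to_version": "12.2", "approved": False},
]

# Constructed state discovered on the live systems.
DISCOVERED = {
    "cbs-app-01": "4.3",
    "db-srv-01": "12.2",
    "core-fw-01": "fw-7.0",
    "test-web-09": "1.0",
}


def audit(cmdb, changes, discovered):
    """Return (item, finding) pairs for every deviation from the CMDB."""
    registered = {(c["ci"], c["to_version"]) for c in changes}
    approved = {(c["ci"], c["to_version"]) for c in changes if c["approved"]}
    findings = []
    for name, version in sorted(discovered.items()):
        if name not in cmdb:
            # Item exists but was never identified as a Configuration Item.
            findings.append((name, "not identified in CMDB"))
        elif version != cmdb[name]["version"]:
            if (name, version) in approved:
                # Change was approved but status reporting lags behind.
                findings.append((name, "approved change not recorded in CMDB"))
            elif (name, version) in registered:
                findings.append((name, "change implemented without approval"))
            else:
                findings.append((name, "unregistered change"))
    for name in sorted(set(cmdb) - set(discovered)):
        findings.append((name, "recorded in CMDB but not found"))
    return findings


if __name__ == "__main__":
    for item, finding in audit(CMDB, CHANGES, DISCOVERED):
        print(f"{item}: {finding}")
```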
System Hardening
Process of securely configuring computer systems to eliminate as many security risks as possible.
This may involve
• Applying patches
Hardening OS
Latest patches, service packs and hotfixes installed
Enable automatic notification of patch availability
Set minimum password length and complexity
Configure event log settings
Privileged Administrator/root accounts controlled
Disable the guest account
Hardening OS…Contd.
Disable or uninstall unused services
Use the Internet Connection Firewall
Configure file system permissions
Configure registry permissions
Install and enable Security Suite
Hardening OS…Contd.
Configure a screen-saver to lock the console's screen automatically
Set a BIOS/firmware password to prevent alterations in system start-up settings
Configure the device boot order to prevent unauthorized booting from alternate media
Use Vulnerability Assessment tools like Microsoft Baseline Security Analyser or Bastille Linux
Risks and Controls in Deployment of IS Infrastructure
Risks in deployment of IS Infrastructure
Improper design –
Disruption of services –
Security
times –
Controls in deployment of IS Infrastructure
Proper site selection
Disruption preparedness
Proper NOC for network monitoring and control
Security solutions
Auditing IS Infrastructure
Hardware list with configurations available
Check whether hardware is in accordance with computational requirements
Environmental controls for hardware
Effective hardware maintenance to reduce downtime
Operating system has been hardened
Proper Access Controls operational for Operating Systems