The company wants to move its HR applications and HR data


Project Scenario

Company: A Human Resources (HR) company. You should name it.

Industry: HR for Business

The Situation:
- The company wants to move its HR applications and HR data into a community cloud, sharing tenancy with other clients. It has not used the cloud before.
- The company will be pushing sensitive employee information, such as personally identifiable information (PII), to and from the cloud.

You:
- Member of a team within a cloud service provider.
- One of several security software architects.
- Assigned to a project to provide the HR company with a plan for migrating and providing the HR company Software as a Service (SaaS) on the cloud.

Your Company: Cloud service provider offering software as a service (SaaS) services to its client base. Name your company.

The Specific Assignment:

1. Deliver a Software Development Life Cycle driven report for securing data and applications in a cloud environment.

2. Conduct lab testing and use the specific results to reinforce your concepts in the report.

Template

1.0 INTRODUCTION

Inject the team into the given scenario and respond as the team of security software architects in the cloud service provider which is providing service to the HR company. Provide an introduction to your work which addresses migrating an HR company to the use of HR applications in the cloud and which addresses protecting that HR company's data. What does protecting mean? What assumptions are you making? What is included and what is not included? This report is aimed at senior decision makers in the HR company and will help them decide to undertake the migration. You must be specific enough for them to make decisions and take action.

2.0 PURPOSE
Describe the purpose of your proposed architecture and solution as they relate to implementing a cloud solution for the HR company. What issue or issues are being addressed? Advise the HR company decision makers on the confidentiality and integrity of their data transmitted between the HR company and the cloud HR applications. What laws, regulations, industry norms, etc., if any, may need to be followed?

3.0 PROJECT CONCEPTS
Integrate concept and process information from the Step 1 activity as they pertain specifically to cloud software architecture development. Topics to include and relate to the scenario include:

3.1 Development Life Cycles
- Explain the software development life cycle.
- Explain the security development life cycle.
- Discuss how the security development life cycle fits into and/or differs from the software development life cycle.
- Identify and discuss the software development methodologies to choose from.
- What do you recommend to the senior leadership? Select and give reasons for the software development methodology that will be used for this project.

3.2 Architecture and Design Models
- Discuss several architecture and design models (e.g., waterfall, agile, extreme programming) that may be used in the migration to the cloud HR application and their pros and cons as they apply specifically to the project scenario. A table may be a good presentation method for clarity.
- Select and give reasons for the model that will be followed.

3.3 Threat Modeling Process
- Define and explain threat modeling in your own words.
- Review threat modeling approaches.
- Explain how you will determine risk in the threat model approach you choose.

3.4 Other Considerations
- Include any other aspects for proceeding with project initiation (e.g., tools to be used, technologies that would be appropriate for data protection, etc.).

4.0 PROJECT DEFINITION AND SCOPE

4.1 HR Company Characteristics
- Explain the mission of the HR company.
- Identify and discuss any special security characteristics of the current HR applications.
- Explain the business need(s) for the HR company's desire to migrate its current HR applications to the cloud.

4.2 Cloud Options
- What types of cloud services are available to the HR company?
- What would the best type be for this scenario?
- Provide a high-level overview of characteristics and cloud services offered by Amazon Web Services, Generic Hadoop, Map-r, Cloudera or MX Azure.
- Describe and explain the topology and components of the architecture of the desired cloud environment and how the cloud HR applications will be accessed by its users. Where is it likely that data would be in plain text, and where might it be encrypted? A high-level, top-layer network diagram including the critical system(s) at and between the cloud, the HR company and users should be included. Be sure to describe key aspects of the network and systems as related to this scenario, and indicate their locations in the diagram.

4.3 Functional and Security Architectures
A function is an action on one or more inputs which provides one or more outputs and may be dependent on a trigger or control which initiates the action. Functions are described as verb descriptions or adjective verb descriptions (e.g., two functions might be Provide Encryption Services and Limit Access to Authorized Users).
- Which of the Amazon Web Services, Generic Hadoop, Map-r, Cloudera or MX Azure offerings might be appropriate for the HR company? Explain why. Choose Hadoop.
- Identify and explain parts of the functional architecture that are within scope of the security architecture for the HR company.
- Identify which security features are needed to protect each component within the architecture for data at rest, in transit and in use.
- Identify, describe and explain possible software and hardware components, operating systems and security protections that could be employed.

4.4 Specific Scope
- Narrow the scope of your security architecture relevant to this scenario to achieve security only for data in transit.
- Clearly state the specific security objective(s) for the project.
- What are the specific threats to data in transit for this application? Where do they specifically occur?
- What are the potential impacts if the threats are successful?
- What is the likelihood of success?
- A summary table showing this information along with the rank-ordered risk would help with clarity.

5.0 FUNCTIONAL ANALYSIS
Integrate information, research and findings from Steps 2-4, as they relate to the scenario.

5.1 Methodology
Apply the SQUARE (Software Quality Requirements Engineering) methodology specifically to your scenario.
- Explain what the SQUARE methodology is.
- Provide the steps/process involved. Be specific about how each step is executed with respect to this scenario.
- How will you specifically determine the requirements for the security technology and techniques being proposed?
- What are examples of those requirements? Note that requirements are enumerated statements which are separated into different categories of applicability.

5.2 Ways for Securing Data in the Hadoop Cloud Environment
- What does it take to secure data in the cloud?
- Explain database models.
- Discuss your results from executing the Hadoop lab, as they apply to securing data in the software development life cycle for our (data in transit) scenario. This means state the lab cases and what they were designed to show relative to data security. State the resulting specific data and what the data specifically showed.

5.3 Technology Evaluation
Provide a summary explanation of your analysis and planning for choosing the technologies and techniques of your solution.
- Review and explain the following and identify your preferred options.
  i. Server virtualization
  ii. Benefits and features of cloud computing for this specific case.
  iii. Mobile cloud computing.
- Compare and discuss the different technologies and techniques regarding their efficiency, effectiveness and other factors affecting the security of the data in transit to and from the cloud. Identify and explain your preferred options.
  i. Encryption
  ii. Access control
  iii. Other techniques

6.0 SYSTEM DESIGN
Integrate information, research and findings from Step 5, as they relate to the scenario. System infrastructure can be a physical system block diagram or hierarchy diagram. System model normally includes the system components along with their requirements/specifications. In this section, only include the security requirements.
- Describe the system infrastructure/components.
- Complete the system model by describing your design requirements/specifications for your data-in-transit protection model. Recall that requirements are enumerated statements which are separated into different categories of applicability. A summary table or list with reference to the components, however, may be useful for clarity.

7.0 LIFE CYCLE PLANS
Several phases make up the life cycle of a product. For example, these include software and hardware architecture, definition and development, component through integration and acceptance testing, deployment, operations and maintenance and retirement or disposal. In this section, you will cover your software development, testing and integration, deployment and retirement or disposal plans. Note that testing often includes testing that the desired feature works as intended and also how it responds to other situations. For example, a security feature on an ATM cash machine is a PIN. The PIN may be specified as 4 numerical digits. A test that the feature works as intended is to try correct and incorrect 4-digit PINs and determine if access is granted or denied. A test for an unintended case might be what happens if 8 numerical digits are entered, or 8 digits with the correct 4 digits at the beginning or 8 digits with the correct 4 digits at the end.

7.1 Software Development Plan
- Explain the steps in your software development plan.
- What are some of the different design and development considerations you will be deciding?

7.2 Testing and Integration
A clear and concise way of showing your test plan is by creating the enumerated requirements statements for each step in the test, each directly followed by any explanation.
- Explain testing and integration.
- Implementation Testing
  i. Show your test plan for evaluating the technologies and techniques used in your system for assuring the security of data in transit.
  ii. What are your expected results for each test?
- Integration Testing
  i. Show your test plan for evaluating the compatibility of your solution with other systems.
  ii. What are your expected results for each test?

7.3 Deployment
- The HR company will be running its HR application within the cloud. Describe any unique security technology characteristics, techniques or requirements appropriate for the software as a service (SaaS) in the cloud model.
  i. Where in the cloud would the technology or techniques be used?
  ii. Identify which specific components would use each technology or technique.
- Requirements are usually specified in a Service Level Agreement or SLA, which would be negotiated between the cloud provider and the HR company. What are the key requirements in the SLA for securing the HR company's data in the SaaS implementation and for assuring that the requirements are met?
- Describe and explain your recommended deployment strategy to the cloud.

7.4 Operations and maintenance
Once the solution has been deployed and the HR application is running in the cloud, there will be a need for assuring the operation meets requirements and for routine maintenance. Concentrating solely on the data
- Provide a very high level plan for what aspects need to be addressed in both the operations and maintenance.
- Provide more detail and discuss and explain the process for continuous monitoring of the data in transit and the technology and techniques in the security architecture.
- Provide more detail and discuss and explain the process for auditing the monitored data.

7.5 Disposal Plan
Assume that the HR company will no longer have a need for the cloud HR application. The HR company will therefore end its contract with the cloud provider.
- Identify and discuss the key areas which must be addressed regarding the application, data and other relevant information, hardware or software on the cloud.
- How will the cloud and the HR company handle the preservation, retrieval and disposition of the HR company's data?
- How will the cloud and the HR company handle the preservation, retrieval and disposition of the HR application?
- What other actions, notifications, procedures, etc. would you recommend?

8.0 CONCLUSIONS
