
  4 Deliverables and 4-10 pages total (1-2 each).

  

Scenario:

You are a security software architect in a cloud service provider company, assigned to a project to provide the client with data integrity and confidentiality protections for data in transit that will be using applications in the cloud. Your client is an HR company called Six twenty One HR Company that is moving HR applications and HR data into a community cloud, sharing tenancy with other clients. Your company has set up a software as a service (SaaS) offering for its client base. We will be using Microsoft Azure.

The data that Six twenty One HR Company will be pushing to and from the cloud will contain sensitive employee information, such as personally identifiable information, PII. You will have to address sensitive data and transit issues of the client data using the HR applications stored in the cloud, and provide a life cycle management report that includes solutions to the cloud computing architect of your company.

The team will decide on a team leader, who may divide sections to complete by small groups of team members. You decide to make an outline of the report, and to use the phases of the software development lifecycle, SDLC, as a basis for the report. The outline includes the following: examine the cloud computing environment and determine the protection techniques and how they will be applied to components within the cloud to ensure end-to-end protection of data in transit. Consider what security techniques and methods are applicable, and tailor the software development life cycle methodology for the cloud computing environment.

Select the best methods and techniques for protecting confidentiality and integrity of data in transit, and apply principles to the whole study approach. These are the software development life cycle phases to use as the report outline: initiating projects/defining scope, functional design, analysis and planning, system design specifications, software development, installation/implementation, tailoring, operation and maintenance, and disposal.


CST620 Project 4 Resources



1. 1-2 pages double spaced:

· Combine security development lifecycle and software development lifecycle methodologies. Consider what model you are following such as Waterfall, Spiral, Agile, and Extreme Programming.

2. 1-2 pages double spaced:

· Begin Functional Analysis and Design—Use SQUARE for Requirements Information Gathering.

· Identify the SQUARE process and provide an overview of how to collect requirements for the security technology and/or techniques that are being proposed.

3. 1-2 pages double spaced:

· Learning Different Ways to Secure Data in the Cloud.

· Include a discussion about securing data in the cloud.

4. 1-2 pages double spaced:

· Provide Analysis and Planning for Evaluating Technologies.

· Compare different technologies and techniques, including encryption, access control, and other techniques.

· Consider their efficiency, effectiveness, and other factors that may affect the security of the data in the cloud.

· Conclude which is generally a better, stronger technique and why.

Deliverable 1 Resources:

1-2 pages double spaced: Combine security development lifecycle and software development lifecycle methodologies. Consider what model you are following such as Waterfall, Spiral, Agile, and Extreme Programming.

Security Development Life Cycle

Implementation of security in the system development life cycle (SDLC) refers to the processes and activities executed to identify and mitigate threats. According to the National Institute of Standards and Technology (Kissel et al., 2008):

To be most effective, information security must be integrated into the SDLC from system inception. Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs. (p. 1)

NIST also defines steps that should be undertaken, including early identification and mitigation of vulnerabilities, awareness of potential engineering, reuse of security strategies, and facilitation of informed executive decision. In addition, the Open Web Application Security Project (OWASP) has developed the Software Assurance Maturity Model for SDLC security (2016).

References

Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., & Gulick, J. (2008). Information security: Security considerations in the system development life cycle (Special Publication 800-64, Revision 2). National Institute of Standards and Technology (NIST). US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf

Open Web Application Security Project (OWASP). (2016). Error handling. Secure SDLC cheat sheet. https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet.

Sergeev, A. (2021, March 5). Extreme programming and other methodologies. Hygger. Retrieved May 6, 2023, from https://hygger.io/blog/extreme-programming-waterfall-agile-kanban-scrum-lean/

Software Development Life Cycle for Data in the Cloud Computing Environment

Each team member is a security software architect in a cloud service provider company, assigned to a project to provide the client with data integrity and confidentiality protections for data in transit that will be using applications in the cloud. Your client is an HR company that is moving HR applications and HR data into a community cloud, sharing tenancy with other clients. Your company has set up a software as a service (SaaS) offering for its client base.

The data that the HR company will be pushing to and from the cloud will contain sensitive employee information, such as personally identifiable information, PII. You will have to address sensitive data and transit issues of the client data using the HR applications stored in the cloud and provide a life cycle management report that includes solutions to the cloud computing architect of your company.

Software Development Life Cycle

Technology development and implementation usually follow a software development life cycle (SDLC) methodology. This approach ensures accuracy of information for analysis and decision making, as well as appropriate resources for effective technology management.

You and your team members will use components of the SDLC methodology to develop a life cycle management report for the cloud computing architect of a company. This is a group exercise, representing the kind of collaboration often required in the cybersecurity technology community.

There are 11 steps to lead you through this project. Similar steps are typically used in organizational SDLC projects. Most steps should take no more than two hours to complete, and the entire project should take no more than three weeks to complete. Begin with the workplace scenario, and then continue with Step 1: “Initiating the Project.”

Software Development Methodologies

Many organizations engage in the software development process, from manufacturers of major software packages to companies implementing commercial off-the-shelf software (COTS), to custom, in-house development.

To be successful, a company must use a standard software development methodology, especially in an environment where software security—injected in all phases of the project—is so important. These standard processes are traditionally called software development methodologies, or software development life cycles.

There are numerous methods used in developing software. Waterfall, rapid application development, joint application development, and extreme programming are some of the common methodologies used today. With software security concerns, even more methodologies are advancing in this arena. Nevertheless, within these major categories, there are variations that fit a company's needs.

Many life cycle models have been built upon the traditional waterfall model framework, while some newer models differ greatly. The waterfall model is extensively used in practice, particularly in the development of large enterprise software systems. The other models vary in implementation cost, end-user involvement, and project implementation time. 

The rapid application development (RAD) model and the joint application development (JAD) model have similar approaches. JAD is mainly a methodology, where system users, analysts, designers, and software developers are working together to specify the components of the new system. They use many techniques, including meetings, workshops, and retreats to define and design the system. These techniques are highly structured based on best practices in JAD processes, and the group meetings can be held over extended periods.

Deliverable 2 Resources:

1-2 pages double spaced:

· Begin Functional Analysis and Design—Use SQUARE for Requirements Information Gathering.

· Identify the SQUARE process and provide an overview of how to collect requirements for the security technology and/or techniques that are being proposed.

Click the following link to learn more about software quality requirements engineering (SQUARE). Then, identify the SQUARE process and provide an overview of how to collect requirements for the security technology and/or techniques that are being proposed.

Software Quality Requirements Engineering (SQUARE)

Security Quality Requirements Engineering (SQUARE) is a nine-step methodology created at Carnegie Mellon University to help organizations build security into the early stages of development. US-CERT, the United States Computer Emergency Readiness Team, discusses the SQUARE methodology (Mead, 2013):

Security Quality Requirements Engineering (SQUARE) provides a means for eliciting, categorizing, and prioritizing security requirements for information technology systems and applications. The focus of this methodology is to build security concepts into the early stages of the development life cycle. The model can also be used for documenting and analyzing the security aspects of fielded systems and for steering future improvements and modifications to those systems.

References

Mead, N. (2013). SQUARE process. United States Computer Emergency Readiness Team. https://www.us-cert.gov/bsi/articles/best-practices/requirements-engineering/square-process.

This information will be added to the group report.

In the next step, the team will learn how to secure data in the cloud.

Deliverable 3 Resources:

1-2 pages double spaced:

· Learning Different Ways to Secure Data in the Cloud.

· Include a discussion about securing data in the cloud.

Learn Different Ways to Secure Data in the Cloud

The team has successfully examined the phases of a software development life cycle, defined the scope, and analyzed requirements for the project. Now, you must begin your research into the Hadoop cloud environment to better understand what it takes to secure data in the cloud. To learn more about databases, review database models.

Include a discussion about securing data in the cloud in your final report.

In the next step, the team will provide the basis for evaluating technologies with analysis and planning.

Deliverable 4 Resources:

1-2 pages double spaced:

· Provide Analysis and Planning for Evaluating Technologies.

· Compare different technologies and techniques, including encryption, access control, and other techniques.

· Consider their efficiency, effectiveness, and other factors that may affect the security of the data in the cloud.

· Conclude which is generally a better, stronger technique and why.

Provide Analysis and Planning for Evaluating Technologies

Once the team members have understood ways to secure data in the cloud, the team will analyze and develop a plan to use technologies and/or techniques to meet the functional requirements developed earlier for protecting client data in transit.

To prepare, click the following links and learn more about virtualization and cloud computing:

In the traditional security infrastructure environment, organizations typically rely on layered defenses using a combination of firewalls, intrusion detection, packet filters, encryption, and application-level security measures. However, the virtual environment often renders conventional security techniques ineffective. Virtual security, therefore, must address each component: host, client, and network.

References:

McGillicuddy, S. (2010, September 16). Networking vendors aim to improve server virtualization security. Juniper Networks. Retrieved from http://searchnetworking.techtarget.com/news/1520266/Networking-vendors-aim-to-improve-server-virtualization-security

Juniper Networks Cloud Security. (2015). Juniper Networks. Retrieved from https://www.juniper.net/us/en/local/pdf/whitepapers/2000465-en.pdf

Logan, M. (2011, January 17). Some Information on Virtualization Security. Retrieved from http://ezinearticles.com/?Some-Information-On-Virtualization-Security&id=5736170

Host

Hackers can attempt to gain control of the hypervisor to compromise the host server. Once the host is compromised, hackers can potentially breach guest servers and misappropriate data. The first line of defense should focus on preventing the breach from affecting underlying layers. As a precautionary measure, antivirus software should be run on the host server. All other applications should run on the more restricted guest servers.

Client

If a client server is compromised, the affected client should be identified by the security mechanism and immediately disconnected to stop the threat from spreading.

Network

The first step to protecting virtual networks is deploying a hardened operating system and network protocols and applying current security algorithms, patches, and identity authentication. The second step is providing restricted or “least privileged” access, in which a person or application can access only what is required to accomplish the task. This not only reduces the attack surface area; it keeps networks from being easily compromised. In the event of a breach, hackers will be able to spy only on limited network traffic and confidential data.


There are three popular approaches to create virtual servers. They are virtual machine, paravirtual machine, and OS-level virtualization.

Reference: Rouse, M. (2009). Server virtualization. Retrieved from http://searchservervirtualization.techtarget.com/definition/server-virtualization

Virtual Machine

Virtual machines use a hypervisor to create guest servers. The hypervisor, also called a virtual machine monitor (VMM), is an application that functions as a host of all virtual consoles. Through the hypervisor, each guest server communicates with the CPU in the host server to access computing resources. Each guest server stands independently, unaware of others, while running multiple operating systems. VMware and Microsoft Virtual Server are two popular virtualization platforms.

Paravirtual Machine

Like virtual machines, paravirtual machines (PVMs) also run multiple operating systems and create guest servers, but with two significant differences:

1. PVM guest operating systems are aware of each other’s existence.

2. The hypervisor modifies or “ports” the guest operating system’s code.

OS-Level Virtualization

When virtual servers are created at the OS level, no hypervisor is required. The host server OS performs all the functions of a virtual hypervisor. Instead of connecting with each guest server independently, it runs a single OS kernel as its core and exports OS functionality to each of the guests. Guests must, however, use the same operating system as the host, though different distributions of the same OS are allowed.

Software virtual machines create a management layer that emulates a guest operating system that resides on a host operating system. A distinction from hardware virtual machines is the host operating system's requirement, which may vary by virtual machine software. This implementation offers flexibility to reside on an existing host operating system.

The hardware virtual machine is sometimes referred to as "bare metal" given that host operating systems are not required. This virtualization implementation has a modified hypervisor kernel that allows direct communication with the host hardware (rather than through a host operating system's layer). One benefit of this model over software virtual machines is higher performance.

Cloud computing arose as a conceptual framework of services. The concept builds on years of previous work in virtualization and information technology research. Various types of cloud computing use virtualization technologies at different levels, such as application containers, dynamic virtual machines, hypervisors, and microservices. It is important to understand the virtualization technologies behind cloud computing that help provision and deprovision elastic services such as storage, CPU, memory, and other system resources. Access to these resources requires identity assurance to securely manage the cloud computing virtual systems.

Reference: Daniels, Jeff. (2011). Assured identity for the cloud. Indiana State University. Retrieved from http://hdl.handle.net/10484/2031

In "Assured Identity for the Cloud" (2011), Jeff Daniels identifies three illustrations of virtualization:

In cloud computing, there are three stakeholders involved:

· Cloud subscribers (client organization, end-user)

· Cloud service providers (third-party companies)

· Cloud infrastructure providers (sometimes the same company as the service provider)

Cloud Subscribers

Cloud subscribers decide to outsource some IT requirements to third-party companies. Using the cloud, a client can adjust its monthly plan to expand system resources when needed, allowing use of extra server space, network connectivity, and storage backup.

Cloud Service Providers

Cloud service providers deliver Web-based applications, platforms, server space, and network connectivity to other organizations. They provide central management and can increase the services when requested. They use virtualized, partitioned hard drives to offer services to clients. Typically, cloud customers can access services through a management panel within a Web browser.

Cloud Infrastructure Providers

Cloud infrastructure providers offer networking capabilities, including architecture and platform, to support the cloud. It is possible for cloud service providers to outsource their data needs to cloud infrastructure providers to optimize efficient operations and reduce cost structure through specialization. For this reason, clients should perform due diligence before committing to a cloud service offering to ensure that the cloud provider(s) comply with regulations. This situation also increases the complexity of liability management. Common cloud infrastructure requirements can include firewalls, VLAN segments, VPNs, SANs, data storage, networks, and operating systems. Examples of popular cloud platforms are Microsoft's Azure Services Platform, Google AppEngine, Amazon Web Services, and IBM's Cloud services.

Cloud computing has four deployment models: private, community, public, and hybrid depicted in the figure below.

Reference: Mell, P. & Grance, T. (2009). The NIST definition of cloud computing. U.S. Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory. Version 15, 10-7-09. Retrieved from http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc

Hybrid Cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Private Cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community Cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public Cloud

The cloud infrastructure is provisioned for open use by the public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Cloud service providers can be leveraged in multiple ways, but they mostly offer three service models: software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). These models provide varying levels of services, ranging from general infrastructure services, such as operating systems or database services provided by IaaS vendors to targeted functional services provided by SaaS vendors. IaaS remains the most widely used application of virtualization in the cloud computing context.

Mobile Cloud Computing

Cloud Device Messaging

As cloud computing continues to expand its reach to new platforms, service providers are increasingly offering cloud-on-mobile or mobile cloud computing to manage and operate mobile applications. The first iteration of mobile cloud computing has come in the form of mobile Gmail and Google Maps, which carry out data storage and processing activities on mobile devices, not necessarily on the cloud. The next generation of mobile cloud computing, such as Android 2.2's “Cloud to Device Messaging (C2DM)” feature, conducts data storage and processing outside the mobile device, on the cloud. One example of this is the “Chrome to Phone” app.

Benefits vs. Barriers

Mobile cloud computing offers many benefits but also faces certain barriers to growth, such as scalability and security.

Benefits

· Web-developed applications, requiring only one version, will run on servers rather than on-site, and handset requirements will be automatically minimized and simplified.

· Mobile devices will become more powerful when their memory is freed, as data storage and processing will be offloaded to the cloud.

· Organizations will benefit from data-sharing applications and enhanced collaboration. Individual users will discover that remote-access applications enable them to monitor their PCs, DVRs, and home security systems.

Barriers

· Mobile Web connectivity is inconsistent in some areas. This can be addressed with technologies like HTML5, which uses local caching to help mobile cloud applications transmit at faster speeds.

· All platforms (physical, virtual, and mobile) connected to the cloud need to be secured. However, keeping in mind the limited storage of mobile devices, these security technologies must run on the cloud without adversely affecting device performance, battery life, or processing resources.

Compare different technologies and techniques, including encryption, access control, and other techniques. Consider their efficiency, effectiveness, and other factors that may affect the security of the data in the cloud. Include your reasoning and conclusions in your evaluation. Conclude which techniques are generally better and stronger and provide your reasoning.

You will include this summary in your report.
