Security Assessment of Large-Scale IT Infrastructure

(Shouki A. Ebad)

---

Abstract

Due to today’s online interactions, the security of IT infrastructure components is important for organizations. The literature survey revealed that evaluation of security of an IT infrastructure has not received as much attention from the research communities as that of application security. This paper examined an example of Saudi IT infrastructure to identify the challenges that threaten security, along with recommendations to address these challenges. Different qualitative methods were used in data collection, including focus groups, direct meetings, observations, and archival data/documents. Key categories of security threats are found to be networking, (e.g., violation of the principles of secure design), systems and storage (e.g., patching management), and information/endpoint (e.g., operation procedures). The lessons learned indicated that these infrastructure security risks can be addressed through various means, including infrastructure management (e.g., monitoring, documentation, and compliance with project management practices), software business activities (e.g., renewal of vendor support service), network redesigning (e.g., avoiding single point of failure structure), and incident response procedures (through developing and implementing clear, formal procedures). Some kinds of infrastructure security threats, such as cascading threats, are difficult to discover and evaluate. This study will assist security requirements engineers, systems managers, and security compliance officers.

KEYWORDS
Assessment, IT infrastructure, IT security, networking, security engineering, systems management

PDF

References

Adu, K.K. and Adjei, E. (2018). The phenomenon of data loss and cyber security issues in Ghana. Foresight, 20(2), 150–61. 
Ahmed, M.T.U., Bhuiya, N.I. and Rahman, M.M. (2017). A secure enterprise architecture focused on security and technology-transformation (SEAST), The 12th International Conference for Internet Technology and Secured Transactions, (ICITST-2017), Cambridge, UK, 11–4/12/2017.
Alanazi, S.T., Anbar, M., Ebad, S.A., Karuppayah, S. and Al-Ani, H.A. (2020). Theory-based model and prediction analysis of information security compliance behavior in the Saudi healthcare sector. Symmetry, 12(9), 1544. DOI: 10.3390/sym12091544
Alateyah, S.A., Crowder, R.M. and Wills, G.B. (2013). Identified factors affecting the citizen’s intention to adopt e-government in Saudi Arabia. World Academy of Science, Engineering and Technology, 7(8), 904–12.
Antonino, P., Duszynski, S., Jung, C. and Rudolph, M. (2010). Indicator-based architecture-level security evaluation in a service-oriented environment. In: The Fourth European Conference on Software Architecture: Copenhagen, Denmark, 23–26/08/2010. DOI: 10.1145/1842752.1842795.
Chaturvedi, M., Gupta, M. and Bhattacharya, J. (2008). Cyber Security Infrastructure in India: A Study, Emerging Technologies in E-Government. Available at: http://www.csi-sigegov.org/emerging_pdf/9_70-84.pdf (Accessed on 15/11/2020).
Dalol, M.H. (2018). Effectiveness of Accounting Information Systems in Light of Development of IT Infrastructure and Information Security. Master’s Dissertation, The Islamic University of Gaza, Gaza, Palestine.
Dooley, K. (2001). Designing Large Scale LANs: Help for Network Designers. USA: O'Reilly Media.
Ebad, S. (2018a) An exploratory study of ICT projects failure in emerging markets. Journal of Global Information Technology Management, 21(2), 139–60. DOI: 10.1080/1097198X.2018.1462071.
Ebad, S. (2018b). The influencing causes of software unavailability: A case study from industry. Software Practice and Experience, 48(5), 1056–76. DOI: 10.1002/spe.2569.
Hashizume, K., Rosado, D.G., Fernández-Medina, E. and Fernandez, E.B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(5), n/a. DOI: 10.1186/1869-0238-4-5.
Kirby, L. (2015). Beyond Cyber Security: Protecting Your IT Infrastructure. Available at https://uptimeinstitute.com/images/Documents/ProtectingYourITInfrastructure.pdf (accessed on 15/11/2020).
Lethbridge, T.C., Sim, S.E. and Singer, J. (2005). Studying software engineers: Data collection techniques for software field studies. Empirical Software Engineering, 10(3), 311–41.
Marrone, M. and Kolbe, L.M. (2011). Impact of IT service management frameworks on the IT organization. Business and Information Systems Engineering, 3(1), 5–18.
Mastelic, T. and Brandic, I. (2013). TimeCap: Methodology for comparing IT infrastructures based on time and capacity metrics. In: The IEEE 6th International Conference on Cloud Computing, 131–8, Santa Clara, CA, USA, 28/06–03/07/2013.
Mimura, M. and Suga, Y. (2019). Filtering malicious JavaScript code with Doc2Vec on an imbalanced dataset. In: The 14th Asia Joint Conference on Information Security (AsiaJCIS), Kobe, Japan, 24–31/08/2019.
Pearlson, K.E., Saunders, C.S. and Galletta, D.F. (2019). Managing and Using Information Systems. 5th edition, USA: Wiley.
Popp, K. and Meyer, R. (2011). Profit from Software Ecosystems Models, Ecosystems and Partnerships in the Software Industry. Norderstedt, Germany: Books on Demand.
Priem, R. (2020). Distributed ledger technology for securities clearing and settlement: Benefits, risks, and regulatory implications. Financial Innovation, 6(11), n/a. DOI: 10.1186/s40854-019-0169-6.
Rabii, L. and Abdelaziz, D. (2015). Comparison of e-readiness composite indicators, The 15th International Conference on Intelligent Systems Design and Applications (ISDA), Marrakech, Morocco, 14–16/12/2015.
Sanchez-Nielsen, E., Padron-Ferrer, A. and Marreo-Estevez, F. (2011). A multi-agent system for incident management solutions on IT infrastructures. In: The 14th Conference of the Spanish Association for Artificial Intelligence (CAEPIA 2011), La Laguna, Spain, 07–11/11/2011.
Schoenfisch, J, Meilicke, C., Stülpnagel, J.V. and Ortmann, J (2018). Root cause analysis in IT infrastructures using ontologies and abduction in Markov logic networks. Information Systems, 74(2), 103–16.
Shang, S. and Seddon, P.B. (2000). A comprehensive framework for classifying the benefits of ERP systems. In: The 2000 American Conference of Information Systems, Long Beach, California, 10–13/08/2000.
Shoffner, M., Owen, P., Mostafa, J., Lamm, B., Wang, X., Schmitt, C.P. and Ahalt S.C. (2013). The secure medical research workspace: An IT infrastructure to enable secure research on clinical data. Clinical and Translational Science, 6 (3), 222–5.
Shrivastava, A.K. (2015). The impact assessment of IT Infrastructure on information security: a survey report. In: International Conference on Information Security and Privacy (ICISP2015), Nagpur, India, 11–12/12/2015.
Sommerville, I. (2015). Software Engineering. 10th edition, UK: Pearson.
Sousa, K.J. and Oz, E. (2015). Management Information Systems. 7th edition, USA: Cengage Learning.
Teymourlouei, H., and Harris, V. (2019). Effective methods to monitor IT infrastructure security for small business. In: The 2019 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 5–7/12/2019.
Topper, J. (2018). Compliance is not security. Computer Fraud and Security, 2018(3), 5–8. DOI: 10.1016/S1361-3723(18)30022-8.
Wohlin, C., Runeson, P., Host, M., Ohlsson, M.C., Regnell, B. and Wesslen, A. (2012). Experimentation in Software Engineering. Germany: Springer.
Yasasin, E., Prester, J., Wagner, G. and Schryen, G. (2020). Forecasting IT security vulnerabilities –an empirical analysis. Computers and Security, 88(n/a), n/a. DOI: 10.1016/j.cose.2019.101610.
Zambon, E., Etalle, S., Wieringa, R.J. and Hartel, P. (2010). Model-based qualitative risk assessment for availability of IT infrastructures. Software and Systems Modeling, 10(4), 553–80.