Proposal Project


Running Head: IT PROJECT PROPOSAL


Professional Reflection Essay Submission

Jamie Vaughan

Southern New Hampshire University

4 July 2018

Problem Statement

The cloud is a huge growth area in the information technology sector today. A lot of organizations are embracing the solution to simplify their operations, gain enormous economies of scale and even reduce their cost of operations. It is expected that in a few years most if not all of the information technologies will be run from the cloud. An organization wishing to adopt the solution will need to be aware of the requirements for ensuring they have the best solution they can get for their business.

Significance of Problem

The significance of the problem is that there are too many cloud-based products out there that lack high-security features (see Appendix A). They do have security features, but there is still hijacking, data breaches, data loss and unauthorized logins. The problem is that the firewalls are not protecting the data that is coming into or leaving the network. Companies are still using servers because of the security features, and people do not want to change to something they are unfamiliar with. There needs to be a team set up whose whole purpose is to create security risks and have them breached in order to fix the problem. This will allow for a stronger security system. It is like a bank: banks often hire people to break into them so that they can find the security risks and fix them.

Implementation and Testing Plausibility

The challenge will be to do the testing that other companies have failed to do, or to implement the changes that make network security better.

· Planning

The first part of the planning will be to research what security measures companies have taken thus far. Right now, there are five basic rules that IT uses for the security of web-based products: review your ransom response plan, check the power supply, map data for better security and compliance, update server protection, and push IT security training wider and deeper (ESET). The planning needs to start with the vulnerabilities that occur daily, namely phishing, malware, wrong software versions that are a security risk, and firewalls not protecting the data. The plan needs to raise security awareness for all users, especially when the storage and other applications are cloud-based. Latency will occur when using cloud-based products; with everyone on the network at the same time, there needs to be plenty of bandwidth to cover all the users.

· Resources

One of the resources needed for a cloud-based solution is an anti-virus program to ensure the security of the users' devices. There are several products out there that help protect devices, but one of the most secure is McAfee. It will not allow a user to do any kind of work without an ID check, which can be done with a token or an encrypted password. Reliability is very important when it comes to keeping out vulnerabilities. Another resource that is needed is a firewall to protect the network from incoming and outgoing traffic. Two different firewalls will be used, a Next-Gen Firewall and Application-level Gateways; these will protect the data and the users.

Proposal Description

This proposal weighs using cloud-based products against using servers and purchasing software with licenses. It has been said that using servers and purchasing software with licenses is more secure and more reliable. That is not always the case: servers go down all the time, and getting back up is hard without a lot of data transfer. Servers are very expensive, and the products must be updated often, which costs the company a lot of money. Purchasing software can be very expensive, especially when licenses are needed for every user. The company also needs to spend money on hiring specific employees to manage the servers and the data they hold on a daily basis. Using cloud-based products will allow the company to spend money on a monthly or yearly basis without breaking the bank. One positive of cloud-based products is that if you need more space, you just call the cloud company you are using, tell them you need more space, and they flip the switch, giving you more space.

The cost of buying a server or managing it can be as low as $75k and continues to grow the more the company grows. A cloud-based server can cost as little as .5 cents per hour, making it $12 a day, $4380 per year. This is easier to come up with yearly than to come out of pocket $75k.

Overview of Solution

The first part of the cloud adoption plan is the assessment process. This stage is an evaluation of the business value, benefits, and feasibility of implementing the cloud solution. Understanding this early enough will ensure that the solution deployed is aligned with the organization and that the necessary objectives of the business are covered. There are also cloud vendors that provide cloud partnerships, which can be leveraged to provide add-on services like improved after-sale technical support, discounts and so forth (Gholami, Daneshgar, Low, & Beydoun, 2016). The stage should ensure that the pros and cons have been definitively evaluated.

Preparing a cloud strategy is the next step in the adoption process (see a cloud strategy in Appendix B). The strategy needs to be customized to the needs of the organization. The existing solution will then be leveraged with the platform as a service (PaaS), infrastructure as a service (IaaS) and software as a service (SaaS) solutions that will be adopted. The appropriate architecture is also decided upon at this stage. The applications that will be used in the cloud are decided at this point, with the best options being stand-alone solutions that ensure any potential disruption is limited to that single application. Other factors to consider include their capacity for productivity, agility, and efficiency. At this point, the organization must decide whether to adopt a public, private or hybrid cloud solution. The service level agreement (SLA) entered into with the cloud vendor will provide guarantees from them on the quality of service as well as the terms of policy and governance (Rountree & Castrillo, 2013).

[Figure: Basic IaaS]

The implementation stage of the process will include such tasks as choosing the standards to be adopted, i.e. OpenStack adaptability and portability standards. The methodologies for migration of applications will also be adopted at this stage. The architectures selected will be used to develop these strategies, including scripts and use cases. The appropriate servers are also taken into account (Gholami et al., 2016).

Optimization is a stage that will lead to more streamlined business processes and licensing regimes, which should lead to efficiency and increased value to the organization. With organizational efficiency, the company will be better positioned to offer better services to its customers. Other optimization strategies include evaluations conducted after deployment to determine and rectify problem areas, and conducting skills assessments (Rountree & Castrillo, 2013).

[Figure: Current Operating Environment, Linux]

Methodology and Tools for Developing the Solution

As this is a first-time development, various issues may arise. If a major issue occurs during the process, it has the potential to disrupt the operations of the company in a major way. To avoid such a situation, the team will be choosing stand-alone applications and adopting the agile development framework.

The agile development framework is a project management methodology that divides tasks among different development groups. Each of them implements their requirements independent of the others. Characteristics of agile projects include empowered team leaders, clearly defined roles in teams, sparse documentation and the emphasis on testing a product before releasing it. It is a project option that should work in the development of the cloud solution and it can be done while the existing solution is still in place (Kerzner, 2013). This will avoid potential disruptions that could affect the normal operations.

Requirements and Gap Analysis of the Solution

There will be expectations of the cloud solution that need to be met to consider it a success. Functional requirements will be those that ensure that certain technical milestones are met by the cloud solution. There will be three main levels of the cloud, with each higher level requiring less technical expertise to implement. The lowest level will be the most complex and will include the compute and manage resources. The compute resources include the memory, the CPU and the disk, which are required to power the applications that will be deployed. This level needs to be capable of handling the load that will be placed on it. The manage resources include software provisioning and virtual machine management, which are needed to provide server platforms and monitor the resource requirements of the application. The next levels are the development and deployment environments that are used for the development and deployment of applications. The applications themselves occupy the highest level, where they can be easily accessed by users (Rountree & Castrillo, 2013).

The performance requirements will include the capacity to serve users by ensuring the resources are always available to them. There will be the mobile users who will access the cloud resources through different WLANs, LANs and internet connections. They will be accessing the cloud through different devices like smartphones, tablets, laptops and desktop PCs. The cloud needs to be capable of meeting their requirements. Security requirements will be the cloud's capability of ensuring the confidentiality, integrity, and availability of the data that will be passing through it (Hathaway, 2014).

The gap in the current solution is that it cannot deliver applications to users outside the immediate network in a reliable manner. When it does happen, it is usually slow and incomplete. The cloud will be capable of serving remote users anywhere they are, so long as they have access to a reliable internet connection and an enabled device. In the same way, the current solution does not have the requisite security solutions that can prevent attacks from the internet. With the cloud providing greater exposure on the internet, it will also provide the necessary solutions to protect against viruses, ransomware, distributed denial of service (DDoS) attacks and many more threats (Hathaway, 2014).

Compliance Requirements

There are many compliance requirements that need to be adhered to when adopting a cloud solution (see Appendix D). These include the Payment Card Industry Data Security Standard (PCI DSS) for financial transactions, the Federal Security Information Management Act (FISMA) and the FTC Act from the federal government, as well as many more from both the federal and state governments. These are necessary compliance requirements given the sensitivity of the data being handled, which could belong to third parties like customers (Rountree & Castrillo, 2013). The cloud user and the cloud vendor both have a part to play in adhering to these requirements, and most choose to collaborate in ensuring that the various requirements have been adhered to.

Problem Statement

The main problem was the poor security and other functional shortcomings that were being witnessed in a lot of information technology products in the market. The project aims to implement a cloud solution that takes into account most of the shortcomings that were identified in other products. The cloud solution will need to be not only proficient on a technical level but also capable of fulfilling the business requirements set out for it. The cloud solution is also expected to expand the reach of the network, as the current one is limited in that scope. The complete solution should ensure that the full benefits of using the technology are realized (Rountree & Castrillo, 2013).

[Figure: Organization Structure]

Application of Knowledge on Stakeholder Needs

The stakeholders involved in the project will have an important part to play in the success of the final solution. Everyone who is invested in the project is considered a stakeholder who will invest their time and energy to build the project and make it stronger and more reliable. Their views and suggestions will be of importance to the eventual outcome and they will be incorporated where necessary. One of the main needs of the owners was the provision of adequate security functions. Given the importance of the data that they held, it was necessary that the security tools put in place were capable of providing the requisite protection against common and rare threats as well. The owner was insistent on an early warning system that alerted them to an ongoing attack on the system. Such a tool would provide an opportunity to directly steer the response to an attack and ensure that the damage is contained as much as possible. Also as part of this, a backup system was provided that was in tune with the owner's requirement. It involved using different data centers located far away from each other so as not to be affected by the same potential disaster. The cloud was configured to provide multiple failover options that ensured business continuity even in the case of a potential disaster (Rountree & Castrillo, 2013).

The cloud solution needed to be capable of serving users who were spread far from each other. Where the old solution mostly served the users located at a single office premises, the cloud solution needed to expand its reach. With the reach of the cloud expanding, the security needs to be made stronger and more reliable. The security needs to start with an antivirus program that will protect all the users and multiple firewalls to protect the network. Part of the solution was making the service accessible over a wide variety of internet connections including WANs, LANs, wireless, mobile and more. The solution was also designed to be accessed from a variety of devices including smartphones, tablets and the expected laptops and desktop PCs. The purpose of this was to make the cloud solution available to a bigger variety of users (Rountree & Castrillo, 2013).

Project Design

The design process included the requirements stage, which covered the needs of the three levels to be developed in the cloud solution. The lowest level included the 'Compute' and the 'Manage' resources. Here would be the CPU, disk and memory, as well as virtual machine management and software provisioning. With the CPU and virtual machine components, it will be able to compute the necessary data. The next level would be the environments responsible for the development and deployment of applications, with the final level being the applications. The agile development framework will be applied in the process to ensure high quality and accountability. As far as the development process has reached, the model has been functioning largely as intended, with the main issues being in determining the eventual scale of the system. It is an aspect that should be tested once all the components are completed and integration is done (Rountree & Castrillo, 2013).

[Figure: KVM]

The main challenge of the process was the need to keep testing the security resilience of the components. The success of each iteration in the process requires that adequate security testing of the components is done. It has been a stage that has taken a lot of time as the various tests are conducted. However, the upside is that it should significantly lessen the need for testing in future. Another challenge was the changing requirements of the owner which, while not extensive, still meant that some of the iterations might have had to be redone so as to capture these requirements. It meant that the project timelines needed to be adjusted accordingly and the resultant cost overruns absorbed (Kerzner, 2013).

Project Implementation

The project implementation plan will largely involve the migration of data and applications to the cloud platform and the configuration of security settings. With the data involved being of a sensitive nature, it will be important that the plan consider options that will ensure the data is safeguarded throughout the entire process. The owner asked whether it would be possible to conduct a live migration to minimize the disruption to operations. The process of live migration involves moving a virtual machine from one physical host to another without causing any downtime for the end users. In this case, it will be moved to a cloud platform. It is a process that should take a few hours to complete (Rountree & Castrillo, 2013). Once it is complete, the owners will be provided with their new credentials to use when accessing the cloud.

The next step will be the configuration of security for the new platform. A number of actions will be taken to ensure the cloud's safety. These will include an intrusion detection system. The intrusion detection system will be responsible for screening all traffic passing in and out of the platform and ensuring that it is all legitimate. Once the intrusion detection system discovers a potential threat, it will take the appropriate actions. The plan is to also include intrusion prevention in the solution that will be selected, to avoid requiring the administrator to cater to every threat. A hybrid intrusion detection system will be used, capable of identifying threats from a constantly updated database of threats as well as identifying any anomalies in the operations of the cloud platform. Another security action will be the setting up of user profiles (Rountree & Castrillo, 2013). Each user will be required to have a unique username and password that they will use to access the cloud and its resources.
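
A minimal sketch of the hybrid approach described above, added here as an illustration and not part of the original proposal: one detector matches requests against a signature database, the other compares outbound volume per host with a learned baseline. The log format, host names, signature names, threshold, and the policy of blocking on signatures but only alerting on anomalies are all assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from typing import NamedTuple

# Constructed signature database; stands in for a regularly updated threat feed.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union-select": re.compile(r"(?i)union\s+select"),
}

# Constructed history: outbound bytes per minute seen for each host in normal operation.
BASELINE_HISTORY = {"app-1": [1200, 1100, 1300, 1250, 1150, 1000, 1400, 1200]}

# Constructed traffic log: minute, direction, host, bytes, request ("-" if none).
SAMPLE_LOG = """\
100 in  app-1 400 GET /index.html
100 out app-1 1250 -
101 in  app-1 300 GET /files?name=../../etc/passwd
101 out app-1 1180 -
102 in  app-1 350 GET /report?id=7
102 out app-1 98000 -
103 out app-2 5000 -
"""


class Event(NamedTuple):
    minute: int
    direction: str
    host: str
    nbytes: int
    request: str


class Verdict(NamedTuple):
    minute: int
    host: str
    detector: str  # "signature" or "anomaly"
    detail: str
    action: str    # "block" (prevention) or "alert" (administrator reviews)


def parse_log(text):
    """Turn the whitespace-separated log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        minute, direction, host, nbytes, request = line.split(None, 4)
        events.append(Event(int(minute), direction, host, int(nbytes), request))
    return events


def signature_verdicts(events, signatures):
    """Known-threat matching: a hit is precise enough to block without an admin."""
    return [
        Verdict(ev.minute, ev.host, "signature", name, "block")
        for ev in events
        for name, pattern in signatures.items()
        if pattern.search(ev.request)
    ]


def anomaly_verdicts(events, history, z_threshold=3.0):
    """Flag minutes whose outbound volume is far above the host's baseline."""
    totals = defaultdict(int)
    for ev in events:
        if ev.direction == "out":
            totals[(ev.minute, ev.host)] += ev.nbytes
    verdicts = []
    for (minute, host), total in sorted(totals.items()):
        samples = history.get(host, [])
        if len(samples) < 2:
            # No profile for this host: surface it instead of silently passing it.
            verdicts.append(Verdict(minute, host, "anomaly", "no-baseline", "alert"))
            continue
        mean = statistics.mean(samples)
        spread = max(statistics.stdev(samples), 1.0)  # guard against zero variance
        z = (total - mean) / spread
        if z > z_threshold:
            verdicts.append(
                Verdict(minute, host, "anomaly", f"outbound z={z:.1f}", "alert"))
    return verdicts


def hybrid_scan(log_text, history=BASELINE_HISTORY, signatures=SIGNATURES):
    """Run both detectors over the same traffic and merge their verdicts."""
    events = parse_log(log_text)
    return sorted(signature_verdicts(events, signatures)
                  + anomaly_verdicts(events, history))


if __name__ == "__main__":
    for verdict in hybrid_scan(SAMPLE_LOG):
        print(verdict)
```

Only the signature detector would have caught the request at minute 101, and only the anomaly detector notices the large outbound transfer at minute 102, which is the reason for combining the two.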

Project Testing

Testing will be necessary to ensure that the implementation process was successfully done. Even with state-of-the-art cloud architecture and high-quality hardware in the data centers, it is still important to conduct testing. Failures can affect any system, and being prepared for potential failures can help in minimizing the level of damage caused. Resilience testing is a form of testing that measures how a system can endure multiple failures at a go. To avoid major disruptions should things go wrong, it is done in a controlled environment. The resilience testing will test how the system responds to various simulated failures that are inflicted upon it (Hyslip, 2015). The results of the resilience tests will then be used to build the necessary protections and make improvements where necessary.

Another form of testing will be penetration testing. This form of testing is usually done by an external contractor who has essentially been authorized to hack into the system. The hacking will be done to identify weak areas and vulnerabilities in the system that can be exploited by cybercriminals. The external contractor will be an ethical hacker who will provide the owners with a report of all the vulnerabilities they encountered and recommend how best to rectify them (Hyslip, 2015).

Report Summary

The implementation process will need to be done in a structured manner that takes into account all the potential pitfalls. Live migration was found to be the best method for implementing the migration of data and applications to the cloud. To ensure a smooth transition, experts will be brought in to oversee the process. Also considered in the implementation stage are the options in place for backup of the data. It will be done by hosting in different data centers spread around different geographic locations.

The testing is not expected to catch all vulnerabilities or foresee every potential risk. It is however expected to provide adequate information to support a robust mitigation strategy. Regular testing will be necessary in future to cater for emerging threats.

Stakeholder

A buy-in agreement is a key component for stakeholders; the idea is to keep open communication with all levels of stakeholders within the organization. With the company growing, the communication plan needs to be built around the affected parties and customers. The proposed plans are the engagement feedback that will improve the stakeholders' involvement. The engagement process is aware that the best business ideas are coming from outside the organization.

The proposal needs to be a solid plan so that the stakeholders will have confidence in buying into the idea. You need to believe in the product and present it with passion; if the stakeholders see the presentation as weak, or see that you are unsure of yourself, they will walk away without any concern. The project will not sell itself; the confidence needs to come from the presenter.

The stakeholders need to feel they are part of the project; this will allow them to make the decision to join the project. Having the stakeholders in the decision-making process will make them think they are contributing to the project and to the success of how the project will turn out.

There are several cloud-based products that are currently available. While the stakeholders can research everything on-line, the project needs to make on-line look like a kid's toy.

Recommendation for Future Enhancement

The speed of acquiring data from and sending it back to the cloud should be considered. In as much as security is a significant concern, the speed of acquiring the data may be affected by network traffic. Data needs storage space, and the more adequate storage you provide the better, since speed can easily be affected by low storage. The issue of speed can also be tackled by adopting a decentralized system and building the best infrastructure, which can enable more users to utilize the resources available online without being affected by speed.

Online resources offered by cloud computing include data and application platforms (see online resources offered by cloud solutions in appendix A). These resources are offered through the internet by the service provider. There are many considerations to make in the implementation process. The future of this project depends on how all the elements are incorporated and executed. One of the major concerns is the security of the data once it is stored in the cloud. So far the project has been based ideally on testing and coming up with appropriate security measures such as designing a sophisticated antivirus program.

There is a need to have a backup system so that, in case the cloud is not in its best state, the users will still be able to access their data. This is important, especially when handling vital data which may contain confidential information. At no point in time should there be a situation where data is lost, even when the system is hacked.

A three-layer security system should be adopted: the first layer may require user credentials, while the second and third layers may require a kind of interaction between the system and the user. Face recognition software should be installed to enhance the security. The user may be required to update their location from time to time so that any attempted login from another location is identified and the necessary action is taken to ensure that the user's data is protected.

A proper infrastructure regarding hardware resources has a bearing on the security and efficiency of hardware resources. The future of cloud computing depends on the type of computer systems which will have been invented. High-speed and smart computers, plus the use of satellite for storage and communication systems, may speed up the process and improve the security of data. These cloud computing resources are shared online, hence there is a need to have a system which can relay real-time online resources to all the users.

The systems should be able to notify the administrator in case of a security breach. An advanced security breach notification system is required so that, in case there is an attempt to steal data or to infiltrate the system, proper action will be taken in time. It is also important to implement the best installation and configuration measures to avoid issues which arise as a result of a poor installation and configuration process.

Challenges and Lessons Learned

This project was aimed at shedding light on the huge security risk to institutional data, as had been suggested by various publications and many researchers and as insinuated by many of our class studies. The success of this project was highly reliant on adequate and leading information. Unfortunately, after the research, it turned out that there is very little risk involved in using cloud products, as they are not as vulnerable as suggested earlier; the risk was less than expected, although it was identified that there does exist some considerable risk. The risk is negligible, making it difficult to eloquently put it in terms that are more persuasive to organizations and policymakers in institutions to ditch cloud products and revert to the use of internal servers for information technology applications and products for organizations. Further, the study could only prove that, regardless of their choice of either cloud products or the internal server system, some organizations are more susceptible to risk than others. This issue negatively affects the credibility of the sustained attacks on the cloud system of accessing applications by institutions.

It has also turned out to be a challenge to access organizational stakeholders to convince them of the value of this project for their cases and their choices with regard to accessing information technology products and applications. This is mostly so because the project's success is largely based on how it interacts with practical scenarios. These stakeholders would assess the study with its recommendations and give expert feedback regarding its practical applications and its validity. Failure to access them, therefore, leaves the study untested on its viability. This has however made me learn the different tactics of accessing key stakeholders, such as booking urgent appointments with them, connecting with them using social media platforms and tracing them at the organization's social events and fanfares, where it is easy to make them commit their time to this proposal.

Even though there are security threats associated with using cloud products and applications by government institutions and private enterprises, there is a notable trend where stakeholders are not willing to share the security concerns that come with subscriptions to cloud applications. This denial robs this project of firsthand information regarding the practical negative aspects of cloud products. In my opinion, this is based on the perception that new advances should not be criticized at all, probably an institutional policy. The policy is based on the bias that information technology staff generally have towards new systems without subjecting them to logical tests. This challenge has helped me devise means to get information from organizations through more reliable channels, such as the information department technical teams who can give unfiltered firsthand information about the performance and reliability of cloud products, and not from public relations officers who sugarcoat the performance of information technology products just to build a positive image of the operations of their institutions. Moreover, research permits, I believe, will better grant me entry into software development labs so as to get resourceful information from cloud application designers. This is because permits in written form from my instructors are more convincing in seeking entry to resourceful places than word of mouth.

Modification Strategies and Actionable Steps

There are no perfect strategies when embarking on research, but better planning is the first step towards research competence, as this avoids unexpected expenditures that could halt the study (Planning, 2014). An elaborate plan should adequately prepare the researcher with proper tactics for sourcing information, either from past works of research or from experts, and with persuasive ways of communicating the findings and conclusions of the research. This plan also gives one an array of questions whose answers will give helpful insights for the research. Further, one is able to plot the applications needed to prove their point or the viability of their project's results. The strategy should also have a mechanism for testing the various cloud applications to prove the presumed vulnerabilities with specificity and actionable suggestions.

Potential Issues

The use of cloud applications by an organization, although touted to be threat free and cost-effective as regards accessing information technology software, has its own potential liabilities to users (Hashem et al., 2015). Surprisingly, some of these liabilities are very costly to an institution over time. For instance, cloud products may grant administration access to potentially harmful parties. This nature of access includes granting an IP address to an external party who could access critical organizational data, files, and protocols. These parties share the crucial information with rival businesses, making an organization incur huge losses as a result (Ali et al., 2015). There has not been a reliable assurance or even guarantee that cloud product companies and administrators have the ability to tame this vice whatsoever.

The access to crucial data by unauthorized parties has often been associated with cloud products as organizations entrust the cloud products companies with massive data access (Hashem et al., 2015). Apart from sharing crucial information such as sales, marketing, and security data, some unauthorized parties further proceed to cause more harm to the critical data by infecting data with viruses and even worms which hold the entire system hostage (Hashem et al., 2015).

Cloud products are always updated with any new industrial enhancements (Ali et al., 2015). When these updates arrive they are forced down on all subscribing organizations regardless of whether they want them or not, based on the fact that cloud services are uniformly accessed by multiple institutions with businesses of varied nature (Ali et al., 2015). Some of these new changes disrupt the already set systems, bringing their business into constant disruption and consequently tainting their customer relations through the constant interruption of service delivery or the supply of goods. This issue is, surprisingly and as mentioned before, denied by the various companies this research contacted, for various reasons.

Appendices

Appendix A

Information strategic plan framework for organizations


Appendix B

Sample cloud strategy


Appendix C

Online resources offered in cloud


Appendix D

Compliance Requirement

The Payment Card Industry Data Security Standard (PCI DSS) has twelve requirements that every organization handling branded credit cards is required to adhere to. The requirements are grouped into six sections termed control objectives. The first group of requirements needs the company to build and maintain a secure network and systems. The second group requires protecting cardholder data. The third requires maintaining a vulnerability management program. The fourth requires implementing strong access control measures. The requirement to regularly monitor and test networks is the fifth group. The last group requires the company to maintain an information security policy.

Apart from Visa and MasterCard merchants having a mandatory requirement, other stores or cardholders do not have mandatory entities.

Another compliance requirement is based on the Federal Security Information Management Act (FISMA). The task of the agency is to assign various security agencies to ensure that the data in the federal government is secure; according to Gikas (2010), various companies carry out security reviews to keep risks at bay. The FISMA requirements that an organization is required to meet are: to categorize the information to be protected, to come up with the minimum baseline controls, to sort controls using a risk assessment procedure, to document the controls in a security plan, to appropriately implement the security controls and assess their effectiveness, to authorize the information system for processing, and lastly to monitor the security controls on a regular basis.

The FTC Act is one of the compliance requirements for data companies. The federal commission act ensures that there is no unfair trading. The function of the act is to investigate and sue companies that practice fraud in business. Therefore the companies are required to put in place various strategies that ensure fair trade between other companies and businesses (Martínez-Pérez, De La Torre-Díez, & López-Coronado, 2015).

References

Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information sciences, 305, 357-383.

Chang, V., Kuo, Y. H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24-41.

Gholami, M. F., Daneshgar, F., Low, G., & Beydoun, G. (2016). Cloud migration process—a survey, evaluation framework, and open challenges. Journal of Systems and Software, 120, 31-69.

Gikas, C. (2010). A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS Standards. Information Security Journal: A Global Perspective, 19(3), 132-141.

Hashem, I. A. T., Yaqoob, I., Anuar, N. B., Mokhtar, S., Gani, A., & Khan, S. U. (2015). The rise of "big data" on cloud computing: Review and open research issues. Information Systems, 47, 98-115.

Hathaway, M. (Ed.). (2014). Best Practices in Computer Network Defense: Incident Detection and Response (Vol. 35). IOS Press.

Hyslip, T. S. (2015). BIT WARS: Cyber Crime, Hacking & Information Warfare. Dr. Thomas S. Hyslip.

Kerzner, H. R. (2013). Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.

Martínez-Pérez, B., De La Torre-Díez, I., & López-Coronado, M. (2015). Privacy and security in mobile health apps: a review and recommendations. Journal of medical systems, 39(1), 181.

Planning, P. (2014). Quantitative Research Approach. In Innovation Acceptance (pp. 141-247). Springer Gabler, Wiesbaden.

Rountree, D., & Castrillo, I. (2013). The basics of cloud computing: Understanding the fundamentals of cloud computing in theory and practice. Burlington: Elsevier Science.