Network Security and Cryptography Secure Data Storage and Transfer

Question: Prepare a report on data storage, data transfer, user authentication and network monitoring? Answer: Introduction In this report the existing network of Your Events will be analyzed from the information security viewpoint. There will be security planning for data storage, transmission etc. over the Intranet and Internet, use of different kind of authentication methods for different categories of users. Secure Data Storage and Transfer Currently, the company manages an Intranet, a central data center and related IT infrastructure for their business. They have geographically separated offices at four large cities and the head quarter is in London. At head headquarter, there is a data center for the company. There are file, print and mail servers. The sales staffs sell tickets via telephone and there is a website for the company also. Customers can purchase tickets from the website. Thus there will be transaction of customers personal information, credit card information etc. moreover, the company stores all these information at their web server. There is a backup of these data from web server to the file server. File server data are accessed for accounting activities. Now, the company collects, stores and processes huge amount of personal data and credit card information from the customers. It is the sole responsibility of the company to ensure the privacy of those data when stores and processed by the company. Also there are data protection issues. These data must be protected from all kind of misuse, unauthorized access, damage, modification etc. The security planning for ensuring secure storage and transfer of data are given as, The company should expand its network a bit. It should redesign the architecture of data storage. The web server should be dedicated for website related activities. It handled transactions from customers directly and deals with all web traffic directly. This is not a secure approach. There should be some firewall and proxy server for protecting the web server. Because, in current scenario, the web server contains sensitive credit card information and personal data from the customers. If there is some attack on the web server, then these data will be at risk. Thus there should be some proxy server to deal with all traffic. Firewall will be installed on the proxy server to monitor the traffic. (Arregoces Portolani, 2003) If possible then the company should refrain from storing credit card information of its customers. These are sensitive data and does not help in any business related work or decision making. Storage of such information adds more security issues to the company. Thus, it should not be stored permanently in the servers of the company. There should be proper backup and recovery management process. Instead of keeping back up of data from web server to file server, the company should adopt some proper backup and recovery management. This recovery management policies and infrastructure will save the company from disasters and potential data losses in the face of some fatal security attacks or natural calamities. (Harrington, 2005) While transmitting data from one center to another, there are chances of security attacks like spoofing, eavesdropping and other kind of man in the middle attacks on those data. The company should use proper encryption, decryption of those data while transmitting those. Another alternative is building some VPN or Virtual Private Network connecting all business sites. There should be proper tunneling methods for this infrastructure. (Stewart, 2013) Insider attack is a risk for the data center at head office. The data center itself should be protected. There should be restrictions on entry to the data center and operating on the data center. There should be proper user authentication techniques. The company uses several secure payment gateways for collecting payments from the customers. There are several rules, regulations and best practices to implement and use such platforms and online payment system. The company should confirm to those. Use Authentication There are different kinds of users who interacts with the IT infrastructure, information systems and website of the company. There are visitors and customers who visits the company website, makes ticket purchase over online platform. There are the sales staffs who access the system, checks status of tickets and books tickets on the behalf of the customers who purchases tickets via telephone. There are accounting staffs who access transactional information and file server, to carry on different accounting operation. However, there is lack of proper access control in the current scenario. For example, the data from web server is stored at the file server as a backup. And from there accounting staffs access those data. The backed up data includes personal data of the customers and information such as credit card information. Now, these data will not be needed for accounting. Accounting will need access to the transactional, sales, procurement, payroll etc. related data. In fact, the credit card data will not be required by the business or any other staffs. So, there should be different levels of access control and proper user authentication techniques before granting requests for accessing sensitive business, customer and customers credit card data. The access control and authentication techniques should be, For sales staff there should be limited access to the system. They will not be able to see credit card information or personal information about the customers. Also they wont be able to access accounting or other critical business data. The authentication process can be based on username password along with some CAPTCHA or security question. For accounting staffs they access more sensitive business information, thus there should be more degree of authentication. There should be biometric based authentication process. While purchasing tickets, or logging in users on the website should be asked to follow some authentication process. It may be similar to the authentication process for sales staff. There should be biometric based authentication while entering and working on data centers. All these authentication will save from unauthorized access to sensitive business data. It will also ensure availability of data to legitimate users. (Apelbaum, 2007) For transmitting data between offices, a secure private VPN channel should be created. It will build a private network for the company over the public Internet. The systems across the business sites will be able to connect to the VPN and can data securely and privately across the VPN channel. There are several benefits of using VPN in terms of security, functionality and management of the network. There will be virtual point to point connections between the systems. Also there will be virtual tunneling protocol for more secured infrastructure. The tunneling process will also help to encrypt the traffic or data transmission across the VPN. The implementation can use technologies like IPSec or OpenVPN. (Snader, 2006) For securing the data transmission from customers or user of the website over the Internet, the company needs to implement security control and implementation like SSL or Secure Socket Layer, HTTPS, Digital certificates, secure payment gateways etc. All transaction at the website will be done through SSL or HTTPS. It will help to transfer information like credit card information securely over the Internet. (Stallings, 2006) There are two cryptographic keys used in SSL. The public key is used by every customer for encrypting their data, on the other hand, the company will use a secret private key for decrypting the encrypted text. SSL creates a secure connection between client and server. On the other hand, HTTPS sends each message from user to the receiver securely. Thus SSL and HTTPS are complementary to one another. (Ciampa, 2011) The company can use digital signatures and use the same for sending any message to the customers or staffs. This will ensure that the company is sending the message, not any other person. This will help to ensure the identity of the company to its customer. For example, after sharing a credit card details, the customer need to be sure that whether the details have been reached to the company or not. The acknowledgment message and digital certificate from the company will help to ensure that. Even is worse cases, if the credit card information have been stolen from midway and used by any other attacker, then the company can prove that. Because the attacker can disguise as the company but wont have the digital certificate. (Speciner, et al., 2002) There are other kind of security mechanism for data transmission over the network for example PKI or Public Key Infrastructure. This also helps in securing data transmission over the Internet. There is also a pair of encryption keys and digital certificates. But PKI is basically used for email encryption. As the company does not use email based communication with their customers, so this technique is not very much applicable for them. (Ciampa, 2011) Vulnerability can be there in any information system or information technology infrastructure. Identification and safeguarding the vulnerabilities is a part of securing the network. It needs a constant monitoring process. There are various benefits from these vulnerability monitoring and scanning processes. Some of the benefits are, It protects the network by conducting comprehensive network monitoring and scanning. It updates the IT resources whenever needed. And the process is automated. It helps in IT auditing and reporting about the unmatched cases. The cost for data protection is reduced. There are lots of automated tools and techniques to make the network secure from hackers. Also there are different types of vulnerability scans. Vulnerabilities can come from the network of the customer or from Internet. There can be External and Internal scans that refers to scanning of private ports and LAN of the customer respectively. On the other hand there is range scanning for all external ports of a system. It checks all well-known ports, unused IP addresses etc. and finds if there is any exploitation of the vulnerabilities. (Manzuik, et al., 2006) Comments The processes, techniques etc. discussed in the report will help the company to make their current infrastructure secure for present and future. While preparing the report, it helped to learn about the networks and IT infrastructures used by the organizations, what are the different kind of threats faced by these organizations etc. Along with that, it helped to understand different countermeasures for the security risks, how those can be mitigated etc. References Apelbaum, Y., 2007. User Authentication Principles, Theory and Practice. s.l.:Fuji Technology Press. Arregoces, M. Portolani, M., 2003. Data Center Fundamentals. s.l.:Cisco Press. Ciampa, M., 2011. Security+ Guide to Network Security Fundamentals. s.l.:Cengage Learning. Harrington, J. L., 2005. Network Security: A Practical Approach. s.l.:Elsevier. Manzuik, S., Pfeil, K. Gold, A., 2006. Network Security Assessment: From Vulnerability to Patch. s.l.:Syngress. Snader, 2006. VPNs Illustrated: Tunnels, VPNs, And IPSec. s.l.:Pearson. Speciner, M., Perlman, R. Kaufman, C., 2002. Network Security. 2nd ed. s.l.:Pearson . Stallings, W., 2006. Cryptography And Network Security. 4th ed. s.l.:Pearson . Stewart, J. M., 2013. Network Security, Firewalls and VPNs. 2nd ed. s.l.:Jones Bartlett Publishers. Tipton, H. F. Krause, M., 2007. Information Security Management Handbook. 6th ed. s.l.:CRC Press.