Chapter 5 - IT Infrastructure and Emerging Technologies

5.1 IT Infrastructure & Components

5.2 Contemporary Hardware platform trends

5.3 Contemporary Software platform trends

5.4 Management Issues

IMPORTANT TERMINOLOGIES :

1. IT infrastructure consists of a set of physical devices and software applications that are
required to operate the entire enterprise, and it is a set of firmwide services budgeted by
management and comprising both human and technical capabilities.

2. Mainframe Computers supports thousands of online remote terminals connected to the

centralized mainframe using proprietary communication protocols and proprietary data lines.
(IBM 360 series)

3. Minicomputers - DEC - offered powerful machines at far lower prices than IBM mainframes,
making possible decentralized computing, customized to the specific needs of individual
departments or business units rather than time sharing on a single huge mainframe.

4. Personal Computers (PCs) - a spate of personal desktop productivity software tools—word

processors, spreadsheets, electronic presentation software, and small data management
programs—that were very valuable to both home and corporate users.

5. Client/server computing, desktop or laptop computers called clients are networked to powerful
server computers that provide the client computers with a variety of services and capabilities.
(windows os)

a. Client is the user point of entry, whereas the server typically processes and stores shared data,
serves up Web pages, or manages network activities.

b. Two-tiered client/server architecture - client/server network consists of a client computer

networked to a server computer, with processing split between the two types of machines.

c. Multitiered client/server architecture - work of the entire network is balanced over several
different levels of servers, depending on the kind of service being requested (small businesses)

d. Web server - responsible for locating and managing stored web pages (serve a Web page to a client
in response to a request for service)
e. Application server - handles all application operations between a user and an organization's back
end business systems (client requests access to a corporate system)

6. Enterprise Computing - Transmission Control Protocol/Internet Protocol (TCP/IP) networking

standard to integrate disparate networks and applications through firms into an enterprise-wide
infrastructure. Links pcs to mainframes to molibes or even public infrastructures (internet etc),
by use of softwares.

7. Cloud computing refers to a model of computing that provides access to a shared pool of
computing resources (computers, storage, applications, and services) over a network, often the
Internet.

8. Technology Drivers - Development in computer processing, memory chips, storage devices,

telecommunications and networking hardware and softwares have increased the computing
power which reducing costs

a. Moore's Law - (1) the power of microprocessors doubles every 18 months; (2) computing power
doubles every 18 months; and (3) the price of computing falls by half every 18 months.

■ Eg - Nanotechnology uses individual atoms and molecules to create computer chips and
other devices that are thousands of times smaller than current technologies permit.

b. Law of Mass Digital Storage - amount of digital information is roughly doubling every year

■ Eg: Number of megabytes that can be stored on magnetic media for $1 from 1950 to the
present roughly doubled every 15 months.

c. Metcalfe - the value or power of a network grows exponentially as a function of the number of
network members. As the number of members in a network grows linearly, the value of the entire
system grows exponentially and continues to grow forever as members increase.

9. Technology Standards are specifications that establish the compatibility of products and the
ability to communicate in a network (results in price declines as manufacturers focus on the
products built to a single standard)

10. Blade servers are computers consisting of a circuit board with processors, memory and network
connections that are stored in racks. (take up less space)

a. A single IBM mainframe can run up to 17,000 instances of Linux or Windows Server software and is
capable of replacing thousands of smaller blade servers

11. Operating system - manage the resources and activities of the computer (linux, unix, windows)

12. Storage area networks (SANs) connect multiple storage devices on a separate high-speed
network dedicated to storage. (central pool of storage that can be accessed and shared by
multiple servers)

13. Web hosting service maintains a large Web server, or series of servers, and provides fee-paying
subscribers with space to maintain their Web sites.

14. Legacy systems are generally older transaction processing systems created for mainframe
computers that continue to be used to avoid the high cost of replacing or redesigning them.
 15. Consumerization of IT rethink the way they obtain and manage information technology
equipment and services. Bring your own devices to work protocol

16. Quantum computing uses the principles of quantum physics to represent data and perform
operations on these data. (huge processing power - can perform multiple operations
simultaneously - used by researchers from IBM or MIT)

17. Virtualization is the process of presenting a set of computing resources (such as computing
power or data storage) so that they can all be accessed in ways that are not restricted by
physical configuration or geographic location.

a. Eg: Server or mainframe can be configured to run many instances of an operating system (or
different operating systems) so that it acts like many different machines.

18. Cloud computing is a model of computing in which computer processing, storage, software, and
other services are provided as a pool of virtualized resources over a network, primarily the
Internet.

a. On-demand self-service: Consumers can obtain computing capabilities such as server time or
network storage as needed automatically on their own.

b. Ubiquitous network access: Cloud resources can be accessed using standard network and Internet
devices, including mobile platforms.

c. Location-independent resource pooling: Computing resources are pooled to serve multiple users,
with different virtual resources dynamically assigned according to user demand. The user generally
does not know where the computing resources are located.

d. Rapid elasticity: Computing resources can be rapidly provisioned, increased, or decreased to meet
changing user demand.

e. Measured service: Charges for cloud resources are based on the amount of resources actually
used.

19. Types of Services of Cloud computing -

a. Infrastructure as a Service (IaaS): Customers use processing, storage, networking, and other
computing resources from cloud service providers to run their information systems. (Eg - Amazon
uses the spare capacity of its IT infrastructure to provide a broadly based cloud environment selling
IT infrastructure services.

b. Platform as a Service (PaaS): Customers use infrastructure and programming tools supported by
the cloud service provider to develop their own applications. (Eg: IBM offers a Smart Business
Application Development & Test service for software development and testing on the IBM Cloud.)

c. Software as a Service (SaaS): Customers use software hosted by the vendor on the vendor’s cloud
infrastructure and delivered over a network. (Eg: google apps - provides remote server access)

20. Public cloud is owned and maintained by a cloud service provider, such as Amazon Web
Services, and made available to the general public or industry group.
21. Private cloud is operated solely for an organization. It may be managed by the organization or a
third party and may exist on premise or off premise.

22. On-demand computing - they purchase their computing services from remote providers and
pay only for the amount of computing power they actually use (utility computing) or are billed
on a monthly or annual subscription basis.

23. Hybrid cloud computing model where they use their own infrastructure for their most essential
core activities and adopt public cloud computing for less-critical systems or for additional
processing capacity during peak business periods.

24. Green computing refers to practices and technologies for designing, manufacturing, using, and
disposing of computers, servers, and associated devices such as monitors, printers, storage
devices, and networking and communications systems to minimize impact on the environment.

25. Multicore processor is an integrated circuit to which two or more processor cores have been
attached for enhanced performance, reduced power consumption, and more efficient
simultaneous processing of multiple tasks.

26. Open source software is software produced by a community of several hundred thousand
programmers around the world which is not restricted to any specific operating system or
hardware technology, although most open source software is currently based on a Linux or Unix
operating system.

27. Linux and the applications it supports, has profound implications for corporate software
platforms: cost reduction, reliability and resilience, and integration,

28. Java is an operating system-independent, processor-independent, object-oriented programming

language that has become the leading interactive envt for the web

29. HTML (Hypertext Markup Language) is a page description language for specifying how text,
graphics, video, and sound are placed on a Web page and for creating dynamic links to other
Web pages and objects.

30. HTML5, solves this problem by making it possible to embed images, audio, video, and other
elements directly into a document without processor-intensive add-ons.

31. Web services refer to a set of loosely coupled software components that exchange information
with each other using universal Web communication standards and languages.

32. XML, which stands for Extensible Markup Language - can perform presentation, communication,
and storage of data. It provides a standard format for data exchange, enabling Web services to
pass data from one process to another.

33. Service-oriented architecture (SOA) is a set of self-contained services that communicate with
each other to create a working software application.

34. Software package is a prewritten commercially available set of software programs that
eliminates the need for a firm to write its own software programs for certain functions, such as
payroll processing or order handling.
 35. Software outsourcing enables a firm to contract custom software development or maintenance
of existing legacy programs to outside firms, which often operate offshore in low-wage areas of
the world.

36. Software as a service (SaaS) - delivering and providing access to software remotely as a Web-
based service. (Salesforce.com - provides on-demand software services for customer
relationship management)

37. Service level agreement (SLA) is a formal contract between customers and their service
providers that defines the specific responsibilities of the service provider and the level of
service expected by the customer.

38. Mashups - Individual users and entire companies mix and match these software components to
create their own customized applications and to share information with others.

a. ZipRealty uses Google Maps and data provided by online real estate database Zillow.com to display
a complete list of multiple listing service (MLS) real estate listings for any zip code specified by the
user.

39. Apps are small specialized software programs that run on the Internet, on your computer, or on
your mobile phone or tablet and are generally delivered over the Internet.

40. Scalability refers to the ability of a computer, product, or system to expand to serve a large
number of users without breaking down.

41. Total cost of ownership (TCO) model can be used to analyze these direct and indirect costs to
help firms determine the actual cost of specific technology implementations.

42. Competitive Forces Model for IT infrastructure Investments

a. Market demand for your firm's services - inventory of services provided to customers, supplies and
employees (survey the groups)

b. Firm's Business Strategy - analyze & assess new services and capabilities required to achieve goals

c. IT strategy, infrastructure, and cost - examine and assess plans - determine total costs perform
TCO analysis

d. Information technology assessment - behind tech curve? - IT vendors invest in new tech

e. Competitor firm services - Establish quantitative and qualitative measures to compare them to
those of your firm.

f. Competitor firm IT infrastructure investments - benchmark your expenditures for IT

infrastructures against competitors

CASE STUDIES :

1. Technology - Greening of the data center - pg 218

2. Organizations - Is it time for cloud computing? - pg 223
Important Diagram :
 Chapter 8 - Securing Information Systems

8.1 System Vulnerability and Abuse

8.2 Business value of security and control
8.3 Establishing framework for security and control

8.4 Technology and Tools for protecting information resource

IMPORTANT TERMINOLOGIES :

1. Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems.

2. Controls are methods, policies, and organizational procedures that ensure the safety of the
organization’s assets, the accuracy and reliability of its records, and operational adherence to
management standards.

3. Vulnerability has also increased from widespread use of e-mail, instant messaging (IM), and
peer-to-peer file-sharing programs.

4. Service set identifiers (SSIDs) that identify the access points in a Wi-Fi network are broadcast
multiple times and can be picked up fairly easily by intruders’ sniffer programs

5. War driving - in which eavesdroppers drive by buildings or park outside and try to intercept
wireless network traffic.

6. An intruder that has associated with an access point by using the correct SSID is capable of
accessing other resources on the network.
 7. Malicious software programs are referred to as malware and include a variety of threats, such
as computer viruses, worms, and Trojan horses.

8. A computer virus is a rogue software program that attaches itself to other software programs or
data files in order to be executed, usually without user knowledge or permission.

9. Worms - independent computer programs that copy themselves from one computer to other
computers over a network. (operate on their own without attaching to other computer program
files and rely less on human behavior in order to spread from computer to computer)

10. Drive-by downloads, consisting of malware that comes with a downloaded file that a user
intentionally or unintentionally requests.

11. Trojan horse is a software program that appears to be benign but then does something other
than expected (often a way for viruses or other malicious code to be introduced into a computer
system.)

a. Zeus - steal login credentials for banking by surreptitiously capturing peoples’ keystrokes as they use
their computers. It spreads mainly through drive-by downloads and phishing

12. SQL injection attacks have become a major malware threat. It attacks take advantage of
vulnerabilities in poorly coded Web application software to introduce malicious program code
into a company’s systems and networks.

a. attacker uses this input validation error to send a rogue SQL query to the underlying database to
access the database, plant malicious code, or access other systems on the network.

13. Ransomware tries to extort money from users by taking control of their computers or displaying
annoying pop-up messages. (CryptoLocker - encrypts an infected computer’s files, forcing users
to pay hundreds of dollars to regain access)

14. Spyware - small programs install themselves surreptitiously on computers to monitor user Web
surfing activity and serve up advertising.

15. Keyloggers record every keystroke made on a computer to steal serial numbers for software, to
launch Internet attacks, to gain access to email accounts, to obtain passwords to protected
computer systems, or to pick up personal information such as credit card and or bank account
numbers.

16. Hacker is an individual who intends to gain unauthorized access to a computer system.

17. Cybervandalism, the intentional disruption, defacement, or even destruction of a Web site or
corporate information system.

18. Spoofing may also involve redirecting a Web link to an address different from the intended one,
with the site masquerading as the intended destination.

19. Sniffer is a type of eavesdropping program that monitors information traveling over a network.
They usually help identify potential network trouble spots or criminal activity on networks, but
when used for criminal purposes, they can be damaging and very difficult to detect.
20. Denial-of-service (DoS) attack, hackers flood a network server or Web server with many
thousands of false communications or requests for services to crash the network.

21. Distributed denial-of-service (DDoS) attack uses numerous computers to inundate and
overwhelm the network from numerous launch points.

22. Perpetrators of DDoS attacks often use thousands of “zombie” PCs infected with malicious
software without their owners’ knowledge and organized into a botnet.

23. Computer crime any violations of criminal law that involve a knowledge of computer technology
for their perpetration, investigation, or prosecution.”

24. Identity theft is a crime in which an imposter obtains key pieces of personal information, such
as social security identification numbers, driver’s license numbers, or credit card numbers, to
impersonate someone else.

25. Phishing involves setting up fake Web sites or sending e-mail messages that look like those of
legitimate businesses to ask users for confidential personal data.

26. Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi connections to the
Internet, such as those in airport lounges, hotels, or coffee shops. The bogus network looks
identical to a legitimate public network.

27. Pharming redirects users to a bogus Web page, even when the individual types the correct Web
page address into his or her browser.

28. Click fraud occurs when an individual or computer program fraudulently clicks on an online ad
without any intention of learning more about the advertiser or making a purchase.

29. Cyberwarfare is a state-sponsored activity designed to cripple and defeat another state or
nation by penetrating its computers or networks for the purposes of causing damage and
disruption.

30. Social engineering -Malicious intruders seeking system access sometimes trick employees into
revealing their passwords by pretending to be legitimate members of the company in need of
information.

31. A major problem with software is the presence of hidden bugs or program code defects.

32. Patches - the software vendor creates small pieces of software to repair the flaws without
disturbing the proper operation of the software.

33. HIPAA - outlines medical security and privacy rules and procedures for simplifying the
administration of health care billing and automating the transfer of health care data between
healthcare providers, payers, and plans.

34. Gramm-Leach-Bliley Act - requires financial institutions to ensure the security and
confidentiality of customer data. Data must be stored on a secure medium, and special security
measures must be enforced to protect such data on storage media and during transmission.

35. Sarbanes-Oxley Act - imposes responsibility on companies and their management to safeguard
the accuracy and integrity of financial information that is used internally and released externally.
36. Computer forensics is the scientific collection, examination, authentication, preservation, and
analysis of data held on or retrieved from computer storage media in such a way that the
information can be used as evidence in a court of law.

a. Recovering data from computers while preserving evidential integrity

b. Securely storing and handling recovered electronic data

c. Finding significant information in a large volume of electronic data

d. Presenting the information to a court of law

37. General controls govern the design, security, and use of computer programs and the security of
data files in general throughout the organization’s information technology infrastructure.

38. Application controls are specific controls unique to each computerized application, such as
payroll or order processing. They include both automated and manual procedures that ensure
that only authorized data are completely and accurately processed by that application.

39. Input controls check data for accuracy and completeness when they enter the system. There are
specific input controls for input authorization, data conversion, data editing, and error handling.

40. Processing controls establish that data are complete and accurate during updating.

41. Output controls ensure that the results of computer processing are accurate, complete, and
properly distributed. You can find more detail about application and general controls in our
Learning Tracks.

42. Risk assessment determines the level of risk to the firm if a specific activity or process is not
properly controlled. Business managers working with information systems specialists should try
to determine the value of information assets, points of vulnerability, the likely frequency of a
problem, and the potential for damage.

43. A security policy consists of statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals.

44. acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and
computing equipment, including desktop and laptop computers, wireless devices, telephones,
and the Internet.

45. Identity management consists of business processes and software tools for identifying the valid
users of a system and controlling their access to system resources.

46. Disaster recovery planning devises plans for the restoration of computing and communications
services after they have been disrupted. focus primarily on the technical issues involved in
keeping systems up and running, such as which files to back up and the maintenance of backup
computer systems or disaster recovery services. (eg: MasterCard)

47. Business continuity planning focuses on how the company can restore business operations
after a disaster strikes. identifies critical business processes and determines action plans for
handling mission-critical functions if systems go down. (Eg: Deutsche Bank)
48. Information systems audit examines the firm’s overall security environment as well as controls
governing individual information systems. The auditor should trace the flow of sample
transactions through the system and perform tests, using, if appropriate, automated audit
software.

49. Authentication refers to the ability to know that a person is who he or she claims to be.

50. An end user uses a password to log on to a computer system and may also use passwords for
accessing specific systems and files. However, users often forget passwords, share them, or
choose poor passwords that are easy to guess, which compromises security.

51. Token is a physical device, similar to an identification card, that is designed to prove the identity
of a single user.

52. Smart card is a device about the size of a credit card that contains a chip formatted with access
permission and other data.

53. Biometric authentication uses systems that read and interpret individual human traits, such as
fingerprints, irises, and voices, in order to grant or deny access.

54. Two-factor authentication increases security by validating users with a multi-step process. To
be authenticated, a user must provide two means of identification, one of which is typically a
physical token, such as a smartcard or chip-enabled bank card, and the other of which is
typically data, such as a password or PIN (personal identification number).

55. Firewalls prevent unauthorized users from accessing private networks. A firewall is a
combination of hardware and software that controls the flow of incoming and outgoing network
traffic.

56. Packet filtering examines selected fields in the headers of data packets flowing back and forth
between the trusted network and the Internet, examining individual packets in isolation.

57. Stateful inspection provides additional security by determining whether packets are part of an
ongoing dialogue between a sender and a receiver.

58. Network Address Translation (NAT) can provide another layer of protection when static packet
filtering and stateful inspection are employed.

59. Application proxy filtering examines the application content of packets. A proxy server stops
data packets originating outside the organization, inspects them, and passes a proxy to the
other side of the firewall.

60. Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable
points or “hot spots” of corporate networks to detect and deter intruders continually. System
generates alarm

61. Antivirus software prevents, detects, and removes malware, including computer viruses,
computer worms, Trojan horses, spyware, and adware.

62. Unified threat management (UTM) - To help businesses reduce costs and improve
manageability, security vendors have combined into a single appliance various security tools,
 including firewalls, virtual private networks, intrusion detection systems, and Web content
filtering and antispam software

63. Wired Equivalent Privacy (WEP) - initial security standard developed for wi-fi; some margin of
security, however, if users remember to enable it.

64. Corporations can further improve Wi-Fi security by using it in conjunction with virtual private
network (VPN) technology when accessing internal corporate data.

65. Encryption is the process of transforming plain text or data into cipher text that cannot be read
by anyone other than the sender and the intended receiver.

66. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) enable client and
server computers to manage encryption and decryption activities as they communicate with
each other during a secure Web session.

67. Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for encrypting data
flowing over the Internet, but it is limited to individual messages, whereas SSL and TLS are
designed to establish a secure connection between two computers.

68. In symmetric key encryption, the sender and receiver establish a secure Internet session by
creating a single encryption key and sending it to the receiver so both the sender and receiver
share the same key. The strength of the encryption key is measured by its bit length.

69. Public key encryption uses two keys: one shared (or public) and one totally private. The keys are
mathematically related so that data encrypted with one key can be decrypted using only the
other key. To send and receive messages, communicators first create separate pairs of private
and public keys.

70. Digital certificates are data files used to establish the identity of users and electronic assets for
protection of online transactions

71. Public key infrastructure (PKI), the use of public key cryptography working with a CA, is now
widely used in e-commerce.

72. online transaction processing, transactions entered online are immediately processed by the
computer. Multitudinous changes to databases, reporting, and requests for information occur
each instant.

73. Fault-tolerant computer systems contain redundant hardware, software, and power supply
components that create an environment that provides continuous, uninterrupted service.

74. Downtime refers to periods of time in which a system is not operational.

75. Deep packet inspection (DPI) examines data files and sorts out low-priority online material
while assigning higher priority to business-critical files.

76. managed security service providers (MSSPs) that monitor network activity and perform
vulnerability testing and intrusion detection.

77. service level agreement (SLA) - cloud users should also ask whether cloud providers will submit
to external audits and security certifications.
 78. walkthrough—a review of a specification or design document by a small group of people
carefully selected based on the skills needed for the particular objectives being tested.

CASE STUDIES :

1. Management - Stuxnet and the changing face of cyberwarfare - pg. 347

Important Diagram :