The Service Oriented Approach
How can the physical infrastructure impact service delivery and security?

6th BICSI South East Asia Conference 2008, Singapore

Guest Speaker: Ronald van Kleunen
CEO / Managing Director, Globeron Pte Ltd / Globeron Security
Certified:
- CISSP, Wireless#, CWNA, CWSP, CWNT
- IRCA ISO/IEC 20000 ITSMS, ITILv2 and ITILv3
- IRCA ISO/IEC 27001 ISMS
- CSOEP (DataCentre, Infrastructure, Process Security, Management)

Copyright Globeron 2008

Agenda
The Service Oriented Approach: how can the physical infrastructure impact service delivery and security?
- Find out best practices in driving data centre design from a service perspective
Session ROI (Return on Investment):
- Examples of good and bad data center design
- Tips on planning data centre physical infrastructure to ensure security, business continuity and effective management
- How to plan for sustainable growth

Our relationship with BICSI
BICSI recognition (worldwide)
BICSI recognises the CSOEP 5-day bootcamp (Certified Service Oriented Enterprise Professional) for CEC (Continuing Education Credits):
RCDD, NTS, OSP, WD, Installer/Technician, RES, Certified Trainer
35 35 35 35

CEO Accountability
Accountable for, and must comply with:
- Business & IT Governance & regulations
- Telecommunications Act
- Computer Misuse Act
- International Standards
- Wireless Service Availability (and Reliability) 99.999%
- Wireless Service Performance
- Wireless Service Security
- Wireless Service Integration
- Wireless Service Management & Processes

IT is integrated in every Sector to support the Business
Industries:
- IT & Telecommunications
- Manufacturing
- Financial / Banking / Legal
- Energy
- Transport & Logistics
- Government
- Bio / Hospitality / Healthcare
- Education
- Media

Globeron's Service Oriented Enterprise (Certified Service Oriented Enterprise Professional)
- YOUR Organization, serving YOUR Customers (Internal and External): Business Processes and Procedures, Service Delivery / Service Support, Service Management
- Managed IT Infrastructure Services, serving the IT Organization: Highly Available, Reliable, Applications, Servers, Network, Storage
- Managed Data Center Environments, serving the IT Organization: Highly Available, Reliable, Facilities, Power, Batteries, Generator, Aircon., Temperature, Cabling
- Service Security

CEO / Customer Service needs: Top Down
Requirements Planning
Business Driven Services to a Service Oriented Enterprise (SOE)
- Organization and Requirements
- Applications
- Heterogeneous Server and Storage Infrastructure
- Network + Telecom Infrastructure
- Data Centre Infrastructure

Bottom Up: IT Services / DataCenter
Design, Implementation/Migration and Management
Builders Driven Services to a Service Oriented Enterprise (SOE)
- Organization and Requirements
- Applications
- Heterogeneous Server and Storage Infrastructure
- Network + Telecom Infrastructure
- Data Centre Infrastructure

Typical IT Service Line
Conceptual Connectivity Overview; 3D View Mapping to the DataCenter
[Diagram components: MainFrame, Webservers, Database / Servers, Applications Servers, External Router, Firewalls, Switches, Office / Branch]

IT Service Line Segmentation: Service Oriented Network
Tiers: Tier 1, Tier 2, Tier 3
Service lines: SERVICE 1, SERVICE 2, SERVICE 3
Note: Services are separated and can be secured separately. Services are managed by Service Managers.
Networks:
- Access Network
- Distribution Network
- Core Network
- Management Network (sometimes a separate Security Management Network)
- Storage Network (sometimes called Back Up Network)

Examples of IT Service lines
Financial / Bank:
- Online Internet Banking Service
- Trade Financial Service
- Electronic Bill Payment Services
Telecommunication:
- Online Payment Service
- SMS Service
- Online Voice Over IP Service
Content Providers:
- Online Gaming Service

Example of a DataCenter
Courtesy of Cari.net http://www.cari.net/carinet datacenters.html

Data Center Service Grouping: Rack Planning and Assignment
- Racks for Telco Equipment: MDF, PABX
- Network Equipment
- Racks for Services, Scalability, etc.

Data Center Rack Planning and Security?
- Rack Planning
- Patch Panel Planning
- Top or Bottom Rack!
- Power Supply Planning
- Cable Routing (Patch): inside Rack, outside Rack
- Depends on Cabling

But how to ensure Security in a shared infrastructure?
- Shared access to Service Lines via the cable or wirelessly
- DataCentre cabling is pre-cabled by the installer without knowing the business needs (and IT Service Line needs)
- How to do the Security Architecture for the Service Oriented Solution House?
- 3-Tier Security Architecture compliance: Access Layer, Distribution Layer, Core Layer
- What if the centralised switch is used?
- Does the DataCentre meet the Security needs of the business?

IT Service Line flow end-to-end, e.g. http://security.globeron.com
[Diagram: OSI stacks along the service line. The two end systems (one of them the Webservers) each show Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link and Layer 1 Physical; the Network between them shows Layer 3 Network, Layer 2 Data Link and Layer 1 Physical.]
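
The shared-infrastructure questions above (3-tier compliance, a centralised switch, service lines secured separately) can be checked against a port inventory. The following is an added example, not part of the original slides; the inventory rows, device names, VLAN numbers and the three rules are constructed assumptions.

```python
from collections import defaultdict

TIERS = ("access", "distribution", "core")

# Constructed sample inventory (not from the slides): one row per patched
# switch port, as (device, tier, vlan, service_line).
PORTS = [
    ("acc-sw-01", "access", 110, "SERVICE 1"),
    ("acc-sw-02", "access", 120, "SERVICE 2"),
    ("dist-sw-01", "distribution", 110, "SERVICE 1"),
    ("dist-sw-01", "distribution", 120, "SERVICE 2"),
    ("core-sw-01", "core", 110, "SERVICE 1"),
    ("core-sw-01", "core", 120, "SERVICE 2"),
    # A "centralised switch" patched without regard to service lines.
    ("central-sw", "access", 1, "SERVICE 2"),
    ("central-sw", "core", 1, "SERVICE 3"),
    ("central-sw", "distribution", 130, "SERVICE 3"),
]


def audit_segmentation(ports):
    """Return sorted (subject, finding) tuples for segmentation gaps."""
    rows_by_device = defaultdict(list)
    tiers_by_service = defaultdict(set)
    for device, tier, vlan, service in ports:
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r} on {device}")
        rows_by_device[device].append((tier, vlan, service))
        tiers_by_service[service].add(tier)

    findings = []
    for device, rows in rows_by_device.items():
        # Assumed rule 1: one physical device should sit in one tier only.
        tiers = sorted({tier for tier, _, _ in rows})
        if len(tiers) > 1:
            findings.append((device, "collapsed-tiers: " + ",".join(tiers)))
        # Assumed rule 2: a VLAN on a device carries a single service line.
        services_by_vlan = defaultdict(set)
        for _, vlan, service in rows:
            services_by_vlan[vlan].add(service)
        for vlan, services in services_by_vlan.items():
            if len(services) > 1:
                findings.append(
                    (device, f"shared-vlan {vlan}: " + ",".join(sorted(services))))
    # Assumed rule 3: every service line is present in all three tiers.
    for service, tiers in tiers_by_service.items():
        missing = [t for t in TIERS if t not in tiers]
        if missing:
            findings.append((service, "missing-tier: " + ",".join(missing)))
    return sorted(findings)
```

On the sample rows only the centralised switch and SERVICE 3 are reported; the first six rows alone produce no findings.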

Service Line Security (all layers)
- Layer 7 Application: All application communication, E-mail (SMTP, POP), Telnet, FTP, Web Services, HTTP, HTML, etc. Authentication mechanism > Userids, Passwords and other application information, authentication (application sniffers MSN, Spyware, Virus, etc.)
- Layer 6 Presentation: Formats + Encryption to avoid compatibility errors on network layer > Authentication mechanisms
- Layer 5 Session: Establishes, Manages, Terminates connection setups > hijacking session, DoS connection setups, buffer overflow
- Layer 4 Transport: Flow Control of the session (Sliding Window Techniques, etc.) > packet injection, Denial Of Services (DoS)
- Layer 3 Network: Network Protocols (IPv4, IPv6, Netbios, AppleTalk), Routers, L3 Switches, TCP/UDP, ICMP (Ping) > SYN, ACKs, NACKs, IP addresses, packet headers
- Layer 2 Data Link: Ethernet, Token Ring, Hubs, (Wireless) Bridges, L2 Switches > Sniffing: MAC address, VLANs, VTP, STP, CDP, (R)ARP
- Layer 1 Physical: Cabling, Fiber, Coax, Wireless, Telephone lines, etc. > Eavesdropping

IT Service & DataCentre Management
[Diagram components: Web Servers, Applications Servers, External Router, Firewalls, Switches, MainFrame, Database / Servers, Office / Branch, Internal Users]
Monitored layers: Media / Cabling, Network, System, Storage, Application, Security
Network + Security Device + System + Storage + Application
Monitoring labels: (EXTERNAL) Monitoring; (INTERNAL) Performance Monitoring; End User Experience Performance Monitoring
Service Oriented Infrastructure (SOI) in the DataCenter - Copyright Globeron 2003-2006

Service needs in line with international standards (e.g. ISO/IEC 20000, ISO/IEC 27001, ITILv2, ITILv3)
- Service Availability
- Service Performance & Capacity
- Service (Business) Continuity
- Service Level Management & Reporting
- Service Financial Management
- Service & Security Incident Management
- Service Problem Management
- Service Change Management
- Service Release Management
- Service Configuration Management

ISO/IEC 20000 ITSM Service Management Processes and Security
Relationships to all other processes

Security as part of the Security Framework
ISO/IEC 27001 - Structure
Scope: 11 Management Domains, 39 Objectives, 133 Controls
- Security Policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business Continuity Management
- Compliance

How can BICSI help your organisation?
12-16 January 2009: CSOEP 5-Day Bootcamp
BICSI recognises the CSOEP 5-day bootcamp (Certified Service Oriented Enterprise Professional) for CEC (Continuing Education Credits):
RCDD, NTS, OSP, WD, Installer/Technician, RES, Certified Trainer
35 35 35 35

Contact Details
ronald@globeron.com