You are the Senior Systems Administrator for a community-based charity. Your charity is involved
in locating and providing accommodation, mental health services, training and support services to
disadvantaged people in the community.
Your charity currently runs a small data centre that has some 50 x86 64-bit servers running mainly
Windows Server 2008 R2 for desktop services, database and file services. It also has about 10 Red
Hat Enterprise Linux 5 servers for public-facing Web pages, services and support.
Your charity is considering joining a community cloud provided by a public cloud vendor in order
to provide a number of applications to all 500 support staff and administrative users. The
community cloud would also be used to store the charity’s 200TB of data. This data contains a
considerable amount of confidential information about the people to whom the charity provides
services. A small number of the charity’s applications are mission critical and the data that those
applications use is both confidential and time sensitive.
The cloud vendor has made a presentation to management that indicates that operational costs
will drop dramatically if the cloud model is adopted. You are asked to assess whether this model is
in the best interests of the business.
Describe the steps that you would take to do a Risk Management assessment of this proposal.
20. Ramgovind, Eloff and Smith proposed in their 2010 paper that an information security analysis
should include the requirements of Identification and authorisation, authorisation,
confidentiality, Integrity, non-repudiation and availability. Discuss whether these
requirements are adequate for a proper security assessment for a proposed move to an IaaS
model for the charity.
21. A potential migration to the Cloud raises many issues around Governance. Discuss the
governance issues that you see arising from a migration of on-premise servers to an IaaS
model.
22. The charity’s board has proposed a move to migrate its servers to an IaaS model. Discuss the
methods that you would propose to the board to assess the SLA of the Cloud Provider. (10
marks)
23. The board has decided, as an initial step, to move the office automation and database servers
to the AWS cloud in order to begin the migration process, and test their strategy. Describe ten
steps that you would include in the plan to migrate these services.
Risk management assessment must include:
1. Data and application security.
2. Resistance to any/all types of vulnerabilities, data loss/risks and any malware attacks such as brute-force attacks.
3. The run and execution time operational risk associated with data processing.
4. Remedies against the bugs/worms and action plan for data protection.
20. The proposal by Ramgovind, Eloff and Smith should include data compliance, a disaster recovery plan and access security norms for the environment.
21. Governance issues mostly include process administration and monitoring from a security point of view, and data migration issues related to offline and online migration.
22. The Service Level Agreement (SLA) plan should include policies for data protection and regulation, compliance against unauthorized access and the migration strategy from on-premise to IaaS.
23. The 10 steps which will provide a clear scenario of migration will be:
- Backup plan for existing servers to avoid any kind of losses
- Backup storage and access
- Migration pre-requisites such as environment readiness, memory and storage configuration.
- Migration initiation by administrator.
- Migration process monitoring and its ETA.
- Migration items and the process flow
- Target IaaS specification/s.
- Migration sign off document to prove its completion and latency.
- Post migration steps for the readiness
- Final testing and cross check between source (on-premise) and target (IaaS) environments.