Table 1 Components Cost Estimation

Enterprise Architecture Design
ITNET202A Enterprise Security
Bank Cloud Security Architecture Design: Case Study

Contents

Legal Standards

National Institute of Standards and Technology (NIST)

Tools

Network Design

Security Services

Management tools

Software as a Service (SaaS)

Infrastructure as a Service (IaaS)

Switches

Cables

CCTV cameras

SABSA Framework Approach

Introduction

  1. The data must be secured, and the network must make it available whenever it is legitimately accessed. It must be kept confidential and protected from access by outsiders.

  2. Customer information must be protected as the first priority.

  3. Connectivity must be provided for the ATM and EFTPOS systems at the bank's offices.

Outline

This enterprise security case study presents a cloud architecture and security plan for a bank located in Sydney, Australia. The network designed in this report connects the bank's branches as well as its customers. Customers are able to access their accounts and perform transactions with strong security controls in place. The bank's management would rather pay for a sound network and security design up front than deal with weaknesses and risks later.

Legal Standards

National Institute of Standards and Technology (NIST)

Cloud Security Alliance (CSA)

Security Architecture

The banking sector is a highly sensitive domain in which protecting data and transactions is crucial (Daron et al., 2013). Some security recommendations are listed below.

Network

For wireless access, the network relies on a firewall and on encryption schemes for authentication, data protection and financial transactions (Franklin et al., 2009).

Applications

To secure the applications in the network, authentication is of prime importance. AAA, audit logging and SAML are employed in the network.

To provide data security, applications such as SDSLC, IDA, proxy servers, DAM, FAM and URL filtering are applied.

Tools

Network Design

Figure 1 Network Security Architecture

  • Bank counters and EFTPOS

  • ATM for CCTV and surveillance

  • Firewalls

  • Routers

  • Personal Computers

  • Servers

A dedicated server stores sensitive bank, customer and transaction data. The projected server is SQL Server with 100 GB of storage, sized so that the concurrent users within the bank can access the stored data.

Management tools

  • eXtensible Access Control Markup Language (XACML)

  • Software Configuration and Library Management (SCLM)

  • Common Event Expression (CEE)

Operational Components

  • Advanced Encryption Standard (AES)

  • Secure Hash Algorithm (SHA)

  • Database Activity Monitoring (DAM)

  • File Alteration Monitoring (FAM)

Cost Estimation

Implementation Cost Estimates

Component                              Price per unit    No. of units    Total cost
Personal Computers with Licensed OS    $264              15              $3,960.00
Switch at Head Branch                  $144              1               $144.00
Router                                 $97.84            2               $195.68
Firewall with Router                   $156              1               $156.00
CCTV Camera                            $184              1 set of 4      $184.00
Backbone Cables                        $150 (approx.)    1               $150.00
ATM Cables                             $60 (approx.)     1               $60.00
Online Banking Application             $750 (approx.)    1               $750.00
Tools                                  $300              1               $300.00
TOTAL                                                                    $5,899.68

Operational Cost Estimates

Resourcing estimates

Server                            Mode       Price / month
Application Server                on rent    $99
Domain Name Server                on rent    $59
Database Server                   on rent    $60
Storage and Maintenance Server    on rent    $99
Backup Server                     on rent    $89
TOTAL                                        $406

Security Services

Management tools

Identity and Access Management Tools

Role-Based Access Control (RBAC)

Access control is an important feature of the network, as it grants access to authorised users only. RBAC grants access to the network and its data according to the user's role, and the roles are defined by the person's function in the bank. Administration department staff, for example, are allowed to view, modify or create data used for administration purposes (Hammond, 2012).

Many factors affect the roles in a bank. For instance, a manager may have access to every piece of data, even the most sensitive, other than customer and employee login details. A clerk, on the other hand, may access information such as account summaries and current balances but may not create or modify data. Similarly, customers may access only their own accounts. RBAC protects the network and the bank's data by granting access strictly according to these roles.

One Time Password (OTP)

eXtensible Access Control Markup Language (XACML)

Software Configuration and Library Management (SCLM)

Incident Management Tools

Service Level Agreement (SLA)

Incident Object Description Exchange (IODEF)

IODEF (RFC 7970) is an XML-based format for exchanging computer security incident information between incident response teams. It is human-readable and compatible with IDMEF, the Intrusion Detection Message Exchange Format used to report alerts from intrusion detection systems.

Real-time Inter-network Defense (RID)

RID (RFC 6545) provides communication between networks that share responsibility for incident handling: identification, management and mitigation of incidents. It carries IODEF documents between cooperating networks over a protected channel (RFC 6546 specifies the HTTP/TLS transport). RID is most useful for communication between the branches and the head office.

Common Event Expression (CEE)

Operational Components

Secure Socket Layer (SSL)

Virtual Private Network (VPN)

Secure Shell (SSH)

Authentication, Authorization, Accounting (AAA)

A network administrator may find it difficult to manage the bank's network from a location remote from where it is installed, and the same applies to bank employees and customers. To secure the network and the people who use it, the three elements of AAA are considered essential. Authentication is the process by which a user is granted access on the basis of login credentials and the one-time password entered at login. Authorisation enforces access control, granting access to a resource only if the authenticated user is permitted to use it; as a simple example, customers cannot be given access to bank administration data, and the authorisation scheme guarantees this. Accounting records what each user does: every action is logged against the user's identity, which supports auditing and profiling of behaviour by role.
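The following is an added example, not code from the case study, showing the AAA flow above together with the RBAC roles described under Identity and Access Management: a password hash plus an RFC 6238 one-time password for authentication, a deny-by-default role table with the manager/clerk/customer rules for authorisation, and an audit log entry for every decision as accounting. The user names, passwords, salts, OTP secrets and account numbers are constructed sample data.

```python
"""AAA with role-based authorisation, written as an added example for this
case study (not the report's own code). Users, passwords, OTP secrets and the
permission table are constructed sample data."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Roles as the text describes them: the manager sees everything except login
# details, the clerk may only read account summaries and balances, and the
# customer may only read and transact on accounts they own. Deny by default.
ROLE_PERMISSIONS = {
    "manager": {("account", "read"), ("account", "write"),
                ("admin", "read"), ("admin", "write")},
    "clerk": {("account", "read")},
    "customer": {("account", "read"), ("account", "transfer")},
}
NEVER_ALLOWED = {"credentials"}   # employee/customer login details: no role may read them

def pw_hash(password: str, salt: bytes) -> bytes:
    """Password storage: PBKDF2-HMAC-SHA256, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample users (hypothetical names, salts and OTP seeds).
USERS = {
    "alice": {"role": "manager",  "salt": b"salt-a", "otp_secret": b"otp-secret-alice", "accounts": set()},
    "bob":   {"role": "clerk",    "salt": b"salt-b", "otp_secret": b"otp-secret-bob",   "accounts": set()},
    "carol": {"role": "customer", "salt": b"salt-c", "otp_secret": b"otp-secret-carol", "accounts": {"ACC-1001"}},
}
SAMPLE_PASSWORDS = {"alice": "Tr0ub4dor&3", "bob": "clerk-pass-7", "carol": "c4rol!pw"}
for _name, _pw in SAMPLE_PASSWORDS.items():
    USERS[_name]["pw_hash"] = pw_hash(_pw, USERS[_name]["salt"])

AUDIT_LOG = []   # accounting: one tuple per authentication or authorisation decision

def totp(secret: bytes, step: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, dynamically
    truncated to a 6-digit code (the OTP the text says is entered at login)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def authenticate(user: str, password: str, otp: str, now: Optional[float] = None) -> bool:
    """Authentication: password hash and OTP must both match (constant-time compares)."""
    rec = USERS.get(user)
    step = int((time.time() if now is None else now) // 30)
    ok = (rec is not None
          and hmac.compare_digest(pw_hash(password, rec["salt"]), rec["pw_hash"])
          and hmac.compare_digest(totp(rec["otp_secret"], step), otp))
    AUDIT_LOG.append(("authn", user, "ok" if ok else "fail"))
    return ok

def authorize(user: str, resource: str, action: str, account: Optional[str] = None) -> bool:
    """Authorisation: RBAC lookup plus an ownership check for customers."""
    rec = USERS.get(user)
    allowed = (rec is not None
               and resource not in NEVER_ALLOWED
               and (resource, action) in ROLE_PERMISSIONS[rec["role"]])
    if allowed and rec["role"] == "customer" and account not in rec["accounts"]:
        allowed = False   # a customer may only touch their own accounts
    AUDIT_LOG.append(("authz", user, resource, action, account, "allow" if allowed else "deny"))
    return allowed

if __name__ == "__main__":
    t = 1_700_000_000
    code = totp(USERS["alice"]["otp_secret"], int(t // 30))
    print("alice login:", authenticate("alice", "Tr0ub4dor&3", code, now=t))
    print("bob writes account:", authorize("bob", "account", "write"))
    print("carol reads ACC-2002:", authorize("carol", "account", "read", account="ACC-2002"))
    for entry in AUDIT_LOG:
        print(entry)
```

The two points worth noting are that authorisation is a lookup in an explicit permission table with no fallback (an unknown role or resource is denied, not allowed), and that the accounting entries are written for denials as well as successes, since the denied attempts are what an auditor will want to see.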

Advanced Encryption Standard (AES)

AES is a symmetric block cipher (128-bit blocks; 128-, 192- or 256-bit keys) used to protect network data and transactions. It is commonly reported to be around six times faster than Triple DES and is the stronger of the two. AES is available in the standard or vetted cryptographic libraries of every mainstream language, including C and Java, and the bank's web application developers should use such a library, with an authenticated mode such as AES-GCM, rather than implementing the cipher themselves inside the application.

Secure Hash Algorithm (SHA)

Audit Logging

Security Assertion Markup Language (SAML)

Database Activity Monitoring (DAM)

DAM is a set of tools that identify malicious or anomalous database activity that could affect the bank's operations and productivity. It offers data discovery, analysis, classification, risk management, intrusion prevention and data security, and it observes queries independently of the database's own logging, so a privileged user cannot simply switch it off. All database activity is monitored by the DAM tools.
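As an added example (not the report's code) of the kind of rule a DAM tool applies, the script below runs four detections over a constructed database activity log: DDL from an account that is not a DBA, an unfiltered read of a sensitive table, a non-application account touching customer data, and activity outside business hours. The log format, account names and table classification are assumptions chosen for the example.

```python
"""Database activity monitoring over a constructed query log, written as an
added example for this case study (not the report's own code). The log lines,
account names and table names are sample data; the log format is assumed."""
import re
from datetime import datetime

# Constructed sample: one record per statement, as a DAM agent might capture it.
SAMPLE_DB_LOG = """\
2024-03-04T09:15:02 user=bank_app db=core stmt=SELECT balance FROM accounts WHERE id=1001
2024-03-04T09:16:40 user=bank_app db=core stmt=UPDATE accounts SET balance=balance-50 WHERE id=1001
2024-03-04T22:47:13 user=jsmith db=core stmt=SELECT * FROM customers
2024-03-04T10:02:11 user=bank_app db=core stmt=DROP TABLE audit_trail
2024-03-04T10:05:00 user=dba_ops db=core stmt=ALTER TABLE customers ADD COLUMN notes TEXT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$")
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN)\s+([A-Za-z_]\w*)", re.IGNORECASE)
DDL_RE = re.compile(r"^\s*(?:DROP|ALTER|TRUNCATE|CREATE)\b", re.IGNORECASE)

SENSITIVE_TABLES = {"customers", "accounts", "cards"}   # assumed data classification
SERVICE_ACCOUNTS = {"bank_app"}    # only the application is expected to touch customer data
DBA_ACCOUNTS = {"dba_ops"}         # only DBAs are expected to run DDL
BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 local time

def parse_line(line: str):
    """Split one log record into fields and extract the tables it references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["tables"] = {t.lower() for t in TABLE_RE.findall(rec["stmt"])}
    return rec

def alerts_for(rec) -> list:
    """Apply the detection rules; return the sorted names of the rules that fired."""
    stmt, user, tables = rec["stmt"], rec["user"], rec["tables"]
    hits = set()
    if DDL_RE.match(stmt) and user not in DBA_ACCOUNTS:
        hits.add("ddl_by_non_dba")
    if (re.match(r"^\s*SELECT\b", stmt, re.I) and tables & SENSITIVE_TABLES
            and not re.search(r"\bWHERE\b", stmt, re.I)):
        hits.add("bulk_read")            # unfiltered read of a sensitive table
    if tables & SENSITIVE_TABLES and user not in SERVICE_ACCOUNTS:
        hits.add("interactive_access")   # a human account touching customer data
    if user not in SERVICE_ACCOUNTS and rec["ts"].hour not in BUSINESS_HOURS:
        hits.add("after_hours")
    return sorted(hits)

def scan(log_text: str) -> list:
    """Run every record through the rules; return only the records that raised alerts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = alerts_for(rec)
        if hits:
            findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                             "stmt": rec["stmt"], "alerts": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_DB_LOG):
        print(f["ts"], f["user"], f["alerts"], "--", f["stmt"])
```

On the sample log the two application statements pass silently, the late-night SELECT * on the customers table trips three rules at once, the application account dropping the audit table is flagged as DDL from a non-DBA, and the DBA's change to the customers table is surfaced for review even though DDL is within that account's remit. A real deployment would feed the findings into the incident management tooling described above rather than print them.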

File Alteration Monitoring (FAM)

FAM closely monitors the file systems in the network and raises an alert whenever a file is modified, however small the change. File-related activity is logged and monitored so that unauthorised or malicious access is detected promptly; FAM detects tampering after the fact, so it complements rather than replaces access control.
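To show what FAM, and the SHA hash listed among the operational components, actually do together, the following added example (not the report's code) takes a SHA-256 and permission-bit baseline of a directory tree, then re-scans it and reports files that were added, removed or modified. The directory layout, file contents and the tampering (one appended line, a new script, a deleted file and a setuid bit) are constructed inside a temporary directory so the script runs anywhere.

```python
"""File alteration monitoring with a SHA-256 baseline, written as an added
example for this case study (not the report's own code). The monitored tree
and the tampering are constructed in a temporary directory."""
import hashlib
import os
import tempfile

def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Baseline: relative path -> (SHA-256 hex digest, permission bits) for every regular file.
    Permission bits are included so a setuid/chmod change is caught even when content is unchanged."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # symlinks and special files are not hashed
            rel = os.path.relpath(full, root)
            out[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return out

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def _write(path: str, text: str, mode: str = "w") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)

def demo() -> dict:
    """Constructed scenario: baseline a small config tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "app.conf"), "db_host=10.0.0.5\n")
        _write(os.path.join(root, "etc", "hosts.allow"), "sshd: 10.0.0.0/24\n")
        _write(os.path.join(root, "bin", "run.sh"), "#!/bin/sh\nexec ./app\n")
        os.chmod(os.path.join(root, "bin", "run.sh"), 0o755)
        baseline = snapshot(root)

        # Tampering: a config line appended, a new script dropped, an ACL file
        # deleted, and a setuid bit added to an existing script (content unchanged).
        _write(os.path.join(root, "etc", "app.conf"), "debug=1\n", mode="a")
        _write(os.path.join(root, "etc", "backdoor.sh"), "#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        os.chmod(os.path.join(root, "bin", "run.sh"), 0o4755)

        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored (and ideally signed) somewhere the monitored host cannot write to, otherwise an attacker who can alter the files can also alter the baseline to match. Recording permission bits alongside the digest is what lets the scan notice the setuid bit on bin/run.sh, whose contents did not change.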

Cloud Services

Software as a Service (SaaS)

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Networking devices

Firewalls

A firewall blocks unauthorised access to the private network. The proposed bank network is a private cloud that must be protected from outside attacks. All VPN connections are inspected at the firewall first and only then allowed to reach network resources.

Routers

A router is a networking device that forwards data between networks. It maintains a routing table that gives, for each destination, the next hop and the interface through which it is reached; data reaches the correct destination only through the routers (Ula et al., 2011). The routers in the bank network are configured to use RIP (Routing Information Protocol). If RIP is retained, it should be RIPv2 with authenticated updates, since RIPv1 has no authentication and will accept routes from any host on the segment.

Switches

Cables

Equipment

Personal Computers

Servers

EFTPOS device

The Electronic Funds Transfer at Point of Sale device is widespread today because of the speed with which it handles transactions. It lets customers pay, and where the merchant offers cash-out withdraw cash, directly from their accounts within seconds, without filling in paper deposit or transaction forms.

CCTV cameras

Closed-circuit television cameras are an essential physical security control in the bank's network. All activity is recorded for security purposes. The cameras are connected via the ATM cables costed above.

SABSA Framework Approach

The cloud network designed for the bank secures the network, devices, storage, applications and data (customer and transaction data). The cloud services employed are SaaS, PaaS and IaaS. The deployment model combines public and private cloud, i.e. a hybrid deployment. The people involved in this architecture, the cloud users, are the bank's staff and its customers (online and in-branch).

Where – Location

References

Gusev, A. M. (2001). 'E-Banking – Developing Future With Advanced Technologies', Proceedings of the Second International Conference on Informatics and Information Technology, 2, pp. 154-164.

Amini, H., Cont, R. and Minca, A. (2013). 'Resilience to Contagion in Financial Networks', Mathematical Finance. doi:10.1111/mafi.12051.

Rogito, P. K. (2017). ‘Multi-Tiered Security Architecture For Information Infrastructure Protection in Selected Commercial Banks in Kenya’, Master’s Thesis, United States International University, Africa.

SABSA Institute. (2017). SABSA. Retrieved from The SABSA Institute: www.sabsa.org
