Wednesday, 19 April 2017

Management involvement in risk assessment


Minimizing negative impact on the organization and providing a sound basis for decision making are the fundamental reasons software companies in India, like any other organization, implement a risk management process for their IT systems. Risk management is a management responsibility.

This article describes the key roles of the personnel who should support and participate in the risk management process (the breakdown follows the key roles listed in NIST SP 800-30).
Senior Management
Senior management, under the standard of due care and with ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate the results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

Chief Information Officer (CIO).
The CIO is responsible for the organization's IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.

System and Information Owners.
The system and information owners are responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems, so they usually have to approve and sign off on changes (e.g., system enhancements, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support it.

Business and Functional Managers. 
The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.
ISSO
The IT security program managers and computer security officers (ISSOs) are responsible for their organizations' security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations' missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.
IT Security Practitioners
IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for the proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.
Security Awareness Trainers (Security/Subject Matter Experts)
The organization's personnel are the users of the IT systems. Use of the IT systems and data according to an organization's policies, guidelines, and rules of behaviour is critical to mitigating risk and protecting the organization's IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter experts must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

Software companies in India need broad management and personnel support in order to execute a risk management program successfully. The goal is not to abolish uncertainty and risk, which is impossible, but to reduce them to a level the organization knowingly accepts, with suitable contingency plans for what remains.

Friday, 10 March 2017

ITIL Service Transition


Service Transition
ITIL Service Transition helps to plan and deploy IT services. It ensures that changes to IT services and to service management are carried out in a coordinated way.
Service Transition includes the following processes:
  • Service Asset & Configuration Management
  • Change Management
  • Change evaluation
  • Transition planning and support
  • Release & Deployment Management
  • Knowledge Management
  • Service validation and testing

SERVICE ASSET AND CONFIGURATION MANAGEMENT
The objectives of Service Asset and Configuration Management include :
  • Identify, record and provide accurate information about the Configuration Items (CIs, the IT components)
  • Provide a logical model of the IT infrastructure correlating the IT services and their components
  • Protect the integrity of the CIs
  • Create, implement and maintain the Configuration Management System (CMS)
  • Manage service assets
  • Perform regular audits / status accounting for all CIs
An accurate CMS is also a security control: assets that are not recorded cannot be patched, monitored, or scoped into an incident investigation.

CHANGE MANAGEMENT
The objectives of Change Management include :
  • Assess the adverse impact of a change and minimize it
  • Create and maintain a Change Management process
  • Prevent unauthorized changes
  • Prepare Change Management plans
  • Conduct post-implementation reviews of changes
  • Maintain a record of all changes
Activities :
  • Record the RFC (Request for Change)
  • Review the RFC
  • Assess and evaluate the change using the 7 Rs of change (who raised it, the reason, the return, the risks, the resources required, who is responsible, and the relationship to other changes)
  • Authorize the change
  • Issue the change plan (to the R&D team)
  • Support / coordinate the change implementation
  • Post-change review

CHANGE EVALUATION

Change Evaluation assesses major changes, such as the introduction of a new IT service or a change to an existing service, before those changes are allowed to proceed to the next phase in their life cycle.

Change Evaluation prior to Planning
  • To assess a proposed major change before authorizing the change planning phase.
Change Evaluation prior to Build
  • To assess a proposed major change before authorizing the change build phase.
Change Evaluation prior to Deployment
  • To assess a proposed major change before authorizing the change deployment phase.
Change Evaluation after Deployment
  • To assess a major change after it has been deployed, verifying that it achieved the intended outcome.
The next process of Service Transition is

RELEASE AND DEPLOYMENT MANAGEMENT
The objectives of Release and Deployment Management include :
  • Implementing the authorized changes as per the Change Management plan
  • Plan, design, build, test and install hardware and software components
  • Skills and knowledge transfer to enable
    -- customers and users to make optimum use of the service
    -- operations and support staff to run and support the service
SERVICE VALIDATION AND TESTING
Service Validation and Testing ensures that the deployed releases and the resulting services meet customer expectations, and verifies that IT operations is able to support the new service. Its activities include :
  • Test model definition
  • Release component acquisition
  • Release test
  • Service acceptance testing
KNOWLEDGE MANAGEMENT

The objectives of Knowledge Management include :
  • Improve efficiency by reducing the need to rediscover knowledge
  • Create, maintain and update the Service Knowledge Management System (SKMS)
  • Ensure that correct and up-to-date information is available at the right time for the organization's requirements

TRANSITION PLANNING AND SUPPORT

This process of Service Transition (project management) deals with planning the resources needed to deploy a major release within the predicted cost, time and quality estimates.
  • Project Initiation
    Define the stakeholders of the project, the responsibilities and resources available to it, and document the risks, constraints and assumptions affecting the project.
  • Project Planning and Coordination
    Ensure that Service Transition projects are planned in accordance with the software organization's project management guidelines, and coordinate activities and resources across projects.
  • Project Control
    Monitor project progress and resource consumption.
  • Project Reporting and Communication
    Provide an overall summary of all planned or ongoing Service Transition projects as information for customers and other Service Management processes.
Conclusion :
Thus, software development organizations should use Service Transition to plan, implement and manage changes to an IT service as part of the ITIL processes. Managing the risk of new and existing IT services, and of the changes made to them, protects the production environment, which in turn delivers business value and supports customer relationship management.

References :

http://wiki.en.it-processmaps.com/index.php/ITIL_Service_Transition

Tuesday, 7 February 2017

IT Outsourcing – Local in comparison with Global



The latest trend in localised outsourcing is hiring local staff, which removes language barriers and cultural differences. Software companies in India do not have to go to another country to find a bargain, a better resource, a better product or better service. A cheaper overall package can sometimes be found on the doorstep; localised outsourcing can deliver all of these advantages and is increasingly seen as an attractive option.

With businesses facing mounting costs and uncertain global economic stability, localised outsourcing has become a cost saving measure that is seeing increased uptake. ASP.NET software companies in India have moved to promote and invest in SMEs, with the development of SMEs as suppliers being a key part of their strategy for growing revenue out of the recession.

Many popular offshore outsourcing destinations are becoming increasingly expensive, and even outsourcing within the same country can present logistical complications. Local outsourcing can offer efficiencies and a level of convenience that, even in a digital age, are simply not available elsewhere.

Multinational or global companies will often seek efficiencies by employing local services around their different sites. A hybrid approach is becoming popular, with large businesses adopting the advantages of both local and distant outsourcing.

Individual customers may have specific reasons for wishing to keep particular services onshore, such as data protection and security, but for other services the choice of location will largely depend on the vendor's judgement that conditions are suitable.

Offshore outsourcing, by contrast, can be difficult to employ successfully. Popular destinations for offshore services are often countries with developing economies, where political pressures and conflicts are a real risk. Social and political unrest, particularly in many developing markets, has demonstrated the geopolitical risk of locating business services abroad.

Global businesses can procure localised services around sites in numerous geographic locations. While this allows increased efficiency, lower procurement costs and the use of local resources such as a skilled workforce, low cost labour and short transport times, employing localised services can give rise to cultural differences. These can be a hindrance if not planned for. Fundamental differences in culture exist from one nation to another, and they have an important bearing on how procurement does business and builds relationships with suppliers.

Centralised procurement can arguably lead to a more consistent and persuasive message while leveraging economies of scale; however, these benefits hinge on the relationship between central decision-makers and local markets.

Problems arising from cultural differences can be avoided through forward planning and an understanding of cultural backgrounds. Having a project manager or team members with a link to the cultural environment of an outsourcing project helps smooth the transition and build robust relationships, which in turn increases the efficiency of localised outsourcing.

Some C# software companies in India, in their quest for a smooth, single global model, are unintentionally creating friction in their own supply chain. It does not have to be this way: if local managers were involved and engaged from the start, global category managers would find that they could avoid weeks of inconclusive negotiations with their colleagues and agency suppliers.

Localised outsourcing has its difficulties and clear limitations, but a hybrid model allows businesses to take full advantage of the efficiencies on offer. The benefits of localised outsourcing are now recognised by the majority of ASP.NET software companies in India. With planning, organizations can avoid the potential risks and obtain cost savings, overall efficiency, a detailed overview and swift delivery of services.

Friday, 13 January 2017

Side-channel Attack 


In cryptography, a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than on brute force or theoretical weaknesses in the algorithms themselves. For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be used to break the system. Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others, such as differential power analysis, are effective as black-box attacks. The same applies to software, not only to hardware: a server that compares a secret token byte by byte and exits at the first mismatch leaks through its response time.

Classifications of Side Channel Attacks
Side-channel attacks are usually classified in the literature along the following three orthogonal axes:
  • Classification by the attacker's control over the computation process;
  • Classification by the way of accessing the module;
  • Classification by the method used in the analysis process.
Controls over the Computation Process
Depending on the attacker's control over the computation process, SCA attacks can be broadly classified into two categories: passive attacks and active attacks. We refer to passive attacks as those that do not noticeably interfere with the operation of the target system; the attacker gains some information about the target system's operation, but the target system behaves exactly as if no attack were occurring. In an active attack, on the other hand, the adversary exerts some influence on the behaviour of the target system. While the actively attacked system may or may not be able to detect such influence, an outside observer would notice a difference in the operation of the system. It is important to note that the distinction between active and passive attacks has more to do with the intrinsic nature of the attack than with the invasiveness of its physical execution.
Ways of Accessing the Module
When analyzing the security of a cryptographic hardware module, it is useful to perform a systematic review of the attack surface, the set of physical, electrical and logical boundaries that are exposed to a potential adversary. According to this view, side-channel attacks are divided into the following classes: invasive attacks, semi-invasive attacks and non-invasive attacks.

Invasive Attacks

An invasive attack involves depackaging the chip to get direct access to the internal components of a cryptographic unit or device. A typical example is an attacker opening a hole in the passivation layer of a cryptographic module and placing a probing needle on a data bus to observe the data transfer.
Tamper-resistant or tamper-responsive mechanisms are usually implemented in hardware to thwart invasive attacks. For example, some cryptographic modules of a higher security level will zeroize all their memories when tampering is detected [116].

Semi-invasive Attacks  
This kind of attack involves access to the device, but without damaging the passivation layer or creating electrical contact other than with the authorized surface. For example, in a fault-injection attack the attacker may use a laser beam to ionize the device, altering some of its memory cells and thus the output of the device.

Non-invasive Attacks 
A non-invasive attack involves close observation or manipulation of the device's operation. This attack only uses externally available information that is often unintentionally leaked. A classic example of such an attack is timing analysis: measuring the time taken by a device to perform an operation and correlating this with the computation performed by the device in order to deduce the value of the secret keys.
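A worked version of the timing-analysis example, added here as an illustration and not part of the original post. The secret value, the early-exit comparison and the measure of "time" (the number of bytes examined, used in place of a clock so that the run is deterministic) are all constructed for the example:

```python
"""Timing attack on an early-exit byte comparison (constructed demo).

Elapsed time is modelled as the number of bytes the comparison examined,
which is what a real attacker estimates from response latency.
"""
from typing import Callable

# Constructed secret; the attacker only ever sees the oracle's outputs.
SECRET = bytes.fromhex("5f3a9c01")

Oracle = Callable[[bytes], tuple[bool, int]]  # (matched?, time units)


def insecure_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Returns on the first mismatch, so the time taken depends on how
    many leading bytes of the guess are correct."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Examines every byte and accumulates differences with OR, so the time
    is independent of where the first mismatch is. In production code use
    hmac.compare_digest, which does the same thing in C."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g
    return diff == 0, len(secret)


def timing_attack(oracle: Oracle, length: int) -> bytes:
    """Recover the secret byte by byte: at each position keep the candidate
    whose guess took longest (one more byte was examined, so it matched).
    A successful full match ends the search; that is how the last byte is
    found, since timing alone cannot distinguish it."""
    recovered = bytearray()
    for pos in range(length):
        best_byte, best_time = 0, -1
        for candidate in range(256):
            guess = bytes(recovered) + bytes([candidate]) + bytes(length - pos - 1)
            matched, t = oracle(guess)
            if matched:
                return bytes(guess)
            if t > best_time:
                best_byte, best_time = candidate, t
        recovered.append(best_byte)
    return bytes(recovered)


if __name__ == "__main__":
    leaky = timing_attack(lambda g: insecure_compare(SECRET, g), len(SECRET))
    fixed = timing_attack(lambda g: constant_time_compare(SECRET, g), len(SECRET))
    print("early-exit compare   ->", leaky.hex(), "(correct)" if leaky == SECRET else "(wrong)")
    print("constant-time compare ->", fixed.hex(), "(correct)" if fixed == SECRET else "(wrong)")
```

Against the early-exit comparison the attack recovers the secret with at most 256 queries per byte; against the constant-time version every candidate takes the same time and the search returns junk. In real code use hmac.compare_digest rather than a hand-written loop, and remember that the same leak exists in ordinary string equality checks of tokens, MACs and passwords in web applications.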

Methods Used in the Analysis Process
Depending on the methods used to examine the sampled data, SCA attacks can be divided into simple side-channel attacks (SSCA) and differential side-channel attacks (DSCA). In an SSCA, the attack exploits side-channel output that depends mainly on the operations performed. Typically a single trace is used in an SSCA, and the secret key can be read directly from the side-channel trace.
Differential side-channel attacks exploit the relationship between the processed data and the instantaneous side-channel leakage of the cryptographic device. As this relationship is usually very weak, statistical methods over many traces must be used to exploit it effectively. In a differential side-channel attack, the attacker uses a hypothetical leakage model of the device under attack (for example, that power consumption is proportional to the Hamming weight of an intermediate value); the quality of this model depends on the abilities of the attacker.
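The two analysis methods in working form, added here as an illustration and not part of the original post. Both the "device" and its leakage are simulated: the square-and-multiply routine records its operation sequence as an SPA trace, and the AES first-round leakage is assumed to be the Hamming weight of the S-box output plus Gaussian noise (a standard model, and an assumption of this example). Everything else, including the plaintexts and the key byte 0x2B, is constructed:

```python
"""Simple (SPA) and differential (CPA) side-channel analysis on simulated
traces. Both the 'device' and its leakage are constructed here."""
import random
import statistics

# ---- Simple side-channel attack: one trace, key read off directly -----------

def square_and_multiply(base: int, exponent: int, modulus: int) -> tuple[int, str]:
    """Left-to-right modular exponentiation that records an 'S' per squaring
    and an 'M' per multiplication, the operation sequence an SPA trace shows."""
    result, ops = 1, []
    for bit in bin(exponent)[2:]:
        result = result * result % modulus
        ops.append("S")
        if bit == "1":
            result = result * base % modulus
            ops.append("M")
    return result, "".join(ops)


def spa_recover_exponent(trace: str) -> int:
    """'SM' means a 1 bit, an 'S' not followed by 'M' means a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("malformed trace")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


# ---- Differential side-channel attack: many traces, statistics ---------------

SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d8311504c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f8453d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa851a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d197360814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df8ca1890dbfe6426841992d0fb054bb16"
)
assert len(SBOX) == 256


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(key_byte: int, n: int, noise_sd: float, seed: int = 1):
    """Constructed measurements for the first AES round: the device is assumed
    to leak HW(SBOX[p ^ k]) plus Gaussian noise, one sample per plaintext."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n)]
    traces = [hamming_weight(SBOX[p ^ key_byte]) + rng.gauss(0, noise_sd) for p in plaintexts]
    return plaintexts, traces


def pearson(xs, ys) -> float:
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0


def cpa_recover_key_byte(plaintexts, traces) -> int:
    """For each of the 256 key hypotheses, predict the leakage with the same
    Hamming-weight model and correlate it with the measurements; the right
    key is the one whose predictions line up with what was measured."""
    scores = [abs(pearson([hamming_weight(SBOX[p ^ k]) for p in plaintexts], traces))
              for k in range(256)]
    return max(range(256), key=scores.__getitem__)


if __name__ == "__main__":
    _, trace = square_and_multiply(7, 0b101101, 1009)
    print("SPA trace", trace, "-> exponent", bin(spa_recover_exponent(trace)))
    pts, trs = simulate_traces(0x2B, 300, 1.0)
    print("CPA recovered key byte 0x%02x" % cpa_recover_key_byte(pts, trs))
```

The SPA half reads the exponent from one trace because the operation sequence itself is data dependent; the fix is a regular sequence (always square and multiply, or a Montgomery ladder). The CPA half needs hundreds of traces because each measurement carries little information, which is exactly the point of the differential approach: the attacker never needs the implementation details, only a leakage model good enough to correlate with.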

Conclusion:
Cryptology may be seen as a constant struggle between cryptographers and cryptanalysts, and attacks on implementations have a similarly long history. To provide a practical degree of security against white-box (total access) attacks, the security of cryptographic modules should be evaluated assuming a totally untrusted implementation environment. For software the practical defences are constant-time code paths that neither branch nor index memory on secret data, and library comparison routines written for that purpose.

Monday, 5 December 2016

Organization based access control


Introduction: Current approaches to access control and usage control rely on three entities: subject, action and object. Specifying a security policy therefore consists in specifying security rules that apply to the {subject, action, object} triple, for example an authorization for some subject to perform some action on some object. One of the main goals of the OrBAC (Organization-Based Access Control) model is to allow the policy designer to define a security policy independently of its implementation.
The chosen method to achieve this goal is the introduction of an abstract level:
  • Subjects are abstracted into roles. A role is a set of subjects to which the same security rules apply.
  • Similarly, an activity is a set of actions to which the same security rules apply.
  • And a view is a set of objects to which the same security rules apply.
Each abstraction is made within an organization, and a rule can be conditioned on a context (for example urgency or working hours) that must hold for the rule to apply.
Tools that integrate OrBAC concepts partly or entirely in their implementation:
  • MotOrBAC: an OrBAC security policy editor
  • The OrBAC library: a set of Java classes which can deploy and interpret OrBAC policies
  • Protekto: a tool developed by the SWID company
MotOrBAC:
MotOrBAC is an implementation of the OrBAC access control model. It aims at providing an OrBAC policy editing tool, and it can also be used to simulate OrBAC policies. The GUI is open source. The OrBAC API, on top of which MotOrBAC has been developed, helps software developers to include security mechanisms in their software.

OrBAC API
The OrBAC Application Programming Interface is a Java library which has been developed to programmatically deploy OrBAC policies. The API offers the following OrBAC policy editing capabilities:

  • Abstract policy specification: organizations, roles, activities, views, contexts and abstract rules (permissions) can be used. This includes organization, role, activity and view hierarchies
  • Separation constraints and rule priorities can be specified to resolve conflicts between abstract rules
  • Several languages can be used to express context and object definitions. Simple ad-hoc languages have been defined to express time-based conditions or simple conditions on the attributes of concrete entities (subject, action or object). Two more powerful languages, Java and Prolog, can be used to express a wide variety of conditions
  • The administration policy, or AdOrBAC policy, associated with an OrBAC policy can be specified using the same concepts and API methods
Protekto

The Protekto project consists in the development of a platform which allows security policy centralization by implementing authentication and authorization functions on the same platform. It uses the OrBAC model and standards such as SAML 2.0, XACML 2.0 and OpenID 2.0. Open source libraries such as OpenSAML, OpenID4Java and SunXACML have been reused during development. The platform contains three principal entities:
  • Protekto IDP (Identity Provider)
  • Protekto SP (Service Provider)
  • Protekto PDP (Policy Decision Point)
Each component communicates with the others using SAML messages. The OpenID protocol is used in the Protekto IDP component, which can authenticate a user by password or OpenID. Protekto IDP is responsible for empowering subjects into roles and manages the subject attributes.

Protekto can be used to download content served by the Protekto SP. In this case the Protekto PDP is queried to decide whether the user trying to download content is authorized to do so. In order to guarantee that privacy is enforce

Conclusion: The definition of the security policy is entirely parameterized by the organization, so that it is possible to handle simultaneously several security policies associated with different organizations. The model is not limited to permissions; it also includes the possibility to specify prohibitions and obligations. From the three abstract entities (roles, activities, views), abstract privileges are defined, and from these abstract privileges, concrete rights on (subject, action, object) triples are derived.
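A small policy engine that implements the abstraction and the derivation of concrete rights described in this post, added as an illustration. It is written in Python and is not the OrBAC API, MotOrBAC or Protekto (which are Java); the hospital organization, its roles, contexts and rule priorities are constructed for the example:

```python
"""Minimal OrBAC-style policy engine, a constructed illustration (not the
OrBAC API or MotOrBAC). Abstract rules are written over (organization,
role, activity, view, context); concrete entities are attached through
empower / consider / use; concrete rights are derived from them."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AbstractRule:
    kind: str        # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str
    priority: int = 0   # higher wins when a permission and a prohibition collide


class OrbacPolicy:
    def __init__(self):
        self.rules = []
        self.roles = {}        # (org, subject) -> {role}
        self.activities = {}   # (org, action)  -> {activity}
        self.views = {}        # (org, object)  -> {view}
        self.junior_of = {}    # (org, senior role) -> junior role it inherits from
        self.contexts = {"default": lambda s, a, o, env: True}

    # --- concrete-to-abstract mappings (OrBAC's empower / consider / use) ---
    def empower(self, org, subject, role):
        self.roles.setdefault((org, subject), set()).add(role)

    def consider(self, org, action, activity):
        self.activities.setdefault((org, action), set()).add(activity)

    def use(self, org, obj, view):
        self.views.setdefault((org, obj), set()).add(view)

    def sub_role(self, org, senior, junior):
        self.junior_of[(org, senior)] = junior

    def define_context(self, name, predicate):
        """predicate(subject, action, obj, env) -> bool decides if the context holds."""
        self.contexts[name] = predicate

    def add_rule(self, rule: AbstractRule):
        self.rules.append(rule)

    def roles_of(self, org, subject):
        """Roles held directly plus every junior role reachable in the hierarchy."""
        held, todo = set(), list(self.roles.get((org, subject), ()))
        while todo:
            r = todo.pop()
            if r not in held:
                held.add(r)
                if (org, r) in self.junior_of:
                    todo.append(self.junior_of[(org, r)])
        return held

    def is_permitted(self, org, subject, action, obj, env=None):
        """Derive the concrete right (subject, action, obj) inside org."""
        env = env or {}
        best = {"permission": None, "prohibition": None}
        for rule in self.rules:
            if (rule.org != org
                    or rule.role not in self.roles_of(org, subject)
                    or rule.activity not in self.activities.get((org, action), ())
                    or rule.view not in self.views.get((org, obj), ())
                    or not self.contexts[rule.context](subject, action, obj, env)):
                continue
            if best[rule.kind] is None or rule.priority > best[rule.kind]:
                best[rule.kind] = rule.priority
        if best["permission"] is None:
            return False                      # closed policy: no permission, no right
        if best["prohibition"] is None:
            return True
        return best["permission"] > best["prohibition"]   # prohibition wins a tie

    def derive_concrete_rights(self, org, env=None):
        """All (subject, action, object) triples currently permitted in org."""
        subjects = {s for (o, s) in self.roles if o == org}
        actions = {a for (o, a) in self.activities if o == org}
        objects = {ob for (o, ob) in self.views if o == org}
        return {(s, a, ob) for s in subjects for a in actions for ob in objects
                if self.is_permitted(org, s, a, ob, env)}


def build_hospital_policy() -> OrbacPolicy:
    """Constructed example: organization, names, roles and contexts are illustrative."""
    p, org = OrbacPolicy(), "hospital"
    p.empower(org, "alice", "physician")
    p.empower(org, "bob", "nurse")
    p.sub_role(org, "physician", "nurse")          # physician inherits nurse rules
    p.consider(org, "read", "consult")
    p.use(org, "record_42", "medical_record")
    p.define_context("urgency", lambda s, a, o, env: env.get("urgency", False))
    p.define_context("night", lambda s, a, o, env: env.get("hour", 12) >= 22)
    p.add_rule(AbstractRule("permission", org, "physician", "consult", "medical_record", "default"))
    p.add_rule(AbstractRule("permission", org, "nurse", "consult", "medical_record", "urgency"))
    p.add_rule(AbstractRule("prohibition", org, "nurse", "consult", "medical_record", "night", priority=1))
    return p
```

The policy is closed: a concrete right exists only if some abstract permission matches and its context holds, and a prohibition of equal or higher priority cancels it. Note what the hierarchy does: a senior role inherits the junior role's prohibitions as well as its permissions, so alice, a physician, is also blocked at night by the rule written for nurses.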

Thursday, 3 November 2016

E Business – Strategy


ASP.NET software companies in India believe that progress in e-business will not only deliver economic returns but is also an important component of business definition and competitive strategy. Still, IT performance research has shown that the relation between IT investment and improved organizational performance remains unclear. Again and again, ambiguity and argument have characterized e-business regarding what is and is not known about its payoff. Strategists fail to capture the fact that e-business performance depends on the convergence of strategic and tactical factors.

Among many established industries, with the help of software companies in India, there is significant evidence of e-business being deployed to accomplish strategic goals. Where this deployment has been most successful, there is a strong indication that the organization has taken a combined approach that both builds on the organization's strengths and pays careful attention to the process of change within the organization. There are two perspectives on this: strategy content, which focuses on unique bundles of resources, and strategy process, which captures human guidance and e-business implementation. These two perspectives are integrated to develop a more holistic understanding of the underlying drivers of e-business performance.

In spite of the dot-com crash, there remains a strong belief among software companies in India that e-business, with its growing potential for generating new transactional opportunities between firms, suppliers, complementary product/service providers and customers, will eventually contribute meaningfully to the future performance of many established firms. For such firms e-business is more than a tool; it is part of a deeply held strategic identity that enables them to outpace the competition. Yet, in spite of these high-profile success stories, many other similarly placed firms have failed to replicate these results. This is not altogether surprising, as technology innovation theory predicts that within any population there are significantly more followers than innovators. For those imitators wanting to learn from these role models, a number of important questions come to mind, two of which are:

  • Why does performance (specifically that related to e-business) differ between organizations that operate within the same line of business and have access to the same information and technologies?
  • To what extent are these differences structural, that is, driven by firm assets and infrastructure, or cognitive, that is, driven by the beliefs and commitment of managers to a particular future (in this case a future involving e-business implementation)?

Both questions are of practical significance for ASP.NET software companies in India because they tap into the organizational reasoning that takes place to justify e-business applications. This reasoning is also of theoretical significance to the information technology (IT) literature in that it underlies the extent to which organizational success is determined by strategy content and/or process. Although naturally linked to one another, the content and process viewpoints have evolved independently.

Developments in e-business applications and technologies, delivered by ASP.NET software companies in India, present many opportunities for modern businesses to redefine their strategic objectives and improve or transform products, services, markets, work processes and business communication. The empirical results show that e-business performance varies as external pressures and capabilities (i.e., human, technological and business) fluctuate. Still, the exact contribution of these capabilities has not been determined. Most notably, the research shows that variation in managerial opinion regarding the perceived benefit of e-business explains much about performance.

Organizational differences turn out to be a factor in the variation in success or failure of e-commerce implementation and its alignment with strategic goals. This principle is perhaps most marked in e-business settings, where volatile markets, rapid technological change and financial limitations strongly affect the organizational reasoning that determines e-business strategy and the resulting implications for firm development and survival.

Tuesday, 4 October 2016

Security considerations in SaaS


Software development companies should consider the following security factors in SaaS development and deployment:

  • Security of the data
  • Segregation of data
  • Security in the network
  • Availability
  • Backup
  • SaaS deployment model

Security of the Data

In the traditional on-premise application deployment model, the critical data of each enterprise was kept within the enterprise boundary and was subject to its own physical, technical and personnel security and access control policies. In the SaaS model, the organization's data is stored outside the enterprise boundary, at the SaaS vendor's end. Consequently, the SaaS vendor must adopt additional security checks to ensure the security of the data and prevent breaches due to security weaknesses in the application or to malicious employees. This involves the use of strong encryption for data at rest and granular authorization to control access to data.

At cloud vendors such as Amazon, the provider's administrators cannot access customer instances and cannot log into the guest OS. To gain access to a host, administrators with a business need must use their own individually generated, strong cryptographic SSH keys, and such access is logged and routinely audited. At the time of writing, data at rest in the vendor's storage service (S3) was not encrypted by default, so users had to encrypt data themselves before uploading it to Amazon to prevent it from being read or tampered with by an unauthorized party. (Since January 2023 S3 applies server-side encryption to every new object by default; client-side encryption remains the way to keep the keys out of the provider's hands.)

Segregation of data

Security checks need to be implemented to ensure data security and prevent unauthorized access to one tenant's data by users of other tenants. This involves hardening the data store and the application so as to segregate the data: every query, update and delete must carry the tenant identifier taken from the authenticated session, never from a request parameter.

If the SaaS application is deployed at a third-party cloud service provider, additional safeguards need to be adopted so that the application tenant's data is inaccessible to other applications.
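The segregation point in code, added here as an illustration and not part of the original post: a constructed in-memory SQLite store with two tenants, the vulnerable lookup beside the tenant-scoped one.

```python
"""Tenant segregation in a multi-tenant SaaS data store (constructed demo
on an in-memory SQLite database with two tenants)."""
import sqlite3


def create_store() -> sqlite3.Connection:
    """Constructed sample data: documents belonging to tenants 'acme' and 'globex'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        (1, "acme", "acme Q3 forecast"),
        (2, "globex", "globex payroll"),
        (3, "acme", "acme roadmap"),
    ])
    conn.commit()
    return conn


def get_document_vulnerable(conn: sqlite3.Connection, doc_id: int):
    """Looks a record up by id alone. Any authenticated user of any tenant who
    guesses or enumerates an id reads another tenant's data."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


class TenantScopedRepository:
    """Hardened access path: the tenant is bound once from the authenticated
    session (never taken from the request) and every statement, reads and
    writes alike, carries it in its WHERE clause."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn, self._tenant = conn, tenant_id

    def get(self, doc_id: int):
        row = self._conn.execute(
            "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant),
        ).fetchone()
        return row[0] if row else None

    def ids(self) -> list:
        rows = self._conn.execute(
            "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id", (self._tenant,)
        )
        return [r[0] for r in rows]

    def delete(self, doc_id: int) -> bool:
        """True only if a row of this tenant was deleted; a foreign id matches
        nothing and is a no-op rather than a cross-tenant write."""
        cur = self._conn.execute(
            "DELETE FROM documents WHERE id = ? AND tenant_id = ?", (doc_id, self._tenant)
        )
        self._conn.commit()
        return cur.rowcount == 1


if __name__ == "__main__":
    conn = create_store()
    print("vulnerable lookup of id 2 by an acme user:", get_document_vulnerable(conn, 2))
    acme = TenantScopedRepository(conn, "acme")
    print("scoped lookup of id 2 by an acme user:", acme.get(2))
    print("acme can delete globex's row:", acme.delete(2))
```

Binding the tenant in the repository constructor, from the session, is what makes the check hard to forget; an id-only query anywhere in the code base reopens the hole, so it is worth a lint rule or a code review checklist item. Row-level security in the database (PostgreSQL row security policies, for instance) gives a second layer that holds even when application code is wrong.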

Security in the network

In the SaaS deployment model, critical data is obtained from the organizations, processed by the SaaS application and stored at the SaaS service provider's end. Securing all data that flows over the network is mandatory in order to prevent sensitive information from leaking. This involves the use of strong transport encryption, i.e. TLS (the older SSL protocol versions are deprecated and should be disabled).

In the case of AWS, protection against MITM attacks, IP spoofing, port scanning, packet sniffing and so on is provided at the network layer. Amazon S3 is accessed through TLS-encrypted endpoints. To ensure that data is transferred securely within AWS as well as to and from sources outside AWS, the encrypted endpoints are accessible both from the Internet and from within Amazon EC2.

Availability

The SaaS applications of service providers need to provide organizational clients with service round the clock. This involves changes in the architecture at the application and infrastructure levels to add scalability and high availability. A multi-tier architecture should be adopted, supported by a load-balanced farm of application instances running on a large number of servers. Resilience to hardware and software failures, as well as to DoS attacks, needs to be built into the application from the bottom up.

At the same time, a business continuity plan (BCP) and a disaster recovery plan (DRP) need to be in place for unforeseen emergencies. This is essential to ensure the safety of client data and minimal downtime for enterprises.

Backup

The SaaS vendor needs to ensure that all critical data of client organizations is regularly backed up to enable quick recovery and restoration in case of disasters. To prevent sensitive information from leaking accidentally, backed-up data must be protected using strong encryption, and restores must be tested regularly; an untested backup is not a backup.

In the case of cloud vendors such as Amazon, data stored in S3 was not encrypted by default at the time of writing. Users should encrypt their data before backing it up so that it cannot be read or altered by unauthorized parties even if the storage is exposed.

SaaS Deployment Model

The deployment model used by the vendor is the major factor in the types of SaaS security challenge faced by the organization. SaaS service providers may choose between deploying the solution themselves or using a public cloud provider. Amazon is a dedicated public cloud provider that helps to build secure SaaS solutions by providing infrastructure services for perimeter and environment security, such as firewalls and intrusion detection systems, whereas a self-hosted SaaS deployment requires the vendor to build these services and assess them for security weaknesses. Either way, under the shared responsibility model the vendor remains responsible for the security of the application, its data, and its identity and access configuration.

Conclusion:

Software as a Service (SaaS) is quickly emerging as the leading delivery model for meeting the needs of enterprise IT services. But most software development companies are still uncomfortable with the SaaS model due to a lack of visibility into the way their data is stored and secured. Consequently, addressing organizations' security concerns has emerged as the biggest challenge for the adoption of SaaS applications.