Security Assessment of Large-Scale IT Infrastructure

Abstract

Due to today’s online interactions, the security of IT infrastructure components is important for organizations. The literature survey revealed that evaluation of security of an IT infrastructure has not received as much attention from the research communities as that of application security. This paper examined an example of Saudi IT infrastructure to identify the challenges that threaten security, along with recommendations to address these challenges. Different qualitative methods were used in data collection, including focus groups, direct meetings, observations, and archival data/documents. Key categories of security threats are found to be networking, (e.g., violation of the principles of secure design), systems and storage (e.g., patching management), and information/endpoint (e.g., operation procedures). The lessons learned indicated that these infrastructure security risks can be addressed through various means, including infrastructure management (e.g., monitoring, documentation, and compliance with project management practices), software business activities (e.g., renewal of vendor support service), network redesigning (e.g., avoiding single point of failure structure), and incident response procedures (through developing and implementing clear, formal procedures). Some kinds of infrastructure security threats, such as cascading threats, are difficult to discover and evaluate. This study will assist security requirements engineers, systems managers, and security compliance officers.