Software Development Life Cycle For Data In The Cloud Computing Environment
Software Development Life Cycle for Data in Cloud Computing Environment
Chimene Tchokoko Diboma
School or Institution Name (University at Place or Town, State)
Operations and Maintenance:
The client has to manage human resource applications in the cloud environment. As the implementation includes a software-as-a-service offering, operations and maintenance support will be provided by the vendor as per the subscription agreement between the vendor and the client. Installed systems and applications in a cloud environment require appropriate management services. Client-side applications will work without any further maintenance requirements, but the infrastructure operations will be monitored by the vendor to ensure the quality of service. During the term of the service agreement between the parties, the vendor will provide operations and management support for the project as per the following plan.
A team of professionals will be available to monitor the operations of the applications in the managed infrastructure. The vendor will release application updates to address security holes in previously released application versions. However, no major change in architecture will be made, to avoid compatibility issues with legacy applications of the client. Data related to human resource management applications contain personally identifiable information, and the integrity of the data in transit will be monitored by the dedicated teams (Weber, Nepal, & Zhu, 2016). The vendor will respond to and disclose any discovered anomalies in traffic patterns to the client. The reporting will be transparent and will engage the in-house information technology teams of the client as well. A telephone number will be made available to the client to contact the vendor in case of a support case covered by the service level agreement.
Email support will always be available to the client, and the client will be able to request support for covered applications. Support will not be provided for legacy applications developed by the client itself. Related documentation and reports of any possible issues or service downtime will be provided via email. Incident response teams of the vendor will be available 24/7. However, recovery support or incident response will be provided as per the severity of the support ticket opened by the client. Severity level 1 will be reserved for issues that produce emergency conditions. In case of a severity level 1 issue, the client must contact the vendor by phone rather than by email (Aljawarneh, Alawneh, & Jaradat, 2017). After receiving a severity level 1 support request, the vendor will provide professional remediation support. Support for severity level 2 or 3 events, or for issues that do not directly affect the operation of the client, can be requested through any of the available support channels.
Maintenance of the internal infrastructure of the vendor will be scheduled on a monthly basis, and the client will be informed well ahead of time. However, scheduled maintenance will not cause any disruption to the operations of the applications running in the cloud. If maintenance causes an outage for a fraction of time, the clients will be informed so that they can mitigate any discrepancies (Hehenberger et al., 2016). High availability access to the infrastructure will be maintained by the operations monitoring teams. Maintenance updates to the applications will be provided on a fortnightly basis. Research and development staff will install the updates, and the updates will be tested for compatibility issues before the implementation of the patch.
Audit of the security systems is essential, especially for mission-critical applications such as human resource management systems running in cloud environments. To ensure the confidentiality, availability, and integrity of data being transmitted to the cloud infrastructure, regular audits will be performed. Audits will be performed on a monthly basis, and detailed audit reports will be shared with the client as well to ensure transparency of the systems. The vendor will schedule third-party independent audits of internal infrastructure and critical systems that will help in the understanding of the issues. Audits of the infrastructure related to a particular client, as in this case, will be performed by the in-house security engineers. Security engineers will access all of the logs and monitoring systems to detect anomalies in the traffic patterns. Auditing teams will test all parts of the infrastructure, including client-side applications, for security holes. All of the application programming interfaces will be checked for possible security loopholes (Kashfi, 2017). Penetration testing tools and techniques such as packet captures, TCP dumps, and man-in-the-middle (MITM) techniques will be used to check the efficacy of security measures. The auditing teams will try to compromise or breach the system by using all possible attack vectors.
As a result of the efforts, a comprehensive audit report will be generated and provided to the client as well.
If any vulnerabilities or possible security breaches, such as anomalies in traffic patterns, are detected, the vendor will fix the discovered issues as soon as reliably possible. Updates will be released to address the security issues indicated in auditing reports. Software updates will include bug fixes and security patches. However, software updates released by the vendor may not include new features for the applications. Any new features developed for the applications may be sold to the clients as add-on services if they require that functionality in their business operations (Ferry et al., 2018). As the security audits are planned to be run at the beginning of each month, any security issues discovered will be patched within one month or before the next scheduled audit.
When a fix for possible security issues is released, neither the vendor nor the client will delay the installation of the security patch, to ensure the smooth running of the applications.
Dedicated teams will monitor the functionality of the system to ensure that the day-to-day functionality of applications remains stable. The operations and maintenance team of the vendor will administer the directories used by the client, as well as user access security. The client can request specific restrictions for certain users to ensure the confidentiality of information. Appropriate segregation between critical applications will be provided by the operations and management teams as well. Security engineers may try to integrate more and more features found in the client-side applications into their offerings to increase the efficiency of the subscription models of the software-as-a-service cloud offering (Rosa, 2018). It will be ensured that data transmission is secured with end-to-end encryption and that the vendor cannot access the data of the client. Encryption keys will be stored locally on client-side machines and will never be retrieved by the vendor. Even the emergency recovery keys will be stored in local systems or provided to the client on protected media to ensure that the vendor will never be able to break the encryption mechanism in any way. These measures must be practiced by the operations and maintenance teams of the vendor to maintain the trust of clients in their services.
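The key-custody arrangement described above can be illustrated with a short sketch. This is an added example, not part of the original essay or of any vendor's code: the AES-256-GCM mode, the function names, the record identifier and the sample record are assumptions made for illustration. The client encrypts each record under a fresh data key and wraps that key under a primary key and a recovery key, both of which stay on the client side, so the vendor stores only ciphertext and any modification in transit is rejected on decryption.

```javascript
const crypto = require('crypto');

// Assumption: AES-256-GCM; the AAD binds every ciphertext to its record id.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on wrong key or tampering
}

// Client side (hypothetical helper): a per-record data key encrypts the body and is
// wrapped under the client-held primary and recovery keys. Only this blob is uploaded.
function encryptForUpload(record, recordId, primaryKey, recoveryKey) {
  const dataKey = crypto.randomBytes(32);
  const aad = Buffer.from(recordId);
  return {
    recordId,
    body: seal(dataKey, Buffer.from(JSON.stringify(record)), aad),
    wrappedPrimary: seal(primaryKey, dataKey, aad),
    wrappedRecovery: seal(recoveryKey, dataKey, aad),
  };
}

// Client side: slot is 'wrappedPrimary' or 'wrappedRecovery'.
function decryptDownload(blob, key, slot) {
  const aad = Buffer.from(blob.recordId);
  const dataKey = open(key, blob[slot], aad);
  return JSON.parse(open(dataKey, blob.body, aad).toString());
}

// True when decryption is refused (no valid key, or the blob was modified).
function isRejected(blob, key, slot) {
  try { decryptDownload(blob, key, slot); return false; } catch (e) { return true; }
}

// Constructed sample data: keys are generated and kept on the client only.
const primaryKey = crypto.randomBytes(32);
const recoveryKey = crypto.randomBytes(32);
const stored = encryptForUpload({ employeeId: 'E-0001', name: 'Sample Person' }, 'hr/E-0001', primaryKey, recoveryKey);
const flipped = { ...stored, body: { ...stored.body, ct: Buffer.from(stored.body.ct) } };
flipped.body.ct[0] ^= 1; // one bit changed in transit or at rest
```
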
Disposal Plan:
As the project enters the finalizing stage, the project deliverables will be handed to the owner as per the disposal plan. At the final stage of implementation, all of the software installations and integrations will be verified and tested for appropriate functioning. Any performance flaws and functionality issues will be rectified. Along with the rectification of issues, their documentation will also be completed for future reference. Documentation of such issues and rectification steps will help the client look up solutions to possible problems in the future without requiring direct support from the vendor. The design documents and specifications of the project will be compiled into end user guides. Extra documents or paperwork related to the project will be disposed of appropriately.
Military-grade shredding techniques will be utilized for both digital and paper-based information material. It is essential to use secure methods of disposal for critical information, as a breach of such information can cause irreparable damage to both the vendor and the client. Digital information related to the internal infrastructure and applications will be encrypted using the AES-256 encryption algorithm if it is required by the client. Otherwise, it will be shredded and discarded, as the vendor does not require access to such information because all of the necessary details will be provided to the client via the documentation of the project (Rittinghouse & Ransome, 2017). All the liabilities will be cleared. Accounts related to the project will be closed, and all of the transaction receipts will be made part of the documentation related to future audits of the project costs. Employees of the client will be trained to use the newly installed systems. The training will cover the essentials of the project and will be based on the original agreement between the parties. As per the disposal plan, the vendor will never disclose information about the applications and security measures to any third parties.
User manuals and troubleshooting guides of the equipment purchased from third parties will be handed over to the client.
References
Aljawarneh, S. A., Alawneh, A., & Jaradat, R. (2017). Cloud security engineering: Early stages of SDLC. Future Generation Computer Systems, 74, 385–392.
Ferry, N., Solberg, A., Song, H., Lavirotte, S., Tigli, J.-Y., Winter, T., … Aguirre, A. C. (2018). ENACT: Development, Operation, and Quality Assurance of Trustworthy Smart IoT Systems. International Workshop on Software Engineering Aspects of Continuous Development and New Paradigms of Software Production and Deployment, 112–127. Springer.
Hehenberger, P., Vogel-Heuser, B., Bradley, D., Eynard, B., Tomiyama, T., & Achiche, S. (2016). Design, modelling, simulation and integration of cyber physical systems: Methods and applications. Computers in Industry, 82, 273–289.
Kashfi, H. (2017). Software Engineering Challenges in Cloud Environment: Software Development Lifecycle Perspective.
Rittinghouse, J. W., & Ransome, J. F. (2017). Cloud computing: implementation, management, and security. CRC press.
Rosa, F. (2018). Analysis of requirements and technologies to migrate software development to the PaaS model.
Weber, I., Nepal, S., & Zhu, L. (2016). Developing dependable and secure cloud applications. IEEE Internet Computing, 20(3), 74–79.