
Cloud Blogs

Author – Madhusudhan Rao


01 Architecture Concepts – Regulatory Compliance, Security monitoring and Storage protocols

HIPAA (Health Insurance Portability and Accountability Act of 1996)

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States to protect patients’ Personal Health Information (PHI). 

PHI includes:

  • Name, address, birth date and Social Security Number;
  • An individual’s physical or mental health condition;
  • Any care provided to an individual; or
  • Information concerning the payment for the care provided to the individual that identifies the patient, or if there is a reasonable basis to believe it can be used to identify the patient.

Regulatory compliance (HIPAA, PCI)

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider.

Goal: Building and maintaining a secure network.

  1. Install and maintain a firewall configuration to protect cardholder data. Companies must create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data. Your hosting provider should have firewalls in place to protect and create a secure, private network.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. This means creating, maintaining and updating your system passwords with unique and secure passwords created by your company, not ones that a software vendor might already have in place when purchased.
  3. Protect stored data. This requirement only applies to companies that store cardholder data. Specifically, companies that do not automatically store cardholder data are already avoiding a possible data security breach often targeted by identity theft.
  4. Encrypt transmission of cardholder data across open, public networks. Encrypted data is unreadable and unusable to a system intruder without the proper cryptographic keys, according to the PCI Security Standards Council. Encryption is the process in which plaintext, like the words seen here, is transformed into ciphertext. Ciphertext contains information unreadable to those without the cipher, or the specific algorithm that can decode the text.

AADHAAR UID (Unique Identification Authority of India) Data Security – Compliance

Some of the Aadhaar regulations are:

  1. The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity.
  2. Ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.
  3. Types of authentication: there shall be two types of authentication facilities provided by the Authority, namely:
    (i) Yes/No authentication facility,
    (ii) e-KYC authentication facility, which may be carried out only using OTP and/or biometric authentication modes as specified in regulation
  4. After collecting the Aadhaar number or any other identifier provided by the requesting entity, which is mapped to the Aadhaar number, and the necessary demographic and/or biometric information and/or OTP from the Aadhaar number holder, the client application shall immediately package and encrypt these input parameters into a PID block before any transmission.
  5. Please refer to this link for current details: Link to Regulations

Security monitoring – intrusion detection system (IDS)

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of a HIDS, while a system that analyzes incoming network traffic is an example of a NIDS. It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware) 

Security monitoring – Data loss prevention (DLP)

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.

Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

DLP products may also be referred to as data leak prevention, information loss prevention or extrusion prevention products.

Security monitoring – SYSLOG

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.

Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems.
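The facility code and severity label travel together in the `<PRI>` value at the start of each syslog message (PRI = facility × 8 + severity). The sketch below decodes that value and picks out authentication and audit records at warning level or worse, as a central log collector might before forwarding to a SIEM. It is an added example, not part of the original post; the function names, the choice of security facilities and the sample lines are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Facility and severity names indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Assumption: the facilities this collector treats as security-relevant.
SECURITY_FACILITIES = {"auth", "authpriv", "audit"}
PRI = re.compile(r"<(\d{1,3})>(.*)", re.DOTALL)


class Record(NamedTuple):
    facility: str
    severity: str
    message: str


def parse_pri(line: str) -> Optional[Record]:
    """Decode the leading <PRI>; return None for a missing or out-of-range value."""
    match = PRI.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    return Record(FACILITIES[facility], SEVERITIES[severity], match.group(2).strip())


def security_events(lines: Iterable[str],
                    threshold: str = "warning") -> Tuple[List[Record], int]:
    """Return (security records at or above threshold, count of malformed lines)."""
    limit = SEVERITIES.index(threshold)  # lower number means more severe
    selected, malformed = [], 0
    for line in lines:
        record = parse_pri(line)
        if record is None:
            malformed += 1  # worth alerting on: a sender may be misconfigured
            continue
        if (record.facility in SECURITY_FACILITIES
                and SEVERITIES.index(record.severity) <= limit):
            selected.append(record)
    return selected, malformed


# Constructed sample lines (192.0.2.0/24 is a documentation address range).
SAMPLE = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for user1 on /dev/pts/8",
    "<86>Oct 11 22:14:20 host1 sshd[812]: session opened for user deploy",
    "<84>Oct 11 22:15:02 host1 sshd[840]: repeated login failures from 192.0.2.55",
    "<165>Oct 11 22:15:10 host1 app: cache refreshed",
    "<999>Oct 11 22:15:11 host1 bogus priority",
    "Oct 11 22:15:12 host1 no priority field",
]

if __name__ == "__main__":
    events, bad = security_events(SAMPLE)
    for event in events:
        print(f"{event.facility}.{event.severity}: {event.message}")
    print(f"malformed lines: {bad}")
```
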

Storage protocols – NFS

NFS means you access a file share like \\james\mySharedFolder, and you put files on it. In Windows, this is a mapped network drive. You access folders and files there, but you don’t see the network mapped drive in Computer Manager as a local drive letter. You don’t get exclusive access to NFS drives. You don’t need a separate network cable for NFS – you just access your file shares over whatever network you want.

Storage protocols – ZFS

Oracle Intelligent Storage Protocol

ZFS is a local file system and logical volume manager created by Sun Microsystems Inc. to direct and control the placement, storage and retrieval of data in enterprise-class computing systems.

Oracle’s ZS4-4 features more than 120 processor cores (an increase from 80 in ZS3-4) and up to 3 TB of DRAM (up from 1.5 TB in the prior 3-4 release). The ZFS storage appliance serves 85% or more of the I/O out of DRAM through Oracle’s hybrid pool storage architecture for a distinct performance advantage, 

Storage protocols – iSCSI (Internet Small Computer System Interface)

 

iSCSI is a transport layer protocol that describes how Small Computer System Interface (SCSI) packets should be transported over a TCP/IP network.

iSCSI means you map your storage over TCP/IP. You typically put in dedicated Ethernet network cards and a separate network switch. Each server and each storage device has its own IP address(es), and you connect by specifying an IP address where your drive lives. In Windows, each drive shows up in Computer Manager as a hard drive, and you format it. This is called block storage.

iSCSI works by transporting block-level data between an iSCSI initiator on a server and an iSCSI target on a storage device. The iSCSI protocol encapsulates SCSI commands and assembles the data in packets for the TCP/IP layer. Packets are sent over the network using a point-to-point connection. Upon arrival, the iSCSI protocol disassembles the packets, separating the SCSI commands so the operating system (OS) will see the storage as a local SCSI device that can be formatted as usual. Today, some of iSCSI’s popularity in small to midsize businesses (SMBs) has to do with the way server virtualization makes use of storage pools. In a virtualized environment, the storage pool is accessible to all the hosts within the cluster, and the cluster nodes communicate with the storage pool over the network through the use of the iSCSI protocol.


"Technology has the shelf life of a banana. By the time you buy it, implement it and train people on it, it’s obsolete. …" as said by Mr Scott McNealy

© 2022 Cloud Blogs | Powered by Minimalist Blog WordPress Theme